exarch-rs 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/index.d.ts ADDED
@@ -0,0 +1,789 @@
1
+ /* auto-generated by NAPI-RS */
2
+ /* eslint-disable */
3
+ /**
4
+ * Configuration for archive creation operations.
5
+ *
6
+ * Controls how archives are created from filesystem sources, including
7
+ * security options, compression settings, and file filtering.
8
+ *
9
+ * # Defaults
10
+ *
11
+ * | Setting | Default Value |
12
+ * |---------|--------------|
13
+ * | `compression_level` | 6 (balanced) |
14
+ * | `preserve_permissions` | true |
15
+ * | `follow_symlinks` | false (secure) |
16
+ * | `include_hidden` | false |
17
+ * | `max_file_size` | None (no limit) |
18
+ * | `exclude_patterns` | `[".git", ".DS_Store", "*.tmp"]` |
19
+ */
20
+ export declare class CreationConfig {
21
+ /** Creates a new `CreationConfig` with secure defaults. */
22
+ constructor()
23
+ /**
24
+ * Creates a `CreationConfig` with secure defaults.
25
+ *
26
+ * This is equivalent to calling `new CreationConfig()`.
27
+ */
28
+ static default(): CreationConfig
29
+ /**
30
+ * Sets the compression level (1-9).
31
+ *
32
+ * Higher values provide better compression but slower speed.
33
+ * Default: 6 (balanced).
34
+ *
35
+ * # Errors
36
+ *
37
+ * Returns error if level is not in range 1-9.
38
+ */
39
+ setCompressionLevel(level: number): this
40
+ /**
41
+ * Sets whether to preserve file permissions from source.
42
+ *
43
+ * Default: true.
44
+ */
45
+ setPreservePermissions(preserve?: boolean | undefined | null): this
46
+ /**
47
+ * Sets whether to follow symlinks when adding files.
48
+ *
49
+ * Default: false (store symlinks as symlinks).
50
+ *
51
+ * Security note: Following symlinks may include unintended files
52
+ * from outside the source directory.
53
+ */
54
+ setFollowSymlinks(follow?: boolean | undefined | null): this
55
+ /**
56
+ * Sets whether to include hidden files (files starting with '.').
57
+ *
58
+ * Default: false.
59
+ */
60
+ setIncludeHidden(include?: boolean | undefined | null): this
61
+ /**
62
+ * Sets maximum size for a single file in bytes.
63
+ *
64
+ * Files larger than this limit will be skipped.
65
+ *
66
+ * # Errors
67
+ *
68
+ * Returns error if size is negative.
69
+ */
70
+ setMaxFileSize(size: number): this
71
+ /**
72
+ * Adds an exclude pattern.
73
+ *
74
+ * Files matching this pattern will be skipped.
75
+ *
76
+ * # Errors
77
+ *
78
+ * Returns error if pattern contains null bytes.
79
+ */
80
+ addExcludePattern(pattern: string): this
81
+ /** Finalizes the configuration (for API consistency). */
82
+ build(): this
83
+ /** Compression level (1-9). */
84
+ get compressionLevel(): number | null
85
+ /** Whether to preserve permissions. */
86
+ get preservePermissions(): boolean
87
+ /** Whether to follow symlinks. */
88
+ get followSymlinks(): boolean
89
+ /** Whether to include hidden files. */
90
+ get includeHidden(): boolean
91
+ /** Maximum file size in bytes. */
92
+ get maxFileSize(): number | null
93
+ /** List of exclude patterns. */
94
+ get excludePatterns(): Array<string>
95
+ }
96
+
97
+ /**
98
+ * Options controlling extraction behavior (non-security).
99
+ *
100
+ * Separate from `SecurityConfig` to keep security settings focused.
101
+ * These options control operational behavior such as duplicate handling.
102
+ *
103
+ * # Defaults
104
+ *
105
+ * | Setting | Default Value |
106
+ * |---------|--------------|
107
+ * | `skipDuplicates` | `true` |
108
+ * | `atomic` | `false` |
109
+ */
110
+ export declare class ExtractionOptions {
111
+ /** Creates a new `ExtractionOptions` with defaults. */
112
+ constructor()
113
+ /**
114
+ * Creates an `ExtractionOptions` with defaults.
115
+ *
116
+ * This is equivalent to calling `new ExtractionOptions()`.
117
+ */
118
+ static default(): ExtractionOptions
119
+ /**
120
+ * Sets whether duplicate archive entries are skipped silently.
121
+ *
122
+ * When `true` (default), duplicate entries produce a warning in the
123
+ * report. When `false`, a duplicate entry causes an error.
124
+ */
125
+ withSkipDuplicates(skip?: boolean | undefined | null): this
126
+ /**
127
+ * Sets whether extraction uses a temporary directory for atomic commits.
128
+ *
129
+ * When `true`, files are extracted to a temp dir in the same parent as
130
+ * the output directory, then atomically renamed on completion. On failure
131
+ * the temp dir is removed, leaving the output directory untouched.
132
+ * Default: `false`.
133
+ *
134
+ * **Important:** atomic mode requires that the output directory does not
135
+ * already exist. If it does, extraction fails with an
136
+ * output-already-exists error. Non-atomic mode extracts into an
137
+ * existing directory without error.
138
+ */
139
+ withAtomic(atomic?: boolean | undefined | null): this
140
+ /** Finalizes the configuration (for API consistency). */
141
+ build(): this
142
+ /** Whether duplicate entries are skipped silently. */
143
+ get skipDuplicates(): boolean
144
+ /** Whether atomic extraction is enabled. */
145
+ get atomic(): boolean
146
+ }
147
+
148
+ /**
149
+ * Security configuration for archive extraction.
150
+ *
151
+ * All security features default to deny (secure-by-default policy).
152
+ *
153
+ * # Defaults
154
+ *
155
+ * | Setting | Default Value |
156
+ * |---------|--------------|
157
+ * | `max_file_size` | 50 MB (52,428,800 bytes) |
158
+ * | `max_total_size` | 500 MB (524,288,000 bytes) |
159
+ * | `max_compression_ratio` | 100.0 |
160
+ * | `max_file_count` | 10,000 |
161
+ * | `max_path_depth` | 32 |
162
+ * | `allow_symlinks` | false |
163
+ * | `allow_hardlinks` | false |
164
+ * | `allow_absolute_paths` | false |
165
+ * | `allow_world_writable` | false |
166
+ * | `preserve_permissions` | false |
167
+ * | `allowed_extensions` | empty (all allowed) |
168
+ * | `banned_path_components` | `.git`, `.ssh` |
169
+ */
170
+ export declare class SecurityConfig {
171
+ /** Creates a new `SecurityConfig` with secure defaults. */
172
+ constructor()
173
+ /**
174
+ * Creates a `SecurityConfig` with secure defaults.
175
+ *
176
+ * This is equivalent to calling `new SecurityConfig()`.
177
+ */
178
+ static default(): SecurityConfig
179
+ /**
180
+ * Creates a permissive configuration for trusted archives.
181
+ *
182
+ * Enables: symlinks, hardlinks, absolute paths, world-writable files.
183
+ * Use only for archives from trusted sources.
184
+ */
185
+ static permissive(): SecurityConfig
186
+ /**
187
+ * Sets the maximum file size in bytes.
188
+ *
189
+ * # Errors
190
+ *
191
+ * Returns error if size is negative.
192
+ */
193
+ setMaxFileSize(size: number): this
194
+ /**
195
+ * Sets the maximum total size in bytes.
196
+ *
197
+ * # Errors
198
+ *
199
+ * Returns error if size is negative.
200
+ */
201
+ setMaxTotalSize(size: number): this
202
+ /**
203
+ * Sets the maximum compression ratio.
204
+ *
205
+ * # Errors
206
+ *
207
+ * Returns error if ratio is not a positive finite number.
208
+ */
209
+ setMaxCompressionRatio(ratio: number): this
210
+ /** Sets the maximum file count. */
211
+ setMaxFileCount(count: number): this
212
+ /** Sets the maximum path depth. */
213
+ setMaxPathDepth(depth: number): this
214
+ /** Allows or denies symlinks. */
215
+ setAllowSymlinks(allow?: boolean | undefined | null): this
216
+ /** Allows or denies hardlinks. */
217
+ setAllowHardlinks(allow?: boolean | undefined | null): this
218
+ /** Allows or denies absolute paths. */
219
+ setAllowAbsolutePaths(allow?: boolean | undefined | null): this
220
+ /** Allows or denies world-writable files. */
221
+ setAllowWorldWritable(allow?: boolean | undefined | null): this
222
+ /**
223
+ * Allows or denies solid 7z archives.
224
+ *
225
+ * Solid archives require reading all preceding entries to decompress any
226
+ * entry, which may allow a crafted archive to consume excessive
227
+ * memory. Disabled by default.
228
+ */
229
+ setAllowSolidArchives(allow?: boolean | undefined | null): this
230
+ /**
231
+ * Sets the maximum memory that may be used to decompress a solid 7z block.
232
+ *
233
+ * Solid archives decompress entire blocks into memory before individual
234
+ * entries can be read. This limit caps that allocation to prevent
235
+ * memory exhaustion from crafted archives. Default: 512 MB.
236
+ *
237
+ * # Errors
238
+ *
239
+ * Returns error if size is negative or zero.
240
+ */
241
+ setMaxSolidBlockMemory(size: number): this
242
+ /** Sets whether to preserve permissions from archive. */
243
+ setPreservePermissions(preserve?: boolean | undefined | null): this
244
+ /**
245
+ * Adds an allowed file extension.
246
+ *
247
+ * # Errors
248
+ *
249
+ * Returns error if extension exceeds maximum length or contains null
250
+ * bytes.
251
+ */
252
+ addAllowedExtension(ext: string): this
253
+ /**
254
+ * Adds a banned path component.
255
+ *
256
+ * # Errors
257
+ *
258
+ * Returns error if component exceeds maximum length or contains null
259
+ * bytes.
260
+ */
261
+ addBannedComponent(component: string): this
262
+ /**
263
+ * Finalizes the configuration (for API consistency).
264
+ *
265
+ * This method is provided for builder pattern consistency but is optional.
266
+ * The configuration is always valid and can be used directly.
267
+ */
268
+ build(): this
269
+ /** Checks if a path component is allowed. */
270
+ isPathComponentAllowed(component: string): boolean
271
+ /** Checks if a file extension is allowed. */
272
+ isExtensionAllowed(extension: string): boolean
273
+ /** Maximum file size in bytes. */
274
+ get maxFileSize(): number
275
+ /** Maximum total size in bytes. */
276
+ get maxTotalSize(): number
277
+ /** Maximum compression ratio. */
278
+ get maxCompressionRatio(): number
279
+ /** Maximum file count. */
280
+ get maxFileCount(): number
281
+ /** Maximum path depth. */
282
+ get maxPathDepth(): number
283
+ /** Whether to preserve permissions from archive. */
284
+ get preservePermissions(): boolean
285
+ /** Whether symlinks are allowed. */
286
+ get allowSymlinks(): boolean
287
+ /** Whether hardlinks are allowed. */
288
+ get allowHardlinks(): boolean
289
+ /** Whether absolute paths are allowed. */
290
+ get allowAbsolutePaths(): boolean
291
+ /** Whether world-writable files are allowed. */
292
+ get allowWorldWritable(): boolean
293
+ /** Whether solid 7z archives are allowed. */
294
+ get allowSolidArchives(): boolean
295
+ /** Maximum memory in bytes for decompressing a solid 7z block. */
296
+ get maxSolidBlockMemory(): number
297
+ /**
298
+ * List of allowed file extensions.
299
+ *
300
+ * Note: This getter clones the underlying data. For performance-critical
301
+ * code that only needs to count or check membership, use
302
+ * `getAllowedExtensionsCount()` or `hasAllowedExtension()` instead.
303
+ */
304
+ get allowedExtensions(): Array<string>
305
+ /** Returns the number of allowed extensions. */
306
+ getAllowedExtensionsCount(): number
307
+ /** Checks if a specific extension is in the allowed list. */
308
+ hasAllowedExtension(ext: string): boolean
309
+ /**
310
+ * List of banned path components.
311
+ *
312
+ * Note: This getter clones the underlying data. For performance-critical
313
+ * code that only needs to count or check membership, use
314
+ * `getBannedPathComponentsCount()` or `hasBannedPathComponent()` instead.
315
+ */
316
+ get bannedPathComponents(): Array<string>
317
+ /** Returns the number of banned path components. */
318
+ getBannedPathComponentsCount(): number
319
+ /** Checks if a specific component is in the banned list. */
320
+ hasBannedPathComponent(component: string): boolean
321
+ }
322
+
323
+ /**
324
+ * Single entry in archive manifest.
325
+ *
326
+ * Contains metadata about a file, directory, symlink, or hardlink
327
+ * without extracting it to disk.
328
+ */
329
+ export interface ArchiveEntry {
330
+ /** Entry path (relative, as stored in archive). */
331
+ path: string
332
+ /** Entry type ("File", "Directory", "Symlink", "Hardlink"). */
333
+ entryType: string
334
+ /** Uncompressed size in bytes (0 for directories). */
335
+ size: number
336
+ /** Compressed size in bytes (if available, ZIP only). */
337
+ compressedSize?: number
338
+ /** File permissions (Unix mode). */
339
+ mode?: number
340
+ /** Modification time (milliseconds since Unix epoch). */
341
+ modified?: number
342
+ /** Symlink target (if `entry_type` is "Symlink"). */
343
+ symlinkTarget?: string
344
+ /** Hardlink target (if `entry_type` is "Hardlink"). */
345
+ hardlinkTarget?: string
346
+ }
347
+
348
+ /**
349
+ * Complete manifest of archive contents.
350
+ *
351
+ * Generated by `listArchive()`, contains metadata about all entries
352
+ * without extracting them to disk.
353
+ */
354
+ export interface ArchiveManifest {
355
+ /** All entries in the archive (files, dirs, symlinks, hardlinks). */
356
+ entries: Array<ArchiveEntry>
357
+ /** Total number of entries. */
358
+ totalEntries: number
359
+ /** Total uncompressed size in bytes. */
360
+ totalSize: number
361
+ /** Archive format (e.g., `TarGz`, `Zip`). */
362
+ format: string
363
+ }
364
+
365
+ /**
366
+ * Create an archive from source files and directories (async).
367
+ *
368
+ * # Arguments
369
+ *
370
+ * * `output_path` - Path to output archive file
371
+ * * `sources` - Array of source files/directories to include
372
+ * * `config` - Optional `CreationConfig` (uses defaults if omitted)
373
+ *
374
+ * # Returns
375
+ *
376
+ * Promise resolving to `CreationReport` with creation statistics
377
+ *
378
+ * # Errors
379
+ *
380
+ * Returns error if path validation fails, archive creation fails, or I/O
381
+ * errors occur.
382
+ *
383
+ * # Examples
384
+ *
385
+ * ```javascript
386
+ * // Use defaults
387
+ * const report = await createArchive('output.tar.gz', ['source_dir/']);
388
+ * console.log(`Created archive with ${report.filesAdded} files`);
389
+ *
390
+ * // Customize configuration
391
+ * const config = new CreationConfig().compressionLevel(9);
392
+ * const report = await createArchive('output.tar.gz', ['src/'], config);
393
+ * ```
394
+ */
395
+ export declare function createArchive(outputPath: string, sources: Array<string>, config?: CreationConfig | undefined | null): Promise<CreationReport>
396
+
397
+ /**
398
+ * Create an archive from source files and directories (sync).
399
+ *
400
+ * Synchronous version of `createArchive`. Blocks the event loop until
401
+ * creation completes. Prefer the async version for most use cases.
402
+ *
403
+ * # Arguments
404
+ *
405
+ * * `output_path` - Path to output archive file
406
+ * * `sources` - Array of source files/directories to include
407
+ * * `config` - Optional `CreationConfig` (uses defaults if omitted)
408
+ *
409
+ * # Returns
410
+ *
411
+ * `CreationReport` with creation statistics
412
+ *
413
+ * # Errors
414
+ *
415
+ * Returns error if path validation fails, archive creation fails, or I/O
416
+ * errors occur.
417
+ *
418
+ * # Examples
419
+ *
420
+ * ```javascript
421
+ * // Use defaults
422
+ * const report = createArchiveSync('output.tar.gz', ['source_dir/']);
423
+ * console.log(`Created archive with ${report.filesAdded} files`);
424
+ * ```
425
+ */
426
+ export declare function createArchiveSync(outputPath: string, sources: Array<string>, config?: CreationConfig | undefined | null): CreationReport
427
+
428
+ /**
429
+ * Report of an archive creation operation.
430
+ *
431
+ * Contains statistics and metadata about the creation process.
432
+ */
433
+ export interface CreationReport {
434
+ /** Number of files added to the archive. */
435
+ filesAdded: number
436
+ /** Number of directories added to the archive. */
437
+ directoriesAdded: number
438
+ /** Number of symlinks added to the archive. */
439
+ symlinksAdded: number
440
+ /** Total bytes written to the archive (uncompressed). */
441
+ bytesWritten: number
442
+ /** Total bytes in the final archive (compressed). */
443
+ bytesCompressed: number
444
+ /** Duration of the creation operation in milliseconds. */
445
+ durationMs: number
446
+ /** Number of files skipped (due to filters or errors). */
447
+ filesSkipped: number
448
+ /** Warnings generated during creation. */
449
+ warnings: Array<string>
450
+ }
451
+
452
+ /**
453
+ * Extract an archive to the specified directory (async).
454
+ *
455
+ * This function provides secure archive extraction with configurable
456
+ * security policies. By default, it uses a restrictive security
457
+ * configuration that blocks symlinks, hardlinks, absolute paths, and
458
+ * enforces resource quotas.
459
+ *
460
+ * # Security Considerations
461
+ *
462
+ * ## Thread Safety and TOCTOU
463
+ *
464
+ * The extraction runs on a libuv thread pool worker thread. This creates
465
+ * a Time-Of-Check-Time-Of-Use (TOCTOU) race condition where the archive
466
+ * file could be modified between validation and extraction. This is an
467
+ * accepted tradeoff for async performance. For untrusted archives, ensure
468
+ * exclusive access to the archive file during extraction.
469
+ *
470
+ * ## Input Validation
471
+ *
472
+ * - Paths containing null bytes are rejected (security)
473
+ * - Paths exceeding 4096 bytes are rejected (`DoS` prevention)
474
+ * - All validation happens at the Node.js boundary before calling core library
475
+ *
476
+ * # Arguments
477
+ *
478
+ * * `archive_path` - Path to the archive file
479
+ * * `output_dir` - Directory where files will be extracted
480
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
481
+ *
482
+ * # Returns
483
+ *
484
+ * Promise resolving to `ExtractionReport` with extraction statistics
485
+ *
486
+ * # Errors
487
+ *
488
+ * Returns error for security violations or I/O errors. Error messages are
489
+ * prefixed with error codes for discrimination in JavaScript:
490
+ *
491
+ * - `PATH_TRAVERSAL`: Path traversal attempt detected
492
+ * - `SYMLINK_ESCAPE`: Symlink points outside extraction directory
493
+ * - `HARDLINK_ESCAPE`: Hardlink target outside extraction directory
494
+ * - `ZIP_BOMB`: Potential zip bomb detected
495
+ * - `INVALID_PERMISSIONS`: File permissions are invalid or unsafe
496
+ * - `QUOTA_EXCEEDED`: Resource quota exceeded
497
+ * - `SECURITY_VIOLATION`: Security policy violation
498
+ * - `UNSUPPORTED_FORMAT`: Archive format not supported
499
+ * - `INVALID_ARCHIVE`: Archive is corrupted
500
+ * - `IO_ERROR`: I/O operation failed
501
+ *
502
+ * # Examples
503
+ *
504
+ * ```javascript
505
+ * // Use secure defaults
506
+ * const report = await extractArchive('archive.tar.gz', '/tmp/output');
507
+ * console.log(`Extracted ${report.filesExtracted} files`);
508
+ *
509
+ * // Customize security settings
510
+ * const config = new SecurityConfig().setMaxFileSize(100 * 1024 * 1024);
511
+ * const report = await extractArchive('archive.tar.gz', '/tmp/output', config);
512
+ *
513
+ * // Customize extraction options
514
+ * const opts = new ExtractionOptions().withSkipDuplicates(false);
515
+ * const report = await extractArchive('archive.tar.gz', '/tmp/output', null, opts);
516
+ * ```
517
+ */
518
+ export declare function extractArchive(archivePath: string, outputDir: string, config?: SecurityConfig | undefined | null, options?: ExtractionOptions | undefined | null): Promise<ExtractionReport>
519
+
520
+ /**
521
+ * Extract an archive to the specified directory (sync).
522
+ *
523
+ * Synchronous version of `extractArchive`. Blocks the event loop until
524
+ * extraction completes. Prefer the async version for most use cases.
525
+ *
526
+ * # Arguments
527
+ *
528
+ * * `archive_path` - Path to the archive file
529
+ * * `output_dir` - Directory where files will be extracted
530
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
531
+ *
532
+ * # Returns
533
+ *
534
+ * `ExtractionReport` with extraction statistics
535
+ *
536
+ * # Errors
537
+ *
538
+ * Returns error for security violations or I/O errors. See `extract_archive`
539
+ * for error code documentation.
540
+ *
541
+ * # Examples
542
+ *
543
+ * ```javascript
544
+ * // Use secure defaults
545
+ * const report = extractArchiveSync('archive.tar.gz', '/tmp/output');
546
+ * console.log(`Extracted ${report.filesExtracted} files`);
547
+ *
548
+ * // Customize security settings
549
+ * const config = new SecurityConfig().setMaxFileSize(100 * 1024 * 1024);
550
+ * const report = extractArchiveSync('archive.tar.gz', '/tmp/output', config);
551
+ * ```
552
+ */
553
+ export declare function extractArchiveSync(archivePath: string, outputDir: string, config?: SecurityConfig | undefined | null, options?: ExtractionOptions | undefined | null): ExtractionReport
554
+
555
+ /**
556
+ * Extract an archive to the specified directory with a progress callback
557
+ * (async).
558
+ *
559
+ * The `progress` callback is called once per entry with
560
+ * `(path, total, current, bytesWritten)` where:
561
+ * - `path` — entry path inside the archive
562
+ * - `total` — total number of entries as `number` (0 for TAR-family formats
563
+ * because the entry count is unknown until the stream is fully read)
564
+ * - `current` — 1-based index of the current entry as `number`
565
+ * - `bytesWritten` — cumulative bytes written to disk so far as `number`
566
+ * (always 0 during extraction because the core library does not emit
567
+ * byte-level progress events for extraction; only entry-level events fire)
568
+ *
569
+ * Extraction runs on the tokio blocking thread pool. The progress callback is
570
+ * dispatched back to the JavaScript thread via a threadsafe function.
571
+ *
572
+ * # Arguments
573
+ *
574
+ * * `archive_path` - Path to the archive file
575
+ * * `output_dir` - Directory where files will be extracted
576
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
577
+ * * `options` - Optional `ExtractionOptions` (uses defaults if omitted)
578
+ * * `progress` - Optional progress callback `(path: string, total: number,
579
+ * current: number, bytesWritten: number) => void`
580
+ *
581
+ * # Returns
582
+ *
583
+ * Promise resolving to `ExtractionReport` with extraction statistics
584
+ *
585
+ * # Errors
586
+ *
587
+ * Returns error for security violations or I/O errors. Error messages are
588
+ * prefixed with error codes for discrimination in JavaScript. See
589
+ * `extractArchive` for the full list of error codes.
590
+ *
591
+ * # Examples
592
+ *
593
+ * ```javascript
594
+ * const report = await extractArchiveWithProgress(
595
+ * 'archive.tar.gz',
596
+ * '/tmp/output',
597
+ * null,
598
+ * null,
599
+ * (path, total, current, bytesWritten) => {
600
+ * console.log(`${current}/${total}: ${path}`);
601
+ * },
602
+ * );
603
+ * console.log(`Extracted ${report.filesExtracted} files`);
604
+ * ```
605
+ */
606
+ export declare function extractArchiveWithProgress(archivePath: string, outputDir: string, config?: SecurityConfig | undefined | null, options?: ExtractionOptions | undefined | null, progress?: (((err: Error | null, arg: [string, number, number, number]) => any)) | undefined | null): Promise<ExtractionReport>
607
+
608
+ /**
609
+ * Report of an archive extraction operation.
610
+ *
611
+ * Contains statistics and metadata about the extraction process.
612
+ */
613
+ export interface ExtractionReport {
614
+ /** Number of files successfully extracted. */
615
+ filesExtracted: number
616
+ /** Number of directories created. */
617
+ directoriesCreated: number
618
+ /** Number of symlinks created. */
619
+ symlinksCreated: number
620
+ /** Total bytes written to disk. */
621
+ bytesWritten: number
622
+ /** Extraction duration in milliseconds. */
623
+ durationMs: number
624
+ /** Number of files skipped due to security checks. */
625
+ filesSkipped: number
626
+ /** List of warning messages. */
627
+ warnings: Array<string>
628
+ }
629
+
630
+ /**
631
+ * List archive contents without extracting (async).
632
+ *
633
+ * # Arguments
634
+ *
635
+ * * `archive_path` - Path to archive file
636
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
637
+ *
638
+ * # Returns
639
+ *
640
+ * Promise resolving to `ArchiveManifest` with entry metadata
641
+ *
642
+ * # Errors
643
+ *
644
+ * Returns error if path validation fails, archive is invalid, or I/O errors
645
+ * occur.
646
+ *
647
+ * # Examples
648
+ *
649
+ * ```javascript
650
+ * const manifest = await listArchive('archive.tar.gz');
651
+ * for (const entry of manifest.entries) {
652
+ * console.log(`${entry.path}: ${entry.size} bytes`);
653
+ * }
654
+ * ```
655
+ */
656
+ export declare function listArchive(archivePath: string, config?: SecurityConfig | undefined | null): Promise<ArchiveManifest>
657
+
658
+ /**
659
+ * List archive contents without extracting (sync).
660
+ *
661
+ * Synchronous version of `listArchive`. Blocks the event loop until
662
+ * listing completes. Prefer the async version for most use cases.
663
+ *
664
+ * # Arguments
665
+ *
666
+ * * `archive_path` - Path to archive file
667
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
668
+ *
669
+ * # Returns
670
+ *
671
+ * `ArchiveManifest` with entry metadata
672
+ *
673
+ * # Errors
674
+ *
675
+ * Returns error if path validation fails, archive is invalid, or I/O errors
676
+ * occur.
677
+ *
678
+ * # Examples
679
+ *
680
+ * ```javascript
681
+ * const manifest = listArchiveSync('archive.tar.gz');
682
+ * for (const entry of manifest.entries) {
683
+ * console.log(`${entry.path}: ${entry.size} bytes`);
684
+ * }
685
+ * ```
686
+ */
687
+ export declare function listArchiveSync(archivePath: string, config?: SecurityConfig | undefined | null): ArchiveManifest
688
+
689
+ /** Single verification issue. */
690
+ export interface VerificationIssue {
691
+ /** Issue severity level ("Critical", "High", "Medium", "Low", "Info"). */
692
+ severity: string
693
+ /** Issue category (`PathTraversal`, `SymlinkEscape`, etc.). */
694
+ category: string
695
+ /** Entry path that triggered issue (if applicable). */
696
+ entryPath?: string
697
+ /** Human-readable description. */
698
+ message: string
699
+ /** Optional context (compression ratio, target path, etc.). */
700
+ context?: string
701
+ }
702
+
703
+ /**
704
+ * Result of archive verification.
705
+ *
706
+ * Generated by `verifyArchive()`, contains security and integrity checks
707
+ * performed without extracting files to disk.
708
+ */
709
+ export interface VerificationReport {
710
+ /** Overall verification status ("Pass", "Fail", "Warning"). */
711
+ status: string
712
+ /** Integrity check result ("Pass", "Fail", "Warning", "Skipped"). */
713
+ integrityStatus: string
714
+ /** Security check result ("Pass", "Fail", "Warning", "Skipped"). */
715
+ securityStatus: string
716
+ /** List of all issues found (sorted by severity). */
717
+ issues: Array<VerificationIssue>
718
+ /** Total entries scanned. */
719
+ totalEntries: number
720
+ /** Entries flagged as suspicious. */
721
+ suspiciousEntries: number
722
+ /** Total uncompressed size. */
723
+ totalSize: number
724
+ /** Archive format (e.g., `TarGz`, `Zip`). */
725
+ format: string
726
+ }
727
+
728
+ /**
729
+ * Verify archive integrity and security (async).
730
+ *
731
+ * # Arguments
732
+ *
733
+ * * `archive_path` - Path to archive file
734
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
735
+ *
736
+ * # Returns
737
+ *
738
+ * Promise resolving to `VerificationReport` with validation results
739
+ *
740
+ * # Errors
741
+ *
742
+ * Returns error if path validation fails, archive is invalid, or I/O errors
743
+ * occur.
744
+ *
745
+ * # Examples
746
+ *
747
+ * ```javascript
748
+ * const report = await verifyArchive('archive.tar.gz');
749
+ * if (report.status === 'PASS') {
750
+ * console.log('Archive is safe to extract');
751
+ * } else {
752
+ * for (const issue of report.issues) {
753
+ * console.log(`[${issue.severity}] ${issue.message}`);
754
+ * }
755
+ * }
756
+ * ```
757
+ */
758
+ export declare function verifyArchive(archivePath: string, config?: SecurityConfig | undefined | null): Promise<VerificationReport>
759
+
760
+ /**
761
+ * Verify archive integrity and security (sync).
762
+ *
763
+ * Synchronous version of `verifyArchive`. Blocks the event loop until
764
+ * verification completes. Prefer the async version for most use cases.
765
+ *
766
+ * # Arguments
767
+ *
768
+ * * `archive_path` - Path to archive file
769
+ * * `config` - Optional `SecurityConfig` (uses secure defaults if omitted)
770
+ *
771
+ * # Returns
772
+ *
773
+ * `VerificationReport` with validation results
774
+ *
775
+ * # Errors
776
+ *
777
+ * Returns error if path validation fails, archive is invalid, or I/O errors
778
+ * occur.
779
+ *
780
+ * # Examples
781
+ *
782
+ * ```javascript
783
+ * const report = verifyArchiveSync('archive.tar.gz');
784
+ * if (report.status === 'PASS') {
785
+ * console.log('Archive is safe to extract');
786
+ * }
787
+ * ```
788
+ */
789
+ export declare function verifyArchiveSync(archivePath: string, config?: SecurityConfig | undefined | null): VerificationReport