forlogic-core 2.3.5 → 2.3.6

package/dist/providers/CoreProviders.d.ts

@@ -82,7 +82,22 @@ export interface CoreProvidersProps {
      * @default 'supabase'
      */
     backend?: BackendMode;
+    /**
+     * Modo de segurança da lib.
+     *
+     * - `'legacy'` (default): comportamento histórico — JWT em localStorage, CORS permissivo,
+     *   mensagens de erro verbose. Mantém compatibilidade com todos os consumidores atuais.
+     * - `'strict'`: ativa antecipadamente os comportamentos do hardening v2:
+     *   mensagens de erro sanitizadas SEMPRE (mesmo em DEV), refresh de token agressivo,
+     *   warnings extras no console para padrões inseguros (apikey em URL, etc).
+     *
+     * Use `'strict'` em produção para validar antes da release v2.0.0 da lib.
+     *
+     * @default 'legacy'
+     */
+    securityMode?: 'legacy' | 'strict';
 }
+export declare function getSecurityMode(): 'legacy' | 'strict';
 /**
  * CoreProviders - Encapsulates all essential providers for forlogic-core applications
  *
@@ -104,4 +119,4 @@ export interface CoreProvidersProps {
  * }
  * ```
  */
-export declare function CoreProviders({ children, queryClient, moduleAlias, moduleAccessGuardProps, appTranslations, clarityProjectId, clarityMode, backend, }: CoreProvidersProps): import("react/jsx-runtime").JSX.Element;
+export declare function CoreProviders({ children, queryClient, moduleAlias, moduleAccessGuardProps, appTranslations, clarityProjectId, clarityMode, backend, securityMode, }: CoreProvidersProps): import("react/jsx-runtime").JSX.Element;

package/dist/storage/index.d.ts

@@ -0,0 +1,57 @@
+/**
+ * forlogic-core/storage — helpers de segurança para upload de arquivos.
+ *
+ * Cobre os pontos críticos do hardening:
+ *  - Bucket privado por default + URL assinada de TTL curto.
+ *  - Validação por magic bytes (não confiar em extensão/MIME do cliente).
+ *  - Nome aleatório (evita path traversal e enumeration).
+ *  - Allowlist de MIME por categoria.
+ */
+export declare const SAFE_IMAGE_MIME: readonly ["image/jpeg", "image/png", "image/webp", "image/gif", "image/svg+xml"];
+export declare const SAFE_DOCUMENT_MIME: readonly ["application/pdf", "application/msword", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "application/vnd.ms-powerpoint", "application/vnd.openxmlformats-officedocument.presentationml.presentation", "text/plain", "text/csv"];
+/**
+ * Buckets que SEMPRE devem ser privados (acesso via signed URL).
+ * Lista canônica para auditoria cross-projeto.
+ */
+export declare const RECOMMENDED_PRIVATE_BUCKETS: readonly ["imports", "contracts", "user-uploads", "resumes", "pdi-uploads", "performance", "knowledge-files", "trainings"];
+/**
+ * Lê os primeiros bytes do arquivo e retorna o MIME real (ou `null` se desconhecido).
+ * Lança erro se detectar formato perigoso (executável).
+ */
+export declare function detectMimeFromMagicBytes(file: Blob | File): Promise<string | null>;
+/**
+ * Valida que o arquivo casa com pelo menos um dos MIMEs permitidos (via magic bytes).
+ * Não confia no `file.type` (que vem do cliente e é falsificável).
+ */
+export declare function validateMagicBytes(file: Blob | File, allowed: readonly string[]): Promise<{
+    ok: true;
+    mime: string;
+} | {
+    ok: false;
+    reason: string;
+}>;
+/**
+ * Gera um nome de arquivo aleatório e seguro, preservando a extensão original.
+ * Remove path traversal, caracteres de controle e nomes reservados.
+ */
+export declare function sanitizeAndRandomizeFilename(originalName: string): string;
+interface SupabaseLikeStorage {
+    from(bucket: string): {
+        createSignedUrl(path: string, expiresIn: number): Promise<{
+            data: {
+                signedUrl: string;
+            } | null;
+            error: {
+                message: string;
+            } | null;
+        }>;
+    };
+}
+/**
+ * Wrapper sobre `supabase.storage.from(bucket).createSignedUrl`.
+ * Default TTL de 5 minutos — força chamadas curtas e auditáveis.
+ */
+export declare function getSignedUrl(client: {
+    storage: SupabaseLikeStorage;
+}, bucket: string, path: string, ttlSeconds?: number): Promise<string>;
+export {};

package/dist/storage/index.esm.js

@@ -0,0 +1,107 @@
+function generateId(kind = "uuid") {
+  if (kind === "short") {
+    const bytes2 = new Uint8Array(9);
+    crypto.getRandomValues(bytes2);
+    return Array.from(bytes2, (b) => b.toString(36).padStart(2, "0")).join("").slice(0, 12);
+  }
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+
+const SAFE_IMAGE_MIME = [
+  "image/jpeg",
+  "image/png",
+  "image/webp",
+  "image/gif",
+  "image/svg+xml"
+];
+const SAFE_DOCUMENT_MIME = [
+  "application/pdf",
+  "application/msword",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.ms-excel",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "application/vnd.ms-powerpoint",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "text/plain",
+  "text/csv"
+];
+const RECOMMENDED_PRIVATE_BUCKETS = [
+  "imports",
+  "contracts",
+  "user-uploads",
+  "resumes",
+  "pdi-uploads",
+  "performance",
+  "knowledge-files",
+  "trainings"
+];
+const SIGNATURES = [
+  { mime: "image/jpeg", offset: 0, bytes: [255, 216, 255] },
+  { mime: "image/png", offset: 0, bytes: [137, 80, 78, 71] },
+  { mime: "image/gif", offset: 0, bytes: [71, 73, 70, 56] },
+  { mime: "image/webp", offset: 8, bytes: [87, 69, 66, 80] },
+  { mime: "application/pdf", offset: 0, bytes: [37, 80, 68, 70] },
+  { mime: "application/zip", offset: 0, bytes: [80, 75, 3, 4] }
+  // .docx/.xlsx/.pptx
+];
+const DANGEROUS_SIGNATURES = [
+  { mime: "application/x-msdownload", offset: 0, bytes: [77, 90] },
+  // PE/EXE
+  { mime: "application/x-elf", offset: 0, bytes: [127, 69, 76, 70] }
+  // ELF
+];
+function matches(buf, sig) {
+  for (let i = 0; i < sig.bytes.length; i++) {
+    if (buf[sig.offset + i] !== sig.bytes[i]) return false;
+  }
+  return true;
+}
+async function detectMimeFromMagicBytes(file) {
+  const buf = new Uint8Array(await file.slice(0, 16).arrayBuffer());
+  for (const sig of DANGEROUS_SIGNATURES) {
+    if (matches(buf, sig)) {
+      throw new Error(`Arquivo execut\xE1vel detectado (${sig.mime}). Upload bloqueado.`);
+    }
+  }
+  for (const sig of SIGNATURES) {
+    if (matches(buf, sig)) return sig.mime;
+  }
+  return null;
+}
+async function validateMagicBytes(file, allowed) {
+  try {
+    const detected = await detectMimeFromMagicBytes(file);
+    if (!detected) return { ok: false, reason: "Tipo de arquivo n\xE3o reconhecido" };
+    if (!allowed.includes(detected)) {
+      return { ok: false, reason: `Tipo ${detected} n\xE3o permitido` };
+    }
+    return { ok: true, mime: detected };
+  } catch (e) {
+    return { ok: false, reason: e instanceof Error ? e.message : "Valida\xE7\xE3o falhou" };
+  }
+}
+function sanitizeAndRandomizeFilename(originalName) {
+  const lastDot = originalName.lastIndexOf(".");
+  const ext = lastDot > 0 ? originalName.slice(lastDot + 1).toLowerCase() : "";
+  const safeExt = ext.replace(/[^a-z0-9]/g, "").slice(0, 8);
+  const random = generateId("short");
+  return safeExt ? `${random}.${safeExt}` : random;
+}
+async function getSignedUrl(client, bucket, path, ttlSeconds = 300) {
+  if (ttlSeconds > 3600) {
+    throw new Error("TTL > 1h n\xE3o \xE9 permitido por padr\xE3o. Justifique no call-site.");
+  }
+  const { data, error } = await client.storage.from(bucket).createSignedUrl(path, ttlSeconds);
+  if (error || !data) throw new Error(error?.message ?? "Falha ao gerar signed URL");
+  return data.signedUrl;
+}
+
+export { RECOMMENDED_PRIVATE_BUCKETS, SAFE_DOCUMENT_MIME, SAFE_IMAGE_MIME, detectMimeFromMagicBytes, getSignedUrl, sanitizeAndRandomizeFilename, validateMagicBytes };

package/dist/storage/index.js

@@ -0,0 +1,115 @@
+'use strict';
+
+function generateId(kind = "uuid") {
+  if (kind === "short") {
+    const bytes2 = new Uint8Array(9);
+    crypto.getRandomValues(bytes2);
+    return Array.from(bytes2, (b) => b.toString(36).padStart(2, "0")).join("").slice(0, 12);
+  }
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+
+const SAFE_IMAGE_MIME = [
+  "image/jpeg",
+  "image/png",
+  "image/webp",
+  "image/gif",
+  "image/svg+xml"
+];
+const SAFE_DOCUMENT_MIME = [
+  "application/pdf",
+  "application/msword",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.ms-excel",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "application/vnd.ms-powerpoint",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "text/plain",
+  "text/csv"
+];
+const RECOMMENDED_PRIVATE_BUCKETS = [
+  "imports",
+  "contracts",
+  "user-uploads",
+  "resumes",
+  "pdi-uploads",
+  "performance",
+  "knowledge-files",
+  "trainings"
+];
+const SIGNATURES = [
+  { mime: "image/jpeg", offset: 0, bytes: [255, 216, 255] },
+  { mime: "image/png", offset: 0, bytes: [137, 80, 78, 71] },
+  { mime: "image/gif", offset: 0, bytes: [71, 73, 70, 56] },
+  { mime: "image/webp", offset: 8, bytes: [87, 69, 66, 80] },
+  { mime: "application/pdf", offset: 0, bytes: [37, 80, 68, 70] },
+  { mime: "application/zip", offset: 0, bytes: [80, 75, 3, 4] }
+  // .docx/.xlsx/.pptx
+];
+const DANGEROUS_SIGNATURES = [
+  { mime: "application/x-msdownload", offset: 0, bytes: [77, 90] },
+  // PE/EXE
+  { mime: "application/x-elf", offset: 0, bytes: [127, 69, 76, 70] }
+  // ELF
+];
+function matches(buf, sig) {
+  for (let i = 0; i < sig.bytes.length; i++) {
+    if (buf[sig.offset + i] !== sig.bytes[i]) return false;
+  }
+  return true;
+}
+async function detectMimeFromMagicBytes(file) {
+  const buf = new Uint8Array(await file.slice(0, 16).arrayBuffer());
+  for (const sig of DANGEROUS_SIGNATURES) {
+    if (matches(buf, sig)) {
+      throw new Error(`Arquivo execut\xE1vel detectado (${sig.mime}). Upload bloqueado.`);
+    }
+  }
+  for (const sig of SIGNATURES) {
+    if (matches(buf, sig)) return sig.mime;
+  }
+  return null;
+}
+async function validateMagicBytes(file, allowed) {
+  try {
+    const detected = await detectMimeFromMagicBytes(file);
+    if (!detected) return { ok: false, reason: "Tipo de arquivo n\xE3o reconhecido" };
+    if (!allowed.includes(detected)) {
+      return { ok: false, reason: `Tipo ${detected} n\xE3o permitido` };
+    }
+    return { ok: true, mime: detected };
+  } catch (e) {
+    return { ok: false, reason: e instanceof Error ? e.message : "Valida\xE7\xE3o falhou" };
+  }
+}
+function sanitizeAndRandomizeFilename(originalName) {
+  const lastDot = originalName.lastIndexOf(".");
+  const ext = lastDot > 0 ? originalName.slice(lastDot + 1).toLowerCase() : "";
+  const safeExt = ext.replace(/[^a-z0-9]/g, "").slice(0, 8);
+  const random = generateId("short");
+  return safeExt ? `${random}.${safeExt}` : random;
+}
+async function getSignedUrl(client, bucket, path, ttlSeconds = 300) {
+  if (ttlSeconds > 3600) {
+    throw new Error("TTL > 1h n\xE3o \xE9 permitido por padr\xE3o. Justifique no call-site.");
+  }
+  const { data, error } = await client.storage.from(bucket).createSignedUrl(path, ttlSeconds);
+  if (error || !data) throw new Error(error?.message ?? "Falha ao gerar signed URL");
+  return data.signedUrl;
+}
+
+exports.RECOMMENDED_PRIVATE_BUCKETS = RECOMMENDED_PRIVATE_BUCKETS;
+exports.SAFE_DOCUMENT_MIME = SAFE_DOCUMENT_MIME;
+exports.SAFE_IMAGE_MIME = SAFE_IMAGE_MIME;
+exports.detectMimeFromMagicBytes = detectMimeFromMagicBytes;
+exports.getSignedUrl = getSignedUrl;
+exports.sanitizeAndRandomizeFilename = sanitizeAndRandomizeFilename;
+exports.validateMagicBytes = validateMagicBytes;

package/dist/utils/generateId.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Gerador de IDs criptograficamente seguros.
+ *
+ * Substitui o padrão antigo `Date.now().toString()`, que é previsível,
+ * colide sob alta concorrência e revela timestamps internos.
+ *
+ * @example
+ * const id = generateId();           // UUID v4 padrão
+ * const short = generateId('short'); // 12 chars base36 (não-criptográfico)
+ */
+export declare function generateId(kind?: 'uuid' | 'short'): string;
+/**
+ * @deprecated Use `generateId()`. `Date.now()` como ID é previsível e colide.
+ */
+export declare const timestampId: () => string;

package/dist/utils/index.d.ts

@@ -7,3 +7,5 @@ export declare const debounce: <T extends (...args: any[]) => any>(func: T, wait
 export declare const slugify: (text: string) => string;
 export { generatePastelBg, getLuminance, getContrastRatio } from './color';
 export { handleExternalLink, buildModuleUrl } from './linkHelpers';
+export { generateId, timestampId } from './generateId';
+export { sanitizeErrorMessage, stripTechHeaders } from './sanitizeError';

package/dist/utils/sanitizeError.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Retorna uma mensagem segura para exibir ao usuário final.
+ * Em DEV, retorna a mensagem original. Em PROD, mascara detalhes técnicos.
+ */
+export declare function sanitizeErrorMessage(error: unknown): string;
+/**
+ * Remove campos técnicos de um objeto de erro antes de enviá-lo para logs externos.
+ */
+export declare function stripTechHeaders<T extends Record<string, unknown>>(payload: T): Partial<T>;

package/dist/validation/index.d.ts

@@ -0,0 +1 @@
+export * from './schemas';

package/dist/validation/index.esm.js

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+
+const emailSchema = z.string().trim().toLowerCase().min(3, "E-mail muito curto").max(254, "E-mail muito longo").email("E-mail inv\xE1lido");
+const aliasSchema = z.string().trim().toLowerCase().min(2, "Alias muito curto").max(64, "Alias muito longo").regex(/^[a-z0-9][a-z0-9-]*[a-z0-9]$/, "Alias cont\xE9m caracteres inv\xE1lidos");
+const uuidSchema = z.string().uuid("UUID inv\xE1lido");
+const userIdSchema = z.string().trim().min(1, "userId obrigat\xF3rio").max(64, "userId muito longo").regex(/^[a-zA-Z0-9._-]+$/, "userId cont\xE9m caracteres inv\xE1lidos");
+const safeStringSchema = (max = 1e3) => z.string().trim().max(max, `Texto excede ${max} caracteres`).refine((v) => !/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(v), "Cont\xE9m caracteres inv\xE1lidos");
+const paginationSchema = z.object({
+  page: z.coerce.number().int().min(1).default(1),
+  pageSize: z.coerce.number().int().min(1).max(500).default(50)
+});
+
+export { aliasSchema, emailSchema, paginationSchema, safeStringSchema, userIdSchema, uuidSchema };

package/dist/validation/index.js

@@ -0,0 +1,20 @@
+'use strict';
+
+var zod = require('zod');
+
+const emailSchema = zod.z.string().trim().toLowerCase().min(3, "E-mail muito curto").max(254, "E-mail muito longo").email("E-mail inv\xE1lido");
+const aliasSchema = zod.z.string().trim().toLowerCase().min(2, "Alias muito curto").max(64, "Alias muito longo").regex(/^[a-z0-9][a-z0-9-]*[a-z0-9]$/, "Alias cont\xE9m caracteres inv\xE1lidos");
+const uuidSchema = zod.z.string().uuid("UUID inv\xE1lido");
+const userIdSchema = zod.z.string().trim().min(1, "userId obrigat\xF3rio").max(64, "userId muito longo").regex(/^[a-zA-Z0-9._-]+$/, "userId cont\xE9m caracteres inv\xE1lidos");
+const safeStringSchema = (max = 1e3) => zod.z.string().trim().max(max, `Texto excede ${max} caracteres`).refine((v) => !/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(v), "Cont\xE9m caracteres inv\xE1lidos");
+const paginationSchema = zod.z.object({
+  page: zod.z.coerce.number().int().min(1).default(1),
+  pageSize: zod.z.coerce.number().int().min(1).max(500).default(50)
+});
+
+exports.aliasSchema = aliasSchema;
+exports.emailSchema = emailSchema;
+exports.paginationSchema = paginationSchema;
+exports.safeStringSchema = safeStringSchema;
+exports.userIdSchema = userIdSchema;
+exports.uuidSchema = uuidSchema;

package/dist/validation/schemas.d.ts

@@ -0,0 +1,26 @@
+import { z } from 'zod';
+/**
+ * Schemas zod compartilhados para validações comuns em toda a stack
+ * (forms, edge functions, payloads de API).
+ *
+ * Centralizar reduz superfície de bugs e garante regras consistentes
+ * de hardening entre projetos que consomem `forlogic-core`.
+ */
+export declare const emailSchema: z.ZodString;
+export declare const aliasSchema: z.ZodString;
+export declare const uuidSchema: z.ZodString;
+/** IDs de usuário Qualiex são short alphanumeric (NUNCA UUIDs). */
+export declare const userIdSchema: z.ZodString;
+/** String sanitizada: sem caracteres de controle, tamanho limitado. */
+export declare const safeStringSchema: (max?: number) => z.ZodEffects<z.ZodString, string, string>;
+export declare const paginationSchema: z.ZodObject<{
+    page: z.ZodDefault<z.ZodNumber>;
+    pageSize: z.ZodDefault<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    page?: number;
+    pageSize?: number;
+}, {
+    page?: number;
+    pageSize?: number;
+}>;
+export type PaginationParams = z.infer<typeof paginationSchema>;

package/dist/vite/index.esm.js

@@ -137,6 +137,13 @@ function createSecurityHeadersPlugin(isDev, options = {}) {
     configureServer(server) {
       server.middlewares.use((req, res, next) => {
         const origin = req.headers.origin;
+        const method = (req.method ?? "").toUpperCase();
+        if (method === "TRACE" || method === "CONNECT") {
+          res.statusCode = 405;
+          res.setHeader("Allow", "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD");
+          res.end();
+          return;
+        }
         if (origin && isOriginTrusted(origin, allTrustedOrigins)) {
           res.setHeader("Access-Control-Allow-Origin", origin);
           res.setHeader("Access-Control-Allow-Credentials", "true");
@@ -149,12 +156,12 @@ function createSecurityHeadersPlugin(isDev, options = {}) {
             "authorization, x-client-info, apikey, content-type, x-csrf-token, x-nonce"
           );
           res.setHeader("Access-Control-Max-Age", "86400");
-          res.setHeader("Vary", "Origin");
         } else if (origin) {
           console.warn(
             `\u{1F6A8} CORS BLOCKED: Untrusted origin attempted access: ${origin}`
           );
         }
+        res.setHeader("Vary", "Origin");
         res.setHeader(
           "Strict-Transport-Security",
           "max-age=31536000; includeSubDomains; preload"
@@ -167,6 +174,8 @@ function createSecurityHeadersPlugin(isDev, options = {}) {
           "Permissions-Policy",
           "camera=(), microphone=(), geolocation=(), fullscreen=(self), payment=(), display-capture=()"
         );
+        res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+        res.setHeader("Cross-Origin-Resource-Policy", "same-site");
         res.setHeader("Content-Security-Policy", cspPolicy);
         next();
       });

package/dist/vite/index.js

@@ -139,6 +139,13 @@ function createSecurityHeadersPlugin(isDev, options = {}) {
     configureServer(server) {
       server.middlewares.use((req, res, next) => {
         const origin = req.headers.origin;
+        const method = (req.method ?? "").toUpperCase();
+        if (method === "TRACE" || method === "CONNECT") {
+          res.statusCode = 405;
+          res.setHeader("Allow", "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD");
+          res.end();
+          return;
+        }
         if (origin && isOriginTrusted(origin, allTrustedOrigins)) {
           res.setHeader("Access-Control-Allow-Origin", origin);
           res.setHeader("Access-Control-Allow-Credentials", "true");
@@ -151,12 +158,12 @@ function createSecurityHeadersPlugin(isDev, options = {}) {
             "authorization, x-client-info, apikey, content-type, x-csrf-token, x-nonce"
           );
           res.setHeader("Access-Control-Max-Age", "86400");
-          res.setHeader("Vary", "Origin");
         } else if (origin) {
           console.warn(
             `\u{1F6A8} CORS BLOCKED: Untrusted origin attempted access: ${origin}`
           );
         }
+        res.setHeader("Vary", "Origin");
         res.setHeader(
           "Strict-Transport-Security",
           "max-age=31536000; includeSubDomains; preload"
@@ -169,6 +176,8 @@ function createSecurityHeadersPlugin(isDev, options = {}) {
           "Permissions-Policy",
           "camera=(), microphone=(), geolocation=(), fullscreen=(self), payment=(), display-capture=()"
         );
+        res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+        res.setHeader("Cross-Origin-Resource-Policy", "same-site");
         res.setHeader("Content-Security-Policy", cspPolicy);
         next();
       });