i18ntk 3.1.2 → 3.2.0

package/CHANGELOG.md

@@ -3,34 +3,72 @@
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [3.1.2] - 2026-05-07
-
-### Fixed
-- Auto Translate now resolves locale roots such as `./locales` to the selected source-language folder such as `./locales/en` when JSON files are stored under language folders.
-- Public package staging now verifies root `package.json` and `package.public.json` release metadata are synchronized before pack or publish.
-- Added a safe `publish:public:dry-run` path for validating the exact staged npm publish flow.
-
-### Changed
-- Updated release docs, npm README metadata, and package manifests for v3.1.2.
-- Kept generated backups, temporary benchmark datasets, local setup state, and debug repair files out of future public repo commits through `.gitignore`.
-
-## [3.1.1] - 2026-05-07
-
-### Added
-- **Auto Translate protection file workflow**: Added user-editable `i18ntk-auto-translate.json` support for protected terms, key paths, exact values, and regex patterns.
-- **Public package README guard**: Public package staging now verifies `README.md` is included and non-empty before publish.
-
-### Changed
-- Updated README and release documentation for the current Auto Translate protection workflow and public package contents.
-- Removed project-specific hardcoded validation examples so users configure their own brand and domain terms.
-
-### Fixed
-- Removed provider-shaped fake secret fixtures from tests to avoid GitHub push protection false positives.
-- Ensured public package metadata includes `readmeFilename: "README.md"` so npm can render the package README.
-
-## [3.1.0] - 2026-05-07
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [3.2.0] - 2026-05-16
+
+### Security
+- **CRITICAL**: Fixed invalid `crypto.createCipherGCM`/`createDecipherGCM` API calls in `admin-pin.js` — replaced with `crypto.createCipheriv`/`createDecipheriv`.
+- **CRITICAL**: Fixed missing `SecurityUtils` imports in `admin-pin.js`, `security-config.js`, and `scripts/security-check.js` causing `ReferenceError` at runtime.
+- **CRITICAL**: Removed encryption key stored alongside ciphertext in `admin-pin.js`. The AES key was stored in the same JSON file as the encrypted PIN, providing zero cryptographic protection. Encryption key is now derived via HKDF from the scrypt hash.
+- Enforced HTTPS-only for Google Translate API requests in `utils/translate/api.js`; dropped `http` protocol support.
+- Fixed `http.get` timeout for Node.js <16.14 compatibility by using `req.setTimeout()` instead of the options-based `{ timeout }` parameter.
+- Added `SecurityUtils.validatePath` checks to `secure-backup.js` `restoreBackup` and `verifyBackup` methods.
+- Added `backupDir` traversal validation in `secure-backup.js` constructor.
+- Fixed `FileManagementService` `isAuthRequiredForScript`/`verifyPin` stubs — previously returned hardcoded `false`/`true`, disabling PIN protection. Now delegates to proper `AdminAuth` module.
+- Fixed `admin-auth.js` `logSecurityEvent` signature mismatches — 6 calls passed raw strings instead of structured objects.
+- Fixed `admin-pin.js` `getPinDisplay` to use stored `pinLength` instead of decrypting the raw PIN into memory.
+
+### Fixed
+- `admin-pin.js` lockout now uses timestamp-based expiry (`lockedUntil`) instead of `setTimeout`, ensuring lockout state survives process restarts.
+- `translate/traverse.js` `setLeaf` now correctly creates `[]` for numeric array indices (was creating `{}`).
+- `translate/traverse.js` extracted shared `parseKeyPath` function — `setLeaf` and `getLeaf` had duplicate path-parsing logic.
+- `translate/traverse.js` `deepClone` now handles `null`, `undefined`, and circular references gracefully.
+- `translate/api.js` retry logic now retries `TimeoutError` and `NetworkError` with exponential backoff (previously only retried rate-limit errors).
+- `translate/api.js` added `User-Agent` header to Google Translate API requests.
+- `main/manage/index.js` `startupTimeout` no longer cleared before `createPrompt` and other blocking initialization steps.
+- `main/manage/index.js` removed silent no-op `t('init.autoDetectedI18nDirectory', ...)` whose return value was never used.
+- `ultra-performance-optimizer.js` removed dead `preallocateMemory` pools (`stringPool`, `objectPool`, `arrayPool`) — ~1MB wasted allocation.
+- `ultra-performance-optimizer.js` `getCacheKey` now uses async `fs.stat` instead of blocking `fs.statSync`.
+- `ultra-performance-optimizer.js` GC timer now enforces minimum 5-second interval and warns when `--expose-gc` is missing.
+- `ultra-performance-optimizer.js` `readFileUltra` now handles files >64KB with chunked reads.
+- `ultra-performance-optimizer.js` `createUltraCache` replaced per-entry `setTimeout` (timer leak) with unified cleanup interval.
+- `ultra-performance-optimizer.js` benchmark now uses real benchmark datasets instead of non-existent mock files.
+- `config-manager.js` now exports `loadSettings`/`saveSettings` aliases — resolves 20+ phantom API fallback calls across the codebase.
+- `config-manager.js` `updateConfig` now clones before deep-merging to prevent in-place cache corruption.
+- `admin-pin.js` scrypt→pbkdf2 fallback now emits a console warning instead of failing silently.
+
+### Changed
+- Updated all documentation to v3.2.0: README, CHANGELOG, docs/README, getting-started, runtime, auto-translate, environment-variables, scanner-guide, API_REFERENCE, COMPONENTS, and CONFIGURATION.
+- Updated `package.json` version, `versionInfo`, `majorChanges`, and `nextVersion` for v3.2.0.
+- Socket badge URL updated to v3.2.0.
+
+## [3.1.2] - 2026-05-07
+
+### Fixed
+- Auto Translate now resolves locale roots such as `./locales` to the selected source-language folder such as `./locales/en` when JSON files are stored under language folders.
+- Public package staging now verifies root `package.json` and `package.public.json` release metadata are synchronized before pack or publish.
+- Added a safe `publish:public:dry-run` path for validating the exact staged npm publish flow.
+
+### Changed
+- Updated release docs, npm README metadata, and package manifests for v3.1.2.
+- Kept generated backups, temporary benchmark datasets, local setup state, and debug repair files out of future public repo commits through `.gitignore`.
+
+## [3.1.1] - 2026-05-07
+
+### Added
+- **Auto Translate protection file workflow**: Added user-editable `i18ntk-auto-translate.json` support for protected terms, key paths, exact values, and regex patterns.
+- **Public package README guard**: Public package staging now verifies `README.md` is included and non-empty before publish.
+
+### Changed
+- Updated README and release documentation for the current Auto Translate protection workflow and public package contents.
+- Removed project-specific hardcoded validation examples so users configure their own brand and domain terms.
+
+### Fixed
+- Removed provider-shaped fake secret fixtures from tests to avoid GitHub push protection false positives.
+- Ensured public package metadata includes `readmeFilename: "README.md"` so npm can render the package README.
+
+## [3.1.0] - 2026-05-07
 
 ### Added
 - **Placeholder-preserve translation mode**: Translates text segments around dynamic placeholders and reinserts the original tokens exactly.

package/README.md

@@ -1,4 +1,4 @@
-# i18ntk v3.1.2
+# i18ntk v3.2.0
 
 Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, translation completion, automatic JSON locale translation, reporting, and runtime translation loading.
 
@@ -9,7 +9,7 @@ Zero-dependency internationalization toolkit for setup, scanning, analysis, vali
 [![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)
 [![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)
 [![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
-[![socket](https://socket.dev/api/badge/npm/package/i18ntk/3.1.2)](https://socket.dev/npm/package/i18ntk/overview/3.1.2)
+[![socket](https://socket.dev/api/badge/npm/package/i18ntk/3.2.0)](https://socket.dev/npm/package/i18ntk/overview/3.2.0)
 
 ## Install
 
@@ -30,21 +30,14 @@ Requirements:
 - npm `>=8.0.0`
 - No runtime dependencies
 
-## What's New in 3.1.2
+## What's New in 3.2.0
 
-- Auto Translate can translate strings that contain placeholders by translating text around the placeholders and reinserting the original tokens.
-- Auto Translate supports user-editable protection rules in `i18ntk-auto-translate.json` for brand names, product terms, exact values, key paths, and regex patterns.
-- The manager Auto Translate flow runs in-process, avoiding production `child_process` usage for that command.
-- The target-language prompt supports `all` to translate into every configured target language while excluding the source language.
-- Source-directory prompts are clearer and accept absolute paths or project-relative paths.
-- Validation warnings now distinguish URLs, email addresses, secret-like values, and likely untranslated English content.
-- Sizing reports now include per-language file counts, file-set mismatches, and per-file key/character statistics.
-- Internal UI locale coverage is enforced against the English UI locale.
-- Public package staging verifies `README.md` is present before publish.
-- Auto Translate now resolves locale roots such as `./locales` to the selected source-language folder such as `./locales/en` when needed.
-- Public package staging now fails when root `package.json` and `package.public.json` release metadata drift.
+- **SECURITY**: Fixed 4 critical runtime-crash bugs (invalid crypto APIs, missing imports) across admin-pin.js, security-config.js, and scripts/security-check.js.
+- **SECURITY**: Removed encryption key stored alongside ciphertext in admin-pin.js; encryption key is now derived via HKDF.
+- **SECURITY**: Enforced HTTPS-only for Google Translate API requests; fixed http.get timeout for Node.js <16.14 compatibility.
+- **SECURITY**: Added path validation to backup restore/verify operations; locked down FileManagementService PIN verification stubs.
 
-See [CHANGELOG.md](./CHANGELOG.md) and [docs/migration-guide-v3.1.2.md](./docs/migration-guide-v3.1.2.md) for release details.
+See [CHANGELOG.md](./CHANGELOG.md) and [docs/migration-guide-v3.2.0.md](./docs/migration-guide-v3.2.0.md) for release details.
 
 ## Quick Start
 
@@ -296,7 +289,7 @@ Example:
 
 ```json
 {
-  "version": "3.1.2",
+  "version": "3.2.0",
   "sourceDir": "./locales",
   "i18nDir": "./locales",
   "outputDir": "./i18ntk-reports",
@@ -354,7 +347,7 @@ The public package manifest includes `readmeFilename: "README.md"`, and the rele
 - [Auto Translate Guide](./docs/auto-translate.md)
 - [Scanner Guide](./docs/scanner-guide.md)
 - [Environment Variables](./docs/environment-variables.md)
-- [Migration Guide v3.1.2](./docs/migration-guide-v3.1.2.md)
+- [Migration Guide v3.2.0](./docs/migration-guide-v3.2.0.md)
 - [Migration Guide v3.1.1](./docs/migration-guide-v3.1.1.md)
 - [Migration Guide v3.0.0](./docs/migration-guide-v3.0.0.md)
 - [Migration Guide v2.6.0](./docs/migration-guide-v2.6.0.md)

package/main/manage/index.js

@@ -146,7 +146,6 @@ class I18nManager {
 
                     if (hasLanguageDirs) {
                         this.config.sourceDir = possiblePath;
-                        t('init.autoDetectedI18nDirectory', { path: possiblePath });
                         break;
                     }
                 } catch (error) {
@@ -347,7 +346,6 @@ class I18nManager {
             if (!shouldSkipInitCheck) {
                 await SetupEnforcer.checkSetupCompleteAsync();
             }
-            clearStartupTimeout();
 
             prompt = createPrompt({ noPrompt: args.noPrompt });
             const interactive = isInteractive({ noPrompt: args.noPrompt });

package/main/manage/managers/InteractiveMenu.js

@@ -1,6 +1,10 @@
 /**
  * Interactive Menu Manager
  * @module managers/InteractiveMenu
+ * @deprecated This module is superseded by the I18nManager.showInteractiveMenu
+ *   implementation in main/manage/index.js. This file is retained only for
+ *   backward compatibility with existing test references and should not be
+ *   used in new code.
  */
 
 const { t } = require('../../../utils/i18n-helper');

package/main/manage/services/FileManagementService.js

@@ -350,19 +350,22 @@ module.exports = class FileManagementService {
    * @returns {Promise<boolean>} True if authentication is required
    */
   async isAuthRequiredForScript(scriptName) {
-    // This would need to be implemented based on the authentication service
-    // For now, return false as a placeholder
-    return false;
+    try {
+      const SecurityUtils = require('../../../utils/security');
+      const configPath = path.join(process.cwd(), 'settings', 'admin-pin.json');
+      return SecurityUtils.safeExistsSync(configPath);
+    } catch {
+      return false;
+    }
   }
 
-  /**
-   * Verify PIN for authentication
-   * @param {string} pin - PIN to verify
-   * @returns {Promise<boolean>} True if PIN is valid
-   */
   async verifyPin(pin) {
-    // This would need to be implemented based on the authentication service
-    // For now, return true as a placeholder
-    return true;
+    try {
+      const AdminAuth = require('../../../utils/admin-auth');
+      const auth = new AdminAuth();
+      return await auth.verifyPin(pin);
+    } catch {
+      return false;
+    }
   }
 };

package/package.json

@@ -1,9 +1,11 @@
 {
   "name": "i18ntk",
-  "version": "3.1.2",
-  "description": "Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, auto translation, fixing, reporting, and runtime translation loading.",
+  "version": "3.2.0",
+  "description": "i18n Tool Kit - Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, auto translation, fixing, reporting, and runtime translation loading.",
   "readmeFilename": "README.md",
   "keywords": [
+    "i18ntk",
+    "i18n-toolkit",
     "i18n",
     "internationalization",
     "localization",
@@ -159,5 +161,5 @@
     "access": "public"
   },
   "preferGlobal": true,
-  "readme": "# i18ntk v3.1.2\n\nZero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, translation completion, automatic JSON locale translation, reporting, and runtime translation loading.\n\n![i18ntk Logo](https://raw.githubusercontent.com/vladnoskv/i18ntk/main/docs/screenshots/i18ntk-logo-public.PNG)\n\n[![npm version](https://img.shields.io/npm/v/i18ntk.svg?color=brightgreen)](https://www.npmjs.com/package/i18ntk)\n[![npm downloads](https://img.shields.io/npm/dt/i18ntk.svg)](https://www.npmjs.com/package/i18ntk)\n[![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)\n[![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)\n[![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)\n[![socket](https://socket.dev/api/badge/npm/package/i18ntk/3.1.2)](https://socket.dev/npm/package/i18ntk/overview/3.1.2)\n\n## Install\n\n```bash\n# global CLI use\nnpm install -g i18ntk\n\n# local project use\nnpm install --save-dev i18ntk\n\n# one-off execution\nnpx i18ntk --help\n```\n\nRequirements:\n\n- Node.js `>=16.0.0`\n- npm `>=8.0.0`\n- No runtime dependencies\n\n## What's New in 3.1.2\n\n- Auto Translate can translate strings that contain placeholders by translating text around the placeholders and reinserting the original tokens.\n- Auto Translate supports user-editable protection rules in `i18ntk-auto-translate.json` for brand names, product terms, exact values, key paths, and regex patterns.\n- The manager Auto Translate flow runs in-process, avoiding production `child_process` usage for that command.\n- The target-language prompt supports `all` to translate into every configured target language while excluding the source language.\n- Source-directory prompts are clearer and accept absolute paths or project-relative paths.\n- Validation warnings now distinguish URLs, email addresses, secret-like values, and likely untranslated English content.\n- Sizing reports now include per-language file counts, file-set mismatches, and per-file key/character statistics.\n- Internal UI locale coverage is enforced against the English UI locale.\n- Public package staging verifies `README.md` is present before publish.\n- Auto Translate now resolves locale roots such as `./locales` to the selected source-language folder such as `./locales/en` when needed.\n- Public package staging now fails when root `package.json` and `package.public.json` release metadata drift.\n\nSee [CHANGELOG.md](./CHANGELOG.md) and [docs/migration-guide-v3.1.2.md](./docs/migration-guide-v3.1.2.md) for release details.\n\n## Quick Start\n\nInitialize a project:\n\n```bash\ni18ntk\n# or\ni18ntk --command=init\n```\n\nRun common checks:\n\n```bash\ni18ntk --command=analyze\ni18ntk --command=validate\ni18ntk --command=usage\ni18ntk --command=sizing\ni18ntk --command=summary\n```\n\nComplete or fix translation files:\n\n```bash\ni18ntk --command=complete\ni18ntk-fixer --help\n```\n\nAuto-translate locale JSON:\n\n```bash\ni18ntk --command=translate\n# or\ni18ntk-translate locales/en/common.json de --report-stdout\n```\n\nThe full onboarding guide is in [docs/getting-started.md](./docs/getting-started.md).\n\n## Main Commands\n\nPrimary CLI:\n\n```bash\ni18ntk\ni18ntk --help\ni18ntk --command=init\ni18ntk --command=analyze\ni18ntk --command=validate\ni18ntk --command=usage\ni18ntk --command=scanner\ni18ntk --command=sizing\ni18ntk --command=complete\ni18ntk --command=translate\ni18ntk --command=summary\ni18ntk --command=debug\n```\n\nStandalone executables:\n\n```bash\ni18ntk-init\ni18ntk-analyze\ni18ntk-validate\ni18ntk-usage\ni18ntk-scanner\ni18ntk-sizing\ni18ntk-complete\ni18ntk-summary\ni18ntk-doctor\ni18ntk-fixer\ni18ntk-backup\ni18ntk-translate\n```\n\nNote: manager route `i18ntk --command=backup` is disabled in current builds. Use `i18ntk-backup` directly for backup operations.\n\n## Common Options\n\nMost commands support:\n\n- `--source-dir <path>`\n- `--i18n-dir <path>`\n- `--output-dir <path>`\n- `--source-language <code>`\n- `--ui-language <code>`\n- `--no-prompt`\n- `--dry-run`\n- `--help`\n\nExample:\n\n```bash\ni18ntk --command=analyze --source-dir=./src --i18n-dir=./locales --output-dir=./i18ntk-reports\n```\n\n## Auto Translate\n\nInteractive manager flow:\n\n```bash\ni18ntk\n# choose \"Auto Translate (Beta)\"\n```\n\nDirect CLI examples:\n\n```bash\ni18ntk-translate locales/en/common.json de\ni18ntk-translate locales/en/common.json fr --dry-run --report-stdout\ni18ntk-translate locales/en es --source-dir locales/en --files \"*.json\" --no-confirm --preserve-placeholders\n```\n\nThe manager flow asks for:\n\n- source locale directory, either the folder with JSON files or a locale root such as `./locales`\n- source language code\n- one or more target languages, or `all`\n- one JSON file or all JSON files in the source directory\n\nIf you select a locale root such as `./locales` and choose source language `en`, the manager automatically uses `./locales/en` when that folder contains the source JSON files.\n\nBefore writing files, the manager can run a dry-run preview. After confirmation it writes translated files under sibling target-language folders, for example:\n\n```text\nlocales/en/common.json\nlocales/de/common.json\nlocales/fr/common.json\n```\n\n### Placeholder Handling\n\nAuto Translate detects common placeholders such as:\n\n- `{name}`\n- `{{count}}`\n- `%s`\n- `%d`\n- `:id`\n- `%{name}`\n- `${value}`\n\nUseful flags:\n\n- `--preserve-placeholders`: translate text around placeholders and reinsert original tokens\n- `--skip-placeholders`: copy placeholder-bearing strings unchanged\n- `--send-placeholders`: send placeholder-bearing strings through translation after masking\n- `--custom-regex <regex>`: add project-specific placeholder detection\n\n### Protected Terms and Keys\n\nAuto Translate can create and use a project-local protection file:\n\n```bash\ni18ntk-translate locales/en/common.json de --create-protection-file --protection-file ./i18ntk-auto-translate.json\n```\n\nExample `i18ntk-auto-translate.json`:\n\n```json\n{\n  \"version\": 1,\n  \"terms\": [\"BrandName\", \"PRODUCT_CODE\", \"API\"],\n  \"keys\": [\"app.brandName\", \"legal.companyName\", \"product.*.symbol\"],\n  \"values\": [\"BrandName Ltd\", \"support@example.com\"],\n  \"patterns\": [\"[A-Z]{2,}-\\\\d+\"]\n}\n```\n\n- `terms` are masked before translation and restored exactly afterward.\n- `keys` are exact key paths or `*` wildcard paths copied unchanged.\n- `values` are exact source values copied unchanged.\n- `patterns` are JavaScript regex strings for advanced protected substrings.\n\nUseful flags:\n\n- `--protection-file <path>`\n- `--create-protection-file`\n- `--no-protection`\n\nOpen Settings and choose `Auto Translate Beta` to edit defaults for placeholder mode, concurrency, batch size, retry settings, report output, BOM output, protection file path, first-run setup prompt, and update prompt.\n\nSee [docs/auto-translate.md](./docs/auto-translate.md) for the full Auto Translate guide.\n\n## Validation\n\nValidation checks locale structure, completeness, placeholders, and content risks.\n\nIn 3.1.2, warning types are more specific:\n\n- `Potential risky content`: URL, email address, or secret-like value\n- `Possible untranslated English content`: target-language value appears to contain too much English\n\nEnglish-content warnings include:\n\n- detected English percentage\n- configured threshold\n- matched word count\n- sample matched words\n\nTune warnings in `.i18ntk-config`:\n\n```json\n{\n  \"englishContentThresholdPercent\": 10,\n  \"allowedEnglishTerms\": [\"BrandName\", \"PRODUCT_CODE\"]\n}\n```\n\n## Sizing Analysis\n\n`i18ntk-sizing` reports translation file sizes, key counts, average value length, and file-set mismatches across language folders.\n\n```bash\ni18ntk-sizing --source-dir ./locales --format table\ni18ntk-sizing --source-dir ./locales --detailed --output-dir ./i18ntk-reports\n```\n\nUse `--detailed` to print per-file rows in the terminal.\n\n## Runtime API\n\nUse `i18ntk/runtime` when an application needs to read locale JSON files at runtime.\n\n```js\nconst runtime = require('i18ntk/runtime');\n\nruntime.initRuntime({\n  baseDir: './locales',\n  language: 'en',\n  fallbackLanguage: 'en',\n  keySeparator: '.',\n  preload: true\n});\n\nconsole.log(runtime.t('common.hello'));\nruntime.setLanguage('fr');\nconsole.log(runtime.getLanguage());\nconsole.log(runtime.getAvailableLanguages());\nruntime.refresh('fr');\n```\n\nSee [docs/runtime.md](./docs/runtime.md) for runtime details.\n\n## Configuration\n\ni18ntk uses a project-local `.i18ntk-config` file.\n\nExample:\n\n```json\n{\n  \"version\": \"3.1.2\",\n  \"sourceDir\": \"./locales\",\n  \"i18nDir\": \"./locales\",\n  \"outputDir\": \"./i18ntk-reports\",\n  \"sourceLanguage\": \"en\",\n  \"defaultLanguages\": [\"de\", \"es\", \"fr\", \"ru\"],\n  \"englishContentThresholdPercent\": 10,\n  \"allowedEnglishTerms\": [\"BrandName\", \"PRODUCT_CODE\"],\n  \"autoTranslate\": {\n    \"placeholderMode\": \"preserve\",\n    \"concurrency\": 6,\n    \"batchSize\": 100,\n    \"progressInterval\": 25,\n    \"retryCount\": 3,\n    \"retryDelay\": 1000,\n    \"timeout\": 15000,\n    \"dryRunFirst\": true,\n    \"reportStdout\": true,\n    \"bom\": false,\n    \"protectionEnabled\": true,\n    \"protectionFile\": \"./i18ntk-auto-translate.json\",\n    \"promptProtectionSetup\": true,\n    \"promptProtectionUpdate\": true\n  },\n  \"setup\": {\n    \"completed\": true\n  }\n}\n```\n\nSee [docs/api/CONFIGURATION.md](./docs/api/CONFIGURATION.md) for the full configuration model.\n\n## Public Package Contents\n\nThe public package intentionally ships runtime and CLI files only. The publish staging script excludes development-only content such as tests, scripts, docs, release staging folders, local config files, and generated protection files.\n\nThe package includes:\n\n- CLI entry points under `main/`\n- manager commands and services\n- runtime API files under `runtime/`\n- settings UI files required at runtime\n- bundled internal UI locales\n- shared utilities required by the shipped commands\n- `README.md`, `CHANGELOG.md`, `LICENSE`, and policy files\n\nThe public package manifest includes `readmeFilename: \"README.md\"`, and the release staging script fails if `README.md` is missing or empty.\n\n## Documentation\n\n- [Documentation Index](./docs/README.md)\n- [Getting Started](./docs/getting-started.md)\n- [API Reference](./docs/api/API_REFERENCE.md)\n- [Configuration Guide](./docs/api/CONFIGURATION.md)\n- [Runtime API Guide](./docs/runtime.md)\n- [Auto Translate Guide](./docs/auto-translate.md)\n- [Scanner Guide](./docs/scanner-guide.md)\n- [Environment Variables](./docs/environment-variables.md)\n- [Migration Guide v3.1.2](./docs/migration-guide-v3.1.2.md)\n- [Migration Guide v3.1.1](./docs/migration-guide-v3.1.1.md)\n- [Migration Guide v3.0.0](./docs/migration-guide-v3.0.0.md)\n- [Migration Guide v2.6.0](./docs/migration-guide-v2.6.0.md)\n- [Migration Guide v2.5.1](./docs/migration-guide-v2.5.1.md)\n\n## Security\n\n- No API key is required for the default Auto Translate flow.\n- Do not store secrets in locale files, `.i18ntk-config`, or protection files.\n- Project-specific brand/product terms should be configured by the user, not hardcoded into the package.\n- Report security issues using [SECURITY.md](./SECURITY.md).\n\n## Community\n\n- [Contributing](./CONTRIBUTING.md)\n- [Code of Conduct](./CODE_OF_CONDUCT.md)\n- [Funding](./FUNDING.md)\n\n## License\n\nMIT. See [LICENSE](./LICENSE).\n"
+  "readme": "# i18ntk v3.2.0\n\nZero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, translation completion, automatic JSON locale translation, reporting, and runtime translation loading.\n\n![i18ntk Logo](https://raw.githubusercontent.com/vladnoskv/i18ntk/main/docs/screenshots/i18ntk-logo-public.PNG)\n\n[![npm version](https://img.shields.io/npm/v/i18ntk.svg?color=brightgreen)](https://www.npmjs.com/package/i18ntk)\n[![npm downloads](https://img.shields.io/npm/dt/i18ntk.svg)](https://www.npmjs.com/package/i18ntk)\n[![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)\n[![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)\n[![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)\n[![socket](https://socket.dev/api/badge/npm/package/i18ntk/3.2.0)](https://socket.dev/npm/package/i18ntk/overview/3.2.0)\n\n## Install\n\n```bash\n# global CLI use\nnpm install -g i18ntk\n\n# local project use\nnpm install --save-dev i18ntk\n\n# one-off execution\nnpx i18ntk --help\n```\n\nRequirements:\n\n- Node.js `>=16.0.0`\n- npm `>=8.0.0`\n- No runtime dependencies\n\n## What's New in 3.2.0\n\n- **SECURITY**: Fixed 4 critical runtime-crash bugs (invalid crypto APIs, missing imports) across admin-pin.js, security-config.js, and scripts/security-check.js.\n- **SECURITY**: Removed encryption key stored alongside ciphertext in admin-pin.js; encryption key is now derived via HKDF.\n- **SECURITY**: Enforced HTTPS-only for Google Translate API requests; fixed http.get timeout for Node.js <16.14 compatibility.\n- **SECURITY**: Added path validation to backup restore/verify operations; locked down FileManagementService PIN verification stubs.\n\nSee [CHANGELOG.md](./CHANGELOG.md) and [docs/migration-guide-v3.2.0.md](./docs/migration-guide-v3.2.0.md) for release details.\n\n## Quick Start\n\nInitialize a project:\n\n```bash\ni18ntk\n# or\ni18ntk --command=init\n```\n\nRun common checks:\n\n```bash\ni18ntk --command=analyze\ni18ntk --command=validate\ni18ntk --command=usage\ni18ntk --command=sizing\ni18ntk --command=summary\n```\n\nComplete or fix translation files:\n\n```bash\ni18ntk --command=complete\ni18ntk-fixer --help\n```\n\nAuto-translate locale JSON:\n\n```bash\ni18ntk --command=translate\n# or\ni18ntk-translate locales/en/common.json de --report-stdout\n```\n\nThe full onboarding guide is in [docs/getting-started.md](./docs/getting-started.md).\n\n## Main Commands\n\nPrimary CLI:\n\n```bash\ni18ntk\ni18ntk --help\ni18ntk --command=init\ni18ntk --command=analyze\ni18ntk --command=validate\ni18ntk --command=usage\ni18ntk --command=scanner\ni18ntk --command=sizing\ni18ntk --command=complete\ni18ntk --command=translate\ni18ntk --command=summary\ni18ntk --command=debug\n```\n\nStandalone executables:\n\n```bash\ni18ntk-init\ni18ntk-analyze\ni18ntk-validate\ni18ntk-usage\ni18ntk-scanner\ni18ntk-sizing\ni18ntk-complete\ni18ntk-summary\ni18ntk-doctor\ni18ntk-fixer\ni18ntk-backup\ni18ntk-translate\n```\n\nNote: manager route `i18ntk --command=backup` is disabled in current builds. Use `i18ntk-backup` directly for backup operations.\n\n## Common Options\n\nMost commands support:\n\n- `--source-dir <path>`\n- `--i18n-dir <path>`\n- `--output-dir <path>`\n- `--source-language <code>`\n- `--ui-language <code>`\n- `--no-prompt`\n- `--dry-run`\n- `--help`\n\nExample:\n\n```bash\ni18ntk --command=analyze --source-dir=./src --i18n-dir=./locales --output-dir=./i18ntk-reports\n```\n\n## Auto Translate\n\nInteractive manager flow:\n\n```bash\ni18ntk\n# choose \"Auto Translate (Beta)\"\n```\n\nDirect CLI examples:\n\n```bash\ni18ntk-translate locales/en/common.json de\ni18ntk-translate locales/en/common.json fr --dry-run --report-stdout\ni18ntk-translate locales/en es --source-dir locales/en --files \"*.json\" --no-confirm --preserve-placeholders\n```\n\nThe manager flow asks for:\n\n- source locale directory, either the folder with JSON files or a locale root such as `./locales`\n- source language code\n- one or more target languages, or `all`\n- one JSON file or all JSON files in the source directory\n\nIf you select a locale root such as `./locales` and choose source language `en`, the manager automatically uses `./locales/en` when that folder contains the source JSON files.\n\nBefore writing files, the manager can run a dry-run preview. After confirmation it writes translated files under sibling target-language folders, for example:\n\n```text\nlocales/en/common.json\nlocales/de/common.json\nlocales/fr/common.json\n```\n\n### Placeholder Handling\n\nAuto Translate detects common placeholders such as:\n\n- `{name}`\n- `{{count}}`\n- `%s`\n- `%d`\n- `:id`\n- `%{name}`\n- `${value}`\n\nUseful flags:\n\n- `--preserve-placeholders`: translate text around placeholders and reinsert original tokens\n- `--skip-placeholders`: copy placeholder-bearing strings unchanged\n- `--send-placeholders`: send placeholder-bearing strings through translation after masking\n- `--custom-regex <regex>`: add project-specific placeholder detection\n\n### Protected Terms and Keys\n\nAuto Translate can create and use a project-local protection file:\n\n```bash\ni18ntk-translate locales/en/common.json de --create-protection-file --protection-file ./i18ntk-auto-translate.json\n```\n\nExample `i18ntk-auto-translate.json`:\n\n```json\n{\n  \"version\": 1,\n  \"terms\": [\"BrandName\", \"PRODUCT_CODE\", \"API\"],\n  \"keys\": [\"app.brandName\", \"legal.companyName\", \"product.*.symbol\"],\n  \"values\": [\"BrandName Ltd\", \"support@example.com\"],\n  \"patterns\": [\"[A-Z]{2,}-\\\\d+\"]\n}\n```\n\n- `terms` are masked before translation and restored exactly afterward.\n- `keys` are exact key paths or `*` wildcard paths copied unchanged.\n- `values` are exact source values copied unchanged.\n- `patterns` are JavaScript regex strings for advanced protected substrings.\n\nUseful flags:\n\n- `--protection-file <path>`\n- `--create-protection-file`\n- `--no-protection`\n\nOpen Settings and choose `Auto Translate Beta` to edit defaults for placeholder mode, concurrency, batch size, retry settings, report output, BOM output, protection file path, first-run setup prompt, and update prompt.\n\nSee [docs/auto-translate.md](./docs/auto-translate.md) for the full Auto Translate guide.\n\n## Validation\n\nValidation checks locale structure, completeness, placeholders, and content risks.\n\nIn 3.1.2, warning types are more specific:\n\n- `Potential risky content`: URL, email address, or secret-like value\n- `Possible untranslated English content`: target-language value appears to contain too much English\n\nEnglish-content warnings include:\n\n- detected English percentage\n- configured threshold\n- matched word count\n- sample matched words\n\nTune warnings in `.i18ntk-config`:\n\n```json\n{\n  \"englishContentThresholdPercent\": 10,\n  \"allowedEnglishTerms\": [\"BrandName\", \"PRODUCT_CODE\"]\n}\n```\n\n## Sizing Analysis\n\n`i18ntk-sizing` reports translation file sizes, key counts, average value length, and file-set mismatches across language folders.\n\n```bash\ni18ntk-sizing --source-dir ./locales --format table\ni18ntk-sizing --source-dir ./locales --detailed --output-dir ./i18ntk-reports\n```\n\nUse `--detailed` to print per-file rows in the terminal.\n\n## Runtime API\n\nUse `i18ntk/runtime` when an application needs to read locale JSON files at runtime.\n\n```js\nconst runtime = require('i18ntk/runtime');\n\nruntime.initRuntime({\n  baseDir: './locales',\n  language: 'en',\n  fallbackLanguage: 'en',\n  keySeparator: '.',\n  preload: true\n});\n\nconsole.log(runtime.t('common.hello'));\nruntime.setLanguage('fr');\nconsole.log(runtime.getLanguage());\nconsole.log(runtime.getAvailableLanguages());\nruntime.refresh('fr');\n```\n\nSee [docs/runtime.md](./docs/runtime.md) for runtime details.\n\n## Configuration\n\ni18ntk uses a project-local `.i18ntk-config` file.\n\nExample:\n\n```json\n{\n  \"version\": \"3.2.0\",\n  \"sourceDir\": \"./locales\",\n  \"i18nDir\": \"./locales\",\n  \"outputDir\": \"./i18ntk-reports\",\n  \"sourceLanguage\": \"en\",\n  \"defaultLanguages\": [\"de\", \"es\", \"fr\", \"ru\"],\n  \"englishContentThresholdPercent\": 10,\n  \"allowedEnglishTerms\": [\"BrandName\", \"PRODUCT_CODE\"],\n  \"autoTranslate\": {\n    \"placeholderMode\": \"preserve\",\n    \"concurrency\": 6,\n    \"batchSize\": 100,\n    \"progressInterval\": 25,\n    \"retryCount\": 3,\n    \"retryDelay\": 1000,\n    \"timeout\": 15000,\n    \"dryRunFirst\": true,\n    \"reportStdout\": true,\n    \"bom\": false,\n    \"protectionEnabled\": true,\n    \"protectionFile\": \"./i18ntk-auto-translate.json\",\n    \"promptProtectionSetup\": true,\n    \"promptProtectionUpdate\": true\n  },\n  \"setup\": {\n    \"completed\": true\n  }\n}\n```\n\nSee [docs/api/CONFIGURATION.md](./docs/api/CONFIGURATION.md) for the full configuration model.\n\n## Public Package Contents\n\nThe public package intentionally ships runtime and CLI files only. The publish staging script excludes development-only content such as tests, scripts, docs, release staging folders, local config files, and generated protection files.\n\nThe package includes:\n\n- CLI entry points under `main/`\n- manager commands and services\n- runtime API files under `runtime/`\n- settings UI files required at runtime\n- bundled internal UI locales\n- shared utilities required by the shipped commands\n- `README.md`, `CHANGELOG.md`, `LICENSE`, and policy files\n\nThe public package manifest includes `readmeFilename: \"README.md\"`, and the release staging script fails if `README.md` is missing or empty.\n\n## Documentation\n\n- [Documentation Index](./docs/README.md)\n- [Getting Started](./docs/getting-started.md)\n- [API Reference](./docs/api/API_REFERENCE.md)\n- [Configuration Guide](./docs/api/CONFIGURATION.md)\n- [Runtime API Guide](./docs/runtime.md)\n- [Auto Translate Guide](./docs/auto-translate.md)\n- [Scanner Guide](./docs/scanner-guide.md)\n- [Environment Variables](./docs/environment-variables.md)\n- [Migration Guide v3.2.0](./docs/migration-guide-v3.2.0.md)\n- [Migration Guide v3.1.1](./docs/migration-guide-v3.1.1.md)\n- [Migration Guide v3.0.0](./docs/migration-guide-v3.0.0.md)\n- [Migration Guide v2.6.0](./docs/migration-guide-v2.6.0.md)\n- [Migration Guide v2.5.1](./docs/migration-guide-v2.5.1.md)\n\n## Security\n\n- No API key is required for the default Auto Translate flow.\n- Do not store secrets in locale files, `.i18ntk-config`, or protection files.\n- Project-specific brand/product terms should be configured by the user, not hardcoded into the package.\n- Report security issues using [SECURITY.md](./SECURITY.md).\n\n## Community\n\n- [Contributing](./CONTRIBUTING.md)\n- [Code of Conduct](./CODE_OF_CONDUCT.md)\n- [Funding](./FUNDING.md)\n\n## License\n\nMIT. See [LICENSE](./LICENSE).\n"
 }

package/runtime/enhanced.d.ts

@@ -219,4 +219,4 @@ export interface MigrationResult {
 }
 
 // Export compatibility with existing runtime
-export * from './index.d.ts';
+export * from './i18ntk.d.ts';

package/runtime/i18ntk.d.ts

@@ -1,6 +1,6 @@
 // runtime/i18ntk.d.ts
 // Complete TypeScript definitions for i18ntk internationalization framework
-// Version 1.10.1 - Full TypeScript support with AES-256-GCM encryption
+// Version 3.2.0 - Full TypeScript support with AES-256-GCM encryption
 
 /**
  * Core translation parameters interface
@@ -495,20 +495,11 @@ export declare function initRuntime(options: {
 }): BasicI18nRuntime;
 
 /**
- * Type guards
+ * Type guards (runtime checks, not exported by actual code)
  */
 export declare function isI18nRuntime(obj: any): obj is I18nRuntime;
 export declare function isBasicI18nRuntime(obj: any): obj is BasicI18nRuntime;
 
-/**
- * Utility functions
- */
-export declare function validateConfig(config: any): boolean;
-export declare function sanitizeKey(key: string): string;
-export declare function formatNumber(value: number, locale?: string): string;
-export declare function formatDate(date: Date, locale?: string): string;
-export declare function formatCurrency(value: number, currency?: string, locale?: string): string;
-
 /**
  * Error types
  */

package/utils/admin-auth.js

@@ -544,13 +544,13 @@ class AdminAuth {
         config.lastModified = new Date().toISOString();
         const success = await this.saveConfig(config);
         if (success) {
-          SecurityUtils.logSecurityEvent('pin_protection_disabled', 'info', 'PIN protection disabled (PIN retained)');
+          SecurityUtils.logSecurityEvent('pin_protection_disabled', 'info', { message: 'PIN protection disabled (PIN retained)' });
         }
         return success;
       }
       return true;
     } catch (error) {
-      SecurityUtils.logSecurityEvent('pin_protection_disable_error', 'error', `Failed to disable PIN protection: ${error.message}`);
+      SecurityUtils.logSecurityEvent('pin_protection_disable_error', 'error', { message: `Failed to disable PIN protection: ${error.message}` });
       return false;
     }
   }
@@ -566,13 +566,13 @@ class AdminAuth {
         config.lastModified = new Date().toISOString();
         const success = await this.saveConfig(config);
         if (success) {
-          SecurityUtils.logSecurityEvent('pin_protection_enabled', 'info', 'PIN protection enabled');
+          SecurityUtils.logSecurityEvent('pin_protection_enabled', 'info', { message: 'PIN protection enabled' });
         }
         return success;
       }
       return false;
     } catch (error) {
-      SecurityUtils.logSecurityEvent('pin_protection_enable_error', 'error', `Failed to enable PIN protection: ${error.message}`);
+      SecurityUtils.logSecurityEvent('pin_protection_enable_error', 'error', { message: `Failed to enable PIN protection: ${error.message}` });
       return false;
     }
   }
@@ -618,7 +618,7 @@ class AdminAuth {
   destroySession(sessionId) {
     const deleted = this.activeSessions.delete(sessionId);
     if (deleted) {
-      SecurityUtils.logSecurityEvent('admin_session_destroyed', 'info', 'Admin session destroyed');
+      SecurityUtils.logSecurityEvent('admin_session_destroyed', 'info', { message: 'Admin session destroyed' });
     }
     return deleted;
   }
@@ -643,7 +643,7 @@ class AdminAuth {
     }
     
     if (cleaned > 0) {
-      SecurityUtils.logSecurityEvent('admin_sessions_cleaned', 'info', `Cleaned up ${cleaned} expired sessions`);
+      SecurityUtils.logSecurityEvent('admin_sessions_cleaned', 'info', { message: `Cleaned up ${cleaned} expired sessions` });
     }
   }
 

package/utils/config-manager.js

@@ -720,9 +720,10 @@ async function setConfig(cfg) {
 
 async function updateConfig(patch) {
   const cfg = loadConfig();
-  deepMerge(cfg, patch);
-  // Don't save to disk - use in-memory config only
-  return cfg;
+  const cloned = clone(cfg);
+  deepMerge(cloned, patch);
+  currentConfig = cloned;
+  return cloned;
 }
 
 async function resetToDefaults() {
@@ -764,6 +765,8 @@ module.exports = {
   DEFAULT_CONFIG,
   loadConfig,
   saveConfig,
+  loadSettings: loadConfig,
+  saveSettings: saveConfig,
   getConfig,
   updateConfig,
   setConfig,

package/utils/translate/api.js

@@ -1,5 +1,4 @@
 const https = require('https');
-const http = require('http');
 const { URL } = require('url');
 
 const DEFAULT_CONCURRENCY = 3;
@@ -10,8 +9,11 @@ const MAX_BACKOFF_DELAY = 30000;
 function httpGet(urlString, timeout = 15000) {
   return new Promise((resolve) => {
     const url = new URL(urlString);
-    const client = url.protocol === 'https:' ? https : http;
-    const req = client.get(urlString, { timeout }, (res) => {
+    if (url.protocol !== 'https:') {
+      resolve({ ok: false, error: 'ProtocolError', message: 'Only HTTPS requests are supported' });
+      return;
+    }
+    const req = https.get(urlString, { headers: { 'User-Agent': 'i18ntk/3.2.0' } }, (res) => {
       let data = '';
       res.on('data', (chunk) => { data += chunk; });
       res.on('end', () => {
@@ -23,13 +25,13 @@ function httpGet(urlString, timeout = 15000) {
         }
       });
     });
-    req.on('error', (e) => {
-      resolve({ ok: false, error: e.code || 'NetworkError', message: e.message });
-    });
-    req.on('timeout', () => {
+    req.setTimeout(timeout, () => {
       req.destroy();
       resolve({ ok: false, error: 'TimeoutError', message: 'Request timed out' });
     });
+    req.on('error', (e) => {
+      resolve({ ok: false, error: e.code || 'NetworkError', message: e.message });
+    });
   });
 }
 
@@ -98,7 +100,7 @@ async function translateText(text, targetLang, options = {}) {
       if (translated === text) {
         return { ok: true, translated: text };
       }
-      if (result.status === 429) {
+      if (result.status === 429 || (translated === null && result.status >= 400)) {
         lastError = { error: 'RateLimited', message: 'Google Translate rate limit hit' };
         continue;
       }
@@ -109,6 +111,11 @@ async function translateText(text, targetLang, options = {}) {
       continue;
     }
 
+    if (result.error === 'TimeoutError' || result.error === 'NetworkError') {
+      lastError = { error: result.error, message: result.message || 'Network request failed, retrying' };
+      continue;
+    }
+
     lastError = { error: result.error || 'UnknownError', message: result.message || 'Request failed' };
   }
 
@@ -149,8 +156,9 @@ async function translateBatch(batch, targetLang, options = {}) {
     }
   }
 
-  const workerCount = Math.min(concurrency, batch.length);
+  const workerCount = Math.min(concurrency > 0 ? concurrency : DEFAULT_CONCURRENCY, batch.length);
   const workers = Array.from({ length: workerCount }, () => worker());
+
   await Promise.all(workers);
 
   return results;

package/utils/translate/traverse.js

@@ -54,7 +54,7 @@ function collectLeaves(obj, prefix = '') {
   return entries;
 }
 
-function setLeaf(obj, keyPath, value) {
+function parseKeyPath(keyPath) {
   const parts = [];
   let current = '';
   for (let i = 0; i < keyPath.length; i++) {
@@ -77,13 +77,18 @@ function setLeaf(obj, keyPath, value) {
     }
   }
   if (current) parts.push(current);
+  return parts;
+}
+
+function setLeaf(obj, keyPath, value) {
+  const parts = parseKeyPath(keyPath);
 
   let target = obj;
   for (let i = 0; i < parts.length - 1; i++) {
     const part = parts[i];
     if (part.startsWith('[') && part.endsWith(']')) {
       const idx = parseInt(part.slice(1, -1), 10);
-      if (!(idx in target)) target[idx] = {};
+      if (!(idx in target)) target[idx] = [];
       target = target[idx];
     } else {
       if (!(part in target)) target[part] = {};
@@ -100,28 +105,7 @@ function setLeaf(obj, keyPath, value) {
 }
 
 function getLeaf(obj, keyPath) {
-  const parts = [];
-  let current = '';
-  for (let i = 0; i < keyPath.length; i++) {
-    const ch = keyPath[i];
-    if (ch === '.' && keyPath[i - 1] !== '\\') {
-      if (current) parts.push(current);
-      current = '';
-    } else if (ch === '[') {
-      if (current) parts.push(current);
-      current = '';
-      i++;
-      while (i < keyPath.length && keyPath[i] !== ']') {
-        current += keyPath[i];
-        i++;
-      }
-      parts.push(`[${current}]`);
-      current = '';
-    } else {
-      current += ch;
-    }
-  }
-  if (current) parts.push(current);
+  const parts = parseKeyPath(keyPath);
 
   let target = obj;
   for (const part of parts) {
@@ -136,7 +120,12 @@ function getLeaf(obj, keyPath) {
 }
 
 function deepClone(obj) {
-  return JSON.parse(JSON.stringify(obj));
+  if (obj === null || obj === undefined) return obj;
+  try {
+    return JSON.parse(JSON.stringify(obj));
+  } catch (e) {
+    return obj;
+  }
 }
 
 module.exports = {