lifecycleion 0.0.9 → 0.0.11

package/dist/lib/domain-utils/domain-utils.cjs

@@ -0,0 +1,1154 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/lib/domain-utils/domain-utils.ts
+var domain_utils_exports = {};
+__export(domain_utils_exports, {
+  canonicalizeBracketedIPv6Content: () => canonicalizeBracketedIPv6Content,
+  checkDNSLength: () => checkDNSLength,
+  getDomain: () => import_tldts2.getDomain,
+  getSubdomain: () => import_tldts2.getSubdomain,
+  isApexDomain: () => isApexDomain,
+  isIPAddress: () => isIPAddress,
+  isIPv4: () => isIPv4,
+  isIPv6: () => isIPv6,
+  matchesCORSCredentialsList: () => matchesCORSCredentialsList,
+  matchesDomainList: () => matchesDomainList,
+  matchesOriginList: () => matchesOriginList,
+  matchesWildcardDomain: () => matchesWildcardDomain,
+  matchesWildcardOrigin: () => matchesWildcardOrigin,
+  normalizeDomain: () => normalizeDomain,
+  normalizeOrigin: () => normalizeOrigin,
+  parseHostHeader: () => parseHostHeader,
+  safeParseURL: () => safeParseURL,
+  validateConfigEntry: () => validateConfigEntry
+});
+module.exports = __toCommonJS(domain_utils_exports);
+var import_tldts = require("tldts");
+
+// src/lib/domain-utils/helpers.ts
+var import_tr46 = require("tr46");
+var MAX_LABELS = 32;
+var STEP_LIMIT = 1e4;
+var INVALID_DOMAIN_CHARS = /[/?#:[\]@\\]/;
+var INTERNAL_PSEUDO_TLDS = Object.freeze(
+  /* @__PURE__ */ new Set(["localhost", "local", "test", "internal"])
+);
+function isAllWildcards(s) {
+  return s.split(".").every((l) => l === "*" || l === "**");
+}
+function hasPartialLabelWildcard(s) {
+  return s.split(".").some((l) => l.includes("*") && l !== "*" && l !== "**");
+}
+function checkDNSLength(host) {
+  const labels = host.split(".");
+  if (labels.length === 0 || labels.length > 127) {
+    return false;
+  }
+  let total = 0;
+  let i = 0;
+  for (const lbl of labels) {
+    const isLast = i++ === labels.length - 1;
+    if (lbl.length === 0) {
+      if (!isLast) {
+        return false;
+      }
+      continue;
+    }
+    if (lbl.length > 63) {
+      return false;
+    }
+    total += lbl.length + 1;
+  }
+  return total > 0 ? total - 1 <= 255 : false;
+}
+var IPV6_BASE_REGEX = /^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/;
+function isIPv4(str) {
+  const ipv4Regex = /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
+  return ipv4Regex.test(str);
+}
+function isIPv6(str) {
+  const cleaned = str.replace(/^\[|\]$/g, "");
+  if (cleaned.includes("%")) {
+    return false;
+  }
+  return IPV6_BASE_REGEX.test(cleaned);
+}
+function isIPAddress(str) {
+  return isIPv4(str) || isIPv6(str);
+}
+function canonicalizeIPAddressLiteral(host) {
+  const isIPAddressLike = host.includes(".") || host.includes(":") || host.startsWith("[") && host.endsWith("]");
+  if (!isIPAddressLike) {
+    return null;
+  }
+  if (isIPv6(host)) {
+    return canonicalizeBracketedIPv6Content(host.replace(/^\[|\]$/g, ""));
+  }
+  try {
+    const url = new URL(`http://${host}/`);
+    const canonicalHostname = url.hostname.toLowerCase();
+    if (isIPv4(canonicalHostname)) {
+      return canonicalHostname;
+    }
+    if (isIPv6(canonicalHostname)) {
+      return canonicalHostname.replace(/^\[|\]$/g, "");
+    }
+  } catch {
+  }
+  return null;
+}
+function canonicalizeBracketedIPv6Content(content) {
+  try {
+    const url = new URL(`http://[${content}]/`);
+    return url.hostname.replace(/^\[|\]$/g, "");
+  } catch {
+    return content.toLowerCase();
+  }
+}
+function extractFixedTailAfterLastWildcard(patternLabels) {
+  let lastWildcardIdx = -1;
+  for (let i = patternLabels.length - 1; i >= 0; i--) {
+    const lbl = patternLabels[i];
+    if (lbl === "*" || lbl === "**") {
+      lastWildcardIdx = i;
+      break;
+    }
+  }
+  const fixedTailStart = lastWildcardIdx + 1;
+  const fixedTail = patternLabels.slice(fixedTailStart);
+  return { fixedTailStart, fixedTail };
+}
+function matchesWildcardLabelsInternal(domainLabels, patternLabels, domainIndex, patternIndex, counter) {
+  if (++counter.count > STEP_LIMIT) {
+    return false;
+  }
+  while (patternIndex < patternLabels.length) {
+    const patternLabel = patternLabels[patternIndex];
+    if (patternLabel === "**") {
+      const isLeftmost = patternIndex === 0;
+      if (isLeftmost) {
+        for (let i = domainIndex + 1; i <= domainLabels.length; i++) {
+          if (matchesWildcardLabelsInternal(
+            domainLabels,
+            patternLabels,
+            i,
+            patternIndex + 1,
+            counter
+          )) {
+            return true;
+          }
+        }
+        return false;
+      }
+      if (matchesWildcardLabelsInternal(
+        domainLabels,
+        patternLabels,
+        domainIndex,
+        patternIndex + 1,
+        counter
+      )) {
+        return true;
+      }
+      for (let i = domainIndex + 1; i <= domainLabels.length; i++) {
+        if (matchesWildcardLabelsInternal(
+          domainLabels,
+          patternLabels,
+          i,
+          patternIndex + 1,
+          counter
+        )) {
+          return true;
+        }
+      }
+      return false;
+    } else if (patternLabel === "*") {
+      if (domainIndex >= domainLabels.length) {
+        return false;
+      }
+      domainIndex++;
+      patternIndex++;
+    } else {
+      if (domainIndex >= domainLabels.length || domainLabels[domainIndex] !== patternLabel) {
+        return false;
+      }
+      domainIndex++;
+      patternIndex++;
+    }
+  }
+  return domainIndex === domainLabels.length;
+}
+function matchesWildcardLabels(domainLabels, patternLabels) {
+  const counter = { count: 0 };
+  return matchesWildcardLabelsInternal(
+    domainLabels,
+    patternLabels,
+    0,
+    0,
+    counter
+  );
+}
+function matchesMultiLabelPattern(domain, pattern) {
+  const domainLabels = domain.split(".");
+  const patternLabels = pattern.split(".");
+  if (domainLabels.length > MAX_LABELS || patternLabels.length > MAX_LABELS) {
+    return false;
+  }
+  if (patternLabels.length === 0 || patternLabels.every((label) => label === "*" || label === "**")) {
+    return false;
+  }
+  const { fixedTailStart, fixedTail } = extractFixedTailAfterLastWildcard(patternLabels);
+  if (domainLabels.length < fixedTail.length) {
+    return false;
+  }
+  for (let i = 0; i < fixedTail.length; i++) {
+    const domainLabel = domainLabels[domainLabels.length - fixedTail.length + i];
+    const patternLabel = fixedTail[i];
+    if (patternLabel !== domainLabel) {
+      return false;
+    }
+  }
+  const remainingDomainLabels = domainLabels.slice(
+    0,
+    domainLabels.length - fixedTail.length
+  );
+  const leftPatternLabels = patternLabels.slice(0, fixedTailStart);
+  if (leftPatternLabels.length === 0) {
+    return remainingDomainLabels.length === 0;
+  }
+  return matchesWildcardLabels(remainingDomainLabels, leftPatternLabels);
+}
+function toAsciiDots(s) {
+  return s.replace(/[．。｡]/g, ".");
+}
+function normalizeDomain(domain) {
+  let trimmed = domain.trim();
+  trimmed = toAsciiDots(trimmed);
+  if (/\.\.+$/.test(trimmed)) {
+    return "";
+  }
+  if (trimmed.endsWith(".")) {
+    trimmed = trimmed.slice(0, -1);
+  }
+  const canonicalIPAddress = canonicalizeIPAddressLiteral(trimmed);
+  if (canonicalIPAddress !== null) {
+    return canonicalIPAddress;
+  }
+  const normalized = trimmed.normalize("NFC").toLowerCase();
+  try {
+    const ascii = (0, import_tr46.toASCII)(normalized, {
+      useSTD3ASCIIRules: true,
+      checkHyphens: true,
+      checkBidi: true,
+      checkJoiners: true,
+      transitionalProcessing: false,
+      // matches modern browser behavior (non-transitional)
+      verifyDNSLength: false
+      // we already do our own length checks
+    });
+    if (!ascii) {
+      throw new Error("TR46 processing failed");
+    }
+    return checkDNSLength(ascii) ? ascii : "";
+  } catch {
+    return "";
+  }
+}
+function normalizeWildcardPattern(pattern) {
+  let trimmed = pattern.trim().normalize("NFC").replace(/[．。｡]/g, ".");
+  if (INVALID_DOMAIN_CHARS.test(trimmed)) {
+    return "";
+  }
+  if (trimmed.endsWith(".")) {
+    trimmed = trimmed.slice(0, -1);
+  }
+  const labels = trimmed.split(".");
+  for (const lbl of labels) {
+    if (lbl.length === 0) {
+      return "";
+    }
+  }
+  const normalizedLabels = [];
+  for (const lbl of labels) {
+    if (lbl === "*" || lbl === "**") {
+      normalizedLabels.push(lbl);
+      continue;
+    }
+    if (lbl.length > 63) {
+      return "";
+    }
+    const nd = normalizeDomain(lbl);
+    if (nd === "") {
+      return "";
+    }
+    normalizedLabels.push(nd);
+  }
+  const concreteLabels = normalizedLabels.filter(
+    (lbl) => lbl !== "*" && lbl !== "**"
+  );
+  if (concreteLabels.length > 0) {
+    const concretePattern = concreteLabels.join(".");
+    if (!checkDNSLength(concretePattern)) {
+      return "";
+    }
+  }
+  return normalizedLabels.join(".");
+}
+
+// src/lib/domain-utils/domain-utils.ts
+var import_tldts2 = require("tldts");
+function safeParseURL(input) {
+  try {
+    return new URL(input);
+  } catch {
+    return null;
+  }
+}
+function hasValidWildcardOriginHost(url) {
+  return normalizeDomain(url.hostname) !== "";
+}
+function extractAuthority(input, schemeIdx) {
+  const afterScheme = input.slice(schemeIdx + 3);
+  const cut = Math.min(
+    ...[
+      afterScheme.indexOf("/"),
+      afterScheme.indexOf("?"),
+      afterScheme.indexOf("#")
+    ].filter((i) => i !== -1)
+  );
+  return cut === Infinity ? afterScheme : afterScheme.slice(0, cut);
+}
+function hasDanglingPortInAuthority(input) {
+  const schemeIdx = input.indexOf("://");
+  if (schemeIdx === -1) {
+    return false;
+  }
+  const authority = extractAuthority(input, schemeIdx);
+  const at = authority.lastIndexOf("@");
+  const hostPort = at === -1 ? authority : authority.slice(at + 1);
+  return hostPort.endsWith(":");
+}
+function normalizeOrigin(origin) {
+  if (origin === "null") {
+    return "null";
+  }
+  const normalizedOrigin = toAsciiDots(origin);
+  if (hasDanglingPortInAuthority(normalizedOrigin)) {
+    return "";
+  }
+  const url = safeParseURL(normalizedOrigin);
+  if (url) {
+    if (url.username || url.password || url.pathname && url.pathname !== "/" || url.search || url.hash) {
+      return "";
+    }
+    const normalizedHostname = normalizeDomain(url.hostname);
+    if (normalizedHostname === "") {
+      return "";
+    }
+    let host;
+    const schemeSep = normalizedOrigin.indexOf("://");
+    const authority = extractAuthority(normalizedOrigin, schemeSep);
+    const bracketMatch = authority.match(/\[([^\]]+)\]/);
+    const rawBracketContent = bracketMatch ? bracketMatch[1] : null;
+    const hostnameForIpv6Check = (rawBracketContent ? rawBracketContent : normalizedHostname).replace(/%25/g, "%").toLowerCase();
+    if (isIPv6(hostnameForIpv6Check)) {
+      const raw = rawBracketContent ? rawBracketContent : normalizedHostname.replace(/^\[|\]$/g, "");
+      const canon = canonicalizeBracketedIPv6Content(raw);
+      host = `[${canon}]`;
+    } else {
+      host = normalizedHostname;
+    }
+    let port = "";
+    const protocolLower = url.protocol.toLowerCase();
+    const defaultPort = protocolLower === "https:" ? "443" : protocolLower === "http:" ? "80" : "";
+    if (url.port) {
+      port = url.port === defaultPort ? "" : `:${url.port}`;
+    } else {
+      let portMatch = authority.match(/^(?:[^@]*@)?\[[^\]]+\]:(\d+)$/);
+      if (portMatch) {
+        const explicit = portMatch[1];
+        port = explicit === defaultPort ? "" : `:${explicit}`;
+      } else {
+        portMatch = authority.match(/^(?:[^@]*@)?([^:]+):(\d+)$/);
+        if (portMatch) {
+          const explicit = portMatch[2];
+          port = explicit === defaultPort ? "" : `:${explicit}`;
+        }
+      }
+    }
+    return `${protocolLower}//${host}${port}`;
+  }
+  return "";
+}
+function matchesWildcardDomain(domain, pattern) {
+  const normalizedDomain = normalizeDomain(domain);
+  if (normalizedDomain === "") {
+    return false;
+  }
+  const normalizedPattern = normalizeWildcardPattern(pattern);
+  if (!normalizedPattern) {
+    return false;
+  }
+  if (!normalizedPattern.includes("*")) {
+    return false;
+  }
+  if (normalizedPattern === "*") {
+    return true;
+  }
+  if (isIPAddress(normalizedDomain)) {
+    return false;
+  }
+  if (isAllWildcards(normalizedPattern)) {
+    return false;
+  }
+  const labels = normalizedPattern.split(".");
+  const { fixedTail: fixedTailLabels } = extractFixedTailAfterLastWildcard(labels);
+  if (fixedTailLabels.length === 0) {
+    return false;
+  }
+  const tail = fixedTailLabels.join(".");
+  if (isIPAddress(tail)) {
+    return false;
+  }
+  const ps = (0, import_tldts.getPublicSuffix)(tail);
+  if (INTERNAL_PSEUDO_TLDS.has(tail) || ps && ps === tail) {
+    return false;
+  }
+  if (normalizedPattern.startsWith("**.")) {
+    if (normalizedDomain === normalizeDomain(normalizedPattern.slice(3))) {
+      return false;
+    }
+  }
+  return matchesMultiLabelPattern(normalizedDomain, normalizedPattern);
+}
+function matchesWildcardOrigin(origin, pattern) {
+  const normalizedOrigin = toAsciiDots(origin);
+  const normalizedPattern = toAsciiDots(pattern);
+  if (hasDanglingPortInAuthority(normalizedOrigin)) {
+    return false;
+  }
+  const originURL = safeParseURL(normalizedOrigin);
+  if (originURL) {
+    const scheme = originURL.protocol.toLowerCase();
+    if (scheme !== "http:" && scheme !== "https:") {
+      return false;
+    }
+    if (originURL.username || originURL.password || originURL.pathname && originURL.pathname !== "/" || originURL.search || originURL.hash) {
+      return false;
+    }
+  }
+  if (normalizedPattern === "*") {
+    return originURL !== null && hasValidWildcardOriginHost(originURL);
+  }
+  const patternLower = normalizedPattern.toLowerCase();
+  if (patternLower === "https://*" || patternLower === "http://*") {
+    if (!originURL) {
+      return false;
+    }
+    const want = patternLower === "https://*" ? "https:" : "http:";
+    return originURL.protocol.toLowerCase() === want && hasValidWildcardOriginHost(originURL);
+  }
+  if (!originURL) {
+    return false;
+  }
+  const normalizedHostname = normalizeDomain(originURL.hostname);
+  if (normalizedHostname === "") {
+    return false;
+  }
+  const originProtocol = originURL.protocol.slice(0, -1).toLowerCase();
+  if (normalizedPattern.includes("://")) {
+    const [patternProtocol, ...rest] = normalizedPattern.split("://");
+    const domainPattern = rest.join("://");
+    if (INVALID_DOMAIN_CHARS.test(domainPattern)) {
+      return false;
+    }
+    if (originProtocol !== patternProtocol.toLowerCase()) {
+      return false;
+    }
+    if (!domainPattern.includes("*") || isAllWildcards(domainPattern)) {
+      return false;
+    }
+    return matchesWildcardDomain(normalizedHostname, domainPattern);
+  }
+  if (normalizedPattern.includes("*")) {
+    if (normalizedPattern !== "*" && isAllWildcards(normalizedPattern)) {
+      return false;
+    }
+    return matchesWildcardDomain(normalizedHostname, normalizedPattern);
+  }
+  return false;
+}
+function matchesDomainList(domain, allowedDomains) {
+  const normalizedDomain = normalizeDomain(domain);
+  if (normalizedDomain === "") {
+    return false;
+  }
+  const cleaned = allowedDomains.map((s) => s.trim()).filter((s) => s.length > 0);
+  const ORIGIN_LIKE = /^[a-z][a-z0-9+\-.]*:\/\//i;
+  const originLike = cleaned.filter((s) => ORIGIN_LIKE.test(s));
+  if (originLike.length > 0) {
+    throw new Error(
+      `matchesDomainList: origin-style patterns are not allowed in domain lists: ${originLike.join(", ")}`
+    );
+  }
+  for (const allowed of cleaned) {
+    if (allowed.includes("*")) {
+      if (matchesWildcardDomain(domain, allowed)) {
+        return true;
+      }
+      continue;
+    }
+    const normalizedAllowed = normalizeDomain(allowed);
+    if (isAllowedExactHostname(normalizedAllowed) && normalizedDomain === normalizedAllowed) {
+      return true;
+    }
+  }
+  return false;
+}
+function isAllowedExactHostname(normalizedHostname) {
+  if (!normalizedHostname) {
+    return false;
+  }
+  if (normalizedHostname === "null") {
+    return false;
+  }
+  if (isIPAddress(normalizedHostname) || INTERNAL_PSEUDO_TLDS.has(normalizedHostname)) {
+    return true;
+  }
+  const publicSuffix = (0, import_tldts.getPublicSuffix)(normalizedHostname);
+  return !(publicSuffix && publicSuffix === normalizedHostname);
+}
+function isValidPortString(port) {
+  if (!/^\d+$/.test(port)) {
+    return false;
+  }
+  const portNumber = Number(port);
+  return Number.isInteger(portNumber) && portNumber >= 0 && portNumber <= 65535;
+}
+function validateConfigEntry(entry, context, options) {
+  const raw = (entry ?? "").trim();
+  const SCHEME_RE = /^[a-z][a-z0-9+\-.]*$/i;
+  if (!raw) {
+    return { valid: false, info: "empty entry", wildcardKind: "none" };
+  }
+  const opts = {
+    allowGlobalWildcard: false,
+    allowProtocolWildcard: true,
+    ...options ?? {}
+  };
+  function validateConcreteLabels(pattern) {
+    const labels = pattern.split(".");
+    const concrete = [];
+    for (const lbl of labels) {
+      if (lbl === "*" || lbl === "**") {
+        continue;
+      }
+      if (lbl.length > 63) {
+        return false;
+      }
+      const nd2 = normalizeDomain(lbl);
+      if (nd2 === "") {
+        return false;
+      }
+      concrete.push(nd2);
+    }
+    if (concrete.length > 0) {
+      if (!checkDNSLength(concrete.join("."))) {
+        return false;
+      }
+    }
+    return true;
+  }
+  function wildcardTailIsInvalid(pattern) {
+    const normalized = normalizeWildcardPattern(pattern);
+    const labels = normalized.split(".");
+    const { fixedTail: fixedTailLabels } = extractFixedTailAfterLastWildcard(labels);
+    if (fixedTailLabels.length === 0) {
+      return true;
+    }
+    const tail = fixedTailLabels.join(".");
+    if (isIPAddress(tail)) {
+      return true;
+    }
+    const ps2 = (0, import_tldts.getPublicSuffix)(tail);
+    if (INTERNAL_PSEUDO_TLDS.has(tail) || ps2 && ps2 === tail) {
+      return true;
+    }
+    return false;
+  }
+  function validateDomainWildcard(pattern) {
+    const trimmed = pattern.trim().normalize("NFC").replace(/[．。｡]/g, ".");
+    if (INVALID_DOMAIN_CHARS.test(trimmed)) {
+      return {
+        valid: false,
+        info: "invalid characters in domain pattern",
+        wildcardKind: "none"
+      };
+    }
+    if (hasPartialLabelWildcard(trimmed)) {
+      return {
+        valid: false,
+        info: "partial-label wildcards are not allowed",
+        wildcardKind: "none"
+      };
+    }
+    const normalized = normalizeWildcardPattern(trimmed);
+    if (!normalized) {
+      return {
+        valid: false,
+        info: "invalid domain labels",
+        wildcardKind: "none"
+      };
+    }
+    if (normalized.split(".").length > MAX_LABELS) {
+      return {
+        valid: false,
+        info: "wildcard pattern exceeds label limit",
+        wildcardKind: "none"
+      };
+    }
+    if (isAllWildcards(normalized)) {
+      return {
+        valid: false,
+        info: "all-wildcards pattern is not allowed",
+        wildcardKind: "none"
+      };
+    }
+    if (!validateConcreteLabels(normalized)) {
+      return {
+        valid: false,
+        info: "invalid domain labels",
+        wildcardKind: "none"
+      };
+    }
+    if (wildcardTailIsInvalid(normalized)) {
+      return {
+        valid: false,
+        info: "wildcard tail targets public suffix or IP (disallowed)",
+        wildcardKind: "none"
+      };
+    }
+    return { valid: true, wildcardKind: "subdomain" };
+  }
+  function validateExactDomain(s) {
+    if (s.toLowerCase() === "null") {
+      return {
+        valid: false,
+        info: '"null" is not a valid domain entry',
+        wildcardKind: "none"
+      };
+    }
+    const sDots = toAsciiDots(s);
+    if (isIPAddress(sDots)) {
+      return { valid: true, wildcardKind: "none" };
+    }
+    if (INVALID_DOMAIN_CHARS.test(s)) {
+      return {
+        valid: false,
+        info: "invalid characters in domain",
+        wildcardKind: "none"
+      };
+    }
+    const nd2 = normalizeDomain(s);
+    if (nd2 === "") {
+      return { valid: false, info: "invalid domain", wildcardKind: "none" };
+    }
+    const ps2 = (0, import_tldts.getPublicSuffix)(nd2);
+    if (ps2 && ps2 === nd2 && !INTERNAL_PSEUDO_TLDS.has(nd2)) {
+      return {
+        valid: false,
+        info: "entry equals a public suffix (not registrable)",
+        wildcardKind: "none"
+      };
+    }
+    return { valid: true, wildcardKind: "none" };
+  }
+  if (context === "domain") {
+    if (/^[a-z][a-z0-9+\-.]*:\/\//i.test(raw)) {
+      return {
+        valid: false,
+        info: "protocols are not allowed in domain context",
+        wildcardKind: "none"
+      };
+    }
+    if (raw === "*") {
+      return opts.allowGlobalWildcard ? { valid: true, wildcardKind: "global" } : {
+        valid: false,
+        info: "global wildcard '*' not allowed in this context",
+        wildcardKind: "none"
+      };
+    }
+    if (raw.includes("*")) {
+      return validateDomainWildcard(raw);
+    }
+    return validateExactDomain(raw);
+  }
+  if (raw === "null") {
+    return { valid: true, wildcardKind: "none" };
+  }
+  if (raw === "*") {
+    return opts.allowGlobalWildcard ? { valid: true, wildcardKind: "global" } : {
+      valid: false,
+      info: "global wildcard '*' not allowed in this context",
+      wildcardKind: "none"
+    };
+  }
+  const schemeIdx = raw.indexOf("://");
+  if (schemeIdx === -1) {
+    if (raw.includes("*")) {
+      return validateDomainWildcard(raw);
+    }
+    return validateExactDomain(raw);
+  }
+  const scheme = raw.slice(0, schemeIdx).toLowerCase();
+  const rest = raw.slice(schemeIdx + 3);
+  if (!SCHEME_RE.test(scheme)) {
+    return {
+      valid: false,
+      info: "invalid scheme in origin",
+      wildcardKind: "none"
+    };
+  }
+  let normalizedRest = rest;
+  if (normalizedRest.includes("#") || normalizedRest.includes("?")) {
+    return {
+      valid: false,
+      info: "origin must not contain path, query, or fragment",
+      wildcardKind: "none"
+    };
+  }
+  const slashIdx = normalizedRest.indexOf("/");
+  if (slashIdx !== -1) {
+    const authority = normalizedRest.slice(0, slashIdx);
+    const suffix = normalizedRest.slice(slashIdx);
+    if (suffix !== "/" || authority.includes("*")) {
+      return {
+        valid: false,
+        info: "origin must not contain path, query, or fragment",
+        wildcardKind: "none"
+      };
+    }
+    normalizedRest = authority;
+  }
+  if (!normalizedRest) {
+    return {
+      valid: false,
+      info: "missing host in origin",
+      wildcardKind: "none"
+    };
+  }
+  if (normalizedRest.includes("@")) {
+    return {
+      valid: false,
+      info: "origin must not include userinfo",
+      wildcardKind: "none"
+    };
+  }
+  if (normalizedRest === "*") {
+    if (scheme !== "http" && scheme !== "https") {
+      return {
+        valid: false,
+        info: "wildcard origins require http or https scheme",
+        wildcardKind: "none"
+      };
+    }
+    if (!opts.allowProtocolWildcard) {
+      return {
+        valid: false,
+        info: "protocol wildcard not allowed",
+        wildcardKind: "none"
+      };
+    }
+    const info2 = scheme === "http" || scheme === "https" ? void 0 : "non-http(s) scheme; CORS may not match";
+    return { valid: true, info: info2, wildcardKind: "protocol" };
+  }
+  let host = normalizedRest;
+  let hasPort = false;
+  if (normalizedRest.startsWith("[")) {
+    const end = normalizedRest.indexOf("]");
+    if (end === -1) {
+      return {
+        valid: false,
+        info: "unclosed IPv6 bracket",
+        wildcardKind: "none"
+      };
+    }
+    host = normalizedRest.slice(0, end + 1);
+    const after = normalizedRest.slice(end + 1);
+    if (after.startsWith(":")) {
+      const port = after.slice(1);
+      if (!isValidPortString(port)) {
+        return {
+          valid: false,
+          info: "invalid port in origin",
+          wildcardKind: "none"
+        };
+      }
+      hasPort = true;
+    } else if (after.length > 0) {
+      return {
+        valid: false,
+        info: "unexpected characters after IPv6 host",
+        wildcardKind: "none"
+      };
+    }
+  } else {
+    const colon = normalizedRest.indexOf(":");
+    if (colon !== -1) {
+      host = normalizedRest.slice(0, colon);
+      const port = normalizedRest.slice(colon + 1);
+      if (!isValidPortString(port)) {
+        return {
+          valid: false,
+          info: "invalid port in origin",
+          wildcardKind: "none"
+        };
+      }
+      hasPort = true;
+    }
+  }
+  if (host.includes("*")) {
+    if (scheme !== "http" && scheme !== "https") {
+      return {
+        valid: false,
+        info: "wildcard origins require http or https scheme",
+        wildcardKind: "none"
+      };
+    }
+    if (host.includes("[") || host.includes("]")) {
+      return {
+        valid: false,
+        info: "wildcard host cannot be an IP literal",
+        wildcardKind: "none"
+      };
+    }
+    if (hasPort) {
+      return {
+        valid: false,
+        info: "ports are not allowed in wildcard origins",
+        wildcardKind: "none"
+      };
+    }
+    const verdict = validateDomainWildcard(host);
+    if (!verdict.valid) {
+      return verdict;
+    }
+    const info2 = scheme === "http" || scheme === "https" ? void 0 : "non-http(s) scheme; CORS may not match";
+    return { valid: true, info: info2, wildcardKind: "subdomain" };
+  }
+  if (host.startsWith("[")) {
+    const bracketContent = host.slice(1, -1);
+    if (!isIPv6(bracketContent)) {
+      return {
+        valid: false,
+        info: "invalid IPv6 literal in origin",
+        wildcardKind: "none"
+      };
+    }
+    const info2 = scheme === "http" || scheme === "https" ? void 0 : "non-http(s) scheme; CORS may not match";
+    return { valid: true, info: info2, wildcardKind: "none" };
+  }
+  const hostDots = toAsciiDots(host);
+  if (isIPAddress(hostDots)) {
+    const info2 = scheme === "http" || scheme === "https" ? void 0 : "non-http(s) scheme; CORS may not match";
+    return { valid: true, info: info2, wildcardKind: "none" };
+  }
+  const nd = normalizeDomain(host);
+  if (nd === "") {
+    return {
+      valid: false,
+      info: "invalid domain in origin",
+      wildcardKind: "none"
+    };
+  }
+  const ps = (0, import_tldts.getPublicSuffix)(nd);
+  if (ps && ps === nd && !INTERNAL_PSEUDO_TLDS.has(nd)) {
+    return {
+      valid: false,
+      info: "origin host equals a public suffix (not registrable)",
+      wildcardKind: "none"
+    };
+  }
+  const info = scheme === "http" || scheme === "https" ? void 0 : "non-http(s) scheme; CORS may not match";
+  return { valid: true, info, wildcardKind: "none" };
+}
+function parseExactOriginForMatching(entry) {
+  if (entry === "null") {
+    return { normalizedOrigin: "null", normalizedHostname: "" };
+  }
+  const normalized = toAsciiDots(entry);
+  const schemeIdx = normalized.indexOf("://");
+  if (schemeIdx !== -1) {
+    const authority = extractAuthority(normalized, schemeIdx);
+    const at = authority.lastIndexOf("@");
+    const hostPort = at === -1 ? authority : authority.slice(at + 1);
+    if (hostPort.endsWith(":")) {
+      return null;
+    }
+  }
+  const url = safeParseURL(normalized);
+  if (!url) {
+    return null;
+  }
+  if (url.username || url.password) {
+    return null;
+  }
+  if (url.pathname && url.pathname !== "/") {
+    return null;
+  }
+  if (url.search || url.hash) {
+    return null;
+  }
+  const normalizedOrigin = normalizeOrigin(entry);
+  if (normalizedOrigin === "") {
+    return null;
+  }
+  return {
+    normalizedOrigin,
+    normalizedHostname: normalizeDomain(url.hostname)
+  };
+}
+function isCredentialsSafeWildcardOriginPattern(pattern) {
+  const trimmed = pattern.trim().normalize("NFC").replace(/[．。｡]/g, ".");
+  function isValidCredentialWildcardHost(hostPattern) {
+    if (isAllWildcards(hostPattern)) {
+      return false;
+    }
+    if (INVALID_DOMAIN_CHARS.test(hostPattern)) {
+      return false;
+    }
+    if (hasPartialLabelWildcard(hostPattern)) {
+      return false;
+    }
+    const labels = hostPattern.split(".");
+    const concrete = [];
+    for (const lbl of labels) {
+      if (lbl === "*" || lbl === "**") {
+        continue;
+      }
+      if (lbl.length > 63) {
+        return false;
+      }
+      const nd = normalizeDomain(lbl);
+      if (nd === "") {
+        return false;
+      }
+      concrete.push(nd);
+    }
+    if (concrete.length > 0 && !checkDNSLength(concrete.join("."))) {
+      return false;
+    }
+    const normalized = normalizeWildcardPattern(hostPattern);
+    const { fixedTail } = extractFixedTailAfterLastWildcard(
+      (normalized || hostPattern).split(".")
+    );
+    if (!normalized || fixedTail.length === 0) {
+      return false;
+    }
+    const tail = fixedTail.join(".");
+    if (isIPAddress(tail)) {
+      return false;
+    }
+    const ps = (0, import_tldts.getPublicSuffix)(tail);
+    return !INTERNAL_PSEUDO_TLDS.has(tail) && !(ps && ps === tail);
+  }
+  if (!trimmed.includes("*")) {
+    return false;
+  }
+  const schemeIdx = trimmed.indexOf("://");
+  if (schemeIdx === -1) {
+    return isValidCredentialWildcardHost(trimmed);
+  }
+  const scheme = trimmed.slice(0, schemeIdx).toLowerCase();
+  const host = trimmed.slice(schemeIdx + 3);
+  if (scheme !== "http" && scheme !== "https" || host === "*") {
+    return false;
+  }
+  return isValidCredentialWildcardHost(host);
+}
+function matchesOriginList(origin, allowedOrigins, opts = {}) {
+  const cleaned = allowedOrigins.map((s) => s.trim()).filter(Boolean);
+  if (!origin) {
+    return !!opts.treatNoOriginAsAllowed && cleaned.includes("*");
+  }
+  const parsedOrigin = parseExactOriginForMatching(origin);
+  if (!parsedOrigin) {
+    return false;
+  }
+  return cleaned.some((allowed) => {
+    if (allowed === "*") {
+      return matchesWildcardOrigin(origin, "*");
+    }
+    if (allowed.includes("*")) {
+      return matchesWildcardOrigin(origin, allowed);
+    }
+    if (allowed === "null") {
+      return parsedOrigin.normalizedOrigin === "null";
+    }
+    if (!allowed.includes("://")) {
+      const normalizedAllowedDomain = normalizeDomain(allowed);
+      return isAllowedExactHostname(normalizedAllowedDomain) && parsedOrigin.normalizedHostname !== "" && parsedOrigin.normalizedHostname === normalizedAllowedDomain;
+    }
+    const parsedAllowed = parseExactOriginForMatching(allowed);
+    if (!parsedAllowed) {
+      return false;
+    }
+    if (!isAllowedExactHostname(parsedAllowed.normalizedHostname)) {
+      return false;
+    }
+    return parsedOrigin.normalizedOrigin === parsedAllowed.normalizedOrigin;
+  });
+}
+function matchesCORSCredentialsList(origin, allowedOrigins, options = {}) {
+  if (!origin) {
+    return false;
+  }
+  const parsedOrigin = parseExactOriginForMatching(origin);
+  if (!parsedOrigin) {
+    return false;
+  }
+  const cleaned = allowedOrigins.map((s) => s.trim()).filter(Boolean);
+  const allowWildcard = !!options.allowWildcardSubdomains;
+  for (const allowed of cleaned) {
+    if (allowWildcard && allowed.includes("*")) {
+      if (isCredentialsSafeWildcardOriginPattern(allowed) && matchesWildcardOrigin(origin, allowed)) {
+        return true;
+      }
+      continue;
+    }
+    if (allowed === "null") {
+      if (parsedOrigin.normalizedOrigin === "null") {
+        return true;
+      }
+      continue;
+    }
+    if (!allowed.includes("://")) {
+      const normalizedAllowedDomain = normalizeDomain(allowed);
+      if (isAllowedExactHostname(normalizedAllowedDomain) && parsedOrigin.normalizedHostname !== "" && parsedOrigin.normalizedHostname === normalizedAllowedDomain) {
+        return true;
+      }
+      continue;
+    }
+    const parsedAllowed = parseExactOriginForMatching(allowed);
+    if (!parsedAllowed) {
+      continue;
+    }
+    if (!isAllowedExactHostname(parsedAllowed.normalizedHostname)) {
+      continue;
+    }
+    if (parsedOrigin.normalizedOrigin === parsedAllowed.normalizedOrigin) {
+      return true;
+    }
+  }
+  return false;
+}
+function parseHostHeader(host) {
+  const trimmedHost = host.trim();
+  if (!trimmedHost) {
+    return { domain: "", port: "" };
+  }
+  function parsePortOrFail(port) {
+    if (!isValidPortString(port)) {
+      return { domain: "", port: "" };
+    }
+    return null;
+  }
+  if (trimmedHost.startsWith("[")) {
+    const end = trimmedHost.indexOf("]");
+    if (end !== -1) {
+      const domain = trimmedHost.slice(1, end);
+      const rest = trimmedHost.slice(end + 1);
+      if (!isIPv6(domain)) {
+        return { domain: "", port: "" };
+      }
+      if (rest === "") {
+        return { domain, port: "" };
+      }
+      if (rest.startsWith(":")) {
+        const invalid2 = parsePortOrFail(rest.slice(1));
+        if (invalid2) {
+          return invalid2;
+        }
+        return { domain, port: rest.slice(1) };
+      }
+      return { domain: "", port: "" };
+    }
+    return { domain: "", port: "" };
+  }
+  const idx = trimmedHost.indexOf(":");
+  if (idx === -1) {
+    return { domain: trimmedHost, port: "" };
+  }
+  if (idx === 0) {
+    return { domain: "", port: "" };
+  }
+  const invalid = parsePortOrFail(trimmedHost.slice(idx + 1));
+  if (invalid) {
+    return invalid;
+  }
+  return {
+    domain: trimmedHost.slice(0, idx),
+    port: trimmedHost.slice(idx + 1)
+  };
+}
+function isApexDomain(domain) {
+  const normalizedDomain = normalizeDomain(domain);
+  if (!normalizedDomain || isIPAddress(normalizedDomain)) {
+    return false;
+  }
+  const labels = normalizedDomain.split(".");
+  const lastLabel = labels[labels.length - 1];
+  if (INTERNAL_PSEUDO_TLDS.has(lastLabel)) {
+    if (normalizedDomain === lastLabel) {
+      return true;
+    }
+    if (lastLabel === "localhost") {
+      return false;
+    }
+    return labels.length === 2;
+  }
+  const parsedDomain = (0, import_tldts.getDomain)(normalizedDomain);
+  const subdomain = (0, import_tldts.getSubdomain)(normalizedDomain);
+  if (!parsedDomain) {
+    return false;
+  }
+  return parsedDomain === normalizedDomain && !subdomain;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  canonicalizeBracketedIPv6Content,
+  checkDNSLength,
+  getDomain,
+  getSubdomain,
+  isApexDomain,
+  isIPAddress,
+  isIPv4,
+  isIPv6,
+  matchesCORSCredentialsList,
+  matchesDomainList,
+  matchesOriginList,
+  matchesWildcardDomain,
+  matchesWildcardOrigin,
+  normalizeDomain,
+  normalizeOrigin,
+  parseHostHeader,
+  safeParseURL,
+  validateConfigEntry
+});
+//# sourceMappingURL=domain-utils.cjs.map