mcpmake 0.1.0 → 0.2.0

package/dist/types/site.d.ts

@@ -1,284 +0,0 @@
-/**
- * Type definitions for the Website-to-MCP pipeline.
- *
- * These types represent DOM-based interactions (forms, buttons, links)
- * rather than HTTP API calls. They form a parallel pipeline to the
- * existing OperationDescriptor/ToolDefinition types in index.ts.
- */
-import type { EnvVarDescriptor, TransportMode } from './index.js';
-export type SelectorStrategy = 'data-testid' | 'id' | 'aria-label' | 'name' | 'role' | 'css-path' | 'xpath';
-export interface SelectorSet {
-    /** Best available selector string */
-    primary: string;
-    /** Ordered fallback selectors */
-    fallbacks: string[];
-    /** Strategy used for the primary selector */
-    strategy: SelectorStrategy;
-    /** 0-1 confidence score for selector stability */
-    confidence: number;
-    /** LLM-inferred human-readable label, e.g. "Login button" */
-    humanLabel?: string;
-}
-export type FormFieldType = 'text' | 'email' | 'password' | 'number' | 'tel' | 'url' | 'search' | 'select' | 'checkbox' | 'radio' | 'textarea' | 'hidden' | 'file' | 'date' | 'datetime-local' | 'color' | 'range' | 'other';
-export interface FormFieldDescriptor {
-    /** Form field name attribute */
-    name: string;
-    /** Input type */
-    fieldType: FormFieldType;
-    /** Selector set for this field */
-    selector: SelectorSet;
-    /** Associated <label> text or aria-label */
-    label?: string;
-    /** Placeholder text */
-    placeholder?: string;
-    /** Whether the field is required */
-    required: boolean;
-    /** Options for <select>, radio groups, and datalists */
-    options?: string[];
-    /** Default or current value */
-    defaultValue?: string;
-}
-export interface FormDescriptor {
-    /** Generated stable ID for this form */
-    formId: string;
-    /** Form action URL (if present) */
-    action?: string;
-    /** Form method */
-    method: 'get' | 'post';
-    /** Selector set for the <form> element */
-    selector: SelectorSet;
-    /** Fields within the form */
-    fields: FormFieldDescriptor[];
-    /** Submit button selector */
-    submitButton?: SelectorSet;
-    /** LLM-inferred semantic name, e.g. "login_form", "search_form" */
-    semanticName?: string;
-    /** LLM-inferred description of what this form does */
-    description?: string;
-}
-export interface ButtonDescriptor {
-    /** Generated stable ID */
-    buttonId: string;
-    /** Selector set for the button element */
-    selector: SelectorSet;
-    /** Visible button text */
-    text?: string;
-    /** aria-label value */
-    ariaLabel?: string;
-    /** LLM-inferred action, e.g. "add_to_cart", "submit_order" */
-    semanticAction?: string;
-    /** LLM-inferred description */
-    description?: string;
-    /** Button type */
-    type: 'submit' | 'button' | 'link' | 'other';
-    /** href for link-style buttons */
-    href?: string;
-}
-export interface LinkDescriptor {
-    /** Generated stable ID */
-    linkId: string;
-    /** Selector set for the <a> element */
-    selector: SelectorSet;
-    /** Visible link text */
-    text?: string;
-    /** Link destination */
-    href: string;
-    /** Whether this link navigates to a new page (vs anchor/JS action) */
-    isNavigation: boolean;
-    /** LLM-inferred semantic action */
-    semanticAction?: string;
-}
-export interface PageDescriptor {
-    /** Generated stable ID */
-    pageId: string;
-    /** Canonical URL of the page */
-    url: string;
-    /** URL pattern for parameterized pages (e.g. /products/:id) */
-    urlPattern?: string;
-    /** Page title from <title> or first <h1> */
-    title?: string;
-    /** LLM-inferred semantic name, e.g. "login_page", "search_results" */
-    semanticName?: string;
-    /** LLM-inferred description */
-    description?: string;
-    /** Forms discovered on this page */
-    forms: FormDescriptor[];
-    /** Standalone buttons (not inside forms) */
-    buttons: ButtonDescriptor[];
-    /** Links discovered on this page */
-    links: LinkDescriptor[];
-    /** SHA-256 hash of the analysis screenshot */
-    screenshotHash?: string;
-    /** ISO timestamp of when this page was analyzed */
-    analyzedAt: string;
-}
-export type AuthFlowType = 'form-login' | 'oauth-redirect' | 'basic-auth' | 'cookie-session' | 'unknown';
-export interface AuthFlowDescriptor {
-    /** Detected auth mechanism */
-    type: AuthFlowType;
-    /** The page containing the login form */
-    loginPage?: PageDescriptor;
-    /** The login form descriptor */
-    loginForm?: FormDescriptor;
-    /** Selector for the username/email field */
-    usernameField?: SelectorSet;
-    /** Selector for the password field */
-    passwordField?: SelectorSet;
-    /** Selector for the submit/login button */
-    submitButton?: SelectorSet;
-    /** How to detect if the user is currently logged in */
-    sessionIndicator?: {
-        /** Element present when logged in (e.g. user avatar, logout button) */
-        selector?: SelectorSet;
-        /** Cookie name that indicates an active session */
-        cookie?: string;
-        /** URL pattern after successful login (e.g. /dashboard) */
-        urlPattern?: string;
-    };
-}
-export interface SiteDescriptor {
-    /** Unique identifier for this site analysis */
-    siteId: string;
-    /** Base URL of the site */
-    baseUrl: string;
-    /** All discovered pages */
-    pages: PageDescriptor[];
-    /** Detected authentication flow */
-    authFlow?: AuthFlowDescriptor;
-    /** ISO timestamp of the analysis */
-    analyzedAt: string;
-    /** Version number, incremented on rescan */
-    version: number;
-    /** How deep the crawler went */
-    crawlDepth: number;
-    /** Site metadata */
-    metadata: {
-        title?: string;
-        description?: string;
-        favicon?: string;
-    };
-}
-export type SiteToolType = 'page-action' | 'element-action' | 'navigation' | 'browser-lifecycle';
-export interface SiteToolDefinition {
-    /** Tool name (kebab-case, MCP-compatible) */
-    name: string;
-    /** Human-readable title */
-    title: string;
-    /** Tool description */
-    description: string;
-    /** Zod schema code for tool input parameters */
-    inputSchemaCode: string;
-    /** Output file name */
-    fileName: string;
-    /** Generated function name (camelCase) */
-    functionName: string;
-    /** What kind of site tool this is */
-    toolType: SiteToolType;
-    /** Which page this tool operates on */
-    pageId?: string;
-    /** Page URL for navigation */
-    pageUrl?: string;
-    /** Form descriptor (for form-based page-action tools) */
-    form?: FormDescriptor;
-    /** Button descriptor (for element-action tools) */
-    button?: ButtonDescriptor;
-    /** Link descriptor (for navigation tools) */
-    link?: LinkDescriptor;
-    /** All selectors this tool depends on */
-    selectors: SelectorSet[];
-    /** Whether this tool returns a screenshot alongside text */
-    returnsScreenshot: boolean;
-    /** MCP tool annotations */
-    annotations?: {
-        readOnlyHint?: boolean;
-        destructiveHint?: boolean;
-        idempotentHint?: boolean;
-    };
-}
-export interface BrowserConfig {
-    /** Run browser in headless mode */
-    headless: boolean;
-    /** Idle timeout before auto-closing browser (ms) */
-    idleTimeoutMs: number;
-    /** Browser viewport dimensions */
-    viewport: {
-        width: number;
-        height: number;
-    };
-    /** Custom user agent string */
-    userAgent?: string;
-    /** Maximum concurrent browser sessions (default: 10) */
-    maxSessions?: number;
-}
-export interface SiteProjectManifest {
-    /** Server name (kebab-case) */
-    serverName: string;
-    /** Server version */
-    serverVersion: string;
-    /** Target website base URL */
-    baseUrl: string;
-    /** MCP transport mode */
-    transport: TransportMode;
-    /** Full site descriptor (embedded in generated project) */
-    siteDescriptor: SiteDescriptor;
-    /** Generated tools */
-    tools: SiteToolDefinition[];
-    /** Environment variables the generated server needs */
-    envVars: EnvVarDescriptor[];
-    /** Playwright browser configuration */
-    browserConfig: BrowserConfig;
-}
-/**
- * Regeneration metadata written to the generated project root as
- * `mcpmake.site.json` so `mcpmake rescan` can rebuild the project from a
- * freshly crawled SiteDescriptor without re-specifying the original CLI flags.
- * The SiteDescriptor itself lives in `src/site-descriptor.json` and the tools
- * are regenerated deterministically, so neither is duplicated here.
- */
-export interface SiteRegenMetadata {
-    serverName: string;
-    serverVersion: string;
-    transport: TransportMode;
-    baseUrl: string;
-    envVars: EnvVarDescriptor[];
-    browserConfig: BrowserConfig;
-}
-export type ChangeType = 'added' | 'removed' | 'modified' | 'selector-broken';
-export type ElementType = 'page' | 'form' | 'button' | 'link' | 'field';
-export interface SiteChangeEntry {
-    /** What kind of change */
-    changeType: ChangeType;
-    /** What kind of element changed */
-    elementType: ElementType;
-    /** ID of the element that changed */
-    elementId: string;
-    /** Page where the change occurred */
-    pageId: string;
-    /** Human-readable description of the change */
-    description: string;
-    /** ISO timestamp */
-    timestamp: string;
-    /** Previous value (for modified/removed) */
-    oldValue?: unknown;
-    /** New value (for added/modified) */
-    newValue?: unknown;
-}
-export interface RescanResult {
-    /** Previous site descriptor version */
-    previousVersion: number;
-    /** New version number */
-    newVersion: number;
-    /** All changes detected */
-    changes: SiteChangeEntry[];
-    /** Selectors that no longer resolve */
-    brokenSelectors: Array<{
-        toolName: string;
-        selector: SelectorSet;
-        /** New selector if self-healing succeeded */
-        healedSelector?: SelectorSet;
-    }>;
-    /** Updated site descriptor */
-    newSiteDescriptor: SiteDescriptor;
-    /** ISO timestamp of the rescan */
-    timestamp: string;
-}

package/dist/types/site.js

@@ -1,8 +0,0 @@
-/**
- * Type definitions for the Website-to-MCP pipeline.
- *
- * These types represent DOM-based interactions (forms, buttons, links)
- * rather than HTTP API calls. They form a parallel pipeline to the
- * existing OperationDescriptor/ToolDefinition types in index.ts.
- */
-export {};

package/dist/utils/fail.d.ts

@@ -1,48 +0,0 @@
-/**
- * Centralized failure exit with opt-in, redacted error reporting.
- *
- * Why a shared helper instead of wrapping citty's `runMain`: the commands don't
- * `throw` on user-facing failures — they call `logger.error(...)` and then
- * `process.exit(1)` directly. `process.exit()` terminates the event loop
- * synchronously and bypasses every `try/catch` (including citty's `runMain`
- * handler), so a wrapper around `runMain` would never observe these exits. The
- * only reliable place to hook reporting is the failure site itself, so each
- * command calls `await fail(...)` where it used to log-and-exit.
- *
- * Telemetry is strictly opt-in (consent modes `prompt` | `auto` | `off`), never
- * blocks or breaks the CLI (timeout + swallowed errors, mirroring
- * `fetchPricing`), and auto-degrades to `off` in non-TTY / CI environments so it
- * can never hang a pipeline waiting for input.
- */
-type ConsentMode = 'prompt' | 'auto' | 'off';
-/**
- * Apply every redaction pass. Run on both errorMessage and stack before use.
- *
- * Exported (as `redactText`) so the redaction contract can be unit-tested
- * directly without invoking `fail()` (which calls `process.exit`).
- */
-export declare function redactText(input: string): string;
-/** Inputs that decide telemetry consent, injectable so the logic is testable. */
-export interface TelemetryEnv {
-    /** The mode read from config (anything else is treated as the `prompt` default). */
-    configured?: unknown;
-    /** Whether stdout is an interactive TTY. */
-    isTTY?: boolean;
-    /** Whether we are running in CI (truthy `$CI`). */
-    ci?: boolean;
-}
-/**
- * Pure consent resolver: given the configured mode and the environment, decide
- * the effective {@link ConsentMode}.
- *
- * Auto-degrades to `'off'` whenever there is no interactive TTY or we're in CI —
- * otherwise the CLI could hang waiting for input that will never come. Exported
- * so this branchy decision can be unit-tested without touching real env/config.
- */
-export declare function resolveTelemetryMode(env: TelemetryEnv): ConsentMode;
-/**
- * Log a user-facing failure message, optionally report it (consent permitting),
- * then exit with code 1. Never throws; always exits.
- */
-export declare function fail(message: string, error?: unknown): Promise<never>;
-export {};

package/dist/utils/fail.js

@@ -1,204 +0,0 @@
-/**
- * Centralized failure exit with opt-in, redacted error reporting.
- *
- * Why a shared helper instead of wrapping citty's `runMain`: the commands don't
- * `throw` on user-facing failures — they call `logger.error(...)` and then
- * `process.exit(1)` directly. `process.exit()` terminates the event loop
- * synchronously and bypasses every `try/catch` (including citty's `runMain`
- * handler), so a wrapper around `runMain` would never observe these exits. The
- * only reliable place to hook reporting is the failure site itself, so each
- * command calls `await fail(...)` where it used to log-and-exit.
- *
- * Telemetry is strictly opt-in (consent modes `prompt` | `auto` | `off`), never
- * blocks or breaks the CLI (timeout + swallowed errors, mirroring
- * `fetchPricing`), and auto-degrades to `off` in non-TTY / CI environments so it
- * can never hang a pipeline waiting for input.
- */
-import os from 'node:os';
-import { consola } from 'consola';
-import { logger } from './logger.js';
-import { loadConfig, globalConfig } from '../config/mcpmake-config.js';
-import { DEFAULT_PRICING_SERVER } from '../pricing.js';
-/** Keep in sync with `meta.version` in src/index.ts. */
-const CLI_VERSION = '0.1.0';
-/** How long to wait for the report POST before giving up (never blocks longer). */
-const REPORT_TIMEOUT_MS = 4_000;
-/** Server-side caps — fields are truncated to these lengths before sending. */
-const CAPS = {
-    command: 200,
-    errorMessage: 2000,
-    stack: 16_000,
-    cliVersion: 40,
-    platform: 60,
-    nodeVersion: 40,
-};
-// --- Redaction helpers -----------------------------------------------------
-/** Replace the user's home directory (and generic /Users|/home/<name>) with `~`. */
-function redactHomePaths(input) {
-    let out = input;
-    const home = os.homedir();
-    if (home) {
-        out = out.split(home).join('~');
-    }
-    // Catch home dirs other than the current user's (e.g. paths from logs/CI).
-    out = out.replace(/\/(?:Users|home)\/[^/\s]+/g, '~');
-    return out;
-}
-/** Strip bearer tokens: `Bearer <token>` → `Bearer [redacted]`. */
-function redactBearerTokens(input) {
-    return input.replace(/Bearer\s+\S+/g, 'Bearer [redacted]');
-}
-/** Strip mcpmake-style tokens (`mf_<hex>`). */
-function redactMfTokens(input) {
-    return input.replace(/mf_[a-f0-9]+/g, 'mf_[redacted]');
-}
-/** Strip URL query strings (`?foo=bar` → `?[redacted]`) so creds in URLs don't leak. */
-function redactQueryStrings(input) {
-    return input.replace(/\?[^\s'"]+/g, '?[redacted]');
-}
-/**
- * Apply every redaction pass. Run on both errorMessage and stack before use.
- *
- * Exported (as `redactText`) so the redaction contract can be unit-tested
- * directly without invoking `fail()` (which calls `process.exit`).
- */
-export function redactText(input) {
-    return redactQueryStrings(redactMfTokens(redactBearerTokens(redactHomePaths(input))));
-}
-/** @deprecated internal alias — prefer the exported `redactText`. */
-const redact = redactText;
-function truncate(input, max) {
-    return input.length > max ? input.slice(0, max) : input;
-}
-// --- Payload assembly ------------------------------------------------------
-/**
- * Best-effort command name from argv, e.g. `from openapi` or `deploy`. Joins the
- * first one or two non-flag tokens (subcommands like `from openapi` need two).
- */
-function deriveCommand() {
-    const tokens = process.argv.slice(2).filter((t) => !t.startsWith('-'));
-    return tokens.slice(0, 2).join(' ');
-}
-function buildPayload(message, error) {
-    const errorMessage = error instanceof Error && error.message ? error.message : message;
-    const stack = error instanceof Error && error.stack ? error.stack : '';
-    return {
-        // Redact the command too: a positional arg can be a path or URL with creds
-        // (e.g. a mistyped `mcpmake /Users/me/secret.yaml`).
-        command: truncate(redact(deriveCommand()), CAPS.command),
-        errorMessage: truncate(redact(errorMessage), CAPS.errorMessage),
-        stack: truncate(redact(stack), CAPS.stack),
-        cliVersion: truncate(CLI_VERSION, CAPS.cliVersion),
-        platform: truncate(`${process.platform} ${process.arch}`, CAPS.platform),
-        nodeVersion: truncate(process.version, CAPS.nodeVersion),
-    };
-}
-/**
- * Pure consent resolver: given the configured mode and the environment, decide
- * the effective {@link ConsentMode}.
- *
- * Auto-degrades to `'off'` whenever there is no interactive TTY or we're in CI —
- * otherwise the CLI could hang waiting for input that will never come. Exported
- * so this branchy decision can be unit-tested without touching real env/config.
- */
-export function resolveTelemetryMode(env) {
-    const value = env.configured;
-    const mode = value === 'prompt' || value === 'auto' || value === 'off' ? value : 'prompt';
-    // Critical: never prompt or block when there is no interactive TTY or we're in
-    // CI — otherwise the CLI hangs waiting for input that will never come.
-    if (!env.isTTY || env.ci) {
-        return 'off';
-    }
-    return mode;
-}
-/** Read the `telemetry` global config key; default `prompt`. Then apply env gates. */
-function resolveConsent() {
-    let configured;
-    try {
-        const loaded = loadConfig();
-        if (loaded) {
-            configured = globalConfig(loaded.data).telemetry;
-        }
-    }
-    catch {
-        // A malformed config must never block a failure exit — keep the default.
-    }
-    return resolveTelemetryMode({
-        // consola.prompt reads stdin and writes stdout, so require BOTH to be a TTY —
-        // otherwise a redirected stream could let a prompt appear (or block) wrongly.
-        configured,
-        isTTY: Boolean(process.stdout.isTTY) && Boolean(process.stdin.isTTY),
-        ci: Boolean(process.env.CI),
-    });
-}
-// --- Reporting -------------------------------------------------------------
-function reportServer() {
-    return process.env.MCPMAKE_SERVER || DEFAULT_PRICING_SERVER;
-}
-/** Multi-line preview of exactly what will be sent (already redacted). */
-function previewReport(payload) {
-    logger.info('');
-    logger.info('Opt-in error report (redacted) — exactly what would be sent:');
-    logger.info(`  command:     ${payload.command || '(none)'}`);
-    logger.info(`  errorMessage: ${payload.errorMessage}`);
-    if (payload.stack) {
-        logger.info(`  stack:       ${payload.stack.split('\n')[0]} ...`);
-    }
-    logger.info(`  cliVersion:  ${payload.cliVersion}`);
-    logger.info(`  platform:    ${payload.platform}`);
-    logger.info(`  nodeVersion: ${payload.nodeVersion}`);
-    logger.info('Not sent: no file contents, no environment variables, no secrets.');
-    logger.info('');
-}
-/**
- * POST the report. Mirrors the AbortController + timeout + swallow-everything
- * pattern in `fetchPricing`: this must never throw or block the CLI. The server
- * rejects `Content-Encoding`, so we send a plain JSON body.
- */
-async function sendReport(payload) {
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), REPORT_TIMEOUT_MS);
-    try {
-        const base = reportServer().replace(/\/+$/, '');
-        await fetch(`${base}/api/telemetry/report`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify(payload),
-            signal: controller.signal,
-        });
-    }
-    catch {
-        // Reporting is best-effort; a failure here must never affect the CLI.
-    }
-    finally {
-        clearTimeout(timer);
-    }
-}
-/**
- * Log a user-facing failure message, optionally report it (consent permitting),
- * then exit with code 1. Never throws; always exits.
- */
-export async function fail(message, error) {
-    logger.error(message);
-    const consent = resolveConsent();
-    if (consent !== 'off') {
-        const payload = buildPayload(message, error);
-        try {
-            if (consent === 'prompt') {
-                previewReport(payload);
-                const ok = await consola.prompt('Send this report?', { type: 'confirm' });
-                if (ok === true) {
-                    await sendReport(payload);
-                }
-            }
-            else {
-                // auto: send silently.
-                await sendReport(payload);
-            }
-        }
-        catch {
-            // Prompting/reporting must never get in the way of the exit.
-        }
-    }
-    process.exit(1);
-}

package/dist/utils/fs.d.ts

@@ -1,5 +0,0 @@
-export declare function ensureDir(dir: string): Promise<void>;
-export declare function writeFileSafe(filePath: string, content: string, options: {
-    force: boolean;
-}): Promise<boolean>;
-export declare function pathExists(filePath: string): Promise<boolean>;

package/dist/utils/fs.js

@@ -1,28 +0,0 @@
-import { mkdir, writeFile, access } from 'node:fs/promises';
-import { dirname } from 'node:path';
-export async function ensureDir(dir) {
-    await mkdir(dir, { recursive: true });
-}
-export async function writeFileSafe(filePath, content, options) {
-    if (!options.force) {
-        try {
-            await access(filePath);
-            return false; // file exists, skip
-        }
-        catch {
-            // file doesn't exist, proceed
-        }
-    }
-    await ensureDir(dirname(filePath));
-    await writeFile(filePath, content, 'utf-8');
-    return true;
-}
-export async function pathExists(filePath) {
-    try {
-        await access(filePath);
-        return true;
-    }
-    catch {
-        return false;
-    }
-}

package/dist/utils/interactive.d.ts

@@ -1,6 +0,0 @@
-import type { OperationDescriptor } from '../types/index.js';
-/**
- * Show detected operations and let user confirm, skip, or rename before generation.
- * Returns the filtered/modified list of operations to proceed with.
- */
-export declare function confirmOperations(operations: OperationDescriptor[]): Promise<OperationDescriptor[]>;

package/dist/utils/interactive.js

@@ -1,30 +0,0 @@
-import { createInterface } from 'node:readline';
-import { logger } from './logger.js';
-/**
- * Show detected operations and let user confirm, skip, or rename before generation.
- * Returns the filtered/modified list of operations to proceed with.
- */
-export async function confirmOperations(operations) {
-    const rl = createInterface({ input: process.stdin, output: process.stderr });
-    const ask = (question) => new Promise((resolve) => rl.question(question, resolve));
-    logger.info('');
-    logger.info(`Detected ${operations.length} operations:`);
-    logger.info('');
-    for (let i = 0; i < operations.length; i++) {
-        const op = operations[i];
-        logger.info(`  ${i + 1}. [${op.method.toUpperCase()}] ${op.path} → ${op.operationId}` +
-            (op.summary ? ` — ${op.summary}` : ''));
-    }
-    logger.info('');
-    const answer = await ask('Enter numbers to exclude (comma-separated), or press Enter to keep all: ');
-    rl.close();
-    if (!answer.trim())
-        return operations;
-    const excludeIndices = new Set(answer
-        .split(',')
-        .map((s) => parseInt(s.trim(), 10) - 1)
-        .filter((n) => !isNaN(n) && n >= 0 && n < operations.length));
-    const result = operations.filter((_, i) => !excludeIndices.has(i));
-    logger.info(`Proceeding with ${result.length} operations (excluded ${excludeIndices.size})`);
-    return result;
-}

package/dist/utils/logger.d.ts

@@ -1 +0,0 @@
-export declare const logger: import("consola").ConsolaInstance;

package/dist/utils/logger.js

@@ -1,2 +0,0 @@
-import { consola } from 'consola';
-export const logger = consola.withTag('mcpmake');

package/dist/utils/sanitize.d.ts

@@ -1,28 +0,0 @@
-/**
- * Sanitize a string for safe embedding in a JavaScript/TypeScript single-quoted string literal.
- * Escapes backslashes, single quotes, and newlines.
- */
-export declare function escapeStringLiteral(str: string): string;
-/**
- * Sanitize a string for safe embedding in a JavaScript/TypeScript template literal.
- * Escapes backticks, ${} expressions, and backslashes.
- */
-export declare function escapeTemplateLiteral(str: string): string;
-/**
- * Validate that an identifier (operationId, param name) contains only safe characters.
- * Strips anything that isn't alphanumeric, underscore, or hyphen.
- */
-export declare function sanitizeIdentifier(str: string): string;
-/**
- * Validate that a URL path template contains only safe characters.
- * Allows: alphanumeric, /, {, }, -, _, .
- */
-export declare function sanitizePathTemplate(str: string): string;
-/**
- * Sanitize a file name — strip path separators and traversal sequences.
- */
-export declare function sanitizeFileName(str: string): string;
-/**
- * Check if a key is a dangerous prototype pollution key.
- */
-export declare function isDangerousKey(key: string): boolean;