pompelmi 0.33.0 → 0.34.0

package/dist/pompelmi.hooks.cjs

@@ -0,0 +1,75 @@
+'use strict';
+
+/**
+ * Scan lifecycle hooks for Pompelmi.
+ *
+ * Hooks let you observe and react to scan events without modifying the scan
+ * pipeline itself.  They are the recommended integration point for:
+ *   - logging / metrics collection
+ *   - alerting on threats
+ *   - triggering quarantine automatically
+ *   - OpenTelemetry span creation
+ *
+ * Usage:
+ * ```ts
+ * import { scanBytes } from 'pompelmi';
+ * import { createScanHooks, withHooks } from 'pompelmi/hooks';
+ *
+ * const hooks = createScanHooks({
+ *   onScanComplete(ctx, report) {
+ *     console.log(ctx.filename, report.verdict, report.durationMs + 'ms');
+ *   },
+ *   onThreatDetected(ctx, report) {
+ *     alertTeam({ file: ctx.filename, verdict: report.verdict });
+ *   },
+ * });
+ *
+ * const scan = withHooks(scanBytes, hooks);
+ * const report = await scan(bytes, { ctx: { filename: 'upload.zip' } });
+ * ```
+ *
+ * @module hooks
+ */
+// ── Factory ───────────────────────────────────────────────────────────────────
+/**
+ * Create a `ScanHooks` object with optional defaults.
+ * This is a thin factory — the value of using it is the inline TS types.
+ */
+function createScanHooks(hooks) {
+    return hooks;
+}
+/**
+ * Wrap a scan function with lifecycle hooks.
+ *
+ * Returns a new function with the same signature that fires the hooks
+ * around each scan call.
+ */
+function withHooks(scanFn, hooks) {
+    return async (bytes, opts = {}) => {
+        const scanId = typeof crypto !== 'undefined' && 'randomUUID' in crypto
+            ? crypto.randomUUID()
+            : undefined;
+        const startedAt = Date.now();
+        const ctx = { ...opts.ctx, scanId, startedAt };
+        void hooks.onScanStart?.(ctx);
+        let report;
+        try {
+            report = await scanFn(bytes, opts);
+        }
+        catch (err) {
+            void hooks.onScanError?.({ ...ctx }, err);
+            throw err;
+        }
+        const durationMs = Date.now() - startedAt;
+        const completeCtx = { ...ctx, durationMs };
+        void hooks.onScanComplete?.(completeCtx, report);
+        if (report.verdict === 'suspicious' || report.verdict === 'malicious') {
+            void hooks.onThreatDetected?.(completeCtx, report);
+        }
+        return report;
+    };
+}
+
+exports.createScanHooks = createScanHooks;
+exports.withHooks = withHooks;
+//# sourceMappingURL=pompelmi.hooks.cjs.map

package/dist/pompelmi.hooks.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"pompelmi.hooks.cjs","sources":["../src/hooks.ts"],"sourcesContent":["/**\n * Scan lifecycle hooks for Pompelmi.\n *\n * Hooks let you observe and react to scan events without modifying the scan\n * pipeline itself.  They are the recommended integration point for:\n *   - logging / metrics collection\n *   - alerting on threats\n *   - triggering quarantine automatically\n *   - OpenTelemetry span creation\n *\n * Usage:\n * ```ts\n * import { scanBytes } from 'pompelmi';\n * import { createScanHooks, withHooks } from 'pompelmi/hooks';\n *\n * const hooks = createScanHooks({\n *   onScanComplete(ctx, report) {\n *     console.log(ctx.filename, report.verdict, report.durationMs + 'ms');\n *   },\n *   onThreatDetected(ctx, report) {\n *     alertTeam({ file: ctx.filename, verdict: report.verdict });\n *   },\n * });\n *\n * const scan = withHooks(scanBytes, hooks);\n * const report = await scan(bytes, { ctx: { filename: 'upload.zip' } });\n * ```\n *\n * @module hooks\n */\n\nimport type { ScanContext, ScanReport } from './types';\nimport type { QuarantineEntry } from './quarantine/types';\n\n// ── Event payloads ────────────────────────────────────────────────────────────\n\nexport interface ScanStartContext extends ScanContext {\n  /** Unique identifier for this scan invocation (useful for correlating logs). */\n  scanId?: string;\n  /** Timestamp when the scan started (ms since epoch). */\n  startedAt: number;\n}\n\nexport interface ScanCompleteContext extends ScanStartContext {\n  /** Duration of the scan in milliseconds. */\n  durationMs: number;\n}\n\n// ── Hook interface ────────────────────────────────────────────────────────────\n\n/**\n * Callbacks for the scan lifecycle.  All hooks are optional.\n *\n * Hooks MUST NOT throw — wrap logic in try/catch if it can fail.\n * Async hooks are fire-and-forget; they do not block the scan result.\n */\nexport interface ScanHooks {\n  /**\n   * Called immediately before a scan begins.\n   */\n  onScanStart?: (ctx: ScanStartContext) => void | Promise<void>;\n\n  /**\n   * Called when a scan completes successfully (any verdict, including clean).\n   */\n  onScanComplete?: (ctx: ScanCompleteContext, report: ScanReport) => void | Promise<void>;\n\n  /**\n   * Called when the scan verdict is 'suspicious' or 'malicious'.\n   * Fired in addition to `onScanComplete`.\n   */\n  onThreatDetected?: (ctx: ScanCompleteContext, report: ScanReport) => void | Promise<void>;\n\n  /**\n   * Called when a file has been quarantined.\n   * Requires wiring with a `QuarantineManager`; not fired automatically by `scanBytes`.\n   */\n  onQuarantine?: (entry: QuarantineEntry) => void | Promise<void>;\n\n  /**\n   * Called when a scan throws an unexpected error.\n   */\n  onScanError?: (ctx: ScanStartContext, error: unknown) => void | Promise<void>;\n}\n\n// ── Factory ───────────────────────────────────────────────────────────────────\n\n/**\n * Create a `ScanHooks` object with optional defaults.\n * This is a thin factory — the value of using it is the inline TS types.\n */\nexport function createScanHooks(hooks: ScanHooks): ScanHooks {\n  return hooks;\n}\n\n// ── withHooks wrapper ─────────────────────────────────────────────────────────\n\ntype ScanFn = (bytes: Uint8Array, opts?: { ctx?: ScanContext; [k: string]: unknown }) => Promise<ScanReport>;\n\n/**\n * Wrap a scan function with lifecycle hooks.\n *\n * Returns a new function with the same signature that fires the hooks\n * around each scan call.\n */\nexport function withHooks(scanFn: ScanFn, hooks: ScanHooks): ScanFn {\n  return async (bytes, opts = {}) => {\n    const scanId = typeof crypto !== 'undefined' && 'randomUUID' in crypto\n      ? (crypto as { randomUUID(): string }).randomUUID()\n      : undefined;\n\n    const startedAt = Date.now();\n    const ctx: ScanStartContext = { ...opts.ctx, scanId, startedAt };\n\n    void hooks.onScanStart?.(ctx);\n\n    let report: ScanReport;\n    try {\n      report = await scanFn(bytes, opts);\n    } catch (err) {\n      void hooks.onScanError?.({ ...ctx }, err);\n      throw err;\n    }\n\n    const durationMs = Date.now() - startedAt;\n    const completeCtx: ScanCompleteContext = { ...ctx, durationMs };\n\n    void hooks.onScanComplete?.(completeCtx, report);\n\n    if (report.verdict === 'suspicious' || report.verdict === 'malicious') {\n      void hooks.onThreatDetected?.(completeCtx, report);\n    }\n\n    return report;\n  };\n}\n"],"names":[],"mappings":";;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BG;AAwDH;AAEA;;;AAGG;AACG,SAAU,eAAe,CAAC,KAAgB,EAAA;AAC9C,IAAA,OAAO,KAAK;AACd;AAMA;;;;;AAKG;AACG,SAAU,SAAS,CAAC,MAAc,EAAE,KAAgB,EAAA;IACxD,OAAO,OAAO,KAAK,EAAE,IAAI,GAAG,EAAE,KAAI;QAChC,MAAM,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,IAAI,YAAY,IAAI;AAC9D,cAAG,MAAmC,CAAC,UAAU;cAC/C,SAAS;AAEb,QAAA,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE;AAC5B,QAAA,MAAM,GAAG,GAAqB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE;AAEhE,QAAA,KAAK,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC;AAE7B,QAAA,IAAI,MAAkB;AACtB,QAAA,IAAI;YACF,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC;QACpC;QAAE,OAAO,GAAG,EAAE;AACZ,YAAA,KAAK,KAAK,CAAC,WAAW,GAAG,EAAE,GAAG,GAAG,EAAE,EAAE,GAAG,CAAC;AACzC,YAAA,MAAM,GAAG;QACX;QAEA,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QACzC,MAAM,WAAW,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE;QAE/D,KAAK,KAAK,CAAC,cAAc,GAAG,WAAW,EAAE,MAAM,CAAC;AAEhD,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,YAAY,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,EAAE;YACrE,KAAK,KAAK,CAAC,gBAAgB,GAAG,WAAW,EAAE,MAAM,CAAC;QACpD;AAEA,QAAA,OAAO,MAAM;AACf,IAAA,CAAC;AACH;;;;;"}

package/dist/pompelmi.hooks.esm.js

@@ -0,0 +1,72 @@
+/**
+ * Scan lifecycle hooks for Pompelmi.
+ *
+ * Hooks let you observe and react to scan events without modifying the scan
+ * pipeline itself.  They are the recommended integration point for:
+ *   - logging / metrics collection
+ *   - alerting on threats
+ *   - triggering quarantine automatically
+ *   - OpenTelemetry span creation
+ *
+ * Usage:
+ * ```ts
+ * import { scanBytes } from 'pompelmi';
+ * import { createScanHooks, withHooks } from 'pompelmi/hooks';
+ *
+ * const hooks = createScanHooks({
+ *   onScanComplete(ctx, report) {
+ *     console.log(ctx.filename, report.verdict, report.durationMs + 'ms');
+ *   },
+ *   onThreatDetected(ctx, report) {
+ *     alertTeam({ file: ctx.filename, verdict: report.verdict });
+ *   },
+ * });
+ *
+ * const scan = withHooks(scanBytes, hooks);
+ * const report = await scan(bytes, { ctx: { filename: 'upload.zip' } });
+ * ```
+ *
+ * @module hooks
+ */
+// ── Factory ───────────────────────────────────────────────────────────────────
+/**
+ * Create a `ScanHooks` object with optional defaults.
+ * This is a thin factory — the value of using it is the inline TS types.
+ */
+function createScanHooks(hooks) {
+    return hooks;
+}
+/**
+ * Wrap a scan function with lifecycle hooks.
+ *
+ * Returns a new function with the same signature that fires the hooks
+ * around each scan call.
+ */
+function withHooks(scanFn, hooks) {
+    return async (bytes, opts = {}) => {
+        const scanId = typeof crypto !== 'undefined' && 'randomUUID' in crypto
+            ? crypto.randomUUID()
+            : undefined;
+        const startedAt = Date.now();
+        const ctx = { ...opts.ctx, scanId, startedAt };
+        void hooks.onScanStart?.(ctx);
+        let report;
+        try {
+            report = await scanFn(bytes, opts);
+        }
+        catch (err) {
+            void hooks.onScanError?.({ ...ctx }, err);
+            throw err;
+        }
+        const durationMs = Date.now() - startedAt;
+        const completeCtx = { ...ctx, durationMs };
+        void hooks.onScanComplete?.(completeCtx, report);
+        if (report.verdict === 'suspicious' || report.verdict === 'malicious') {
+            void hooks.onThreatDetected?.(completeCtx, report);
+        }
+        return report;
+    };
+}
+
+export { createScanHooks, withHooks };
+//# sourceMappingURL=pompelmi.hooks.esm.js.map

package/dist/pompelmi.hooks.esm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pompelmi.hooks.esm.js","sources":["../src/hooks.ts"],"sourcesContent":["/**\n * Scan lifecycle hooks for Pompelmi.\n *\n * Hooks let you observe and react to scan events without modifying the scan\n * pipeline itself.  They are the recommended integration point for:\n *   - logging / metrics collection\n *   - alerting on threats\n *   - triggering quarantine automatically\n *   - OpenTelemetry span creation\n *\n * Usage:\n * ```ts\n * import { scanBytes } from 'pompelmi';\n * import { createScanHooks, withHooks } from 'pompelmi/hooks';\n *\n * const hooks = createScanHooks({\n *   onScanComplete(ctx, report) {\n *     console.log(ctx.filename, report.verdict, report.durationMs + 'ms');\n *   },\n *   onThreatDetected(ctx, report) {\n *     alertTeam({ file: ctx.filename, verdict: report.verdict });\n *   },\n * });\n *\n * const scan = withHooks(scanBytes, hooks);\n * const report = await scan(bytes, { ctx: { filename: 'upload.zip' } });\n * ```\n *\n * @module hooks\n */\n\nimport type { ScanContext, ScanReport } from './types';\nimport type { QuarantineEntry } from './quarantine/types';\n\n// ── Event payloads ────────────────────────────────────────────────────────────\n\nexport interface ScanStartContext extends ScanContext {\n  /** Unique identifier for this scan invocation (useful for correlating logs). */\n  scanId?: string;\n  /** Timestamp when the scan started (ms since epoch). */\n  startedAt: number;\n}\n\nexport interface ScanCompleteContext extends ScanStartContext {\n  /** Duration of the scan in milliseconds. */\n  durationMs: number;\n}\n\n// ── Hook interface ────────────────────────────────────────────────────────────\n\n/**\n * Callbacks for the scan lifecycle.  All hooks are optional.\n *\n * Hooks MUST NOT throw — wrap logic in try/catch if it can fail.\n * Async hooks are fire-and-forget; they do not block the scan result.\n */\nexport interface ScanHooks {\n  /**\n   * Called immediately before a scan begins.\n   */\n  onScanStart?: (ctx: ScanStartContext) => void | Promise<void>;\n\n  /**\n   * Called when a scan completes successfully (any verdict, including clean).\n   */\n  onScanComplete?: (ctx: ScanCompleteContext, report: ScanReport) => void | Promise<void>;\n\n  /**\n   * Called when the scan verdict is 'suspicious' or 'malicious'.\n   * Fired in addition to `onScanComplete`.\n   */\n  onThreatDetected?: (ctx: ScanCompleteContext, report: ScanReport) => void | Promise<void>;\n\n  /**\n   * Called when a file has been quarantined.\n   * Requires wiring with a `QuarantineManager`; not fired automatically by `scanBytes`.\n   */\n  onQuarantine?: (entry: QuarantineEntry) => void | Promise<void>;\n\n  /**\n   * Called when a scan throws an unexpected error.\n   */\n  onScanError?: (ctx: ScanStartContext, error: unknown) => void | Promise<void>;\n}\n\n// ── Factory ───────────────────────────────────────────────────────────────────\n\n/**\n * Create a `ScanHooks` object with optional defaults.\n * This is a thin factory — the value of using it is the inline TS types.\n */\nexport function createScanHooks(hooks: ScanHooks): ScanHooks {\n  return hooks;\n}\n\n// ── withHooks wrapper ─────────────────────────────────────────────────────────\n\ntype ScanFn = (bytes: Uint8Array, opts?: { ctx?: ScanContext; [k: string]: unknown }) => Promise<ScanReport>;\n\n/**\n * Wrap a scan function with lifecycle hooks.\n *\n * Returns a new function with the same signature that fires the hooks\n * around each scan call.\n */\nexport function withHooks(scanFn: ScanFn, hooks: ScanHooks): ScanFn {\n  return async (bytes, opts = {}) => {\n    const scanId = typeof crypto !== 'undefined' && 'randomUUID' in crypto\n      ? (crypto as { randomUUID(): string }).randomUUID()\n      : undefined;\n\n    const startedAt = Date.now();\n    const ctx: ScanStartContext = { ...opts.ctx, scanId, startedAt };\n\n    void hooks.onScanStart?.(ctx);\n\n    let report: ScanReport;\n    try {\n      report = await scanFn(bytes, opts);\n    } catch (err) {\n      void hooks.onScanError?.({ ...ctx }, err);\n      throw err;\n    }\n\n    const durationMs = Date.now() - startedAt;\n    const completeCtx: ScanCompleteContext = { ...ctx, durationMs };\n\n    void hooks.onScanComplete?.(completeCtx, report);\n\n    if (report.verdict === 'suspicious' || report.verdict === 'malicious') {\n      void hooks.onThreatDetected?.(completeCtx, report);\n    }\n\n    return report;\n  };\n}\n"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BG;AAwDH;AAEA;;;AAGG;AACG,SAAU,eAAe,CAAC,KAAgB,EAAA;AAC9C,IAAA,OAAO,KAAK;AACd;AAMA;;;;;AAKG;AACG,SAAU,SAAS,CAAC,MAAc,EAAE,KAAgB,EAAA;IACxD,OAAO,OAAO,KAAK,EAAE,IAAI,GAAG,EAAE,KAAI;QAChC,MAAM,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,IAAI,YAAY,IAAI;AAC9D,cAAG,MAAmC,CAAC,UAAU;cAC/C,SAAS;AAEb,QAAA,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE;AAC5B,QAAA,MAAM,GAAG,GAAqB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE;AAEhE,QAAA,KAAK,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC;AAE7B,QAAA,IAAI,MAAkB;AACtB,QAAA,IAAI;YACF,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC;QACpC;QAAE,OAAO,GAAG,EAAE;AACZ,YAAA,KAAK,KAAK,CAAC,WAAW,GAAG,EAAE,GAAG,GAAG,EAAE,EAAE,GAAG,CAAC;AACzC,YAAA,MAAM,GAAG;QACX;QAEA,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QACzC,MAAM,WAAW,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE;QAE/D,KAAK,KAAK,CAAC,cAAc,GAAG,WAAW,EAAE,MAAM,CAAC;AAEhD,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,YAAY,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,EAAE;YACrE,KAAK,KAAK,CAAC,gBAAgB,GAAG,WAAW,EAAE,MAAM,CAAC;QACpD;AAEA,QAAA,OAAO,MAAM;AACf,IAAA,CAAC;AACH;;;;"}

package/dist/pompelmi.policy-packs.cjs

@@ -0,0 +1,239 @@
+'use strict';
+
+const MB$1 = 1024 * 1024;
+const DEFAULT_POLICY = {
+    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf'],
+    allowedMimeTypes: ['application/zip', 'image/png', 'image/jpeg', 'application/pdf', 'text/plain'],
+    maxFileSizeBytes: 20 * MB$1,
+    timeoutMs: 5000,
+    concurrency: 4,
+    failClosed: true
+};
+function definePolicy(input = {}) {
+    const p = { ...DEFAULT_POLICY, ...input };
+    if (!Array.isArray(p.includeExtensions))
+        throw new TypeError('includeExtensions must be string[]');
+    if (!Array.isArray(p.allowedMimeTypes))
+        throw new TypeError('allowedMimeTypes must be string[]');
+    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
+        throw new TypeError('maxFileSizeBytes must be > 0');
+    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
+        throw new TypeError('timeoutMs must be > 0');
+    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
+        throw new TypeError('concurrency must be > 0');
+    return p;
+}
+
+/**
+ * Policy packs for Pompelmi.
+ *
+ * Pre-configured, named policies for common upload scenarios.  Each pack
+ * defines the file type allowlist, size limits, and timeout appropriate for
+ * its use case.
+ *
+ * All packs are built on `definePolicy` and are fully overridable:
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ *
+ * // Use a pack as-is:
+ * const policy = POLICY_PACKS['images-only'];
+ *
+ * // Or override individual fields:
+ * import { definePolicy } from 'pompelmi';
+ * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
+ * ```
+ *
+ * These packs are *deterministic* and *descriptor-based* — they do not
+ * depend on any external threat intelligence feed.
+ *
+ * @module policy-packs
+ */
+const KB = 1024;
+const MB = 1024 * KB;
+// ── Policy packs ──────────────────────────────────────────────────────────────
+/**
+ * Documents-only policy.
+ *
+ * Appropriate for: document management APIs, PDF/Office file upload endpoints,
+ * data import pipelines.
+ *
+ * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
+ *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
+ * Max size: 25 MB.
+ */
+const DOCUMENTS_ONLY = definePolicy({
+    includeExtensions: [
+        'pdf',
+        'doc', 'docx',
+        'xls', 'xlsx',
+        'ppt', 'pptx',
+        'odt', 'ods', 'odp',
+        'csv',
+        'txt',
+        'json',
+        'yaml', 'yml',
+        'md',
+    ],
+    allowedMimeTypes: [
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'application/vnd.oasis.opendocument.text',
+        'application/vnd.oasis.opendocument.spreadsheet',
+        'application/vnd.oasis.opendocument.presentation',
+        'text/csv',
+        'text/plain',
+        'application/json',
+        'text/yaml',
+        'text/markdown',
+    ],
+    maxFileSizeBytes: 25 * MB,
+    timeoutMs: 10000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Images-only policy.
+ *
+ * Appropriate for: avatar uploads, product image APIs, content platforms with
+ * user-generated imagery.
+ *
+ * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
+ * Max size: 10 MB.
+ * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
+ */
+const IMAGES_ONLY = definePolicy({
+    includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],
+    allowedMimeTypes: [
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        'image/avif',
+        'image/tiff',
+        'image/bmp',
+        'image/x-icon',
+        'image/vnd.microsoft.icon',
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 5000,
+    concurrency: 8,
+    failClosed: true,
+});
+/**
+ * Strict public-upload policy.
+ *
+ * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
+ * any surface exposed to untrusted users.
+ *
+ * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
+ * allowlist.  Only allows plain images and PDF.
+ */
+const STRICT_PUBLIC_UPLOAD = definePolicy({
+    includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],
+    allowedMimeTypes: [
+        'image/jpeg',
+        'image/png',
+        'image/webp',
+        'application/pdf',
+    ],
+    maxFileSizeBytes: 5 * MB,
+    timeoutMs: 4000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Conservative default policy.
+ *
+ * A hardened version of the built-in `DEFAULT_POLICY` suitable for
+ * production without further customisation.  Stricter size limit and
+ * shorter timeout than the permissive default.
+ */
+const CONSERVATIVE_DEFAULT = definePolicy({
+    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],
+    allowedMimeTypes: [
+        'application/zip',
+        'image/png',
+        'image/jpeg',
+        'application/pdf',
+        'text/plain',
+        'text/csv',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 8000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Archives policy.
+ *
+ * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
+ * Combines a generous size allowance with a longer timeout for deep inspection.
+ *
+ * NOTE: Pair this policy with `createZipBombGuard()` to defend against
+ * decompression-bomb attacks:
+ *
+ * ```ts
+ * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
+ * const scanner = composeScanners(
+ *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
+ * );
+ * ```
+ */
+const ARCHIVES = definePolicy({
+    includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],
+    allowedMimeTypes: [
+        'application/zip',
+        'application/x-tar',
+        'application/gzip',
+        'application/x-bzip2',
+        'application/x-xz',
+        'application/x-7z-compressed',
+        'application/x-rar-compressed',
+    ],
+    maxFileSizeBytes: 100 * MB,
+    timeoutMs: 30000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Named map of all built-in policy packs.
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ * const policy = POLICY_PACKS['strict-public-upload'];
+ * ```
+ */
+const POLICY_PACKS = {
+    'documents-only': DOCUMENTS_ONLY,
+    'images-only': IMAGES_ONLY,
+    'strict-public-upload': STRICT_PUBLIC_UPLOAD,
+    'conservative-default': CONSERVATIVE_DEFAULT,
+    'archives': ARCHIVES,
+};
+/**
+ * Look up a policy pack by name.
+ * Throws if the name is not recognised.
+ */
+function getPolicyPack(name) {
+    const policy = POLICY_PACKS[name];
+    if (!policy)
+        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);
+    return policy;
+}
+
+exports.ARCHIVES = ARCHIVES;
+exports.CONSERVATIVE_DEFAULT = CONSERVATIVE_DEFAULT;
+exports.DOCUMENTS_ONLY = DOCUMENTS_ONLY;
+exports.IMAGES_ONLY = IMAGES_ONLY;
+exports.POLICY_PACKS = POLICY_PACKS;
+exports.STRICT_PUBLIC_UPLOAD = STRICT_PUBLIC_UPLOAD;
+exports.getPolicyPack = getPolicyPack;
+//# sourceMappingURL=pompelmi.policy-packs.cjs.map

package/dist/pompelmi.policy-packs.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"pompelmi.policy-packs.cjs","sources":["../src/policy.ts","../src/policy-packs.ts"],"sourcesContent":["export interface Policy {\n  includeExtensions: string[];\n  allowedMimeTypes: string[];\n  maxFileSizeBytes: number;\n  timeoutMs: number;\n  concurrency: number;\n  failClosed: boolean;\n  onScanEvent?: (ev: unknown) => void;\n}\nexport type PolicyInput = Partial<Policy>;\n\nconst MB = 1024 * 1024;\n\nexport const DEFAULT_POLICY: Policy = {\n  includeExtensions: ['zip','png','jpg','jpeg','pdf'],\n  allowedMimeTypes: ['application/zip','image/png','image/jpeg','application/pdf','text/plain'],\n  maxFileSizeBytes: 20 * MB,\n  timeoutMs: 5000,\n  concurrency: 4,\n  failClosed: true\n};\n\nexport function definePolicy(input: PolicyInput = {}): Policy {\n  const p: Policy = { ...DEFAULT_POLICY, ...input };\n  if (!Array.isArray(p.includeExtensions)) throw new TypeError('includeExtensions must be string[]');\n  if (!Array.isArray(p.allowedMimeTypes)) throw new TypeError('allowedMimeTypes must be string[]');\n  if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0)) throw new TypeError('maxFileSizeBytes must be > 0');\n  if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0)) throw new TypeError('timeoutMs must be > 0');\n  if (!(Number.isInteger(p.concurrency) && p.concurrency > 0)) throw new TypeError('concurrency must be > 0');\n  return p;\n}\n","/**\n * Policy packs for Pompelmi.\n *\n * Pre-configured, named policies for common upload scenarios.  Each pack\n * defines the file type allowlist, size limits, and timeout appropriate for\n * its use case.\n *\n * All packs are built on `definePolicy` and are fully overridable:\n *\n * ```ts\n * import { POLICY_PACKS } from 'pompelmi/policy-packs';\n *\n * // Use a pack as-is:\n * const policy = POLICY_PACKS['images-only'];\n *\n * // Or override individual fields:\n * import { definePolicy } from 'pompelmi';\n * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });\n * ```\n *\n * These packs are *deterministic* and *descriptor-based* — they do not\n * depend on any external threat intelligence feed.\n *\n * @module policy-packs\n */\n\nimport { definePolicy, type Policy } from './policy';\n\nconst KB = 1024;\nconst MB = 1024 * KB;\n\n// ── Policy packs ──────────────────────────────────────────────────────────────\n\n/**\n * Documents-only policy.\n *\n * Appropriate for: document management APIs, PDF/Office file upload endpoints,\n * data import pipelines.\n *\n * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),\n *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).\n * Max size: 25 MB.\n */\nexport const DOCUMENTS_ONLY: Policy = definePolicy({\n  includeExtensions: [\n    'pdf',\n    'doc', 'docx',\n    'xls', 'xlsx',\n    'ppt', 'pptx',\n    'odt', 'ods', 'odp',\n    'csv',\n    'txt',\n    'json',\n    'yaml', 'yml',\n    'md',\n  ],\n  allowedMimeTypes: [\n    'application/pdf',\n    'application/msword',\n    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',\n    'application/vnd.ms-excel',\n    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',\n    'application/vnd.ms-powerpoint',\n    'application/vnd.openxmlformats-officedocument.presentationml.presentation',\n    'application/vnd.oasis.opendocument.text',\n    'application/vnd.oasis.opendocument.spreadsheet',\n    'application/vnd.oasis.opendocument.presentation',\n    'text/csv',\n    'text/plain',\n    'application/json',\n    'text/yaml',\n    'text/markdown',\n  ],\n  maxFileSizeBytes: 25 * MB,\n  timeoutMs: 10_000,\n  concurrency: 4,\n  failClosed: true,\n});\n\n/**\n * Images-only policy.\n *\n * Appropriate for: avatar uploads, product image APIs, content platforms with\n * user-generated imagery.\n *\n * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.\n * Max size: 10 MB.\n * Note: SVG is intentionally excluded — inline SVGs can contain scripts.\n */\nexport const IMAGES_ONLY: Policy = definePolicy({\n  includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],\n  allowedMimeTypes: [\n    'image/jpeg',\n    'image/png',\n    'image/gif',\n    'image/webp',\n    'image/avif',\n    'image/tiff',\n    'image/bmp',\n    'image/x-icon',\n    'image/vnd.microsoft.icon',\n  ],\n  maxFileSizeBytes: 10 * MB,\n  timeoutMs: 5_000,\n  concurrency: 8,\n  failClosed: true,\n});\n\n/**\n * Strict public-upload policy.\n *\n * Appropriate for: anonymous or low-trust upload endpoints, public APIs,\n * any surface exposed to untrusted users.\n *\n * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME\n * allowlist.  Only allows plain images and PDF.\n */\nexport const STRICT_PUBLIC_UPLOAD: Policy = definePolicy({\n  includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],\n  allowedMimeTypes: [\n    'image/jpeg',\n    'image/png',\n    'image/webp',\n    'application/pdf',\n  ],\n  maxFileSizeBytes: 5 * MB,\n  timeoutMs: 4_000,\n  concurrency: 2,\n  failClosed: true,\n});\n\n/**\n * Conservative default policy.\n *\n * A hardened version of the built-in `DEFAULT_POLICY` suitable for\n * production without further customisation.  Stricter size limit and\n * shorter timeout than the permissive default.\n */\nexport const CONSERVATIVE_DEFAULT: Policy = definePolicy({\n  includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],\n  allowedMimeTypes: [\n    'application/zip',\n    'image/png',\n    'image/jpeg',\n    'application/pdf',\n    'text/plain',\n    'text/csv',\n    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',\n    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',\n  ],\n  maxFileSizeBytes: 10 * MB,\n  timeoutMs: 8_000,\n  concurrency: 4,\n  failClosed: true,\n});\n\n/**\n * Archives policy.\n *\n * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.\n * Combines a generous size allowance with a longer timeout for deep inspection.\n *\n * NOTE: Pair this policy with `createZipBombGuard()` to defend against\n * decompression-bomb attacks:\n *\n * ```ts\n * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';\n * const scanner = composeScanners(\n *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]\n * );\n * ```\n */\nexport const ARCHIVES: Policy = definePolicy({\n  includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],\n  allowedMimeTypes: [\n    'application/zip',\n    'application/x-tar',\n    'application/gzip',\n    'application/x-bzip2',\n    'application/x-xz',\n    'application/x-7z-compressed',\n    'application/x-rar-compressed',\n  ],\n  maxFileSizeBytes: 100 * MB,\n  timeoutMs: 30_000,\n  concurrency: 2,\n  failClosed: true,\n});\n\n// ── Named map ────────────────────────────────────────────────────────────────\n\nexport type PolicyPackName =\n  | 'documents-only'\n  | 'images-only'\n  | 'strict-public-upload'\n  | 'conservative-default'\n  | 'archives';\n\n/**\n * Named map of all built-in policy packs.\n *\n * ```ts\n * import { POLICY_PACKS } from 'pompelmi/policy-packs';\n * const policy = POLICY_PACKS['strict-public-upload'];\n * ```\n */\nexport const POLICY_PACKS: Record<PolicyPackName, Policy> = {\n  'documents-only': DOCUMENTS_ONLY,\n  'images-only': IMAGES_ONLY,\n  'strict-public-upload': STRICT_PUBLIC_UPLOAD,\n  'conservative-default': CONSERVATIVE_DEFAULT,\n  'archives': ARCHIVES,\n};\n\n/**\n * Look up a policy pack by name.\n * Throws if the name is not recognised.\n */\nexport function getPolicyPack(name: PolicyPackName): Policy {\n  const policy = POLICY_PACKS[name];\n  if (!policy) throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);\n  return policy;\n}\n"],"names":["MB"],"mappings":";;AAWA,MAAMA,IAAE,GAAG,IAAI,GAAG,IAAI;AAEf,MAAM,cAAc,GAAW;IACpC,iBAAiB,EAAE,CAAC,KAAK,EAAC,KAAK,EAAC,KAAK,EAAC,MAAM,EAAC,KAAK,CAAC;IACnD,gBAAgB,EAAE,CAAC,iBAAiB,EAAC,WAAW,EAAC,YAAY,EAAC,iBAAiB,EAAC,YAAY,CAAC;IAC7F,gBAAgB,EAAE,EAAE,GAAGA,IAAE;AACzB,IAAA,SAAS,EAAE,IAAI;AACf,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE;CACb;AAEK,SAAU,YAAY,CAAC,KAAA,GAAqB,EAAE,EAAA;IAClD,MAAM,CAAC,GAAW,EAAE,GAAG,cAAc,EAAE,GAAG,KAAK,EAAE;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC;IAClG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC;AAChG,IAAA,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,8BAA8B,CAAC;AACzH,IAAA,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC;AACpG,IAAA,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC;AAC3G,IAAA,OAAO,CAAC;AACV;;AC9BA;;;;;;;;;;;;;;;;;;;;;;;;AAwBG;AAIH,MAAM,EAAE,GAAG,IAAI;AACf,MAAM,EAAE,GAAG,IAAI,GAAG,EAAE;AAEpB;AAEA;;;;;;;;;AASG;AACI,MAAM,cAAc,GAAW,YAAY,CAAC;AACjD,IAAA,iBAAiB,EAAE;QACjB,KAAK;AACL,QAAA,KAAK,EAAE,MAAM;AACb,QAAA,KAAK,EAAE,MAAM;AACb,QAAA,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,KAAK,EAAE,KAAK;QACnB,KAAK;QACL,KAAK;QACL,MAAM;AACN,QAAA,MAAM,EAAE,KAAK;QACb,IAAI;AACL,KAAA;AACD,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,oBAAoB;QACpB,yEAAyE;QACzE,0BAA0B;QAC1B,mEAAmE;QACnE,+BAA+B;QAC/B,2EAA2E;QAC3E,yCAAyC;QACzC,gDAAgD;QAChD,iDAAiD;QACjD,UAAU;QACV,YAAY;QACZ,kBAAkB;QAClB,WAAW;QACX,eAAe;AAChB,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,KAAM;AACjB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;;AASG;AACI,MAAM,WAAW,GAAW,YAAY,CAAC;IAC9C,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;AAC7F,IAAA,gBAAgB,EAAE;QAChB,YAAY;QACZ,WAAW;QACX,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;QACX,cAAc;QACd,0BAA0B;AAC3B,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;AAQG;AACI,MAAM,oBAAoB,GAAW,YAAY,CAAC;IACvD,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;AACxD,IAAA,gBAAgB,EAAE;QAChB,YAAY;QACZ,WAAW;QACX,YAAY;QACZ,iBAAiB;AAClB,KAAA;IACD,gBAAgB,EAAE,CAAC,GAAG,EAAE;AACxB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;AAMG;AACI,MAAM,oBAAoB,GAAW,YAAY,CAAC;AACvD,IAAA,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;AACrF,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,WAAW;QACX,YAAY;QACZ,iBAAiB;QACjB,YAAY;QACZ,UAAU;QACV,yEAAyE;QACzE,mEAAmE;AACpE,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;;;;;;;;AAeG;AACI,MAAM,QAAQ,GAAW,YAAY,CAAC;AAC3C,IAAA,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;AACxE,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,mBAAmB;QACnB,kBAAkB;QAClB,qBAAqB;QACrB,kBAAkB;QAClB,6BAA6B;QAC7B,8BAA8B;AAC/B,KAAA;IACD,gBAAgB,EAAE,GAAG,GAAG,EAAE;AAC1B,IAAA,SAAS,EAAE,KAAM;AACjB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAWD;;;;;;;AAOG;AACI,MAAM,YAAY,GAAmC;AAC1D,IAAA,gBAAgB,EAAE,cAAc;AAChC,IAAA,aAAa,EAAE,WAAW;AAC1B,IAAA,sBAAsB,EAAE,oBAAoB;AAC5C,IAAA,sBAAsB,EAAE,oBAAoB;AAC5C,IAAA,UAAU,EAAE,QAAQ;;AAGtB;;;AAGG;AACG,SAAU,aAAa,CAAC,IAAoB,EAAA;AAChD,IAAA,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC;AACjC,IAAA,IAAI,CAAC,MAAM;AAAE,QAAA,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAA,gBAAA,EAAmB,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAAC;AACpH,IAAA,OAAO,MAAM;AACf;;;;;;;;;;"}

package/dist/pompelmi.policy-packs.esm.js

@@ -0,0 +1,231 @@
+const MB$1 = 1024 * 1024;
+const DEFAULT_POLICY = {
+    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf'],
+    allowedMimeTypes: ['application/zip', 'image/png', 'image/jpeg', 'application/pdf', 'text/plain'],
+    maxFileSizeBytes: 20 * MB$1,
+    timeoutMs: 5000,
+    concurrency: 4,
+    failClosed: true
+};
+function definePolicy(input = {}) {
+    const p = { ...DEFAULT_POLICY, ...input };
+    if (!Array.isArray(p.includeExtensions))
+        throw new TypeError('includeExtensions must be string[]');
+    if (!Array.isArray(p.allowedMimeTypes))
+        throw new TypeError('allowedMimeTypes must be string[]');
+    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
+        throw new TypeError('maxFileSizeBytes must be > 0');
+    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
+        throw new TypeError('timeoutMs must be > 0');
+    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
+        throw new TypeError('concurrency must be > 0');
+    return p;
+}
+
+/**
+ * Policy packs for Pompelmi.
+ *
+ * Pre-configured, named policies for common upload scenarios.  Each pack
+ * defines the file type allowlist, size limits, and timeout appropriate for
+ * its use case.
+ *
+ * All packs are built on `definePolicy` and are fully overridable:
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ *
+ * // Use a pack as-is:
+ * const policy = POLICY_PACKS['images-only'];
+ *
+ * // Or override individual fields:
+ * import { definePolicy } from 'pompelmi';
+ * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
+ * ```
+ *
+ * These packs are *deterministic* and *descriptor-based* — they do not
+ * depend on any external threat intelligence feed.
+ *
+ * @module policy-packs
+ */
+const KB = 1024;
+const MB = 1024 * KB;
+// ── Policy packs ──────────────────────────────────────────────────────────────
+/**
+ * Documents-only policy.
+ *
+ * Appropriate for: document management APIs, PDF/Office file upload endpoints,
+ * data import pipelines.
+ *
+ * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
+ *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
+ * Max size: 25 MB.
+ */
+const DOCUMENTS_ONLY = definePolicy({
+    includeExtensions: [
+        'pdf',
+        'doc', 'docx',
+        'xls', 'xlsx',
+        'ppt', 'pptx',
+        'odt', 'ods', 'odp',
+        'csv',
+        'txt',
+        'json',
+        'yaml', 'yml',
+        'md',
+    ],
+    allowedMimeTypes: [
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'application/vnd.oasis.opendocument.text',
+        'application/vnd.oasis.opendocument.spreadsheet',
+        'application/vnd.oasis.opendocument.presentation',
+        'text/csv',
+        'text/plain',
+        'application/json',
+        'text/yaml',
+        'text/markdown',
+    ],
+    maxFileSizeBytes: 25 * MB,
+    timeoutMs: 10000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Images-only policy.
+ *
+ * Appropriate for: avatar uploads, product image APIs, content platforms with
+ * user-generated imagery.
+ *
+ * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
+ * Max size: 10 MB.
+ * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
+ */
+const IMAGES_ONLY = definePolicy({
+    includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],
+    allowedMimeTypes: [
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        'image/avif',
+        'image/tiff',
+        'image/bmp',
+        'image/x-icon',
+        'image/vnd.microsoft.icon',
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 5000,
+    concurrency: 8,
+    failClosed: true,
+});
+/**
+ * Strict public-upload policy.
+ *
+ * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
+ * any surface exposed to untrusted users.
+ *
+ * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
+ * allowlist.  Only allows plain images and PDF.
+ */
+const STRICT_PUBLIC_UPLOAD = definePolicy({
+    includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],
+    allowedMimeTypes: [
+        'image/jpeg',
+        'image/png',
+        'image/webp',
+        'application/pdf',
+    ],
+    maxFileSizeBytes: 5 * MB,
+    timeoutMs: 4000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Conservative default policy.
+ *
+ * A hardened version of the built-in `DEFAULT_POLICY` suitable for
+ * production without further customisation.  Stricter size limit and
+ * shorter timeout than the permissive default.
+ */
+const CONSERVATIVE_DEFAULT = definePolicy({
+    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],
+    allowedMimeTypes: [
+        'application/zip',
+        'image/png',
+        'image/jpeg',
+        'application/pdf',
+        'text/plain',
+        'text/csv',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 8000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Archives policy.
+ *
+ * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
+ * Combines a generous size allowance with a longer timeout for deep inspection.
+ *
+ * NOTE: Pair this policy with `createZipBombGuard()` to defend against
+ * decompression-bomb attacks:
+ *
+ * ```ts
+ * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
+ * const scanner = composeScanners(
+ *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
+ * );
+ * ```
+ */
+const ARCHIVES = definePolicy({
+    includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],
+    allowedMimeTypes: [
+        'application/zip',
+        'application/x-tar',
+        'application/gzip',
+        'application/x-bzip2',
+        'application/x-xz',
+        'application/x-7z-compressed',
+        'application/x-rar-compressed',
+    ],
+    maxFileSizeBytes: 100 * MB,
+    timeoutMs: 30000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Named map of all built-in policy packs.
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ * const policy = POLICY_PACKS['strict-public-upload'];
+ * ```
+ */
+const POLICY_PACKS = {
+    'documents-only': DOCUMENTS_ONLY,
+    'images-only': IMAGES_ONLY,
+    'strict-public-upload': STRICT_PUBLIC_UPLOAD,
+    'conservative-default': CONSERVATIVE_DEFAULT,
+    'archives': ARCHIVES,
+};
+/**
+ * Look up a policy pack by name.
+ * Throws if the name is not recognised.
+ */
+function getPolicyPack(name) {
+    const policy = POLICY_PACKS[name];
+    if (!policy)
+        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);
+    return policy;
+}
+
+export { ARCHIVES, CONSERVATIVE_DEFAULT, DOCUMENTS_ONLY, IMAGES_ONLY, POLICY_PACKS, STRICT_PUBLIC_UPLOAD, getPolicyPack };
+//# sourceMappingURL=pompelmi.policy-packs.esm.js.map