pompelmi 0.33.0 → 0.34.0

package/dist/pompelmi.browser.cjs

@@ -0,0 +1,1455 @@
+'use strict';
+
+var crypto = require('crypto');
+
+function hasAsciiToken(buf, token) {
+    // Use latin1 so we can safely search binary
+    return buf.indexOf(token, 0, 'latin1') !== -1;
+}
+function startsWith(buf, bytes) {
+    if (buf.length < bytes.length)
+        return false;
+    for (let i = 0; i < bytes.length; i++)
+        if (buf[i] !== bytes[i])
+            return false;
+    return true;
+}
+function isPDF(buf) {
+    // %PDF-
+    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
+}
+function isOleCfb(buf) {
+    // D0 CF 11 E0 A1 B1 1A E1
+    const sig = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];
+    return startsWith(buf, sig);
+}
+function isZipLike$1(buf) {
+    // PK\x03\x04
+    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
+}
+function isPeExecutable(buf) {
+    // "MZ"
+    return startsWith(buf, [0x4d, 0x5a]);
+}
+/** OOXML macro hint via filename token in ZIP container */
+function hasOoxmlMacros(buf) {
+    if (!isZipLike$1(buf))
+        return false;
+    return hasAsciiToken(buf, 'vbaProject.bin');
+}
+/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
+function pdfRiskTokens(buf) {
+    const tokens = ['/JavaScript', '/OpenAction', '/AA', '/Launch'];
+    return tokens.filter(t => hasAsciiToken(buf, t));
+}
+const CommonHeuristicsScanner = {
+    async scan(input) {
+        const buf = Buffer.from(input);
+        const matches = [];
+        // Office macros (OLE / OOXML)
+        if (isOleCfb(buf)) {
+            matches.push({ rule: 'office_ole_container', severity: 'suspicious' });
+        }
+        if (hasOoxmlMacros(buf)) {
+            matches.push({ rule: 'office_ooxml_macros', severity: 'suspicious' });
+        }
+        // PDF risky tokens
+        if (isPDF(buf)) {
+            const toks = pdfRiskTokens(buf);
+            if (toks.length) {
+                matches.push({
+                    rule: 'pdf_risky_actions',
+                    severity: 'suspicious',
+                    meta: { tokens: toks }
+                });
+            }
+        }
+        // Executable header
+        if (isPeExecutable(buf)) {
+            matches.push({ rule: 'pe_executable_signature', severity: 'suspicious' });
+        }
+        // EICAR test file
+        const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
+        if (hasAsciiToken(buf, EICAR_NEEDLE)) {
+            matches.push({ rule: 'eicar_test_file', severity: 'high', meta: { note: 'EICAR standard antivirus test file detected' } });
+        }
+        return matches;
+    }
+};
+
+function toScanFn(s) {
+    return (typeof s === "function" ? s : s.scan);
+}
+/** Map a Match's severity field to a Verdict for stopOn comparison. */
+function matchToVerdict(m) {
+    const s = m.severity;
+    if (s === "critical" || s === "high" || s === "malicious")
+        return "malicious";
+    if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
+        return "suspicious";
+    return "clean";
+}
+/** Highest verdict across all matches in the list. */
+function highestSeverity(matches) {
+    if (matches.length === 0)
+        return null;
+    if (matches.some((m) => matchToVerdict(m) === "malicious"))
+        return "malicious";
+    if (matches.some((m) => matchToVerdict(m) === "suspicious"))
+        return "suspicious";
+    return "clean";
+}
+const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
+function shouldStop(matches, stopOn) {
+    if (!stopOn)
+        return false;
+    const highest = highestSeverity(matches);
+    if (!highest)
+        return false;
+    return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
+}
+async function runWithTimeout(fn, timeoutMs) {
+    if (!timeoutMs)
+        return fn();
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
+        fn().then((v) => { clearTimeout(timer); resolve(v); }, (e) => { clearTimeout(timer); reject(e); });
+    });
+}
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function composeScanners(...args) {
+    const first = args[0];
+    const rest = args.slice(1);
+    // ── Named-scanner array form ──────────────────────────────────────────────
+    if (Array.isArray(first) &&
+        (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
+        const entries = first;
+        const opts = rest.length > 0 && !Array.isArray(rest[0]) && typeof rest[0] !== "function" &&
+            !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
+            ? rest[0]
+            : {};
+        return async (input, ctx) => {
+            const all = [];
+            if (opts.parallel) {
+                // Parallel execution — collect all results then return
+                const results = await Promise.allSettled(entries.map(([name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
+                for (let i = 0; i < results.length; i++) {
+                    const result = results[i];
+                    if (result.status === "fulfilled" && Array.isArray(result.value)) {
+                        const matches = opts.tagSourceName
+                            ? result.value.map((m) => ({
+                                ...m,
+                                meta: { ...m.meta, _sourceName: entries[i][0] },
+                            }))
+                            : result.value;
+                        all.push(...matches);
+                    }
+                }
+            }
+            else {
+                // Sequential execution with optional stopOn short-circuit
+                for (const [name, scanner] of entries) {
+                    try {
+                        const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
+                        if (Array.isArray(out)) {
+                            const matches = opts.tagSourceName
+                                ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
+                                : out;
+                            all.push(...matches);
+                            if (shouldStop(all, opts.stopOn))
+                                break;
+                        }
+                    }
+                    catch {
+                        // individual scanner failure is non-fatal
+                    }
+                }
+            }
+            return all;
+        };
+    }
+    // ── Variadic form (backward-compatible) ───────────────────────────────────
+    const scanners = [first, ...rest].filter(Boolean);
+    return async (input, ctx) => {
+        const all = [];
+        for (const s of scanners) {
+            try {
+                const out = await toScanFn(s)(input, ctx);
+                if (Array.isArray(out))
+                    all.push(...out);
+            }
+            catch {
+                // ignore individual scanner failures
+            }
+        }
+        return all;
+    };
+}
+function createPresetScanner(preset, opts = {}) {
+    const scanners = [];
+    // Always include heuristics (EICAR, PHP webshells, JS obfuscation, PE hints, etc.)
+    scanners.push(CommonHeuristicsScanner);
+    // Add decompilation scanners based on preset
+    if (preset === 'decompilation-basic' || preset === 'decompilation-deep' ||
+        preset === 'malware-analysis' || opts.enableDecompilation) {
+        const depth = preset === 'decompilation-deep' ? 'deep' :
+            preset === 'decompilation-basic' ? 'basic' :
+                opts.decompilationDepth || 'basic';
+        if (!opts.decompilationEngine || opts.decompilationEngine === 'binaryninja-hlil' || opts.decompilationEngine === 'both') {
+            try {
+                // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
+                const importModule = new Function('specifier', 'return import(specifier)');
+                importModule('@pompelmi/engine-binaryninja').then((mod) => {
+                    const binjaScanner = mod.createBinaryNinjaScanner({
+                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                        depth,
+                        pythonPath: opts.pythonPath,
+                        binaryNinjaPath: opts.binaryNinjaPath
+                    });
+                    scanners.push(binjaScanner);
+                }).catch(() => {
+                    // Binary Ninja engine not available - silently skip
+                });
+            }
+            catch {
+                // Engine not installed
+            }
+        }
+        if (!opts.decompilationEngine || opts.decompilationEngine === 'ghidra-pcode' || opts.decompilationEngine === 'both') {
+            try {
+                // Dynamic import for Ghidra engine (when implemented) - using Function to bypass TypeScript type checking
+                const importModule = new Function('specifier', 'return import(specifier)');
+                importModule('@pompelmi/engine-ghidra').then((mod) => {
+                    const ghidraScanner = mod.createGhidraScanner({
+                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                        depth,
+                        ghidraPath: opts.ghidraPath,
+                        analyzeHeadless: opts.analyzeHeadless
+                    });
+                    scanners.push(ghidraScanner);
+                }).catch(() => {
+                    // Ghidra engine not available - silently skip
+                });
+            }
+            catch {
+                // Engine not installed
+            }
+        }
+    }
+    if (scanners.length === 0) {
+        // Fallback scanner that returns no matches
+        return async (_input, _ctx) => {
+            return [];
+        };
+    }
+    return composeScanners(...scanners);
+}
+
+/**
+ * Performance monitoring utilities for pompelmi scans
+ * @module utils/performance-metrics
+ */
+/**
+ * Track performance metrics for a scan operation
+ */
+class PerformanceTracker {
+    constructor() {
+        this.checkpoints = new Map();
+        this.startTime = Date.now();
+    }
+    /**
+     * Mark a checkpoint in the scan process
+     */
+    checkpoint(name) {
+        this.checkpoints.set(name, Date.now());
+    }
+    /**
+     * Get duration since start or since a specific checkpoint
+     */
+    getDuration(since) {
+        const now = Date.now();
+        if (since && this.checkpoints.has(since)) {
+            return now - (this.checkpoints.get(since) ?? now);
+        }
+        return now - this.startTime;
+    }
+    /**
+     * Generate final metrics report
+     */
+    getMetrics(bytesScanned) {
+        const totalDuration = this.getDuration();
+        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
+        return {
+            totalDurationMs: totalDuration,
+            heuristicsDurationMs: this.checkpoints.has('heuristics_end')
+                ? (this.checkpoints.get('heuristics_end') ?? 0) - (this.checkpoints.get('heuristics_start') ?? 0)
+                : undefined,
+            yaraDurationMs: this.checkpoints.has('yara_end')
+                ? (this.checkpoints.get('yara_end') ?? 0) - (this.checkpoints.get('yara_start') ?? 0)
+                : undefined,
+            prepDurationMs: this.checkpoints.has('prep_end')
+                ? (this.checkpoints.get('prep_end') ?? 0) - this.startTime
+                : undefined,
+            throughputBps: throughput,
+            bytesScanned,
+            startedAt: this.startTime,
+            completedAt: Date.now(),
+        };
+    }
+}
+/**
+ * Aggregate statistics from multiple scan reports
+ */
+function aggregateScanStats(reports) {
+    let cleanCount = 0;
+    let suspiciousCount = 0;
+    let maliciousCount = 0;
+    let totalDuration = 0;
+    let totalBytes = 0;
+    let validDurationCount = 0;
+    for (const report of reports) {
+        if (report.verdict === 'clean')
+            cleanCount++;
+        else if (report.verdict === 'suspicious')
+            suspiciousCount++;
+        else if (report.verdict === 'malicious')
+            maliciousCount++;
+        if (report.durationMs !== undefined) {
+            totalDuration += report.durationMs;
+            validDurationCount++;
+        }
+        if (report.file?.size !== undefined) {
+            totalBytes += report.file.size;
+        }
+    }
+    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
+    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
+    return {
+        totalScans: reports.length,
+        cleanCount,
+        suspiciousCount,
+        maliciousCount,
+        avgDurationMs: avgDuration,
+        avgThroughputBps: avgThroughput,
+        totalBytesScanned: totalBytes,
+    };
+}
+
+/**
+ * Advanced threat detection utilities
+ * @module utils/advanced-detection
+ */
+/**
+ * Enhanced polyglot file detection
+ * Detects files that can be interpreted as multiple formats
+ */
+function detectPolyglot(bytes) {
+    const matches = [];
+    // Check for PDF/ZIP polyglot
+    if (isPDFZipPolyglot(bytes)) {
+        matches.push({
+            rule: 'polyglot_pdf_zip',
+            severity: 'high',
+            meta: { description: 'File can be interpreted as both PDF and ZIP' },
+        });
+    }
+    // Check for image/script polyglot
+    if (isImageScriptPolyglot(bytes)) {
+        matches.push({
+            rule: 'polyglot_image_script',
+            severity: 'high',
+            meta: { description: 'Image file contains executable script content' },
+        });
+    }
+    // Check for GIFAR (GIF/JAR polyglot)
+    if (isGIFAR(bytes)) {
+        matches.push({
+            rule: 'polyglot_gifar',
+            severity: 'critical',
+            meta: { description: 'GIF file contains Java archive' },
+        });
+    }
+    return matches;
+}
+/**
+ * Detect obfuscated JavaScript/VBScript
+ */
+function detectObfuscatedScripts(bytes) {
+    const matches = [];
+    const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
+    // Check for common obfuscation patterns
+    const obfuscationPatterns = [
+        /eval\s*\(\s*unescape\s*\(/gi,
+        /eval\s*\(\s*atob\s*\(/gi,
+        /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
+        /[a-z0-9]{100,}/gi, // Long encoded strings
+        /\\x[0-9a-f]{2}/gi, // Hex escapes
+    ];
+    for (const pattern of obfuscationPatterns) {
+        if (pattern.test(text)) {
+            matches.push({
+                rule: 'obfuscated_script',
+                severity: 'medium',
+                meta: {
+                    description: 'Detected obfuscated script content',
+                    pattern: pattern.source,
+                },
+            });
+            break;
+        }
+    }
+    return matches;
+}
+/**
+ * Enhanced nested archive detection with depth limits
+ */
+function analyzeNestedArchives(bytes, maxDepth = 10) {
+    let depth = 0;
+    let currentBytes = bytes;
+    while (depth < maxDepth) {
+        if (isArchive(currentBytes)) {
+            depth++;
+            {
+                break;
+            }
+        }
+        else {
+            break;
+        }
+    }
+    return {
+        depth,
+        hasExcessiveNesting: depth >= 5,
+    };
+}
+// Helper functions
+function isPDFZipPolyglot(bytes) {
+    if (bytes.length < 8)
+        return false;
+    // Check for PDF signature
+    const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
+    // Check for ZIP signature anywhere in the file
+    let hasZIP = false;
+    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
+        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
+            hasZIP = true;
+            break;
+        }
+    }
+    return hasPDF && hasZIP;
+}
+function isImageScriptPolyglot(bytes) {
+    if (bytes.length < 100)
+        return false;
+    // Check for image signatures
+    const isImage = ((bytes[0] === 0xFF && bytes[1] === 0xD8) || // JPEG
+        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4E && bytes[3] === 0x47) || // PNG
+        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46) // GIF
+    );
+    if (!isImage)
+        return false;
+    // Check for script content
+    const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes);
+    return /<script|javascript:|eval\(|function\s*\(/i.test(text);
+}
+function isGIFAR(bytes) {
+    if (bytes.length < 100)
+        return false;
+    // Check for GIF signature
+    const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
+    // Check for ZIP/JAR signature
+    let hasZIP = false;
+    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
+        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
+            hasZIP = true;
+            break;
+        }
+    }
+    return isGIF && hasZIP;
+}
+function isArchive(bytes) {
+    if (bytes.length < 4)
+        return false;
+    return (
+    // ZIP
+    (bytes[0] === 0x50 && bytes[1] === 0x4B && bytes[2] === 0x03 && bytes[3] === 0x04) ||
+        // RAR
+        (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
+        // 7z
+        (bytes[0] === 0x37 && bytes[1] === 0x7A && bytes[2] === 0xBC && bytes[3] === 0xAF) ||
+        // tar.gz
+        (bytes[0] === 0x1F && bytes[1] === 0x8B));
+}
+
+/**
+ * Cache management system for scan results
+ * @module utils/cache-manager
+ */
+/**
+ * LRU cache for scan results with TTL support
+ */
+class ScanCacheManager {
+    constructor(options = {}) {
+        this.cache = new Map();
+        // Statistics
+        this.stats = {
+            hits: 0,
+            misses: 0,
+            evictions: 0,
+        };
+        this.maxSize = options.maxSize ?? 1000;
+        this.ttl = options.ttl ?? 3600000; // 1 hour default
+        this.enableLRU = options.enableLRU ?? true;
+        this.enableStats = options.enableStats ?? false;
+    }
+    /**
+     * Generate cache key from file content
+     */
+    generateKey(content, preset) {
+        const hash = crypto.createHash('sha256')
+            .update(content)
+            .update(preset || 'default')
+            .digest('hex');
+        return hash;
+    }
+    /**
+     * Check if cache entry is still valid
+     */
+    isValid(entry) {
+        return Date.now() - entry.timestamp < this.ttl;
+    }
+    /**
+     * Evict oldest or least-used entry when cache is full
+     */
+    evict() {
+        if (this.cache.size === 0)
+            return;
+        let targetKey = null;
+        let oldestTime = Infinity;
+        let lowestAccess = Infinity;
+        for (const [key, entry] of this.cache.entries()) {
+            if (this.enableLRU) {
+                // LRU: evict least recently used
+                if (entry.timestamp < oldestTime) {
+                    oldestTime = entry.timestamp;
+                    targetKey = key;
+                }
+            }
+            else {
+                // LFU: evict least frequently used
+                if (entry.accessCount < lowestAccess) {
+                    lowestAccess = entry.accessCount;
+                    targetKey = key;
+                }
+            }
+        }
+        if (targetKey) {
+            this.cache.delete(targetKey);
+            if (this.enableStats)
+                this.stats.evictions++;
+        }
+    }
+    /**
+     * Store scan result in cache
+     */
+    set(content, report, preset) {
+        const key = this.generateKey(content, preset);
+        // Evict if necessary
+        if (this.cache.size >= this.maxSize) {
+            this.evict();
+        }
+        this.cache.set(key, {
+            report,
+            timestamp: Date.now(),
+            accessCount: 0,
+        });
+    }
+    /**
+     * Retrieve scan result from cache
+     */
+    get(content, preset) {
+        const key = this.generateKey(content, preset);
+        const entry = this.cache.get(key);
+        if (!entry) {
+            if (this.enableStats)
+                this.stats.misses++;
+            return null;
+        }
+        if (!this.isValid(entry)) {
+            this.cache.delete(key);
+            if (this.enableStats)
+                this.stats.misses++;
+            return null;
+        }
+        // Update access tracking
+        entry.accessCount++;
+        entry.timestamp = Date.now(); // Update for LRU
+        if (this.enableStats)
+            this.stats.hits++;
+        return entry.report;
+    }
+    /**
+     * Check if result exists in cache
+     */
+    has(content, preset) {
+        const key = this.generateKey(content, preset);
+        const entry = this.cache.get(key);
+        return entry !== undefined && this.isValid(entry);
+    }
+    /**
+     * Clear entire cache
+     */
+    clear() {
+        this.cache.clear();
+        if (this.enableStats) {
+            this.stats.hits = 0;
+            this.stats.misses = 0;
+            this.stats.evictions = 0;
+        }
+    }
+    /**
+     * Remove expired entries
+     */
+    prune() {
+        let removed = 0;
+        for (const [key, entry] of this.cache.entries()) {
+            if (!this.isValid(entry)) {
+                this.cache.delete(key);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    /**
+     * Get cache statistics
+     */
+    getStats() {
+        const total = this.stats.hits + this.stats.misses;
+        const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
+        return {
+            hits: this.stats.hits,
+            misses: this.stats.misses,
+            size: this.cache.size,
+            hitRate,
+            evictions: this.stats.evictions,
+        };
+    }
+    /**
+     * Get current cache size
+     */
+    get size() {
+        return this.cache.size;
+    }
+}
+// Export singleton instance for convenience
+let defaultCache = null;
+/**
+ * Get or create the default cache instance
+ */
+function getDefaultCache(options) {
+    if (!defaultCache) {
+        defaultCache = new ScanCacheManager(options);
+    }
+    return defaultCache;
+}
+
+/** Mappa veloce estensione -> mime (basic) */
+function guessMimeByExt(name) {
+    if (!name)
+        return;
+    const ext = name.toLowerCase().split('.').pop();
+    switch (ext) {
+        case 'zip': return 'application/zip';
+        case 'png': return 'image/png';
+        case 'jpg':
+        case 'jpeg': return 'image/jpeg';
+        case 'pdf': return 'application/pdf';
+        case 'txt': return 'text/plain';
+        default: return;
+    }
+}
+/** Heuristica semplice per verdetto */
+function computeVerdict(matches) {
+    if (!matches.length)
+        return 'clean';
+    // se la regola contiene 'zip_' lo marchiamo "suspicious"
+    const anyHigh = matches.some(m => (m.tags ?? []).includes('critical') || (m.tags ?? []).includes('high'));
+    return anyHigh ? 'malicious' : 'suspicious';
+}
+/** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
+function toYaraMatches(ms) {
+    return ms.map(m => ({
+        rule: m.rule,
+        namespace: 'heuristics',
+        tags: ['heuristics'].concat(m.severity ? [m.severity] : []),
+        meta: m.meta,
+    }));
+}
+/** Scan di bytes (browser/node) usando preset (default: zip-basic) */
+async function scanBytes(input, opts = {}) {
+    // Check cache first if enabled
+    if (opts.enableCache || opts.config?.performance?.enableCache) {
+        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
+        const cached = cache.get(input, opts.preset);
+        if (cached) {
+            return cached;
+        }
+    }
+    const perfTracker = (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)
+        ? new PerformanceTracker()
+        : null;
+    perfTracker?.checkpoint('prep_start');
+    const preset = opts.preset ?? opts.config?.defaultPreset ?? 'zip-basic';
+    const ctx = {
+        ...opts.ctx,
+        mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
+        size: opts.ctx?.size ?? input.byteLength,
+    };
+    perfTracker?.checkpoint('prep_end');
+    perfTracker?.checkpoint('heuristics_start');
+    const scanFn = createPresetScanner(preset);
+    const matchesH = await (typeof scanFn === "function" ? scanFn : scanFn.scan)(input, ctx);
+    let allMatches = [...matchesH];
+    perfTracker?.checkpoint('heuristics_end');
+    // Advanced detection (enabled by default, can be overridden by config)
+    const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
+    if (advancedEnabled) {
+        perfTracker?.checkpoint('advanced_start');
+        // Detect polyglot files
+        if (opts.config?.advanced?.enablePolyglotDetection !== false) {
+            const polyglotMatches = detectPolyglot(input);
+            allMatches.push(...polyglotMatches);
+        }
+        // Detect obfuscated scripts
+        if (opts.config?.advanced?.enableObfuscationDetection !== false) {
+            const obfuscatedMatches = detectObfuscatedScripts(input);
+            allMatches.push(...obfuscatedMatches);
+        }
+        // Check for excessive nesting in archives
+        if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
+            const nestingAnalysis = analyzeNestedArchives(input);
+            const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
+            if (nestingAnalysis.hasExcessiveNesting || (nestingAnalysis.depth > maxDepth)) {
+                allMatches.push({
+                    rule: 'excessive_archive_nesting',
+                    severity: 'high',
+                    meta: {
+                        description: 'Excessive archive nesting detected',
+                        depth: nestingAnalysis.depth,
+                        maxAllowed: maxDepth,
+                    },
+                });
+            }
+        }
+        perfTracker?.checkpoint('advanced_end');
+    }
+    const matches = toYaraMatches(allMatches);
+    const verdict = computeVerdict(matches);
+    perfTracker ? perfTracker.getDuration() : Date.now();
+    const durationMs = perfTracker ? perfTracker.getDuration() : 0;
+    const report = {
+        ok: verdict === 'clean',
+        verdict,
+        matches,
+        reasons: matches.map(m => m.rule),
+        file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
+        durationMs,
+        engine: 'heuristics',
+        truncated: false,
+        timedOut: false,
+    };
+    // Add performance metrics if tracking enabled
+    if (perfTracker && (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
+        report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
+    }
+    // Cache result if enabled
+    if (opts.enableCache || opts.config?.performance?.enableCache) {
+        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
+        cache.set(input, report, opts.preset);
+    }
+    // Invoke callbacks if configured
+    opts.config?.callbacks?.onScanComplete?.(report);
+    return report;
+}
+/** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
+async function scanFile(filePath, opts = {}) {
+    const [{ readFile, stat }, path] = await Promise.all([
+        import('fs/promises'),
+        import('path'),
+    ]);
+    const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
+    const ctx = {
+        filename: path.basename(filePath),
+        mimeType: guessMimeByExt(filePath),
+        size: st.size,
+    };
+    return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
+}
+/** Scan multipli File (browser) usando scanBytes + preset di default */
+async function scanFiles(files, opts = {}) {
+    const list = Array.from(files);
+    const out = [];
+    for (const f of list) {
+        const buf = new Uint8Array(await f.arrayBuffer());
+        const rep = await scanBytes(buf, {
+            ...opts,
+            ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
+        });
+        out.push(rep);
+    }
+    return out;
+}
+
+/**
+ * Validates a File by MIME type and size (max 5 MB).
+ */
+function validateFile(file) {
+    const maxSize = 5 * 1024 * 1024;
+    const allowedTypes = ['text/plain', 'application/json', 'text/csv'];
+    if (!allowedTypes.includes(file.type)) {
+        return { valid: false, error: 'Unsupported file type' };
+    }
+    if (file.size > maxSize) {
+        return { valid: false, error: 'File too large (max 5 MB)' };
+    }
+    return { valid: true };
+}
+
+const SIG_CEN = 0x02014b50;
+const DEFAULTS = {
+    maxEntries: 1000,
+    maxTotalUncompressedBytes: 500 * 1024 * 1024,
+    maxEntryNameLength: 255,
+    maxCompressionRatio: 1000,
+    eocdSearchWindow: 70000,
+};
+function r16(buf, off) {
+    return buf.readUInt16LE(off);
+}
+function r32(buf, off) {
+    return buf.readUInt32LE(off);
+}
+function isZipLike(buf) {
+    // local file header at start is common
+    return buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04;
+}
+function lastIndexOfEOCD(buf, window) {
+    const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
+    const start = Math.max(0, buf.length - window);
+    const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
+    return idx >= start ? idx : -1;
+}
+function hasTraversal(name) {
+    return name.includes('../') || name.includes('..\\') || name.startsWith('/') || /^[A-Za-z]:/.test(name);
+}
+function createZipBombGuard(opts = {}) {
+    const cfg = { ...DEFAULTS, ...opts };
+    return {
+        async scan(input) {
+            const buf = Buffer.from(input);
+            const matches = [];
+            if (!isZipLike(buf))
+                return matches;
+            // Find EOCD near the end
+            const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
+            if (eocdPos < 0 || eocdPos + 22 > buf.length) {
+                // ZIP but no EOCD — malformed or polyglot → suspicious
+                matches.push({ rule: 'zip_eocd_not_found', severity: 'medium' });
+                return matches;
+            }
+            const totalEntries = r16(buf, eocdPos + 10);
+            const cdSize = r32(buf, eocdPos + 12);
+            const cdOffset = r32(buf, eocdPos + 16);
+            // Bounds check
+            if (cdOffset + cdSize > buf.length) {
+                matches.push({ rule: 'zip_cd_out_of_bounds', severity: 'medium' });
+                return matches;
+            }
+            // Iterate central directory entries
+            let ptr = cdOffset;
+            let seen = 0;
+            let sumComp = 0;
+            let sumUnc = 0;
+            while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
+                const sig = r32(buf, ptr);
+                if (sig !== SIG_CEN)
+                    break; // stop if structure breaks
+                const compSize = r32(buf, ptr + 20);
+                const uncSize = r32(buf, ptr + 24);
+                const fnLen = r16(buf, ptr + 28);
+                const exLen = r16(buf, ptr + 30);
+                const cmLen = r16(buf, ptr + 32);
+                const nameStart = ptr + 46;
+                const nameEnd = nameStart + fnLen;
+                if (nameEnd > buf.length)
+                    break;
+                const name = buf.toString('utf8', nameStart, nameEnd);
+                sumComp += compSize;
+                sumUnc += uncSize;
+                seen++;
+                if (name.length > cfg.maxEntryNameLength) {
+                    matches.push({ rule: 'zip_entry_name_too_long', severity: 'medium', meta: { name, length: name.length } });
+                }
+                if (hasTraversal(name)) {
+                    matches.push({ rule: 'zip_path_traversal_entry', severity: 'medium', meta: { name } });
+                }
+                // move to next entry
+                ptr = nameEnd + exLen + cmLen;
+            }
+            if (seen !== totalEntries) {
+                // central dir truncated/odd, still report what we found
+                matches.push({ rule: 'zip_cd_truncated', severity: 'medium', meta: { seen, totalEntries } });
+            }
+            // Heuristics thresholds
+            if (seen > cfg.maxEntries) {
+                matches.push({ rule: 'zip_too_many_entries', severity: 'medium', meta: { seen, limit: cfg.maxEntries } });
+            }
+            if (sumUnc > cfg.maxTotalUncompressedBytes) {
+                matches.push({
+                    rule: 'zip_total_uncompressed_too_large',
+                    severity: 'medium',
+                    meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes }
+                });
+            }
+            if (sumComp === 0 && sumUnc > 0) {
+                matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio: Infinity } });
+            }
+            else if (sumComp > 0) {
+                const ratio = sumUnc / Math.max(1, sumComp);
+                if (ratio >= cfg.maxCompressionRatio) {
+                    matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio, limit: cfg.maxCompressionRatio } });
+                }
+            }
+            return matches;
+        }
+    };
+}
+
+const MB$1 = 1024 * 1024;
+const DEFAULT_POLICY = {
+    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf'],
+    allowedMimeTypes: ['application/zip', 'image/png', 'image/jpeg', 'application/pdf', 'text/plain'],
+    maxFileSizeBytes: 20 * MB$1,
+    timeoutMs: 5000,
+    concurrency: 4,
+    failClosed: true
+};
+function definePolicy(input = {}) {
+    const p = { ...DEFAULT_POLICY, ...input };
+    if (!Array.isArray(p.includeExtensions))
+        throw new TypeError('includeExtensions must be string[]');
+    if (!Array.isArray(p.allowedMimeTypes))
+        throw new TypeError('allowedMimeTypes must be string[]');
+    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
+        throw new TypeError('maxFileSizeBytes must be > 0');
+    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
+        throw new TypeError('timeoutMs must be > 0');
+    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
+        throw new TypeError('concurrency must be > 0');
+    return p;
+}
+
+/**
+ * Policy packs for Pompelmi.
+ *
+ * Pre-configured, named policies for common upload scenarios.  Each pack
+ * defines the file type allowlist, size limits, and timeout appropriate for
+ * its use case.
+ *
+ * All packs are built on `definePolicy` and are fully overridable:
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ *
+ * // Use a pack as-is:
+ * const policy = POLICY_PACKS['images-only'];
+ *
+ * // Or override individual fields:
+ * import { definePolicy } from 'pompelmi';
+ * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
+ * ```
+ *
+ * These packs are *deterministic* and *descriptor-based* — they do not
+ * depend on any external threat intelligence feed.
+ *
+ * @module policy-packs
+ */
+const KB = 1024;
+const MB = 1024 * KB;
+// ── Policy packs ──────────────────────────────────────────────────────────────
+/**
+ * Documents-only policy.
+ *
+ * Appropriate for: document management APIs, PDF/Office file upload endpoints,
+ * data import pipelines.
+ *
+ * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
+ *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
+ * Max size: 25 MB.
+ */
+const DOCUMENTS_ONLY = definePolicy({
+    includeExtensions: [
+        'pdf',
+        'doc', 'docx',
+        'xls', 'xlsx',
+        'ppt', 'pptx',
+        'odt', 'ods', 'odp',
+        'csv',
+        'txt',
+        'json',
+        'yaml', 'yml',
+        'md',
+    ],
+    allowedMimeTypes: [
+        'application/pdf',
+        'application/msword',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.ms-excel',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'application/vnd.ms-powerpoint',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+        'application/vnd.oasis.opendocument.text',
+        'application/vnd.oasis.opendocument.spreadsheet',
+        'application/vnd.oasis.opendocument.presentation',
+        'text/csv',
+        'text/plain',
+        'application/json',
+        'text/yaml',
+        'text/markdown',
+    ],
+    maxFileSizeBytes: 25 * MB,
+    timeoutMs: 10000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Images-only policy.
+ *
+ * Appropriate for: avatar uploads, product image APIs, content platforms with
+ * user-generated imagery.
+ *
+ * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
+ * Max size: 10 MB.
+ * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
+ */
+const IMAGES_ONLY = definePolicy({
+    includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],
+    allowedMimeTypes: [
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        'image/avif',
+        'image/tiff',
+        'image/bmp',
+        'image/x-icon',
+        'image/vnd.microsoft.icon',
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 5000,
+    concurrency: 8,
+    failClosed: true,
+});
+/**
+ * Strict public-upload policy.
+ *
+ * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
+ * any surface exposed to untrusted users.
+ *
+ * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
+ * allowlist.  Only allows plain images and PDF.
+ */
+const STRICT_PUBLIC_UPLOAD = definePolicy({
+    includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],
+    allowedMimeTypes: [
+        'image/jpeg',
+        'image/png',
+        'image/webp',
+        'application/pdf',
+    ],
+    maxFileSizeBytes: 5 * MB,
+    timeoutMs: 4000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Conservative default policy.
+ *
+ * A hardened version of the built-in `DEFAULT_POLICY` suitable for
+ * production without further customisation.  Stricter size limit and
+ * shorter timeout than the permissive default.
+ */
+const CONSERVATIVE_DEFAULT = definePolicy({
+    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],
+    allowedMimeTypes: [
+        'application/zip',
+        'image/png',
+        'image/jpeg',
+        'application/pdf',
+        'text/plain',
+        'text/csv',
+        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 8000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Archives policy.
+ *
+ * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
+ * Combines a generous size allowance with a longer timeout for deep inspection.
+ *
+ * NOTE: Pair this policy with `createZipBombGuard()` to defend against
+ * decompression-bomb attacks:
+ *
+ * ```ts
+ * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
+ * const scanner = composeScanners(
+ *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
+ * );
+ * ```
+ */
+const ARCHIVES = definePolicy({
+    includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],
+    allowedMimeTypes: [
+        'application/zip',
+        'application/x-tar',
+        'application/gzip',
+        'application/x-bzip2',
+        'application/x-xz',
+        'application/x-7z-compressed',
+        'application/x-rar-compressed',
+    ],
+    maxFileSizeBytes: 100 * MB,
+    timeoutMs: 30000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Named map of all built-in policy packs.
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ * const policy = POLICY_PACKS['strict-public-upload'];
+ * ```
+ */
+const POLICY_PACKS = {
+    'documents-only': DOCUMENTS_ONLY,
+    'images-only': IMAGES_ONLY,
+    'strict-public-upload': STRICT_PUBLIC_UPLOAD,
+    'conservative-default': CONSERVATIVE_DEFAULT,
+    'archives': ARCHIVES,
+};
+/**
+ * Look up a policy pack by name.
+ * Throws if the name is not recognised.
+ */
+function getPolicyPack(name) {
+    const policy = POLICY_PACKS[name];
+    if (!policy)
+        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);
+    return policy;
+}
+
+function mapMatchesToVerdict(matches = []) {
+    if (!matches.length)
+        return 'clean';
+    const malHints = ['trojan', 'ransom', 'worm', 'spy', 'rootkit', 'keylog', 'botnet'];
+    const tagSet = new Set(matches.flatMap(m => (m.tags ?? []).map(t => t.toLowerCase())));
+    const nameHit = (r) => malHints.some(h => r.toLowerCase().includes(h));
+    const isMal = matches.some(m => nameHit(m.rule)) || tagSet.has('malware') || tagSet.has('critical');
+    return isMal ? 'malicious' : 'suspicious';
+}
+
+/**
+ * Export utilities for scan results
+ * @module utils/export
+ */
+/**
+ * Export scan results to various formats
+ */
+class ScanResultExporter {
+    /**
+     * Export to JSON format
+     */
+    toJSON(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        if (!options.includeDetails) {
+            // Simplified output
+            const simplified = data.map(r => ({
+                verdict: r.verdict,
+                file: r.file?.name,
+                matches: r.matches.length,
+                durationMs: r.durationMs,
+            }));
+            return options.prettyPrint
+                ? JSON.stringify(simplified, null, 2)
+                : JSON.stringify(simplified);
+        }
+        return options.prettyPrint
+            ? JSON.stringify(data, null, 2)
+            : JSON.stringify(data);
+    }
+    /**
+     * Export to CSV format
+     */
+    toCSV(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        const headers = [
+            'filename',
+            'verdict',
+            'matches_count',
+            'file_size',
+            'mime_type',
+            'duration_ms',
+            'engine',
+        ];
+        if (options.includeDetails) {
+            headers.push('reasons', 'match_rules');
+        }
+        const rows = data.map(report => {
+            const row = [
+                this.escapeCsv(report.file?.name || 'unknown'),
+                report.verdict,
+                report.matches.length.toString(),
+                (report.file?.size || 0).toString(),
+                this.escapeCsv(report.file?.mimeType || 'unknown'),
+                (report.durationMs || 0).toString(),
+                report.engine || 'unknown',
+            ];
+            if (options.includeDetails) {
+                row.push(this.escapeCsv((report.reasons || []).join('; ')), this.escapeCsv(report.matches.map(m => m.rule).join('; ')));
+            }
+            return row.join(',');
+        });
+        return [headers.join(','), ...rows].join('\n');
+    }
+    /**
+     * Export to Markdown format
+     */
+    toMarkdown(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        let md = '# Scan Results\n\n';
+        md += `**Total Scans:** ${data.length}\n\n`;
+        const clean = data.filter(r => r.verdict === 'clean').length;
+        const suspicious = data.filter(r => r.verdict === 'suspicious').length;
+        const malicious = data.filter(r => r.verdict === 'malicious').length;
+        md += '## Summary\n\n';
+        md += `- ✅ Clean: ${clean}\n`;
+        md += `- ⚠️ Suspicious: ${suspicious}\n`;
+        md += `- ❌ Malicious: ${malicious}\n\n`;
+        md += '## Detailed Results\n\n';
+        for (const report of data) {
+            const icon = report.verdict === 'clean' ? '✅' : report.verdict === 'suspicious' ? '⚠️' : '❌';
+            md += `### ${icon} ${report.file?.name || 'Unknown'}\n\n`;
+            md += `- **Verdict:** ${report.verdict}\n`;
+            md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
+            md += `- **MIME Type:** ${report.file?.mimeType || 'unknown'}\n`;
+            md += `- **Duration:** ${report.durationMs || 0}ms\n`;
+            md += `- **Matches:** ${report.matches.length}\n`;
+            if (options.includeDetails && report.matches.length > 0) {
+                md += '\n**Match Details:**\n';
+                for (const match of report.matches) {
+                    md += `- ${match.rule}`;
+                    if (match.tags && match.tags.length > 0) {
+                        md += ` (${match.tags.join(', ')})`;
+                    }
+                    md += '\n';
+                }
+            }
+            md += '\n';
+        }
+        return md;
+    }
+    /**
+     * Export to SARIF format (Static Analysis Results Interchange Format)
+     * Useful for CI/CD integration
+     */
+    toSARIF(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        const results = data.flatMap(report => {
+            if (report.verdict === 'clean')
+                return [];
+            return report.matches.map(match => ({
+                ruleId: match.rule,
+                level: report.verdict === 'malicious' ? 'error' : 'warning',
+                message: {
+                    text: `${match.rule} detected in ${report.file?.name || 'unknown file'}`,
+                },
+                locations: [
+                    {
+                        physicalLocation: {
+                            artifactLocation: {
+                                uri: report.file?.name || 'unknown',
+                            },
+                        },
+                    },
+                ],
+                properties: {
+                    tags: match.tags,
+                    metadata: match.meta,
+                },
+            }));
+        });
+        const sarif = {
+            version: '2.1.0',
+            $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+            runs: [
+                {
+                    tool: {
+                        driver: {
+                            name: 'Pompelmi',
+                            version: '0.29.0',
+                            informationUri: 'https://pompelmi.github.io/pompelmi/',
+                        },
+                    },
+                    results,
+                },
+            ],
+        };
+        return options.prettyPrint
+            ? JSON.stringify(sarif, null, 2)
+            : JSON.stringify(sarif);
+    }
+    /**
+     * Export to HTML format
+     */
+    toHTML(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        const clean = data.filter(r => r.verdict === 'clean').length;
+        const suspicious = data.filter(r => r.verdict === 'suspicious').length;
+        const malicious = data.filter(r => r.verdict === 'malicious').length;
+        let html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Pompelmi Scan Results</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
+    .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
+    .card { padding: 20px; border-radius: 8px; text-align: center; }
+    .clean { background: #d4edda; color: #155724; }
+    .suspicious { background: #fff3cd; color: #856404; }
+    .malicious { background: #f8d7da; color: #721c24; }
+    .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
+    .result h3 { margin-top: 0; }
+    .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
+    table { width: 100%; border-collapse: collapse; }
+    th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
+  </style>
+</head>
+<body>
+  <h1>🛡️ Pompelmi Scan Results</h1>
+  <div class="summary">
+    <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
+    <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
+    <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
+  </div>
+  <h2>Detailed Results</h2>`;
+        for (const report of data) {
+            const statusClass = report.verdict;
+            html += `<div class="result ${statusClass}">`;
+            html += `<h3>${this.escapeHtml(report.file?.name || 'Unknown')}</h3>`;
+            html += `<table>`;
+            html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
+            html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
+            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || 'unknown')}</td></tr>`;
+            html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
+            html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
+            html += `</table>`;
+            if (options.includeDetails && report.matches.length > 0) {
+                html += `<h4>Match Details:</h4><ul>`;
+                for (const match of report.matches) {
+                    html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
+                    if (match.tags && match.tags.length > 0) {
+                        html += ` ${match.tags.map(tag => `<span class="badge">${this.escapeHtml(tag)}</span>`).join('')}`;
+                    }
+                    html += `</li>`;
+                }
+                html += `</ul>`;
+            }
+            html += `</div>`;
+        }
+        html += `</body></html>`;
+        return html;
+    }
+    /**
+     * Export to specified format
+     */
+    export(reports, format, options = {}) {
+        switch (format) {
+            case 'json':
+                return this.toJSON(reports, options);
+            case 'csv':
+                return this.toCSV(reports, options);
+            case 'markdown':
+                return this.toMarkdown(reports, options);
+            case 'html':
+                return this.toHTML(reports, options);
+            case 'sarif':
+                return this.toSARIF(reports, options);
+            default:
+                throw new Error(`Unsupported export format: ${format}`);
+        }
+    }
+    escapeCsv(value) {
+        if (value.includes(',') || value.includes('"') || value.includes('\n')) {
+            return `"${value.replace(/"/g, '""')}"`;
+        }
+        return value;
+    }
+    escapeHtml(value) {
+        return value
+            .replace(/&/g, '&amp;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#039;');
+    }
+    formatBytes(bytes) {
+        if (bytes === 0)
+            return '0 Bytes';
+        const k = 1024;
+        const sizes = ['Bytes', 'KB', 'MB', 'GB'];
+        const i = Math.floor(Math.log(bytes) / Math.log(k));
+        return Math.round(bytes / Math.pow(k, i) * 100) / 100 + ' ' + sizes[i];
+    }
+}
+/**
+ * Quick export helper
+ */
+function exportScanResults(reports, format, options) {
+    const exporter = new ScanResultExporter();
+    return exporter.export(reports, format, options);
+}
+
+exports.ARCHIVES = ARCHIVES;
+exports.CONSERVATIVE_DEFAULT = CONSERVATIVE_DEFAULT;
+exports.CommonHeuristicsScanner = CommonHeuristicsScanner;
+exports.DEFAULT_POLICY = DEFAULT_POLICY;
+exports.DOCUMENTS_ONLY = DOCUMENTS_ONLY;
+exports.IMAGES_ONLY = IMAGES_ONLY;
+exports.POLICY_PACKS = POLICY_PACKS;
+exports.PerformanceTracker = PerformanceTracker;
+exports.STRICT_PUBLIC_UPLOAD = STRICT_PUBLIC_UPLOAD;
+exports.ScanResultExporter = ScanResultExporter;
+exports.aggregateScanStats = aggregateScanStats;
+exports.analyzeNestedArchives = analyzeNestedArchives;
+exports.composeScanners = composeScanners;
+exports.createPresetScanner = createPresetScanner;
+exports.createZipBombGuard = createZipBombGuard;
+exports.definePolicy = definePolicy;
+exports.detectObfuscatedScripts = detectObfuscatedScripts;
+exports.detectPolyglot = detectPolyglot;
+exports.exportScanResults = exportScanResults;
+exports.getPolicyPack = getPolicyPack;
+exports.mapMatchesToVerdict = mapMatchesToVerdict;
+exports.scanBytes = scanBytes;
+exports.scanFile = scanFile;
+exports.scanFiles = scanFiles;
+exports.validateFile = validateFile;
+//# sourceMappingURL=pompelmi.browser.cjs.map