npm - pompelmi - Versions diffs - 0.34.10 → 0.35.0 - Mend

pompelmi 0.34.10 → 0.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

package/README.md +26 -15
package/dist/pompelmi.audit.cjs +13 -15
package/dist/pompelmi.audit.cjs.map +1 -1
package/dist/pompelmi.audit.esm.js +13 -15
package/dist/pompelmi.audit.esm.js.map +1 -1
package/dist/pompelmi.browser.cjs +585 -534
package/dist/pompelmi.browser.cjs.map +1 -1
package/dist/pompelmi.browser.esm.js +585 -534
package/dist/pompelmi.browser.esm.js.map +1 -1
package/dist/pompelmi.cjs +2066 -2016
package/dist/pompelmi.cjs.map +1 -1
package/dist/pompelmi.esm.js +2066 -2016
package/dist/pompelmi.esm.js.map +1 -1
package/dist/pompelmi.hooks.cjs +2 -2
package/dist/pompelmi.hooks.cjs.map +1 -1
package/dist/pompelmi.hooks.esm.js +2 -2
package/dist/pompelmi.hooks.esm.js.map +1 -1
package/dist/pompelmi.policy-packs.cjs +74 -73
package/dist/pompelmi.policy-packs.cjs.map +1 -1
package/dist/pompelmi.policy-packs.esm.js +74 -73
package/dist/pompelmi.policy-packs.esm.js.map +1 -1
package/dist/pompelmi.quarantine.cjs +135 -133
package/dist/pompelmi.quarantine.cjs.map +1 -1
package/dist/pompelmi.quarantine.esm.js +135 -133
package/dist/pompelmi.quarantine.esm.js.map +1 -1
package/dist/pompelmi.react.cjs +585 -534
package/dist/pompelmi.react.cjs.map +1 -1
package/dist/pompelmi.react.esm.js +585 -534
package/dist/pompelmi.react.esm.js.map +1 -1
package/dist/types/audit.d.ts +12 -12
package/dist/types/browser-index.d.ts +12 -12
package/dist/types/config.d.ts +4 -4
package/dist/types/engines/dynamic-taint.d.ts +1 -1
package/dist/types/engines/hybrid-orchestrator.d.ts +1 -1
package/dist/types/engines/hybrid-taint-integration.d.ts +6 -6
package/dist/types/engines/taint-policies.d.ts +4 -4
package/dist/types/hipaa-compliance.d.ts +2 -2
package/dist/types/hooks.d.ts +2 -2
package/dist/types/index.d.ts +20 -20
package/dist/types/node/scanDir.d.ts +5 -5
package/dist/types/policy-packs.d.ts +2 -2
package/dist/types/presets.d.ts +3 -3
package/dist/types/quarantine/index.d.ts +3 -3
package/dist/types/quarantine/storage.d.ts +1 -1
package/dist/types/quarantine/types.d.ts +3 -3
package/dist/types/quarantine/workflow.d.ts +4 -4
package/dist/types/react-index.d.ts +2 -2
package/dist/types/risk.d.ts +1 -1
package/dist/types/scan/remote.d.ts +2 -2
package/dist/types/scan.d.ts +5 -5
package/dist/types/scanners/common-heuristics.d.ts +1 -1
package/dist/types/scanners/zip-bomb-guard.d.ts +1 -1
package/dist/types/src/audit.d.ts +84 -0
package/dist/types/src/browser-index.d.ts +29 -0
package/dist/types/src/config.d.ts +143 -0
package/dist/types/src/engines/dynamic-taint.d.ts +102 -0
package/dist/types/src/engines/hybrid-orchestrator.d.ts +65 -0
package/dist/types/src/engines/hybrid-taint-integration.d.ts +129 -0
package/dist/types/src/engines/taint-policies.d.ts +84 -0
package/dist/types/src/hipaa-compliance.d.ts +110 -0
package/dist/types/src/hooks.d.ts +89 -0
package/dist/types/src/index.d.ts +29 -0
package/dist/types/src/magic.d.ts +7 -0
package/dist/types/src/node/scanDir.d.ts +30 -0
package/dist/types/src/policy-packs.d.ts +98 -0
package/dist/types/src/policy.d.ts +12 -0
package/dist/types/src/presets.d.ts +72 -0
package/dist/types/src/quarantine/index.d.ts +18 -0
package/dist/types/src/quarantine/storage.d.ts +77 -0
package/dist/types/src/quarantine/types.d.ts +78 -0
package/dist/types/src/quarantine/workflow.d.ts +97 -0
package/dist/types/src/react-index.d.ts +13 -0
package/dist/types/src/risk.d.ts +18 -0
package/dist/types/src/scan/remote.d.ts +12 -0
package/dist/types/src/scan.d.ts +17 -0
package/dist/types/src/scanners/common-heuristics.d.ts +14 -0
package/dist/types/src/scanners/zip-bomb-guard.d.ts +9 -0
package/dist/types/src/scanners/zipTraversalGuard.d.ts +19 -0
package/dist/types/src/stream.d.ts +10 -0
package/dist/types/src/types/decompilation.d.ts +96 -0
package/dist/types/src/types/taint-tracking.d.ts +495 -0
package/dist/types/src/types.d.ts +48 -0
package/dist/types/src/useFileScanner.d.ts +15 -0
package/dist/types/src/utils/advanced-detection.d.ts +21 -0
package/dist/types/src/utils/batch-scanner.d.ts +62 -0
package/dist/types/src/utils/cache-manager.d.ts +95 -0
package/dist/types/src/utils/export.d.ts +51 -0
package/dist/types/src/utils/performance-metrics.d.ts +68 -0
package/dist/types/src/utils/threat-intelligence.d.ts +96 -0
package/dist/types/src/validate.d.ts +7 -0
package/dist/types/src/verdict.d.ts +2 -0
package/dist/types/src/yara/browser.d.ts +7 -0
package/dist/types/src/yara/index.d.ts +17 -0
package/dist/types/src/yara/node.d.ts +2 -0
package/dist/types/src/yara/remote.d.ts +10 -0
package/dist/types/src/yara-bridge.d.ts +3 -0
package/dist/types/src/zip.d.ts +13 -0
package/dist/types/types/decompilation.d.ts +4 -4
package/dist/types/types/taint-tracking.d.ts +19 -19
package/dist/types/types.d.ts +3 -3
package/dist/types/useFileScanner.d.ts +1 -1
package/dist/types/utils/advanced-detection.d.ts +1 -1
package/dist/types/utils/batch-scanner.d.ts +3 -3
package/dist/types/utils/cache-manager.d.ts +1 -1
package/dist/types/utils/export.d.ts +2 -2
package/dist/types/utils/threat-intelligence.d.ts +4 -4
package/dist/types/verdict.d.ts +1 -1
package/dist/types/yara/browser.d.ts +1 -1
package/dist/types/yara/index.d.ts +1 -1
package/dist/types/yara/node.d.ts +1 -1
package/dist/types/yara/remote.d.ts +2 -2
package/package.json +6 -6

package/dist/pompelmi.policy-packs.esm.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"pompelmi.policy-packs.esm.js","sources":["../src/policy.ts","../src/policy-packs.ts"],"sourcesContent":["export interface Policy {\n includeExtensions: string[];\n allowedMimeTypes: string[];\n maxFileSizeBytes: number;\n timeoutMs: number;\n concurrency: number;\n failClosed: boolean;\n onScanEvent?: (ev: unknown) => void;\n}\nexport type PolicyInput = Partial<Policy>;\n\nconst MB = 1024 * 1024;\n\nexport const DEFAULT_POLICY: Policy = {\n includeExtensions: ['zip','png','jpg','jpeg','pdf'],\n allowedMimeTypes: ['application/zip','image/png','image/jpeg','application/pdf','text/plain'],\n maxFileSizeBytes: 20 * MB,\n timeoutMs: 5000,\n concurrency: 4,\n failClosed: true\n};\n\nexport function definePolicy(input: PolicyInput = {}): Policy {\n const p: Policy = { ...DEFAULT_POLICY, ...input };\n if (!Array.isArray(p.includeExtensions)) throw new TypeError('includeExtensions must be string[]');\n if (!Array.isArray(p.allowedMimeTypes)) throw new TypeError('allowedMimeTypes must be string[]');\n if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0)) throw new TypeError('maxFileSizeBytes must be > 0');\n if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0)) throw new TypeError('timeoutMs must be > 0');\n if (!(Number.isInteger(p.concurrency) && p.concurrency > 0)) throw new TypeError('concurrency must be > 0');\n return p;\n}\n","/*\n Policy packs for Pompelmi.\n \n Pre-configured, named policies for common upload scenarios. Each pack\n * defines the file type allowlist, size limits, and timeout appropriate for\n * its use case.\n \n All packs are built on `definePolicy` and are fully overridable:\n \n ```ts\n * import { POLICY_PACKS } from 'pompelmi/policy-packs';\n \n // Use a pack as-is:\n * const policy = POLICY_PACKS['images-only'];\n \n // Or override individual fields:\n * import { definePolicy } from 'pompelmi';\n * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });\n * ```\n \n These packs are deterministic and descriptor-based — they do not\n * depend on any external threat intelligence feed.\n \n @module policy-packs\n /\n\nimport { definePolicy, type Policy } from './policy';\n\nconst KB = 1024;\nconst MB = 1024 KB;\n\n// ── Policy packs ──────────────────────────────────────────────────────────────\n\n/*\n Documents-only policy.\n \n Appropriate for: document management APIs, PDF/Office file upload endpoints,\n * data import pipelines.\n \n Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),\n * CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).\n * Max size: 25 MB.\n /\nexport const DOCUMENTS_ONLY: Policy = definePolicy({\n includeExtensions: [\n 'pdf',\n 'doc', 'docx',\n 'xls', 'xlsx',\n 'ppt', 'pptx',\n 'odt', 'ods', 'odp',\n 'csv',\n 'txt',\n 'json',\n 'yaml', 'yml',\n 'md',\n ],\n allowedMimeTypes: [\n 'application/pdf',\n 'application/msword',\n 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',\n 'application/vnd.ms-excel',\n 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',\n 'application/vnd.ms-powerpoint',\n 'application/vnd.openxmlformats-officedocument.presentationml.presentation',\n 'application/vnd.oasis.opendocument.text',\n 'application/vnd.oasis.opendocument.spreadsheet',\n 'application/vnd.oasis.opendocument.presentation',\n 'text/csv',\n 'text/plain',\n 'application/json',\n 'text/yaml',\n 'text/markdown',\n ],\n maxFileSizeBytes: 25 MB,\n timeoutMs: 10_000,\n concurrency: 4,\n failClosed: true,\n});\n\n/*\n Images-only policy.\n \n Appropriate for: avatar uploads, product image APIs, content platforms with\n * user-generated imagery.\n \n Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.\n * Max size: 10 MB.\n * Note: SVG is intentionally excluded — inline SVGs can contain scripts.\n /\nexport const IMAGES_ONLY: Policy = definePolicy({\n includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],\n allowedMimeTypes: [\n 'image/jpeg',\n 'image/png',\n 'image/gif',\n 'image/webp',\n 'image/avif',\n 'image/tiff',\n 'image/bmp',\n 'image/x-icon',\n 'image/vnd.microsoft.icon',\n ],\n maxFileSizeBytes: 10 MB,\n timeoutMs: 5_000,\n concurrency: 8,\n failClosed: true,\n});\n\n/*\n Strict public-upload policy.\n \n Appropriate for: anonymous or low-trust upload endpoints, public APIs,\n * any surface exposed to untrusted users.\n \n Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME\n * allowlist. Only allows plain images and PDF.\n /\nexport const STRICT_PUBLIC_UPLOAD: Policy = definePolicy({\n includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],\n allowedMimeTypes: [\n 'image/jpeg',\n 'image/png',\n 'image/webp',\n 'application/pdf',\n ],\n maxFileSizeBytes: 5 MB,\n timeoutMs: 4_000,\n concurrency: 2,\n failClosed: true,\n});\n\n/*\n Conservative default policy.\n \n A hardened version of the built-in `DEFAULT_POLICY` suitable for\n * production without further customisation. Stricter size limit and\n * shorter timeout than the permissive default.\n /\nexport const CONSERVATIVE_DEFAULT: Policy = definePolicy({\n includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],\n allowedMimeTypes: [\n 'application/zip',\n 'image/png',\n 'image/jpeg',\n 'application/pdf',\n 'text/plain',\n 'text/csv',\n 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',\n 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',\n ],\n maxFileSizeBytes: 10 MB,\n timeoutMs: 8_000,\n concurrency: 4,\n failClosed: true,\n});\n\n/*\n Archives policy.\n \n Appropriate for: endpoints that accept ZIP, tar, or compressed archives.\n * Combines a generous size allowance with a longer timeout for deep inspection.\n \n NOTE: Pair this policy with `createZipBombGuard()` to defend against\n * decompression-bomb attacks:\n \n ```ts\n * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';\n * const scanner = composeScanners(\n * [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]\n * );\n * ```\n /\nexport const ARCHIVES: Policy = definePolicy({\n includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],\n allowedMimeTypes: [\n 'application/zip',\n 'application/x-tar',\n 'application/gzip',\n 'application/x-bzip2',\n 'application/x-xz',\n 'application/x-7z-compressed',\n 'application/x-rar-compressed',\n ],\n maxFileSizeBytes: 100 MB,\n timeoutMs: 30_000,\n concurrency: 2,\n failClosed: true,\n});\n\n// ── Named map ────────────────────────────────────────────────────────────────\n\nexport type PolicyPackName =\n \| 'documents-only'\n \| 'images-only'\n \| 'strict-public-upload'\n \| 'conservative-default'\n \| 'archives';\n\n/*\n Named map of all built-in policy packs.\n \n ```ts\n * import { POLICY_PACKS } from 'pompelmi/policy-packs';\n * const policy = POLICY_PACKS['strict-public-upload'];\n * ```\n /\nexport const POLICY_PACKS: Record<PolicyPackName, Policy> = {\n 'documents-only': DOCUMENTS_ONLY,\n 'images-only': IMAGES_ONLY,\n 'strict-public-upload': STRICT_PUBLIC_UPLOAD,\n 'conservative-default': CONSERVATIVE_DEFAULT,\n 'archives': ARCHIVES,\n};\n\n/\n Look up a policy pack by name.\n * Throws if the name is not recognised.\n */\nexport function getPolicyPack(name: PolicyPackName): Policy {\n const policy = POLICY_PACKS[name];\n if (!policy) throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);\n return policy;\n}\n"],"names":["MB"],"mappings":"AAWA,MAAMA,IAAE,GAAG,IAAI,GAAG,IAAI;AAEf,MAAM,cAAc,GAAW;IACpC,iBAAiB,EAAE,CAAC,KAAK,EAAC,KAAK,EAAC,KAAK,EAAC,MAAM,EAAC,KAAK,CAAC;IACnD,gBAAgB,EAAE,CAAC,iBAAiB,EAAC,WAAW,EAAC,YAAY,EAAC,iBAAiB,EAAC,YAAY,CAAC;IAC7F,gBAAgB,EAAE,EAAE,GAAGA,IAAE;AACzB,IAAA,SAAS,EAAE,IAAI;AACf,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE;CACb;AAEK,SAAU,YAAY,CAAC,KAAA,GAAqB,EAAE,EAAA;IAClD,MAAM,CAAC,GAAW,EAAE,GAAG,cAAc,EAAE,GAAG,KAAK,EAAE;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC;IAClG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC;AAChG,IAAA,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,8BAA8B,CAAC;AACzH,IAAA,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC;AACpG,IAAA,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC;AAC3G,IAAA,OAAO,CAAC;AACV;;AC9BA;;;;;;;;;;;;;;;;;;;;;;;;AAwBG;AAIH,MAAM,EAAE,GAAG,IAAI;AACf,MAAM,EAAE,GAAG,IAAI,GAAG,EAAE;AAEpB;AAEA;;;;;;;;;AASG;AACI,MAAM,cAAc,GAAW,YAAY,CAAC;AACjD,IAAA,iBAAiB,EAAE;QACjB,KAAK;AACL,QAAA,KAAK,EAAE,MAAM;AACb,QAAA,KAAK,EAAE,MAAM;AACb,QAAA,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,KAAK,EAAE,KAAK;QACnB,KAAK;QACL,KAAK;QACL,MAAM;AACN,QAAA,MAAM,EAAE,KAAK;QACb,IAAI;AACL,KAAA;AACD,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,oBAAoB;QACpB,yEAAyE;QACzE,0BAA0B;QAC1B,mEAAmE;QACnE,+BAA+B;QAC/B,2EAA2E;QAC3E,yCAAyC;QACzC,gDAAgD;QAChD,iDAAiD;QACjD,UAAU;QACV,YAAY;QACZ,kBAAkB;QAClB,WAAW;QACX,eAAe;AAChB,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,KAAM;AACjB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;;AASG;AACI,MAAM,WAAW,GAAW,YAAY,CAAC;IAC9C,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;AAC7F,IAAA,gBAAgB,EAAE;QAChB,YAAY;QACZ,WAAW;QACX,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;QACX,cAAc;QACd,0BAA0B;AAC3B,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;AAQG;AACI,MAAM,oBAAoB,GAAW,YAAY,CAAC;IACvD,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;AACxD,IAAA,gBAAgB,EAAE;QAChB,YAAY;QACZ,WAAW;QACX,YAAY;QACZ,iBAAiB;AAClB,KAAA;IACD,gBAAgB,EAAE,CAAC,GAAG,EAAE;AACxB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;AAMG;AACI,MAAM,oBAAoB,GAAW,YAAY,CAAC;AACvD,IAAA,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;AACrF,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,WAAW;QACX,YAAY;QACZ,iBAAiB;QACjB,YAAY;QACZ,UAAU;QACV,yEAAyE;QACzE,mEAAmE;AACpE,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;;;;;;;;AAeG;AACI,MAAM,QAAQ,GAAW,YAAY,CAAC;AAC3C,IAAA,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;AACxE,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,mBAAmB;QACnB,kBAAkB;QAClB,qBAAqB;QACrB,kBAAkB;QAClB,6BAA6B;QAC7B,8BAA8B;AAC/B,KAAA;IACD,gBAAgB,EAAE,GAAG,GAAG,EAAE;AAC1B,IAAA,SAAS,EAAE,KAAM;AACjB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAWD;;;;;;;AAOG;AACI,MAAM,YAAY,GAAmC;AAC1D,IAAA,gBAAgB,EAAE,cAAc;AAChC,IAAA,aAAa,EAAE,WAAW;AAC1B,IAAA,sBAAsB,EAAE,oBAAoB;AAC5C,IAAA,sBAAsB,EAAE,oBAAoB;AAC5C,IAAA,UAAU,EAAE,QAAQ;;AAGtB;;;AAGG;AACG,SAAU,aAAa,CAAC,IAAoB,EAAA;AAChD,IAAA,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC;AACjC,IAAA,IAAI,CAAC,MAAM;AAAE,QAAA,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAA,gBAAA,EAAmB,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAAC;AACpH,IAAA,OAAO,MAAM;AACf;;;;"}
1	+ {"version":3,"file":"pompelmi.policy-packs.esm.js","sources":["../../src/policy.ts","../../src/policy-packs.ts"],"sourcesContent":["export interface Policy {\n includeExtensions: string[];\n allowedMimeTypes: string[];\n maxFileSizeBytes: number;\n timeoutMs: number;\n concurrency: number;\n failClosed: boolean;\n onScanEvent?: (ev: unknown) => void;\n}\nexport type PolicyInput = Partial<Policy>;\n\nconst MB = 1024 * 1024;\n\nexport const DEFAULT_POLICY: Policy = {\n includeExtensions: [\"zip\", \"png\", \"jpg\", \"jpeg\", \"pdf\"],\n allowedMimeTypes: [\"application/zip\", \"image/png\", \"image/jpeg\", \"application/pdf\", \"text/plain\"],\n maxFileSizeBytes: 20 * MB,\n timeoutMs: 5000,\n concurrency: 4,\n failClosed: true,\n};\n\nexport function definePolicy(input: PolicyInput = {}): Policy {\n const p: Policy = { ...DEFAULT_POLICY, ...input };\n if (!Array.isArray(p.includeExtensions))\n throw new TypeError(\"includeExtensions must be string[]\");\n if (!Array.isArray(p.allowedMimeTypes)) throw new TypeError(\"allowedMimeTypes must be string[]\");\n if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))\n throw new TypeError(\"maxFileSizeBytes must be > 0\");\n if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))\n throw new TypeError(\"timeoutMs must be > 0\");\n if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))\n throw new TypeError(\"concurrency must be > 0\");\n return p;\n}\n","/*\n Policy packs for Pompelmi.\n \n Pre-configured, named policies for common upload scenarios. Each pack\n * defines the file type allowlist, size limits, and timeout appropriate for\n * its use case.\n \n All packs are built on `definePolicy` and are fully overridable:\n \n ```ts\n * import { POLICY_PACKS } from 'pompelmi/policy-packs';\n \n // Use a pack as-is:\n * const policy = POLICY_PACKS['images-only'];\n \n // Or override individual fields:\n * import { definePolicy } from 'pompelmi';\n * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });\n * ```\n \n These packs are deterministic and descriptor-based — they do not\n * depend on any external threat intelligence feed.\n \n @module policy-packs\n /\n\nimport { definePolicy, type Policy } from \"./policy\";\n\nconst KB = 1024;\nconst MB = 1024 KB;\n\n// ── Policy packs ──────────────────────────────────────────────────────────────\n\n/*\n Documents-only policy.\n \n Appropriate for: document management APIs, PDF/Office file upload endpoints,\n * data import pipelines.\n \n Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),\n * CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).\n * Max size: 25 MB.\n /\nexport const DOCUMENTS_ONLY: Policy = definePolicy({\n includeExtensions: [\n \"pdf\",\n \"doc\",\n \"docx\",\n \"xls\",\n \"xlsx\",\n \"ppt\",\n \"pptx\",\n \"odt\",\n \"ods\",\n \"odp\",\n \"csv\",\n \"txt\",\n \"json\",\n \"yaml\",\n \"yml\",\n \"md\",\n ],\n allowedMimeTypes: [\n \"application/pdf\",\n \"application/msword\",\n \"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\n \"application/vnd.ms-excel\",\n \"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\n \"application/vnd.ms-powerpoint\",\n \"application/vnd.openxmlformats-officedocument.presentationml.presentation\",\n \"application/vnd.oasis.opendocument.text\",\n \"application/vnd.oasis.opendocument.spreadsheet\",\n \"application/vnd.oasis.opendocument.presentation\",\n \"text/csv\",\n \"text/plain\",\n \"application/json\",\n \"text/yaml\",\n \"text/markdown\",\n ],\n maxFileSizeBytes: 25 MB,\n timeoutMs: 10_000,\n concurrency: 4,\n failClosed: true,\n});\n\n/*\n Images-only policy.\n \n Appropriate for: avatar uploads, product image APIs, content platforms with\n * user-generated imagery.\n \n Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.\n * Max size: 10 MB.\n * Note: SVG is intentionally excluded — inline SVGs can contain scripts.\n /\nexport const IMAGES_ONLY: Policy = definePolicy({\n includeExtensions: [\"jpg\", \"jpeg\", \"png\", \"gif\", \"webp\", \"avif\", \"tiff\", \"tif\", \"bmp\", \"ico\"],\n allowedMimeTypes: [\n \"image/jpeg\",\n \"image/png\",\n \"image/gif\",\n \"image/webp\",\n \"image/avif\",\n \"image/tiff\",\n \"image/bmp\",\n \"image/x-icon\",\n \"image/vnd.microsoft.icon\",\n ],\n maxFileSizeBytes: 10 MB,\n timeoutMs: 5_000,\n concurrency: 8,\n failClosed: true,\n});\n\n/*\n Strict public-upload policy.\n \n Appropriate for: anonymous or low-trust upload endpoints, public APIs,\n * any surface exposed to untrusted users.\n \n Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME\n * allowlist. Only allows plain images and PDF.\n /\nexport const STRICT_PUBLIC_UPLOAD: Policy = definePolicy({\n includeExtensions: [\"jpg\", \"jpeg\", \"png\", \"webp\", \"pdf\"],\n allowedMimeTypes: [\"image/jpeg\", \"image/png\", \"image/webp\", \"application/pdf\"],\n maxFileSizeBytes: 5 MB,\n timeoutMs: 4_000,\n concurrency: 2,\n failClosed: true,\n});\n\n/*\n Conservative default policy.\n \n A hardened version of the built-in `DEFAULT_POLICY` suitable for\n * production without further customisation. Stricter size limit and\n * shorter timeout than the permissive default.\n /\nexport const CONSERVATIVE_DEFAULT: Policy = definePolicy({\n includeExtensions: [\"zip\", \"png\", \"jpg\", \"jpeg\", \"pdf\", \"txt\", \"csv\", \"docx\", \"xlsx\"],\n allowedMimeTypes: [\n \"application/zip\",\n \"image/png\",\n \"image/jpeg\",\n \"application/pdf\",\n \"text/plain\",\n \"text/csv\",\n \"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\n \"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\n ],\n maxFileSizeBytes: 10 MB,\n timeoutMs: 8_000,\n concurrency: 4,\n failClosed: true,\n});\n\n/*\n Archives policy.\n \n Appropriate for: endpoints that accept ZIP, tar, or compressed archives.\n * Combines a generous size allowance with a longer timeout for deep inspection.\n \n NOTE: Pair this policy with `createZipBombGuard()` to defend against\n * decompression-bomb attacks:\n \n ```ts\n * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';\n * const scanner = composeScanners(\n * [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]\n * );\n * ```\n /\nexport const ARCHIVES: Policy = definePolicy({\n includeExtensions: [\"zip\", \"tar\", \"gz\", \"tgz\", \"bz2\", \"xz\", \"7z\", \"rar\"],\n allowedMimeTypes: [\n \"application/zip\",\n \"application/x-tar\",\n \"application/gzip\",\n \"application/x-bzip2\",\n \"application/x-xz\",\n \"application/x-7z-compressed\",\n \"application/x-rar-compressed\",\n ],\n maxFileSizeBytes: 100 MB,\n timeoutMs: 30_000,\n concurrency: 2,\n failClosed: true,\n});\n\n// ── Named map ────────────────────────────────────────────────────────────────\n\nexport type PolicyPackName =\n \| \"documents-only\"\n \| \"images-only\"\n \| \"strict-public-upload\"\n \| \"conservative-default\"\n \| \"archives\";\n\n/*\n Named map of all built-in policy packs.\n \n ```ts\n * import { POLICY_PACKS } from 'pompelmi/policy-packs';\n * const policy = POLICY_PACKS['strict-public-upload'];\n * ```\n /\nexport const POLICY_PACKS: Record<PolicyPackName, Policy> = {\n \"documents-only\": DOCUMENTS_ONLY,\n \"images-only\": IMAGES_ONLY,\n \"strict-public-upload\": STRICT_PUBLIC_UPLOAD,\n \"conservative-default\": CONSERVATIVE_DEFAULT,\n archives: ARCHIVES,\n};\n\n/\n Look up a policy pack by name.\n * Throws if the name is not recognised.\n */\nexport function getPolicyPack(name: PolicyPackName): Policy {\n const policy = POLICY_PACKS[name];\n if (!policy)\n throw new Error(\n `Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(\", \")}`,\n );\n return policy;\n}\n"],"names":["MB"],"mappings":"AAWA,MAAMA,IAAE,GAAG,IAAI,GAAG,IAAI;AAEf,MAAM,cAAc,GAAW;IACpC,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;IACvD,gBAAgB,EAAE,CAAC,iBAAiB,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,YAAY,CAAC;IACjG,gBAAgB,EAAE,EAAE,GAAGA,IAAE;AACzB,IAAA,SAAS,EAAE,IAAI;AACf,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;CACjB;AAEK,SAAU,YAAY,CAAC,KAAA,GAAqB,EAAE,EAAA;IAClD,MAAM,CAAC,GAAW,EAAE,GAAG,cAAc,EAAE,GAAG,KAAK,EAAE;IACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC;AACrC,QAAA,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC;IAC3D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC;AAAE,QAAA,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC;AAChG,IAAA,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,CAAC;AAClE,QAAA,MAAM,IAAI,SAAS,CAAC,8BAA8B,CAAC;AACrD,IAAA,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC;AACpD,QAAA,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC;AAC9C,IAAA,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC;AACzD,QAAA,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC;AAChD,IAAA,OAAO,CAAC;AACV;;AClCA;;;;;;;;;;;;;;;;;;;;;;;;AAwBG;AAIH,MAAM,EAAE,GAAG,IAAI;AACf,MAAM,EAAE,GAAG,IAAI,GAAG,EAAE;AAEpB;AAEA;;;;;;;;;AASG;AACI,MAAM,cAAc,GAAW,YAAY,CAAC;AACjD,IAAA,iBAAiB,EAAE;QACjB,KAAK;QACL,KAAK;QACL,MAAM;QACN,KAAK;QACL,MAAM;QACN,KAAK;QACL,MAAM;QACN,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,MAAM;QACN,MAAM;QACN,KAAK;QACL,IAAI;AACL,KAAA;AACD,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,oBAAoB;QACpB,yEAAyE;QACzE,0BAA0B;QAC1B,mEAAmE;QACnE,+BAA+B;QAC/B,2EAA2E;QAC3E,yCAAyC;QACzC,gDAAgD;QAChD,iDAAiD;QACjD,UAAU;QACV,YAAY;QACZ,kBAAkB;QAClB,WAAW;QACX,eAAe;AAChB,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,KAAM;AACjB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;;AASG;AACI,MAAM,WAAW,GAAW,YAAY,CAAC;IAC9C,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;AAC7F,IAAA,gBAAgB,EAAE;QAChB,YAAY;QACZ,WAAW;QACX,WAAW;QACX,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;QACX,cAAc;QACd,0BAA0B;AAC3B,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;AAQG;AACI,MAAM,oBAAoB,GAAW,YAAY,CAAC;IACvD,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;IACxD,gBAAgB,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,CAAC;IAC9E,gBAAgB,EAAE,CAAC,GAAG,EAAE;AACxB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;AAMG;AACI,MAAM,oBAAoB,GAAW,YAAY,CAAC;AACvD,IAAA,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;AACrF,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,WAAW;QACX,YAAY;QACZ,iBAAiB;QACjB,YAAY;QACZ,UAAU;QACV,yEAAyE;QACzE,mEAAmE;AACpE,KAAA;IACD,gBAAgB,EAAE,EAAE,GAAG,EAAE;AACzB,IAAA,SAAS,EAAE,IAAK;AAChB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAED;;;;;;;;;;;;;;;AAeG;AACI,MAAM,QAAQ,GAAW,YAAY,CAAC;AAC3C,IAAA,iBAAiB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;AACxE,IAAA,gBAAgB,EAAE;QAChB,iBAAiB;QACjB,mBAAmB;QACnB,kBAAkB;QAClB,qBAAqB;QACrB,kBAAkB;QAClB,6BAA6B;QAC7B,8BAA8B;AAC/B,KAAA;IACD,gBAAgB,EAAE,GAAG,GAAG,EAAE;AAC1B,IAAA,SAAS,EAAE,KAAM;AACjB,IAAA,WAAW,EAAE,CAAC;AACd,IAAA,UAAU,EAAE,IAAI;AACjB,CAAA;AAWD;;;;;;;AAOG;AACI,MAAM,YAAY,GAAmC;AAC1D,IAAA,gBAAgB,EAAE,cAAc;AAChC,IAAA,aAAa,EAAE,WAAW;AAC1B,IAAA,sBAAsB,EAAE,oBAAoB;AAC5C,IAAA,sBAAsB,EAAE,oBAAoB;AAC5C,IAAA,QAAQ,EAAE,QAAQ;;AAGpB;;;AAGG;AACG,SAAU,aAAa,CAAC,IAAoB,EAAA;AAChD,IAAA,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC;AACjC,IAAA,IAAI,CAAC,MAAM;AACT,QAAA,MAAM,IAAI,KAAK,CACb,yBAAyB,IAAI,CAAA,gBAAA,EAAmB,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CACvF;AACH,IAAA,OAAO,MAAM;AACf;;;;"}

package/dist/pompelmi.quarantine.cjs CHANGED Viewed

@@ -25,6 +25,132 @@ var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
 var fs__namespace = /*#__PURE__*/_interopNamespaceDefault(fs);
 var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
+/**
+ * Quarantine storage adapter interface and filesystem reference implementation.
+ *
+ * The `QuarantineStorage` interface decouples the quarantine workflow from any
+ * specific persistence layer.  You can implement it for S3, GCS, a database,
+ * or any other backend.
+ *
+ * The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON
+ * in a local directory — suitable for development, self-hosted, and on-premise
+ * deployments where data must not leave the machine.
+ *
+ * @module quarantine/storage
+ */
+/**
+ * Reference implementation of `QuarantineStorage` backed by the local filesystem.
+ *
+ * File layout:
+ *   <dir>/files/<storageKey>   — raw file bytes
+ *   <dir>/meta/<id>.json       — QuarantineEntry JSON
+ *
+ * Suitable for single-process servers.  For multi-process or distributed
+ * deployments, implement `QuarantineStorage` against a shared backend.
+ */
+class FilesystemQuarantineStorage {
+    constructor(options) {
+        this.filesDir = path__namespace.join(options.dir, "files");
+        this.metaDir = path__namespace.join(options.dir, "meta");
+        if (options.createIfMissing !== false) {
+            fs__namespace.mkdirSync(this.filesDir, { recursive: true });
+            fs__namespace.mkdirSync(this.metaDir, { recursive: true });
+        }
+    }
+    async saveFile(id, bytes) {
+        // Use a safe, collision-resistant filename derived from the entry id.
+        const storageKey = `${id}-${crypto__namespace.randomBytes(4).toString("hex")}`;
+        const filePath = path__namespace.join(this.filesDir, storageKey);
+        await fs__namespace.promises.writeFile(filePath, bytes);
+        return storageKey;
+    }
+    async getFile(storageKey) {
+        const filePath = path__namespace.join(this.filesDir, safeBasename(storageKey));
+        try {
+            const buf = await fs__namespace.promises.readFile(filePath);
+            return new Uint8Array(buf);
+        }
+        catch {
+            return null;
+        }
+    }
+    async deleteFile(storageKey) {
+        const filePath = path__namespace.join(this.filesDir, safeBasename(storageKey));
+        await fs__namespace.promises.unlink(filePath).catch(() => {
+            /* already gone */
+        });
+    }
+    async saveEntry(entry) {
+        const metaPath = path__namespace.join(this.metaDir, `${safeBasename(entry.id)}.json`);
+        await fs__namespace.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), "utf8");
+    }
+    async getEntry(id) {
+        const metaPath = path__namespace.join(this.metaDir, `${safeBasename(id)}.json`);
+        try {
+            const raw = await fs__namespace.promises.readFile(metaPath, "utf8");
+            return JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    async updateEntry(id, patch) {
+        const existing = await this.getEntry(id);
+        if (!existing)
+            throw new Error(`Quarantine entry not found: ${id}`);
+        const updated = { ...existing, ...patch };
+        await this.saveEntry(updated);
+        return updated;
+    }
+    async listEntries(filter) {
+        const files = await fs__namespace.promises.readdir(this.metaDir).catch(() => []);
+        const entries = [];
+        for (const file of files) {
+            if (!file.endsWith(".json"))
+                continue;
+            try {
+                const raw = await fs__namespace.promises.readFile(path__namespace.join(this.metaDir, file), "utf8");
+                entries.push(JSON.parse(raw));
+            }
+            catch {
+                // Skip unreadable entries.
+            }
+        }
+        return applyFilter(entries, filter);
+    }
+    async countEntries(filter) {
+        const entries = await this.listEntries(filter);
+        return entries.length;
+    }
+}
+// ── Helpers ───────────────────────────────────────────────────────────────────
+/**
+ * Strip directory separators to prevent path-traversal attacks when using
+ * user-supplied or derived keys as filenames.
+ */
+function safeBasename(key) {
+    return path__namespace.basename(key).replace(/[^a-zA-Z0-9._-]/g, "_");
+}
+function applyFilter(entries, filter) {
+    if (!filter)
+        return entries;
+    let result = entries;
+    if (filter.status !== undefined) {
+        const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
+        result = result.filter((e) => statuses.includes(e.status));
+    }
+    if (filter.after) {
+        result = result.filter((e) => e.quarantinedAt >= filter.after);
+    }
+    if (filter.before) {
+        result = result.filter((e) => e.quarantinedAt <= filter.before);
+    }
+    if (filter.limit !== undefined) {
+        result = result.slice(0, filter.limit);
+    }
+    return result;
+}
 /**
  * Quarantine workflow — core API for the quarantine/review/resolve lifecycle.
  *
@@ -68,9 +194,9 @@ class QuarantineManager {
      * configured policy.
      */
     shouldQuarantine(report) {
-        if (report.verdict === 'malicious')
+        if (report.verdict === "malicious")
             return this.quarantineMalicious;
-        if (report.verdict === 'suspicious')
+        if (report.verdict === "suspicious")
             return this.quarantineSuspicious;
         return false;
     }
@@ -93,7 +219,7 @@ class QuarantineManager {
             file: { ...fileInfo, sha256 },
             scanReport: report,
             quarantinedAt: now,
-            status: 'pending',
+            status: "pending",
             updatedAt: now,
         };
         await this.storage.saveEntry(entry);
@@ -104,7 +230,7 @@ class QuarantineManager {
      */
     async startReview(id, reviewedBy) {
         return this.storage.updateEntry(id, {
-            status: 'reviewing',
+            status: "reviewing",
             reviewedBy,
             updatedAt: new Date().toISOString(),
         });
@@ -120,12 +246,12 @@ class QuarantineManager {
         const entry = await this.storage.getEntry(id);
         if (!entry)
             throw new Error(`Quarantine entry not found: ${id}`);
-        if (entry.status === 'promoted' || entry.status === 'deleted') {
+        if (entry.status === "promoted" || entry.status === "deleted") {
             throw new Error(`Quarantine entry ${id} is already resolved (${entry.status}).`);
         }
         const now = new Date().toISOString();
-        const newStatus = review.decision === 'promote' ? 'promoted' : 'deleted';
-        if (review.decision === 'delete') {
+        const newStatus = review.decision === "promote" ? "promoted" : "deleted";
+        if (review.decision === "delete") {
             await this.storage.deleteFile(entry.storageKey);
         }
         return this.storage.updateEntry(id, {
@@ -155,7 +281,7 @@ class QuarantineManager {
         return this.storage.listEntries(filter);
     }
     listPending() {
-        return this.storage.listEntries({ status: 'pending' });
+        return this.storage.listEntries({ status: "pending" });
     }
     countEntries(filter) {
         return this.storage.countEntries(filter);
@@ -183,131 +309,7 @@ function generateId() {
     return crypto__namespace.randomUUID();
 }
 function computeSha256(bytes) {
-    return crypto__namespace.createHash('sha256').update(bytes).digest('hex');
-}
-/**
- * Quarantine storage adapter interface and filesystem reference implementation.
- *
- * The `QuarantineStorage` interface decouples the quarantine workflow from any
- * specific persistence layer.  You can implement it for S3, GCS, a database,
- * or any other backend.
- *
- * The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON
- * in a local directory — suitable for development, self-hosted, and on-premise
- * deployments where data must not leave the machine.
- *
- * @module quarantine/storage
- */
-/**
- * Reference implementation of `QuarantineStorage` backed by the local filesystem.
- *
- * File layout:
- *   <dir>/files/<storageKey>   — raw file bytes
- *   <dir>/meta/<id>.json       — QuarantineEntry JSON
- *
- * Suitable for single-process servers.  For multi-process or distributed
- * deployments, implement `QuarantineStorage` against a shared backend.
- */
-class FilesystemQuarantineStorage {
-    constructor(options) {
-        this.filesDir = path__namespace.join(options.dir, 'files');
-        this.metaDir = path__namespace.join(options.dir, 'meta');
-        if (options.createIfMissing !== false) {
-            fs__namespace.mkdirSync(this.filesDir, { recursive: true });
-            fs__namespace.mkdirSync(this.metaDir, { recursive: true });
-        }
-    }
-    async saveFile(id, bytes) {
-        // Use a safe, collision-resistant filename derived from the entry id.
-        const storageKey = `${id}-${crypto__namespace.randomBytes(4).toString('hex')}`;
-        const filePath = path__namespace.join(this.filesDir, storageKey);
-        await fs__namespace.promises.writeFile(filePath, bytes);
-        return storageKey;
-    }
-    async getFile(storageKey) {
-        const filePath = path__namespace.join(this.filesDir, safeBasename(storageKey));
-        try {
-            const buf = await fs__namespace.promises.readFile(filePath);
-            return new Uint8Array(buf);
-        }
-        catch {
-            return null;
-        }
-    }
-    async deleteFile(storageKey) {
-        const filePath = path__namespace.join(this.filesDir, safeBasename(storageKey));
-        await fs__namespace.promises.unlink(filePath).catch(() => { });
-    }
-    async saveEntry(entry) {
-        const metaPath = path__namespace.join(this.metaDir, `${safeBasename(entry.id)}.json`);
-        await fs__namespace.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), 'utf8');
-    }
-    async getEntry(id) {
-        const metaPath = path__namespace.join(this.metaDir, `${safeBasename(id)}.json`);
-        try {
-            const raw = await fs__namespace.promises.readFile(metaPath, 'utf8');
-            return JSON.parse(raw);
-        }
-        catch {
-            return null;
-        }
-    }
-    async updateEntry(id, patch) {
-        const existing = await this.getEntry(id);
-        if (!existing)
-            throw new Error(`Quarantine entry not found: ${id}`);
-        const updated = { ...existing, ...patch };
-        await this.saveEntry(updated);
-        return updated;
-    }
-    async listEntries(filter) {
-        const files = await fs__namespace.promises.readdir(this.metaDir).catch(() => []);
-        const entries = [];
-        for (const file of files) {
-            if (!file.endsWith('.json'))
-                continue;
-            try {
-                const raw = await fs__namespace.promises.readFile(path__namespace.join(this.metaDir, file), 'utf8');
-                entries.push(JSON.parse(raw));
-            }
-            catch {
-                // Skip unreadable entries.
-            }
-        }
-        return applyFilter(entries, filter);
-    }
-    async countEntries(filter) {
-        const entries = await this.listEntries(filter);
-        return entries.length;
-    }
-}
-// ── Helpers ───────────────────────────────────────────────────────────────────
-/**
- * Strip directory separators to prevent path-traversal attacks when using
- * user-supplied or derived keys as filenames.
- */
-function safeBasename(key) {
-    return path__namespace.basename(key).replace(/[^a-zA-Z0-9._-]/g, '_');
-}
-function applyFilter(entries, filter) {
-    if (!filter)
-        return entries;
-    let result = entries;
-    if (filter.status !== undefined) {
-        const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
-        result = result.filter((e) => statuses.includes(e.status));
-    }
-    if (filter.after) {
-        result = result.filter((e) => e.quarantinedAt >= filter.after);
-    }
-    if (filter.before) {
-        result = result.filter((e) => e.quarantinedAt <= filter.before);
-    }
-    if (filter.limit !== undefined) {
-        result = result.slice(0, filter.limit);
-    }
-    return result;
+    return crypto__namespace.createHash("sha256").update(bytes).digest("hex");
 }
 exports.FilesystemQuarantineStorage = FilesystemQuarantineStorage;

package/dist/pompelmi.quarantine.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"pompelmi.quarantine.cjs","sources":["../src/quarantine/workflow.ts","../src/quarantine/storage.ts"],"sourcesContent":["/*\n Quarantine workflow — core API for the quarantine/review/resolve lifecycle.\n \n Usage (Node.js):\n \n ```ts\n * import { scanBytes } from 'pompelmi';\n * import { QuarantineManager, FilesystemQuarantineStorage } from 'pompelmi/quarantine';\n \n const quarantine = new QuarantineManager({\n * storage: new FilesystemQuarantineStorage({ dir: './quarantine' }),\n * });\n \n const report = await scanBytes(fileBytes, { ctx: { filename: file.name } });\n \n if (report.verdict !== 'clean') {\n * const entry = await quarantine.quarantine(fileBytes, report, {\n * originalName: file.name,\n * sizeBytes: fileBytes.length,\n * uploadedBy: req.user?.id,\n * });\n * console.log('Quarantined:', entry.id);\n * }\n * ```\n \n @module quarantine/workflow\n /\n\nimport as crypto from 'crypto';\nimport type { ScanReport } from '../types';\nimport type {\n QuarantineEntry,\n QuarantineFilter,\n QuarantineReport,\n QuarantineReview,\n QuarantineStatus,\n QuarantinedFileInfo,\n} from './types';\nimport type { QuarantineStorage } from './storage';\n\n// ── Options ───────────────────────────────────────────────────────────────────\n\nexport interface QuarantineManagerOptions {\n /** Storage adapter — use `FilesystemQuarantineStorage` for local deployments. /\n storage: QuarantineStorage;\n\n /\n If true, files with a 'suspicious' verdict are also quarantined.\n * Default: true.\n /\n quarantineSuspicious?: boolean;\n\n /\n If true, files with a 'malicious' verdict are also quarantined.\n * Default: true.\n /\n quarantineMalicious?: boolean;\n}\n\n// ── Manager ───────────────────────────────────────────────────────────────────\n\n/\n Manages the full lifecycle of quarantined files:\n * scan → quarantine → review → promote \| delete\n /\nexport class QuarantineManager {\n private readonly storage: QuarantineStorage;\n private readonly quarantineSuspicious: boolean;\n private readonly quarantineMalicious: boolean;\n\n constructor(options: QuarantineManagerOptions) {\n this.storage = options.storage;\n this.quarantineSuspicious = options.quarantineSuspicious ?? true;\n this.quarantineMalicious = options.quarantineMalicious ?? true;\n }\n\n /\n Determine whether a scan report should trigger quarantine per the\n * configured policy.\n /\n shouldQuarantine(report: ScanReport): boolean {\n if (report.verdict === 'malicious') return this.quarantineMalicious;\n if (report.verdict === 'suspicious') return this.quarantineSuspicious;\n return false;\n }\n\n /\n Quarantine a file: save the bytes in storage, create the metadata entry,\n * and return the entry.\n \n @param bytes Raw file bytes.\n * @param report The scan report that triggered quarantine.\n * @param fileInfo Partial metadata; `sha256` is derived from `bytes` if omitted.\n /\n async quarantine(\n bytes: Uint8Array,\n report: ScanReport,\n fileInfo: Omit<QuarantinedFileInfo, 'sha256'> & { sha256?: string },\n ): Promise<QuarantineEntry> {\n const id = generateId();\n const sha256 = fileInfo.sha256 ?? computeSha256(bytes);\n const now = new Date().toISOString();\n\n const storageKey = await this.storage.saveFile(id, bytes);\n\n const entry: QuarantineEntry = {\n id,\n storageKey,\n file: { ...fileInfo, sha256 },\n scanReport: report,\n quarantinedAt: now,\n status: 'pending',\n updatedAt: now,\n };\n\n await this.storage.saveEntry(entry);\n return entry;\n }\n\n /\n Mark an entry as being actively reviewed.\n /\n async startReview(id: string, reviewedBy?: string): Promise<QuarantineEntry> {\n return this.storage.updateEntry(id, {\n status: 'reviewing',\n reviewedBy,\n updatedAt: new Date().toISOString(),\n });\n }\n\n /\n Resolve a quarantine entry with a final decision.\n \n - `promote`: the file is cleared — bytes remain in storage for the caller\n * to move to its final destination.\n * - `delete`: the bytes are permanently removed from quarantine storage.\n /\n async resolve(id: string, review: QuarantineReview): Promise<QuarantineEntry> {\n const entry = await this.storage.getEntry(id);\n if (!entry) throw new Error(`Quarantine entry not found: ${id}`);\n if (entry.status === 'promoted' \|\| entry.status === 'deleted') {\n throw new Error(`Quarantine entry ${id} is already resolved (${entry.status}).`);\n }\n\n const now = new Date().toISOString();\n const newStatus: QuarantineStatus = review.decision === 'promote' ? 'promoted' : 'deleted';\n\n if (review.decision === 'delete') {\n await this.storage.deleteFile(entry.storageKey);\n }\n\n return this.storage.updateEntry(id, {\n status: newStatus,\n reviewedBy: review.reviewedBy,\n reviewNote: review.reviewNote,\n resolvedAt: now,\n updatedAt: now,\n });\n }\n\n /\n Retrieve the raw bytes of a promoted file so the caller can move it to\n * permanent storage. Returns `null` if the entry is not found or has been\n * deleted.\n /\n async getFile(id: string): Promise<Uint8Array \| null> {\n const entry = await this.storage.getEntry(id);\n if (!entry) return null;\n return this.storage.getFile(entry.storageKey);\n }\n\n // ── Query helpers ───────────────────────────────────────────────────────────\n\n getEntry(id: string): Promise<QuarantineEntry \| null> {\n return this.storage.getEntry(id);\n }\n\n listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]> {\n return this.storage.listEntries(filter);\n }\n\n listPending(): Promise<QuarantineEntry[]> {\n return this.storage.listEntries({ status: 'pending' });\n }\n\n countEntries(filter?: QuarantineFilter): Promise<number> {\n return this.storage.countEntries(filter);\n }\n\n // ── Reporting ───────────────────────────────────────────────────────────────\n\n /\n Generate a structured JSON report of all quarantine entries matching the\n * filter — suitable for audit logs and dashboards.\n /\n async report(filter?: QuarantineFilter): Promise<QuarantineReport> {\n const entries = await this.storage.listEntries(filter);\n const byStatus = { pending: 0, reviewing: 0, promoted: 0, deleted: 0 };\n for (const e of entries) byStatus[e.status]++;\n return {\n generatedAt: new Date().toISOString(),\n totalEntries: entries.length,\n byStatus,\n entries,\n };\n }\n}\n\n// ── Helpers ───────────────────────────────────────────────────────────────────\n\nfunction generateId(): string {\n return crypto.randomUUID();\n}\n\nfunction computeSha256(bytes: Uint8Array): string {\n return crypto.createHash('sha256').update(bytes).digest('hex');\n}\n","/\n Quarantine storage adapter interface and filesystem reference implementation.\n \n The `QuarantineStorage` interface decouples the quarantine workflow from any\n * specific persistence layer. You can implement it for S3, GCS, a database,\n * or any other backend.\n \n The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON\n * in a local directory — suitable for development, self-hosted, and on-premise\n * deployments where data must not leave the machine.\n \n @module quarantine/storage\n /\n\nimport as fs from 'fs';\nimport * as path from 'path';\nimport * as crypto from 'crypto';\nimport type { QuarantineEntry, QuarantineFilter } from './types';\n\n// ── Adapter interface ─────────────────────────────────────────────────────────\n\n/*\n Storage adapter for the quarantine workflow.\n * Implement this interface to support any backend (S3, GCS, DB, etc.).\n /\nexport interface QuarantineStorage {\n /\n Persist the raw bytes of a quarantined file.\n * Returns a `storageKey` that can later be used to retrieve or delete the bytes.\n /\n saveFile(id: string, bytes: Uint8Array): Promise<string>;\n\n /\n Retrieve the raw bytes of a quarantined file.\n * Returns `null` if the file is not found.\n /\n getFile(storageKey: string): Promise<Uint8Array \| null>;\n\n /\n Permanently remove the raw bytes of a quarantined file.\n * No-op if already removed.\n /\n deleteFile(storageKey: string): Promise<void>;\n\n /* Persist a quarantine entry (metadata + scan report). /\n saveEntry(entry: QuarantineEntry): Promise<void>;\n\n /* Load a quarantine entry by id. Returns `null` if not found. /\n getEntry(id: string): Promise<QuarantineEntry \| null>;\n\n /* Update an existing quarantine entry (partial update). /\n updateEntry(id: string, patch: Partial<QuarantineEntry>): Promise<QuarantineEntry>;\n\n /* List quarantine entries matching the given filter. /\n listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]>;\n\n /* Return the total count of quarantine entries matching the filter. /\n countEntries(filter?: QuarantineFilter): Promise<number>;\n}\n\n// ── Filesystem implementation ─────────────────────────────────────────────────\n\nexport interface FilesystemQuarantineStorageOptions {\n /\n Root directory for quarantine storage.\n * Two subdirectories are created: `files/` (raw bytes) and `meta/` (JSON).\n /\n dir: string;\n /* Create the directory if it does not exist (default: true). /\n createIfMissing?: boolean;\n}\n\n/\n Reference implementation of `QuarantineStorage` backed by the local filesystem.\n \n File layout:\n * <dir>/files/<storageKey> — raw file bytes\n * <dir>/meta/<id>.json — QuarantineEntry JSON\n \n Suitable for single-process servers. For multi-process or distributed\n * deployments, implement `QuarantineStorage` against a shared backend.\n /\nexport class FilesystemQuarantineStorage implements QuarantineStorage {\n private readonly filesDir: string;\n private readonly metaDir: string;\n\n constructor(options: FilesystemQuarantineStorageOptions) {\n this.filesDir = path.join(options.dir, 'files');\n this.metaDir = path.join(options.dir, 'meta');\n if (options.createIfMissing !== false) {\n fs.mkdirSync(this.filesDir, { recursive: true });\n fs.mkdirSync(this.metaDir, { recursive: true });\n }\n }\n\n async saveFile(id: string, bytes: Uint8Array): Promise<string> {\n // Use a safe, collision-resistant filename derived from the entry id.\n const storageKey = `${id}-${crypto.randomBytes(4).toString('hex')}`;\n const filePath = path.join(this.filesDir, storageKey);\n await fs.promises.writeFile(filePath, bytes);\n return storageKey;\n }\n\n async getFile(storageKey: string): Promise<Uint8Array \| null> {\n const filePath = path.join(this.filesDir, safeBasename(storageKey));\n try {\n const buf = await fs.promises.readFile(filePath);\n return new Uint8Array(buf);\n } catch {\n return null;\n }\n }\n\n async deleteFile(storageKey: string): Promise<void> {\n const filePath = path.join(this.filesDir, safeBasename(storageKey));\n await fs.promises.unlink(filePath).catch(() => {/ already gone /});\n }\n\n async saveEntry(entry: QuarantineEntry): Promise<void> {\n const metaPath = path.join(this.metaDir, `${safeBasename(entry.id)}.json`);\n await fs.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), 'utf8');\n }\n\n async getEntry(id: string): Promise<QuarantineEntry \| null> {\n const metaPath = path.join(this.metaDir, `${safeBasename(id)}.json`);\n try {\n const raw = await fs.promises.readFile(metaPath, 'utf8');\n return JSON.parse(raw) as QuarantineEntry;\n } catch {\n return null;\n }\n }\n\n async updateEntry(id: string, patch: Partial<QuarantineEntry>): Promise<QuarantineEntry> {\n const existing = await this.getEntry(id);\n if (!existing) throw new Error(`Quarantine entry not found: ${id}`);\n const updated: QuarantineEntry = { ...existing, ...patch };\n await this.saveEntry(updated);\n return updated;\n }\n\n async listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]> {\n const files = await fs.promises.readdir(this.metaDir).catch(() => [] as string[]);\n const entries: QuarantineEntry[] = [];\n\n for (const file of files) {\n if (!file.endsWith('.json')) continue;\n try {\n const raw = await fs.promises.readFile(path.join(this.metaDir, file), 'utf8');\n entries.push(JSON.parse(raw) as QuarantineEntry);\n } catch {\n // Skip unreadable entries.\n }\n }\n\n return applyFilter(entries, filter);\n }\n\n async countEntries(filter?: QuarantineFilter): Promise<number> {\n const entries = await this.listEntries(filter);\n return entries.length;\n }\n}\n\n// ── Helpers ───────────────────────────────────────────────────────────────────\n\n/\n Strip directory separators to prevent path-traversal attacks when using\n * user-supplied or derived keys as filenames.\n */\nfunction safeBasename(key: string): string {\n return path.basename(key).replace(/[^a-zA-Z0-9._-]/g, '_');\n}\n\nfunction applyFilter(entries: QuarantineEntry[], filter?: QuarantineFilter): QuarantineEntry[] {\n if (!filter) return entries;\n\n let result = entries;\n\n if (filter.status !== undefined) {\n const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];\n result = result.filter((e) => statuses.includes(e.status));\n }\n if (filter.after) {\n result = result.filter((e) => e.quarantinedAt >= filter.after!);\n }\n if (filter.before) {\n result = result.filter((e) => e.quarantinedAt <= filter.before!);\n }\n if (filter.limit !== undefined) {\n result = result.slice(0, filter.limit);\n }\n\n return result;\n}\n"],"names":["crypto","path","fs"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BG;AAiCH;AAEA;;;AAGG;MACU,iBAAiB,CAAA;AAK5B,IAAA,WAAA,CAAY,OAAiC,EAAA;AAC3C,QAAA,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO;QAC9B,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,IAAI,IAAI;QAChE,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,IAAI;IAChE;AAEA;;;AAGG;AACH,IAAA,gBAAgB,CAAC,MAAkB,EAAA;AACjC,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC,mBAAmB;AACnE,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC,oBAAoB;AACrE,QAAA,OAAO,KAAK;IACd;AAEA;;;;;;;AAOG;AACH,IAAA,MAAM,UAAU,CACd,KAAiB,EACjB,MAAkB,EAClB,QAAmE,EAAA;AAEnE,QAAA,MAAM,EAAE,GAAG,UAAU,EAAE;QACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,aAAa,CAAC,KAAK,CAAC;QACtD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AAEpC,QAAA,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;AAEzD,QAAA,MAAM,KAAK,GAAoB;YAC7B,EAAE;YACF,UAAU;AACV,YAAA,IAAI,EAAE,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE;AAC7B,YAAA,UAAU,EAAE,MAAM;AAClB,YAAA,aAAa,EAAE,GAAG;AAClB,YAAA,MAAM,EAAE,SAAS;AACjB,YAAA,SAAS,EAAE,GAAG;SACf;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC;AACnC,QAAA,OAAO,KAAK;IACd;AAEA;;AAEG;AACH,IAAA,MAAM,WAAW,CAAC,EAAU,EAAE,UAAmB,EAAA;AAC/C,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE;AAClC,YAAA,MAAM,EAAE,WAAW;YACnB,UAAU;AACV,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACpC,SAAA,CAAC;IACJ;AAEA;;;;;;AAMG;AACH,IAAA,MAAM,OAAO,CAAC,EAAU,EAAE,MAAwB,EAAA;QAChD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7C,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,EAAE,CAAA,CAAE,CAAC;AAChE,QAAA,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE;YAC7D,MAAM,IAAI,KAAK,CAAC,CAAA,iBAAA,EAAoB,EAAE,CAAA,sBAAA,EAAyB,KAAK,CAAC,MAAM,CAAA,EAAA,CAAI,CAAC;QAClF;QAEA,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACpC,QAAA,MAAM,SAAS,GAAqB,MAAM,CAAC,QAAQ,KAAK,SAAS,GAAG,UAAU,GAAG,SAAS;AAE1F,QAAA,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE;YAChC,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC;QACjD;AAEA,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE;AAClC,YAAA,MAAM,EAAE,SAAS;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;AAC7B,YAAA,UAAU,EAAE,GAAG;AACf,YAAA,SAAS,EAAE,GAAG;AACf,SAAA,CAAC;IACJ;AAEA;;;;AAIG;IACH,MAAM,OAAO,CAAC,EAAU,EAAA;QACtB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7C,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,OAAO,IAAI;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/C;;AAIA,IAAA,QAAQ,CAAC,EAAU,EAAA;QACjB,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IAClC;AAEA,IAAA,WAAW,CAAC,MAAyB,EAAA;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;IACzC;IAEA,WAAW,GAAA;AACT,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACxD;AAEA,IAAA,YAAY,CAAC,MAAyB,EAAA;QACpC,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC;IAC1C;;AAIA;;;AAGG;IACH,MAAM,MAAM,CAAC,MAAyB,EAAA;QACpC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;AACtD,QAAA,MAAM,QAAQ,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;QACtE,KAAK,MAAM,CAAC,IAAI,OAAO;AAAE,YAAA,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE;QAC7C,OAAO;AACL,YAAA,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,YAAY,EAAE,OAAO,CAAC,MAAM;YAC5B,QAAQ;YACR,OAAO;SACR;IACH;AACD;AAED;AAEA,SAAS,UAAU,GAAA;AACjB,IAAA,OAAOA,iBAAM,CAAC,UAAU,EAAE;AAC5B;AAEA,SAAS,aAAa,CAAC,KAAiB,EAAA;AACtC,IAAA,OAAOA,iBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;AAChE;;ACxNA;;;;;;;;;;;;AAYG;AA4DH;;;;;;;;;AASG;MACU,2BAA2B,CAAA;AAItC,IAAA,WAAA,CAAY,OAA2C,EAAA;AACrD,QAAA,IAAI,CAAC,QAAQ,GAAGC,eAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC;AAC/C,QAAA,IAAI,CAAC,OAAO,GAAGA,eAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC;AAC7C,QAAA,IAAI,OAAO,CAAC,eAAe,KAAK,KAAK,EAAE;AACrC,YAAAC,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAChD,YAAAA,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACjD;IACF;AAEA,IAAA,MAAM,QAAQ,CAAC,EAAU,EAAE,KAAiB,EAAA;;AAE1C,QAAA,MAAM,UAAU,GAAG,CAAA,EAAG,EAAE,CAAA,CAAA,EAAIF,iBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;AACnE,QAAA,MAAM,QAAQ,GAAGC,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;QACrD,MAAMC,aAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC;AAC5C,QAAA,OAAO,UAAU;IACnB;IAEA,MAAM,OAAO,CAAC,UAAkB,EAAA;AAC9B,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;AACnE,QAAA,IAAI;YACF,MAAM,GAAG,GAAG,MAAMC,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;AAChD,YAAA,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC;QAC5B;AAAE,QAAA,MAAM;AACN,YAAA,OAAO,IAAI;QACb;IACF;IAEA,MAAM,UAAU,CAAC,UAAkB,EAAA;AACjC,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;AACnE,QAAA,MAAMC,aAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAK,EAAoB,CAAC,CAAC;IACtE;IAEA,MAAM,SAAS,CAAC,KAAsB,EAAA;AACpC,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAA,EAAG,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA,KAAA,CAAO,CAAC;QAC1E,MAAMC,aAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC;IAC/E;IAEA,MAAM,QAAQ,CAAC,EAAU,EAAA;AACvB,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,CAAA,KAAA,CAAO,CAAC;AACpE,QAAA,IAAI;AACF,YAAA,MAAM,GAAG,GAAG,MAAMC,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;AACxD,YAAA,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB;QAC3C;AAAE,QAAA,MAAM;AACN,YAAA,OAAO,IAAI;QACb;IACF;AAEA,IAAA,MAAM,WAAW,CAAC,EAAU,EAAE,KAA+B,EAAA;QAC3D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;AACxC,QAAA,IAAI,CAAC,QAAQ;AAAE,YAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,EAAE,CAAA,CAAE,CAAC;QACnE,MAAM,OAAO,GAAoB,EAAE,GAAG,QAAQ,EAAE,GAAG,KAAK,EAAE;AAC1D,QAAA,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;AAC7B,QAAA,OAAO,OAAO;IAChB;IAEA,MAAM,WAAW,CAAC,MAAyB,EAAA;QACzC,MAAM,KAAK,GAAG,MAAMA,aAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,MAAM,EAAc,CAAC;QACjF,MAAM,OAAO,GAAsB,EAAE;AAErC,QAAA,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;AACxB,YAAA,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE;AAC7B,YAAA,IAAI;gBACF,MAAM,GAAG,GAAG,MAAMA,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAACD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC;gBAC7E,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;YAClD;AAAE,YAAA,MAAM;;YAER;QACF;AAEA,QAAA,OAAO,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC;IACrC;IAEA,MAAM,YAAY,CAAC,MAAyB,EAAA;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9C,OAAO,OAAO,CAAC,MAAM;IACvB;AACD;AAED;AAEA;;;AAGG;AACH,SAAS,YAAY,CAAC,GAAW,EAAA;AAC/B,IAAA,OAAOA,eAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC;AAC5D;AAEA,SAAS,WAAW,CAAC,OAA0B,EAAE,MAAyB,EAAA;AACxE,IAAA,IAAI,CAAC,MAAM;AAAE,QAAA,OAAO,OAAO;IAE3B,IAAI,MAAM,GAAG,OAAO;AAEpB,IAAA,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE;QAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC;AAC/E,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC5D;AACA,IAAA,IAAI,MAAM,CAAC,KAAK,EAAE;AAChB,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,KAAM,CAAC;IACjE;AACA,IAAA,IAAI,MAAM,CAAC,MAAM,EAAE;AACjB,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,MAAO,CAAC;IAClE;AACA,IAAA,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE;QAC9B,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC;IACxC;AAEA,IAAA,OAAO,MAAM;AACf;;;;;"}
1	+ {"version":3,"file":"pompelmi.quarantine.cjs","sources":["../../src/quarantine/storage.ts","../../src/quarantine/workflow.ts"],"sourcesContent":["/*\n Quarantine storage adapter interface and filesystem reference implementation.\n \n The `QuarantineStorage` interface decouples the quarantine workflow from any\n * specific persistence layer. You can implement it for S3, GCS, a database,\n * or any other backend.\n \n The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON\n * in a local directory — suitable for development, self-hosted, and on-premise\n * deployments where data must not leave the machine.\n \n @module quarantine/storage\n /\n\nimport as crypto from \"crypto\";\nimport * as fs from \"fs\";\nimport * as path from \"path\";\nimport type { QuarantineEntry, QuarantineFilter } from \"./types\";\n\n// ── Adapter interface ─────────────────────────────────────────────────────────\n\n/*\n Storage adapter for the quarantine workflow.\n * Implement this interface to support any backend (S3, GCS, DB, etc.).\n /\nexport interface QuarantineStorage {\n /\n Persist the raw bytes of a quarantined file.\n * Returns a `storageKey` that can later be used to retrieve or delete the bytes.\n /\n saveFile(id: string, bytes: Uint8Array): Promise<string>;\n\n /\n Retrieve the raw bytes of a quarantined file.\n * Returns `null` if the file is not found.\n /\n getFile(storageKey: string): Promise<Uint8Array \| null>;\n\n /\n Permanently remove the raw bytes of a quarantined file.\n * No-op if already removed.\n /\n deleteFile(storageKey: string): Promise<void>;\n\n /* Persist a quarantine entry (metadata + scan report). /\n saveEntry(entry: QuarantineEntry): Promise<void>;\n\n /* Load a quarantine entry by id. Returns `null` if not found. /\n getEntry(id: string): Promise<QuarantineEntry \| null>;\n\n /* Update an existing quarantine entry (partial update). /\n updateEntry(id: string, patch: Partial<QuarantineEntry>): Promise<QuarantineEntry>;\n\n /* List quarantine entries matching the given filter. /\n listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]>;\n\n /* Return the total count of quarantine entries matching the filter. /\n countEntries(filter?: QuarantineFilter): Promise<number>;\n}\n\n// ── Filesystem implementation ─────────────────────────────────────────────────\n\nexport interface FilesystemQuarantineStorageOptions {\n /\n Root directory for quarantine storage.\n * Two subdirectories are created: `files/` (raw bytes) and `meta/` (JSON).\n /\n dir: string;\n /* Create the directory if it does not exist (default: true). /\n createIfMissing?: boolean;\n}\n\n/\n Reference implementation of `QuarantineStorage` backed by the local filesystem.\n \n File layout:\n * <dir>/files/<storageKey> — raw file bytes\n * <dir>/meta/<id>.json — QuarantineEntry JSON\n \n Suitable for single-process servers. For multi-process or distributed\n * deployments, implement `QuarantineStorage` against a shared backend.\n /\nexport class FilesystemQuarantineStorage implements QuarantineStorage {\n private readonly filesDir: string;\n private readonly metaDir: string;\n\n constructor(options: FilesystemQuarantineStorageOptions) {\n this.filesDir = path.join(options.dir, \"files\");\n this.metaDir = path.join(options.dir, \"meta\");\n if (options.createIfMissing !== false) {\n fs.mkdirSync(this.filesDir, { recursive: true });\n fs.mkdirSync(this.metaDir, { recursive: true });\n }\n }\n\n async saveFile(id: string, bytes: Uint8Array): Promise<string> {\n // Use a safe, collision-resistant filename derived from the entry id.\n const storageKey = `${id}-${crypto.randomBytes(4).toString(\"hex\")}`;\n const filePath = path.join(this.filesDir, storageKey);\n await fs.promises.writeFile(filePath, bytes);\n return storageKey;\n }\n\n async getFile(storageKey: string): Promise<Uint8Array \| null> {\n const filePath = path.join(this.filesDir, safeBasename(storageKey));\n try {\n const buf = await fs.promises.readFile(filePath);\n return new Uint8Array(buf);\n } catch {\n return null;\n }\n }\n\n async deleteFile(storageKey: string): Promise<void> {\n const filePath = path.join(this.filesDir, safeBasename(storageKey));\n await fs.promises.unlink(filePath).catch(() => {\n / already gone /\n });\n }\n\n async saveEntry(entry: QuarantineEntry): Promise<void> {\n const metaPath = path.join(this.metaDir, `${safeBasename(entry.id)}.json`);\n await fs.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), \"utf8\");\n }\n\n async getEntry(id: string): Promise<QuarantineEntry \| null> {\n const metaPath = path.join(this.metaDir, `${safeBasename(id)}.json`);\n try {\n const raw = await fs.promises.readFile(metaPath, \"utf8\");\n return JSON.parse(raw) as QuarantineEntry;\n } catch {\n return null;\n }\n }\n\n async updateEntry(id: string, patch: Partial<QuarantineEntry>): Promise<QuarantineEntry> {\n const existing = await this.getEntry(id);\n if (!existing) throw new Error(`Quarantine entry not found: ${id}`);\n const updated: QuarantineEntry = { ...existing, ...patch };\n await this.saveEntry(updated);\n return updated;\n }\n\n async listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]> {\n const files = await fs.promises.readdir(this.metaDir).catch(() => [] as string[]);\n const entries: QuarantineEntry[] = [];\n\n for (const file of files) {\n if (!file.endsWith(\".json\")) continue;\n try {\n const raw = await fs.promises.readFile(path.join(this.metaDir, file), \"utf8\");\n entries.push(JSON.parse(raw) as QuarantineEntry);\n } catch {\n // Skip unreadable entries.\n }\n }\n\n return applyFilter(entries, filter);\n }\n\n async countEntries(filter?: QuarantineFilter): Promise<number> {\n const entries = await this.listEntries(filter);\n return entries.length;\n }\n}\n\n// ── Helpers ───────────────────────────────────────────────────────────────────\n\n/\n Strip directory separators to prevent path-traversal attacks when using\n * user-supplied or derived keys as filenames.\n /\nfunction safeBasename(key: string): string {\n return path.basename(key).replace(/[^a-zA-Z0-9._-]/g, \"_\");\n}\n\nfunction applyFilter(entries: QuarantineEntry[], filter?: QuarantineFilter): QuarantineEntry[] {\n if (!filter) return entries;\n\n let result = entries;\n\n if (filter.status !== undefined) {\n const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];\n result = result.filter((e) => statuses.includes(e.status));\n }\n if (filter.after) {\n result = result.filter((e) => e.quarantinedAt >= filter.after!);\n }\n if (filter.before) {\n result = result.filter((e) => e.quarantinedAt <= filter.before!);\n }\n if (filter.limit !== undefined) {\n result = result.slice(0, filter.limit);\n }\n\n return result;\n}\n","/\n Quarantine workflow — core API for the quarantine/review/resolve lifecycle.\n \n Usage (Node.js):\n \n ```ts\n * import { scanBytes } from 'pompelmi';\n * import { QuarantineManager, FilesystemQuarantineStorage } from 'pompelmi/quarantine';\n \n const quarantine = new QuarantineManager({\n * storage: new FilesystemQuarantineStorage({ dir: './quarantine' }),\n * });\n \n const report = await scanBytes(fileBytes, { ctx: { filename: file.name } });\n \n if (report.verdict !== 'clean') {\n * const entry = await quarantine.quarantine(fileBytes, report, {\n * originalName: file.name,\n * sizeBytes: fileBytes.length,\n * uploadedBy: req.user?.id,\n * });\n * console.log('Quarantined:', entry.id);\n * }\n * ```\n \n @module quarantine/workflow\n /\n\nimport as crypto from \"crypto\";\nimport type { ScanReport } from \"../types\";\nimport type { QuarantineStorage } from \"./storage\";\nimport type {\n QuarantinedFileInfo,\n QuarantineEntry,\n QuarantineFilter,\n QuarantineReport,\n QuarantineReview,\n QuarantineStatus,\n} from \"./types\";\n\n// ── Options ───────────────────────────────────────────────────────────────────\n\nexport interface QuarantineManagerOptions {\n /** Storage adapter — use `FilesystemQuarantineStorage` for local deployments. /\n storage: QuarantineStorage;\n\n /\n If true, files with a 'suspicious' verdict are also quarantined.\n * Default: true.\n /\n quarantineSuspicious?: boolean;\n\n /\n If true, files with a 'malicious' verdict are also quarantined.\n * Default: true.\n /\n quarantineMalicious?: boolean;\n}\n\n// ── Manager ───────────────────────────────────────────────────────────────────\n\n/\n Manages the full lifecycle of quarantined files:\n * scan → quarantine → review → promote \| delete\n /\nexport class QuarantineManager {\n private readonly storage: QuarantineStorage;\n private readonly quarantineSuspicious: boolean;\n private readonly quarantineMalicious: boolean;\n\n constructor(options: QuarantineManagerOptions) {\n this.storage = options.storage;\n this.quarantineSuspicious = options.quarantineSuspicious ?? true;\n this.quarantineMalicious = options.quarantineMalicious ?? true;\n }\n\n /\n Determine whether a scan report should trigger quarantine per the\n * configured policy.\n /\n shouldQuarantine(report: ScanReport): boolean {\n if (report.verdict === \"malicious\") return this.quarantineMalicious;\n if (report.verdict === \"suspicious\") return this.quarantineSuspicious;\n return false;\n }\n\n /\n Quarantine a file: save the bytes in storage, create the metadata entry,\n * and return the entry.\n \n @param bytes Raw file bytes.\n * @param report The scan report that triggered quarantine.\n * @param fileInfo Partial metadata; `sha256` is derived from `bytes` if omitted.\n /\n async quarantine(\n bytes: Uint8Array,\n report: ScanReport,\n fileInfo: Omit<QuarantinedFileInfo, \"sha256\"> & { sha256?: string },\n ): Promise<QuarantineEntry> {\n const id = generateId();\n const sha256 = fileInfo.sha256 ?? computeSha256(bytes);\n const now = new Date().toISOString();\n\n const storageKey = await this.storage.saveFile(id, bytes);\n\n const entry: QuarantineEntry = {\n id,\n storageKey,\n file: { ...fileInfo, sha256 },\n scanReport: report,\n quarantinedAt: now,\n status: \"pending\",\n updatedAt: now,\n };\n\n await this.storage.saveEntry(entry);\n return entry;\n }\n\n /\n Mark an entry as being actively reviewed.\n /\n async startReview(id: string, reviewedBy?: string): Promise<QuarantineEntry> {\n return this.storage.updateEntry(id, {\n status: \"reviewing\",\n reviewedBy,\n updatedAt: new Date().toISOString(),\n });\n }\n\n /\n Resolve a quarantine entry with a final decision.\n \n - `promote`: the file is cleared — bytes remain in storage for the caller\n * to move to its final destination.\n * - `delete`: the bytes are permanently removed from quarantine storage.\n /\n async resolve(id: string, review: QuarantineReview): Promise<QuarantineEntry> {\n const entry = await this.storage.getEntry(id);\n if (!entry) throw new Error(`Quarantine entry not found: ${id}`);\n if (entry.status === \"promoted\" \|\| entry.status === \"deleted\") {\n throw new Error(`Quarantine entry ${id} is already resolved (${entry.status}).`);\n }\n\n const now = new Date().toISOString();\n const newStatus: QuarantineStatus = review.decision === \"promote\" ? \"promoted\" : \"deleted\";\n\n if (review.decision === \"delete\") {\n await this.storage.deleteFile(entry.storageKey);\n }\n\n return this.storage.updateEntry(id, {\n status: newStatus,\n reviewedBy: review.reviewedBy,\n reviewNote: review.reviewNote,\n resolvedAt: now,\n updatedAt: now,\n });\n }\n\n /\n Retrieve the raw bytes of a promoted file so the caller can move it to\n * permanent storage. Returns `null` if the entry is not found or has been\n * deleted.\n /\n async getFile(id: string): Promise<Uint8Array \| null> {\n const entry = await this.storage.getEntry(id);\n if (!entry) return null;\n return this.storage.getFile(entry.storageKey);\n }\n\n // ── Query helpers ───────────────────────────────────────────────────────────\n\n getEntry(id: string): Promise<QuarantineEntry \| null> {\n return this.storage.getEntry(id);\n }\n\n listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]> {\n return this.storage.listEntries(filter);\n }\n\n listPending(): Promise<QuarantineEntry[]> {\n return this.storage.listEntries({ status: \"pending\" });\n }\n\n countEntries(filter?: QuarantineFilter): Promise<number> {\n return this.storage.countEntries(filter);\n }\n\n // ── Reporting ───────────────────────────────────────────────────────────────\n\n /\n Generate a structured JSON report of all quarantine entries matching the\n * filter — suitable for audit logs and dashboards.\n */\n async report(filter?: QuarantineFilter): Promise<QuarantineReport> {\n const entries = await this.storage.listEntries(filter);\n const byStatus = { pending: 0, reviewing: 0, promoted: 0, deleted: 0 };\n for (const e of entries) byStatus[e.status]++;\n return {\n generatedAt: new Date().toISOString(),\n totalEntries: entries.length,\n byStatus,\n entries,\n };\n }\n}\n\n// ── Helpers ───────────────────────────────────────────────────────────────────\n\nfunction generateId(): string {\n return crypto.randomUUID();\n}\n\nfunction computeSha256(bytes: Uint8Array): string {\n return crypto.createHash(\"sha256\").update(bytes).digest(\"hex\");\n}\n"],"names":["path","fs","crypto"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;AAYG;AA4DH;;;;;;;;;AASG;MACU,2BAA2B,CAAA;AAItC,IAAA,WAAA,CAAY,OAA2C,EAAA;AACrD,QAAA,IAAI,CAAC,QAAQ,GAAGA,eAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC;AAC/C,QAAA,IAAI,CAAC,OAAO,GAAGA,eAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC;AAC7C,QAAA,IAAI,OAAO,CAAC,eAAe,KAAK,KAAK,EAAE;AACrC,YAAAC,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAChD,YAAAA,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACjD;IACF;AAEA,IAAA,MAAM,QAAQ,CAAC,EAAU,EAAE,KAAiB,EAAA;;AAE1C,QAAA,MAAM,UAAU,GAAG,CAAA,EAAG,EAAE,CAAA,CAAA,EAAIC,iBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;AACnE,QAAA,MAAM,QAAQ,GAAGF,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;QACrD,MAAMC,aAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC;AAC5C,QAAA,OAAO,UAAU;IACnB;IAEA,MAAM,OAAO,CAAC,UAAkB,EAAA;AAC9B,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;AACnE,QAAA,IAAI;YACF,MAAM,GAAG,GAAG,MAAMC,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;AAChD,YAAA,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC;QAC5B;AAAE,QAAA,MAAM;AACN,YAAA,OAAO,IAAI;QACb;IACF;IAEA,MAAM,UAAU,CAAC,UAAkB,EAAA;AACjC,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;AACnE,QAAA,MAAMC,aAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAK;;AAE9C,QAAA,CAAC,CAAC;IACJ;IAEA,MAAM,SAAS,CAAC,KAAsB,EAAA;AACpC,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAA,EAAG,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA,KAAA,CAAO,CAAC;QAC1E,MAAMC,aAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC;IAC/E;IAEA,MAAM,QAAQ,CAAC,EAAU,EAAA;AACvB,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,CAAA,KAAA,CAAO,CAAC;AACpE,QAAA,IAAI;AACF,YAAA,MAAM,GAAG,GAAG,MAAMC,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;AACxD,YAAA,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB;QAC3C;AAAE,QAAA,MAAM;AACN,YAAA,OAAO,IAAI;QACb;IACF;AAEA,IAAA,MAAM,WAAW,CAAC,EAAU,EAAE,KAA+B,EAAA;QAC3D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;AACxC,QAAA,IAAI,CAAC,QAAQ;AAAE,YAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,EAAE,CAAA,CAAE,CAAC;QACnE,MAAM,OAAO,GAAoB,EAAE,GAAG,QAAQ,EAAE,GAAG,KAAK,EAAE;AAC1D,QAAA,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;AAC7B,QAAA,OAAO,OAAO;IAChB;IAEA,MAAM,WAAW,CAAC,MAAyB,EAAA;QACzC,MAAM,KAAK,GAAG,MAAMA,aAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,MAAM,EAAc,CAAC;QACjF,MAAM,OAAO,GAAsB,EAAE;AAErC,QAAA,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;AACxB,YAAA,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE;AAC7B,YAAA,IAAI;gBACF,MAAM,GAAG,GAAG,MAAMA,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAACD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC;gBAC7E,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;YAClD;AAAE,YAAA,MAAM;;YAER;QACF;AAEA,QAAA,OAAO,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC;IACrC;IAEA,MAAM,YAAY,CAAC,MAAyB,EAAA;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9C,OAAO,OAAO,CAAC,MAAM;IACvB;AACD;AAED;AAEA;;;AAGG;AACH,SAAS,YAAY,CAAC,GAAW,EAAA;AAC/B,IAAA,OAAOA,eAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC;AAC5D;AAEA,SAAS,WAAW,CAAC,OAA0B,EAAE,MAAyB,EAAA;AACxE,IAAA,IAAI,CAAC,MAAM;AAAE,QAAA,OAAO,OAAO;IAE3B,IAAI,MAAM,GAAG,OAAO;AAEpB,IAAA,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE;QAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC;AAC/E,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC5D;AACA,IAAA,IAAI,MAAM,CAAC,KAAK,EAAE;AAChB,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,KAAM,CAAC;IACjE;AACA,IAAA,IAAI,MAAM,CAAC,MAAM,EAAE;AACjB,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,MAAO,CAAC;IAClE;AACA,IAAA,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE;QAC9B,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC;IACxC;AAEA,IAAA,OAAO,MAAM;AACf;;ACpMA;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BG;AAiCH;AAEA;;;AAGG;MACU,iBAAiB,CAAA;AAK5B,IAAA,WAAA,CAAY,OAAiC,EAAA;AAC3C,QAAA,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO;QAC9B,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,IAAI,IAAI;QAChE,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,IAAI;IAChE;AAEA;;;AAGG;AACH,IAAA,gBAAgB,CAAC,MAAkB,EAAA;AACjC,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC,mBAAmB;AACnE,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC,oBAAoB;AACrE,QAAA,OAAO,KAAK;IACd;AAEA;;;;;;;AAOG;AACH,IAAA,MAAM,UAAU,CACd,KAAiB,EACjB,MAAkB,EAClB,QAAmE,EAAA;AAEnE,QAAA,MAAM,EAAE,GAAG,UAAU,EAAE;QACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,aAAa,CAAC,KAAK,CAAC;QACtD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AAEpC,QAAA,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;AAEzD,QAAA,MAAM,KAAK,GAAoB;YAC7B,EAAE;YACF,UAAU;AACV,YAAA,IAAI,EAAE,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE;AAC7B,YAAA,UAAU,EAAE,MAAM;AAClB,YAAA,aAAa,EAAE,GAAG;AAClB,YAAA,MAAM,EAAE,SAAS;AACjB,YAAA,SAAS,EAAE,GAAG;SACf;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC;AACnC,QAAA,OAAO,KAAK;IACd;AAEA;;AAEG;AACH,IAAA,MAAM,WAAW,CAAC,EAAU,EAAE,UAAmB,EAAA;AAC/C,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE;AAClC,YAAA,MAAM,EAAE,WAAW;YACnB,UAAU;AACV,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACpC,SAAA,CAAC;IACJ;AAEA;;;;;;AAMG;AACH,IAAA,MAAM,OAAO,CAAC,EAAU,EAAE,MAAwB,EAAA;QAChD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7C,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,EAAE,CAAA,CAAE,CAAC;AAChE,QAAA,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE;YAC7D,MAAM,IAAI,KAAK,CAAC,CAAA,iBAAA,EAAoB,EAAE,CAAA,sBAAA,EAAyB,KAAK,CAAC,MAAM,CAAA,EAAA,CAAI,CAAC;QAClF;QAEA,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACpC,QAAA,MAAM,SAAS,GAAqB,MAAM,CAAC,QAAQ,KAAK,SAAS,GAAG,UAAU,GAAG,SAAS;AAE1F,QAAA,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE;YAChC,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC;QACjD;AAEA,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE;AAClC,YAAA,MAAM,EAAE,SAAS;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;AAC7B,YAAA,UAAU,EAAE,GAAG;AACf,YAAA,SAAS,EAAE,GAAG;AACf,SAAA,CAAC;IACJ;AAEA;;;;AAIG;IACH,MAAM,OAAO,CAAC,EAAU,EAAA;QACtB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7C,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,OAAO,IAAI;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/C;;AAIA,IAAA,QAAQ,CAAC,EAAU,EAAA;QACjB,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IAClC;AAEA,IAAA,WAAW,CAAC,MAAyB,EAAA;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;IACzC;IAEA,WAAW,GAAA;AACT,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACxD;AAEA,IAAA,YAAY,CAAC,MAAyB,EAAA;QACpC,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC;IAC1C;;AAIA;;;AAGG;IACH,MAAM,MAAM,CAAC,MAAyB,EAAA;QACpC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;AACtD,QAAA,MAAM,QAAQ,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;QACtE,KAAK,MAAM,CAAC,IAAI,OAAO;AAAE,YAAA,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE;QAC7C,OAAO;AACL,YAAA,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,YAAY,EAAE,OAAO,CAAC,MAAM;YAC5B,QAAQ;YACR,OAAO;SACR;IACH;AACD;AAED;AAEA,SAAS,UAAU,GAAA;AACjB,IAAA,OAAOE,iBAAM,CAAC,UAAU,EAAE;AAC5B;AAEA,SAAS,aAAa,CAAC,KAAiB,EAAA;AACtC,IAAA,OAAOA,iBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;AAChE;;;;;"}