pompelmi 0.34.10 → 0.35.1

package/dist/pompelmi.browser.esm.js

@@ -1,8 +1,238 @@
 import { createHash } from 'crypto';
 
+const MB$1 = 1024 * 1024;
+const DEFAULT_POLICY = {
+    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf"],
+    allowedMimeTypes: ["application/zip", "image/png", "image/jpeg", "application/pdf", "text/plain"],
+    maxFileSizeBytes: 20 * MB$1,
+    timeoutMs: 5000,
+    concurrency: 4,
+    failClosed: true,
+};
+function definePolicy(input = {}) {
+    const p = { ...DEFAULT_POLICY, ...input };
+    if (!Array.isArray(p.includeExtensions))
+        throw new TypeError("includeExtensions must be string[]");
+    if (!Array.isArray(p.allowedMimeTypes))
+        throw new TypeError("allowedMimeTypes must be string[]");
+    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
+        throw new TypeError("maxFileSizeBytes must be > 0");
+    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
+        throw new TypeError("timeoutMs must be > 0");
+    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
+        throw new TypeError("concurrency must be > 0");
+    return p;
+}
+
+/**
+ * Policy packs for Pompelmi.
+ *
+ * Pre-configured, named policies for common upload scenarios.  Each pack
+ * defines the file type allowlist, size limits, and timeout appropriate for
+ * its use case.
+ *
+ * All packs are built on `definePolicy` and are fully overridable:
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ *
+ * // Use a pack as-is:
+ * const policy = POLICY_PACKS['images-only'];
+ *
+ * // Or override individual fields:
+ * import { definePolicy } from 'pompelmi';
+ * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
+ * ```
+ *
+ * These packs are *deterministic* and *descriptor-based* — they do not
+ * depend on any external threat intelligence feed.
+ *
+ * @module policy-packs
+ */
+const KB = 1024;
+const MB = 1024 * KB;
+// ── Policy packs ──────────────────────────────────────────────────────────────
+/**
+ * Documents-only policy.
+ *
+ * Appropriate for: document management APIs, PDF/Office file upload endpoints,
+ * data import pipelines.
+ *
+ * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
+ *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
+ * Max size: 25 MB.
+ */
+const DOCUMENTS_ONLY = definePolicy({
+    includeExtensions: [
+        "pdf",
+        "doc",
+        "docx",
+        "xls",
+        "xlsx",
+        "ppt",
+        "pptx",
+        "odt",
+        "ods",
+        "odp",
+        "csv",
+        "txt",
+        "json",
+        "yaml",
+        "yml",
+        "md",
+    ],
+    allowedMimeTypes: [
+        "application/pdf",
+        "application/msword",
+        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+        "application/vnd.ms-excel",
+        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        "application/vnd.ms-powerpoint",
+        "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+        "application/vnd.oasis.opendocument.text",
+        "application/vnd.oasis.opendocument.spreadsheet",
+        "application/vnd.oasis.opendocument.presentation",
+        "text/csv",
+        "text/plain",
+        "application/json",
+        "text/yaml",
+        "text/markdown",
+    ],
+    maxFileSizeBytes: 25 * MB,
+    timeoutMs: 10000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Images-only policy.
+ *
+ * Appropriate for: avatar uploads, product image APIs, content platforms with
+ * user-generated imagery.
+ *
+ * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
+ * Max size: 10 MB.
+ * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
+ */
+const IMAGES_ONLY = definePolicy({
+    includeExtensions: ["jpg", "jpeg", "png", "gif", "webp", "avif", "tiff", "tif", "bmp", "ico"],
+    allowedMimeTypes: [
+        "image/jpeg",
+        "image/png",
+        "image/gif",
+        "image/webp",
+        "image/avif",
+        "image/tiff",
+        "image/bmp",
+        "image/x-icon",
+        "image/vnd.microsoft.icon",
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 5000,
+    concurrency: 8,
+    failClosed: true,
+});
+/**
+ * Strict public-upload policy.
+ *
+ * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
+ * any surface exposed to untrusted users.
+ *
+ * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
+ * allowlist.  Only allows plain images and PDF.
+ */
+const STRICT_PUBLIC_UPLOAD = definePolicy({
+    includeExtensions: ["jpg", "jpeg", "png", "webp", "pdf"],
+    allowedMimeTypes: ["image/jpeg", "image/png", "image/webp", "application/pdf"],
+    maxFileSizeBytes: 5 * MB,
+    timeoutMs: 4000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Conservative default policy.
+ *
+ * A hardened version of the built-in `DEFAULT_POLICY` suitable for
+ * production without further customisation.  Stricter size limit and
+ * shorter timeout than the permissive default.
+ */
+const CONSERVATIVE_DEFAULT = definePolicy({
+    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf", "txt", "csv", "docx", "xlsx"],
+    allowedMimeTypes: [
+        "application/zip",
+        "image/png",
+        "image/jpeg",
+        "application/pdf",
+        "text/plain",
+        "text/csv",
+        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    ],
+    maxFileSizeBytes: 10 * MB,
+    timeoutMs: 8000,
+    concurrency: 4,
+    failClosed: true,
+});
+/**
+ * Archives policy.
+ *
+ * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
+ * Combines a generous size allowance with a longer timeout for deep inspection.
+ *
+ * NOTE: Pair this policy with `createZipBombGuard()` to defend against
+ * decompression-bomb attacks:
+ *
+ * ```ts
+ * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
+ * const scanner = composeScanners(
+ *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
+ * );
+ * ```
+ */
+const ARCHIVES = definePolicy({
+    includeExtensions: ["zip", "tar", "gz", "tgz", "bz2", "xz", "7z", "rar"],
+    allowedMimeTypes: [
+        "application/zip",
+        "application/x-tar",
+        "application/gzip",
+        "application/x-bzip2",
+        "application/x-xz",
+        "application/x-7z-compressed",
+        "application/x-rar-compressed",
+    ],
+    maxFileSizeBytes: 100 * MB,
+    timeoutMs: 30000,
+    concurrency: 2,
+    failClosed: true,
+});
+/**
+ * Named map of all built-in policy packs.
+ *
+ * ```ts
+ * import { POLICY_PACKS } from 'pompelmi/policy-packs';
+ * const policy = POLICY_PACKS['strict-public-upload'];
+ * ```
+ */
+const POLICY_PACKS = {
+    "documents-only": DOCUMENTS_ONLY,
+    "images-only": IMAGES_ONLY,
+    "strict-public-upload": STRICT_PUBLIC_UPLOAD,
+    "conservative-default": CONSERVATIVE_DEFAULT,
+    archives: ARCHIVES,
+};
+/**
+ * Look up a policy pack by name.
+ * Throws if the name is not recognised.
+ */
+function getPolicyPack(name) {
+    const policy = POLICY_PACKS[name];
+    if (!policy)
+        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(", ")}`);
+    return policy;
+}
+
 function hasAsciiToken(buf, token) {
     // Use latin1 so we can safely search binary
-    return buf.indexOf(token, 0, 'latin1') !== -1;
+    return buf.indexOf(token, 0, "latin1") !== -1;
 }
 function startsWith(buf, bytes) {
     if (buf.length < bytes.length)
@@ -18,7 +248,7 @@ function isPDF(buf) {
 }
 function isOleCfb(buf) {
     // D0 CF 11 E0 A1 B1 1A E1
-    const sig = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];
+    const sig = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1];
     return startsWith(buf, sig);
 }
 function isZipLike$1(buf) {
@@ -33,12 +263,12 @@ function isPeExecutable(buf) {
 function hasOoxmlMacros(buf) {
     if (!isZipLike$1(buf))
         return false;
-    return hasAsciiToken(buf, 'vbaProject.bin');
+    return hasAsciiToken(buf, "vbaProject.bin");
 }
 /** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
 function pdfRiskTokens(buf) {
-    const tokens = ['/JavaScript', '/OpenAction', '/AA', '/Launch'];
-    return tokens.filter(t => hasAsciiToken(buf, t));
+    const tokens = ["/JavaScript", "/OpenAction", "/AA", "/Launch"];
+    return tokens.filter((t) => hasAsciiToken(buf, t));
 }
 const CommonHeuristicsScanner = {
     async scan(input) {
@@ -46,33 +276,37 @@ const CommonHeuristicsScanner = {
         const matches = [];
         // Office macros (OLE / OOXML)
         if (isOleCfb(buf)) {
-            matches.push({ rule: 'office_ole_container', severity: 'suspicious' });
+            matches.push({ rule: "office_ole_container", severity: "suspicious" });
         }
         if (hasOoxmlMacros(buf)) {
-            matches.push({ rule: 'office_ooxml_macros', severity: 'suspicious' });
+            matches.push({ rule: "office_ooxml_macros", severity: "suspicious" });
         }
         // PDF risky tokens
         if (isPDF(buf)) {
             const toks = pdfRiskTokens(buf);
             if (toks.length) {
                 matches.push({
-                    rule: 'pdf_risky_actions',
-                    severity: 'suspicious',
-                    meta: { tokens: toks }
+                    rule: "pdf_risky_actions",
+                    severity: "suspicious",
+                    meta: { tokens: toks },
                 });
             }
         }
         // Executable header
         if (isPeExecutable(buf)) {
-            matches.push({ rule: 'pe_executable_signature', severity: 'suspicious' });
+            matches.push({ rule: "pe_executable_signature", severity: "suspicious" });
         }
         // EICAR test file
         const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
         if (hasAsciiToken(buf, EICAR_NEEDLE)) {
-            matches.push({ rule: 'eicar_test_file', severity: 'high', meta: { note: 'EICAR standard antivirus test file detected' } });
+            matches.push({
+                rule: "eicar_test_file",
+                severity: "high",
+                meta: { note: "EICAR standard antivirus test file detected" },
+            });
         }
         return matches;
-    }
+    },
 };
 
 function toScanFn(s) {
@@ -111,7 +345,13 @@ async function runWithTimeout(fn, timeoutMs) {
         return fn();
     return new Promise((resolve, reject) => {
         const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
-        fn().then((v) => { clearTimeout(timer); resolve(v); }, (e) => { clearTimeout(timer); reject(e); });
+        fn().then((v) => {
+            clearTimeout(timer);
+            resolve(v);
+        }, (e) => {
+            clearTimeout(timer);
+            reject(e);
+        });
     });
 }
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -122,7 +362,9 @@ function composeScanners(...args) {
     if (Array.isArray(first) &&
         (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
         const entries = first;
-        const opts = rest.length > 0 && !Array.isArray(rest[0]) && typeof rest[0] !== "function" &&
+        const opts = rest.length > 0 &&
+            !Array.isArray(rest[0]) &&
+            typeof rest[0] !== "function" &&
             !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
             ? rest[0]
             : {};
@@ -130,7 +372,7 @@ function composeScanners(...args) {
             const all = [];
             if (opts.parallel) {
                 // Parallel execution — collect all results then return
-                const results = await Promise.allSettled(entries.map(([name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
+                const results = await Promise.allSettled(entries.map(([_name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
                 for (let i = 0; i < results.length; i++) {
                     const result = results[i];
                     if (result.status === "fulfilled" && Array.isArray(result.value)) {
@@ -184,152 +426,61 @@ function composeScanners(...args) {
     };
 }
 function createPresetScanner(preset, opts = {}) {
-    const scanners = [];
-    // Always include heuristics (EICAR, PHP webshells, JS obfuscation, PE hints, etc.)
-    scanners.push(CommonHeuristicsScanner);
+    const baseScanners = [CommonHeuristicsScanner];
+    const dynamicScannerPromises = [];
     // Add decompilation scanners based on preset
-    if (preset === 'decompilation-basic' || preset === 'decompilation-deep' ||
-        preset === 'malware-analysis' || opts.enableDecompilation) {
-        const depth = preset === 'decompilation-deep' ? 'deep' :
-            preset === 'decompilation-basic' ? 'basic' :
-                opts.decompilationDepth || 'basic';
-        if (!opts.decompilationEngine || opts.decompilationEngine === 'binaryninja-hlil' || opts.decompilationEngine === 'both') {
-            try {
-                // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
-                const importModule = new Function('specifier', 'return import(specifier)');
-                importModule('@pompelmi/engine-binaryninja').then((mod) => {
-                    const binjaScanner = mod.createBinaryNinjaScanner({
-                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                        depth,
-                        pythonPath: opts.pythonPath,
-                        binaryNinjaPath: opts.binaryNinjaPath
-                    });
-                    scanners.push(binjaScanner);
-                }).catch(() => {
-                    // Binary Ninja engine not available - silently skip
-                });
-            }
-            catch {
-                // Engine not installed
-            }
-        }
-        if (!opts.decompilationEngine || opts.decompilationEngine === 'ghidra-pcode' || opts.decompilationEngine === 'both') {
-            try {
-                // Dynamic import for Ghidra engine (when implemented) - using Function to bypass TypeScript type checking
-                const importModule = new Function('specifier', 'return import(specifier)');
-                importModule('@pompelmi/engine-ghidra').then((mod) => {
-                    const ghidraScanner = mod.createGhidraScanner({
-                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                        depth,
-                        ghidraPath: opts.ghidraPath,
-                        analyzeHeadless: opts.analyzeHeadless
-                    });
-                    scanners.push(ghidraScanner);
-                }).catch(() => {
-                    // Ghidra engine not available - silently skip
-                });
-            }
-            catch {
-                // Engine not installed
-            }
+    if (preset === "decompilation-basic" ||
+        preset === "decompilation-deep" ||
+        preset === "malware-analysis" ||
+        opts.enableDecompilation) {
+        const depth = preset === "decompilation-deep" || preset === "malware-analysis"
+            ? "deep"
+            : preset === "decompilation-basic"
+                ? "basic"
+                : opts.decompilationDepth || "basic";
+        let importModule;
+        try {
+            // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
+            importModule = new Function("specifier", "return import(specifier)");
         }
-    }
-    if (scanners.length === 0) {
-        // Fallback scanner that returns no matches
-        return async (_input, _ctx) => {
-            return [];
-        };
-    }
-    return composeScanners(...scanners);
-}
-
-/**
- * Performance monitoring utilities for pompelmi scans
- * @module utils/performance-metrics
- */
-/**
- * Track performance metrics for a scan operation
- */
-class PerformanceTracker {
-    constructor() {
-        this.checkpoints = new Map();
-        this.startTime = Date.now();
-    }
-    /**
-     * Mark a checkpoint in the scan process
-     */
-    checkpoint(name) {
-        this.checkpoints.set(name, Date.now());
-    }
-    /**
-     * Get duration since start or since a specific checkpoint
-     */
-    getDuration(since) {
-        const now = Date.now();
-        if (since && this.checkpoints.has(since)) {
-            return now - (this.checkpoints.get(since) ?? now);
+        catch {
+            importModule = undefined;
         }
-        return now - this.startTime;
-    }
-    /**
-     * Generate final metrics report
-     */
-    getMetrics(bytesScanned) {
-        const totalDuration = this.getDuration();
-        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
-        return {
-            totalDurationMs: totalDuration,
-            heuristicsDurationMs: this.checkpoints.has('heuristics_end')
-                ? (this.checkpoints.get('heuristics_end') ?? 0) - (this.checkpoints.get('heuristics_start') ?? 0)
-                : undefined,
-            yaraDurationMs: this.checkpoints.has('yara_end')
-                ? (this.checkpoints.get('yara_end') ?? 0) - (this.checkpoints.get('yara_start') ?? 0)
-                : undefined,
-            prepDurationMs: this.checkpoints.has('prep_end')
-                ? (this.checkpoints.get('prep_end') ?? 0) - this.startTime
-                : undefined,
-            throughputBps: throughput,
-            bytesScanned,
-            startedAt: this.startTime,
-            completedAt: Date.now(),
-        };
-    }
-}
-/**
- * Aggregate statistics from multiple scan reports
- */
-function aggregateScanStats(reports) {
-    let cleanCount = 0;
-    let suspiciousCount = 0;
-    let maliciousCount = 0;
-    let totalDuration = 0;
-    let totalBytes = 0;
-    let validDurationCount = 0;
-    for (const report of reports) {
-        if (report.verdict === 'clean')
-            cleanCount++;
-        else if (report.verdict === 'suspicious')
-            suspiciousCount++;
-        else if (report.verdict === 'malicious')
-            maliciousCount++;
-        if (report.durationMs !== undefined) {
-            totalDuration += report.durationMs;
-            validDurationCount++;
+        if (importModule &&
+            (!opts.decompilationEngine ||
+                opts.decompilationEngine === "binaryninja-hlil" ||
+                opts.decompilationEngine === "both")) {
+            dynamicScannerPromises.push(importModule("@pompelmi/engine-binaryninja")
+                .then((mod) => mod.createBinaryNinjaScanner({
+                timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                depth,
+                pythonPath: opts.pythonPath,
+                binaryNinjaPath: opts.binaryNinjaPath,
+            }))
+                .catch(() => null));
         }
-        if (report.file?.size !== undefined) {
-            totalBytes += report.file.size;
+        if (importModule &&
+            (!opts.decompilationEngine ||
+                opts.decompilationEngine === "ghidra-pcode" ||
+                opts.decompilationEngine === "both")) {
+            dynamicScannerPromises.push(importModule("@pompelmi/engine-ghidra")
+                .then((mod) => mod.createGhidraScanner({
+                timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                depth,
+                ghidraPath: opts.ghidraPath,
+                analyzeHeadless: opts.analyzeHeadless,
+            }))
+                .catch(() => null));
         }
     }
-    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
-    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
-    return {
-        totalScans: reports.length,
-        cleanCount,
-        suspiciousCount,
-        maliciousCount,
-        avgDurationMs: avgDuration,
-        avgThroughputBps: avgThroughput,
-        totalBytesScanned: totalBytes,
+    let composedScannerPromise;
+    const getComposedScanner = async () => {
+        composedScannerPromise ?? (composedScannerPromise = Promise.all(dynamicScannerPromises).then((dynamicScanners) => composeScanners(...baseScanners, ...dynamicScanners.filter((scanner) => scanner !== null))));
+        return composedScannerPromise;
+    };
+    return async (input, ctx) => {
+        const scanner = await getComposedScanner();
+        return scanner(input, ctx);
     };
 }
 
@@ -346,25 +497,25 @@ function detectPolyglot(bytes) {
     // Check for PDF/ZIP polyglot
     if (isPDFZipPolyglot(bytes)) {
         matches.push({
-            rule: 'polyglot_pdf_zip',
-            severity: 'high',
-            meta: { description: 'File can be interpreted as both PDF and ZIP' },
+            rule: "polyglot_pdf_zip",
+            severity: "high",
+            meta: { description: "File can be interpreted as both PDF and ZIP" },
         });
     }
     // Check for image/script polyglot
     if (isImageScriptPolyglot(bytes)) {
         matches.push({
-            rule: 'polyglot_image_script',
-            severity: 'high',
-            meta: { description: 'Image file contains executable script content' },
+            rule: "polyglot_image_script",
+            severity: "high",
+            meta: { description: "Image file contains executable script content" },
         });
     }
     // Check for GIFAR (GIF/JAR polyglot)
     if (isGIFAR(bytes)) {
         matches.push({
-            rule: 'polyglot_gifar',
-            severity: 'critical',
-            meta: { description: 'GIF file contains Java archive' },
+            rule: "polyglot_gifar",
+            severity: "critical",
+            meta: { description: "GIF file contains Java archive" },
         });
     }
     return matches;
@@ -374,7 +525,7 @@ function detectPolyglot(bytes) {
  */
 function detectObfuscatedScripts(bytes) {
     const matches = [];
-    const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
+    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
     // Check for common obfuscation patterns
     const obfuscationPatterns = [
         /eval\s*\(\s*unescape\s*\(/gi,
@@ -386,10 +537,10 @@ function detectObfuscatedScripts(bytes) {
     for (const pattern of obfuscationPatterns) {
         if (pattern.test(text)) {
             matches.push({
-                rule: 'obfuscated_script',
-                severity: 'medium',
+                rule: "obfuscated_script",
+                severity: "medium",
                 meta: {
-                    description: 'Detected obfuscated script content',
+                    description: "Detected obfuscated script content",
                     pattern: pattern.source,
                 },
             });
@@ -429,7 +580,10 @@ function isPDFZipPolyglot(bytes) {
     // Check for ZIP signature anywhere in the file
     let hasZIP = false;
     for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
+        if (bytes[i] === 0x50 &&
+            bytes[i + 1] === 0x4b &&
+            bytes[i + 2] === 0x03 &&
+            bytes[i + 3] === 0x04) {
             hasZIP = true;
             break;
         }
@@ -440,14 +594,13 @@ function isImageScriptPolyglot(bytes) {
     if (bytes.length < 100)
         return false;
     // Check for image signatures
-    const isImage = ((bytes[0] === 0xFF && bytes[1] === 0xD8) || // JPEG
-        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4E && bytes[3] === 0x47) || // PNG
-        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46) // GIF
-    );
+    const isImage = (bytes[0] === 0xff && bytes[1] === 0xd8) || // JPEG
+        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4e && bytes[3] === 0x47) || // PNG
+        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46); // GIF
     if (!isImage)
         return false;
     // Check for script content
-    const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes);
+    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes);
     return /<script|javascript:|eval\(|function\s*\(/i.test(text);
 }
 function isGIFAR(bytes) {
@@ -458,7 +611,10 @@ function isGIFAR(bytes) {
     // Check for ZIP/JAR signature
     let hasZIP = false;
     for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
+        if (bytes[i] === 0x50 &&
+            bytes[i + 1] === 0x4b &&
+            bytes[i + 2] === 0x03 &&
+            bytes[i + 3] === 0x04) {
             hasZIP = true;
             break;
         }
@@ -470,13 +626,13 @@ function isArchive(bytes) {
         return false;
     return (
     // ZIP
-    (bytes[0] === 0x50 && bytes[1] === 0x4B && bytes[2] === 0x03 && bytes[3] === 0x04) ||
+    (bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04) ||
         // RAR
         (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
         // 7z
-        (bytes[0] === 0x37 && bytes[1] === 0x7A && bytes[2] === 0xBC && bytes[3] === 0xAF) ||
+        (bytes[0] === 0x37 && bytes[1] === 0x7a && bytes[2] === 0xbc && bytes[3] === 0xaf) ||
         // tar.gz
-        (bytes[0] === 0x1F && bytes[1] === 0x8B));
+        (bytes[0] === 0x1f && bytes[1] === 0x8b));
 }
 
 /**
@@ -504,10 +660,10 @@ class ScanCacheManager {
      * Generate cache key from file content
      */
     generateKey(content, preset) {
-        const hash = createHash('sha256')
+        const hash = createHash("sha256")
             .update(content)
-            .update(preset || 'default')
-            .digest('hex');
+            .update(preset || "default")
+            .digest("hex");
         return hash;
     }
     /**
@@ -651,35 +807,132 @@ function getDefaultCache(options) {
     return defaultCache;
 }
 
-/** Mappa veloce estensione -> mime (basic) */
+/**
+ * Performance monitoring utilities for pompelmi scans
+ * @module utils/performance-metrics
+ */
+/**
+ * Track performance metrics for a scan operation
+ */
+class PerformanceTracker {
+    constructor() {
+        this.checkpoints = new Map();
+        this.startTime = Date.now();
+    }
+    /**
+     * Mark a checkpoint in the scan process
+     */
+    checkpoint(name) {
+        this.checkpoints.set(name, Date.now());
+    }
+    /**
+     * Get duration since start or since a specific checkpoint
+     */
+    getDuration(since) {
+        const now = Date.now();
+        if (since && this.checkpoints.has(since)) {
+            return now - (this.checkpoints.get(since) ?? now);
+        }
+        return now - this.startTime;
+    }
+    /**
+     * Generate final metrics report
+     */
+    getMetrics(bytesScanned) {
+        const totalDuration = this.getDuration();
+        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
+        return {
+            totalDurationMs: totalDuration,
+            heuristicsDurationMs: this.checkpoints.has("heuristics_end")
+                ? (this.checkpoints.get("heuristics_end") ?? 0) -
+                    (this.checkpoints.get("heuristics_start") ?? 0)
+                : undefined,
+            yaraDurationMs: this.checkpoints.has("yara_end")
+                ? (this.checkpoints.get("yara_end") ?? 0) - (this.checkpoints.get("yara_start") ?? 0)
+                : undefined,
+            prepDurationMs: this.checkpoints.has("prep_end")
+                ? (this.checkpoints.get("prep_end") ?? 0) - this.startTime
+                : undefined,
+            throughputBps: throughput,
+            bytesScanned,
+            startedAt: this.startTime,
+            completedAt: Date.now(),
+        };
+    }
+}
+/**
+ * Aggregate statistics from multiple scan reports
+ */
+function aggregateScanStats(reports) {
+    let cleanCount = 0;
+    let suspiciousCount = 0;
+    let maliciousCount = 0;
+    let totalDuration = 0;
+    let totalBytes = 0;
+    let validDurationCount = 0;
+    for (const report of reports) {
+        if (report.verdict === "clean")
+            cleanCount++;
+        else if (report.verdict === "suspicious")
+            suspiciousCount++;
+        else if (report.verdict === "malicious")
+            maliciousCount++;
+        if (report.durationMs !== undefined) {
+            totalDuration += report.durationMs;
+            validDurationCount++;
+        }
+        if (report.file?.size !== undefined) {
+            totalBytes += report.file.size;
+        }
+    }
+    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
+    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
+    return {
+        totalScans: reports.length,
+        cleanCount,
+        suspiciousCount,
+        maliciousCount,
+        avgDurationMs: avgDuration,
+        avgThroughputBps: avgThroughput,
+        totalBytesScanned: totalBytes,
+    };
+}
+
+/** Mappa veloce estensione -> mime (basic) */
 function guessMimeByExt(name) {
     if (!name)
         return;
-    const ext = name.toLowerCase().split('.').pop();
+    const ext = name.toLowerCase().split(".").pop();
     switch (ext) {
-        case 'zip': return 'application/zip';
-        case 'png': return 'image/png';
-        case 'jpg':
-        case 'jpeg': return 'image/jpeg';
-        case 'pdf': return 'application/pdf';
-        case 'txt': return 'text/plain';
-        default: return;
+        case "zip":
+            return "application/zip";
+        case "png":
+            return "image/png";
+        case "jpg":
+        case "jpeg":
+            return "image/jpeg";
+        case "pdf":
+            return "application/pdf";
+        case "txt":
+            return "text/plain";
+        default:
+            return;
     }
 }
 /** Heuristica semplice per verdetto */
 function computeVerdict(matches) {
     if (!matches.length)
-        return 'clean';
+        return "clean";
     // se la regola contiene 'zip_' lo marchiamo "suspicious"
-    const anyHigh = matches.some(m => (m.tags ?? []).includes('critical') || (m.tags ?? []).includes('high'));
-    return anyHigh ? 'malicious' : 'suspicious';
+    const anyHigh = matches.some((m) => (m.tags ?? []).includes("critical") || (m.tags ?? []).includes("high"));
+    return anyHigh ? "malicious" : "suspicious";
 }
 /** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
 function toYaraMatches(ms) {
-    return ms.map(m => ({
+    return ms.map((m) => ({
         rule: m.rule,
-        namespace: 'heuristics',
-        tags: ['heuristics'].concat(m.severity ? [m.severity] : []),
+        namespace: "heuristics",
+        tags: ["heuristics"].concat(m.severity ? [m.severity] : []),
         meta: m.meta,
     }));
 }
@@ -693,26 +946,28 @@ async function scanBytes(input, opts = {}) {
             return cached;
         }
     }
-    const perfTracker = (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)
+    const perfTracker = opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking
         ? new PerformanceTracker()
         : null;
-    perfTracker?.checkpoint('prep_start');
-    const preset = opts.preset ?? opts.config?.defaultPreset ?? 'zip-basic';
+    perfTracker?.checkpoint("prep_start");
+    const preset = opts.preset ?? opts.config?.defaultPreset ?? "zip-basic";
     const ctx = {
         ...opts.ctx,
         mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
         size: opts.ctx?.size ?? input.byteLength,
     };
-    perfTracker?.checkpoint('prep_end');
-    perfTracker?.checkpoint('heuristics_start');
+    perfTracker?.checkpoint("prep_end");
+    perfTracker?.checkpoint("heuristics_start");
     const scanFn = createPresetScanner(preset);
-    const matchesH = await (typeof scanFn === "function" ? scanFn : scanFn.scan)(input, ctx);
-    let allMatches = [...matchesH];
-    perfTracker?.checkpoint('heuristics_end');
+    const matchesH = await (typeof scanFn === "function"
+        ? scanFn
+        : scanFn.scan)(input, ctx);
+    const allMatches = [...matchesH];
+    perfTracker?.checkpoint("heuristics_end");
     // Advanced detection (enabled by default, can be overridden by config)
     const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
     if (advancedEnabled) {
-        perfTracker?.checkpoint('advanced_start');
+        perfTracker?.checkpoint("advanced_start");
         // Detect polyglot files
         if (opts.config?.advanced?.enablePolyglotDetection !== false) {
             const polyglotMatches = detectPolyglot(input);
@@ -727,37 +982,38 @@ async function scanBytes(input, opts = {}) {
         if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
             const nestingAnalysis = analyzeNestedArchives(input);
             const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
-            if (nestingAnalysis.hasExcessiveNesting || (nestingAnalysis.depth > maxDepth)) {
+            if (nestingAnalysis.hasExcessiveNesting || nestingAnalysis.depth > maxDepth) {
                 allMatches.push({
-                    rule: 'excessive_archive_nesting',
-                    severity: 'high',
+                    rule: "excessive_archive_nesting",
+                    severity: "high",
                     meta: {
-                        description: 'Excessive archive nesting detected',
+                        description: "Excessive archive nesting detected",
                         depth: nestingAnalysis.depth,
                         maxAllowed: maxDepth,
                     },
                 });
             }
         }
-        perfTracker?.checkpoint('advanced_end');
+        perfTracker?.checkpoint("advanced_end");
     }
     const matches = toYaraMatches(allMatches);
     const verdict = computeVerdict(matches);
     perfTracker ? perfTracker.getDuration() : Date.now();
     const durationMs = perfTracker ? perfTracker.getDuration() : 0;
     const report = {
-        ok: verdict === 'clean',
+        ok: verdict === "clean",
         verdict,
         matches,
-        reasons: matches.map(m => m.rule),
+        reasons: matches.map((m) => m.rule),
         file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
         durationMs,
-        engine: 'heuristics',
+        engine: "heuristics",
         truncated: false,
         timedOut: false,
     };
     // Add performance metrics if tracking enabled
-    if (perfTracker && (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
+    if (perfTracker &&
+        (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
         report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
     }
     // Cache result if enabled
@@ -771,10 +1027,7 @@ async function scanBytes(input, opts = {}) {
 }
 /** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
 async function scanFile(filePath, opts = {}) {
-    const [{ readFile, stat }, path] = await Promise.all([
-        import('fs/promises'),
-        import('path'),
-    ]);
+    const [{ readFile, stat }, path] = await Promise.all([import('fs/promises'), import('path')]);
     const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
     const ctx = {
         filename: path.basename(filePath),
@@ -798,21 +1051,6 @@ async function scanFiles(files, opts = {}) {
     return out;
 }
 
-/**
- * Validates a File by MIME type and size (max 5 MB).
- */
-function validateFile(file) {
-    const maxSize = 5 * 1024 * 1024;
-    const allowedTypes = ['text/plain', 'application/json', 'text/csv'];
-    if (!allowedTypes.includes(file.type)) {
-        return { valid: false, error: 'Unsupported file type' };
-    }
-    if (file.size > maxSize) {
-        return { valid: false, error: 'File too large (max 5 MB)' };
-    }
-    return { valid: true };
-}
-
 const SIG_CEN = 0x02014b50;
 const DEFAULTS = {
     maxEntries: 1000,
@@ -829,7 +1067,7 @@ function r32(buf, off) {
 }
 function isZipLike(buf) {
     // local file header at start is common
-    return buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04;
+    return (buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04);
 }
 function lastIndexOfEOCD(buf, window) {
     const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
@@ -838,7 +1076,7 @@ function lastIndexOfEOCD(buf, window) {
     return idx >= start ? idx : -1;
 }
 function hasTraversal(name) {
-    return name.includes('../') || name.includes('..\\') || name.startsWith('/') || /^[A-Za-z]:/.test(name);
+    return (name.includes("../") || name.includes("..\\") || name.startsWith("/") || /^[A-Za-z]:/.test(name));
 }
 function createZipBombGuard(opts = {}) {
     const cfg = { ...DEFAULTS, ...opts };
@@ -852,7 +1090,7 @@ function createZipBombGuard(opts = {}) {
             const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
             if (eocdPos < 0 || eocdPos + 22 > buf.length) {
                 // ZIP but no EOCD — malformed or polyglot → suspicious
-                matches.push({ rule: 'zip_eocd_not_found', severity: 'medium' });
+                matches.push({ rule: "zip_eocd_not_found", severity: "medium" });
                 return matches;
             }
             const totalEntries = r16(buf, eocdPos + 10);
@@ -860,7 +1098,7 @@ function createZipBombGuard(opts = {}) {
             const cdOffset = r32(buf, eocdPos + 16);
             // Bounds check
             if (cdOffset + cdSize > buf.length) {
-                matches.push({ rule: 'zip_cd_out_of_bounds', severity: 'medium' });
+                matches.push({ rule: "zip_cd_out_of_bounds", severity: "medium" });
                 return matches;
             }
             // Iterate central directory entries
@@ -881,287 +1119,68 @@ function createZipBombGuard(opts = {}) {
                 const nameEnd = nameStart + fnLen;
                 if (nameEnd > buf.length)
                     break;
-                const name = buf.toString('utf8', nameStart, nameEnd);
+                const name = buf.toString("utf8", nameStart, nameEnd);
                 sumComp += compSize;
                 sumUnc += uncSize;
                 seen++;
                 if (name.length > cfg.maxEntryNameLength) {
-                    matches.push({ rule: 'zip_entry_name_too_long', severity: 'medium', meta: { name, length: name.length } });
+                    matches.push({
+                        rule: "zip_entry_name_too_long",
+                        severity: "medium",
+                        meta: { name, length: name.length },
+                    });
                 }
                 if (hasTraversal(name)) {
-                    matches.push({ rule: 'zip_path_traversal_entry', severity: 'medium', meta: { name } });
+                    matches.push({ rule: "zip_path_traversal_entry", severity: "medium", meta: { name } });
                 }
                 // move to next entry
                 ptr = nameEnd + exLen + cmLen;
             }
             if (seen !== totalEntries) {
                 // central dir truncated/odd, still report what we found
-                matches.push({ rule: 'zip_cd_truncated', severity: 'medium', meta: { seen, totalEntries } });
+                matches.push({
+                    rule: "zip_cd_truncated",
+                    severity: "medium",
+                    meta: { seen, totalEntries },
+                });
             }
             // Heuristics thresholds
             if (seen > cfg.maxEntries) {
-                matches.push({ rule: 'zip_too_many_entries', severity: 'medium', meta: { seen, limit: cfg.maxEntries } });
+                matches.push({
+                    rule: "zip_too_many_entries",
+                    severity: "medium",
+                    meta: { seen, limit: cfg.maxEntries },
+                });
             }
             if (sumUnc > cfg.maxTotalUncompressedBytes) {
                 matches.push({
-                    rule: 'zip_total_uncompressed_too_large',
-                    severity: 'medium',
-                    meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes }
+                    rule: "zip_total_uncompressed_too_large",
+                    severity: "medium",
+                    meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes },
                 });
             }
             if (sumComp === 0 && sumUnc > 0) {
-                matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio: Infinity } });
+                matches.push({
+                    rule: "zip_suspicious_ratio",
+                    severity: "medium",
+                    meta: { ratio: Infinity },
+                });
             }
             else if (sumComp > 0) {
                 const ratio = sumUnc / Math.max(1, sumComp);
                 if (ratio >= cfg.maxCompressionRatio) {
-                    matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio, limit: cfg.maxCompressionRatio } });
+                    matches.push({
+                        rule: "zip_suspicious_ratio",
+                        severity: "medium",
+                        meta: { ratio, limit: cfg.maxCompressionRatio },
+                    });
                 }
             }
             return matches;
-        }
+        },
     };
 }
 
-const MB$1 = 1024 * 1024;
-const DEFAULT_POLICY = {
-    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf'],
-    allowedMimeTypes: ['application/zip', 'image/png', 'image/jpeg', 'application/pdf', 'text/plain'],
-    maxFileSizeBytes: 20 * MB$1,
-    timeoutMs: 5000,
-    concurrency: 4,
-    failClosed: true
-};
-function definePolicy(input = {}) {
-    const p = { ...DEFAULT_POLICY, ...input };
-    if (!Array.isArray(p.includeExtensions))
-        throw new TypeError('includeExtensions must be string[]');
-    if (!Array.isArray(p.allowedMimeTypes))
-        throw new TypeError('allowedMimeTypes must be string[]');
-    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
-        throw new TypeError('maxFileSizeBytes must be > 0');
-    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
-        throw new TypeError('timeoutMs must be > 0');
-    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
-        throw new TypeError('concurrency must be > 0');
-    return p;
-}
-
-/**
- * Policy packs for Pompelmi.
- *
- * Pre-configured, named policies for common upload scenarios.  Each pack
- * defines the file type allowlist, size limits, and timeout appropriate for
- * its use case.
- *
- * All packs are built on `definePolicy` and are fully overridable:
- *
- * ```ts
- * import { POLICY_PACKS } from 'pompelmi/policy-packs';
- *
- * // Use a pack as-is:
- * const policy = POLICY_PACKS['images-only'];
- *
- * // Or override individual fields:
- * import { definePolicy } from 'pompelmi';
- * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
- * ```
- *
- * These packs are *deterministic* and *descriptor-based* — they do not
- * depend on any external threat intelligence feed.
- *
- * @module policy-packs
- */
-const KB = 1024;
-const MB = 1024 * KB;
-// ── Policy packs ──────────────────────────────────────────────────────────────
-/**
- * Documents-only policy.
- *
- * Appropriate for: document management APIs, PDF/Office file upload endpoints,
- * data import pipelines.
- *
- * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
- *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
- * Max size: 25 MB.
- */
-const DOCUMENTS_ONLY = definePolicy({
-    includeExtensions: [
-        'pdf',
-        'doc', 'docx',
-        'xls', 'xlsx',
-        'ppt', 'pptx',
-        'odt', 'ods', 'odp',
-        'csv',
-        'txt',
-        'json',
-        'yaml', 'yml',
-        'md',
-    ],
-    allowedMimeTypes: [
-        'application/pdf',
-        'application/msword',
-        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-        'application/vnd.ms-excel',
-        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-        'application/vnd.ms-powerpoint',
-        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
-        'application/vnd.oasis.opendocument.text',
-        'application/vnd.oasis.opendocument.spreadsheet',
-        'application/vnd.oasis.opendocument.presentation',
-        'text/csv',
-        'text/plain',
-        'application/json',
-        'text/yaml',
-        'text/markdown',
-    ],
-    maxFileSizeBytes: 25 * MB,
-    timeoutMs: 10000,
-    concurrency: 4,
-    failClosed: true,
-});
-/**
- * Images-only policy.
- *
- * Appropriate for: avatar uploads, product image APIs, content platforms with
- * user-generated imagery.
- *
- * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
- * Max size: 10 MB.
- * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
- */
-const IMAGES_ONLY = definePolicy({
-    includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],
-    allowedMimeTypes: [
-        'image/jpeg',
-        'image/png',
-        'image/gif',
-        'image/webp',
-        'image/avif',
-        'image/tiff',
-        'image/bmp',
-        'image/x-icon',
-        'image/vnd.microsoft.icon',
-    ],
-    maxFileSizeBytes: 10 * MB,
-    timeoutMs: 5000,
-    concurrency: 8,
-    failClosed: true,
-});
-/**
- * Strict public-upload policy.
- *
- * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
- * any surface exposed to untrusted users.
- *
- * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
- * allowlist.  Only allows plain images and PDF.
- */
-const STRICT_PUBLIC_UPLOAD = definePolicy({
-    includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],
-    allowedMimeTypes: [
-        'image/jpeg',
-        'image/png',
-        'image/webp',
-        'application/pdf',
-    ],
-    maxFileSizeBytes: 5 * MB,
-    timeoutMs: 4000,
-    concurrency: 2,
-    failClosed: true,
-});
-/**
- * Conservative default policy.
- *
- * A hardened version of the built-in `DEFAULT_POLICY` suitable for
- * production without further customisation.  Stricter size limit and
- * shorter timeout than the permissive default.
- */
-const CONSERVATIVE_DEFAULT = definePolicy({
-    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],
-    allowedMimeTypes: [
-        'application/zip',
-        'image/png',
-        'image/jpeg',
-        'application/pdf',
-        'text/plain',
-        'text/csv',
-        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-    ],
-    maxFileSizeBytes: 10 * MB,
-    timeoutMs: 8000,
-    concurrency: 4,
-    failClosed: true,
-});
-/**
- * Archives policy.
- *
- * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
- * Combines a generous size allowance with a longer timeout for deep inspection.
- *
- * NOTE: Pair this policy with `createZipBombGuard()` to defend against
- * decompression-bomb attacks:
- *
- * ```ts
- * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
- * const scanner = composeScanners(
- *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
- * );
- * ```
- */
-const ARCHIVES = definePolicy({
-    includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],
-    allowedMimeTypes: [
-        'application/zip',
-        'application/x-tar',
-        'application/gzip',
-        'application/x-bzip2',
-        'application/x-xz',
-        'application/x-7z-compressed',
-        'application/x-rar-compressed',
-    ],
-    maxFileSizeBytes: 100 * MB,
-    timeoutMs: 30000,
-    concurrency: 2,
-    failClosed: true,
-});
-/**
- * Named map of all built-in policy packs.
- *
- * ```ts
- * import { POLICY_PACKS } from 'pompelmi/policy-packs';
- * const policy = POLICY_PACKS['strict-public-upload'];
- * ```
- */
-const POLICY_PACKS = {
-    'documents-only': DOCUMENTS_ONLY,
-    'images-only': IMAGES_ONLY,
-    'strict-public-upload': STRICT_PUBLIC_UPLOAD,
-    'conservative-default': CONSERVATIVE_DEFAULT,
-    'archives': ARCHIVES,
-};
-/**
- * Look up a policy pack by name.
- * Throws if the name is not recognised.
- */
-function getPolicyPack(name) {
-    const policy = POLICY_PACKS[name];
-    if (!policy)
-        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);
-    return policy;
-}
-
-function mapMatchesToVerdict(matches = []) {
-    if (!matches.length)
-        return 'clean';
-    const malHints = ['trojan', 'ransom', 'worm', 'spy', 'rootkit', 'keylog', 'botnet'];
-    const tagSet = new Set(matches.flatMap(m => (m.tags ?? []).map(t => t.toLowerCase())));
-    const nameHit = (r) => malHints.some(h => r.toLowerCase().includes(h));
-    const isMal = matches.some(m => nameHit(m.rule)) || tagSet.has('malware') || tagSet.has('critical');
-    return isMal ? 'malicious' : 'suspicious';
-}
-
 /**
  * Export utilities for scan results
  * @module utils/export
@@ -1177,19 +1196,15 @@ class ScanResultExporter {
         const data = Array.isArray(reports) ? reports : [reports];
         if (!options.includeDetails) {
             // Simplified output
-            const simplified = data.map(r => ({
+            const simplified = data.map((r) => ({
                 verdict: r.verdict,
                 file: r.file?.name,
                 matches: r.matches.length,
                 durationMs: r.durationMs,
             }));
-            return options.prettyPrint
-                ? JSON.stringify(simplified, null, 2)
-                : JSON.stringify(simplified);
+            return options.prettyPrint ? JSON.stringify(simplified, null, 2) : JSON.stringify(simplified);
         }
-        return options.prettyPrint
-            ? JSON.stringify(data, null, 2)
-            : JSON.stringify(data);
+        return options.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
     }
     /**
      * Export to CSV format
@@ -1197,68 +1212,68 @@ class ScanResultExporter {
     toCSV(reports, options = {}) {
         const data = Array.isArray(reports) ? reports : [reports];
         const headers = [
-            'filename',
-            'verdict',
-            'matches_count',
-            'file_size',
-            'mime_type',
-            'duration_ms',
-            'engine',
+            "filename",
+            "verdict",
+            "matches_count",
+            "file_size",
+            "mime_type",
+            "duration_ms",
+            "engine",
         ];
         if (options.includeDetails) {
-            headers.push('reasons', 'match_rules');
+            headers.push("reasons", "match_rules");
         }
-        const rows = data.map(report => {
+        const rows = data.map((report) => {
             const row = [
-                this.escapeCsv(report.file?.name || 'unknown'),
+                this.escapeCsv(report.file?.name || "unknown"),
                 report.verdict,
                 report.matches.length.toString(),
                 (report.file?.size || 0).toString(),
-                this.escapeCsv(report.file?.mimeType || 'unknown'),
+                this.escapeCsv(report.file?.mimeType || "unknown"),
                 (report.durationMs || 0).toString(),
-                report.engine || 'unknown',
+                report.engine || "unknown",
             ];
             if (options.includeDetails) {
-                row.push(this.escapeCsv((report.reasons || []).join('; ')), this.escapeCsv(report.matches.map(m => m.rule).join('; ')));
+                row.push(this.escapeCsv((report.reasons || []).join("; ")), this.escapeCsv(report.matches.map((m) => m.rule).join("; ")));
             }
-            return row.join(',');
+            return row.join(",");
         });
-        return [headers.join(','), ...rows].join('\n');
+        return [headers.join(","), ...rows].join("\n");
     }
     /**
      * Export to Markdown format
      */
     toMarkdown(reports, options = {}) {
         const data = Array.isArray(reports) ? reports : [reports];
-        let md = '# Scan Results\n\n';
+        let md = "# Scan Results\n\n";
         md += `**Total Scans:** ${data.length}\n\n`;
-        const clean = data.filter(r => r.verdict === 'clean').length;
-        const suspicious = data.filter(r => r.verdict === 'suspicious').length;
-        const malicious = data.filter(r => r.verdict === 'malicious').length;
-        md += '## Summary\n\n';
+        const clean = data.filter((r) => r.verdict === "clean").length;
+        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
+        const malicious = data.filter((r) => r.verdict === "malicious").length;
+        md += "## Summary\n\n";
         md += `- ✅ Clean: ${clean}\n`;
         md += `- ⚠️ Suspicious: ${suspicious}\n`;
         md += `- ❌ Malicious: ${malicious}\n\n`;
-        md += '## Detailed Results\n\n';
+        md += "## Detailed Results\n\n";
         for (const report of data) {
-            const icon = report.verdict === 'clean' ? '✅' : report.verdict === 'suspicious' ? '⚠️' : '❌';
-            md += `### ${icon} ${report.file?.name || 'Unknown'}\n\n`;
+            const icon = report.verdict === "clean" ? "✅" : report.verdict === "suspicious" ? "⚠️" : "❌";
+            md += `### ${icon} ${report.file?.name || "Unknown"}\n\n`;
             md += `- **Verdict:** ${report.verdict}\n`;
             md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
-            md += `- **MIME Type:** ${report.file?.mimeType || 'unknown'}\n`;
+            md += `- **MIME Type:** ${report.file?.mimeType || "unknown"}\n`;
             md += `- **Duration:** ${report.durationMs || 0}ms\n`;
             md += `- **Matches:** ${report.matches.length}\n`;
             if (options.includeDetails && report.matches.length > 0) {
-                md += '\n**Match Details:**\n';
+                md += "\n**Match Details:**\n";
                 for (const match of report.matches) {
                     md += `- ${match.rule}`;
                     if (match.tags && match.tags.length > 0) {
-                        md += ` (${match.tags.join(', ')})`;
+                        md += ` (${match.tags.join(", ")})`;
                     }
-                    md += '\n';
+                    md += "\n";
                 }
             }
-            md += '\n';
+            md += "\n";
         }
         return md;
     }
@@ -1268,20 +1283,20 @@ class ScanResultExporter {
      */
     toSARIF(reports, options = {}) {
         const data = Array.isArray(reports) ? reports : [reports];
-        const results = data.flatMap(report => {
-            if (report.verdict === 'clean')
+        const results = data.flatMap((report) => {
+            if (report.verdict === "clean")
                 return [];
-            return report.matches.map(match => ({
+            return report.matches.map((match) => ({
                 ruleId: match.rule,
-                level: report.verdict === 'malicious' ? 'error' : 'warning',
+                level: report.verdict === "malicious" ? "error" : "warning",
                 message: {
-                    text: `${match.rule} detected in ${report.file?.name || 'unknown file'}`,
+                    text: `${match.rule} detected in ${report.file?.name || "unknown file"}`,
                 },
                 locations: [
                     {
                         physicalLocation: {
                             artifactLocation: {
-                                uri: report.file?.name || 'unknown',
+                                uri: report.file?.name || "unknown",
                             },
                         },
                     },
@@ -1293,33 +1308,31 @@ class ScanResultExporter {
             }));
         });
         const sarif = {
-            version: '2.1.0',
-            $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+            version: "2.1.0",
+            $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
             runs: [
                 {
                     tool: {
                         driver: {
-                            name: 'Pompelmi',
-                            version: '0.29.0',
-                            informationUri: 'https://pompelmi.github.io/pompelmi/',
+                            name: "Pompelmi",
+                            version: "0.29.0",
+                            informationUri: "https://pompelmi.github.io/pompelmi/",
                         },
                     },
                     results,
                 },
             ],
         };
-        return options.prettyPrint
-            ? JSON.stringify(sarif, null, 2)
-            : JSON.stringify(sarif);
+        return options.prettyPrint ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
     }
     /**
      * Export to HTML format
      */
     toHTML(reports, options = {}) {
         const data = Array.isArray(reports) ? reports : [reports];
-        const clean = data.filter(r => r.verdict === 'clean').length;
-        const suspicious = data.filter(r => r.verdict === 'suspicious').length;
-        const malicious = data.filter(r => r.verdict === 'malicious').length;
+        const clean = data.filter((r) => r.verdict === "clean").length;
+        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
+        const malicious = data.filter((r) => r.verdict === "malicious").length;
         let html = `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -1351,11 +1364,11 @@ class ScanResultExporter {
         for (const report of data) {
             const statusClass = report.verdict;
             html += `<div class="result ${statusClass}">`;
-            html += `<h3>${this.escapeHtml(report.file?.name || 'Unknown')}</h3>`;
+            html += `<h3>${this.escapeHtml(report.file?.name || "Unknown")}</h3>`;
             html += `<table>`;
             html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
             html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
-            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || 'unknown')}</td></tr>`;
+            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || "unknown")}</td></tr>`;
             html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
             html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
             html += `</table>`;
@@ -1364,7 +1377,7 @@ class ScanResultExporter {
                 for (const match of report.matches) {
                     html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
                     if (match.tags && match.tags.length > 0) {
-                        html += ` ${match.tags.map(tag => `<span class="badge">${this.escapeHtml(tag)}</span>`).join('')}`;
+                        html += ` ${match.tags.map((tag) => `<span class="badge">${this.escapeHtml(tag)}</span>`).join("")}`;
                     }
                     html += `</li>`;
                 }
@@ -1380,41 +1393,41 @@ class ScanResultExporter {
      */
     export(reports, format, options = {}) {
         switch (format) {
-            case 'json':
+            case "json":
                 return this.toJSON(reports, options);
-            case 'csv':
+            case "csv":
                 return this.toCSV(reports, options);
-            case 'markdown':
+            case "markdown":
                 return this.toMarkdown(reports, options);
-            case 'html':
+            case "html":
                 return this.toHTML(reports, options);
-            case 'sarif':
+            case "sarif":
                 return this.toSARIF(reports, options);
             default:
                 throw new Error(`Unsupported export format: ${format}`);
         }
     }
     escapeCsv(value) {
-        if (value.includes(',') || value.includes('"') || value.includes('\n')) {
+        if (value.includes(",") || value.includes('"') || value.includes("\n")) {
             return `"${value.replace(/"/g, '""')}"`;
         }
         return value;
     }
     escapeHtml(value) {
         return value
-            .replace(/&/g, '&amp;')
-            .replace(/</g, '&lt;')
-            .replace(/>/g, '&gt;')
-            .replace(/"/g, '&quot;')
-            .replace(/'/g, '&#039;');
+            .replace(/&/g, "&amp;")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#039;");
     }
     formatBytes(bytes) {
         if (bytes === 0)
-            return '0 Bytes';
+            return "0 Bytes";
         const k = 1024;
-        const sizes = ['Bytes', 'KB', 'MB', 'GB'];
+        const sizes = ["Bytes", "KB", "MB", "GB"];
         const i = Math.floor(Math.log(bytes) / Math.log(k));
-        return Math.round(bytes / Math.pow(k, i) * 100) / 100 + ' ' + sizes[i];
+        return Math.round((bytes / k ** i) * 100) / 100 + " " + sizes[i];
     }
 }
 /**
@@ -1425,5 +1438,30 @@ function exportScanResults(reports, format, options) {
     return exporter.export(reports, format, options);
 }
 
+/**
+ * Validates a File by MIME type and size (max 5 MB).
+ */
+function validateFile(file) {
+    const maxSize = 5 * 1024 * 1024;
+    const allowedTypes = ["text/plain", "application/json", "text/csv"];
+    if (!allowedTypes.includes(file.type)) {
+        return { valid: false, error: "Unsupported file type" };
+    }
+    if (file.size > maxSize) {
+        return { valid: false, error: "File too large (max 5 MB)" };
+    }
+    return { valid: true };
+}
+
+function mapMatchesToVerdict(matches = []) {
+    if (!matches.length)
+        return "clean";
+    const malHints = ["trojan", "ransom", "worm", "spy", "rootkit", "keylog", "botnet"];
+    const tagSet = new Set(matches.flatMap((m) => (m.tags ?? []).map((t) => t.toLowerCase())));
+    const nameHit = (r) => malHints.some((h) => r.toLowerCase().includes(h));
+    const isMal = matches.some((m) => nameHit(m.rule)) || tagSet.has("malware") || tagSet.has("critical");
+    return isMal ? "malicious" : "suspicious";
+}
+
 export { ARCHIVES, CONSERVATIVE_DEFAULT, CommonHeuristicsScanner, DEFAULT_POLICY, DOCUMENTS_ONLY, IMAGES_ONLY, POLICY_PACKS, PerformanceTracker, STRICT_PUBLIC_UPLOAD, ScanResultExporter, aggregateScanStats, analyzeNestedArchives, composeScanners, createPresetScanner, createZipBombGuard, definePolicy, detectObfuscatedScripts, detectPolyglot, exportScanResults, getPolicyPack, mapMatchesToVerdict, scanBytes, scanFile, scanFiles, validateFile };
 //# sourceMappingURL=pompelmi.browser.esm.js.map