pompelmi 0.34.10 → 0.35.1

package/dist/pompelmi.esm.js

@@ -3,1044 +3,631 @@ import { createHash } from 'crypto';
 import * as os from 'os';
 import * as path from 'path';
 
-function hasAsciiToken(buf, token) {
-    // Use latin1 so we can safely search binary
-    return buf.indexOf(token, 0, 'latin1') !== -1;
-}
-function startsWith(buf, bytes) {
-    if (buf.length < bytes.length)
-        return false;
-    for (let i = 0; i < bytes.length; i++)
-        if (buf[i] !== bytes[i])
-            return false;
-    return true;
-}
-function isPDF(buf) {
-    // %PDF-
-    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
-}
-function isOleCfb(buf) {
-    // D0 CF 11 E0 A1 B1 1A E1
-    const sig = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];
-    return startsWith(buf, sig);
-}
-function isZipLike$1(buf) {
-    // PK\x03\x04
-    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
-}
-function isPeExecutable(buf) {
-    // "MZ"
-    return startsWith(buf, [0x4d, 0x5a]);
-}
-/** OOXML macro hint via filename token in ZIP container */
-function hasOoxmlMacros(buf) {
-    if (!isZipLike$1(buf))
-        return false;
-    return hasAsciiToken(buf, 'vbaProject.bin');
-}
-/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
-function pdfRiskTokens(buf) {
-    const tokens = ['/JavaScript', '/OpenAction', '/AA', '/Launch'];
-    return tokens.filter(t => hasAsciiToken(buf, t));
-}
-const CommonHeuristicsScanner = {
-    async scan(input) {
-        const buf = Buffer.from(input);
-        const matches = [];
-        // Office macros (OLE / OOXML)
-        if (isOleCfb(buf)) {
-            matches.push({ rule: 'office_ole_container', severity: 'suspicious' });
-        }
-        if (hasOoxmlMacros(buf)) {
-            matches.push({ rule: 'office_ooxml_macros', severity: 'suspicious' });
-        }
-        // PDF risky tokens
-        if (isPDF(buf)) {
-            const toks = pdfRiskTokens(buf);
-            if (toks.length) {
-                matches.push({
-                    rule: 'pdf_risky_actions',
-                    severity: 'suspicious',
-                    meta: { tokens: toks }
-                });
-            }
-        }
-        // Executable header
-        if (isPeExecutable(buf)) {
-            matches.push({ rule: 'pe_executable_signature', severity: 'suspicious' });
-        }
-        // EICAR test file
-        const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
-        if (hasAsciiToken(buf, EICAR_NEEDLE)) {
-            matches.push({ rule: 'eicar_test_file', severity: 'high', meta: { note: 'EICAR standard antivirus test file detected' } });
-        }
-        return matches;
-    }
-};
-
-function toScanFn(s) {
-    return (typeof s === "function" ? s : s.scan);
-}
-/** Map a Match's severity field to a Verdict for stopOn comparison. */
-function matchToVerdict(m) {
-    const s = m.severity;
-    if (s === "critical" || s === "high" || s === "malicious")
-        return "malicious";
-    if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
-        return "suspicious";
-    return "clean";
-}
-/** Highest verdict across all matches in the list. */
-function highestSeverity(matches) {
-    if (matches.length === 0)
-        return null;
-    if (matches.some((m) => matchToVerdict(m) === "malicious"))
-        return "malicious";
-    if (matches.some((m) => matchToVerdict(m) === "suspicious"))
-        return "suspicious";
-    return "clean";
-}
-const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
-function shouldStop(matches, stopOn) {
-    if (!stopOn)
-        return false;
-    const highest = highestSeverity(matches);
-    if (!highest)
-        return false;
-    return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
-}
-async function runWithTimeout(fn, timeoutMs) {
-    if (!timeoutMs)
-        return fn();
-    return new Promise((resolve, reject) => {
-        const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
-        fn().then((v) => { clearTimeout(timer); resolve(v); }, (e) => { clearTimeout(timer); reject(e); });
-    });
-}
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function composeScanners(...args) {
-    const first = args[0];
-    const rest = args.slice(1);
-    // ── Named-scanner array form ──────────────────────────────────────────────
-    if (Array.isArray(first) &&
-        (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
-        const entries = first;
-        const opts = rest.length > 0 && !Array.isArray(rest[0]) && typeof rest[0] !== "function" &&
-            !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
-            ? rest[0]
-            : {};
-        return async (input, ctx) => {
-            const all = [];
-            if (opts.parallel) {
-                // Parallel execution — collect all results then return
-                const results = await Promise.allSettled(entries.map(([name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
-                for (let i = 0; i < results.length; i++) {
-                    const result = results[i];
-                    if (result.status === "fulfilled" && Array.isArray(result.value)) {
-                        const matches = opts.tagSourceName
-                            ? result.value.map((m) => ({
-                                ...m,
-                                meta: { ...m.meta, _sourceName: entries[i][0] },
-                            }))
-                            : result.value;
-                        all.push(...matches);
-                    }
-                }
-            }
-            else {
-                // Sequential execution with optional stopOn short-circuit
-                for (const [name, scanner] of entries) {
-                    try {
-                        const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
-                        if (Array.isArray(out)) {
-                            const matches = opts.tagSourceName
-                                ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
-                                : out;
-                            all.push(...matches);
-                            if (shouldStop(all, opts.stopOn))
-                                break;
-                        }
-                    }
-                    catch {
-                        // individual scanner failure is non-fatal
-                    }
-                }
-            }
-            return all;
-        };
-    }
-    // ── Variadic form (backward-compatible) ───────────────────────────────────
-    const scanners = [first, ...rest].filter(Boolean);
-    return async (input, ctx) => {
-        const all = [];
-        for (const s of scanners) {
-            try {
-                const out = await toScanFn(s)(input, ctx);
-                if (Array.isArray(out))
-                    all.push(...out);
-            }
-            catch {
-                // ignore individual scanner failures
-            }
-        }
-        return all;
-    };
-}
-function createPresetScanner(preset, opts = {}) {
-    const scanners = [];
-    // Always include heuristics (EICAR, PHP webshells, JS obfuscation, PE hints, etc.)
-    scanners.push(CommonHeuristicsScanner);
-    // Add decompilation scanners based on preset
-    if (preset === 'decompilation-basic' || preset === 'decompilation-deep' ||
-        preset === 'malware-analysis' || opts.enableDecompilation) {
-        const depth = preset === 'decompilation-deep' ? 'deep' :
-            preset === 'decompilation-basic' ? 'basic' :
-                opts.decompilationDepth || 'basic';
-        if (!opts.decompilationEngine || opts.decompilationEngine === 'binaryninja-hlil' || opts.decompilationEngine === 'both') {
-            try {
-                // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
-                const importModule = new Function('specifier', 'return import(specifier)');
-                importModule('@pompelmi/engine-binaryninja').then((mod) => {
-                    const binjaScanner = mod.createBinaryNinjaScanner({
-                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                        depth,
-                        pythonPath: opts.pythonPath,
-                        binaryNinjaPath: opts.binaryNinjaPath
-                    });
-                    scanners.push(binjaScanner);
-                }).catch(() => {
-                    // Binary Ninja engine not available - silently skip
-                });
-            }
-            catch {
-                // Engine not installed
-            }
-        }
-        if (!opts.decompilationEngine || opts.decompilationEngine === 'ghidra-pcode' || opts.decompilationEngine === 'both') {
-            try {
-                // Dynamic import for Ghidra engine (when implemented) - using Function to bypass TypeScript type checking
-                const importModule = new Function('specifier', 'return import(specifier)');
-                importModule('@pompelmi/engine-ghidra').then((mod) => {
-                    const ghidraScanner = mod.createGhidraScanner({
-                        timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                        depth,
-                        ghidraPath: opts.ghidraPath,
-                        analyzeHeadless: opts.analyzeHeadless
-                    });
-                    scanners.push(ghidraScanner);
-                }).catch(() => {
-                    // Ghidra engine not available - silently skip
-                });
-            }
-            catch {
-                // Engine not installed
-            }
-        }
-    }
-    if (scanners.length === 0) {
-        // Fallback scanner that returns no matches
-        return async (_input, _ctx) => {
-            return [];
-        };
-    }
-    return composeScanners(...scanners);
-}
-
-/**
- * Performance monitoring utilities for pompelmi scans
- * @module utils/performance-metrics
- */
-/**
- * Track performance metrics for a scan operation
- */
-class PerformanceTracker {
-    constructor() {
-        this.checkpoints = new Map();
-        this.startTime = Date.now();
-    }
-    /**
-     * Mark a checkpoint in the scan process
-     */
-    checkpoint(name) {
-        this.checkpoints.set(name, Date.now());
-    }
-    /**
-     * Get duration since start or since a specific checkpoint
-     */
-    getDuration(since) {
-        const now = Date.now();
-        if (since && this.checkpoints.has(since)) {
-            return now - (this.checkpoints.get(since) ?? now);
-        }
-        return now - this.startTime;
-    }
-    /**
-     * Generate final metrics report
-     */
-    getMetrics(bytesScanned) {
-        const totalDuration = this.getDuration();
-        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
-        return {
-            totalDurationMs: totalDuration,
-            heuristicsDurationMs: this.checkpoints.has('heuristics_end')
-                ? (this.checkpoints.get('heuristics_end') ?? 0) - (this.checkpoints.get('heuristics_start') ?? 0)
-                : undefined,
-            yaraDurationMs: this.checkpoints.has('yara_end')
-                ? (this.checkpoints.get('yara_end') ?? 0) - (this.checkpoints.get('yara_start') ?? 0)
-                : undefined,
-            prepDurationMs: this.checkpoints.has('prep_end')
-                ? (this.checkpoints.get('prep_end') ?? 0) - this.startTime
-                : undefined,
-            throughputBps: throughput,
-            bytesScanned,
-            startedAt: this.startTime,
-            completedAt: Date.now(),
-        };
-    }
-}
 /**
- * Aggregate statistics from multiple scan reports
- */
-function aggregateScanStats(reports) {
-    let cleanCount = 0;
-    let suspiciousCount = 0;
-    let maliciousCount = 0;
-    let totalDuration = 0;
-    let totalBytes = 0;
-    let validDurationCount = 0;
-    for (const report of reports) {
-        if (report.verdict === 'clean')
-            cleanCount++;
-        else if (report.verdict === 'suspicious')
-            suspiciousCount++;
-        else if (report.verdict === 'malicious')
-            maliciousCount++;
-        if (report.durationMs !== undefined) {
-            totalDuration += report.durationMs;
-            validDurationCount++;
-        }
-        if (report.file?.size !== undefined) {
-            totalBytes += report.file.size;
-        }
-    }
-    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
-    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
-    return {
-        totalScans: reports.length,
-        cleanCount,
-        suspiciousCount,
-        maliciousCount,
-        avgDurationMs: avgDuration,
-        avgThroughputBps: avgThroughput,
-        totalBytesScanned: totalBytes,
-    };
-}
-
-/**
- * Advanced threat detection utilities
- * @module utils/advanced-detection
- */
-/**
- * Enhanced polyglot file detection
- * Detects files that can be interpreted as multiple formats
- */
-function detectPolyglot(bytes) {
-    const matches = [];
-    // Check for PDF/ZIP polyglot
-    if (isPDFZipPolyglot(bytes)) {
-        matches.push({
-            rule: 'polyglot_pdf_zip',
-            severity: 'high',
-            meta: { description: 'File can be interpreted as both PDF and ZIP' },
-        });
-    }
-    // Check for image/script polyglot
-    if (isImageScriptPolyglot(bytes)) {
-        matches.push({
-            rule: 'polyglot_image_script',
-            severity: 'high',
-            meta: { description: 'Image file contains executable script content' },
-        });
-    }
-    // Check for GIFAR (GIF/JAR polyglot)
-    if (isGIFAR(bytes)) {
-        matches.push({
-            rule: 'polyglot_gifar',
-            severity: 'critical',
-            meta: { description: 'GIF file contains Java archive' },
-        });
-    }
-    return matches;
-}
-/**
- * Detect obfuscated JavaScript/VBScript
+ * Advanced configuration system for pompelmi
+ * @module config
  */
-function detectObfuscatedScripts(bytes) {
-    const matches = [];
-    const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
-    // Check for common obfuscation patterns
-    const obfuscationPatterns = [
-        /eval\s*\(\s*unescape\s*\(/gi,
-        /eval\s*\(\s*atob\s*\(/gi,
-        /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
-        /[a-z0-9]{100,}/gi, // Long encoded strings
-        /\\x[0-9a-f]{2}/gi, // Hex escapes
-    ];
-    for (const pattern of obfuscationPatterns) {
-        if (pattern.test(text)) {
-            matches.push({
-                rule: 'obfuscated_script',
-                severity: 'medium',
-                meta: {
-                    description: 'Detected obfuscated script content',
-                    pattern: pattern.source,
-                },
-            });
-            break;
-        }
-    }
-    return matches;
-}
 /**
- * Enhanced nested archive detection with depth limits
+ * Default configuration
  */
-function analyzeNestedArchives(bytes, maxDepth = 10) {
-    let depth = 0;
-    let currentBytes = bytes;
-    while (depth < maxDepth) {
-        if (isArchive(currentBytes)) {
-            depth++;
-            {
-                break;
-            }
-        }
-        else {
-            break;
-        }
-    }
-    return {
-        depth,
-        hasExcessiveNesting: depth >= 5,
-    };
-}
-// Helper functions
-function isPDFZipPolyglot(bytes) {
-    if (bytes.length < 8)
-        return false;
-    // Check for PDF signature
-    const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
-    // Check for ZIP signature anywhere in the file
-    let hasZIP = false;
-    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
-            hasZIP = true;
-            break;
-        }
-    }
-    return hasPDF && hasZIP;
-}
-function isImageScriptPolyglot(bytes) {
-    if (bytes.length < 100)
-        return false;
-    // Check for image signatures
-    const isImage = ((bytes[0] === 0xFF && bytes[1] === 0xD8) || // JPEG
-        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4E && bytes[3] === 0x47) || // PNG
-        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46) // GIF
-    );
-    if (!isImage)
-        return false;
-    // Check for script content
-    const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes);
-    return /<script|javascript:|eval\(|function\s*\(/i.test(text);
-}
-function isGIFAR(bytes) {
-    if (bytes.length < 100)
-        return false;
-    // Check for GIF signature
-    const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
-    // Check for ZIP/JAR signature
-    let hasZIP = false;
-    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
-            hasZIP = true;
-            break;
-        }
-    }
-    return isGIF && hasZIP;
-}
-function isArchive(bytes) {
-    if (bytes.length < 4)
-        return false;
-    return (
-    // ZIP
-    (bytes[0] === 0x50 && bytes[1] === 0x4B && bytes[2] === 0x03 && bytes[3] === 0x04) ||
-        // RAR
-        (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
-        // 7z
-        (bytes[0] === 0x37 && bytes[1] === 0x7A && bytes[2] === 0xBC && bytes[3] === 0xAF) ||
-        // tar.gz
-        (bytes[0] === 0x1F && bytes[1] === 0x8B));
-}
-
+const DEFAULT_CONFIG = {
+    defaultPreset: "zip-basic",
+    performance: {
+        enableCache: false,
+        enablePerformanceTracking: false,
+        enableParallel: true,
+        maxConcurrency: 5,
+        cacheOptions: {
+            maxSize: 1000,
+            ttl: 3600000, // 1 hour
+            enableLRU: true,
+            enableStats: false,
+        },
+    },
+    security: {
+        maxFileSize: 100 * 1024 * 1024, // 100MB
+        enableThreatIntel: false,
+        scanTimeout: 30000, // 30 seconds
+        strictMode: false,
+    },
+    advanced: {
+        enablePolyglotDetection: true,
+        enableObfuscationDetection: true,
+        enableNestedArchiveAnalysis: true,
+        maxArchiveDepth: 5,
+    },
+    logging: {
+        verbose: false,
+        level: "info",
+        enableStats: false,
+    },
+};
 /**
- * Cache management system for scan results
- * @module utils/cache-manager
+ * Configuration presets for common use cases
  */
+const CONFIG_PRESETS = {
+    /** Fast scanning with minimal features */
+    fast: {
+        defaultPreset: "basic",
+        performance: {
+            enableCache: true,
+            enablePerformanceTracking: false,
+            maxConcurrency: 10,
+        },
+        advanced: {
+            enablePolyglotDetection: false,
+            enableObfuscationDetection: false,
+            enableNestedArchiveAnalysis: false,
+        },
+    },
+    /** Balanced scanning (recommended) */
+    balanced: DEFAULT_CONFIG,
+    /** Thorough scanning with all features */
+    thorough: {
+        defaultPreset: "advanced",
+        performance: {
+            enableCache: true,
+            enablePerformanceTracking: true,
+            maxConcurrency: 3,
+        },
+        security: {
+            maxFileSize: 500 * 1024 * 1024, // 500MB
+            enableThreatIntel: true,
+            scanTimeout: 60000, // 60 seconds
+            strictMode: true,
+        },
+        advanced: {
+            enablePolyglotDetection: true,
+            enableObfuscationDetection: true,
+            enableNestedArchiveAnalysis: true,
+            maxArchiveDepth: 10,
+        },
+        logging: {
+            verbose: true,
+            level: "debug",
+            enableStats: true,
+        },
+    },
+    /** Production-ready configuration */
+    production: {
+        defaultPreset: "advanced",
+        performance: {
+            enableCache: true,
+            enablePerformanceTracking: true,
+            maxConcurrency: 5,
+            cacheOptions: {
+                maxSize: 5000,
+                ttl: 7200000, // 2 hours
+                enableLRU: true,
+                enableStats: true,
+            },
+        },
+        security: {
+            maxFileSize: 200 * 1024 * 1024, // 200MB
+            enableThreatIntel: true,
+            scanTimeout: 45000,
+            strictMode: false,
+        },
+        advanced: {
+            enablePolyglotDetection: true,
+            enableObfuscationDetection: true,
+            enableNestedArchiveAnalysis: true,
+            maxArchiveDepth: 7,
+        },
+        logging: {
+            verbose: false,
+            level: "warn",
+            enableStats: true,
+        },
+    },
+    /** Development configuration */
+    development: {
+        defaultPreset: "basic",
+        performance: {
+            enableCache: false,
+            enablePerformanceTracking: true,
+            maxConcurrency: 3,
+        },
+        security: {
+            maxFileSize: 50 * 1024 * 1024, // 50MB
+            scanTimeout: 15000,
+            strictMode: false,
+        },
+        logging: {
+            verbose: true,
+            level: "debug",
+            enableStats: true,
+        },
+    },
+};
 /**
- * LRU cache for scan results with TTL support
+ * Configuration manager
  */
-class ScanCacheManager {
-    constructor(options = {}) {
-        this.cache = new Map();
-        // Statistics
-        this.stats = {
-            hits: 0,
-            misses: 0,
-            evictions: 0,
-        };
-        this.maxSize = options.maxSize ?? 1000;
-        this.ttl = options.ttl ?? 3600000; // 1 hour default
-        this.enableLRU = options.enableLRU ?? true;
-        this.enableStats = options.enableStats ?? false;
+class ConfigManager {
+    constructor(initialConfig) {
+        this.config = this.mergeConfig(DEFAULT_CONFIG, initialConfig || {});
     }
     /**
-     * Generate cache key from file content
+     * Get current configuration
      */
-    generateKey(content, preset) {
-        const hash = createHash('sha256')
-            .update(content)
-            .update(preset || 'default')
-            .digest('hex');
-        return hash;
+    getConfig() {
+        return { ...this.config };
     }
     /**
-     * Check if cache entry is still valid
+     * Update configuration
      */
-    isValid(entry) {
-        return Date.now() - entry.timestamp < this.ttl;
+    updateConfig(updates) {
+        this.config = this.mergeConfig(this.config, updates);
     }
     /**
-     * Evict oldest or least-used entry when cache is full
+     * Load a preset configuration
      */
-    evict() {
-        if (this.cache.size === 0)
-            return;
-        let targetKey = null;
-        let oldestTime = Infinity;
-        let lowestAccess = Infinity;
-        for (const [key, entry] of this.cache.entries()) {
-            if (this.enableLRU) {
-                // LRU: evict least recently used
-                if (entry.timestamp < oldestTime) {
-                    oldestTime = entry.timestamp;
-                    targetKey = key;
-                }
-            }
-            else {
-                // LFU: evict least frequently used
-                if (entry.accessCount < lowestAccess) {
-                    lowestAccess = entry.accessCount;
-                    targetKey = key;
-                }
-            }
-        }
-        if (targetKey) {
-            this.cache.delete(targetKey);
-            if (this.enableStats)
-                this.stats.evictions++;
-        }
+    loadPreset(preset) {
+        const presetConfig = CONFIG_PRESETS[preset];
+        this.config = this.mergeConfig(DEFAULT_CONFIG, presetConfig);
     }
     /**
-     * Store scan result in cache
+     * Reset to default configuration
      */
-    set(content, report, preset) {
-        const key = this.generateKey(content, preset);
-        // Evict if necessary
-        if (this.cache.size >= this.maxSize) {
-            this.evict();
-        }
-        this.cache.set(key, {
-            report,
-            timestamp: Date.now(),
-            accessCount: 0,
-        });
+    reset() {
+        this.config = { ...DEFAULT_CONFIG };
     }
     /**
-     * Retrieve scan result from cache
+     * Get a specific configuration value
      */
-    get(content, preset) {
-        const key = this.generateKey(content, preset);
-        const entry = this.cache.get(key);
-        if (!entry) {
-            if (this.enableStats)
-                this.stats.misses++;
-            return null;
-        }
-        if (!this.isValid(entry)) {
-            this.cache.delete(key);
-            if (this.enableStats)
-                this.stats.misses++;
-            return null;
-        }
-        // Update access tracking
-        entry.accessCount++;
-        entry.timestamp = Date.now(); // Update for LRU
-        if (this.enableStats)
-            this.stats.hits++;
-        return entry.report;
+    get(key) {
+        return this.config[key];
     }
     /**
-     * Check if result exists in cache
+     * Set a specific configuration value
      */
-    has(content, preset) {
-        const key = this.generateKey(content, preset);
-        const entry = this.cache.get(key);
-        return entry !== undefined && this.isValid(entry);
+    set(key, value) {
+        this.config[key] = value;
     }
     /**
-     * Clear entire cache
+     * Validate configuration
      */
-    clear() {
-        this.cache.clear();
-        if (this.enableStats) {
-            this.stats.hits = 0;
-            this.stats.misses = 0;
-            this.stats.evictions = 0;
+    validate() {
+        const errors = [];
+        // Validate performance settings
+        if (this.config.performance?.maxConcurrency !== undefined) {
+            if (this.config.performance.maxConcurrency < 1) {
+                errors.push("maxConcurrency must be at least 1");
+            }
+            if (this.config.performance.maxConcurrency > 50) {
+                errors.push("maxConcurrency should not exceed 50");
+            }
         }
-    }
-    /**
-     * Remove expired entries
-     */
-    prune() {
-        let removed = 0;
-        for (const [key, entry] of this.cache.entries()) {
-            if (!this.isValid(entry)) {
-                this.cache.delete(key);
-                removed++;
+        // Validate security settings
+        if (this.config.security?.maxFileSize !== undefined) {
+            if (this.config.security.maxFileSize < 1024) {
+                errors.push("maxFileSize must be at least 1KB");
             }
         }
-        return removed;
+        if (this.config.security?.scanTimeout !== undefined) {
+            if (this.config.security.scanTimeout < 1000) {
+                errors.push("scanTimeout must be at least 1000ms");
+            }
+        }
+        // Validate advanced settings
+        if (this.config.advanced?.maxArchiveDepth !== undefined) {
+            if (this.config.advanced.maxArchiveDepth < 1) {
+                errors.push("maxArchiveDepth must be at least 1");
+            }
+            if (this.config.advanced.maxArchiveDepth > 20) {
+                errors.push("maxArchiveDepth should not exceed 20");
+            }
+        }
+        return {
+            valid: errors.length === 0,
+            errors,
+        };
     }
     /**
-     * Get cache statistics
+     * Deep merge configuration objects
      */
-    getStats() {
-        const total = this.stats.hits + this.stats.misses;
-        const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
+    mergeConfig(base, updates) {
         return {
-            hits: this.stats.hits,
-            misses: this.stats.misses,
-            size: this.cache.size,
-            hitRate,
-            evictions: this.stats.evictions,
+            ...base,
+            ...updates,
+            performance: {
+                ...base.performance,
+                ...updates.performance,
+                cacheOptions: {
+                    ...base.performance?.cacheOptions,
+                    ...updates.performance?.cacheOptions,
+                },
+            },
+            security: {
+                ...base.security,
+                ...updates.security,
+            },
+            advanced: {
+                ...base.advanced,
+                ...updates.advanced,
+            },
+            logging: {
+                ...base.logging,
+                ...updates.logging,
+            },
+            callbacks: {
+                ...base.callbacks,
+                ...updates.callbacks,
+            },
+            presetOptions: {
+                ...base.presetOptions,
+                ...updates.presetOptions,
+            },
         };
     }
     /**
-     * Get current cache size
+     * Export configuration as JSON
      */
-    get size() {
-        return this.cache.size;
+    toJSON() {
+        return JSON.stringify(this.config, null, 2);
+    }
+    /**
+     * Load configuration from JSON
+     */
+    fromJSON(json) {
+        try {
+            const parsed = JSON.parse(json);
+            this.config = this.mergeConfig(DEFAULT_CONFIG, parsed);
+        }
+        catch (error) {
+            throw new Error(`Failed to parse configuration JSON: ${error}`);
+        }
     }
 }
-// Export singleton instance for convenience
-let defaultCache = null;
 /**
- * Get or create the default cache instance
+ * Create a new configuration manager
  */
-function getDefaultCache(options) {
-    if (!defaultCache) {
-        defaultCache = new ScanCacheManager(options);
-    }
-    return defaultCache;
+function createConfig(config) {
+    return new ConfigManager(config);
 }
 /**
- * Reset the default cache instance
+ * Get a preset configuration
  */
-function resetDefaultCache() {
-    defaultCache = null;
+function getPresetConfig(preset) {
+    return { ...DEFAULT_CONFIG, ...CONFIG_PRESETS[preset] };
 }
 
-/** Mappa veloce estensione -> mime (basic) */
-function guessMimeByExt(name) {
-    if (!name)
-        return;
-    const ext = name.toLowerCase().split('.').pop();
-    switch (ext) {
-        case 'zip': return 'application/zip';
-        case 'png': return 'image/png';
-        case 'jpg':
-        case 'jpeg': return 'image/jpeg';
-        case 'pdf': return 'application/pdf';
-        case 'txt': return 'text/plain';
-        default: return;
+/**
+ * HIPAA Compliance Module for Pompelmi
+ *
+ * This module provides comprehensive HIPAA compliance features for healthcare environments
+ * where Pompelmi is used to analyze potentially compromised systems containing PHI.
+ *
+ * Key protections:
+ * - Data sanitization and redaction
+ * - Secure temporary file handling
+ * - Audit logging
+ * - Memory protection
+ * - Error message sanitization
+ */
+class HipaaComplianceManager {
+    constructor(config) {
+        this.auditEvents = [];
+        this.config = {
+            sanitizeErrors: true,
+            sanitizeFilenames: true,
+            encryptTempFiles: true,
+            memoryProtection: true,
+            requireSecureTransport: true,
+            ...config,
+            enabled: config.enabled !== undefined ? config.enabled : true,
+        };
+        this.sessionId = this.generateSessionId();
     }
-}
-/** Heuristica semplice per verdetto */
-function computeVerdict(matches) {
-    if (!matches.length)
-        return 'clean';
-    // se la regola contiene 'zip_' lo marchiamo "suspicious"
-    const anyHigh = matches.some(m => (m.tags ?? []).includes('critical') || (m.tags ?? []).includes('high'));
-    return anyHigh ? 'malicious' : 'suspicious';
-}
-/** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
-function toYaraMatches(ms) {
-    return ms.map(m => ({
-        rule: m.rule,
-        namespace: 'heuristics',
-        tags: ['heuristics'].concat(m.severity ? [m.severity] : []),
-        meta: m.meta,
-    }));
-}
-/** Scan di bytes (browser/node) usando preset (default: zip-basic) */
-async function scanBytes(input, opts = {}) {
-    // Check cache first if enabled
-    if (opts.enableCache || opts.config?.performance?.enableCache) {
-        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
-        const cached = cache.get(input, opts.preset);
-        if (cached) {
-            return cached;
+    /**
+     * Sanitize filename to prevent PHI leakage in logs
+     */
+    sanitizeFilename(filename) {
+        if (!this.config.enabled || !this.config.sanitizeFilenames || !filename) {
+            return filename || "unknown";
         }
+        // Remove potentially sensitive path information
+        const basename = path.basename(filename);
+        // Hash the filename to create a consistent but non-revealing identifier
+        const hash = crypto.createHash("sha256").update(basename).digest("hex").substring(0, 8);
+        // Preserve file extension for analysis purposes
+        const ext = path.extname(basename);
+        return `file_${hash}${ext}`;
     }
-    const perfTracker = (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)
-        ? new PerformanceTracker()
-        : null;
-    perfTracker?.checkpoint('prep_start');
-    const preset = opts.preset ?? opts.config?.defaultPreset ?? 'zip-basic';
-    const ctx = {
-        ...opts.ctx,
-        mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
-        size: opts.ctx?.size ?? input.byteLength,
-    };
-    perfTracker?.checkpoint('prep_end');
-    perfTracker?.checkpoint('heuristics_start');
-    const scanFn = createPresetScanner(preset);
-    const matchesH = await (typeof scanFn === "function" ? scanFn : scanFn.scan)(input, ctx);
-    let allMatches = [...matchesH];
-    perfTracker?.checkpoint('heuristics_end');
-    // Advanced detection (enabled by default, can be overridden by config)
-    const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
-    if (advancedEnabled) {
-        perfTracker?.checkpoint('advanced_start');
-        // Detect polyglot files
-        if (opts.config?.advanced?.enablePolyglotDetection !== false) {
-            const polyglotMatches = detectPolyglot(input);
-            allMatches.push(...polyglotMatches);
-        }
-        // Detect obfuscated scripts
-        if (opts.config?.advanced?.enableObfuscationDetection !== false) {
-            const obfuscatedMatches = detectObfuscatedScripts(input);
-            allMatches.push(...obfuscatedMatches);
-        }
-        // Check for excessive nesting in archives
-        if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
-            const nestingAnalysis = analyzeNestedArchives(input);
-            const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
-            if (nestingAnalysis.hasExcessiveNesting || (nestingAnalysis.depth > maxDepth)) {
-                allMatches.push({
-                    rule: 'excessive_archive_nesting',
-                    severity: 'high',
-                    meta: {
-                        description: 'Excessive archive nesting detected',
-                        depth: nestingAnalysis.depth,
-                        maxAllowed: maxDepth,
-                    },
-                });
-            }
+    /**
+     * Sanitize error messages to prevent PHI exposure
+     */
+    sanitizeError(error) {
+        if (!this.config.enabled || !this.config.sanitizeErrors) {
+            return typeof error === "string" ? error : error.message;
         }
-        perfTracker?.checkpoint('advanced_end');
-    }
-    const matches = toYaraMatches(allMatches);
-    const verdict = computeVerdict(matches);
-    perfTracker ? perfTracker.getDuration() : Date.now();
-    const durationMs = perfTracker ? perfTracker.getDuration() : 0;
-    const report = {
-        ok: verdict === 'clean',
-        verdict,
-        matches,
-        reasons: matches.map(m => m.rule),
-        file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
-        durationMs,
-        engine: 'heuristics',
-        truncated: false,
-        timedOut: false,
-    };
-    // Add performance metrics if tracking enabled
-    if (perfTracker && (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
-        report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
-    }
-    // Cache result if enabled
-    if (opts.enableCache || opts.config?.performance?.enableCache) {
-        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
-        cache.set(input, report, opts.preset);
+        const message = typeof error === "string" ? error : error.message;
+        // Remove common patterns that might contain PHI
+        const sanitized = message
+            // Remove file paths
+            .replace(/[A-Za-z]:\\\\[^\\s]+/g, "[REDACTED_PATH]")
+            .replace(/\/[^\\s]+/g, "[REDACTED_PATH]")
+            // Remove potential patient identifiers (numbers that could be MRNs, SSNs)
+            .replace(/\\b\\d{3}-?\\d{2}-?\\d{4}\\b/g, "[REDACTED_ID]")
+            .replace(/\\b\\d{6,}\\b/g, "[REDACTED_ID]")
+            // Remove email addresses
+            .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g, "[REDACTED_EMAIL]")
+            // Remove potential names (capitalize words in error messages)
+            .replace(/\\b[A-Z][a-z]+\\s+[A-Z][a-z]+\\b/g, "[REDACTED_NAME]")
+            // Remove IP addresses
+            .replace(/\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g, "[REDACTED_IP]");
+        return sanitized;
     }
-    // Invoke callbacks if configured
-    opts.config?.callbacks?.onScanComplete?.(report);
-    return report;
-}
-/** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
-async function scanFile(filePath, opts = {}) {
-    const [{ readFile, stat }, path] = await Promise.all([
-        import('fs/promises'),
-        import('path'),
-    ]);
-    const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
-    const ctx = {
-        filename: path.basename(filePath),
-        mimeType: guessMimeByExt(filePath),
-        size: st.size,
-    };
-    return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
-}
-/** Scan multipli File (browser) usando scanBytes + preset di default */
-async function scanFiles(files, opts = {}) {
-    const list = Array.from(files);
-    const out = [];
-    for (const f of list) {
-        const buf = new Uint8Array(await f.arrayBuffer());
-        const rep = await scanBytes(buf, {
-            ...opts,
-            ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
+    /**
+     * Create secure temporary file path with encryption if enabled
+     */
+    createSecureTempPath(prefix = "pompelmi") {
+        if (!this.config.enabled) {
+            return path.join(os.tmpdir(), `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+        }
+        // Use cryptographically secure random names
+        const randomId = crypto.randomBytes(16).toString("hex");
+        const timestamp = Date.now();
+        // Create path in secure temp directory
+        const secureTempDir = this.getSecureTempDir();
+        const tempPath = path.join(secureTempDir, `${prefix}-${timestamp}-${randomId}`);
+        this.auditLog("temp_file_created", {
+            action: "create_temp_file",
+            success: true,
+            metadata: { path: this.sanitizeFilename(tempPath) },
         });
-        out.push(rep);
-    }
-    return out;
-}
-
-/**
- * Validates a File by MIME type and size (max 5 MB).
- */
-function validateFile(file) {
-    const maxSize = 5 * 1024 * 1024;
-    const allowedTypes = ['text/plain', 'application/json', 'text/csv'];
-    if (!allowedTypes.includes(file.type)) {
-        return { valid: false, error: 'Unsupported file type' };
+        return tempPath;
     }
-    if (file.size > maxSize) {
-        return { valid: false, error: 'File too large (max 5 MB)' };
+    /**
+     * Get or create secure temporary directory with restricted permissions
+     */
+    getSecureTempDir() {
+        const secureTempPath = path.join(os.tmpdir(), "pompelmi-secure");
+        try {
+            const fs = require("fs");
+            if (!fs.existsSync(secureTempPath)) {
+                fs.mkdirSync(secureTempPath, { mode: 0o700 }); // Owner read/write/execute only
+            }
+        }
+        catch (error) {
+            // Fallback to system temp
+            return os.tmpdir();
+        }
+        return secureTempPath;
     }
-    return { valid: true };
-}
-
-async function createRemoteEngine(opts) {
-    const { endpoint, headers = {}, rulesField = 'rules', fileField = 'file', mode = 'multipart', rulesAsBase64 = false, } = opts;
-    const engine = {
-        async compile(rulesSource) {
-            return {
-                async scan(data) {
-                    const fetchFn = globalThis.fetch;
-                    if (!fetchFn)
-                        throw new Error('[remote-yara] fetch non disponibile in questo ambiente');
-                    let res;
-                    if (mode === 'multipart') {
-                        const FormDataCtor = globalThis.FormData;
-                        const BlobCtor = globalThis.Blob;
-                        if (!FormDataCtor || !BlobCtor) {
-                            throw new Error('[remote-yara] FormData/Blob non disponibili (usa json-base64 oppure esegui in browser)');
-                        }
-                        const form = new FormDataCtor();
-                        form.set(rulesField, new BlobCtor([rulesSource], { type: 'text/plain' }), 'rules.yar');
-                        form.set(fileField, new BlobCtor([data], { type: 'application/octet-stream' }), 'sample.bin');
-                        res = await fetchFn(endpoint, { method: 'POST', body: form, headers });
-                    }
-                    else {
-                        const b64 = base64FromBytes(data);
-                        const payload = { [fileField]: b64 };
-                        if (rulesAsBase64) {
-                            payload['rulesB64'] = base64FromString(rulesSource);
-                        }
-                        else {
-                            payload[rulesField] = rulesSource;
+    /**
+     * Secure file cleanup with multiple overwrite passes
+     */
+    async secureFileCleanup(filePath) {
+        if (!this.config.enabled) {
+            try {
+                const fs = await import('fs/promises');
+                await fs.unlink(filePath);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            return;
+        }
+        try {
+            const fs = await import('fs/promises');
+            const stats = await fs.stat(filePath);
+            if (this.config.memoryProtection) {
+                // Overwrite file with random data multiple times (DoD 5220.22-M standard)
+                const fileSize = stats.size;
+                const buffer = crypto.randomBytes(Math.min(fileSize, 64 * 1024)); // 64KB chunks
+                for (let pass = 0; pass < 3; pass++) {
+                    const handle = await fs.open(filePath, "r+");
+                    try {
+                        for (let offset = 0; offset < fileSize; offset += buffer.length) {
+                            const chunk = offset + buffer.length > fileSize ? buffer.subarray(0, fileSize - offset) : buffer;
+                            await handle.write(chunk, 0, chunk.length, offset);
                         }
-                        res = await fetchFn(endpoint, {
-                            method: 'POST',
-                            headers: { 'Content-Type': 'application/json', ...headers },
-                            body: JSON.stringify(payload),
-                        });
+                        await handle.sync();
                     }
-                    if (!res.ok) {
-                        throw new Error(`[remote-yara] HTTP ${res.status} ${res.statusText}`);
+                    finally {
+                        await handle.close();
                     }
-                    const json = await res.json().catch(() => null);
-                    const arr = Array.isArray(json) ? json : (json?.matches ?? []);
-                    return (arr ?? []).map((m) => ({
-                        rule: m.rule ?? m.ruleIdentifier ?? 'unknown',
-                        tags: m.tags ?? [],
-                    }));
+                }
+            }
+            // Final deletion
+            await fs.unlink(filePath);
+            this.auditLog("temp_file_deleted", {
+                action: "secure_delete",
+                success: true,
+                metadata: {
+                    path: this.sanitizeFilename(filePath),
+                    overwritePasses: this.config.memoryProtection ? 3 : 0,
                 },
-            };
-        },
-    };
-    return engine;
-}
-// Helpers
-function base64FromBytes(bytes) {
-    // usa btoa se disponibile (browser); altrimenti fallback manuale
-    const btoaFn = globalThis.btoa;
-    let bin = '';
-    for (let i = 0; i < bytes.byteLength; i++)
-        bin += String.fromCharCode(bytes[i]);
-    return btoaFn ? btoaFn(bin) : Buffer.from(bin, 'binary').toString('base64');
-}
-function base64FromString(s) {
-    const btoaFn = globalThis.btoa;
-    return btoaFn ? btoaFn(s) : Buffer.from(s, 'utf8').toString('base64');
-}
-
-// src/scan/remote.ts
-/**
- * Scansiona una lista di File nel browser usando il motore remoto via HTTP.
- * Non richiede WASM né dipendenze native sul client.
- */
-async function scanFilesWithRemoteYara(files, rulesSource, remote) {
-    const engine = await createRemoteEngine(remote);
-    const compiled = await engine.compile(rulesSource);
-    const results = [];
-    for (const file of files) {
+            });
+        }
+        catch (error) {
+            this.auditLog("temp_file_deleted", {
+                action: "secure_delete",
+                success: false,
+                sanitizedError: this.sanitizeError(error),
+                metadata: { path: this.sanitizeFilename(filePath) },
+            });
+        }
+    }
+    /**
+     * Calculate secure file hash for audit purposes
+     */
+    calculateFileHash(data) {
+        return crypto.createHash("sha256").update(data).digest("hex");
+    }
+    /**
+     * Log audit event
+     */
+    auditLog(eventType, details) {
+        if (!this.config.enabled)
+            return;
+        const event = {
+            timestamp: new Date().toISOString(),
+            eventType,
+            sessionId: this.sessionId,
+            details: {
+                action: details.action || "unknown",
+                success: details.success ?? true,
+                ...details,
+            },
+        };
+        this.auditEvents.push(event);
+        // Write to audit log file if configured
+        if (this.config.auditLogPath) {
+            this.writeAuditLog(event).catch(() => {
+                // Silent failure to prevent error loops
+            });
+        }
+    }
+    /**
+     * Write audit event to file
+     */
+    async writeAuditLog(event) {
+        if (!this.config.auditLogPath)
+            return;
         try {
-            const bytes = new Uint8Array(await file.arrayBuffer());
-            const matches = await compiled.scan(bytes);
-            results.push({ file, matches });
+            const fs = await import('fs/promises');
+            const logLine = JSON.stringify(event) + "\\n";
+            await fs.appendFile(this.config.auditLogPath, logLine, { flag: "a" });
         }
-        catch (err) {
-            console.warn('[remote-yara] scan error for', file.name, err);
-            results.push({ file, matches: [], error: String(err?.message ?? err) });
+        catch {
+            // Silent failure
         }
     }
-    return results;
-}
-
-const SIG_CEN = 0x02014b50;
-const DEFAULTS = {
-    maxEntries: 1000,
-    maxTotalUncompressedBytes: 500 * 1024 * 1024,
-    maxEntryNameLength: 255,
-    maxCompressionRatio: 1000,
-    eocdSearchWindow: 70000,
-};
-function r16(buf, off) {
-    return buf.readUInt16LE(off);
-}
-function r32(buf, off) {
-    return buf.readUInt32LE(off);
-}
-function isZipLike(buf) {
-    // local file header at start is common
-    return buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04;
-}
-function lastIndexOfEOCD(buf, window) {
-    const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
-    const start = Math.max(0, buf.length - window);
-    const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
-    return idx >= start ? idx : -1;
-}
-function hasTraversal(name) {
-    return name.includes('../') || name.includes('..\\') || name.startsWith('/') || /^[A-Za-z]:/.test(name);
-}
-function createZipBombGuard(opts = {}) {
-    const cfg = { ...DEFAULTS, ...opts };
-    return {
-        async scan(input) {
-            const buf = Buffer.from(input);
-            const matches = [];
-            if (!isZipLike(buf))
-                return matches;
-            // Find EOCD near the end
-            const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
-            if (eocdPos < 0 || eocdPos + 22 > buf.length) {
-                // ZIP but no EOCD — malformed or polyglot → suspicious
-                matches.push({ rule: 'zip_eocd_not_found', severity: 'medium' });
-                return matches;
-            }
-            const totalEntries = r16(buf, eocdPos + 10);
-            const cdSize = r32(buf, eocdPos + 12);
-            const cdOffset = r32(buf, eocdPos + 16);
-            // Bounds check
-            if (cdOffset + cdSize > buf.length) {
-                matches.push({ rule: 'zip_cd_out_of_bounds', severity: 'medium' });
-                return matches;
-            }
-            // Iterate central directory entries
-            let ptr = cdOffset;
-            let seen = 0;
-            let sumComp = 0;
-            let sumUnc = 0;
-            while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
-                const sig = r32(buf, ptr);
-                if (sig !== SIG_CEN)
-                    break; // stop if structure breaks
-                const compSize = r32(buf, ptr + 20);
-                const uncSize = r32(buf, ptr + 24);
-                const fnLen = r16(buf, ptr + 28);
-                const exLen = r16(buf, ptr + 30);
-                const cmLen = r16(buf, ptr + 32);
-                const nameStart = ptr + 46;
-                const nameEnd = nameStart + fnLen;
-                if (nameEnd > buf.length)
-                    break;
-                const name = buf.toString('utf8', nameStart, nameEnd);
-                sumComp += compSize;
-                sumUnc += uncSize;
-                seen++;
-                if (name.length > cfg.maxEntryNameLength) {
-                    matches.push({ rule: 'zip_entry_name_too_long', severity: 'medium', meta: { name, length: name.length } });
-                }
-                if (hasTraversal(name)) {
-                    matches.push({ rule: 'zip_path_traversal_entry', severity: 'medium', meta: { name } });
-                }
-                // move to next entry
-                ptr = nameEnd + exLen + cmLen;
-            }
-            if (seen !== totalEntries) {
-                // central dir truncated/odd, still report what we found
-                matches.push({ rule: 'zip_cd_truncated', severity: 'medium', meta: { seen, totalEntries } });
-            }
-            // Heuristics thresholds
-            if (seen > cfg.maxEntries) {
-                matches.push({ rule: 'zip_too_many_entries', severity: 'medium', meta: { seen, limit: cfg.maxEntries } });
-            }
-            if (sumUnc > cfg.maxTotalUncompressedBytes) {
-                matches.push({
-                    rule: 'zip_total_uncompressed_too_large',
-                    severity: 'medium',
-                    meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes }
+    /**
+     * Generate cryptographically secure session ID
+     */
+    generateSessionId() {
+        return crypto.randomBytes(16).toString("hex");
+    }
+    /**
+     * Get current audit events for this session
+     */
+    getAuditEvents() {
+        return [...this.auditEvents];
+    }
+    /**
+     * Clear sensitive data from memory
+     */
+    clearSensitiveData() {
+        if (!this.config.enabled || !this.config.memoryProtection)
+            return;
+        // Clear audit events
+        this.auditEvents.length = 0;
+        // Force garbage collection if available
+        if (global.gc) {
+            global.gc();
+        }
+    }
+    /**
+     * Validate transport security
+     */
+    validateTransportSecurity(url) {
+        if (!this.config.enabled || !this.config.requireSecureTransport) {
+            return true;
+        }
+        if (!url)
+            return true;
+        try {
+            const urlObj = new URL(url);
+            const isSecure = urlObj.protocol === "https:" ||
+                urlObj.hostname === "localhost" ||
+                urlObj.hostname === "127.0.0.1";
+            if (!isSecure) {
+                this.auditLog("security_violation", {
+                    action: "insecure_transport",
+                    success: false,
+                    metadata: { protocol: urlObj.protocol, hostname: urlObj.hostname },
                 });
             }
-            if (sumComp === 0 && sumUnc > 0) {
-                matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio: Infinity } });
+            return isSecure;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+// Global HIPAA compliance instance
+let hipaaManager = null;
+/**
+ * Initialize HIPAA compliance
+ */
+function initializeHipaaCompliance(config) {
+    hipaaManager = new HipaaComplianceManager(config);
+    return hipaaManager;
+}
+/**
+ * Get current HIPAA compliance manager
+ */
+function getHipaaManager() {
+    return hipaaManager;
+}
+/**
+ * HIPAA-compliant error wrapper
+ */
+function createHipaaError(error, context) {
+    const manager = getHipaaManager();
+    if (!manager) {
+        return typeof error === "string" ? new Error(error) : error;
+    }
+    const sanitizedMessage = manager.sanitizeError(error);
+    const hipaaError = new Error(sanitizedMessage);
+    manager.auditLog("error_occurred", {
+        action: context || "error",
+        success: false,
+        sanitizedError: sanitizedMessage,
+    });
+    return hipaaError;
+}
+/**
+ * HIPAA-compliant temporary file utilities
+ */
+const HipaaTemp = {
+    createPath: (prefix) => {
+        const manager = getHipaaManager();
+        return manager
+            ? manager.createSecureTempPath(prefix)
+            : path.join(os.tmpdir(), `${prefix || "pompelmi"}-${Date.now()}`);
+    },
+    cleanup: async (filePath) => {
+        const manager = getHipaaManager();
+        if (manager) {
+            await manager.secureFileCleanup(filePath);
+        }
+        else {
+            try {
+                const fs = await import('fs/promises');
+                await fs.unlink(filePath);
             }
-            else if (sumComp > 0) {
-                const ratio = sumUnc / Math.max(1, sumComp);
-                if (ratio >= cfg.maxCompressionRatio) {
-                    matches.push({ rule: 'zip_suspicious_ratio', severity: 'medium', meta: { ratio, limit: cfg.maxCompressionRatio } });
-                }
+            catch {
+                // Ignore errors
             }
-            return matches;
         }
-    };
-}
+    },
+};
 
 const MB$1 = 1024 * 1024;
 const DEFAULT_POLICY = {
-    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf'],
-    allowedMimeTypes: ['application/zip', 'image/png', 'image/jpeg', 'application/pdf', 'text/plain'],
+    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf"],
+    allowedMimeTypes: ["application/zip", "image/png", "image/jpeg", "application/pdf", "text/plain"],
     maxFileSizeBytes: 20 * MB$1,
     timeoutMs: 5000,
     concurrency: 4,
-    failClosed: true
+    failClosed: true,
 };
 function definePolicy(input = {}) {
     const p = { ...DEFAULT_POLICY, ...input };
     if (!Array.isArray(p.includeExtensions))
-        throw new TypeError('includeExtensions must be string[]');
+        throw new TypeError("includeExtensions must be string[]");
     if (!Array.isArray(p.allowedMimeTypes))
-        throw new TypeError('allowedMimeTypes must be string[]');
+        throw new TypeError("allowedMimeTypes must be string[]");
     if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
-        throw new TypeError('maxFileSizeBytes must be > 0');
+        throw new TypeError("maxFileSizeBytes must be > 0");
     if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
-        throw new TypeError('timeoutMs must be > 0');
+        throw new TypeError("timeoutMs must be > 0");
     if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
-        throw new TypeError('concurrency must be > 0');
+        throw new TypeError("concurrency must be > 0");
     return p;
 }
 
@@ -1084,33 +671,39 @@ const MB = 1024 * KB;
  */
 const DOCUMENTS_ONLY = definePolicy({
     includeExtensions: [
-        'pdf',
-        'doc', 'docx',
-        'xls', 'xlsx',
-        'ppt', 'pptx',
-        'odt', 'ods', 'odp',
-        'csv',
-        'txt',
-        'json',
-        'yaml', 'yml',
-        'md',
+        "pdf",
+        "doc",
+        "docx",
+        "xls",
+        "xlsx",
+        "ppt",
+        "pptx",
+        "odt",
+        "ods",
+        "odp",
+        "csv",
+        "txt",
+        "json",
+        "yaml",
+        "yml",
+        "md",
     ],
     allowedMimeTypes: [
-        'application/pdf',
-        'application/msword',
-        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-        'application/vnd.ms-excel',
-        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-        'application/vnd.ms-powerpoint',
-        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
-        'application/vnd.oasis.opendocument.text',
-        'application/vnd.oasis.opendocument.spreadsheet',
-        'application/vnd.oasis.opendocument.presentation',
-        'text/csv',
-        'text/plain',
-        'application/json',
-        'text/yaml',
-        'text/markdown',
+        "application/pdf",
+        "application/msword",
+        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+        "application/vnd.ms-excel",
+        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        "application/vnd.ms-powerpoint",
+        "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+        "application/vnd.oasis.opendocument.text",
+        "application/vnd.oasis.opendocument.spreadsheet",
+        "application/vnd.oasis.opendocument.presentation",
+        "text/csv",
+        "text/plain",
+        "application/json",
+        "text/yaml",
+        "text/markdown",
     ],
     maxFileSizeBytes: 25 * MB,
     timeoutMs: 10000,
@@ -1128,17 +721,17 @@ const DOCUMENTS_ONLY = definePolicy({
  * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
  */
 const IMAGES_ONLY = definePolicy({
-    includeExtensions: ['jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'tiff', 'tif', 'bmp', 'ico'],
+    includeExtensions: ["jpg", "jpeg", "png", "gif", "webp", "avif", "tiff", "tif", "bmp", "ico"],
     allowedMimeTypes: [
-        'image/jpeg',
-        'image/png',
-        'image/gif',
-        'image/webp',
-        'image/avif',
-        'image/tiff',
-        'image/bmp',
-        'image/x-icon',
-        'image/vnd.microsoft.icon',
+        "image/jpeg",
+        "image/png",
+        "image/gif",
+        "image/webp",
+        "image/avif",
+        "image/tiff",
+        "image/bmp",
+        "image/x-icon",
+        "image/vnd.microsoft.icon",
     ],
     maxFileSizeBytes: 10 * MB,
     timeoutMs: 5000,
@@ -1155,13 +748,8 @@ const IMAGES_ONLY = definePolicy({
  * allowlist.  Only allows plain images and PDF.
  */
 const STRICT_PUBLIC_UPLOAD = definePolicy({
-    includeExtensions: ['jpg', 'jpeg', 'png', 'webp', 'pdf'],
-    allowedMimeTypes: [
-        'image/jpeg',
-        'image/png',
-        'image/webp',
-        'application/pdf',
-    ],
+    includeExtensions: ["jpg", "jpeg", "png", "webp", "pdf"],
+    allowedMimeTypes: ["image/jpeg", "image/png", "image/webp", "application/pdf"],
     maxFileSizeBytes: 5 * MB,
     timeoutMs: 4000,
     concurrency: 2,
@@ -1175,16 +763,16 @@ const STRICT_PUBLIC_UPLOAD = definePolicy({
  * shorter timeout than the permissive default.
  */
 const CONSERVATIVE_DEFAULT = definePolicy({
-    includeExtensions: ['zip', 'png', 'jpg', 'jpeg', 'pdf', 'txt', 'csv', 'docx', 'xlsx'],
+    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf", "txt", "csv", "docx", "xlsx"],
     allowedMimeTypes: [
-        'application/zip',
-        'image/png',
-        'image/jpeg',
-        'application/pdf',
-        'text/plain',
-        'text/csv',
-        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        "application/zip",
+        "image/png",
+        "image/jpeg",
+        "application/pdf",
+        "text/plain",
+        "text/csv",
+        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
     ],
     maxFileSizeBytes: 10 * MB,
     timeoutMs: 8000,
@@ -1208,15 +796,15 @@ const CONSERVATIVE_DEFAULT = definePolicy({
  * ```
  */
 const ARCHIVES = definePolicy({
-    includeExtensions: ['zip', 'tar', 'gz', 'tgz', 'bz2', 'xz', '7z', 'rar'],
+    includeExtensions: ["zip", "tar", "gz", "tgz", "bz2", "xz", "7z", "rar"],
     allowedMimeTypes: [
-        'application/zip',
-        'application/x-tar',
-        'application/gzip',
-        'application/x-bzip2',
-        'application/x-xz',
-        'application/x-7z-compressed',
-        'application/x-rar-compressed',
+        "application/zip",
+        "application/x-tar",
+        "application/gzip",
+        "application/x-bzip2",
+        "application/x-xz",
+        "application/x-7z-compressed",
+        "application/x-rar-compressed",
     ],
     maxFileSizeBytes: 100 * MB,
     timeoutMs: 30000,
@@ -1232,11 +820,11 @@ const ARCHIVES = definePolicy({
  * ```
  */
 const POLICY_PACKS = {
-    'documents-only': DOCUMENTS_ONLY,
-    'images-only': IMAGES_ONLY,
-    'strict-public-upload': STRICT_PUBLIC_UPLOAD,
-    'conservative-default': CONSERVATIVE_DEFAULT,
-    'archives': ARCHIVES,
+    "documents-only": DOCUMENTS_ONLY,
+    "images-only": IMAGES_ONLY,
+    "strict-public-upload": STRICT_PUBLIC_UPLOAD,
+    "conservative-default": CONSERVATIVE_DEFAULT,
+    archives: ARCHIVES,
 };
 /**
  * Look up a policy pack by name.
@@ -1245,1184 +833,1637 @@ const POLICY_PACKS = {
 function getPolicyPack(name) {
     const policy = POLICY_PACKS[name];
     if (!policy)
-        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(', ')}`);
+        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(", ")}`);
     return policy;
 }
 
-function mapMatchesToVerdict(matches = []) {
-    if (!matches.length)
-        return 'clean';
-    const malHints = ['trojan', 'ransom', 'worm', 'spy', 'rootkit', 'keylog', 'botnet'];
-    const tagSet = new Set(matches.flatMap(m => (m.tags ?? []).map(t => t.toLowerCase())));
-    const nameHit = (r) => malHints.some(h => r.toLowerCase().includes(h));
-    const isMal = matches.some(m => nameHit(m.rule)) || tagSet.has('malware') || tagSet.has('critical');
-    return isMal ? 'malicious' : 'suspicious';
+function hasAsciiToken(buf, token) {
+    // Use latin1 so we can safely search binary
+    return buf.indexOf(token, 0, "latin1") !== -1;
 }
-
-/** Decompilation-specific types for Pompelmi */
-const SUSPICIOUS_PATTERNS = [
-    {
-        name: 'syscall_direct',
-        description: 'Direct system call without library wrapper',
-        severity: 'medium',
-        pattern: /syscall|sysenter|int\s+0x80/i
-    },
-    {
-        name: 'process_injection',
-        description: 'Process injection techniques',
-        severity: 'high',
-        pattern: /CreateRemoteThread|WriteProcessMemory|VirtualAllocEx/i
-    },
-    {
-        name: 'anti_debug',
-        description: 'Anti-debugging techniques',
-        severity: 'medium',
-        pattern: /IsDebuggerPresent|CheckRemoteDebuggerPresent|OutputDebugString/i
-    },
-    {
-        name: 'obfuscation_xor',
-        description: 'XOR-based obfuscation pattern',
-        severity: 'medium',
-        pattern: /xor.*0x[0-9a-f]+.*xor/i
+function startsWith(buf, bytes) {
+    if (buf.length < bytes.length)
+        return false;
+    for (let i = 0; i < bytes.length; i++)
+        if (buf[i] !== bytes[i])
+            return false;
+    return true;
+}
+function isPDF(buf) {
+    // %PDF-
+    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
+}
+function isOleCfb(buf) {
+    // D0 CF 11 E0 A1 B1 1A E1
+    const sig = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1];
+    return startsWith(buf, sig);
+}
+function isZipLike$1(buf) {
+    // PK\x03\x04
+    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
+}
+function isPeExecutable(buf) {
+    // "MZ"
+    return startsWith(buf, [0x4d, 0x5a]);
+}
+/** OOXML macro hint via filename token in ZIP container */
+function hasOoxmlMacros(buf) {
+    if (!isZipLike$1(buf))
+        return false;
+    return hasAsciiToken(buf, "vbaProject.bin");
+}
+/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
+function pdfRiskTokens(buf) {
+    const tokens = ["/JavaScript", "/OpenAction", "/AA", "/Launch"];
+    return tokens.filter((t) => hasAsciiToken(buf, t));
+}
+const CommonHeuristicsScanner = {
+    async scan(input) {
+        const buf = Buffer.from(input);
+        const matches = [];
+        // Office macros (OLE / OOXML)
+        if (isOleCfb(buf)) {
+            matches.push({ rule: "office_ole_container", severity: "suspicious" });
+        }
+        if (hasOoxmlMacros(buf)) {
+            matches.push({ rule: "office_ooxml_macros", severity: "suspicious" });
+        }
+        // PDF risky tokens
+        if (isPDF(buf)) {
+            const toks = pdfRiskTokens(buf);
+            if (toks.length) {
+                matches.push({
+                    rule: "pdf_risky_actions",
+                    severity: "suspicious",
+                    meta: { tokens: toks },
+                });
+            }
+        }
+        // Executable header
+        if (isPeExecutable(buf)) {
+            matches.push({ rule: "pe_executable_signature", severity: "suspicious" });
+        }
+        // EICAR test file
+        const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
+        if (hasAsciiToken(buf, EICAR_NEEDLE)) {
+            matches.push({
+                rule: "eicar_test_file",
+                severity: "high",
+                meta: { note: "EICAR standard antivirus test file detected" },
+            });
+        }
+        return matches;
     },
-    {
-        name: 'crypto_constants',
-        description: 'Cryptographic constants',
-        severity: 'low',
-        pattern: /0x67452301|0xefcdab89|0x98badcfe|0x10325476/i
-    }
-];
+};
 
-/**
- * Batch scanning with concurrency control
- * @module utils/batch-scanner
- */
-/**
- * Batch file scanner with concurrency control and progress tracking
- */
-class BatchScanner {
-    constructor(options = {}) {
-        this.options = {
-            concurrency: 5,
-            continueOnError: true,
-            ...options,
-        };
-    }
-    /**
-     * Scan multiple files with controlled concurrency
-     */
-    async scanBatch(tasks) {
-        const startTime = Date.now();
-        const results = new Array(tasks.length);
-        const errors = [];
-        let successCount = 0;
-        let errorCount = 0;
-        let completedCount = 0;
-        const concurrency = this.options.concurrency ?? 5;
-        // Process tasks in chunks with controlled concurrency
-        const processingQueue = [];
-        let currentIndex = 0;
-        const processTask = async (index) => {
-            try {
-                const task = tasks[index];
-                const report = await scanBytes(task.content, {
-                    ...this.options,
-                    ctx: task.context,
-                });
-                results[index] = report;
-                successCount++;
-                completedCount++;
-                if (this.options.onProgress) {
-                    this.options.onProgress(completedCount, tasks.length, report);
+function toScanFn(s) {
+    return (typeof s === "function" ? s : s.scan);
+}
+/** Map a Match's severity field to a Verdict for stopOn comparison. */
+function matchToVerdict(m) {
+    const s = m.severity;
+    if (s === "critical" || s === "high" || s === "malicious")
+        return "malicious";
+    if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
+        return "suspicious";
+    return "clean";
+}
+/** Highest verdict across all matches in the list. */
+function highestSeverity(matches) {
+    if (matches.length === 0)
+        return null;
+    if (matches.some((m) => matchToVerdict(m) === "malicious"))
+        return "malicious";
+    if (matches.some((m) => matchToVerdict(m) === "suspicious"))
+        return "suspicious";
+    return "clean";
+}
+const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
+function shouldStop(matches, stopOn) {
+    if (!stopOn)
+        return false;
+    const highest = highestSeverity(matches);
+    if (!highest)
+        return false;
+    return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
+}
+async function runWithTimeout(fn, timeoutMs) {
+    if (!timeoutMs)
+        return fn();
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
+        fn().then((v) => {
+            clearTimeout(timer);
+            resolve(v);
+        }, (e) => {
+            clearTimeout(timer);
+            reject(e);
+        });
+    });
+}
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function composeScanners(...args) {
+    const first = args[0];
+    const rest = args.slice(1);
+    // ── Named-scanner array form ──────────────────────────────────────────────
+    if (Array.isArray(first) &&
+        (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
+        const entries = first;
+        const opts = rest.length > 0 &&
+            !Array.isArray(rest[0]) &&
+            typeof rest[0] !== "function" &&
+            !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
+            ? rest[0]
+            : {};
+        return async (input, ctx) => {
+            const all = [];
+            if (opts.parallel) {
+                // Parallel execution — collect all results then return
+                const results = await Promise.allSettled(entries.map(([_name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
+                for (let i = 0; i < results.length; i++) {
+                    const result = results[i];
+                    if (result.status === "fulfilled" && Array.isArray(result.value)) {
+                        const matches = opts.tagSourceName
+                            ? result.value.map((m) => ({
+                                ...m,
+                                meta: { ...m.meta, _sourceName: entries[i][0] },
+                            }))
+                            : result.value;
+                        all.push(...matches);
+                    }
                 }
             }
-            catch (error) {
-                errorCount++;
-                completedCount++;
-                const err = error instanceof Error ? error : new Error(String(error));
-                if (this.options.onError) {
-                    this.options.onError(err, index);
-                }
-                errors.push({ index, error: err });
-                if (!this.options.continueOnError) {
-                    throw err;
+            else {
+                // Sequential execution with optional stopOn short-circuit
+                for (const [name, scanner] of entries) {
+                    try {
+                        const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
+                        if (Array.isArray(out)) {
+                            const matches = opts.tagSourceName
+                                ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
+                                : out;
+                            all.push(...matches);
+                            if (shouldStop(all, opts.stopOn))
+                                break;
+                        }
+                    }
+                    catch {
+                        // individual scanner failure is non-fatal
+                    }
                 }
-                results[index] = null;
             }
+            return all;
         };
-        // Start initial batch of concurrent tasks
-        while (currentIndex < tasks.length) {
-            while (processingQueue.length < concurrency && currentIndex < tasks.length) {
-                const promise = processTask(currentIndex);
-                processingQueue.push(promise);
-                currentIndex++;
-                // Remove completed promises from queue
-                promise.finally(() => {
-                    const idx = processingQueue.indexOf(promise);
-                    if (idx > -1)
-                        processingQueue.splice(idx, 1);
-                });
+    }
+    // ── Variadic form (backward-compatible) ───────────────────────────────────
+    const scanners = [first, ...rest].filter(Boolean);
+    return async (input, ctx) => {
+        const all = [];
+        for (const s of scanners) {
+            try {
+                const out = await toScanFn(s)(input, ctx);
+                if (Array.isArray(out))
+                    all.push(...out);
             }
-            // Wait for at least one task to complete before continuing
-            if (processingQueue.length >= concurrency) {
-                await Promise.race(processingQueue);
+            catch {
+                // ignore individual scanner failures
             }
         }
-        // Wait for all remaining tasks
-        await Promise.all(processingQueue);
-        const totalDurationMs = Date.now() - startTime;
-        return {
-            reports: results,
-            successCount,
-            errorCount,
-            totalDurationMs,
-            errors,
-        };
+        return all;
+    };
+}
+function createPresetScanner(preset, opts = {}) {
+    const baseScanners = [CommonHeuristicsScanner];
+    const dynamicScannerPromises = [];
+    // Add decompilation scanners based on preset
+    if (preset === "decompilation-basic" ||
+        preset === "decompilation-deep" ||
+        preset === "malware-analysis" ||
+        opts.enableDecompilation) {
+        const depth = preset === "decompilation-deep" || preset === "malware-analysis"
+            ? "deep"
+            : preset === "decompilation-basic"
+                ? "basic"
+                : opts.decompilationDepth || "basic";
+        let importModule;
+        try {
+            // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
+            importModule = new Function("specifier", "return import(specifier)");
+        }
+        catch {
+            importModule = undefined;
+        }
+        if (importModule &&
+            (!opts.decompilationEngine ||
+                opts.decompilationEngine === "binaryninja-hlil" ||
+                opts.decompilationEngine === "both")) {
+            dynamicScannerPromises.push(importModule("@pompelmi/engine-binaryninja")
+                .then((mod) => mod.createBinaryNinjaScanner({
+                timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                depth,
+                pythonPath: opts.pythonPath,
+                binaryNinjaPath: opts.binaryNinjaPath,
+            }))
+                .catch(() => null));
+        }
+        if (importModule &&
+            (!opts.decompilationEngine ||
+                opts.decompilationEngine === "ghidra-pcode" ||
+                opts.decompilationEngine === "both")) {
+            dynamicScannerPromises.push(importModule("@pompelmi/engine-ghidra")
+                .then((mod) => mod.createGhidraScanner({
+                timeout: opts.decompilationTimeout || opts.timeout || 30000,
+                depth,
+                ghidraPath: opts.ghidraPath,
+                analyzeHeadless: opts.analyzeHeadless,
+            }))
+                .catch(() => null));
+        }
+    }
+    let composedScannerPromise;
+    const getComposedScanner = async () => {
+        composedScannerPromise ?? (composedScannerPromise = Promise.all(dynamicScannerPromises).then((dynamicScanners) => composeScanners(...baseScanners, ...dynamicScanners.filter((scanner) => scanner !== null))));
+        return composedScannerPromise;
+    };
+    return async (input, ctx) => {
+        const scanner = await getComposedScanner();
+        return scanner(input, ctx);
+    };
+}
+
+/**
+ * Advanced threat detection utilities
+ * @module utils/advanced-detection
+ */
+/**
+ * Enhanced polyglot file detection
+ * Detects files that can be interpreted as multiple formats
+ */
+function detectPolyglot(bytes) {
+    const matches = [];
+    // Check for PDF/ZIP polyglot
+    if (isPDFZipPolyglot(bytes)) {
+        matches.push({
+            rule: "polyglot_pdf_zip",
+            severity: "high",
+            meta: { description: "File can be interpreted as both PDF and ZIP" },
+        });
     }
-    /**
-     * Scan files from File objects (browser environment)
-     */
-    async scanFiles(files) {
-        const tasks = await Promise.all(files.map(async (file) => ({
-            content: new Uint8Array(await file.arrayBuffer()),
-            context: {
-                filename: file.name,
-                mimeType: file.type,
-                size: file.size,
-            },
-        })));
-        return this.scanBatch(tasks);
+    // Check for image/script polyglot
+    if (isImageScriptPolyglot(bytes)) {
+        matches.push({
+            rule: "polyglot_image_script",
+            severity: "high",
+            meta: { description: "Image file contains executable script content" },
+        });
     }
-    /**
-     * Scan files from file paths (Node.js environment)
-     */
-    async scanFilePaths(filePaths) {
-        const fs = await import('fs/promises');
-        const path = await import('path');
-        const tasks = await Promise.all(filePaths.map(async (filePath) => {
-            const [content, stats] = await Promise.all([
-                fs.readFile(filePath),
-                fs.stat(filePath),
-            ]);
-            return {
-                content: new Uint8Array(content),
-                context: {
-                    filename: path.basename(filePath),
-                    size: stats.size,
+    // Check for GIFAR (GIF/JAR polyglot)
+    if (isGIFAR(bytes)) {
+        matches.push({
+            rule: "polyglot_gifar",
+            severity: "critical",
+            meta: { description: "GIF file contains Java archive" },
+        });
+    }
+    return matches;
+}
+/**
+ * Detect obfuscated JavaScript/VBScript
+ */
+function detectObfuscatedScripts(bytes) {
+    const matches = [];
+    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
+    // Check for common obfuscation patterns
+    const obfuscationPatterns = [
+        /eval\s*\(\s*unescape\s*\(/gi,
+        /eval\s*\(\s*atob\s*\(/gi,
+        /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
+        /[a-z0-9]{100,}/gi, // Long encoded strings
+        /\\x[0-9a-f]{2}/gi, // Hex escapes
+    ];
+    for (const pattern of obfuscationPatterns) {
+        if (pattern.test(text)) {
+            matches.push({
+                rule: "obfuscated_script",
+                severity: "medium",
+                meta: {
+                    description: "Detected obfuscated script content",
+                    pattern: pattern.source,
                 },
-            };
-        }));
-        return this.scanBatch(tasks);
+            });
+            break;
+        }
     }
+    return matches;
 }
 /**
- * Quick helper for batch scanning with default options
+ * Enhanced nested archive detection with depth limits
  */
-async function batchScan(tasks, options) {
-    const scanner = new BatchScanner(options);
-    return scanner.scanBatch(tasks);
+function analyzeNestedArchives(bytes, maxDepth = 10) {
+    let depth = 0;
+    let currentBytes = bytes;
+    while (depth < maxDepth) {
+        if (isArchive(currentBytes)) {
+            depth++;
+            {
+                break;
+            }
+        }
+        else {
+            break;
+        }
+    }
+    return {
+        depth,
+        hasExcessiveNesting: depth >= 5,
+    };
+}
+// Helper functions
+function isPDFZipPolyglot(bytes) {
+    if (bytes.length < 8)
+        return false;
+    // Check for PDF signature
+    const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
+    // Check for ZIP signature anywhere in the file
+    let hasZIP = false;
+    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
+        if (bytes[i] === 0x50 &&
+            bytes[i + 1] === 0x4b &&
+            bytes[i + 2] === 0x03 &&
+            bytes[i + 3] === 0x04) {
+            hasZIP = true;
+            break;
+        }
+    }
+    return hasPDF && hasZIP;
+}
+function isImageScriptPolyglot(bytes) {
+    if (bytes.length < 100)
+        return false;
+    // Check for image signatures
+    const isImage = (bytes[0] === 0xff && bytes[1] === 0xd8) || // JPEG
+        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4e && bytes[3] === 0x47) || // PNG
+        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46); // GIF
+    if (!isImage)
+        return false;
+    // Check for script content
+    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes);
+    return /<script|javascript:|eval\(|function\s*\(/i.test(text);
+}
+function isGIFAR(bytes) {
+    if (bytes.length < 100)
+        return false;
+    // Check for GIF signature
+    const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
+    // Check for ZIP/JAR signature
+    let hasZIP = false;
+    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
+        if (bytes[i] === 0x50 &&
+            bytes[i + 1] === 0x4b &&
+            bytes[i + 2] === 0x03 &&
+            bytes[i + 3] === 0x04) {
+            hasZIP = true;
+            break;
+        }
+    }
+    return isGIF && hasZIP;
+}
+function isArchive(bytes) {
+    if (bytes.length < 4)
+        return false;
+    return (
+    // ZIP
+    (bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04) ||
+        // RAR
+        (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
+        // 7z
+        (bytes[0] === 0x37 && bytes[1] === 0x7a && bytes[2] === 0xbc && bytes[3] === 0xaf) ||
+        // tar.gz
+        (bytes[0] === 0x1f && bytes[1] === 0x8b));
 }
 
 /**
- * Threat intelligence integration and enhanced detection
- * @module utils/threat-intelligence
+ * Cache management system for scan results
+ * @module utils/cache-manager
  */
 /**
- * Built-in threat intelligence - known malware hashes
- * In production, this would connect to real threat intel APIs
+ * LRU cache for scan results with TTL support
  */
-class LocalThreatIntelligence {
-    constructor() {
-        this.name = 'Local Database';
-        this.knownThreats = new Map();
-        // Initialize with some example known threats (in production, load from database)
-        this.initializeKnownThreats();
-    }
-    initializeKnownThreats() {
-        // Example: EICAR test file hash
-        this.knownThreats.set('275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f', {
-            threatLevel: 100,
-            category: 'test-malware',
-            source: 'local',
-            metadata: { name: 'EICAR Test File' },
-        });
+class ScanCacheManager {
+    constructor(options = {}) {
+        this.cache = new Map();
+        // Statistics
+        this.stats = {
+            hits: 0,
+            misses: 0,
+            evictions: 0,
+        };
+        this.maxSize = options.maxSize ?? 1000;
+        this.ttl = options.ttl ?? 3600000; // 1 hour default
+        this.enableLRU = options.enableLRU ?? true;
+        this.enableStats = options.enableStats ?? false;
     }
-    async checkHash(hash) {
-        return this.knownThreats.get(hash.toLowerCase()) || null;
+    /**
+     * Generate cache key from file content
+     */
+    generateKey(content, preset) {
+        const hash = createHash("sha256")
+            .update(content)
+            .update(preset || "default")
+            .digest("hex");
+        return hash;
     }
     /**
-     * Add a known threat to the local database
+     * Check if cache entry is still valid
      */
-    addThreat(hash, info) {
-        this.knownThreats.set(hash.toLowerCase(), info);
+    isValid(entry) {
+        return Date.now() - entry.timestamp < this.ttl;
     }
     /**
-     * Remove a threat from the local database
+     * Evict oldest or least-used entry when cache is full
      */
-    removeThreat(hash) {
-        return this.knownThreats.delete(hash.toLowerCase());
+    evict() {
+        if (this.cache.size === 0)
+            return;
+        let targetKey = null;
+        let oldestTime = Infinity;
+        let lowestAccess = Infinity;
+        for (const [key, entry] of this.cache.entries()) {
+            if (this.enableLRU) {
+                // LRU: evict least recently used
+                if (entry.timestamp < oldestTime) {
+                    oldestTime = entry.timestamp;
+                    targetKey = key;
+                }
+            }
+            else {
+                // LFU: evict least frequently used
+                if (entry.accessCount < lowestAccess) {
+                    lowestAccess = entry.accessCount;
+                    targetKey = key;
+                }
+            }
+        }
+        if (targetKey) {
+            this.cache.delete(targetKey);
+            if (this.enableStats)
+                this.stats.evictions++;
+        }
     }
     /**
-     * Get all known threats
+     * Store scan result in cache
      */
-    getAllThreats() {
-        return new Map(this.knownThreats);
+    set(content, report, preset) {
+        const key = this.generateKey(content, preset);
+        // Evict if necessary
+        if (this.cache.size >= this.maxSize) {
+            this.evict();
+        }
+        this.cache.set(key, {
+            report,
+            timestamp: Date.now(),
+            accessCount: 0,
+        });
     }
-}
-/**
- * Threat intelligence aggregator
- */
-class ThreatIntelligenceAggregator {
-    constructor(sources) {
-        this.sources = [];
-        if (sources) {
-            this.sources = sources;
+    /**
+     * Retrieve scan result from cache
+     */
+    get(content, preset) {
+        const key = this.generateKey(content, preset);
+        const entry = this.cache.get(key);
+        if (!entry) {
+            if (this.enableStats)
+                this.stats.misses++;
+            return null;
         }
-        else {
-            // Default to local intelligence
-            this.sources = [new LocalThreatIntelligence()];
+        if (!this.isValid(entry)) {
+            this.cache.delete(key);
+            if (this.enableStats)
+                this.stats.misses++;
+            return null;
         }
+        // Update access tracking
+        entry.accessCount++;
+        entry.timestamp = Date.now(); // Update for LRU
+        if (this.enableStats)
+            this.stats.hits++;
+        return entry.report;
     }
     /**
-     * Add a threat intelligence source
+     * Check if result exists in cache
      */
-    addSource(source) {
-        this.sources.push(source);
+    has(content, preset) {
+        const key = this.generateKey(content, preset);
+        const entry = this.cache.get(key);
+        return entry !== undefined && this.isValid(entry);
     }
     /**
-     * Check file hash against all sources
+     * Clear entire cache
      */
-    async checkHash(hash) {
-        const results = await Promise.allSettled(this.sources.map(source => source.checkHash(hash)));
-        const threats = [];
-        for (const result of results) {
-            if (result.status === 'fulfilled' && result.value) {
-                threats.push(result.value);
+    clear() {
+        this.cache.clear();
+        if (this.enableStats) {
+            this.stats.hits = 0;
+            this.stats.misses = 0;
+            this.stats.evictions = 0;
+        }
+    }
+    /**
+     * Remove expired entries
+     */
+    prune() {
+        let removed = 0;
+        for (const [key, entry] of this.cache.entries()) {
+            if (!this.isValid(entry)) {
+                this.cache.delete(key);
+                removed++;
             }
         }
-        return threats;
+        return removed;
     }
     /**
-     * Enhance scan report with threat intelligence
+     * Get cache statistics
      */
-    async enhanceScanReport(content, report) {
-        // Calculate file hash
-        const hash = createHash('sha256').update(content).digest('hex');
-        // Check threat intelligence
-        const threatIntel = await this.checkHash(hash);
-        // Calculate risk score
-        const riskScore = this.calculateRiskScore(report, threatIntel);
+    getStats() {
+        const total = this.stats.hits + this.stats.misses;
+        const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
         return {
-            ...report,
-            fileHash: hash,
-            threatIntel: threatIntel.length > 0 ? threatIntel : undefined,
-            riskScore,
+            hits: this.stats.hits,
+            misses: this.stats.misses,
+            size: this.cache.size,
+            hitRate,
+            evictions: this.stats.evictions,
         };
     }
     /**
-     * Calculate overall risk score based on scan results and threat intel
+     * Get current cache size
      */
-    calculateRiskScore(report, threats) {
-        let score = 0;
-        // Base score from verdict
-        switch (report.verdict) {
-            case 'malicious':
-                score += 70;
-                break;
-            case 'suspicious':
-                score += 40;
-                break;
-            case 'clean':
-                score += 0;
-                break;
-        }
-        // Add points for number of matches
-        score += Math.min(report.matches.length * 5, 20);
-        // Add points from threat intelligence
-        if (threats.length > 0) {
-            const maxThreat = Math.max(...threats.map(t => t.threatLevel));
-            score = Math.max(score, maxThreat);
-        }
-        return Math.min(score, 100);
+    get size() {
+        return this.cache.size;
     }
 }
+// Export singleton instance for convenience
+let defaultCache = null;
 /**
- * Create default threat intelligence aggregator
+ * Get or create the default cache instance
  */
-function createThreatIntelligence() {
-    return new ThreatIntelligenceAggregator();
+function getDefaultCache(options) {
+    if (!defaultCache) {
+        defaultCache = new ScanCacheManager(options);
+    }
+    return defaultCache;
 }
 /**
- * Helper to get file hash
+ * Reset the default cache instance
  */
-function getFileHash(content) {
-    return createHash('sha256').update(content).digest('hex');
+function resetDefaultCache() {
+    defaultCache = null;
 }
 
 /**
- * Export utilities for scan results
- * @module utils/export
- */
-/**
- * Export scan results to various formats
- */
-class ScanResultExporter {
-    /**
-     * Export to JSON format
-     */
-    toJSON(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        if (!options.includeDetails) {
-            // Simplified output
-            const simplified = data.map(r => ({
-                verdict: r.verdict,
-                file: r.file?.name,
-                matches: r.matches.length,
-                durationMs: r.durationMs,
-            }));
-            return options.prettyPrint
-                ? JSON.stringify(simplified, null, 2)
-                : JSON.stringify(simplified);
-        }
-        return options.prettyPrint
-            ? JSON.stringify(data, null, 2)
-            : JSON.stringify(data);
-    }
-    /**
-     * Export to CSV format
-     */
-    toCSV(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const headers = [
-            'filename',
-            'verdict',
-            'matches_count',
-            'file_size',
-            'mime_type',
-            'duration_ms',
-            'engine',
-        ];
-        if (options.includeDetails) {
-            headers.push('reasons', 'match_rules');
-        }
-        const rows = data.map(report => {
-            const row = [
-                this.escapeCsv(report.file?.name || 'unknown'),
-                report.verdict,
-                report.matches.length.toString(),
-                (report.file?.size || 0).toString(),
-                this.escapeCsv(report.file?.mimeType || 'unknown'),
-                (report.durationMs || 0).toString(),
-                report.engine || 'unknown',
-            ];
-            if (options.includeDetails) {
-                row.push(this.escapeCsv((report.reasons || []).join('; ')), this.escapeCsv(report.matches.map(m => m.rule).join('; ')));
-            }
-            return row.join(',');
-        });
-        return [headers.join(','), ...rows].join('\n');
-    }
-    /**
-     * Export to Markdown format
-     */
-    toMarkdown(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        let md = '# Scan Results\n\n';
-        md += `**Total Scans:** ${data.length}\n\n`;
-        const clean = data.filter(r => r.verdict === 'clean').length;
-        const suspicious = data.filter(r => r.verdict === 'suspicious').length;
-        const malicious = data.filter(r => r.verdict === 'malicious').length;
-        md += '## Summary\n\n';
-        md += `- ✅ Clean: ${clean}\n`;
-        md += `- ⚠️ Suspicious: ${suspicious}\n`;
-        md += `- ❌ Malicious: ${malicious}\n\n`;
-        md += '## Detailed Results\n\n';
-        for (const report of data) {
-            const icon = report.verdict === 'clean' ? '✅' : report.verdict === 'suspicious' ? '⚠️' : '❌';
-            md += `### ${icon} ${report.file?.name || 'Unknown'}\n\n`;
-            md += `- **Verdict:** ${report.verdict}\n`;
-            md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
-            md += `- **MIME Type:** ${report.file?.mimeType || 'unknown'}\n`;
-            md += `- **Duration:** ${report.durationMs || 0}ms\n`;
-            md += `- **Matches:** ${report.matches.length}\n`;
-            if (options.includeDetails && report.matches.length > 0) {
-                md += '\n**Match Details:**\n';
-                for (const match of report.matches) {
-                    md += `- ${match.rule}`;
-                    if (match.tags && match.tags.length > 0) {
-                        md += ` (${match.tags.join(', ')})`;
-                    }
-                    md += '\n';
-                }
-            }
-            md += '\n';
-        }
-        return md;
+ * Performance monitoring utilities for pompelmi scans
+ * @module utils/performance-metrics
+ */
+/**
+ * Track performance metrics for a scan operation
+ */
+class PerformanceTracker {
+    constructor() {
+        this.checkpoints = new Map();
+        this.startTime = Date.now();
     }
     /**
-     * Export to SARIF format (Static Analysis Results Interchange Format)
-     * Useful for CI/CD integration
+     * Mark a checkpoint in the scan process
      */
-    toSARIF(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const results = data.flatMap(report => {
-            if (report.verdict === 'clean')
-                return [];
-            return report.matches.map(match => ({
-                ruleId: match.rule,
-                level: report.verdict === 'malicious' ? 'error' : 'warning',
-                message: {
-                    text: `${match.rule} detected in ${report.file?.name || 'unknown file'}`,
-                },
-                locations: [
-                    {
-                        physicalLocation: {
-                            artifactLocation: {
-                                uri: report.file?.name || 'unknown',
-                            },
-                        },
-                    },
-                ],
-                properties: {
-                    tags: match.tags,
-                    metadata: match.meta,
-                },
-            }));
-        });
-        const sarif = {
-            version: '2.1.0',
-            $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-            runs: [
-                {
-                    tool: {
-                        driver: {
-                            name: 'Pompelmi',
-                            version: '0.29.0',
-                            informationUri: 'https://pompelmi.github.io/pompelmi/',
-                        },
-                    },
-                    results,
-                },
-            ],
-        };
-        return options.prettyPrint
-            ? JSON.stringify(sarif, null, 2)
-            : JSON.stringify(sarif);
+    checkpoint(name) {
+        this.checkpoints.set(name, Date.now());
     }
     /**
-     * Export to HTML format
+     * Get duration since start or since a specific checkpoint
      */
-    toHTML(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const clean = data.filter(r => r.verdict === 'clean').length;
-        const suspicious = data.filter(r => r.verdict === 'suspicious').length;
-        const malicious = data.filter(r => r.verdict === 'malicious').length;
-        let html = `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Pompelmi Scan Results</title>
-  <style>
-    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
-    .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
-    .card { padding: 20px; border-radius: 8px; text-align: center; }
-    .clean { background: #d4edda; color: #155724; }
-    .suspicious { background: #fff3cd; color: #856404; }
-    .malicious { background: #f8d7da; color: #721c24; }
-    .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
-    .result h3 { margin-top: 0; }
-    .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
-    table { width: 100%; border-collapse: collapse; }
-    th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
-  </style>
-</head>
-<body>
-  <h1>🛡️ Pompelmi Scan Results</h1>
-  <div class="summary">
-    <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
-    <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
-    <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
-  </div>
-  <h2>Detailed Results</h2>`;
-        for (const report of data) {
-            const statusClass = report.verdict;
-            html += `<div class="result ${statusClass}">`;
-            html += `<h3>${this.escapeHtml(report.file?.name || 'Unknown')}</h3>`;
-            html += `<table>`;
-            html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
-            html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
-            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || 'unknown')}</td></tr>`;
-            html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
-            html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
-            html += `</table>`;
-            if (options.includeDetails && report.matches.length > 0) {
-                html += `<h4>Match Details:</h4><ul>`;
-                for (const match of report.matches) {
-                    html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
-                    if (match.tags && match.tags.length > 0) {
-                        html += ` ${match.tags.map(tag => `<span class="badge">${this.escapeHtml(tag)}</span>`).join('')}`;
-                    }
-                    html += `</li>`;
-                }
-                html += `</ul>`;
-            }
-            html += `</div>`;
+    getDuration(since) {
+        const now = Date.now();
+        if (since && this.checkpoints.has(since)) {
+            return now - (this.checkpoints.get(since) ?? now);
         }
-        html += `</body></html>`;
-        return html;
+        return now - this.startTime;
     }
     /**
-     * Export to specified format
+     * Generate final metrics report
      */
-    export(reports, format, options = {}) {
-        switch (format) {
-            case 'json':
-                return this.toJSON(reports, options);
-            case 'csv':
-                return this.toCSV(reports, options);
-            case 'markdown':
-                return this.toMarkdown(reports, options);
-            case 'html':
-                return this.toHTML(reports, options);
-            case 'sarif':
-                return this.toSARIF(reports, options);
-            default:
-                throw new Error(`Unsupported export format: ${format}`);
+    getMetrics(bytesScanned) {
+        const totalDuration = this.getDuration();
+        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
+        return {
+            totalDurationMs: totalDuration,
+            heuristicsDurationMs: this.checkpoints.has("heuristics_end")
+                ? (this.checkpoints.get("heuristics_end") ?? 0) -
+                    (this.checkpoints.get("heuristics_start") ?? 0)
+                : undefined,
+            yaraDurationMs: this.checkpoints.has("yara_end")
+                ? (this.checkpoints.get("yara_end") ?? 0) - (this.checkpoints.get("yara_start") ?? 0)
+                : undefined,
+            prepDurationMs: this.checkpoints.has("prep_end")
+                ? (this.checkpoints.get("prep_end") ?? 0) - this.startTime
+                : undefined,
+            throughputBps: throughput,
+            bytesScanned,
+            startedAt: this.startTime,
+            completedAt: Date.now(),
+        };
+    }
+}
+/**
+ * Aggregate statistics from multiple scan reports
+ */
+function aggregateScanStats(reports) {
+    let cleanCount = 0;
+    let suspiciousCount = 0;
+    let maliciousCount = 0;
+    let totalDuration = 0;
+    let totalBytes = 0;
+    let validDurationCount = 0;
+    for (const report of reports) {
+        if (report.verdict === "clean")
+            cleanCount++;
+        else if (report.verdict === "suspicious")
+            suspiciousCount++;
+        else if (report.verdict === "malicious")
+            maliciousCount++;
+        if (report.durationMs !== undefined) {
+            totalDuration += report.durationMs;
+            validDurationCount++;
+        }
+        if (report.file?.size !== undefined) {
+            totalBytes += report.file.size;
         }
     }
-    escapeCsv(value) {
-        if (value.includes(',') || value.includes('"') || value.includes('\n')) {
-            return `"${value.replace(/"/g, '""')}"`;
+    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
+    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
+    return {
+        totalScans: reports.length,
+        cleanCount,
+        suspiciousCount,
+        maliciousCount,
+        avgDurationMs: avgDuration,
+        avgThroughputBps: avgThroughput,
+        totalBytesScanned: totalBytes,
+    };
+}
+
+/** Mappa veloce estensione -> mime (basic) */
+function guessMimeByExt(name) {
+    if (!name)
+        return;
+    const ext = name.toLowerCase().split(".").pop();
+    switch (ext) {
+        case "zip":
+            return "application/zip";
+        case "png":
+            return "image/png";
+        case "jpg":
+        case "jpeg":
+            return "image/jpeg";
+        case "pdf":
+            return "application/pdf";
+        case "txt":
+            return "text/plain";
+        default:
+            return;
+    }
+}
+/** Heuristica semplice per verdetto */
+function computeVerdict(matches) {
+    if (!matches.length)
+        return "clean";
+    // se la regola contiene 'zip_' lo marchiamo "suspicious"
+    const anyHigh = matches.some((m) => (m.tags ?? []).includes("critical") || (m.tags ?? []).includes("high"));
+    return anyHigh ? "malicious" : "suspicious";
+}
+/** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
+function toYaraMatches(ms) {
+    return ms.map((m) => ({
+        rule: m.rule,
+        namespace: "heuristics",
+        tags: ["heuristics"].concat(m.severity ? [m.severity] : []),
+        meta: m.meta,
+    }));
+}
+/** Scan di bytes (browser/node) usando preset (default: zip-basic) */
+async function scanBytes(input, opts = {}) {
+    // Check cache first if enabled
+    if (opts.enableCache || opts.config?.performance?.enableCache) {
+        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
+        const cached = cache.get(input, opts.preset);
+        if (cached) {
+            return cached;
         }
-        return value;
     }
-    escapeHtml(value) {
-        return value
-            .replace(/&/g, '&amp;')
-            .replace(/</g, '&lt;')
-            .replace(/>/g, '&gt;')
-            .replace(/"/g, '&quot;')
-            .replace(/'/g, '&#039;');
+    const perfTracker = opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking
+        ? new PerformanceTracker()
+        : null;
+    perfTracker?.checkpoint("prep_start");
+    const preset = opts.preset ?? opts.config?.defaultPreset ?? "zip-basic";
+    const ctx = {
+        ...opts.ctx,
+        mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
+        size: opts.ctx?.size ?? input.byteLength,
+    };
+    perfTracker?.checkpoint("prep_end");
+    perfTracker?.checkpoint("heuristics_start");
+    const scanFn = createPresetScanner(preset);
+    const matchesH = await (typeof scanFn === "function"
+        ? scanFn
+        : scanFn.scan)(input, ctx);
+    const allMatches = [...matchesH];
+    perfTracker?.checkpoint("heuristics_end");
+    // Advanced detection (enabled by default, can be overridden by config)
+    const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
+    if (advancedEnabled) {
+        perfTracker?.checkpoint("advanced_start");
+        // Detect polyglot files
+        if (opts.config?.advanced?.enablePolyglotDetection !== false) {
+            const polyglotMatches = detectPolyglot(input);
+            allMatches.push(...polyglotMatches);
+        }
+        // Detect obfuscated scripts
+        if (opts.config?.advanced?.enableObfuscationDetection !== false) {
+            const obfuscatedMatches = detectObfuscatedScripts(input);
+            allMatches.push(...obfuscatedMatches);
+        }
+        // Check for excessive nesting in archives
+        if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
+            const nestingAnalysis = analyzeNestedArchives(input);
+            const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
+            if (nestingAnalysis.hasExcessiveNesting || nestingAnalysis.depth > maxDepth) {
+                allMatches.push({
+                    rule: "excessive_archive_nesting",
+                    severity: "high",
+                    meta: {
+                        description: "Excessive archive nesting detected",
+                        depth: nestingAnalysis.depth,
+                        maxAllowed: maxDepth,
+                    },
+                });
+            }
+        }
+        perfTracker?.checkpoint("advanced_end");
     }
-    formatBytes(bytes) {
-        if (bytes === 0)
-            return '0 Bytes';
-        const k = 1024;
-        const sizes = ['Bytes', 'KB', 'MB', 'GB'];
-        const i = Math.floor(Math.log(bytes) / Math.log(k));
-        return Math.round(bytes / Math.pow(k, i) * 100) / 100 + ' ' + sizes[i];
+    const matches = toYaraMatches(allMatches);
+    const verdict = computeVerdict(matches);
+    perfTracker ? perfTracker.getDuration() : Date.now();
+    const durationMs = perfTracker ? perfTracker.getDuration() : 0;
+    const report = {
+        ok: verdict === "clean",
+        verdict,
+        matches,
+        reasons: matches.map((m) => m.rule),
+        file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
+        durationMs,
+        engine: "heuristics",
+        truncated: false,
+        timedOut: false,
+    };
+    // Add performance metrics if tracking enabled
+    if (perfTracker &&
+        (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
+        report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
+    }
+    // Cache result if enabled
+    if (opts.enableCache || opts.config?.performance?.enableCache) {
+        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
+        cache.set(input, report, opts.preset);
+    }
+    // Invoke callbacks if configured
+    opts.config?.callbacks?.onScanComplete?.(report);
+    return report;
+}
+/** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
+async function scanFile(filePath, opts = {}) {
+    const [{ readFile, stat }, path] = await Promise.all([import('fs/promises'), import('path')]);
+    const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
+    const ctx = {
+        filename: path.basename(filePath),
+        mimeType: guessMimeByExt(filePath),
+        size: st.size,
+    };
+    return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
+}
+/** Scan multipli File (browser) usando scanBytes + preset di default */
+async function scanFiles(files, opts = {}) {
+    const list = Array.from(files);
+    const out = [];
+    for (const f of list) {
+        const buf = new Uint8Array(await f.arrayBuffer());
+        const rep = await scanBytes(buf, {
+            ...opts,
+            ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
+        });
+        out.push(rep);
     }
+    return out;
 }
-/**
- * Quick export helper
- */
-function exportScanResults(reports, format, options) {
-    const exporter = new ScanResultExporter();
-    return exporter.export(reports, format, options);
+
+async function createRemoteEngine(opts) {
+    const { endpoint, headers = {}, rulesField = "rules", fileField = "file", mode = "multipart", rulesAsBase64 = false, } = opts;
+    const engine = {
+        async compile(rulesSource) {
+            return {
+                async scan(data) {
+                    const fetchFn = globalThis.fetch;
+                    if (!fetchFn)
+                        throw new Error("[remote-yara] fetch non disponibile in questo ambiente");
+                    let res;
+                    if (mode === "multipart") {
+                        const FormDataCtor = globalThis.FormData;
+                        const BlobCtor = globalThis.Blob;
+                        if (!FormDataCtor || !BlobCtor) {
+                            throw new Error("[remote-yara] FormData/Blob non disponibili (usa json-base64 oppure esegui in browser)");
+                        }
+                        const form = new FormDataCtor();
+                        form.set(rulesField, new BlobCtor([rulesSource], { type: "text/plain" }), "rules.yar");
+                        form.set(fileField, new BlobCtor([data], { type: "application/octet-stream" }), "sample.bin");
+                        res = await fetchFn(endpoint, { method: "POST", body: form, headers });
+                    }
+                    else {
+                        const b64 = base64FromBytes(data);
+                        const payload = { [fileField]: b64 };
+                        if (rulesAsBase64) {
+                            payload["rulesB64"] = base64FromString(rulesSource);
+                        }
+                        else {
+                            payload[rulesField] = rulesSource;
+                        }
+                        res = await fetchFn(endpoint, {
+                            method: "POST",
+                            headers: { "Content-Type": "application/json", ...headers },
+                            body: JSON.stringify(payload),
+                        });
+                    }
+                    if (!res.ok) {
+                        throw new Error(`[remote-yara] HTTP ${res.status} ${res.statusText}`);
+                    }
+                    const json = await res.json().catch(() => null);
+                    const arr = Array.isArray(json) ? json : (json?.matches ?? []);
+                    return (arr ?? []).map((m) => ({
+                        rule: m.rule ?? m.ruleIdentifier ?? "unknown",
+                        tags: m.tags ?? [],
+                    }));
+                },
+            };
+        },
+    };
+    return engine;
+}
+// Helpers
+function base64FromBytes(bytes) {
+    // usa btoa se disponibile (browser); altrimenti fallback manuale
+    const btoaFn = globalThis.btoa;
+    let bin = "";
+    for (let i = 0; i < bytes.byteLength; i++)
+        bin += String.fromCharCode(bytes[i]);
+    return btoaFn ? btoaFn(bin) : Buffer.from(bin, "binary").toString("base64");
+}
+function base64FromString(s) {
+    const btoaFn = globalThis.btoa;
+    return btoaFn ? btoaFn(s) : Buffer.from(s, "utf8").toString("base64");
 }
 
+// src/scan/remote.ts
 /**
- * Advanced configuration system for pompelmi
- * @module config
- */
-/**
- * Default configuration
+ * Scansiona una lista di File nel browser usando il motore remoto via HTTP.
+ * Non richiede WASM né dipendenze native sul client.
  */
-const DEFAULT_CONFIG = {
-    defaultPreset: 'zip-basic',
-    performance: {
-        enableCache: false,
-        enablePerformanceTracking: false,
-        enableParallel: true,
-        maxConcurrency: 5,
-        cacheOptions: {
-            maxSize: 1000,
-            ttl: 3600000, // 1 hour
-            enableLRU: true,
-            enableStats: false,
-        },
-    },
-    security: {
-        maxFileSize: 100 * 1024 * 1024, // 100MB
-        enableThreatIntel: false,
-        scanTimeout: 30000, // 30 seconds
-        strictMode: false,
-    },
-    advanced: {
-        enablePolyglotDetection: true,
-        enableObfuscationDetection: true,
-        enableNestedArchiveAnalysis: true,
-        maxArchiveDepth: 5,
-    },
-    logging: {
-        verbose: false,
-        level: 'info',
-        enableStats: false,
-    },
+async function scanFilesWithRemoteYara(files, rulesSource, remote) {
+    const engine = await createRemoteEngine(remote);
+    const compiled = await engine.compile(rulesSource);
+    const results = [];
+    for (const file of files) {
+        try {
+            const bytes = new Uint8Array(await file.arrayBuffer());
+            const matches = await compiled.scan(bytes);
+            results.push({ file, matches });
+        }
+        catch (err) {
+            console.warn("[remote-yara] scan error for", file.name, err);
+            results.push({ file, matches: [], error: String(err?.message ?? err) });
+        }
+    }
+    return results;
+}
+
+const SIG_CEN = 0x02014b50;
+const DEFAULTS = {
+    maxEntries: 1000,
+    maxTotalUncompressedBytes: 500 * 1024 * 1024,
+    maxEntryNameLength: 255,
+    maxCompressionRatio: 1000,
+    eocdSearchWindow: 70000,
 };
-/**
- * Configuration presets for common use cases
- */
-const CONFIG_PRESETS = {
-    /** Fast scanning with minimal features */
-    fast: {
-        defaultPreset: 'basic',
-        performance: {
-            enableCache: true,
-            enablePerformanceTracking: false,
-            maxConcurrency: 10,
-        },
-        advanced: {
-            enablePolyglotDetection: false,
-            enableObfuscationDetection: false,
-            enableNestedArchiveAnalysis: false,
-        },
-    },
-    /** Balanced scanning (recommended) */
-    balanced: DEFAULT_CONFIG,
-    /** Thorough scanning with all features */
-    thorough: {
-        defaultPreset: 'advanced',
-        performance: {
-            enableCache: true,
-            enablePerformanceTracking: true,
-            maxConcurrency: 3,
-        },
-        security: {
-            maxFileSize: 500 * 1024 * 1024, // 500MB
-            enableThreatIntel: true,
-            scanTimeout: 60000, // 60 seconds
-            strictMode: true,
-        },
-        advanced: {
-            enablePolyglotDetection: true,
-            enableObfuscationDetection: true,
-            enableNestedArchiveAnalysis: true,
-            maxArchiveDepth: 10,
-        },
-        logging: {
-            verbose: true,
-            level: 'debug',
-            enableStats: true,
+function r16(buf, off) {
+    return buf.readUInt16LE(off);
+}
+function r32(buf, off) {
+    return buf.readUInt32LE(off);
+}
+function isZipLike(buf) {
+    // local file header at start is common
+    return (buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04);
+}
+function lastIndexOfEOCD(buf, window) {
+    const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
+    const start = Math.max(0, buf.length - window);
+    const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
+    return idx >= start ? idx : -1;
+}
+function hasTraversal(name) {
+    return (name.includes("../") || name.includes("..\\") || name.startsWith("/") || /^[A-Za-z]:/.test(name));
+}
+function createZipBombGuard(opts = {}) {
+    const cfg = { ...DEFAULTS, ...opts };
+    return {
+        async scan(input) {
+            const buf = Buffer.from(input);
+            const matches = [];
+            if (!isZipLike(buf))
+                return matches;
+            // Find EOCD near the end
+            const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
+            if (eocdPos < 0 || eocdPos + 22 > buf.length) {
+                // ZIP but no EOCD — malformed or polyglot → suspicious
+                matches.push({ rule: "zip_eocd_not_found", severity: "medium" });
+                return matches;
+            }
+            const totalEntries = r16(buf, eocdPos + 10);
+            const cdSize = r32(buf, eocdPos + 12);
+            const cdOffset = r32(buf, eocdPos + 16);
+            // Bounds check
+            if (cdOffset + cdSize > buf.length) {
+                matches.push({ rule: "zip_cd_out_of_bounds", severity: "medium" });
+                return matches;
+            }
+            // Iterate central directory entries
+            let ptr = cdOffset;
+            let seen = 0;
+            let sumComp = 0;
+            let sumUnc = 0;
+            while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
+                const sig = r32(buf, ptr);
+                if (sig !== SIG_CEN)
+                    break; // stop if structure breaks
+                const compSize = r32(buf, ptr + 20);
+                const uncSize = r32(buf, ptr + 24);
+                const fnLen = r16(buf, ptr + 28);
+                const exLen = r16(buf, ptr + 30);
+                const cmLen = r16(buf, ptr + 32);
+                const nameStart = ptr + 46;
+                const nameEnd = nameStart + fnLen;
+                if (nameEnd > buf.length)
+                    break;
+                const name = buf.toString("utf8", nameStart, nameEnd);
+                sumComp += compSize;
+                sumUnc += uncSize;
+                seen++;
+                if (name.length > cfg.maxEntryNameLength) {
+                    matches.push({
+                        rule: "zip_entry_name_too_long",
+                        severity: "medium",
+                        meta: { name, length: name.length },
+                    });
+                }
+                if (hasTraversal(name)) {
+                    matches.push({ rule: "zip_path_traversal_entry", severity: "medium", meta: { name } });
+                }
+                // move to next entry
+                ptr = nameEnd + exLen + cmLen;
+            }
+            if (seen !== totalEntries) {
+                // central dir truncated/odd, still report what we found
+                matches.push({
+                    rule: "zip_cd_truncated",
+                    severity: "medium",
+                    meta: { seen, totalEntries },
+                });
+            }
+            // Heuristics thresholds
+            if (seen > cfg.maxEntries) {
+                matches.push({
+                    rule: "zip_too_many_entries",
+                    severity: "medium",
+                    meta: { seen, limit: cfg.maxEntries },
+                });
+            }
+            if (sumUnc > cfg.maxTotalUncompressedBytes) {
+                matches.push({
+                    rule: "zip_total_uncompressed_too_large",
+                    severity: "medium",
+                    meta: { totalUncompressed: sumUnc, limit: cfg.maxTotalUncompressedBytes },
+                });
+            }
+            if (sumComp === 0 && sumUnc > 0) {
+                matches.push({
+                    rule: "zip_suspicious_ratio",
+                    severity: "medium",
+                    meta: { ratio: Infinity },
+                });
+            }
+            else if (sumComp > 0) {
+                const ratio = sumUnc / Math.max(1, sumComp);
+                if (ratio >= cfg.maxCompressionRatio) {
+                    matches.push({
+                        rule: "zip_suspicious_ratio",
+                        severity: "medium",
+                        meta: { ratio, limit: cfg.maxCompressionRatio },
+                    });
+                }
+            }
+            return matches;
         },
+    };
+}
+
+/** Decompilation-specific types for Pompelmi */
+const SUSPICIOUS_PATTERNS = [
+    {
+        name: "syscall_direct",
+        description: "Direct system call without library wrapper",
+        severity: "medium",
+        pattern: /syscall|sysenter|int\s+0x80/i,
     },
-    /** Production-ready configuration */
-    production: {
-        defaultPreset: 'advanced',
-        performance: {
-            enableCache: true,
-            enablePerformanceTracking: true,
-            maxConcurrency: 5,
-            cacheOptions: {
-                maxSize: 5000,
-                ttl: 7200000, // 2 hours
-                enableLRU: true,
-                enableStats: true,
-            },
-        },
-        security: {
-            maxFileSize: 200 * 1024 * 1024, // 200MB
-            enableThreatIntel: true,
-            scanTimeout: 45000,
-            strictMode: false,
-        },
-        advanced: {
-            enablePolyglotDetection: true,
-            enableObfuscationDetection: true,
-            enableNestedArchiveAnalysis: true,
-            maxArchiveDepth: 7,
-        },
-        logging: {
-            verbose: false,
-            level: 'warn',
-            enableStats: true,
-        },
+    {
+        name: "process_injection",
+        description: "Process injection techniques",
+        severity: "high",
+        pattern: /CreateRemoteThread|WriteProcessMemory|VirtualAllocEx/i,
     },
-    /** Development configuration */
-    development: {
-        defaultPreset: 'basic',
-        performance: {
-            enableCache: false,
-            enablePerformanceTracking: true,
-            maxConcurrency: 3,
-        },
-        security: {
-            maxFileSize: 50 * 1024 * 1024, // 50MB
-            scanTimeout: 15000,
-            strictMode: false,
-        },
-        logging: {
-            verbose: true,
-            level: 'debug',
-            enableStats: true,
-        },
+    {
+        name: "anti_debug",
+        description: "Anti-debugging techniques",
+        severity: "medium",
+        pattern: /IsDebuggerPresent|CheckRemoteDebuggerPresent|OutputDebugString/i,
     },
-};
+    {
+        name: "obfuscation_xor",
+        description: "XOR-based obfuscation pattern",
+        severity: "medium",
+        pattern: /xor.*0x[0-9a-f]+.*xor/i,
+    },
+    {
+        name: "crypto_constants",
+        description: "Cryptographic constants",
+        severity: "low",
+        pattern: /0x67452301|0xefcdab89|0x98badcfe|0x10325476/i,
+    },
+];
+
 /**
- * Configuration manager
+ * Batch scanning with concurrency control
+ * @module utils/batch-scanner
  */
-class ConfigManager {
-    constructor(initialConfig) {
-        this.config = this.mergeConfig(DEFAULT_CONFIG, initialConfig || {});
-    }
-    /**
-     * Get current configuration
-     */
-    getConfig() {
-        return { ...this.config };
-    }
-    /**
-     * Update configuration
-     */
-    updateConfig(updates) {
-        this.config = this.mergeConfig(this.config, updates);
-    }
-    /**
-     * Load a preset configuration
-     */
-    loadPreset(preset) {
-        const presetConfig = CONFIG_PRESETS[preset];
-        this.config = this.mergeConfig(DEFAULT_CONFIG, presetConfig);
-    }
-    /**
-     * Reset to default configuration
-     */
-    reset() {
-        this.config = { ...DEFAULT_CONFIG };
-    }
-    /**
-     * Get a specific configuration value
-     */
-    get(key) {
-        return this.config[key];
-    }
-    /**
-     * Set a specific configuration value
-     */
-    set(key, value) {
-        this.config[key] = value;
+/**
+ * Batch file scanner with concurrency control and progress tracking
+ */
+class BatchScanner {
+    constructor(options = {}) {
+        this.options = {
+            concurrency: 5,
+            continueOnError: true,
+            ...options,
+        };
     }
     /**
-     * Validate configuration
+     * Scan multiple files with controlled concurrency
      */
-    validate() {
+    async scanBatch(tasks) {
+        const startTime = Date.now();
+        const results = new Array(tasks.length);
         const errors = [];
-        // Validate performance settings
-        if (this.config.performance?.maxConcurrency !== undefined) {
-            if (this.config.performance.maxConcurrency < 1) {
-                errors.push('maxConcurrency must be at least 1');
-            }
-            if (this.config.performance.maxConcurrency > 50) {
-                errors.push('maxConcurrency should not exceed 50');
-            }
-        }
-        // Validate security settings
-        if (this.config.security?.maxFileSize !== undefined) {
-            if (this.config.security.maxFileSize < 1024) {
-                errors.push('maxFileSize must be at least 1KB');
+        let successCount = 0;
+        let errorCount = 0;
+        let completedCount = 0;
+        const concurrency = this.options.concurrency ?? 5;
+        // Process tasks in chunks with controlled concurrency
+        const processingQueue = [];
+        let currentIndex = 0;
+        const processTask = async (index) => {
+            try {
+                const task = tasks[index];
+                const report = await scanBytes(task.content, {
+                    ...this.options,
+                    ctx: task.context,
+                });
+                results[index] = report;
+                successCount++;
+                completedCount++;
+                if (this.options.onProgress) {
+                    this.options.onProgress(completedCount, tasks.length, report);
+                }
             }
-        }
-        if (this.config.security?.scanTimeout !== undefined) {
-            if (this.config.security.scanTimeout < 1000) {
-                errors.push('scanTimeout must be at least 1000ms');
+            catch (error) {
+                errorCount++;
+                completedCount++;
+                const err = error instanceof Error ? error : new Error(String(error));
+                if (this.options.onError) {
+                    this.options.onError(err, index);
+                }
+                errors.push({ index, error: err });
+                if (!this.options.continueOnError) {
+                    throw err;
+                }
+                results[index] = null;
             }
-        }
-        // Validate advanced settings
-        if (this.config.advanced?.maxArchiveDepth !== undefined) {
-            if (this.config.advanced.maxArchiveDepth < 1) {
-                errors.push('maxArchiveDepth must be at least 1');
+        };
+        // Start initial batch of concurrent tasks
+        while (currentIndex < tasks.length) {
+            while (processingQueue.length < concurrency && currentIndex < tasks.length) {
+                const promise = processTask(currentIndex);
+                processingQueue.push(promise);
+                currentIndex++;
+                // Remove completed promises from queue
+                promise
+                    .finally(() => {
+                    const idx = processingQueue.indexOf(promise);
+                    if (idx > -1)
+                        processingQueue.splice(idx, 1);
+                })
+                    .catch(() => {
+                    // Rejections are handled by the main queue waits; swallow the cleanup chain.
+                });
             }
-            if (this.config.advanced.maxArchiveDepth > 20) {
-                errors.push('maxArchiveDepth should not exceed 20');
+            // Wait for at least one task to complete before continuing
+            if (processingQueue.length >= concurrency) {
+                await Promise.race(processingQueue);
             }
         }
+        // Wait for all remaining tasks
+        await Promise.all(processingQueue);
+        const totalDurationMs = Date.now() - startTime;
         return {
-            valid: errors.length === 0,
+            reports: results,
+            successCount,
+            errorCount,
+            totalDurationMs,
             errors,
         };
     }
     /**
-     * Deep merge configuration objects
+     * Scan files from File objects (browser environment)
      */
-    mergeConfig(base, updates) {
-        return {
-            ...base,
-            ...updates,
-            performance: {
-                ...base.performance,
-                ...updates.performance,
-                cacheOptions: {
-                    ...base.performance?.cacheOptions,
-                    ...updates.performance?.cacheOptions,
-                },
-            },
-            security: {
-                ...base.security,
-                ...updates.security,
-            },
-            advanced: {
-                ...base.advanced,
-                ...updates.advanced,
-            },
-            logging: {
-                ...base.logging,
-                ...updates.logging,
-            },
-            callbacks: {
-                ...base.callbacks,
-                ...updates.callbacks,
-            },
-            presetOptions: {
-                ...base.presetOptions,
-                ...updates.presetOptions,
+    async scanFiles(files) {
+        const tasks = await Promise.all(files.map(async (file) => ({
+            content: new Uint8Array(await file.arrayBuffer()),
+            context: {
+                filename: file.name,
+                mimeType: file.type,
+                size: file.size,
             },
-        };
-    }
-    /**
-     * Export configuration as JSON
-     */
-    toJSON() {
-        return JSON.stringify(this.config, null, 2);
+        })));
+        return this.scanBatch(tasks);
     }
     /**
-     * Load configuration from JSON
+     * Scan files from file paths (Node.js environment)
      */
-    fromJSON(json) {
-        try {
-            const parsed = JSON.parse(json);
-            this.config = this.mergeConfig(DEFAULT_CONFIG, parsed);
-        }
-        catch (error) {
-            throw new Error(`Failed to parse configuration JSON: ${error}`);
-        }
+    async scanFilePaths(filePaths) {
+        const fs = await import('fs/promises');
+        const path = await import('path');
+        const tasks = await Promise.all(filePaths.map(async (filePath) => {
+            const [content, stats] = await Promise.all([fs.readFile(filePath), fs.stat(filePath)]);
+            return {
+                content: new Uint8Array(content),
+                context: {
+                    filename: path.basename(filePath),
+                    size: stats.size,
+                },
+            };
+        }));
+        return this.scanBatch(tasks);
     }
 }
 /**
- * Create a new configuration manager
+ * Quick helper for batch scanning with default options
  */
-function createConfig(config) {
-    return new ConfigManager(config);
+async function batchScan(tasks, options) {
+    const scanner = new BatchScanner(options);
+    return scanner.scanBatch(tasks);
 }
+
 /**
- * Get a preset configuration
+ * Export utilities for scan results
+ * @module utils/export
  */
-function getPresetConfig(preset) {
-    return { ...DEFAULT_CONFIG, ...CONFIG_PRESETS[preset] };
-}
-
 /**
- * HIPAA Compliance Module for Pompelmi
- *
- * This module provides comprehensive HIPAA compliance features for healthcare environments
- * where Pompelmi is used to analyze potentially compromised systems containing PHI.
- *
- * Key protections:
- * - Data sanitization and redaction
- * - Secure temporary file handling
- * - Audit logging
- * - Memory protection
- * - Error message sanitization
+ * Export scan results to various formats
  */
-class HipaaComplianceManager {
-    constructor(config) {
-        this.auditEvents = [];
-        this.config = {
-            sanitizeErrors: true,
-            sanitizeFilenames: true,
-            encryptTempFiles: true,
-            memoryProtection: true,
-            requireSecureTransport: true,
-            ...config,
-            enabled: config.enabled !== undefined ? config.enabled : true
-        };
-        this.sessionId = this.generateSessionId();
-    }
+class ScanResultExporter {
     /**
-     * Sanitize filename to prevent PHI leakage in logs
+     * Export to JSON format
      */
-    sanitizeFilename(filename) {
-        if (!this.config.enabled || !this.config.sanitizeFilenames || !filename) {
-            return filename || 'unknown';
+    toJSON(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        if (!options.includeDetails) {
+            // Simplified output
+            const simplified = data.map((r) => ({
+                verdict: r.verdict,
+                file: r.file?.name,
+                matches: r.matches.length,
+                durationMs: r.durationMs,
+            }));
+            return options.prettyPrint ? JSON.stringify(simplified, null, 2) : JSON.stringify(simplified);
         }
-        // Remove potentially sensitive path information
-        const basename = path.basename(filename);
-        // Hash the filename to create a consistent but non-revealing identifier
-        const hash = crypto.createHash('sha256').update(basename).digest('hex').substring(0, 8);
-        // Preserve file extension for analysis purposes
-        const ext = path.extname(basename);
-        return `file_${hash}${ext}`;
+        return options.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
     }
     /**
-     * Sanitize error messages to prevent PHI exposure
+     * Export to CSV format
      */
-    sanitizeError(error) {
-        if (!this.config.enabled || !this.config.sanitizeErrors) {
-            return typeof error === 'string' ? error : error.message;
+    toCSV(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        const headers = [
+            "filename",
+            "verdict",
+            "matches_count",
+            "file_size",
+            "mime_type",
+            "duration_ms",
+            "engine",
+        ];
+        if (options.includeDetails) {
+            headers.push("reasons", "match_rules");
         }
-        const message = typeof error === 'string' ? error : error.message;
-        // Remove common patterns that might contain PHI
-        let sanitized = message
-            // Remove file paths
-            .replace(/[A-Za-z]:\\\\[^\\s]+/g, '[REDACTED_PATH]')
-            .replace(/\/[^\\s]+/g, '[REDACTED_PATH]')
-            // Remove potential patient identifiers (numbers that could be MRNs, SSNs)
-            .replace(/\\b\\d{3}-?\\d{2}-?\\d{4}\\b/g, '[REDACTED_ID]')
-            .replace(/\\b\\d{6,}\\b/g, '[REDACTED_ID]')
-            // Remove email addresses
-            .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g, '[REDACTED_EMAIL]')
-            // Remove potential names (capitalize words in error messages)
-            .replace(/\\b[A-Z][a-z]+\\s+[A-Z][a-z]+\\b/g, '[REDACTED_NAME]')
-            // Remove IP addresses
-            .replace(/\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g, '[REDACTED_IP]');
-        return sanitized;
+        const rows = data.map((report) => {
+            const row = [
+                this.escapeCsv(report.file?.name || "unknown"),
+                report.verdict,
+                report.matches.length.toString(),
+                (report.file?.size || 0).toString(),
+                this.escapeCsv(report.file?.mimeType || "unknown"),
+                (report.durationMs || 0).toString(),
+                report.engine || "unknown",
+            ];
+            if (options.includeDetails) {
+                row.push(this.escapeCsv((report.reasons || []).join("; ")), this.escapeCsv(report.matches.map((m) => m.rule).join("; ")));
+            }
+            return row.join(",");
+        });
+        return [headers.join(","), ...rows].join("\n");
     }
     /**
-     * Create secure temporary file path with encryption if enabled
+     * Export to Markdown format
      */
-    createSecureTempPath(prefix = 'pompelmi') {
-        if (!this.config.enabled) {
-            return path.join(os.tmpdir(), `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    toMarkdown(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        let md = "# Scan Results\n\n";
+        md += `**Total Scans:** ${data.length}\n\n`;
+        const clean = data.filter((r) => r.verdict === "clean").length;
+        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
+        const malicious = data.filter((r) => r.verdict === "malicious").length;
+        md += "## Summary\n\n";
+        md += `- ✅ Clean: ${clean}\n`;
+        md += `- ⚠️ Suspicious: ${suspicious}\n`;
+        md += `- ❌ Malicious: ${malicious}\n\n`;
+        md += "## Detailed Results\n\n";
+        for (const report of data) {
+            const icon = report.verdict === "clean" ? "✅" : report.verdict === "suspicious" ? "⚠️" : "❌";
+            md += `### ${icon} ${report.file?.name || "Unknown"}\n\n`;
+            md += `- **Verdict:** ${report.verdict}\n`;
+            md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
+            md += `- **MIME Type:** ${report.file?.mimeType || "unknown"}\n`;
+            md += `- **Duration:** ${report.durationMs || 0}ms\n`;
+            md += `- **Matches:** ${report.matches.length}\n`;
+            if (options.includeDetails && report.matches.length > 0) {
+                md += "\n**Match Details:**\n";
+                for (const match of report.matches) {
+                    md += `- ${match.rule}`;
+                    if (match.tags && match.tags.length > 0) {
+                        md += ` (${match.tags.join(", ")})`;
+                    }
+                    md += "\n";
+                }
+            }
+            md += "\n";
         }
-        // Use cryptographically secure random names
-        const randomId = crypto.randomBytes(16).toString('hex');
-        const timestamp = Date.now();
-        // Create path in secure temp directory
-        const secureTempDir = this.getSecureTempDir();
-        const tempPath = path.join(secureTempDir, `${prefix}-${timestamp}-${randomId}`);
-        this.auditLog('temp_file_created', {
-            action: 'create_temp_file',
-            success: true,
-            metadata: { path: this.sanitizeFilename(tempPath) }
-        });
-        return tempPath;
+        return md;
     }
     /**
-     * Get or create secure temporary directory with restricted permissions
+     * Export to SARIF format (Static Analysis Results Interchange Format)
+     * Useful for CI/CD integration
      */
-    getSecureTempDir() {
-        const secureTempPath = path.join(os.tmpdir(), 'pompelmi-secure');
-        try {
-            const fs = require('fs');
-            if (!fs.existsSync(secureTempPath)) {
-                fs.mkdirSync(secureTempPath, { mode: 0o700 }); // Owner read/write/execute only
-            }
-        }
-        catch (error) {
-            // Fallback to system temp
-            return os.tmpdir();
-        }
-        return secureTempPath;
+    toSARIF(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        const results = data.flatMap((report) => {
+            if (report.verdict === "clean")
+                return [];
+            return report.matches.map((match) => ({
+                ruleId: match.rule,
+                level: report.verdict === "malicious" ? "error" : "warning",
+                message: {
+                    text: `${match.rule} detected in ${report.file?.name || "unknown file"}`,
+                },
+                locations: [
+                    {
+                        physicalLocation: {
+                            artifactLocation: {
+                                uri: report.file?.name || "unknown",
+                            },
+                        },
+                    },
+                ],
+                properties: {
+                    tags: match.tags,
+                    metadata: match.meta,
+                },
+            }));
+        });
+        const sarif = {
+            version: "2.1.0",
+            $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+            runs: [
+                {
+                    tool: {
+                        driver: {
+                            name: "Pompelmi",
+                            version: "0.29.0",
+                            informationUri: "https://pompelmi.github.io/pompelmi/",
+                        },
+                    },
+                    results,
+                },
+            ],
+        };
+        return options.prettyPrint ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
     }
     /**
-     * Secure file cleanup with multiple overwrite passes
+     * Export to HTML format
      */
-    async secureFileCleanup(filePath) {
-        if (!this.config.enabled) {
-            try {
-                const fs = await import('fs/promises');
-                await fs.unlink(filePath);
-            }
-            catch {
-                // Ignore cleanup errors
-            }
-            return;
-        }
-        try {
-            const fs = await import('fs/promises');
-            const stats = await fs.stat(filePath);
-            if (this.config.memoryProtection) {
-                // Overwrite file with random data multiple times (DoD 5220.22-M standard)
-                const fileSize = stats.size;
-                const buffer = crypto.randomBytes(Math.min(fileSize, 64 * 1024)); // 64KB chunks
-                for (let pass = 0; pass < 3; pass++) {
-                    const handle = await fs.open(filePath, 'r+');
-                    try {
-                        for (let offset = 0; offset < fileSize; offset += buffer.length) {
-                            const chunk = offset + buffer.length > fileSize
-                                ? buffer.subarray(0, fileSize - offset)
-                                : buffer;
-                            await handle.write(chunk, 0, chunk.length, offset);
-                        }
-                        await handle.sync();
-                    }
-                    finally {
-                        await handle.close();
+    toHTML(reports, options = {}) {
+        const data = Array.isArray(reports) ? reports : [reports];
+        const clean = data.filter((r) => r.verdict === "clean").length;
+        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
+        const malicious = data.filter((r) => r.verdict === "malicious").length;
+        let html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Pompelmi Scan Results</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
+    .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
+    .card { padding: 20px; border-radius: 8px; text-align: center; }
+    .clean { background: #d4edda; color: #155724; }
+    .suspicious { background: #fff3cd; color: #856404; }
+    .malicious { background: #f8d7da; color: #721c24; }
+    .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
+    .result h3 { margin-top: 0; }
+    .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
+    table { width: 100%; border-collapse: collapse; }
+    th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
+  </style>
+</head>
+<body>
+  <h1>🛡️ Pompelmi Scan Results</h1>
+  <div class="summary">
+    <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
+    <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
+    <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
+  </div>
+  <h2>Detailed Results</h2>`;
+        for (const report of data) {
+            const statusClass = report.verdict;
+            html += `<div class="result ${statusClass}">`;
+            html += `<h3>${this.escapeHtml(report.file?.name || "Unknown")}</h3>`;
+            html += `<table>`;
+            html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
+            html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
+            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || "unknown")}</td></tr>`;
+            html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
+            html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
+            html += `</table>`;
+            if (options.includeDetails && report.matches.length > 0) {
+                html += `<h4>Match Details:</h4><ul>`;
+                for (const match of report.matches) {
+                    html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
+                    if (match.tags && match.tags.length > 0) {
+                        html += ` ${match.tags.map((tag) => `<span class="badge">${this.escapeHtml(tag)}</span>`).join("")}`;
                     }
+                    html += `</li>`;
                 }
+                html += `</ul>`;
             }
-            // Final deletion
-            await fs.unlink(filePath);
-            this.auditLog('temp_file_deleted', {
-                action: 'secure_delete',
-                success: true,
-                metadata: {
-                    path: this.sanitizeFilename(filePath),
-                    overwritePasses: this.config.memoryProtection ? 3 : 0
-                }
-            });
+            html += `</div>`;
         }
-        catch (error) {
-            this.auditLog('temp_file_deleted', {
-                action: 'secure_delete',
-                success: false,
-                sanitizedError: this.sanitizeError(error),
-                metadata: { path: this.sanitizeFilename(filePath) }
-            });
+        html += `</body></html>`;
+        return html;
+    }
+    /**
+     * Export to specified format
+     */
+    export(reports, format, options = {}) {
+        switch (format) {
+            case "json":
+                return this.toJSON(reports, options);
+            case "csv":
+                return this.toCSV(reports, options);
+            case "markdown":
+                return this.toMarkdown(reports, options);
+            case "html":
+                return this.toHTML(reports, options);
+            case "sarif":
+                return this.toSARIF(reports, options);
+            default:
+                throw new Error(`Unsupported export format: ${format}`);
+        }
+    }
+    escapeCsv(value) {
+        if (value.includes(",") || value.includes('"') || value.includes("\n")) {
+            return `"${value.replace(/"/g, '""')}"`;
         }
+        return value;
+    }
+    escapeHtml(value) {
+        return value
+            .replace(/&/g, "&amp;")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#039;");
+    }
+    formatBytes(bytes) {
+        if (bytes === 0)
+            return "0 Bytes";
+        const k = 1024;
+        const sizes = ["Bytes", "KB", "MB", "GB"];
+        const i = Math.floor(Math.log(bytes) / Math.log(k));
+        return Math.round((bytes / k ** i) * 100) / 100 + " " + sizes[i];
+    }
+}
+/**
+ * Quick export helper
+ */
+function exportScanResults(reports, format, options) {
+    const exporter = new ScanResultExporter();
+    return exporter.export(reports, format, options);
+}
+
+/**
+ * Threat intelligence integration and enhanced detection
+ * @module utils/threat-intelligence
+ */
+/**
+ * Built-in threat intelligence - known malware hashes
+ * In production, this would connect to real threat intel APIs
+ */
+class LocalThreatIntelligence {
+    constructor() {
+        this.name = "Local Database";
+        this.knownThreats = new Map();
+        // Initialize with some example known threats (in production, load from database)
+        this.initializeKnownThreats();
+    }
+    initializeKnownThreats() {
+        // Example: EICAR test file hash
+        this.knownThreats.set("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", {
+            threatLevel: 100,
+            category: "test-malware",
+            source: "local",
+            metadata: { name: "EICAR Test File" },
+        });
+    }
+    async checkHash(hash) {
+        return this.knownThreats.get(hash.toLowerCase()) || null;
     }
     /**
-     * Calculate secure file hash for audit purposes
+     * Add a known threat to the local database
      */
-    calculateFileHash(data) {
-        return crypto.createHash('sha256').update(data).digest('hex');
+    addThreat(hash, info) {
+        this.knownThreats.set(hash.toLowerCase(), info);
     }
     /**
-     * Log audit event
+     * Remove a threat from the local database
      */
-    auditLog(eventType, details) {
-        if (!this.config.enabled)
-            return;
-        const event = {
-            timestamp: new Date().toISOString(),
-            eventType,
-            sessionId: this.sessionId,
-            details: {
-                action: details.action || 'unknown',
-                success: details.success ?? true,
-                ...details
-            }
-        };
-        this.auditEvents.push(event);
-        // Write to audit log file if configured
-        if (this.config.auditLogPath) {
-            this.writeAuditLog(event).catch(() => {
-                // Silent failure to prevent error loops
-            });
-        }
+    removeThreat(hash) {
+        return this.knownThreats.delete(hash.toLowerCase());
     }
     /**
-     * Write audit event to file
+     * Get all known threats
      */
-    async writeAuditLog(event) {
-        if (!this.config.auditLogPath)
-            return;
-        try {
-            const fs = await import('fs/promises');
-            const logLine = JSON.stringify(event) + '\\n';
-            await fs.appendFile(this.config.auditLogPath, logLine, { flag: 'a' });
+    getAllThreats() {
+        return new Map(this.knownThreats);
+    }
+}
+/**
+ * Threat intelligence aggregator
+ */
+class ThreatIntelligenceAggregator {
+    constructor(sources) {
+        this.sources = [];
+        if (sources) {
+            this.sources = sources;
         }
-        catch {
-            // Silent failure
+        else {
+            // Default to local intelligence
+            this.sources = [new LocalThreatIntelligence()];
         }
     }
     /**
-     * Generate cryptographically secure session ID
+     * Add a threat intelligence source
      */
-    generateSessionId() {
-        return crypto.randomBytes(16).toString('hex');
+    addSource(source) {
+        this.sources.push(source);
     }
     /**
-     * Get current audit events for this session
+     * Check file hash against all sources
      */
-    getAuditEvents() {
-        return [...this.auditEvents];
+    async checkHash(hash) {
+        const results = await Promise.allSettled(this.sources.map((source) => source.checkHash(hash)));
+        const threats = [];
+        for (const result of results) {
+            if (result.status === "fulfilled" && result.value) {
+                threats.push(result.value);
+            }
+        }
+        return threats;
     }
     /**
-     * Clear sensitive data from memory
+     * Enhance scan report with threat intelligence
      */
-    clearSensitiveData() {
-        if (!this.config.enabled || !this.config.memoryProtection)
-            return;
-        // Clear audit events
-        this.auditEvents.length = 0;
-        // Force garbage collection if available
-        if (global.gc) {
-            global.gc();
-        }
+    async enhanceScanReport(content, report) {
+        // Calculate file hash
+        const hash = createHash("sha256").update(content).digest("hex");
+        // Check threat intelligence
+        const threatIntel = await this.checkHash(hash);
+        // Calculate risk score
+        const riskScore = this.calculateRiskScore(report, threatIntel);
+        return {
+            ...report,
+            fileHash: hash,
+            threatIntel: threatIntel.length > 0 ? threatIntel : undefined,
+            riskScore,
+        };
     }
     /**
-     * Validate transport security
+     * Calculate overall risk score based on scan results and threat intel
      */
-    validateTransportSecurity(url) {
-        if (!this.config.enabled || !this.config.requireSecureTransport) {
-            return true;
-        }
-        if (!url)
-            return true;
-        try {
-            const urlObj = new URL(url);
-            const isSecure = urlObj.protocol === 'https:' || urlObj.hostname === 'localhost' || urlObj.hostname === '127.0.0.1';
-            if (!isSecure) {
-                this.auditLog('security_violation', {
-                    action: 'insecure_transport',
-                    success: false,
-                    metadata: { protocol: urlObj.protocol, hostname: urlObj.hostname }
-                });
-            }
-            return isSecure;
+    calculateRiskScore(report, threats) {
+        let score = 0;
+        // Base score from verdict
+        switch (report.verdict) {
+            case "malicious":
+                score += 70;
+                break;
+            case "suspicious":
+                score += 40;
+                break;
+            case "clean":
+                score += 0;
+                break;
         }
-        catch {
-            return false;
+        // Add points for number of matches
+        score += Math.min(report.matches.length * 5, 20);
+        // Add points from threat intelligence
+        if (threats.length > 0) {
+            const maxThreat = Math.max(...threats.map((t) => t.threatLevel));
+            score = Math.max(score, maxThreat);
         }
+        return Math.min(score, 100);
     }
 }
-// Global HIPAA compliance instance
-let hipaaManager = null;
 /**
- * Initialize HIPAA compliance
+ * Create default threat intelligence aggregator
  */
-function initializeHipaaCompliance(config) {
-    hipaaManager = new HipaaComplianceManager(config);
-    return hipaaManager;
+function createThreatIntelligence() {
+    return new ThreatIntelligenceAggregator();
 }
 /**
- * Get current HIPAA compliance manager
+ * Helper to get file hash
  */
-function getHipaaManager() {
-    return hipaaManager;
+function getFileHash(content) {
+    return createHash("sha256").update(content).digest("hex");
 }
+
 /**
- * HIPAA-compliant error wrapper
+ * Validates a File by MIME type and size (max 5 MB).
  */
-function createHipaaError(error, context) {
-    const manager = getHipaaManager();
-    if (!manager) {
-        return typeof error === 'string' ? new Error(error) : error;
+function validateFile(file) {
+    const maxSize = 5 * 1024 * 1024;
+    const allowedTypes = ["text/plain", "application/json", "text/csv"];
+    if (!allowedTypes.includes(file.type)) {
+        return { valid: false, error: "Unsupported file type" };
     }
-    const sanitizedMessage = manager.sanitizeError(error);
-    const hipaaError = new Error(sanitizedMessage);
-    manager.auditLog('error_occurred', {
-        action: context || 'error',
-        success: false,
-        sanitizedError: sanitizedMessage
-    });
-    return hipaaError;
-}
-/**
- * HIPAA-compliant temporary file utilities
- */
-const HipaaTemp = {
-    createPath: (prefix) => {
-        const manager = getHipaaManager();
-        return manager ? manager.createSecureTempPath(prefix) : path.join(os.tmpdir(), `${prefix || 'pompelmi'}-${Date.now()}`);
-    },
-    cleanup: async (filePath) => {
-        const manager = getHipaaManager();
-        if (manager) {
-            await manager.secureFileCleanup(filePath);
-        }
-        else {
-            try {
-                const fs = await import('fs/promises');
-                await fs.unlink(filePath);
-            }
-            catch {
-                // Ignore errors
-            }
-        }
+    if (file.size > maxSize) {
+        return { valid: false, error: "File too large (max 5 MB)" };
     }
-};
+    return { valid: true };
+}
+
+function mapMatchesToVerdict(matches = []) {
+    if (!matches.length)
+        return "clean";
+    const malHints = ["trojan", "ransom", "worm", "spy", "rootkit", "keylog", "botnet"];
+    const tagSet = new Set(matches.flatMap((m) => (m.tags ?? []).map((t) => t.toLowerCase())));
+    const nameHit = (r) => malHints.some((h) => r.toLowerCase().includes(h));
+    const isMal = matches.some((m) => nameHit(m.rule)) || tagSet.has("malware") || tagSet.has("critical");
+    return isMal ? "malicious" : "suspicious";
+}
 
 export { ARCHIVES, BatchScanner, CONFIG_PRESETS, CONSERVATIVE_DEFAULT, CommonHeuristicsScanner, ConfigManager, DEFAULT_CONFIG, DEFAULT_POLICY, DOCUMENTS_ONLY, HipaaTemp, IMAGES_ONLY, LocalThreatIntelligence, POLICY_PACKS, PerformanceTracker, STRICT_PUBLIC_UPLOAD, SUSPICIOUS_PATTERNS, ScanCacheManager, ScanResultExporter, ThreatIntelligenceAggregator, aggregateScanStats, analyzeNestedArchives, batchScan, composeScanners, createConfig, createHipaaError, createPresetScanner, createThreatIntelligence, createZipBombGuard, definePolicy, detectObfuscatedScripts, detectPolyglot, exportScanResults, getDefaultCache, getFileHash, getHipaaManager, getPolicyPack, getPresetConfig, initializeHipaaCompliance, mapMatchesToVerdict, resetDefaultCache, scanBytes, scanFile, scanFiles, scanFilesWithRemoteYara, validateFile };
 //# sourceMappingURL=pompelmi.esm.js.map