pompelmi 0.35.4 → 1.0.0

package/dist/pompelmi.quarantine.cjs

@@ -1,317 +0,0 @@
-'use strict';
-
-var crypto = require('crypto');
-var fs = require('fs');
-var path = require('path');
-
-function _interopNamespaceDefault(e) {
-    var n = Object.create(null);
-    if (e) {
-        Object.keys(e).forEach(function (k) {
-            if (k !== 'default') {
-                var d = Object.getOwnPropertyDescriptor(e, k);
-                Object.defineProperty(n, k, d.get ? d : {
-                    enumerable: true,
-                    get: function () { return e[k]; }
-                });
-            }
-        });
-    }
-    n.default = e;
-    return Object.freeze(n);
-}
-
-var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
-var fs__namespace = /*#__PURE__*/_interopNamespaceDefault(fs);
-var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
-
-/**
- * Quarantine storage adapter interface and filesystem reference implementation.
- *
- * The `QuarantineStorage` interface decouples the quarantine workflow from any
- * specific persistence layer.  You can implement it for S3, GCS, a database,
- * or any other backend.
- *
- * The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON
- * in a local directory — suitable for development, self-hosted, and on-premise
- * deployments where data must not leave the machine.
- *
- * @module quarantine/storage
- */
-/**
- * Reference implementation of `QuarantineStorage` backed by the local filesystem.
- *
- * File layout:
- *   <dir>/files/<storageKey>   — raw file bytes
- *   <dir>/meta/<id>.json       — QuarantineEntry JSON
- *
- * Suitable for single-process servers.  For multi-process or distributed
- * deployments, implement `QuarantineStorage` against a shared backend.
- */
-class FilesystemQuarantineStorage {
-    constructor(options) {
-        this.filesDir = path__namespace.join(options.dir, "files");
-        this.metaDir = path__namespace.join(options.dir, "meta");
-        if (options.createIfMissing !== false) {
-            fs__namespace.mkdirSync(this.filesDir, { recursive: true });
-            fs__namespace.mkdirSync(this.metaDir, { recursive: true });
-        }
-    }
-    async saveFile(id, bytes) {
-        // Use a safe, collision-resistant filename derived from the entry id.
-        const storageKey = `${id}-${crypto__namespace.randomBytes(4).toString("hex")}`;
-        const filePath = path__namespace.join(this.filesDir, storageKey);
-        await fs__namespace.promises.writeFile(filePath, bytes);
-        return storageKey;
-    }
-    async getFile(storageKey) {
-        const filePath = path__namespace.join(this.filesDir, safeBasename(storageKey));
-        try {
-            const buf = await fs__namespace.promises.readFile(filePath);
-            return new Uint8Array(buf);
-        }
-        catch {
-            return null;
-        }
-    }
-    async deleteFile(storageKey) {
-        const filePath = path__namespace.join(this.filesDir, safeBasename(storageKey));
-        await fs__namespace.promises.unlink(filePath).catch(() => {
-            /* already gone */
-        });
-    }
-    async saveEntry(entry) {
-        const metaPath = path__namespace.join(this.metaDir, `${safeBasename(entry.id)}.json`);
-        await fs__namespace.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), "utf8");
-    }
-    async getEntry(id) {
-        const metaPath = path__namespace.join(this.metaDir, `${safeBasename(id)}.json`);
-        try {
-            const raw = await fs__namespace.promises.readFile(metaPath, "utf8");
-            return JSON.parse(raw);
-        }
-        catch {
-            return null;
-        }
-    }
-    async updateEntry(id, patch) {
-        const existing = await this.getEntry(id);
-        if (!existing)
-            throw new Error(`Quarantine entry not found: ${id}`);
-        const updated = { ...existing, ...patch };
-        await this.saveEntry(updated);
-        return updated;
-    }
-    async listEntries(filter) {
-        const files = await fs__namespace.promises.readdir(this.metaDir).catch(() => []);
-        const entries = [];
-        for (const file of files) {
-            if (!file.endsWith(".json"))
-                continue;
-            try {
-                const raw = await fs__namespace.promises.readFile(path__namespace.join(this.metaDir, file), "utf8");
-                entries.push(JSON.parse(raw));
-            }
-            catch {
-                // Skip unreadable entries.
-            }
-        }
-        return applyFilter(entries, filter);
-    }
-    async countEntries(filter) {
-        const entries = await this.listEntries(filter);
-        return entries.length;
-    }
-}
-// ── Helpers ───────────────────────────────────────────────────────────────────
-/**
- * Strip directory separators to prevent path-traversal attacks when using
- * user-supplied or derived keys as filenames.
- */
-function safeBasename(key) {
-    return path__namespace.basename(key).replace(/[^a-zA-Z0-9._-]/g, "_");
-}
-function applyFilter(entries, filter) {
-    if (!filter)
-        return entries;
-    let result = entries;
-    if (filter.status !== undefined) {
-        const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
-        result = result.filter((e) => statuses.includes(e.status));
-    }
-    if (filter.after) {
-        result = result.filter((e) => e.quarantinedAt >= filter.after);
-    }
-    if (filter.before) {
-        result = result.filter((e) => e.quarantinedAt <= filter.before);
-    }
-    if (filter.limit !== undefined) {
-        result = result.slice(0, filter.limit);
-    }
-    return result;
-}
-
-/**
- * Quarantine workflow — core API for the quarantine/review/resolve lifecycle.
- *
- * Usage (Node.js):
- *
- * ```ts
- * import { scanBytes } from 'pompelmi';
- * import { QuarantineManager, FilesystemQuarantineStorage } from 'pompelmi/quarantine';
- *
- * const quarantine = new QuarantineManager({
- *   storage: new FilesystemQuarantineStorage({ dir: './quarantine' }),
- * });
- *
- * const report = await scanBytes(fileBytes, { ctx: { filename: file.name } });
- *
- * if (report.verdict !== 'clean') {
- *   const entry = await quarantine.quarantine(fileBytes, report, {
- *     originalName: file.name,
- *     sizeBytes: fileBytes.length,
- *     uploadedBy: req.user?.id,
- *   });
- *   console.log('Quarantined:', entry.id);
- * }
- * ```
- *
- * @module quarantine/workflow
- */
-// ── Manager ───────────────────────────────────────────────────────────────────
-/**
- * Manages the full lifecycle of quarantined files:
- *   scan → quarantine → review → promote | delete
- */
-class QuarantineManager {
-    constructor(options) {
-        this.storage = options.storage;
-        this.quarantineSuspicious = options.quarantineSuspicious ?? true;
-        this.quarantineMalicious = options.quarantineMalicious ?? true;
-    }
-    /**
-     * Determine whether a scan report should trigger quarantine per the
-     * configured policy.
-     */
-    shouldQuarantine(report) {
-        if (report.verdict === "malicious")
-            return this.quarantineMalicious;
-        if (report.verdict === "suspicious")
-            return this.quarantineSuspicious;
-        return false;
-    }
-    /**
-     * Quarantine a file: save the bytes in storage, create the metadata entry,
-     * and return the entry.
-     *
-     * @param bytes     Raw file bytes.
-     * @param report    The scan report that triggered quarantine.
-     * @param fileInfo  Partial metadata; `sha256` is derived from `bytes` if omitted.
-     */
-    async quarantine(bytes, report, fileInfo) {
-        const id = generateId();
-        const sha256 = fileInfo.sha256 ?? computeSha256(bytes);
-        const now = new Date().toISOString();
-        const storageKey = await this.storage.saveFile(id, bytes);
-        const entry = {
-            id,
-            storageKey,
-            file: { ...fileInfo, sha256 },
-            scanReport: report,
-            quarantinedAt: now,
-            status: "pending",
-            updatedAt: now,
-        };
-        await this.storage.saveEntry(entry);
-        return entry;
-    }
-    /**
-     * Mark an entry as being actively reviewed.
-     */
-    async startReview(id, reviewedBy) {
-        return this.storage.updateEntry(id, {
-            status: "reviewing",
-            reviewedBy,
-            updatedAt: new Date().toISOString(),
-        });
-    }
-    /**
-     * Resolve a quarantine entry with a final decision.
-     *
-     * - `promote`: the file is cleared — bytes remain in storage for the caller
-     *   to move to its final destination.
-     * - `delete`: the bytes are permanently removed from quarantine storage.
-     */
-    async resolve(id, review) {
-        const entry = await this.storage.getEntry(id);
-        if (!entry)
-            throw new Error(`Quarantine entry not found: ${id}`);
-        if (entry.status === "promoted" || entry.status === "deleted") {
-            throw new Error(`Quarantine entry ${id} is already resolved (${entry.status}).`);
-        }
-        const now = new Date().toISOString();
-        const newStatus = review.decision === "promote" ? "promoted" : "deleted";
-        if (review.decision === "delete") {
-            await this.storage.deleteFile(entry.storageKey);
-        }
-        return this.storage.updateEntry(id, {
-            status: newStatus,
-            reviewedBy: review.reviewedBy,
-            reviewNote: review.reviewNote,
-            resolvedAt: now,
-            updatedAt: now,
-        });
-    }
-    /**
-     * Retrieve the raw bytes of a promoted file so the caller can move it to
-     * permanent storage.  Returns `null` if the entry is not found or has been
-     * deleted.
-     */
-    async getFile(id) {
-        const entry = await this.storage.getEntry(id);
-        if (!entry)
-            return null;
-        return this.storage.getFile(entry.storageKey);
-    }
-    // ── Query helpers ───────────────────────────────────────────────────────────
-    getEntry(id) {
-        return this.storage.getEntry(id);
-    }
-    listEntries(filter) {
-        return this.storage.listEntries(filter);
-    }
-    listPending() {
-        return this.storage.listEntries({ status: "pending" });
-    }
-    countEntries(filter) {
-        return this.storage.countEntries(filter);
-    }
-    // ── Reporting ───────────────────────────────────────────────────────────────
-    /**
-     * Generate a structured JSON report of all quarantine entries matching the
-     * filter — suitable for audit logs and dashboards.
-     */
-    async report(filter) {
-        const entries = await this.storage.listEntries(filter);
-        const byStatus = { pending: 0, reviewing: 0, promoted: 0, deleted: 0 };
-        for (const e of entries)
-            byStatus[e.status]++;
-        return {
-            generatedAt: new Date().toISOString(),
-            totalEntries: entries.length,
-            byStatus,
-            entries,
-        };
-    }
-}
-// ── Helpers ───────────────────────────────────────────────────────────────────
-function generateId() {
-    return crypto__namespace.randomUUID();
-}
-function computeSha256(bytes) {
-    return crypto__namespace.createHash("sha256").update(bytes).digest("hex");
-}
-
-exports.FilesystemQuarantineStorage = FilesystemQuarantineStorage;
-exports.QuarantineManager = QuarantineManager;
-//# sourceMappingURL=pompelmi.quarantine.cjs.map

package/dist/pompelmi.quarantine.cjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"pompelmi.quarantine.cjs","sources":["../../src/quarantine/storage.ts","../../src/quarantine/workflow.ts"],"sourcesContent":["/**\n * Quarantine storage adapter interface and filesystem reference implementation.\n *\n * The `QuarantineStorage` interface decouples the quarantine workflow from any\n * specific persistence layer.  You can implement it for S3, GCS, a database,\n * or any other backend.\n *\n * The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON\n * in a local directory — suitable for development, self-hosted, and on-premise\n * deployments where data must not leave the machine.\n *\n * @module quarantine/storage\n */\n\nimport * as crypto from \"crypto\";\nimport * as fs from \"fs\";\nimport * as path from \"path\";\nimport type { QuarantineEntry, QuarantineFilter } from \"./types\";\n\n// ── Adapter interface ─────────────────────────────────────────────────────────\n\n/**\n * Storage adapter for the quarantine workflow.\n * Implement this interface to support any backend (S3, GCS, DB, etc.).\n */\nexport interface QuarantineStorage {\n  /**\n   * Persist the raw bytes of a quarantined file.\n   * Returns a `storageKey` that can later be used to retrieve or delete the bytes.\n   */\n  saveFile(id: string, bytes: Uint8Array): Promise<string>;\n\n  /**\n   * Retrieve the raw bytes of a quarantined file.\n   * Returns `null` if the file is not found.\n   */\n  getFile(storageKey: string): Promise<Uint8Array | null>;\n\n  /**\n   * Permanently remove the raw bytes of a quarantined file.\n   * No-op if already removed.\n   */\n  deleteFile(storageKey: string): Promise<void>;\n\n  /** Persist a quarantine entry (metadata + scan report). */\n  saveEntry(entry: QuarantineEntry): Promise<void>;\n\n  /** Load a quarantine entry by id. Returns `null` if not found. */\n  getEntry(id: string): Promise<QuarantineEntry | null>;\n\n  /** Update an existing quarantine entry (partial update). */\n  updateEntry(id: string, patch: Partial<QuarantineEntry>): Promise<QuarantineEntry>;\n\n  /** List quarantine entries matching the given filter. */\n  listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]>;\n\n  /** Return the total count of quarantine entries matching the filter. */\n  countEntries(filter?: QuarantineFilter): Promise<number>;\n}\n\n// ── Filesystem implementation ─────────────────────────────────────────────────\n\nexport interface FilesystemQuarantineStorageOptions {\n  /**\n   * Root directory for quarantine storage.\n   * Two subdirectories are created: `files/` (raw bytes) and `meta/` (JSON).\n   */\n  dir: string;\n  /** Create the directory if it does not exist (default: true). */\n  createIfMissing?: boolean;\n}\n\n/**\n * Reference implementation of `QuarantineStorage` backed by the local filesystem.\n *\n * File layout:\n *   <dir>/files/<storageKey>   — raw file bytes\n *   <dir>/meta/<id>.json       — QuarantineEntry JSON\n *\n * Suitable for single-process servers.  For multi-process or distributed\n * deployments, implement `QuarantineStorage` against a shared backend.\n */\nexport class FilesystemQuarantineStorage implements QuarantineStorage {\n  private readonly filesDir: string;\n  private readonly metaDir: string;\n\n  constructor(options: FilesystemQuarantineStorageOptions) {\n    this.filesDir = path.join(options.dir, \"files\");\n    this.metaDir = path.join(options.dir, \"meta\");\n    if (options.createIfMissing !== false) {\n      fs.mkdirSync(this.filesDir, { recursive: true });\n      fs.mkdirSync(this.metaDir, { recursive: true });\n    }\n  }\n\n  async saveFile(id: string, bytes: Uint8Array): Promise<string> {\n    // Use a safe, collision-resistant filename derived from the entry id.\n    const storageKey = `${id}-${crypto.randomBytes(4).toString(\"hex\")}`;\n    const filePath = path.join(this.filesDir, storageKey);\n    await fs.promises.writeFile(filePath, bytes);\n    return storageKey;\n  }\n\n  async getFile(storageKey: string): Promise<Uint8Array | null> {\n    const filePath = path.join(this.filesDir, safeBasename(storageKey));\n    try {\n      const buf = await fs.promises.readFile(filePath);\n      return new Uint8Array(buf);\n    } catch {\n      return null;\n    }\n  }\n\n  async deleteFile(storageKey: string): Promise<void> {\n    const filePath = path.join(this.filesDir, safeBasename(storageKey));\n    await fs.promises.unlink(filePath).catch(() => {\n      /* already gone */\n    });\n  }\n\n  async saveEntry(entry: QuarantineEntry): Promise<void> {\n    const metaPath = path.join(this.metaDir, `${safeBasename(entry.id)}.json`);\n    await fs.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), \"utf8\");\n  }\n\n  async getEntry(id: string): Promise<QuarantineEntry | null> {\n    const metaPath = path.join(this.metaDir, `${safeBasename(id)}.json`);\n    try {\n      const raw = await fs.promises.readFile(metaPath, \"utf8\");\n      return JSON.parse(raw) as QuarantineEntry;\n    } catch {\n      return null;\n    }\n  }\n\n  async updateEntry(id: string, patch: Partial<QuarantineEntry>): Promise<QuarantineEntry> {\n    const existing = await this.getEntry(id);\n    if (!existing) throw new Error(`Quarantine entry not found: ${id}`);\n    const updated: QuarantineEntry = { ...existing, ...patch };\n    await this.saveEntry(updated);\n    return updated;\n  }\n\n  async listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]> {\n    const files = await fs.promises.readdir(this.metaDir).catch(() => [] as string[]);\n    const entries: QuarantineEntry[] = [];\n\n    for (const file of files) {\n      if (!file.endsWith(\".json\")) continue;\n      try {\n        const raw = await fs.promises.readFile(path.join(this.metaDir, file), \"utf8\");\n        entries.push(JSON.parse(raw) as QuarantineEntry);\n      } catch {\n        // Skip unreadable entries.\n      }\n    }\n\n    return applyFilter(entries, filter);\n  }\n\n  async countEntries(filter?: QuarantineFilter): Promise<number> {\n    const entries = await this.listEntries(filter);\n    return entries.length;\n  }\n}\n\n// ── Helpers ───────────────────────────────────────────────────────────────────\n\n/**\n * Strip directory separators to prevent path-traversal attacks when using\n * user-supplied or derived keys as filenames.\n */\nfunction safeBasename(key: string): string {\n  return path.basename(key).replace(/[^a-zA-Z0-9._-]/g, \"_\");\n}\n\nfunction applyFilter(entries: QuarantineEntry[], filter?: QuarantineFilter): QuarantineEntry[] {\n  if (!filter) return entries;\n\n  let result = entries;\n\n  if (filter.status !== undefined) {\n    const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];\n    result = result.filter((e) => statuses.includes(e.status));\n  }\n  if (filter.after) {\n    result = result.filter((e) => e.quarantinedAt >= filter.after!);\n  }\n  if (filter.before) {\n    result = result.filter((e) => e.quarantinedAt <= filter.before!);\n  }\n  if (filter.limit !== undefined) {\n    result = result.slice(0, filter.limit);\n  }\n\n  return result;\n}\n","/**\n * Quarantine workflow — core API for the quarantine/review/resolve lifecycle.\n *\n * Usage (Node.js):\n *\n * ```ts\n * import { scanBytes } from 'pompelmi';\n * import { QuarantineManager, FilesystemQuarantineStorage } from 'pompelmi/quarantine';\n *\n * const quarantine = new QuarantineManager({\n *   storage: new FilesystemQuarantineStorage({ dir: './quarantine' }),\n * });\n *\n * const report = await scanBytes(fileBytes, { ctx: { filename: file.name } });\n *\n * if (report.verdict !== 'clean') {\n *   const entry = await quarantine.quarantine(fileBytes, report, {\n *     originalName: file.name,\n *     sizeBytes: fileBytes.length,\n *     uploadedBy: req.user?.id,\n *   });\n *   console.log('Quarantined:', entry.id);\n * }\n * ```\n *\n * @module quarantine/workflow\n */\n\nimport * as crypto from \"crypto\";\nimport type { ScanReport } from \"../types\";\nimport type { QuarantineStorage } from \"./storage\";\nimport type {\n  QuarantinedFileInfo,\n  QuarantineEntry,\n  QuarantineFilter,\n  QuarantineReport,\n  QuarantineReview,\n  QuarantineStatus,\n} from \"./types\";\n\n// ── Options ───────────────────────────────────────────────────────────────────\n\nexport interface QuarantineManagerOptions {\n  /** Storage adapter — use `FilesystemQuarantineStorage` for local deployments. */\n  storage: QuarantineStorage;\n\n  /**\n   * If true, files with a 'suspicious' verdict are also quarantined.\n   * Default: true.\n   */\n  quarantineSuspicious?: boolean;\n\n  /**\n   * If true, files with a 'malicious' verdict are also quarantined.\n   * Default: true.\n   */\n  quarantineMalicious?: boolean;\n}\n\n// ── Manager ───────────────────────────────────────────────────────────────────\n\n/**\n * Manages the full lifecycle of quarantined files:\n *   scan → quarantine → review → promote | delete\n */\nexport class QuarantineManager {\n  private readonly storage: QuarantineStorage;\n  private readonly quarantineSuspicious: boolean;\n  private readonly quarantineMalicious: boolean;\n\n  constructor(options: QuarantineManagerOptions) {\n    this.storage = options.storage;\n    this.quarantineSuspicious = options.quarantineSuspicious ?? true;\n    this.quarantineMalicious = options.quarantineMalicious ?? true;\n  }\n\n  /**\n   * Determine whether a scan report should trigger quarantine per the\n   * configured policy.\n   */\n  shouldQuarantine(report: ScanReport): boolean {\n    if (report.verdict === \"malicious\") return this.quarantineMalicious;\n    if (report.verdict === \"suspicious\") return this.quarantineSuspicious;\n    return false;\n  }\n\n  /**\n   * Quarantine a file: save the bytes in storage, create the metadata entry,\n   * and return the entry.\n   *\n   * @param bytes     Raw file bytes.\n   * @param report    The scan report that triggered quarantine.\n   * @param fileInfo  Partial metadata; `sha256` is derived from `bytes` if omitted.\n   */\n  async quarantine(\n    bytes: Uint8Array,\n    report: ScanReport,\n    fileInfo: Omit<QuarantinedFileInfo, \"sha256\"> & { sha256?: string },\n  ): Promise<QuarantineEntry> {\n    const id = generateId();\n    const sha256 = fileInfo.sha256 ?? computeSha256(bytes);\n    const now = new Date().toISOString();\n\n    const storageKey = await this.storage.saveFile(id, bytes);\n\n    const entry: QuarantineEntry = {\n      id,\n      storageKey,\n      file: { ...fileInfo, sha256 },\n      scanReport: report,\n      quarantinedAt: now,\n      status: \"pending\",\n      updatedAt: now,\n    };\n\n    await this.storage.saveEntry(entry);\n    return entry;\n  }\n\n  /**\n   * Mark an entry as being actively reviewed.\n   */\n  async startReview(id: string, reviewedBy?: string): Promise<QuarantineEntry> {\n    return this.storage.updateEntry(id, {\n      status: \"reviewing\",\n      reviewedBy,\n      updatedAt: new Date().toISOString(),\n    });\n  }\n\n  /**\n   * Resolve a quarantine entry with a final decision.\n   *\n   * - `promote`: the file is cleared — bytes remain in storage for the caller\n   *   to move to its final destination.\n   * - `delete`: the bytes are permanently removed from quarantine storage.\n   */\n  async resolve(id: string, review: QuarantineReview): Promise<QuarantineEntry> {\n    const entry = await this.storage.getEntry(id);\n    if (!entry) throw new Error(`Quarantine entry not found: ${id}`);\n    if (entry.status === \"promoted\" || entry.status === \"deleted\") {\n      throw new Error(`Quarantine entry ${id} is already resolved (${entry.status}).`);\n    }\n\n    const now = new Date().toISOString();\n    const newStatus: QuarantineStatus = review.decision === \"promote\" ? \"promoted\" : \"deleted\";\n\n    if (review.decision === \"delete\") {\n      await this.storage.deleteFile(entry.storageKey);\n    }\n\n    return this.storage.updateEntry(id, {\n      status: newStatus,\n      reviewedBy: review.reviewedBy,\n      reviewNote: review.reviewNote,\n      resolvedAt: now,\n      updatedAt: now,\n    });\n  }\n\n  /**\n   * Retrieve the raw bytes of a promoted file so the caller can move it to\n   * permanent storage.  Returns `null` if the entry is not found or has been\n   * deleted.\n   */\n  async getFile(id: string): Promise<Uint8Array | null> {\n    const entry = await this.storage.getEntry(id);\n    if (!entry) return null;\n    return this.storage.getFile(entry.storageKey);\n  }\n\n  // ── Query helpers ───────────────────────────────────────────────────────────\n\n  getEntry(id: string): Promise<QuarantineEntry | null> {\n    return this.storage.getEntry(id);\n  }\n\n  listEntries(filter?: QuarantineFilter): Promise<QuarantineEntry[]> {\n    return this.storage.listEntries(filter);\n  }\n\n  listPending(): Promise<QuarantineEntry[]> {\n    return this.storage.listEntries({ status: \"pending\" });\n  }\n\n  countEntries(filter?: QuarantineFilter): Promise<number> {\n    return this.storage.countEntries(filter);\n  }\n\n  // ── Reporting ───────────────────────────────────────────────────────────────\n\n  /**\n   * Generate a structured JSON report of all quarantine entries matching the\n   * filter — suitable for audit logs and dashboards.\n   */\n  async report(filter?: QuarantineFilter): Promise<QuarantineReport> {\n    const entries = await this.storage.listEntries(filter);\n    const byStatus = { pending: 0, reviewing: 0, promoted: 0, deleted: 0 };\n    for (const e of entries) byStatus[e.status]++;\n    return {\n      generatedAt: new Date().toISOString(),\n      totalEntries: entries.length,\n      byStatus,\n      entries,\n    };\n  }\n}\n\n// ── Helpers ───────────────────────────────────────────────────────────────────\n\nfunction generateId(): string {\n  return crypto.randomUUID();\n}\n\nfunction computeSha256(bytes: Uint8Array): string {\n  return crypto.createHash(\"sha256\").update(bytes).digest(\"hex\");\n}\n"],"names":["path","fs","crypto"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;AAYG;AA4DH;;;;;;;;;AASG;MACU,2BAA2B,CAAA;AAItC,IAAA,WAAA,CAAY,OAA2C,EAAA;AACrD,QAAA,IAAI,CAAC,QAAQ,GAAGA,eAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC;AAC/C,QAAA,IAAI,CAAC,OAAO,GAAGA,eAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC;AAC7C,QAAA,IAAI,OAAO,CAAC,eAAe,KAAK,KAAK,EAAE;AACrC,YAAAC,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAChD,YAAAA,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QACjD;IACF;AAEA,IAAA,MAAM,QAAQ,CAAC,EAAU,EAAE,KAAiB,EAAA;;AAE1C,QAAA,MAAM,UAAU,GAAG,CAAA,EAAG,EAAE,CAAA,CAAA,EAAIC,iBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;AACnE,QAAA,MAAM,QAAQ,GAAGF,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;QACrD,MAAMC,aAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC;AAC5C,QAAA,OAAO,UAAU;IACnB;IAEA,MAAM,OAAO,CAAC,UAAkB,EAAA;AAC9B,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;AACnE,QAAA,IAAI;YACF,MAAM,GAAG,GAAG,MAAMC,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;AAChD,YAAA,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC;QAC5B;AAAE,QAAA,MAAM;AACN,YAAA,OAAO,IAAI;QACb;IACF;IAEA,MAAM,UAAU,CAAC,UAAkB,EAAA;AACjC,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;AACnE,QAAA,MAAMC,aAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAK;;AAE9C,QAAA,CAAC,CAAC;IACJ;IAEA,MAAM,SAAS,CAAC,KAAsB,EAAA;AACpC,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAA,EAAG,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA,KAAA,CAAO,CAAC;QAC1E,MAAMC,aAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC;IAC/E;IAEA,MAAM,QAAQ,CAAC,EAAU,EAAA;AACvB,QAAA,MAAM,QAAQ,GAAGD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,CAAA,KAAA,CAAO,CAAC;AACpE,QAAA,IAAI;AACF,YAAA,MAAM,GAAG,GAAG,MAAMC,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;AACxD,YAAA,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB;QAC3C;AAAE,QAAA,MAAM;AACN,YAAA,OAAO,IAAI;QACb;IACF;AAEA,IAAA,MAAM,WAAW,CAAC,EAAU,EAAE,KAA+B,EAAA;QAC3D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;AACxC,QAAA,IAAI,CAAC,QAAQ;AAAE,YAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,EAAE,CAAA,CAAE,CAAC;QACnE,MAAM,OAAO,GAAoB,EAAE,GAAG,QAAQ,EAAE,GAAG,KAAK,EAAE;AAC1D,QAAA,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;AAC7B,QAAA,OAAO,OAAO;IAChB;IAEA,MAAM,WAAW,CAAC,MAAyB,EAAA;QACzC,MAAM,KAAK,GAAG,MAAMA,aAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,MAAM,EAAc,CAAC;QACjF,MAAM,OAAO,GAAsB,EAAE;AAErC,QAAA,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;AACxB,YAAA,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE;AAC7B,YAAA,IAAI;gBACF,MAAM,GAAG,GAAG,MAAMA,aAAE,CAAC,QAAQ,CAAC,QAAQ,CAACD,eAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC;gBAC7E,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;YAClD;AAAE,YAAA,MAAM;;YAER;QACF;AAEA,QAAA,OAAO,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC;IACrC;IAEA,MAAM,YAAY,CAAC,MAAyB,EAAA;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;QAC9C,OAAO,OAAO,CAAC,MAAM;IACvB;AACD;AAED;AAEA;;;AAGG;AACH,SAAS,YAAY,CAAC,GAAW,EAAA;AAC/B,IAAA,OAAOA,eAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC;AAC5D;AAEA,SAAS,WAAW,CAAC,OAA0B,EAAE,MAAyB,EAAA;AACxE,IAAA,IAAI,CAAC,MAAM;AAAE,QAAA,OAAO,OAAO;IAE3B,IAAI,MAAM,GAAG,OAAO;AAEpB,IAAA,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE;QAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC;AAC/E,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC5D;AACA,IAAA,IAAI,MAAM,CAAC,KAAK,EAAE;AAChB,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,KAAM,CAAC;IACjE;AACA,IAAA,IAAI,MAAM,CAAC,MAAM,EAAE;AACjB,QAAA,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,aAAa,IAAI,MAAM,CAAC,MAAO,CAAC;IAClE;AACA,IAAA,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE;QAC9B,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC;IACxC;AAEA,IAAA,OAAO,MAAM;AACf;;ACpMA;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BG;AAiCH;AAEA;;;AAGG;MACU,iBAAiB,CAAA;AAK5B,IAAA,WAAA,CAAY,OAAiC,EAAA;AAC3C,QAAA,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO;QAC9B,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,IAAI,IAAI;QAChE,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,IAAI;IAChE;AAEA;;;AAGG;AACH,IAAA,gBAAgB,CAAC,MAAkB,EAAA;AACjC,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC,mBAAmB;AACnE,QAAA,IAAI,MAAM,CAAC,OAAO,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC,oBAAoB;AACrE,QAAA,OAAO,KAAK;IACd;AAEA;;;;;;;AAOG;AACH,IAAA,MAAM,UAAU,CACd,KAAiB,EACjB,MAAkB,EAClB,QAAmE,EAAA;AAEnE,QAAA,MAAM,EAAE,GAAG,UAAU,EAAE;QACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,aAAa,CAAC,KAAK,CAAC;QACtD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AAEpC,QAAA,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;AAEzD,QAAA,MAAM,KAAK,GAAoB;YAC7B,EAAE;YACF,UAAU;AACV,YAAA,IAAI,EAAE,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE;AAC7B,YAAA,UAAU,EAAE,MAAM;AAClB,YAAA,aAAa,EAAE,GAAG;AAClB,YAAA,MAAM,EAAE,SAAS;AACjB,YAAA,SAAS,EAAE,GAAG;SACf;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC;AACnC,QAAA,OAAO,KAAK;IACd;AAEA;;AAEG;AACH,IAAA,MAAM,WAAW,CAAC,EAAU,EAAE,UAAmB,EAAA;AAC/C,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE;AAClC,YAAA,MAAM,EAAE,WAAW;YACnB,UAAU;AACV,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACpC,SAAA,CAAC;IACJ;AAEA;;;;;;AAMG;AACH,IAAA,MAAM,OAAO,CAAC,EAAU,EAAE,MAAwB,EAAA;QAChD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7C,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,MAAM,IAAI,KAAK,CAAC,+BAA+B,EAAE,CAAA,CAAE,CAAC;AAChE,QAAA,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE;YAC7D,MAAM,IAAI,KAAK,CAAC,CAAA,iBAAA,EAAoB,EAAE,CAAA,sBAAA,EAAyB,KAAK,CAAC,MAAM,CAAA,EAAA,CAAI,CAAC;QAClF;QAEA,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACpC,QAAA,MAAM,SAAS,GAAqB,MAAM,CAAC,QAAQ,KAAK,SAAS,GAAG,UAAU,GAAG,SAAS;AAE1F,QAAA,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE;YAChC,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC;QACjD;AAEA,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE;AAClC,YAAA,MAAM,EAAE,SAAS;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;AAC7B,YAAA,UAAU,EAAE,GAAG;AACf,YAAA,SAAS,EAAE,GAAG;AACf,SAAA,CAAC;IACJ;AAEA;;;;AAIG;IACH,MAAM,OAAO,CAAC,EAAU,EAAA;QACtB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7C,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,OAAO,IAAI;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/C;;AAIA,IAAA,QAAQ,CAAC,EAAU,EAAA;QACjB,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IAClC;AAEA,IAAA,WAAW,CAAC,MAAyB,EAAA;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;IACzC;IAEA,WAAW,GAAA;AACT,QAAA,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACxD;AAEA,IAAA,YAAY,CAAC,MAAyB,EAAA;QACpC,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC;IAC1C;;AAIA;;;AAGG;IACH,MAAM,MAAM,CAAC,MAAyB,EAAA;QACpC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;AACtD,QAAA,MAAM,QAAQ,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;QACtE,KAAK,MAAM,CAAC,IAAI,OAAO;AAAE,YAAA,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE;QAC7C,OAAO;AACL,YAAA,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,YAAY,EAAE,OAAO,CAAC,MAAM;YAC5B,QAAQ;YACR,OAAO;SACR;IACH;AACD;AAED;AAEA,SAAS,UAAU,GAAA;AACjB,IAAA,OAAOE,iBAAM,CAAC,UAAU,EAAE;AAC5B;AAEA,SAAS,aAAa,CAAC,KAAiB,EAAA;AACtC,IAAA,OAAOA,iBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;AAChE;;;;;"}

package/dist/pompelmi.quarantine.esm.js

@@ -1,293 +0,0 @@
-import * as crypto from 'crypto';
-import * as fs from 'fs';
-import * as path from 'path';
-
-/**
- * Quarantine storage adapter interface and filesystem reference implementation.
- *
- * The `QuarantineStorage` interface decouples the quarantine workflow from any
- * specific persistence layer.  You can implement it for S3, GCS, a database,
- * or any other backend.
- *
- * The built-in `FilesystemQuarantineStorage` stores files and metadata as JSON
- * in a local directory — suitable for development, self-hosted, and on-premise
- * deployments where data must not leave the machine.
- *
- * @module quarantine/storage
- */
-/**
- * Reference implementation of `QuarantineStorage` backed by the local filesystem.
- *
- * File layout:
- *   <dir>/files/<storageKey>   — raw file bytes
- *   <dir>/meta/<id>.json       — QuarantineEntry JSON
- *
- * Suitable for single-process servers.  For multi-process or distributed
- * deployments, implement `QuarantineStorage` against a shared backend.
- */
-class FilesystemQuarantineStorage {
-    constructor(options) {
-        this.filesDir = path.join(options.dir, "files");
-        this.metaDir = path.join(options.dir, "meta");
-        if (options.createIfMissing !== false) {
-            fs.mkdirSync(this.filesDir, { recursive: true });
-            fs.mkdirSync(this.metaDir, { recursive: true });
-        }
-    }
-    async saveFile(id, bytes) {
-        // Use a safe, collision-resistant filename derived from the entry id.
-        const storageKey = `${id}-${crypto.randomBytes(4).toString("hex")}`;
-        const filePath = path.join(this.filesDir, storageKey);
-        await fs.promises.writeFile(filePath, bytes);
-        return storageKey;
-    }
-    async getFile(storageKey) {
-        const filePath = path.join(this.filesDir, safeBasename(storageKey));
-        try {
-            const buf = await fs.promises.readFile(filePath);
-            return new Uint8Array(buf);
-        }
-        catch {
-            return null;
-        }
-    }
-    async deleteFile(storageKey) {
-        const filePath = path.join(this.filesDir, safeBasename(storageKey));
-        await fs.promises.unlink(filePath).catch(() => {
-            /* already gone */
-        });
-    }
-    async saveEntry(entry) {
-        const metaPath = path.join(this.metaDir, `${safeBasename(entry.id)}.json`);
-        await fs.promises.writeFile(metaPath, JSON.stringify(entry, null, 2), "utf8");
-    }
-    async getEntry(id) {
-        const metaPath = path.join(this.metaDir, `${safeBasename(id)}.json`);
-        try {
-            const raw = await fs.promises.readFile(metaPath, "utf8");
-            return JSON.parse(raw);
-        }
-        catch {
-            return null;
-        }
-    }
-    async updateEntry(id, patch) {
-        const existing = await this.getEntry(id);
-        if (!existing)
-            throw new Error(`Quarantine entry not found: ${id}`);
-        const updated = { ...existing, ...patch };
-        await this.saveEntry(updated);
-        return updated;
-    }
-    async listEntries(filter) {
-        const files = await fs.promises.readdir(this.metaDir).catch(() => []);
-        const entries = [];
-        for (const file of files) {
-            if (!file.endsWith(".json"))
-                continue;
-            try {
-                const raw = await fs.promises.readFile(path.join(this.metaDir, file), "utf8");
-                entries.push(JSON.parse(raw));
-            }
-            catch {
-                // Skip unreadable entries.
-            }
-        }
-        return applyFilter(entries, filter);
-    }
-    async countEntries(filter) {
-        const entries = await this.listEntries(filter);
-        return entries.length;
-    }
-}
-// ── Helpers ───────────────────────────────────────────────────────────────────
-/**
- * Strip directory separators to prevent path-traversal attacks when using
- * user-supplied or derived keys as filenames.
- */
-function safeBasename(key) {
-    return path.basename(key).replace(/[^a-zA-Z0-9._-]/g, "_");
-}
-function applyFilter(entries, filter) {
-    if (!filter)
-        return entries;
-    let result = entries;
-    if (filter.status !== undefined) {
-        const statuses = Array.isArray(filter.status) ? filter.status : [filter.status];
-        result = result.filter((e) => statuses.includes(e.status));
-    }
-    if (filter.after) {
-        result = result.filter((e) => e.quarantinedAt >= filter.after);
-    }
-    if (filter.before) {
-        result = result.filter((e) => e.quarantinedAt <= filter.before);
-    }
-    if (filter.limit !== undefined) {
-        result = result.slice(0, filter.limit);
-    }
-    return result;
-}
-
-/**
- * Quarantine workflow — core API for the quarantine/review/resolve lifecycle.
- *
- * Usage (Node.js):
- *
- * ```ts
- * import { scanBytes } from 'pompelmi';
- * import { QuarantineManager, FilesystemQuarantineStorage } from 'pompelmi/quarantine';
- *
- * const quarantine = new QuarantineManager({
- *   storage: new FilesystemQuarantineStorage({ dir: './quarantine' }),
- * });
- *
- * const report = await scanBytes(fileBytes, { ctx: { filename: file.name } });
- *
- * if (report.verdict !== 'clean') {
- *   const entry = await quarantine.quarantine(fileBytes, report, {
- *     originalName: file.name,
- *     sizeBytes: fileBytes.length,
- *     uploadedBy: req.user?.id,
- *   });
- *   console.log('Quarantined:', entry.id);
- * }
- * ```
- *
- * @module quarantine/workflow
- */
-// ── Manager ───────────────────────────────────────────────────────────────────
-/**
- * Manages the full lifecycle of quarantined files:
- *   scan → quarantine → review → promote | delete
- */
-class QuarantineManager {
-    constructor(options) {
-        this.storage = options.storage;
-        this.quarantineSuspicious = options.quarantineSuspicious ?? true;
-        this.quarantineMalicious = options.quarantineMalicious ?? true;
-    }
-    /**
-     * Determine whether a scan report should trigger quarantine per the
-     * configured policy.
-     */
-    shouldQuarantine(report) {
-        if (report.verdict === "malicious")
-            return this.quarantineMalicious;
-        if (report.verdict === "suspicious")
-            return this.quarantineSuspicious;
-        return false;
-    }
-    /**
-     * Quarantine a file: save the bytes in storage, create the metadata entry,
-     * and return the entry.
-     *
-     * @param bytes     Raw file bytes.
-     * @param report    The scan report that triggered quarantine.
-     * @param fileInfo  Partial metadata; `sha256` is derived from `bytes` if omitted.
-     */
-    async quarantine(bytes, report, fileInfo) {
-        const id = generateId();
-        const sha256 = fileInfo.sha256 ?? computeSha256(bytes);
-        const now = new Date().toISOString();
-        const storageKey = await this.storage.saveFile(id, bytes);
-        const entry = {
-            id,
-            storageKey,
-            file: { ...fileInfo, sha256 },
-            scanReport: report,
-            quarantinedAt: now,
-            status: "pending",
-            updatedAt: now,
-        };
-        await this.storage.saveEntry(entry);
-        return entry;
-    }
-    /**
-     * Mark an entry as being actively reviewed.
-     */
-    async startReview(id, reviewedBy) {
-        return this.storage.updateEntry(id, {
-            status: "reviewing",
-            reviewedBy,
-            updatedAt: new Date().toISOString(),
-        });
-    }
-    /**
-     * Resolve a quarantine entry with a final decision.
-     *
-     * - `promote`: the file is cleared — bytes remain in storage for the caller
-     *   to move to its final destination.
-     * - `delete`: the bytes are permanently removed from quarantine storage.
-     */
-    async resolve(id, review) {
-        const entry = await this.storage.getEntry(id);
-        if (!entry)
-            throw new Error(`Quarantine entry not found: ${id}`);
-        if (entry.status === "promoted" || entry.status === "deleted") {
-            throw new Error(`Quarantine entry ${id} is already resolved (${entry.status}).`);
-        }
-        const now = new Date().toISOString();
-        const newStatus = review.decision === "promote" ? "promoted" : "deleted";
-        if (review.decision === "delete") {
-            await this.storage.deleteFile(entry.storageKey);
-        }
-        return this.storage.updateEntry(id, {
-            status: newStatus,
-            reviewedBy: review.reviewedBy,
-            reviewNote: review.reviewNote,
-            resolvedAt: now,
-            updatedAt: now,
-        });
-    }
-    /**
-     * Retrieve the raw bytes of a promoted file so the caller can move it to
-     * permanent storage.  Returns `null` if the entry is not found or has been
-     * deleted.
-     */
-    async getFile(id) {
-        const entry = await this.storage.getEntry(id);
-        if (!entry)
-            return null;
-        return this.storage.getFile(entry.storageKey);
-    }
-    // ── Query helpers ───────────────────────────────────────────────────────────
-    getEntry(id) {
-        return this.storage.getEntry(id);
-    }
-    listEntries(filter) {
-        return this.storage.listEntries(filter);
-    }
-    listPending() {
-        return this.storage.listEntries({ status: "pending" });
-    }
-    countEntries(filter) {
-        return this.storage.countEntries(filter);
-    }
-    // ── Reporting ───────────────────────────────────────────────────────────────
-    /**
-     * Generate a structured JSON report of all quarantine entries matching the
-     * filter — suitable for audit logs and dashboards.
-     */
-    async report(filter) {
-        const entries = await this.storage.listEntries(filter);
-        const byStatus = { pending: 0, reviewing: 0, promoted: 0, deleted: 0 };
-        for (const e of entries)
-            byStatus[e.status]++;
-        return {
-            generatedAt: new Date().toISOString(),
-            totalEntries: entries.length,
-            byStatus,
-            entries,
-        };
-    }
-}
-// ── Helpers ───────────────────────────────────────────────────────────────────
-function generateId() {
-    return crypto.randomUUID();
-}
-function computeSha256(bytes) {
-    return crypto.createHash("sha256").update(bytes).digest("hex");
-}
-
-export { FilesystemQuarantineStorage, QuarantineManager };
-//# sourceMappingURL=pompelmi.quarantine.esm.js.map