pompelmi 0.35.5 → 1.0.0

package/dist/pompelmi.browser.cjs

@@ -1,1549 +0,0 @@
-'use strict';
-
-var crypto = require('crypto');
-var zlib = require('zlib');
-
-const MB$1 = 1024 * 1024;
-const DEFAULT_POLICY = {
-    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf"],
-    allowedMimeTypes: ["application/zip", "image/png", "image/jpeg", "application/pdf", "text/plain"],
-    maxFileSizeBytes: 20 * MB$1,
-    timeoutMs: 5000,
-    concurrency: 4,
-    failClosed: true,
-};
-function definePolicy(input = {}) {
-    const p = { ...DEFAULT_POLICY, ...input };
-    if (!Array.isArray(p.includeExtensions))
-        throw new TypeError("includeExtensions must be string[]");
-    if (!Array.isArray(p.allowedMimeTypes))
-        throw new TypeError("allowedMimeTypes must be string[]");
-    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
-        throw new TypeError("maxFileSizeBytes must be > 0");
-    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
-        throw new TypeError("timeoutMs must be > 0");
-    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
-        throw new TypeError("concurrency must be > 0");
-    return p;
-}
-
-/**
- * Policy packs for Pompelmi.
- *
- * Pre-configured, named policies for common upload scenarios.  Each pack
- * defines the file type allowlist, size limits, and timeout appropriate for
- * its use case.
- *
- * All packs are built on `definePolicy` and are fully overridable:
- *
- * ```ts
- * import { POLICY_PACKS } from 'pompelmi/policy-packs';
- *
- * // Use a pack as-is:
- * const policy = POLICY_PACKS['images-only'];
- *
- * // Or override individual fields:
- * import { definePolicy } from 'pompelmi';
- * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
- * ```
- *
- * These packs are *deterministic* and *descriptor-based* — they do not
- * depend on any external threat intelligence feed.
- *
- * @module policy-packs
- */
-const KB = 1024;
-const MB = 1024 * KB;
-// ── Policy packs ──────────────────────────────────────────────────────────────
-/**
- * Documents-only policy.
- *
- * Appropriate for: document management APIs, PDF/Office file upload endpoints,
- * data import pipelines.
- *
- * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
- *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
- * Max size: 25 MB.
- */
-const DOCUMENTS_ONLY = definePolicy({
-    includeExtensions: [
-        "pdf",
-        "doc",
-        "docx",
-        "xls",
-        "xlsx",
-        "ppt",
-        "pptx",
-        "odt",
-        "ods",
-        "odp",
-        "csv",
-        "txt",
-        "json",
-        "yaml",
-        "yml",
-        "md",
-    ],
-    allowedMimeTypes: [
-        "application/pdf",
-        "application/msword",
-        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-        "application/vnd.ms-excel",
-        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-        "application/vnd.ms-powerpoint",
-        "application/vnd.openxmlformats-officedocument.presentationml.presentation",
-        "application/vnd.oasis.opendocument.text",
-        "application/vnd.oasis.opendocument.spreadsheet",
-        "application/vnd.oasis.opendocument.presentation",
-        "text/csv",
-        "text/plain",
-        "application/json",
-        "text/yaml",
-        "text/markdown",
-    ],
-    maxFileSizeBytes: 25 * MB,
-    timeoutMs: 10000,
-    concurrency: 4,
-    failClosed: true,
-});
-/**
- * Images-only policy.
- *
- * Appropriate for: avatar uploads, product image APIs, content platforms with
- * user-generated imagery.
- *
- * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
- * Max size: 10 MB.
- * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
- */
-const IMAGES_ONLY = definePolicy({
-    includeExtensions: ["jpg", "jpeg", "png", "gif", "webp", "avif", "tiff", "tif", "bmp", "ico"],
-    allowedMimeTypes: [
-        "image/jpeg",
-        "image/png",
-        "image/gif",
-        "image/webp",
-        "image/avif",
-        "image/tiff",
-        "image/bmp",
-        "image/x-icon",
-        "image/vnd.microsoft.icon",
-    ],
-    maxFileSizeBytes: 10 * MB,
-    timeoutMs: 5000,
-    concurrency: 8,
-    failClosed: true,
-});
-/**
- * Strict public-upload policy.
- *
- * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
- * any surface exposed to untrusted users.
- *
- * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
- * allowlist.  Only allows plain images and PDF.
- */
-const STRICT_PUBLIC_UPLOAD = definePolicy({
-    includeExtensions: ["jpg", "jpeg", "png", "webp", "pdf"],
-    allowedMimeTypes: ["image/jpeg", "image/png", "image/webp", "application/pdf"],
-    maxFileSizeBytes: 5 * MB,
-    timeoutMs: 4000,
-    concurrency: 2,
-    failClosed: true,
-});
-/**
- * Conservative default policy.
- *
- * A hardened version of the built-in `DEFAULT_POLICY` suitable for
- * production without further customisation.  Stricter size limit and
- * shorter timeout than the permissive default.
- */
-const CONSERVATIVE_DEFAULT = definePolicy({
-    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf", "txt", "csv", "docx", "xlsx"],
-    allowedMimeTypes: [
-        "application/zip",
-        "image/png",
-        "image/jpeg",
-        "application/pdf",
-        "text/plain",
-        "text/csv",
-        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-    ],
-    maxFileSizeBytes: 10 * MB,
-    timeoutMs: 8000,
-    concurrency: 4,
-    failClosed: true,
-});
-/**
- * Archives policy.
- *
- * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
- * Combines a generous size allowance with a longer timeout for deep inspection.
- *
- * NOTE: Pair this policy with `createZipBombGuard()` to defend against
- * decompression-bomb attacks:
- *
- * ```ts
- * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
- * const scanner = composeScanners(
- *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
- * );
- * ```
- */
-const ARCHIVES = definePolicy({
-    includeExtensions: ["zip", "tar", "gz", "tgz", "bz2", "xz", "7z", "rar"],
-    allowedMimeTypes: [
-        "application/zip",
-        "application/x-tar",
-        "application/gzip",
-        "application/x-bzip2",
-        "application/x-xz",
-        "application/x-7z-compressed",
-        "application/x-rar-compressed",
-    ],
-    maxFileSizeBytes: 100 * MB,
-    timeoutMs: 30000,
-    concurrency: 2,
-    failClosed: true,
-});
-/**
- * Named map of all built-in policy packs.
- *
- * ```ts
- * import { POLICY_PACKS } from 'pompelmi/policy-packs';
- * const policy = POLICY_PACKS['strict-public-upload'];
- * ```
- */
-const POLICY_PACKS = {
-    "documents-only": DOCUMENTS_ONLY,
-    "images-only": IMAGES_ONLY,
-    "strict-public-upload": STRICT_PUBLIC_UPLOAD,
-    "conservative-default": CONSERVATIVE_DEFAULT,
-    archives: ARCHIVES,
-};
-/**
- * Look up a policy pack by name.
- * Throws if the name is not recognised.
- */
-function getPolicyPack(name) {
-    const policy = POLICY_PACKS[name];
-    if (!policy)
-        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(", ")}`);
-    return policy;
-}
-
-function hasAsciiToken(buf, token) {
-    // Use latin1 so we can safely search binary
-    return buf.indexOf(token, 0, "latin1") !== -1;
-}
-function startsWith(buf, bytes) {
-    if (buf.length < bytes.length)
-        return false;
-    for (let i = 0; i < bytes.length; i++)
-        if (buf[i] !== bytes[i])
-            return false;
-    return true;
-}
-function isPDF(buf) {
-    // %PDF-
-    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
-}
-function isOleCfb(buf) {
-    // D0 CF 11 E0 A1 B1 1A E1
-    const sig = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1];
-    return startsWith(buf, sig);
-}
-function isZipLike$1(buf) {
-    // PK\x03\x04
-    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
-}
-function isPeExecutable(buf) {
-    // "MZ"
-    return startsWith(buf, [0x4d, 0x5a]);
-}
-/** OOXML macro hint via filename token in ZIP container */
-function hasOoxmlMacros(buf) {
-    if (!isZipLike$1(buf))
-        return false;
-    return hasAsciiToken(buf, "vbaProject.bin");
-}
-/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
-function pdfRiskTokens(buf) {
-    const tokens = ["/JavaScript", "/OpenAction", "/AA", "/Launch"];
-    return tokens.filter((t) => hasAsciiToken(buf, t));
-}
-const CommonHeuristicsScanner = {
-    async scan(input) {
-        const buf = Buffer.from(input);
-        const matches = [];
-        // Office macros (OLE / OOXML)
-        if (isOleCfb(buf)) {
-            matches.push({ rule: "office_ole_container", severity: "suspicious" });
-        }
-        if (hasOoxmlMacros(buf)) {
-            matches.push({ rule: "office_ooxml_macros", severity: "suspicious" });
-        }
-        // PDF risky tokens
-        if (isPDF(buf)) {
-            const toks = pdfRiskTokens(buf);
-            if (toks.length) {
-                matches.push({
-                    rule: "pdf_risky_actions",
-                    severity: "suspicious",
-                    meta: { tokens: toks },
-                });
-            }
-        }
-        // Executable header
-        if (isPeExecutable(buf)) {
-            matches.push({ rule: "pe_executable_signature", severity: "suspicious" });
-        }
-        // EICAR test file
-        const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
-        if (hasAsciiToken(buf, EICAR_NEEDLE)) {
-            matches.push({
-                rule: "eicar_test_file",
-                severity: "high",
-                meta: { note: "EICAR standard antivirus test file detected" },
-            });
-        }
-        return matches;
-    },
-};
-
-function toScanFn(s) {
-    return (typeof s === "function" ? s : s.scan);
-}
-/** Map a Match's severity field to a Verdict for stopOn comparison. */
-function matchToVerdict(m) {
-    const s = m.severity;
-    if (s === "critical" || s === "high" || s === "malicious")
-        return "malicious";
-    if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
-        return "suspicious";
-    return "clean";
-}
-/** Highest verdict across all matches in the list. */
-function highestSeverity(matches) {
-    if (matches.length === 0)
-        return null;
-    if (matches.some((m) => matchToVerdict(m) === "malicious"))
-        return "malicious";
-    if (matches.some((m) => matchToVerdict(m) === "suspicious"))
-        return "suspicious";
-    return "clean";
-}
-const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
-function shouldStop(matches, stopOn) {
-    if (!stopOn)
-        return false;
-    const highest = highestSeverity(matches);
-    if (!highest)
-        return false;
-    return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
-}
-async function runWithTimeout(fn, timeoutMs) {
-    if (!timeoutMs)
-        return fn();
-    return new Promise((resolve, reject) => {
-        const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
-        fn().then((v) => {
-            clearTimeout(timer);
-            resolve(v);
-        }, (e) => {
-            clearTimeout(timer);
-            reject(e);
-        });
-    });
-}
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function composeScanners(...args) {
-    const first = args[0];
-    const rest = args.slice(1);
-    // ── Named-scanner array form ──────────────────────────────────────────────
-    if (Array.isArray(first) &&
-        (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
-        const entries = first;
-        const opts = rest.length > 0 &&
-            !Array.isArray(rest[0]) &&
-            typeof rest[0] !== "function" &&
-            !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
-            ? rest[0]
-            : {};
-        return async (input, ctx) => {
-            const all = [];
-            if (opts.parallel) {
-                // Parallel execution — collect all results then return
-                const results = await Promise.allSettled(entries.map(([_name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
-                for (let i = 0; i < results.length; i++) {
-                    const result = results[i];
-                    if (result.status === "fulfilled" && Array.isArray(result.value)) {
-                        const matches = opts.tagSourceName
-                            ? result.value.map((m) => ({
-                                ...m,
-                                meta: { ...m.meta, _sourceName: entries[i][0] },
-                            }))
-                            : result.value;
-                        all.push(...matches);
-                    }
-                }
-            }
-            else {
-                // Sequential execution with optional stopOn short-circuit
-                for (const [name, scanner] of entries) {
-                    try {
-                        const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
-                        if (Array.isArray(out)) {
-                            const matches = opts.tagSourceName
-                                ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
-                                : out;
-                            all.push(...matches);
-                            if (shouldStop(all, opts.stopOn))
-                                break;
-                        }
-                    }
-                    catch {
-                        // individual scanner failure is non-fatal
-                    }
-                }
-            }
-            return all;
-        };
-    }
-    // ── Variadic form (backward-compatible) ───────────────────────────────────
-    const scanners = [first, ...rest].filter(Boolean);
-    return async (input, ctx) => {
-        const all = [];
-        for (const s of scanners) {
-            try {
-                const out = await toScanFn(s)(input, ctx);
-                if (Array.isArray(out))
-                    all.push(...out);
-            }
-            catch {
-                // ignore individual scanner failures
-            }
-        }
-        return all;
-    };
-}
-function createPresetScanner(preset, opts = {}) {
-    const baseScanners = [CommonHeuristicsScanner];
-    const dynamicScannerPromises = [];
-    // Add decompilation scanners based on preset
-    if (preset === "decompilation-basic" ||
-        preset === "decompilation-deep" ||
-        preset === "malware-analysis" ||
-        opts.enableDecompilation) {
-        const depth = preset === "decompilation-deep" || preset === "malware-analysis"
-            ? "deep"
-            : preset === "decompilation-basic"
-                ? "basic"
-                : opts.decompilationDepth || "basic";
-        let importModule;
-        try {
-            // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
-            importModule = new Function("specifier", "return import(specifier)");
-        }
-        catch {
-            importModule = undefined;
-        }
-        if (importModule &&
-            (!opts.decompilationEngine ||
-                opts.decompilationEngine === "binaryninja-hlil" ||
-                opts.decompilationEngine === "both")) {
-            dynamicScannerPromises.push(importModule("@pompelmi/engine-binaryninja")
-                .then((mod) => mod.createBinaryNinjaScanner({
-                timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                depth,
-                pythonPath: opts.pythonPath,
-                binaryNinjaPath: opts.binaryNinjaPath,
-            }))
-                .catch(() => null));
-        }
-        if (importModule &&
-            (!opts.decompilationEngine ||
-                opts.decompilationEngine === "ghidra-pcode" ||
-                opts.decompilationEngine === "both")) {
-            dynamicScannerPromises.push(importModule("@pompelmi/engine-ghidra")
-                .then((mod) => mod.createGhidraScanner({
-                timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                depth,
-                ghidraPath: opts.ghidraPath,
-                analyzeHeadless: opts.analyzeHeadless,
-            }))
-                .catch(() => null));
-        }
-    }
-    let composedScannerPromise;
-    const getComposedScanner = async () => {
-        composedScannerPromise ?? (composedScannerPromise = Promise.all(dynamicScannerPromises).then((dynamicScanners) => composeScanners(...baseScanners, ...dynamicScanners.filter((scanner) => scanner !== null))));
-        return composedScannerPromise;
-    };
-    return async (input, ctx) => {
-        const scanner = await getComposedScanner();
-        return scanner(input, ctx);
-    };
-}
-
-/**
- * Advanced threat detection utilities
- * @module utils/advanced-detection
- */
-/**
- * Enhanced polyglot file detection
- * Detects files that can be interpreted as multiple formats
- */
-function detectPolyglot(bytes) {
-    const matches = [];
-    // Check for PDF/ZIP polyglot
-    if (isPDFZipPolyglot(bytes)) {
-        matches.push({
-            rule: "polyglot_pdf_zip",
-            severity: "high",
-            meta: { description: "File can be interpreted as both PDF and ZIP" },
-        });
-    }
-    // Check for image/script polyglot
-    if (isImageScriptPolyglot(bytes)) {
-        matches.push({
-            rule: "polyglot_image_script",
-            severity: "high",
-            meta: { description: "Image file contains executable script content" },
-        });
-    }
-    // Check for GIFAR (GIF/JAR polyglot)
-    if (isGIFAR(bytes)) {
-        matches.push({
-            rule: "polyglot_gifar",
-            severity: "critical",
-            meta: { description: "GIF file contains Java archive" },
-        });
-    }
-    return matches;
-}
-/**
- * Detect obfuscated JavaScript/VBScript
- */
-function detectObfuscatedScripts(bytes) {
-    const matches = [];
-    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
-    // Check for common obfuscation patterns
-    const obfuscationPatterns = [
-        /eval\s*\(\s*unescape\s*\(/gi,
-        /eval\s*\(\s*atob\s*\(/gi,
-        /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
-        /[a-z0-9]{100,}/gi, // Long encoded strings
-        /\\x[0-9a-f]{2}/gi, // Hex escapes
-    ];
-    for (const pattern of obfuscationPatterns) {
-        if (pattern.test(text)) {
-            matches.push({
-                rule: "obfuscated_script",
-                severity: "medium",
-                meta: {
-                    description: "Detected obfuscated script content",
-                    pattern: pattern.source,
-                },
-            });
-            break;
-        }
-    }
-    return matches;
-}
-/**
- * Enhanced nested archive detection with depth limits
- */
-function analyzeNestedArchives(bytes, maxDepth = 10) {
-    let depth = 0;
-    let currentBytes = bytes;
-    while (depth < maxDepth) {
-        if (isArchive(currentBytes)) {
-            depth++;
-            {
-                break;
-            }
-        }
-        else {
-            break;
-        }
-    }
-    return {
-        depth,
-        hasExcessiveNesting: depth >= 5,
-    };
-}
-// Helper functions
-function isPDFZipPolyglot(bytes) {
-    if (bytes.length < 8)
-        return false;
-    // Check for PDF signature
-    const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
-    // Check for ZIP signature anywhere in the file
-    let hasZIP = false;
-    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 &&
-            bytes[i + 1] === 0x4b &&
-            bytes[i + 2] === 0x03 &&
-            bytes[i + 3] === 0x04) {
-            hasZIP = true;
-            break;
-        }
-    }
-    return hasPDF && hasZIP;
-}
-function isImageScriptPolyglot(bytes) {
-    if (bytes.length < 100)
-        return false;
-    // Check for image signatures
-    const isImage = (bytes[0] === 0xff && bytes[1] === 0xd8) || // JPEG
-        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4e && bytes[3] === 0x47) || // PNG
-        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46); // GIF
-    if (!isImage)
-        return false;
-    // Check for script content
-    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes);
-    return /<script|javascript:|eval\(|function\s*\(/i.test(text);
-}
-function isGIFAR(bytes) {
-    if (bytes.length < 100)
-        return false;
-    // Check for GIF signature
-    const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
-    // Check for ZIP/JAR signature
-    let hasZIP = false;
-    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 &&
-            bytes[i + 1] === 0x4b &&
-            bytes[i + 2] === 0x03 &&
-            bytes[i + 3] === 0x04) {
-            hasZIP = true;
-            break;
-        }
-    }
-    return isGIF && hasZIP;
-}
-function isArchive(bytes) {
-    if (bytes.length < 4)
-        return false;
-    return (
-    // ZIP
-    (bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04) ||
-        // RAR
-        (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
-        // 7z
-        (bytes[0] === 0x37 && bytes[1] === 0x7a && bytes[2] === 0xbc && bytes[3] === 0xaf) ||
-        // tar.gz
-        (bytes[0] === 0x1f && bytes[1] === 0x8b));
-}
-
-/**
- * Cache management system for scan results
- * @module utils/cache-manager
- */
-/**
- * LRU cache for scan results with TTL support
- */
-class ScanCacheManager {
-    constructor(options = {}) {
-        this.cache = new Map();
-        // Statistics
-        this.stats = {
-            hits: 0,
-            misses: 0,
-            evictions: 0,
-        };
-        this.maxSize = options.maxSize ?? 1000;
-        this.ttl = options.ttl ?? 3600000; // 1 hour default
-        this.enableLRU = options.enableLRU ?? true;
-        this.enableStats = options.enableStats ?? false;
-    }
-    /**
-     * Generate cache key from file content
-     */
-    generateKey(content, preset) {
-        const hash = crypto.createHash("sha256")
-            .update(content)
-            .update(preset || "default")
-            .digest("hex");
-        return hash;
-    }
-    /**
-     * Check if cache entry is still valid
-     */
-    isValid(entry) {
-        return Date.now() - entry.timestamp < this.ttl;
-    }
-    /**
-     * Evict oldest or least-used entry when cache is full
-     */
-    evict() {
-        if (this.cache.size === 0)
-            return;
-        let targetKey = null;
-        let oldestTime = Infinity;
-        let lowestAccess = Infinity;
-        for (const [key, entry] of this.cache.entries()) {
-            if (this.enableLRU) {
-                // LRU: evict least recently used
-                if (entry.timestamp < oldestTime) {
-                    oldestTime = entry.timestamp;
-                    targetKey = key;
-                }
-            }
-            else {
-                // LFU: evict least frequently used
-                if (entry.accessCount < lowestAccess) {
-                    lowestAccess = entry.accessCount;
-                    targetKey = key;
-                }
-            }
-        }
-        if (targetKey) {
-            this.cache.delete(targetKey);
-            if (this.enableStats)
-                this.stats.evictions++;
-        }
-    }
-    /**
-     * Store scan result in cache
-     */
-    set(content, report, preset) {
-        const key = this.generateKey(content, preset);
-        // Evict if necessary
-        if (this.cache.size >= this.maxSize) {
-            this.evict();
-        }
-        this.cache.set(key, {
-            report,
-            timestamp: Date.now(),
-            accessCount: 0,
-        });
-    }
-    /**
-     * Retrieve scan result from cache
-     */
-    get(content, preset) {
-        const key = this.generateKey(content, preset);
-        const entry = this.cache.get(key);
-        if (!entry) {
-            if (this.enableStats)
-                this.stats.misses++;
-            return null;
-        }
-        if (!this.isValid(entry)) {
-            this.cache.delete(key);
-            if (this.enableStats)
-                this.stats.misses++;
-            return null;
-        }
-        // Update access tracking
-        entry.accessCount++;
-        entry.timestamp = Date.now(); // Update for LRU
-        if (this.enableStats)
-            this.stats.hits++;
-        return entry.report;
-    }
-    /**
-     * Check if result exists in cache
-     */
-    has(content, preset) {
-        const key = this.generateKey(content, preset);
-        const entry = this.cache.get(key);
-        return entry !== undefined && this.isValid(entry);
-    }
-    /**
-     * Clear entire cache
-     */
-    clear() {
-        this.cache.clear();
-        if (this.enableStats) {
-            this.stats.hits = 0;
-            this.stats.misses = 0;
-            this.stats.evictions = 0;
-        }
-    }
-    /**
-     * Remove expired entries
-     */
-    prune() {
-        let removed = 0;
-        for (const [key, entry] of this.cache.entries()) {
-            if (!this.isValid(entry)) {
-                this.cache.delete(key);
-                removed++;
-            }
-        }
-        return removed;
-    }
-    /**
-     * Get cache statistics
-     */
-    getStats() {
-        const total = this.stats.hits + this.stats.misses;
-        const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
-        return {
-            hits: this.stats.hits,
-            misses: this.stats.misses,
-            size: this.cache.size,
-            hitRate,
-            evictions: this.stats.evictions,
-        };
-    }
-    /**
-     * Get current cache size
-     */
-    get size() {
-        return this.cache.size;
-    }
-}
-// Export singleton instance for convenience
-let defaultCache = null;
-/**
- * Get or create the default cache instance
- */
-function getDefaultCache(options) {
-    if (!defaultCache) {
-        defaultCache = new ScanCacheManager(options);
-    }
-    return defaultCache;
-}
-
-/**
- * Performance monitoring utilities for pompelmi scans
- * @module utils/performance-metrics
- */
-/**
- * Track performance metrics for a scan operation
- */
-class PerformanceTracker {
-    constructor() {
-        this.checkpoints = new Map();
-        this.startTime = Date.now();
-    }
-    /**
-     * Mark a checkpoint in the scan process
-     */
-    checkpoint(name) {
-        this.checkpoints.set(name, Date.now());
-    }
-    /**
-     * Get duration since start or since a specific checkpoint
-     */
-    getDuration(since) {
-        const now = Date.now();
-        if (since && this.checkpoints.has(since)) {
-            return now - (this.checkpoints.get(since) ?? now);
-        }
-        return now - this.startTime;
-    }
-    /**
-     * Generate final metrics report
-     */
-    getMetrics(bytesScanned) {
-        const totalDuration = this.getDuration();
-        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
-        return {
-            totalDurationMs: totalDuration,
-            heuristicsDurationMs: this.checkpoints.has("heuristics_end")
-                ? (this.checkpoints.get("heuristics_end") ?? 0) -
-                    (this.checkpoints.get("heuristics_start") ?? 0)
-                : undefined,
-            yaraDurationMs: this.checkpoints.has("yara_end")
-                ? (this.checkpoints.get("yara_end") ?? 0) - (this.checkpoints.get("yara_start") ?? 0)
-                : undefined,
-            prepDurationMs: this.checkpoints.has("prep_end")
-                ? (this.checkpoints.get("prep_end") ?? 0) - this.startTime
-                : undefined,
-            throughputBps: throughput,
-            bytesScanned,
-            startedAt: this.startTime,
-            completedAt: Date.now(),
-        };
-    }
-}
-/**
- * Aggregate statistics from multiple scan reports
- */
-function aggregateScanStats(reports) {
-    let cleanCount = 0;
-    let suspiciousCount = 0;
-    let maliciousCount = 0;
-    let totalDuration = 0;
-    let totalBytes = 0;
-    let validDurationCount = 0;
-    for (const report of reports) {
-        if (report.verdict === "clean")
-            cleanCount++;
-        else if (report.verdict === "suspicious")
-            suspiciousCount++;
-        else if (report.verdict === "malicious")
-            maliciousCount++;
-        if (report.durationMs !== undefined) {
-            totalDuration += report.durationMs;
-            validDurationCount++;
-        }
-        if (report.file?.size !== undefined) {
-            totalBytes += report.file.size;
-        }
-    }
-    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
-    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
-    return {
-        totalScans: reports.length,
-        cleanCount,
-        suspiciousCount,
-        maliciousCount,
-        avgDurationMs: avgDuration,
-        avgThroughputBps: avgThroughput,
-        totalBytesScanned: totalBytes,
-    };
-}
-
-/** Mappa veloce estensione -> mime (basic) */
-function guessMimeByExt(name) {
-    if (!name)
-        return;
-    const ext = name.toLowerCase().split(".").pop();
-    switch (ext) {
-        case "zip":
-            return "application/zip";
-        case "png":
-            return "image/png";
-        case "jpg":
-        case "jpeg":
-            return "image/jpeg";
-        case "pdf":
-            return "application/pdf";
-        case "txt":
-            return "text/plain";
-        default:
-            return;
-    }
-}
-/** Heuristica semplice per verdetto */
-function computeVerdict(matches) {
-    if (!matches.length)
-        return "clean";
-    // se la regola contiene 'zip_' lo marchiamo "suspicious"
-    const anyHigh = matches.some((m) => (m.tags ?? []).includes("critical") || (m.tags ?? []).includes("high"));
-    return anyHigh ? "malicious" : "suspicious";
-}
-/** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
-function toYaraMatches(ms) {
-    return ms.map((m) => ({
-        rule: m.rule,
-        namespace: "heuristics",
-        tags: ["heuristics"].concat(m.severity ? [m.severity] : []),
-        meta: m.meta,
-    }));
-}
-/** Scan di bytes (browser/node) usando preset (default: zip-basic) */
-async function scanBytes(input, opts = {}) {
-    // Check cache first if enabled
-    if (opts.enableCache || opts.config?.performance?.enableCache) {
-        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
-        const cached = cache.get(input, opts.preset);
-        if (cached) {
-            return cached;
-        }
-    }
-    const perfTracker = opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking
-        ? new PerformanceTracker()
-        : null;
-    perfTracker?.checkpoint("prep_start");
-    const preset = opts.preset ?? opts.config?.defaultPreset ?? "zip-basic";
-    const ctx = {
-        ...opts.ctx,
-        mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
-        size: opts.ctx?.size ?? input.byteLength,
-    };
-    perfTracker?.checkpoint("prep_end");
-    perfTracker?.checkpoint("heuristics_start");
-    const scanFn = createPresetScanner(preset);
-    const matchesH = await (typeof scanFn === "function"
-        ? scanFn
-        : scanFn.scan)(input, ctx);
-    const allMatches = [...matchesH];
-    perfTracker?.checkpoint("heuristics_end");
-    // Advanced detection (enabled by default, can be overridden by config)
-    const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
-    if (advancedEnabled) {
-        perfTracker?.checkpoint("advanced_start");
-        // Detect polyglot files
-        if (opts.config?.advanced?.enablePolyglotDetection !== false) {
-            const polyglotMatches = detectPolyglot(input);
-            allMatches.push(...polyglotMatches);
-        }
-        // Detect obfuscated scripts
-        if (opts.config?.advanced?.enableObfuscationDetection !== false) {
-            const obfuscatedMatches = detectObfuscatedScripts(input);
-            allMatches.push(...obfuscatedMatches);
-        }
-        // Check for excessive nesting in archives
-        if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
-            const nestingAnalysis = analyzeNestedArchives(input);
-            const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
-            if (nestingAnalysis.hasExcessiveNesting || nestingAnalysis.depth > maxDepth) {
-                allMatches.push({
-                    rule: "excessive_archive_nesting",
-                    severity: "high",
-                    meta: {
-                        description: "Excessive archive nesting detected",
-                        depth: nestingAnalysis.depth,
-                        maxAllowed: maxDepth,
-                    },
-                });
-            }
-        }
-        perfTracker?.checkpoint("advanced_end");
-    }
-    const matches = toYaraMatches(allMatches);
-    const verdict = computeVerdict(matches);
-    perfTracker ? perfTracker.getDuration() : Date.now();
-    const durationMs = perfTracker ? perfTracker.getDuration() : 0;
-    const report = {
-        ok: verdict === "clean",
-        verdict,
-        matches,
-        reasons: matches.map((m) => m.rule),
-        file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
-        durationMs,
-        engine: "heuristics",
-        truncated: false,
-        timedOut: false,
-    };
-    // Add performance metrics if tracking enabled
-    if (perfTracker &&
-        (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
-        report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
-    }
-    // Cache result if enabled
-    if (opts.enableCache || opts.config?.performance?.enableCache) {
-        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
-        cache.set(input, report, opts.preset);
-    }
-    // Invoke callbacks if configured
-    opts.config?.callbacks?.onScanComplete?.(report);
-    return report;
-}
-/** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
-async function scanFile(filePath, opts = {}) {
-    const [{ readFile, stat }, path] = await Promise.all([import('fs/promises'), import('path')]);
-    const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
-    const ctx = {
-        filename: path.basename(filePath),
-        mimeType: guessMimeByExt(filePath),
-        size: st.size,
-    };
-    return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
-}
-/** Scan multipli File (browser) usando scanBytes + preset di default */
-async function scanFiles(files, opts = {}) {
-    const list = Array.from(files);
-    const out = [];
-    for (const f of list) {
-        const buf = new Uint8Array(await f.arrayBuffer());
-        const rep = await scanBytes(buf, {
-            ...opts,
-            ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
-        });
-        out.push(rep);
-    }
-    return out;
-}
-
-const ARCHIVE_BOMB_DETECTED = "ARCHIVE_BOMB_DETECTED";
-const SIG_LFH = 0x04034b50;
-const SIG_CEN = 0x02014b50;
-const DEFAULTS = {
-    maxEntries: 1000,
-    maxTotalUncompressedBytes: 500 * 1024 * 1024,
-    maxPerEntryUncompressedBytes: 100 * 1024 * 1024,
-    maxEntryNameLength: 255,
-    maxCompressionRatio: 100,
-    eocdSearchWindow: 70000,
-};
-function r16(buf, off) {
-    return buf.readUInt16LE(off);
-}
-function r32(buf, off) {
-    return buf.readUInt32LE(off);
-}
-function isZipLike(buf) {
-    return (buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04);
-}
-function lastIndexOfEOCD(buf, window) {
-    const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
-    const start = Math.max(0, buf.length - window);
-    const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
-    return idx >= start ? idx : -1;
-}
-function hasTraversal(name) {
-    return (name.includes("../") || name.includes("..\\") || name.startsWith("/") || /^[A-Za-z]:/.test(name));
-}
-function makeBombError() {
-    return Object.assign(new Error("Archive bomb detected: decompression limits exceeded"), {
-        code: ARCHIVE_BOMB_DETECTED,
-    });
-}
-/**
- * Feeds `compressed` into a raw DEFLATE inflate stream and counts the actual
- * output bytes. Resolves with bombed=true and aborts early if any limit fires:
- *   - decompressed bytes > maxPerEntry
- *   - totalSoFar + decompressed > maxTotal
- *   - decompressed / compressed > maxRatio  (ratio measured on real bytes, not headers)
- *
- * Malformed DEFLATE is treated as safe (bombed=false, decompressed=0).
- */
-function streamInflate(compressed, maxPerEntry, maxTotal, alreadySeen, maxRatio) {
-    return new Promise((resolve) => {
-        const inf = zlib.createInflateRaw();
-        let out = 0;
-        const compBytes = compressed.length;
-        let done = false;
-        const finish = (bombed) => {
-            if (done)
-                return;
-            done = true;
-            inf.destroy();
-            resolve({ decompressed: out, bombed });
-        };
-        inf.on("data", (chunk) => {
-            out += chunk.length;
-            if (out > maxPerEntry ||
-                alreadySeen + out > maxTotal ||
-                (compBytes > 0 && out / compBytes > maxRatio)) {
-                finish(true);
-            }
-        });
-        inf.on("end", () => finish(false));
-        // Malformed DEFLATE stream → not a bomb, just corrupt
-        inf.on("error", () => finish(false));
-        inf.end(compressed);
-    });
-}
-function createZipBombGuard(opts = {}) {
-    const cfg = { ...DEFAULTS, ...opts };
-    return {
-        async scan(input) {
-            const buf = Buffer.from(input);
-            const matches = [];
-            if (!isZipLike(buf))
-                return matches;
-            // ── 1. Locate EOCD ──────────────────────────────────────────────────────
-            const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
-            if (eocdPos < 0 || eocdPos + 22 > buf.length) {
-                matches.push({ rule: "zip_eocd_not_found", severity: "medium" });
-                return matches;
-            }
-            const totalEntries = r16(buf, eocdPos + 10);
-            const cdSize = r32(buf, eocdPos + 12);
-            const cdOffset = r32(buf, eocdPos + 16);
-            if (cdOffset + cdSize > buf.length) {
-                matches.push({ rule: "zip_cd_out_of_bounds", severity: "medium" });
-                return matches;
-            }
-            const lfhIndex = [];
-            let ptr = cdOffset;
-            let seen = 0;
-            while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
-                if (r32(buf, ptr) !== SIG_CEN)
-                    break;
-                const cdCompSize = r32(buf, ptr + 20);
-                const fnLen = r16(buf, ptr + 28);
-                const exLen = r16(buf, ptr + 30);
-                const cmLen = r16(buf, ptr + 32);
-                const lfhOffset = r32(buf, ptr + 42);
-                const nameEnd = ptr + 46 + fnLen;
-                if (nameEnd > buf.length)
-                    break;
-                const name = buf.toString("utf8", ptr + 46, nameEnd);
-                seen++;
-                lfhIndex.push({ lfhOffset, cdCompSize });
-                if (name.length > cfg.maxEntryNameLength) {
-                    matches.push({
-                        rule: "zip_entry_name_too_long",
-                        severity: "medium",
-                        meta: { name, length: name.length },
-                    });
-                }
-                if (hasTraversal(name)) {
-                    matches.push({ rule: "zip_path_traversal_entry", severity: "medium", meta: { name } });
-                }
-                ptr = nameEnd + exLen + cmLen;
-            }
-            if (seen !== totalEntries) {
-                matches.push({
-                    rule: "zip_cd_truncated",
-                    severity: "medium",
-                    meta: { seen, totalEntries },
-                });
-            }
-            if (seen > cfg.maxEntries) {
-                matches.push({
-                    rule: "zip_too_many_entries",
-                    severity: "medium",
-                    meta: { seen, limit: cfg.maxEntries },
-                });
-                // Return early — decompressing thousands of entries would be a DoS vector
-                return matches;
-            }
-            // ── 3. True streaming decompression — archive bomb detection ────────────
-            // For every DEFLATE entry (method=8) we feed the raw compressed bytes into
-            // zlib.createInflateRaw() and count the bytes that come OUT.  We abort the
-            // moment any limit fires; we NEVER trust the header-reported uncompressed
-            // size for the ratio decision.
-            //
-            // For STORED entries (method=0) compressed == uncompressed by spec, so the
-            // byte count is immediate.
-            let totalDecompressed = 0;
-            for (const { lfhOffset, cdCompSize } of lfhIndex) {
-                if (lfhOffset + 30 > buf.length)
-                    continue;
-                if (r32(buf, lfhOffset) !== SIG_LFH)
-                    continue;
-                const gpbf = r16(buf, lfhOffset + 6);
-                const method = r16(buf, lfhOffset + 8);
-                let lfhCompSz = r32(buf, lfhOffset + 18);
-                const fnLen = r16(buf, lfhOffset + 26);
-                const exLen = r16(buf, lfhOffset + 28);
-                const dataOff = lfhOffset + 30 + fnLen + exLen;
-                // If the data-descriptor flag is set (GPBF bit 3), the LFH sizes are 0.
-                // Fall back to the CD size purely for navigation — not for bomb detection.
-                if ((gpbf & 0x08) !== 0 && lfhCompSz === 0) {
-                    lfhCompSz = cdCompSize;
-                }
-                if (dataOff + lfhCompSz > buf.length)
-                    continue; // truncated entry — skip
-                if (method === 8 /* DEFLATE */) {
-                    const compressed = buf.slice(dataOff, dataOff + lfhCompSz);
-                    const { decompressed, bombed } = await streamInflate(compressed, cfg.maxPerEntryUncompressedBytes, cfg.maxTotalUncompressedBytes, totalDecompressed, cfg.maxCompressionRatio);
-                    if (bombed)
-                        throw makeBombError();
-                    totalDecompressed += decompressed;
-                }
-                else if (method === 0 /* STORED */) {
-                    // Compressed == uncompressed for stored entries
-                    if (lfhCompSz > cfg.maxPerEntryUncompressedBytes)
-                        throw makeBombError();
-                    totalDecompressed += lfhCompSz;
-                    if (totalDecompressed > cfg.maxTotalUncompressedBytes)
-                        throw makeBombError();
-                }
-                // Other methods (bzip2=12, lzma=14, zstd=93, …) — skip; no built-in support
-            }
-            return matches;
-        },
-    };
-}
-
-/**
- * Export utilities for scan results
- * @module utils/export
- */
-/**
- * Export scan results to various formats
- */
-class ScanResultExporter {
-    /**
-     * Export to JSON format
-     */
-    toJSON(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        if (!options.includeDetails) {
-            // Simplified output
-            const simplified = data.map((r) => ({
-                verdict: r.verdict,
-                file: r.file?.name,
-                matches: r.matches.length,
-                durationMs: r.durationMs,
-            }));
-            return options.prettyPrint ? JSON.stringify(simplified, null, 2) : JSON.stringify(simplified);
-        }
-        return options.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
-    }
-    /**
-     * Export to CSV format
-     */
-    toCSV(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const headers = [
-            "filename",
-            "verdict",
-            "matches_count",
-            "file_size",
-            "mime_type",
-            "duration_ms",
-            "engine",
-        ];
-        if (options.includeDetails) {
-            headers.push("reasons", "match_rules");
-        }
-        const rows = data.map((report) => {
-            const row = [
-                this.escapeCsv(report.file?.name || "unknown"),
-                report.verdict,
-                report.matches.length.toString(),
-                (report.file?.size || 0).toString(),
-                this.escapeCsv(report.file?.mimeType || "unknown"),
-                (report.durationMs || 0).toString(),
-                report.engine || "unknown",
-            ];
-            if (options.includeDetails) {
-                row.push(this.escapeCsv((report.reasons || []).join("; ")), this.escapeCsv(report.matches.map((m) => m.rule).join("; ")));
-            }
-            return row.join(",");
-        });
-        return [headers.join(","), ...rows].join("\n");
-    }
-    /**
-     * Export to Markdown format
-     */
-    toMarkdown(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        let md = "# Scan Results\n\n";
-        md += `**Total Scans:** ${data.length}\n\n`;
-        const clean = data.filter((r) => r.verdict === "clean").length;
-        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
-        const malicious = data.filter((r) => r.verdict === "malicious").length;
-        md += "## Summary\n\n";
-        md += `- ✅ Clean: ${clean}\n`;
-        md += `- ⚠️ Suspicious: ${suspicious}\n`;
-        md += `- ❌ Malicious: ${malicious}\n\n`;
-        md += "## Detailed Results\n\n";
-        for (const report of data) {
-            const icon = report.verdict === "clean" ? "✅" : report.verdict === "suspicious" ? "⚠️" : "❌";
-            md += `### ${icon} ${report.file?.name || "Unknown"}\n\n`;
-            md += `- **Verdict:** ${report.verdict}\n`;
-            md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
-            md += `- **MIME Type:** ${report.file?.mimeType || "unknown"}\n`;
-            md += `- **Duration:** ${report.durationMs || 0}ms\n`;
-            md += `- **Matches:** ${report.matches.length}\n`;
-            if (options.includeDetails && report.matches.length > 0) {
-                md += "\n**Match Details:**\n";
-                for (const match of report.matches) {
-                    md += `- ${match.rule}`;
-                    if (match.tags && match.tags.length > 0) {
-                        md += ` (${match.tags.join(", ")})`;
-                    }
-                    md += "\n";
-                }
-            }
-            md += "\n";
-        }
-        return md;
-    }
-    /**
-     * Export to SARIF format (Static Analysis Results Interchange Format)
-     * Useful for CI/CD integration
-     */
-    toSARIF(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const results = data.flatMap((report) => {
-            if (report.verdict === "clean")
-                return [];
-            return report.matches.map((match) => ({
-                ruleId: match.rule,
-                level: report.verdict === "malicious" ? "error" : "warning",
-                message: {
-                    text: `${match.rule} detected in ${report.file?.name || "unknown file"}`,
-                },
-                locations: [
-                    {
-                        physicalLocation: {
-                            artifactLocation: {
-                                uri: report.file?.name || "unknown",
-                            },
-                        },
-                    },
-                ],
-                properties: {
-                    tags: match.tags,
-                    metadata: match.meta,
-                },
-            }));
-        });
-        const sarif = {
-            version: "2.1.0",
-            $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-            runs: [
-                {
-                    tool: {
-                        driver: {
-                            name: "Pompelmi",
-                            version: "0.29.0",
-                            informationUri: "https://pompelmi.github.io/pompelmi/",
-                        },
-                    },
-                    results,
-                },
-            ],
-        };
-        return options.prettyPrint ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
-    }
-    /**
-     * Export to HTML format
-     */
-    toHTML(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const clean = data.filter((r) => r.verdict === "clean").length;
-        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
-        const malicious = data.filter((r) => r.verdict === "malicious").length;
-        let html = `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Pompelmi Scan Results</title>
-  <style>
-    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
-    .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
-    .card { padding: 20px; border-radius: 8px; text-align: center; }
-    .clean { background: #d4edda; color: #155724; }
-    .suspicious { background: #fff3cd; color: #856404; }
-    .malicious { background: #f8d7da; color: #721c24; }
-    .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
-    .result h3 { margin-top: 0; }
-    .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
-    table { width: 100%; border-collapse: collapse; }
-    th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
-  </style>
-</head>
-<body>
-  <h1>🛡️ Pompelmi Scan Results</h1>
-  <div class="summary">
-    <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
-    <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
-    <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
-  </div>
-  <h2>Detailed Results</h2>`;
-        for (const report of data) {
-            const statusClass = report.verdict;
-            html += `<div class="result ${statusClass}">`;
-            html += `<h3>${this.escapeHtml(report.file?.name || "Unknown")}</h3>`;
-            html += `<table>`;
-            html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
-            html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
-            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || "unknown")}</td></tr>`;
-            html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
-            html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
-            html += `</table>`;
-            if (options.includeDetails && report.matches.length > 0) {
-                html += `<h4>Match Details:</h4><ul>`;
-                for (const match of report.matches) {
-                    html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
-                    if (match.tags && match.tags.length > 0) {
-                        html += ` ${match.tags.map((tag) => `<span class="badge">${this.escapeHtml(tag)}</span>`).join("")}`;
-                    }
-                    html += `</li>`;
-                }
-                html += `</ul>`;
-            }
-            html += `</div>`;
-        }
-        html += `</body></html>`;
-        return html;
-    }
-    /**
-     * Export to specified format
-     */
-    export(reports, format, options = {}) {
-        switch (format) {
-            case "json":
-                return this.toJSON(reports, options);
-            case "csv":
-                return this.toCSV(reports, options);
-            case "markdown":
-                return this.toMarkdown(reports, options);
-            case "html":
-                return this.toHTML(reports, options);
-            case "sarif":
-                return this.toSARIF(reports, options);
-            default:
-                throw new Error(`Unsupported export format: ${format}`);
-        }
-    }
-    escapeCsv(value) {
-        if (value.includes(",") || value.includes('"') || value.includes("\n")) {
-            return `"${value.replace(/"/g, '""')}"`;
-        }
-        return value;
-    }
-    escapeHtml(value) {
-        return value
-            .replace(/&/g, "&amp;")
-            .replace(/</g, "&lt;")
-            .replace(/>/g, "&gt;")
-            .replace(/"/g, "&quot;")
-            .replace(/'/g, "&#039;");
-    }
-    formatBytes(bytes) {
-        if (bytes === 0)
-            return "0 Bytes";
-        const k = 1024;
-        const sizes = ["Bytes", "KB", "MB", "GB"];
-        const i = Math.floor(Math.log(bytes) / Math.log(k));
-        return Math.round((bytes / k ** i) * 100) / 100 + " " + sizes[i];
-    }
-}
-/**
- * Quick export helper
- */
-function exportScanResults(reports, format, options) {
-    const exporter = new ScanResultExporter();
-    return exporter.export(reports, format, options);
-}
-
-/**
- * Validates a File by MIME type and size (max 5 MB).
- */
-function validateFile(file) {
-    const maxSize = 5 * 1024 * 1024;
-    const allowedTypes = ["text/plain", "application/json", "text/csv"];
-    if (!allowedTypes.includes(file.type)) {
-        return { valid: false, error: "Unsupported file type" };
-    }
-    if (file.size > maxSize) {
-        return { valid: false, error: "File too large (max 5 MB)" };
-    }
-    return { valid: true };
-}
-
-function mapMatchesToVerdict(matches = []) {
-    if (!matches.length)
-        return "clean";
-    const malHints = ["trojan", "ransom", "worm", "spy", "rootkit", "keylog", "botnet"];
-    const tagSet = new Set(matches.flatMap((m) => (m.tags ?? []).map((t) => t.toLowerCase())));
-    const nameHit = (r) => malHints.some((h) => r.toLowerCase().includes(h));
-    const isMal = matches.some((m) => nameHit(m.rule)) || tagSet.has("malware") || tagSet.has("critical");
-    return isMal ? "malicious" : "suspicious";
-}
-
-exports.ARCHIVES = ARCHIVES;
-exports.CONSERVATIVE_DEFAULT = CONSERVATIVE_DEFAULT;
-exports.CommonHeuristicsScanner = CommonHeuristicsScanner;
-exports.DEFAULT_POLICY = DEFAULT_POLICY;
-exports.DOCUMENTS_ONLY = DOCUMENTS_ONLY;
-exports.IMAGES_ONLY = IMAGES_ONLY;
-exports.POLICY_PACKS = POLICY_PACKS;
-exports.PerformanceTracker = PerformanceTracker;
-exports.STRICT_PUBLIC_UPLOAD = STRICT_PUBLIC_UPLOAD;
-exports.ScanResultExporter = ScanResultExporter;
-exports.aggregateScanStats = aggregateScanStats;
-exports.analyzeNestedArchives = analyzeNestedArchives;
-exports.composeScanners = composeScanners;
-exports.createPresetScanner = createPresetScanner;
-exports.createZipBombGuard = createZipBombGuard;
-exports.definePolicy = definePolicy;
-exports.detectObfuscatedScripts = detectObfuscatedScripts;
-exports.detectPolyglot = detectPolyglot;
-exports.exportScanResults = exportScanResults;
-exports.getPolicyPack = getPolicyPack;
-exports.mapMatchesToVerdict = mapMatchesToVerdict;
-exports.scanBytes = scanBytes;
-exports.scanFile = scanFile;
-exports.scanFiles = scanFiles;
-exports.validateFile = validateFile;
-//# sourceMappingURL=pompelmi.browser.cjs.map