pompelmi 0.35.5 → 1.0.0

package/dist/pompelmi.cjs

@@ -1,2591 +0,0 @@
-'use strict';
-
-var crypto = require('crypto');
-var os = require('os');
-var path = require('path');
-var zlib = require('zlib');
-
-function _interopNamespaceDefault(e) {
-    var n = Object.create(null);
-    if (e) {
-        Object.keys(e).forEach(function (k) {
-            if (k !== 'default') {
-                var d = Object.getOwnPropertyDescriptor(e, k);
-                Object.defineProperty(n, k, d.get ? d : {
-                    enumerable: true,
-                    get: function () { return e[k]; }
-                });
-            }
-        });
-    }
-    n.default = e;
-    return Object.freeze(n);
-}
-
-var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
-var os__namespace = /*#__PURE__*/_interopNamespaceDefault(os);
-var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
-
-/**
- * Advanced configuration system for pompelmi
- * @module config
- */
-/**
- * Default configuration
- */
-const DEFAULT_CONFIG = {
-    defaultPreset: "zip-basic",
-    performance: {
-        enableCache: false,
-        enablePerformanceTracking: false,
-        enableParallel: true,
-        maxConcurrency: 5,
-        cacheOptions: {
-            maxSize: 1000,
-            ttl: 3600000, // 1 hour
-            enableLRU: true,
-            enableStats: false,
-        },
-    },
-    security: {
-        maxFileSize: 100 * 1024 * 1024, // 100MB
-        enableThreatIntel: false,
-        scanTimeout: 30000, // 30 seconds
-        strictMode: false,
-    },
-    advanced: {
-        enablePolyglotDetection: true,
-        enableObfuscationDetection: true,
-        enableNestedArchiveAnalysis: true,
-        maxArchiveDepth: 5,
-    },
-    logging: {
-        verbose: false,
-        level: "info",
-        enableStats: false,
-    },
-};
-/**
- * Configuration presets for common use cases
- */
-const CONFIG_PRESETS = {
-    /** Fast scanning with minimal features */
-    fast: {
-        defaultPreset: "basic",
-        performance: {
-            enableCache: true,
-            enablePerformanceTracking: false,
-            maxConcurrency: 10,
-        },
-        advanced: {
-            enablePolyglotDetection: false,
-            enableObfuscationDetection: false,
-            enableNestedArchiveAnalysis: false,
-        },
-    },
-    /** Balanced scanning (recommended) */
-    balanced: DEFAULT_CONFIG,
-    /** Thorough scanning with all features */
-    thorough: {
-        defaultPreset: "advanced",
-        performance: {
-            enableCache: true,
-            enablePerformanceTracking: true,
-            maxConcurrency: 3,
-        },
-        security: {
-            maxFileSize: 500 * 1024 * 1024, // 500MB
-            enableThreatIntel: true,
-            scanTimeout: 60000, // 60 seconds
-            strictMode: true,
-        },
-        advanced: {
-            enablePolyglotDetection: true,
-            enableObfuscationDetection: true,
-            enableNestedArchiveAnalysis: true,
-            maxArchiveDepth: 10,
-        },
-        logging: {
-            verbose: true,
-            level: "debug",
-            enableStats: true,
-        },
-    },
-    /** Production-ready configuration */
-    production: {
-        defaultPreset: "advanced",
-        performance: {
-            enableCache: true,
-            enablePerformanceTracking: true,
-            maxConcurrency: 5,
-            cacheOptions: {
-                maxSize: 5000,
-                ttl: 7200000, // 2 hours
-                enableLRU: true,
-                enableStats: true,
-            },
-        },
-        security: {
-            maxFileSize: 200 * 1024 * 1024, // 200MB
-            enableThreatIntel: true,
-            scanTimeout: 45000,
-            strictMode: false,
-        },
-        advanced: {
-            enablePolyglotDetection: true,
-            enableObfuscationDetection: true,
-            enableNestedArchiveAnalysis: true,
-            maxArchiveDepth: 7,
-        },
-        logging: {
-            verbose: false,
-            level: "warn",
-            enableStats: true,
-        },
-    },
-    /** Development configuration */
-    development: {
-        defaultPreset: "basic",
-        performance: {
-            enableCache: false,
-            enablePerformanceTracking: true,
-            maxConcurrency: 3,
-        },
-        security: {
-            maxFileSize: 50 * 1024 * 1024, // 50MB
-            scanTimeout: 15000,
-            strictMode: false,
-        },
-        logging: {
-            verbose: true,
-            level: "debug",
-            enableStats: true,
-        },
-    },
-};
-/**
- * Configuration manager
- */
-class ConfigManager {
-    constructor(initialConfig) {
-        this.config = this.mergeConfig(DEFAULT_CONFIG, initialConfig || {});
-    }
-    /**
-     * Get current configuration
-     */
-    getConfig() {
-        return { ...this.config };
-    }
-    /**
-     * Update configuration
-     */
-    updateConfig(updates) {
-        this.config = this.mergeConfig(this.config, updates);
-    }
-    /**
-     * Load a preset configuration
-     */
-    loadPreset(preset) {
-        const presetConfig = CONFIG_PRESETS[preset];
-        this.config = this.mergeConfig(DEFAULT_CONFIG, presetConfig);
-    }
-    /**
-     * Reset to default configuration
-     */
-    reset() {
-        this.config = { ...DEFAULT_CONFIG };
-    }
-    /**
-     * Get a specific configuration value
-     */
-    get(key) {
-        return this.config[key];
-    }
-    /**
-     * Set a specific configuration value
-     */
-    set(key, value) {
-        this.config[key] = value;
-    }
-    /**
-     * Validate configuration
-     */
-    validate() {
-        const errors = [];
-        // Validate performance settings
-        if (this.config.performance?.maxConcurrency !== undefined) {
-            if (this.config.performance.maxConcurrency < 1) {
-                errors.push("maxConcurrency must be at least 1");
-            }
-            if (this.config.performance.maxConcurrency > 50) {
-                errors.push("maxConcurrency should not exceed 50");
-            }
-        }
-        // Validate security settings
-        if (this.config.security?.maxFileSize !== undefined) {
-            if (this.config.security.maxFileSize < 1024) {
-                errors.push("maxFileSize must be at least 1KB");
-            }
-        }
-        if (this.config.security?.scanTimeout !== undefined) {
-            if (this.config.security.scanTimeout < 1000) {
-                errors.push("scanTimeout must be at least 1000ms");
-            }
-        }
-        // Validate advanced settings
-        if (this.config.advanced?.maxArchiveDepth !== undefined) {
-            if (this.config.advanced.maxArchiveDepth < 1) {
-                errors.push("maxArchiveDepth must be at least 1");
-            }
-            if (this.config.advanced.maxArchiveDepth > 20) {
-                errors.push("maxArchiveDepth should not exceed 20");
-            }
-        }
-        return {
-            valid: errors.length === 0,
-            errors,
-        };
-    }
-    /**
-     * Deep merge configuration objects
-     */
-    mergeConfig(base, updates) {
-        return {
-            ...base,
-            ...updates,
-            performance: {
-                ...base.performance,
-                ...updates.performance,
-                cacheOptions: {
-                    ...base.performance?.cacheOptions,
-                    ...updates.performance?.cacheOptions,
-                },
-            },
-            security: {
-                ...base.security,
-                ...updates.security,
-            },
-            advanced: {
-                ...base.advanced,
-                ...updates.advanced,
-            },
-            logging: {
-                ...base.logging,
-                ...updates.logging,
-            },
-            callbacks: {
-                ...base.callbacks,
-                ...updates.callbacks,
-            },
-            presetOptions: {
-                ...base.presetOptions,
-                ...updates.presetOptions,
-            },
-        };
-    }
-    /**
-     * Export configuration as JSON
-     */
-    toJSON() {
-        return JSON.stringify(this.config, null, 2);
-    }
-    /**
-     * Load configuration from JSON
-     */
-    fromJSON(json) {
-        try {
-            const parsed = JSON.parse(json);
-            this.config = this.mergeConfig(DEFAULT_CONFIG, parsed);
-        }
-        catch (error) {
-            throw new Error(`Failed to parse configuration JSON: ${error}`);
-        }
-    }
-}
-/**
- * Create a new configuration manager
- */
-function createConfig(config) {
-    return new ConfigManager(config);
-}
-/**
- * Get a preset configuration
- */
-function getPresetConfig(preset) {
-    return { ...DEFAULT_CONFIG, ...CONFIG_PRESETS[preset] };
-}
-
-/**
- * HIPAA Compliance Module for Pompelmi
- *
- * This module provides comprehensive HIPAA compliance features for healthcare environments
- * where Pompelmi is used to analyze potentially compromised systems containing PHI.
- *
- * Key protections:
- * - Data sanitization and redaction
- * - Secure temporary file handling
- * - Audit logging
- * - Memory protection
- * - Error message sanitization
- */
-class HipaaComplianceManager {
-    constructor(config) {
-        this.auditEvents = [];
-        this.config = {
-            sanitizeErrors: true,
-            sanitizeFilenames: true,
-            encryptTempFiles: true,
-            memoryProtection: true,
-            requireSecureTransport: true,
-            ...config,
-            enabled: config.enabled !== undefined ? config.enabled : true,
-        };
-        this.sessionId = this.generateSessionId();
-    }
-    /**
-     * Sanitize filename to prevent PHI leakage in logs
-     */
-    sanitizeFilename(filename) {
-        if (!this.config.enabled || !this.config.sanitizeFilenames || !filename) {
-            return filename || "unknown";
-        }
-        // Remove potentially sensitive path information
-        const basename = path__namespace.basename(filename);
-        // Hash the filename to create a consistent but non-revealing identifier
-        const hash = crypto__namespace.createHash("sha256").update(basename).digest("hex").substring(0, 8);
-        // Preserve file extension for analysis purposes
-        const ext = path__namespace.extname(basename);
-        return `file_${hash}${ext}`;
-    }
-    /**
-     * Sanitize error messages to prevent PHI exposure
-     */
-    sanitizeError(error) {
-        if (!this.config.enabled || !this.config.sanitizeErrors) {
-            return typeof error === "string" ? error : error.message;
-        }
-        const message = typeof error === "string" ? error : error.message;
-        // Remove common patterns that might contain PHI
-        const sanitized = message
-            // Remove file paths
-            .replace(/[A-Za-z]:\\\\[^\\s]+/g, "[REDACTED_PATH]")
-            .replace(/\/[^\\s]+/g, "[REDACTED_PATH]")
-            // Remove potential patient identifiers (numbers that could be MRNs, SSNs)
-            .replace(/\\b\\d{3}-?\\d{2}-?\\d{4}\\b/g, "[REDACTED_ID]")
-            .replace(/\\b\\d{6,}\\b/g, "[REDACTED_ID]")
-            // Remove email addresses
-            .replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g, "[REDACTED_EMAIL]")
-            // Remove potential names (capitalize words in error messages)
-            .replace(/\\b[A-Z][a-z]+\\s+[A-Z][a-z]+\\b/g, "[REDACTED_NAME]")
-            // Remove IP addresses
-            .replace(/\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g, "[REDACTED_IP]");
-        return sanitized;
-    }
-    /**
-     * Create secure temporary file path with encryption if enabled
-     */
-    createSecureTempPath(prefix = "pompelmi") {
-        if (!this.config.enabled) {
-            return path__namespace.join(os__namespace.tmpdir(), `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
-        }
-        // Use cryptographically secure random names
-        const randomId = crypto__namespace.randomBytes(16).toString("hex");
-        const timestamp = Date.now();
-        // Create path in secure temp directory
-        const secureTempDir = this.getSecureTempDir();
-        const tempPath = path__namespace.join(secureTempDir, `${prefix}-${timestamp}-${randomId}`);
-        this.auditLog("temp_file_created", {
-            action: "create_temp_file",
-            success: true,
-            metadata: { path: this.sanitizeFilename(tempPath) },
-        });
-        return tempPath;
-    }
-    /**
-     * Get or create secure temporary directory with restricted permissions
-     */
-    getSecureTempDir() {
-        const secureTempPath = path__namespace.join(os__namespace.tmpdir(), "pompelmi-secure");
-        try {
-            const fs = require("fs");
-            if (!fs.existsSync(secureTempPath)) {
-                fs.mkdirSync(secureTempPath, { mode: 0o700 }); // Owner read/write/execute only
-            }
-        }
-        catch (error) {
-            // Fallback to system temp
-            return os__namespace.tmpdir();
-        }
-        return secureTempPath;
-    }
-    /**
-     * Secure file cleanup with multiple overwrite passes
-     */
-    async secureFileCleanup(filePath) {
-        if (!this.config.enabled) {
-            try {
-                const fs = await import('fs/promises');
-                await fs.unlink(filePath);
-            }
-            catch {
-                // Ignore cleanup errors
-            }
-            return;
-        }
-        try {
-            const fs = await import('fs/promises');
-            const stats = await fs.stat(filePath);
-            if (this.config.memoryProtection) {
-                // Overwrite file with random data multiple times (DoD 5220.22-M standard)
-                const fileSize = stats.size;
-                const buffer = crypto__namespace.randomBytes(Math.min(fileSize, 64 * 1024)); // 64KB chunks
-                for (let pass = 0; pass < 3; pass++) {
-                    const handle = await fs.open(filePath, "r+");
-                    try {
-                        for (let offset = 0; offset < fileSize; offset += buffer.length) {
-                            const chunk = offset + buffer.length > fileSize ? buffer.subarray(0, fileSize - offset) : buffer;
-                            await handle.write(chunk, 0, chunk.length, offset);
-                        }
-                        await handle.sync();
-                    }
-                    finally {
-                        await handle.close();
-                    }
-                }
-            }
-            // Final deletion
-            await fs.unlink(filePath);
-            this.auditLog("temp_file_deleted", {
-                action: "secure_delete",
-                success: true,
-                metadata: {
-                    path: this.sanitizeFilename(filePath),
-                    overwritePasses: this.config.memoryProtection ? 3 : 0,
-                },
-            });
-        }
-        catch (error) {
-            this.auditLog("temp_file_deleted", {
-                action: "secure_delete",
-                success: false,
-                sanitizedError: this.sanitizeError(error),
-                metadata: { path: this.sanitizeFilename(filePath) },
-            });
-        }
-    }
-    /**
-     * Calculate secure file hash for audit purposes
-     */
-    calculateFileHash(data) {
-        return crypto__namespace.createHash("sha256").update(data).digest("hex");
-    }
-    /**
-     * Log audit event
-     */
-    auditLog(eventType, details) {
-        if (!this.config.enabled)
-            return;
-        const event = {
-            timestamp: new Date().toISOString(),
-            eventType,
-            sessionId: this.sessionId,
-            details: {
-                action: details.action || "unknown",
-                success: details.success ?? true,
-                ...details,
-            },
-        };
-        this.auditEvents.push(event);
-        // Write to audit log file if configured
-        if (this.config.auditLogPath) {
-            this.writeAuditLog(event).catch(() => {
-                // Silent failure to prevent error loops
-            });
-        }
-    }
-    /**
-     * Write audit event to file
-     */
-    async writeAuditLog(event) {
-        if (!this.config.auditLogPath)
-            return;
-        try {
-            const fs = await import('fs/promises');
-            const logLine = JSON.stringify(event) + "\\n";
-            await fs.appendFile(this.config.auditLogPath, logLine, { flag: "a" });
-        }
-        catch {
-            // Silent failure
-        }
-    }
-    /**
-     * Generate cryptographically secure session ID
-     */
-    generateSessionId() {
-        return crypto__namespace.randomBytes(16).toString("hex");
-    }
-    /**
-     * Get current audit events for this session
-     */
-    getAuditEvents() {
-        return [...this.auditEvents];
-    }
-    /**
-     * Clear sensitive data from memory
-     */
-    clearSensitiveData() {
-        if (!this.config.enabled || !this.config.memoryProtection)
-            return;
-        // Clear audit events
-        this.auditEvents.length = 0;
-        // Force garbage collection if available
-        if (global.gc) {
-            global.gc();
-        }
-    }
-    /**
-     * Validate transport security
-     */
-    validateTransportSecurity(url) {
-        if (!this.config.enabled || !this.config.requireSecureTransport) {
-            return true;
-        }
-        if (!url)
-            return true;
-        try {
-            const urlObj = new URL(url);
-            const isSecure = urlObj.protocol === "https:" ||
-                urlObj.hostname === "localhost" ||
-                urlObj.hostname === "127.0.0.1";
-            if (!isSecure) {
-                this.auditLog("security_violation", {
-                    action: "insecure_transport",
-                    success: false,
-                    metadata: { protocol: urlObj.protocol, hostname: urlObj.hostname },
-                });
-            }
-            return isSecure;
-        }
-        catch {
-            return false;
-        }
-    }
-}
-// Global HIPAA compliance instance
-let hipaaManager = null;
-/**
- * Initialize HIPAA compliance
- */
-function initializeHipaaCompliance(config) {
-    hipaaManager = new HipaaComplianceManager(config);
-    return hipaaManager;
-}
-/**
- * Get current HIPAA compliance manager
- */
-function getHipaaManager() {
-    return hipaaManager;
-}
-/**
- * HIPAA-compliant error wrapper
- */
-function createHipaaError(error, context) {
-    const manager = getHipaaManager();
-    if (!manager) {
-        return typeof error === "string" ? new Error(error) : error;
-    }
-    const sanitizedMessage = manager.sanitizeError(error);
-    const hipaaError = new Error(sanitizedMessage);
-    manager.auditLog("error_occurred", {
-        action: context || "error",
-        success: false,
-        sanitizedError: sanitizedMessage,
-    });
-    return hipaaError;
-}
-/**
- * HIPAA-compliant temporary file utilities
- */
-const HipaaTemp = {
-    createPath: (prefix) => {
-        const manager = getHipaaManager();
-        return manager
-            ? manager.createSecureTempPath(prefix)
-            : path__namespace.join(os__namespace.tmpdir(), `${prefix || "pompelmi"}-${Date.now()}`);
-    },
-    cleanup: async (filePath) => {
-        const manager = getHipaaManager();
-        if (manager) {
-            await manager.secureFileCleanup(filePath);
-        }
-        else {
-            try {
-                const fs = await import('fs/promises');
-                await fs.unlink(filePath);
-            }
-            catch {
-                // Ignore errors
-            }
-        }
-    },
-};
-
-const MB$1 = 1024 * 1024;
-const DEFAULT_POLICY = {
-    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf"],
-    allowedMimeTypes: ["application/zip", "image/png", "image/jpeg", "application/pdf", "text/plain"],
-    maxFileSizeBytes: 20 * MB$1,
-    timeoutMs: 5000,
-    concurrency: 4,
-    failClosed: true,
-};
-function definePolicy(input = {}) {
-    const p = { ...DEFAULT_POLICY, ...input };
-    if (!Array.isArray(p.includeExtensions))
-        throw new TypeError("includeExtensions must be string[]");
-    if (!Array.isArray(p.allowedMimeTypes))
-        throw new TypeError("allowedMimeTypes must be string[]");
-    if (!(Number.isFinite(p.maxFileSizeBytes) && p.maxFileSizeBytes > 0))
-        throw new TypeError("maxFileSizeBytes must be > 0");
-    if (!(Number.isFinite(p.timeoutMs) && p.timeoutMs > 0))
-        throw new TypeError("timeoutMs must be > 0");
-    if (!(Number.isInteger(p.concurrency) && p.concurrency > 0))
-        throw new TypeError("concurrency must be > 0");
-    return p;
-}
-
-/**
- * Policy packs for Pompelmi.
- *
- * Pre-configured, named policies for common upload scenarios.  Each pack
- * defines the file type allowlist, size limits, and timeout appropriate for
- * its use case.
- *
- * All packs are built on `definePolicy` and are fully overridable:
- *
- * ```ts
- * import { POLICY_PACKS } from 'pompelmi/policy-packs';
- *
- * // Use a pack as-is:
- * const policy = POLICY_PACKS['images-only'];
- *
- * // Or override individual fields:
- * import { definePolicy } from 'pompelmi';
- * const custom = definePolicy({ ...POLICY_PACKS['documents-only'], maxFileSizeBytes: 5 * 1024 * 1024 });
- * ```
- *
- * These packs are *deterministic* and *descriptor-based* — they do not
- * depend on any external threat intelligence feed.
- *
- * @module policy-packs
- */
-const KB = 1024;
-const MB = 1024 * KB;
-// ── Policy packs ──────────────────────────────────────────────────────────────
-/**
- * Documents-only policy.
- *
- * Appropriate for: document management APIs, PDF/Office file upload endpoints,
- * data import pipelines.
- *
- * Allowed: PDF, Word (.docx/.doc), Excel (.xlsx/.xls), PowerPoint (.pptx/.ppt),
- *   CSV, plain text, JSON, YAML, ODT/ODS/ODP (OpenDocument).
- * Max size: 25 MB.
- */
-const DOCUMENTS_ONLY = definePolicy({
-    includeExtensions: [
-        "pdf",
-        "doc",
-        "docx",
-        "xls",
-        "xlsx",
-        "ppt",
-        "pptx",
-        "odt",
-        "ods",
-        "odp",
-        "csv",
-        "txt",
-        "json",
-        "yaml",
-        "yml",
-        "md",
-    ],
-    allowedMimeTypes: [
-        "application/pdf",
-        "application/msword",
-        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-        "application/vnd.ms-excel",
-        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-        "application/vnd.ms-powerpoint",
-        "application/vnd.openxmlformats-officedocument.presentationml.presentation",
-        "application/vnd.oasis.opendocument.text",
-        "application/vnd.oasis.opendocument.spreadsheet",
-        "application/vnd.oasis.opendocument.presentation",
-        "text/csv",
-        "text/plain",
-        "application/json",
-        "text/yaml",
-        "text/markdown",
-    ],
-    maxFileSizeBytes: 25 * MB,
-    timeoutMs: 10000,
-    concurrency: 4,
-    failClosed: true,
-});
-/**
- * Images-only policy.
- *
- * Appropriate for: avatar uploads, product image APIs, content platforms with
- * user-generated imagery.
- *
- * Allowed: JPEG, PNG, GIF, WebP, AVIF, TIFF, BMP, ICO.
- * Max size: 10 MB.
- * Note: SVG is intentionally excluded — inline SVGs can contain scripts.
- */
-const IMAGES_ONLY = definePolicy({
-    includeExtensions: ["jpg", "jpeg", "png", "gif", "webp", "avif", "tiff", "tif", "bmp", "ico"],
-    allowedMimeTypes: [
-        "image/jpeg",
-        "image/png",
-        "image/gif",
-        "image/webp",
-        "image/avif",
-        "image/tiff",
-        "image/bmp",
-        "image/x-icon",
-        "image/vnd.microsoft.icon",
-    ],
-    maxFileSizeBytes: 10 * MB,
-    timeoutMs: 5000,
-    concurrency: 8,
-    failClosed: true,
-});
-/**
- * Strict public-upload policy.
- *
- * Appropriate for: anonymous or low-trust upload endpoints, public APIs,
- * any surface exposed to untrusted users.
- *
- * Aggressive size limit (5 MB), short timeout, fail-closed, narrow MIME
- * allowlist.  Only allows plain images and PDF.
- */
-const STRICT_PUBLIC_UPLOAD = definePolicy({
-    includeExtensions: ["jpg", "jpeg", "png", "webp", "pdf"],
-    allowedMimeTypes: ["image/jpeg", "image/png", "image/webp", "application/pdf"],
-    maxFileSizeBytes: 5 * MB,
-    timeoutMs: 4000,
-    concurrency: 2,
-    failClosed: true,
-});
-/**
- * Conservative default policy.
- *
- * A hardened version of the built-in `DEFAULT_POLICY` suitable for
- * production without further customisation.  Stricter size limit and
- * shorter timeout than the permissive default.
- */
-const CONSERVATIVE_DEFAULT = definePolicy({
-    includeExtensions: ["zip", "png", "jpg", "jpeg", "pdf", "txt", "csv", "docx", "xlsx"],
-    allowedMimeTypes: [
-        "application/zip",
-        "image/png",
-        "image/jpeg",
-        "application/pdf",
-        "text/plain",
-        "text/csv",
-        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-    ],
-    maxFileSizeBytes: 10 * MB,
-    timeoutMs: 8000,
-    concurrency: 4,
-    failClosed: true,
-});
-/**
- * Archives policy.
- *
- * Appropriate for: endpoints that accept ZIP, tar, or compressed archives.
- * Combines a generous size allowance with a longer timeout for deep inspection.
- *
- * NOTE: Pair this policy with `createZipBombGuard()` to defend against
- * decompression-bomb attacks:
- *
- * ```ts
- * import { composeScanners, createZipBombGuard, CommonHeuristicsScanner } from 'pompelmi';
- * const scanner = composeScanners(
- *   [['zipGuard', createZipBombGuard()], ['heuristics', CommonHeuristicsScanner]]
- * );
- * ```
- */
-const ARCHIVES = definePolicy({
-    includeExtensions: ["zip", "tar", "gz", "tgz", "bz2", "xz", "7z", "rar"],
-    allowedMimeTypes: [
-        "application/zip",
-        "application/x-tar",
-        "application/gzip",
-        "application/x-bzip2",
-        "application/x-xz",
-        "application/x-7z-compressed",
-        "application/x-rar-compressed",
-    ],
-    maxFileSizeBytes: 100 * MB,
-    timeoutMs: 30000,
-    concurrency: 2,
-    failClosed: true,
-});
-/**
- * Named map of all built-in policy packs.
- *
- * ```ts
- * import { POLICY_PACKS } from 'pompelmi/policy-packs';
- * const policy = POLICY_PACKS['strict-public-upload'];
- * ```
- */
-const POLICY_PACKS = {
-    "documents-only": DOCUMENTS_ONLY,
-    "images-only": IMAGES_ONLY,
-    "strict-public-upload": STRICT_PUBLIC_UPLOAD,
-    "conservative-default": CONSERVATIVE_DEFAULT,
-    archives: ARCHIVES,
-};
-/**
- * Look up a policy pack by name.
- * Throws if the name is not recognised.
- */
-function getPolicyPack(name) {
-    const policy = POLICY_PACKS[name];
-    if (!policy)
-        throw new Error(`Unknown policy pack: '${name}'. Valid names: ${Object.keys(POLICY_PACKS).join(", ")}`);
-    return policy;
-}
-
-function hasAsciiToken(buf, token) {
-    // Use latin1 so we can safely search binary
-    return buf.indexOf(token, 0, "latin1") !== -1;
-}
-function startsWith(buf, bytes) {
-    if (buf.length < bytes.length)
-        return false;
-    for (let i = 0; i < bytes.length; i++)
-        if (buf[i] !== bytes[i])
-            return false;
-    return true;
-}
-function isPDF(buf) {
-    // %PDF-
-    return startsWith(buf, [0x25, 0x50, 0x44, 0x46, 0x2d]);
-}
-function isOleCfb(buf) {
-    // D0 CF 11 E0 A1 B1 1A E1
-    const sig = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1];
-    return startsWith(buf, sig);
-}
-function isZipLike$1(buf) {
-    // PK\x03\x04
-    return startsWith(buf, [0x50, 0x4b, 0x03, 0x04]);
-}
-function isPeExecutable(buf) {
-    // "MZ"
-    return startsWith(buf, [0x4d, 0x5a]);
-}
-/** OOXML macro hint via filename token in ZIP container */
-function hasOoxmlMacros(buf) {
-    if (!isZipLike$1(buf))
-        return false;
-    return hasAsciiToken(buf, "vbaProject.bin");
-}
-/** PDF risky features (/JavaScript, /OpenAction, /AA, /Launch) */
-function pdfRiskTokens(buf) {
-    const tokens = ["/JavaScript", "/OpenAction", "/AA", "/Launch"];
-    return tokens.filter((t) => hasAsciiToken(buf, t));
-}
-const CommonHeuristicsScanner = {
-    async scan(input) {
-        const buf = Buffer.from(input);
-        const matches = [];
-        // Office macros (OLE / OOXML)
-        if (isOleCfb(buf)) {
-            matches.push({ rule: "office_ole_container", severity: "suspicious" });
-        }
-        if (hasOoxmlMacros(buf)) {
-            matches.push({ rule: "office_ooxml_macros", severity: "suspicious" });
-        }
-        // PDF risky tokens
-        if (isPDF(buf)) {
-            const toks = pdfRiskTokens(buf);
-            if (toks.length) {
-                matches.push({
-                    rule: "pdf_risky_actions",
-                    severity: "suspicious",
-                    meta: { tokens: toks },
-                });
-            }
-        }
-        // Executable header
-        if (isPeExecutable(buf)) {
-            matches.push({ rule: "pe_executable_signature", severity: "suspicious" });
-        }
-        // EICAR test file
-        const EICAR_NEEDLE = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!";
-        if (hasAsciiToken(buf, EICAR_NEEDLE)) {
-            matches.push({
-                rule: "eicar_test_file",
-                severity: "high",
-                meta: { note: "EICAR standard antivirus test file detected" },
-            });
-        }
-        return matches;
-    },
-};
-
-function toScanFn(s) {
-    return (typeof s === "function" ? s : s.scan);
-}
-/** Map a Match's severity field to a Verdict for stopOn comparison. */
-function matchToVerdict(m) {
-    const s = m.severity;
-    if (s === "critical" || s === "high" || s === "malicious")
-        return "malicious";
-    if (s === "medium" || s === "low" || s === "suspicious" || s === "info")
-        return "suspicious";
-    return "clean";
-}
-/** Highest verdict across all matches in the list. */
-function highestSeverity(matches) {
-    if (matches.length === 0)
-        return null;
-    if (matches.some((m) => matchToVerdict(m) === "malicious"))
-        return "malicious";
-    if (matches.some((m) => matchToVerdict(m) === "suspicious"))
-        return "suspicious";
-    return "clean";
-}
-const SEVERITY_RANK = { malicious: 2, suspicious: 1, clean: 0 };
-function shouldStop(matches, stopOn) {
-    if (!stopOn)
-        return false;
-    const highest = highestSeverity(matches);
-    if (!highest)
-        return false;
-    return SEVERITY_RANK[highest] >= SEVERITY_RANK[stopOn];
-}
-async function runWithTimeout(fn, timeoutMs) {
-    if (!timeoutMs)
-        return fn();
-    return new Promise((resolve, reject) => {
-        const timer = setTimeout(() => reject(new Error("scanner timeout")), timeoutMs);
-        fn().then((v) => {
-            clearTimeout(timer);
-            resolve(v);
-        }, (e) => {
-            clearTimeout(timer);
-            reject(e);
-        });
-    });
-}
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function composeScanners(...args) {
-    const first = args[0];
-    const rest = args.slice(1);
-    // ── Named-scanner array form ──────────────────────────────────────────────
-    if (Array.isArray(first) &&
-        (first.length === 0 || (Array.isArray(first[0]) && typeof first[0][0] === "string"))) {
-        const entries = first;
-        const opts = rest.length > 0 &&
-            !Array.isArray(rest[0]) &&
-            typeof rest[0] !== "function" &&
-            !(typeof rest[0] === "object" && rest[0] !== null && "scan" in rest[0])
-            ? rest[0]
-            : {};
-        return async (input, ctx) => {
-            const all = [];
-            if (opts.parallel) {
-                // Parallel execution — collect all results then return
-                const results = await Promise.allSettled(entries.map(([_name, scanner]) => runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner)));
-                for (let i = 0; i < results.length; i++) {
-                    const result = results[i];
-                    if (result.status === "fulfilled" && Array.isArray(result.value)) {
-                        const matches = opts.tagSourceName
-                            ? result.value.map((m) => ({
-                                ...m,
-                                meta: { ...m.meta, _sourceName: entries[i][0] },
-                            }))
-                            : result.value;
-                        all.push(...matches);
-                    }
-                }
-            }
-            else {
-                // Sequential execution with optional stopOn short-circuit
-                for (const [name, scanner] of entries) {
-                    try {
-                        const out = await runWithTimeout(() => toScanFn(scanner)(input, ctx), opts.timeoutMsPerScanner);
-                        if (Array.isArray(out)) {
-                            const matches = opts.tagSourceName
-                                ? out.map((m) => ({ ...m, meta: { ...m.meta, _sourceName: name } }))
-                                : out;
-                            all.push(...matches);
-                            if (shouldStop(all, opts.stopOn))
-                                break;
-                        }
-                    }
-                    catch {
-                        // individual scanner failure is non-fatal
-                    }
-                }
-            }
-            return all;
-        };
-    }
-    // ── Variadic form (backward-compatible) ───────────────────────────────────
-    const scanners = [first, ...rest].filter(Boolean);
-    return async (input, ctx) => {
-        const all = [];
-        for (const s of scanners) {
-            try {
-                const out = await toScanFn(s)(input, ctx);
-                if (Array.isArray(out))
-                    all.push(...out);
-            }
-            catch {
-                // ignore individual scanner failures
-            }
-        }
-        return all;
-    };
-}
-function createPresetScanner(preset, opts = {}) {
-    const baseScanners = [CommonHeuristicsScanner];
-    const dynamicScannerPromises = [];
-    // Add decompilation scanners based on preset
-    if (preset === "decompilation-basic" ||
-        preset === "decompilation-deep" ||
-        preset === "malware-analysis" ||
-        opts.enableDecompilation) {
-        const depth = preset === "decompilation-deep" || preset === "malware-analysis"
-            ? "deep"
-            : preset === "decompilation-basic"
-                ? "basic"
-                : opts.decompilationDepth || "basic";
-        let importModule;
-        try {
-            // Dynamic import to avoid bundling issues - using Function to bypass TypeScript type checking
-            importModule = new Function("specifier", "return import(specifier)");
-        }
-        catch {
-            importModule = undefined;
-        }
-        if (importModule &&
-            (!opts.decompilationEngine ||
-                opts.decompilationEngine === "binaryninja-hlil" ||
-                opts.decompilationEngine === "both")) {
-            dynamicScannerPromises.push(importModule("@pompelmi/engine-binaryninja")
-                .then((mod) => mod.createBinaryNinjaScanner({
-                timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                depth,
-                pythonPath: opts.pythonPath,
-                binaryNinjaPath: opts.binaryNinjaPath,
-            }))
-                .catch(() => null));
-        }
-        if (importModule &&
-            (!opts.decompilationEngine ||
-                opts.decompilationEngine === "ghidra-pcode" ||
-                opts.decompilationEngine === "both")) {
-            dynamicScannerPromises.push(importModule("@pompelmi/engine-ghidra")
-                .then((mod) => mod.createGhidraScanner({
-                timeout: opts.decompilationTimeout || opts.timeout || 30000,
-                depth,
-                ghidraPath: opts.ghidraPath,
-                analyzeHeadless: opts.analyzeHeadless,
-            }))
-                .catch(() => null));
-        }
-    }
-    let composedScannerPromise;
-    const getComposedScanner = async () => {
-        composedScannerPromise ?? (composedScannerPromise = Promise.all(dynamicScannerPromises).then((dynamicScanners) => composeScanners(...baseScanners, ...dynamicScanners.filter((scanner) => scanner !== null))));
-        return composedScannerPromise;
-    };
-    return async (input, ctx) => {
-        const scanner = await getComposedScanner();
-        return scanner(input, ctx);
-    };
-}
-
-/**
- * Advanced threat detection utilities
- * @module utils/advanced-detection
- */
-/**
- * Enhanced polyglot file detection
- * Detects files that can be interpreted as multiple formats
- */
-function detectPolyglot(bytes) {
-    const matches = [];
-    // Check for PDF/ZIP polyglot
-    if (isPDFZipPolyglot(bytes)) {
-        matches.push({
-            rule: "polyglot_pdf_zip",
-            severity: "high",
-            meta: { description: "File can be interpreted as both PDF and ZIP" },
-        });
-    }
-    // Check for image/script polyglot
-    if (isImageScriptPolyglot(bytes)) {
-        matches.push({
-            rule: "polyglot_image_script",
-            severity: "high",
-            meta: { description: "Image file contains executable script content" },
-        });
-    }
-    // Check for GIFAR (GIF/JAR polyglot)
-    if (isGIFAR(bytes)) {
-        matches.push({
-            rule: "polyglot_gifar",
-            severity: "critical",
-            meta: { description: "GIF file contains Java archive" },
-        });
-    }
-    return matches;
-}
-/**
- * Detect obfuscated JavaScript/VBScript
- */
-function detectObfuscatedScripts(bytes) {
-    const matches = [];
-    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes.slice(0, Math.min(64 * 1024, bytes.length)));
-    // Check for common obfuscation patterns
-    const obfuscationPatterns = [
-        /eval\s*\(\s*unescape\s*\(/gi,
-        /eval\s*\(\s*atob\s*\(/gi,
-        /String\.fromCharCode\s*\(\s*\d+(?:\s*,\s*\d+){10,}/gi,
-        /[a-z0-9]{100,}/gi, // Long encoded strings
-        /\\x[0-9a-f]{2}/gi, // Hex escapes
-    ];
-    for (const pattern of obfuscationPatterns) {
-        if (pattern.test(text)) {
-            matches.push({
-                rule: "obfuscated_script",
-                severity: "medium",
-                meta: {
-                    description: "Detected obfuscated script content",
-                    pattern: pattern.source,
-                },
-            });
-            break;
-        }
-    }
-    return matches;
-}
-/**
- * Enhanced nested archive detection with depth limits
- */
-function analyzeNestedArchives(bytes, maxDepth = 10) {
-    let depth = 0;
-    let currentBytes = bytes;
-    while (depth < maxDepth) {
-        if (isArchive(currentBytes)) {
-            depth++;
-            {
-                break;
-            }
-        }
-        else {
-            break;
-        }
-    }
-    return {
-        depth,
-        hasExcessiveNesting: depth >= 5,
-    };
-}
-// Helper functions
-function isPDFZipPolyglot(bytes) {
-    if (bytes.length < 8)
-        return false;
-    // Check for PDF signature
-    const hasPDF = bytes[0] === 0x25 && bytes[1] === 0x50 && bytes[2] === 0x44 && bytes[3] === 0x46;
-    // Check for ZIP signature anywhere in the file
-    let hasZIP = false;
-    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 &&
-            bytes[i + 1] === 0x4b &&
-            bytes[i + 2] === 0x03 &&
-            bytes[i + 3] === 0x04) {
-            hasZIP = true;
-            break;
-        }
-    }
-    return hasPDF && hasZIP;
-}
-function isImageScriptPolyglot(bytes) {
-    if (bytes.length < 100)
-        return false;
-    // Check for image signatures
-    const isImage = (bytes[0] === 0xff && bytes[1] === 0xd8) || // JPEG
-        (bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4e && bytes[3] === 0x47) || // PNG
-        (bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46); // GIF
-    if (!isImage)
-        return false;
-    // Check for script content
-    const text = new TextDecoder("utf-8", { fatal: false }).decode(bytes);
-    return /<script|javascript:|eval\(|function\s*\(/i.test(text);
-}
-function isGIFAR(bytes) {
-    if (bytes.length < 100)
-        return false;
-    // Check for GIF signature
-    const isGIF = bytes[0] === 0x47 && bytes[1] === 0x49 && bytes[2] === 0x46;
-    // Check for ZIP/JAR signature
-    let hasZIP = false;
-    for (let i = 0; i < Math.min(bytes.length - 4, 1024); i++) {
-        if (bytes[i] === 0x50 &&
-            bytes[i + 1] === 0x4b &&
-            bytes[i + 2] === 0x03 &&
-            bytes[i + 3] === 0x04) {
-            hasZIP = true;
-            break;
-        }
-    }
-    return isGIF && hasZIP;
-}
-function isArchive(bytes) {
-    if (bytes.length < 4)
-        return false;
-    return (
-    // ZIP
-    (bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04) ||
-        // RAR
-        (bytes[0] === 0x52 && bytes[1] === 0x61 && bytes[2] === 0x72 && bytes[3] === 0x21) ||
-        // 7z
-        (bytes[0] === 0x37 && bytes[1] === 0x7a && bytes[2] === 0xbc && bytes[3] === 0xaf) ||
-        // tar.gz
-        (bytes[0] === 0x1f && bytes[1] === 0x8b));
-}
-
-/**
- * Cache management system for scan results
- * @module utils/cache-manager
- */
-/**
- * LRU cache for scan results with TTL support
- */
-class ScanCacheManager {
-    constructor(options = {}) {
-        this.cache = new Map();
-        // Statistics
-        this.stats = {
-            hits: 0,
-            misses: 0,
-            evictions: 0,
-        };
-        this.maxSize = options.maxSize ?? 1000;
-        this.ttl = options.ttl ?? 3600000; // 1 hour default
-        this.enableLRU = options.enableLRU ?? true;
-        this.enableStats = options.enableStats ?? false;
-    }
-    /**
-     * Generate cache key from file content
-     */
-    generateKey(content, preset) {
-        const hash = crypto.createHash("sha256")
-            .update(content)
-            .update(preset || "default")
-            .digest("hex");
-        return hash;
-    }
-    /**
-     * Check if cache entry is still valid
-     */
-    isValid(entry) {
-        return Date.now() - entry.timestamp < this.ttl;
-    }
-    /**
-     * Evict oldest or least-used entry when cache is full
-     */
-    evict() {
-        if (this.cache.size === 0)
-            return;
-        let targetKey = null;
-        let oldestTime = Infinity;
-        let lowestAccess = Infinity;
-        for (const [key, entry] of this.cache.entries()) {
-            if (this.enableLRU) {
-                // LRU: evict least recently used
-                if (entry.timestamp < oldestTime) {
-                    oldestTime = entry.timestamp;
-                    targetKey = key;
-                }
-            }
-            else {
-                // LFU: evict least frequently used
-                if (entry.accessCount < lowestAccess) {
-                    lowestAccess = entry.accessCount;
-                    targetKey = key;
-                }
-            }
-        }
-        if (targetKey) {
-            this.cache.delete(targetKey);
-            if (this.enableStats)
-                this.stats.evictions++;
-        }
-    }
-    /**
-     * Store scan result in cache
-     */
-    set(content, report, preset) {
-        const key = this.generateKey(content, preset);
-        // Evict if necessary
-        if (this.cache.size >= this.maxSize) {
-            this.evict();
-        }
-        this.cache.set(key, {
-            report,
-            timestamp: Date.now(),
-            accessCount: 0,
-        });
-    }
-    /**
-     * Retrieve scan result from cache
-     */
-    get(content, preset) {
-        const key = this.generateKey(content, preset);
-        const entry = this.cache.get(key);
-        if (!entry) {
-            if (this.enableStats)
-                this.stats.misses++;
-            return null;
-        }
-        if (!this.isValid(entry)) {
-            this.cache.delete(key);
-            if (this.enableStats)
-                this.stats.misses++;
-            return null;
-        }
-        // Update access tracking
-        entry.accessCount++;
-        entry.timestamp = Date.now(); // Update for LRU
-        if (this.enableStats)
-            this.stats.hits++;
-        return entry.report;
-    }
-    /**
-     * Check if result exists in cache
-     */
-    has(content, preset) {
-        const key = this.generateKey(content, preset);
-        const entry = this.cache.get(key);
-        return entry !== undefined && this.isValid(entry);
-    }
-    /**
-     * Clear entire cache
-     */
-    clear() {
-        this.cache.clear();
-        if (this.enableStats) {
-            this.stats.hits = 0;
-            this.stats.misses = 0;
-            this.stats.evictions = 0;
-        }
-    }
-    /**
-     * Remove expired entries
-     */
-    prune() {
-        let removed = 0;
-        for (const [key, entry] of this.cache.entries()) {
-            if (!this.isValid(entry)) {
-                this.cache.delete(key);
-                removed++;
-            }
-        }
-        return removed;
-    }
-    /**
-     * Get cache statistics
-     */
-    getStats() {
-        const total = this.stats.hits + this.stats.misses;
-        const hitRate = total > 0 ? (this.stats.hits / total) * 100 : 0;
-        return {
-            hits: this.stats.hits,
-            misses: this.stats.misses,
-            size: this.cache.size,
-            hitRate,
-            evictions: this.stats.evictions,
-        };
-    }
-    /**
-     * Get current cache size
-     */
-    get size() {
-        return this.cache.size;
-    }
-}
-// Export singleton instance for convenience
-let defaultCache = null;
-/**
- * Get or create the default cache instance
- */
-function getDefaultCache(options) {
-    if (!defaultCache) {
-        defaultCache = new ScanCacheManager(options);
-    }
-    return defaultCache;
-}
-/**
- * Reset the default cache instance
- */
-function resetDefaultCache() {
-    defaultCache = null;
-}
-
-/**
- * Performance monitoring utilities for pompelmi scans
- * @module utils/performance-metrics
- */
-/**
- * Track performance metrics for a scan operation
- */
-class PerformanceTracker {
-    constructor() {
-        this.checkpoints = new Map();
-        this.startTime = Date.now();
-    }
-    /**
-     * Mark a checkpoint in the scan process
-     */
-    checkpoint(name) {
-        this.checkpoints.set(name, Date.now());
-    }
-    /**
-     * Get duration since start or since a specific checkpoint
-     */
-    getDuration(since) {
-        const now = Date.now();
-        if (since && this.checkpoints.has(since)) {
-            return now - (this.checkpoints.get(since) ?? now);
-        }
-        return now - this.startTime;
-    }
-    /**
-     * Generate final metrics report
-     */
-    getMetrics(bytesScanned) {
-        const totalDuration = this.getDuration();
-        const throughput = totalDuration > 0 ? (bytesScanned / totalDuration) * 1000 : 0;
-        return {
-            totalDurationMs: totalDuration,
-            heuristicsDurationMs: this.checkpoints.has("heuristics_end")
-                ? (this.checkpoints.get("heuristics_end") ?? 0) -
-                    (this.checkpoints.get("heuristics_start") ?? 0)
-                : undefined,
-            yaraDurationMs: this.checkpoints.has("yara_end")
-                ? (this.checkpoints.get("yara_end") ?? 0) - (this.checkpoints.get("yara_start") ?? 0)
-                : undefined,
-            prepDurationMs: this.checkpoints.has("prep_end")
-                ? (this.checkpoints.get("prep_end") ?? 0) - this.startTime
-                : undefined,
-            throughputBps: throughput,
-            bytesScanned,
-            startedAt: this.startTime,
-            completedAt: Date.now(),
-        };
-    }
-}
-/**
- * Aggregate statistics from multiple scan reports
- */
-function aggregateScanStats(reports) {
-    let cleanCount = 0;
-    let suspiciousCount = 0;
-    let maliciousCount = 0;
-    let totalDuration = 0;
-    let totalBytes = 0;
-    let validDurationCount = 0;
-    for (const report of reports) {
-        if (report.verdict === "clean")
-            cleanCount++;
-        else if (report.verdict === "suspicious")
-            suspiciousCount++;
-        else if (report.verdict === "malicious")
-            maliciousCount++;
-        if (report.durationMs !== undefined) {
-            totalDuration += report.durationMs;
-            validDurationCount++;
-        }
-        if (report.file?.size !== undefined) {
-            totalBytes += report.file.size;
-        }
-    }
-    const avgDuration = validDurationCount > 0 ? totalDuration / validDurationCount : 0;
-    const avgThroughput = totalDuration > 0 ? (totalBytes / totalDuration) * 1000 : 0;
-    return {
-        totalScans: reports.length,
-        cleanCount,
-        suspiciousCount,
-        maliciousCount,
-        avgDurationMs: avgDuration,
-        avgThroughputBps: avgThroughput,
-        totalBytesScanned: totalBytes,
-    };
-}
-
-/** Mappa veloce estensione -> mime (basic) */
-function guessMimeByExt(name) {
-    if (!name)
-        return;
-    const ext = name.toLowerCase().split(".").pop();
-    switch (ext) {
-        case "zip":
-            return "application/zip";
-        case "png":
-            return "image/png";
-        case "jpg":
-        case "jpeg":
-            return "image/jpeg";
-        case "pdf":
-            return "application/pdf";
-        case "txt":
-            return "text/plain";
-        default:
-            return;
-    }
-}
-/** Heuristica semplice per verdetto */
-function computeVerdict(matches) {
-    if (!matches.length)
-        return "clean";
-    // se la regola contiene 'zip_' lo marchiamo "suspicious"
-    const anyHigh = matches.some((m) => (m.tags ?? []).includes("critical") || (m.tags ?? []).includes("high"));
-    return anyHigh ? "malicious" : "suspicious";
-}
-/** Converte i Match (heuristics) in YaraMatch-like per uniformare l'output */
-function toYaraMatches(ms) {
-    return ms.map((m) => ({
-        rule: m.rule,
-        namespace: "heuristics",
-        tags: ["heuristics"].concat(m.severity ? [m.severity] : []),
-        meta: m.meta,
-    }));
-}
-/** Scan di bytes (browser/node) usando preset (default: zip-basic) */
-async function scanBytes(input, opts = {}) {
-    // Check cache first if enabled
-    if (opts.enableCache || opts.config?.performance?.enableCache) {
-        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
-        const cached = cache.get(input, opts.preset);
-        if (cached) {
-            return cached;
-        }
-    }
-    const perfTracker = opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking
-        ? new PerformanceTracker()
-        : null;
-    perfTracker?.checkpoint("prep_start");
-    const preset = opts.preset ?? opts.config?.defaultPreset ?? "zip-basic";
-    const ctx = {
-        ...opts.ctx,
-        mimeType: opts.ctx?.mimeType ?? guessMimeByExt(opts.ctx?.filename),
-        size: opts.ctx?.size ?? input.byteLength,
-    };
-    perfTracker?.checkpoint("prep_end");
-    perfTracker?.checkpoint("heuristics_start");
-    const scanFn = createPresetScanner(preset);
-    const matchesH = await (typeof scanFn === "function"
-        ? scanFn
-        : scanFn.scan)(input, ctx);
-    const allMatches = [...matchesH];
-    perfTracker?.checkpoint("heuristics_end");
-    // Advanced detection (enabled by default, can be overridden by config)
-    const advancedEnabled = opts.enableAdvancedDetection ?? opts.config?.advanced?.enablePolyglotDetection ?? true;
-    if (advancedEnabled) {
-        perfTracker?.checkpoint("advanced_start");
-        // Detect polyglot files
-        if (opts.config?.advanced?.enablePolyglotDetection !== false) {
-            const polyglotMatches = detectPolyglot(input);
-            allMatches.push(...polyglotMatches);
-        }
-        // Detect obfuscated scripts
-        if (opts.config?.advanced?.enableObfuscationDetection !== false) {
-            const obfuscatedMatches = detectObfuscatedScripts(input);
-            allMatches.push(...obfuscatedMatches);
-        }
-        // Check for excessive nesting in archives
-        if (opts.config?.advanced?.enableNestedArchiveAnalysis !== false) {
-            const nestingAnalysis = analyzeNestedArchives(input);
-            const maxDepth = opts.config?.advanced?.maxArchiveDepth ?? 5;
-            if (nestingAnalysis.hasExcessiveNesting || nestingAnalysis.depth > maxDepth) {
-                allMatches.push({
-                    rule: "excessive_archive_nesting",
-                    severity: "high",
-                    meta: {
-                        description: "Excessive archive nesting detected",
-                        depth: nestingAnalysis.depth,
-                        maxAllowed: maxDepth,
-                    },
-                });
-            }
-        }
-        perfTracker?.checkpoint("advanced_end");
-    }
-    const matches = toYaraMatches(allMatches);
-    const verdict = computeVerdict(matches);
-    perfTracker ? perfTracker.getDuration() : Date.now();
-    const durationMs = perfTracker ? perfTracker.getDuration() : 0;
-    const report = {
-        ok: verdict === "clean",
-        verdict,
-        matches,
-        reasons: matches.map((m) => m.rule),
-        file: { name: ctx.filename, mimeType: ctx.mimeType, size: ctx.size },
-        durationMs,
-        engine: "heuristics",
-        truncated: false,
-        timedOut: false,
-    };
-    // Add performance metrics if tracking enabled
-    if (perfTracker &&
-        (opts.enablePerformanceTracking || opts.config?.performance?.enablePerformanceTracking)) {
-        report.performanceMetrics = perfTracker.getMetrics(input.byteLength);
-    }
-    // Cache result if enabled
-    if (opts.enableCache || opts.config?.performance?.enableCache) {
-        const cache = getDefaultCache(opts.config?.performance?.cacheOptions);
-        cache.set(input, report, opts.preset);
-    }
-    // Invoke callbacks if configured
-    opts.config?.callbacks?.onScanComplete?.(report);
-    return report;
-}
-/** Scan di un file su disco (Node). Import dinamico per non vincolare il bundle browser. */
-async function scanFile(filePath, opts = {}) {
-    const [{ readFile, stat }, path] = await Promise.all([import('fs/promises'), import('path')]);
-    const [buf, st] = await Promise.all([readFile(filePath), stat(filePath)]);
-    const ctx = {
-        filename: path.basename(filePath),
-        mimeType: guessMimeByExt(filePath),
-        size: st.size,
-    };
-    return scanBytes(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength), { ...opts, ctx });
-}
-/** Scan multipli File (browser) usando scanBytes + preset di default */
-async function scanFiles(files, opts = {}) {
-    const list = Array.from(files);
-    const out = [];
-    for (const f of list) {
-        const buf = new Uint8Array(await f.arrayBuffer());
-        const rep = await scanBytes(buf, {
-            ...opts,
-            ctx: { filename: f.name, mimeType: f.type || guessMimeByExt(f.name), size: f.size },
-        });
-        out.push(rep);
-    }
-    return out;
-}
-
-async function createRemoteEngine(opts) {
-    const { endpoint, headers = {}, rulesField = "rules", fileField = "file", mode = "multipart", rulesAsBase64 = false, } = opts;
-    const engine = {
-        async compile(rulesSource) {
-            return {
-                async scan(data) {
-                    const fetchFn = globalThis.fetch;
-                    if (!fetchFn)
-                        throw new Error("[remote-yara] fetch non disponibile in questo ambiente");
-                    let res;
-                    if (mode === "multipart") {
-                        const FormDataCtor = globalThis.FormData;
-                        const BlobCtor = globalThis.Blob;
-                        if (!FormDataCtor || !BlobCtor) {
-                            throw new Error("[remote-yara] FormData/Blob non disponibili (usa json-base64 oppure esegui in browser)");
-                        }
-                        const form = new FormDataCtor();
-                        form.set(rulesField, new BlobCtor([rulesSource], { type: "text/plain" }), "rules.yar");
-                        form.set(fileField, new BlobCtor([data], { type: "application/octet-stream" }), "sample.bin");
-                        res = await fetchFn(endpoint, { method: "POST", body: form, headers });
-                    }
-                    else {
-                        const b64 = base64FromBytes(data);
-                        const payload = { [fileField]: b64 };
-                        if (rulesAsBase64) {
-                            payload["rulesB64"] = base64FromString(rulesSource);
-                        }
-                        else {
-                            payload[rulesField] = rulesSource;
-                        }
-                        res = await fetchFn(endpoint, {
-                            method: "POST",
-                            headers: { "Content-Type": "application/json", ...headers },
-                            body: JSON.stringify(payload),
-                        });
-                    }
-                    if (!res.ok) {
-                        throw new Error(`[remote-yara] HTTP ${res.status} ${res.statusText}`);
-                    }
-                    const json = await res.json().catch(() => null);
-                    const arr = Array.isArray(json) ? json : (json?.matches ?? []);
-                    return (arr ?? []).map((m) => ({
-                        rule: m.rule ?? m.ruleIdentifier ?? "unknown",
-                        tags: m.tags ?? [],
-                    }));
-                },
-            };
-        },
-    };
-    return engine;
-}
-// Helpers
-function base64FromBytes(bytes) {
-    // usa btoa se disponibile (browser); altrimenti fallback manuale
-    const btoaFn = globalThis.btoa;
-    let bin = "";
-    for (let i = 0; i < bytes.byteLength; i++)
-        bin += String.fromCharCode(bytes[i]);
-    return btoaFn ? btoaFn(bin) : Buffer.from(bin, "binary").toString("base64");
-}
-function base64FromString(s) {
-    const btoaFn = globalThis.btoa;
-    return btoaFn ? btoaFn(s) : Buffer.from(s, "utf8").toString("base64");
-}
-
-// src/scan/remote.ts
-/**
- * Scansiona una lista di File nel browser usando il motore remoto via HTTP.
- * Non richiede WASM né dipendenze native sul client.
- */
-async function scanFilesWithRemoteYara(files, rulesSource, remote) {
-    const engine = await createRemoteEngine(remote);
-    const compiled = await engine.compile(rulesSource);
-    const results = [];
-    for (const file of files) {
-        try {
-            const bytes = new Uint8Array(await file.arrayBuffer());
-            const matches = await compiled.scan(bytes);
-            results.push({ file, matches });
-        }
-        catch (err) {
-            console.warn("[remote-yara] scan error for", file.name, err);
-            results.push({ file, matches: [], error: String(err?.message ?? err) });
-        }
-    }
-    return results;
-}
-
-const ARCHIVE_BOMB_DETECTED = "ARCHIVE_BOMB_DETECTED";
-const SIG_LFH = 0x04034b50;
-const SIG_CEN = 0x02014b50;
-const DEFAULTS = {
-    maxEntries: 1000,
-    maxTotalUncompressedBytes: 500 * 1024 * 1024,
-    maxPerEntryUncompressedBytes: 100 * 1024 * 1024,
-    maxEntryNameLength: 255,
-    maxCompressionRatio: 100,
-    eocdSearchWindow: 70000,
-};
-function r16(buf, off) {
-    return buf.readUInt16LE(off);
-}
-function r32(buf, off) {
-    return buf.readUInt32LE(off);
-}
-function isZipLike(buf) {
-    return (buf.length >= 4 && buf[0] === 0x50 && buf[1] === 0x4b && buf[2] === 0x03 && buf[3] === 0x04);
-}
-function lastIndexOfEOCD(buf, window) {
-    const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
-    const start = Math.max(0, buf.length - window);
-    const idx = buf.lastIndexOf(sig, Math.min(buf.length - sig.length, buf.length - 1));
-    return idx >= start ? idx : -1;
-}
-function hasTraversal(name) {
-    return (name.includes("../") || name.includes("..\\") || name.startsWith("/") || /^[A-Za-z]:/.test(name));
-}
-function makeBombError() {
-    return Object.assign(new Error("Archive bomb detected: decompression limits exceeded"), {
-        code: ARCHIVE_BOMB_DETECTED,
-    });
-}
-/**
- * Feeds `compressed` into a raw DEFLATE inflate stream and counts the actual
- * output bytes. Resolves with bombed=true and aborts early if any limit fires:
- *   - decompressed bytes > maxPerEntry
- *   - totalSoFar + decompressed > maxTotal
- *   - decompressed / compressed > maxRatio  (ratio measured on real bytes, not headers)
- *
- * Malformed DEFLATE is treated as safe (bombed=false, decompressed=0).
- */
-function streamInflate(compressed, maxPerEntry, maxTotal, alreadySeen, maxRatio) {
-    return new Promise((resolve) => {
-        const inf = zlib.createInflateRaw();
-        let out = 0;
-        const compBytes = compressed.length;
-        let done = false;
-        const finish = (bombed) => {
-            if (done)
-                return;
-            done = true;
-            inf.destroy();
-            resolve({ decompressed: out, bombed });
-        };
-        inf.on("data", (chunk) => {
-            out += chunk.length;
-            if (out > maxPerEntry ||
-                alreadySeen + out > maxTotal ||
-                (compBytes > 0 && out / compBytes > maxRatio)) {
-                finish(true);
-            }
-        });
-        inf.on("end", () => finish(false));
-        // Malformed DEFLATE stream → not a bomb, just corrupt
-        inf.on("error", () => finish(false));
-        inf.end(compressed);
-    });
-}
-function createZipBombGuard(opts = {}) {
-    const cfg = { ...DEFAULTS, ...opts };
-    return {
-        async scan(input) {
-            const buf = Buffer.from(input);
-            const matches = [];
-            if (!isZipLike(buf))
-                return matches;
-            // ── 1. Locate EOCD ──────────────────────────────────────────────────────
-            const eocdPos = lastIndexOfEOCD(buf, cfg.eocdSearchWindow);
-            if (eocdPos < 0 || eocdPos + 22 > buf.length) {
-                matches.push({ rule: "zip_eocd_not_found", severity: "medium" });
-                return matches;
-            }
-            const totalEntries = r16(buf, eocdPos + 10);
-            const cdSize = r32(buf, eocdPos + 12);
-            const cdOffset = r32(buf, eocdPos + 16);
-            if (cdOffset + cdSize > buf.length) {
-                matches.push({ rule: "zip_cd_out_of_bounds", severity: "medium" });
-                return matches;
-            }
-            const lfhIndex = [];
-            let ptr = cdOffset;
-            let seen = 0;
-            while (ptr + 46 <= cdOffset + cdSize && seen < totalEntries) {
-                if (r32(buf, ptr) !== SIG_CEN)
-                    break;
-                const cdCompSize = r32(buf, ptr + 20);
-                const fnLen = r16(buf, ptr + 28);
-                const exLen = r16(buf, ptr + 30);
-                const cmLen = r16(buf, ptr + 32);
-                const lfhOffset = r32(buf, ptr + 42);
-                const nameEnd = ptr + 46 + fnLen;
-                if (nameEnd > buf.length)
-                    break;
-                const name = buf.toString("utf8", ptr + 46, nameEnd);
-                seen++;
-                lfhIndex.push({ lfhOffset, cdCompSize });
-                if (name.length > cfg.maxEntryNameLength) {
-                    matches.push({
-                        rule: "zip_entry_name_too_long",
-                        severity: "medium",
-                        meta: { name, length: name.length },
-                    });
-                }
-                if (hasTraversal(name)) {
-                    matches.push({ rule: "zip_path_traversal_entry", severity: "medium", meta: { name } });
-                }
-                ptr = nameEnd + exLen + cmLen;
-            }
-            if (seen !== totalEntries) {
-                matches.push({
-                    rule: "zip_cd_truncated",
-                    severity: "medium",
-                    meta: { seen, totalEntries },
-                });
-            }
-            if (seen > cfg.maxEntries) {
-                matches.push({
-                    rule: "zip_too_many_entries",
-                    severity: "medium",
-                    meta: { seen, limit: cfg.maxEntries },
-                });
-                // Return early — decompressing thousands of entries would be a DoS vector
-                return matches;
-            }
-            // ── 3. True streaming decompression — archive bomb detection ────────────
-            // For every DEFLATE entry (method=8) we feed the raw compressed bytes into
-            // zlib.createInflateRaw() and count the bytes that come OUT.  We abort the
-            // moment any limit fires; we NEVER trust the header-reported uncompressed
-            // size for the ratio decision.
-            //
-            // For STORED entries (method=0) compressed == uncompressed by spec, so the
-            // byte count is immediate.
-            let totalDecompressed = 0;
-            for (const { lfhOffset, cdCompSize } of lfhIndex) {
-                if (lfhOffset + 30 > buf.length)
-                    continue;
-                if (r32(buf, lfhOffset) !== SIG_LFH)
-                    continue;
-                const gpbf = r16(buf, lfhOffset + 6);
-                const method = r16(buf, lfhOffset + 8);
-                let lfhCompSz = r32(buf, lfhOffset + 18);
-                const fnLen = r16(buf, lfhOffset + 26);
-                const exLen = r16(buf, lfhOffset + 28);
-                const dataOff = lfhOffset + 30 + fnLen + exLen;
-                // If the data-descriptor flag is set (GPBF bit 3), the LFH sizes are 0.
-                // Fall back to the CD size purely for navigation — not for bomb detection.
-                if ((gpbf & 0x08) !== 0 && lfhCompSz === 0) {
-                    lfhCompSz = cdCompSize;
-                }
-                if (dataOff + lfhCompSz > buf.length)
-                    continue; // truncated entry — skip
-                if (method === 8 /* DEFLATE */) {
-                    const compressed = buf.slice(dataOff, dataOff + lfhCompSz);
-                    const { decompressed, bombed } = await streamInflate(compressed, cfg.maxPerEntryUncompressedBytes, cfg.maxTotalUncompressedBytes, totalDecompressed, cfg.maxCompressionRatio);
-                    if (bombed)
-                        throw makeBombError();
-                    totalDecompressed += decompressed;
-                }
-                else if (method === 0 /* STORED */) {
-                    // Compressed == uncompressed for stored entries
-                    if (lfhCompSz > cfg.maxPerEntryUncompressedBytes)
-                        throw makeBombError();
-                    totalDecompressed += lfhCompSz;
-                    if (totalDecompressed > cfg.maxTotalUncompressedBytes)
-                        throw makeBombError();
-                }
-                // Other methods (bzip2=12, lzma=14, zstd=93, …) — skip; no built-in support
-            }
-            return matches;
-        },
-    };
-}
-
-/** Decompilation-specific types for Pompelmi */
-const SUSPICIOUS_PATTERNS = [
-    {
-        name: "syscall_direct",
-        description: "Direct system call without library wrapper",
-        severity: "medium",
-        pattern: /syscall|sysenter|int\s+0x80/i,
-    },
-    {
-        name: "process_injection",
-        description: "Process injection techniques",
-        severity: "high",
-        pattern: /CreateRemoteThread|WriteProcessMemory|VirtualAllocEx/i,
-    },
-    {
-        name: "anti_debug",
-        description: "Anti-debugging techniques",
-        severity: "medium",
-        pattern: /IsDebuggerPresent|CheckRemoteDebuggerPresent|OutputDebugString/i,
-    },
-    {
-        name: "obfuscation_xor",
-        description: "XOR-based obfuscation pattern",
-        severity: "medium",
-        pattern: /xor.*0x[0-9a-f]+.*xor/i,
-    },
-    {
-        name: "crypto_constants",
-        description: "Cryptographic constants",
-        severity: "low",
-        pattern: /0x67452301|0xefcdab89|0x98badcfe|0x10325476/i,
-    },
-];
-
-/**
- * Batch scanning with concurrency control
- * @module utils/batch-scanner
- */
-/**
- * Batch file scanner with concurrency control and progress tracking
- */
-class BatchScanner {
-    constructor(options = {}) {
-        this.options = {
-            concurrency: 5,
-            continueOnError: true,
-            ...options,
-        };
-    }
-    /**
-     * Scan multiple files with controlled concurrency
-     */
-    async scanBatch(tasks) {
-        const startTime = Date.now();
-        const results = new Array(tasks.length);
-        const errors = [];
-        let successCount = 0;
-        let errorCount = 0;
-        let completedCount = 0;
-        const concurrency = this.options.concurrency ?? 5;
-        // Process tasks in chunks with controlled concurrency
-        const processingQueue = [];
-        let currentIndex = 0;
-        const processTask = async (index) => {
-            try {
-                const task = tasks[index];
-                const report = await scanBytes(task.content, {
-                    ...this.options,
-                    ctx: task.context,
-                });
-                results[index] = report;
-                successCount++;
-                completedCount++;
-                if (this.options.onProgress) {
-                    this.options.onProgress(completedCount, tasks.length, report);
-                }
-            }
-            catch (error) {
-                errorCount++;
-                completedCount++;
-                const err = error instanceof Error ? error : new Error(String(error));
-                if (this.options.onError) {
-                    this.options.onError(err, index);
-                }
-                errors.push({ index, error: err });
-                if (!this.options.continueOnError) {
-                    throw err;
-                }
-                results[index] = null;
-            }
-        };
-        // Start initial batch of concurrent tasks
-        while (currentIndex < tasks.length) {
-            while (processingQueue.length < concurrency && currentIndex < tasks.length) {
-                const promise = processTask(currentIndex);
-                processingQueue.push(promise);
-                currentIndex++;
-                // Remove completed promises from queue
-                promise
-                    .finally(() => {
-                    const idx = processingQueue.indexOf(promise);
-                    if (idx > -1)
-                        processingQueue.splice(idx, 1);
-                })
-                    .catch(() => {
-                    // Rejections are handled by the main queue waits; swallow the cleanup chain.
-                });
-            }
-            // Wait for at least one task to complete before continuing
-            if (processingQueue.length >= concurrency) {
-                await Promise.race(processingQueue);
-            }
-        }
-        // Wait for all remaining tasks
-        await Promise.all(processingQueue);
-        const totalDurationMs = Date.now() - startTime;
-        return {
-            reports: results,
-            successCount,
-            errorCount,
-            totalDurationMs,
-            errors,
-        };
-    }
-    /**
-     * Scan files from File objects (browser environment)
-     */
-    async scanFiles(files) {
-        const tasks = await Promise.all(files.map(async (file) => ({
-            content: new Uint8Array(await file.arrayBuffer()),
-            context: {
-                filename: file.name,
-                mimeType: file.type,
-                size: file.size,
-            },
-        })));
-        return this.scanBatch(tasks);
-    }
-    /**
-     * Scan files from file paths (Node.js environment)
-     */
-    async scanFilePaths(filePaths) {
-        const fs = await import('fs/promises');
-        const path = await import('path');
-        const tasks = await Promise.all(filePaths.map(async (filePath) => {
-            const [content, stats] = await Promise.all([fs.readFile(filePath), fs.stat(filePath)]);
-            return {
-                content: new Uint8Array(content),
-                context: {
-                    filename: path.basename(filePath),
-                    size: stats.size,
-                },
-            };
-        }));
-        return this.scanBatch(tasks);
-    }
-}
-/**
- * Quick helper for batch scanning with default options
- */
-async function batchScan(tasks, options) {
-    const scanner = new BatchScanner(options);
-    return scanner.scanBatch(tasks);
-}
-
-/**
- * Export utilities for scan results
- * @module utils/export
- */
-/**
- * Export scan results to various formats
- */
-class ScanResultExporter {
-    /**
-     * Export to JSON format
-     */
-    toJSON(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        if (!options.includeDetails) {
-            // Simplified output
-            const simplified = data.map((r) => ({
-                verdict: r.verdict,
-                file: r.file?.name,
-                matches: r.matches.length,
-                durationMs: r.durationMs,
-            }));
-            return options.prettyPrint ? JSON.stringify(simplified, null, 2) : JSON.stringify(simplified);
-        }
-        return options.prettyPrint ? JSON.stringify(data, null, 2) : JSON.stringify(data);
-    }
-    /**
-     * Export to CSV format
-     */
-    toCSV(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const headers = [
-            "filename",
-            "verdict",
-            "matches_count",
-            "file_size",
-            "mime_type",
-            "duration_ms",
-            "engine",
-        ];
-        if (options.includeDetails) {
-            headers.push("reasons", "match_rules");
-        }
-        const rows = data.map((report) => {
-            const row = [
-                this.escapeCsv(report.file?.name || "unknown"),
-                report.verdict,
-                report.matches.length.toString(),
-                (report.file?.size || 0).toString(),
-                this.escapeCsv(report.file?.mimeType || "unknown"),
-                (report.durationMs || 0).toString(),
-                report.engine || "unknown",
-            ];
-            if (options.includeDetails) {
-                row.push(this.escapeCsv((report.reasons || []).join("; ")), this.escapeCsv(report.matches.map((m) => m.rule).join("; ")));
-            }
-            return row.join(",");
-        });
-        return [headers.join(","), ...rows].join("\n");
-    }
-    /**
-     * Export to Markdown format
-     */
-    toMarkdown(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        let md = "# Scan Results\n\n";
-        md += `**Total Scans:** ${data.length}\n\n`;
-        const clean = data.filter((r) => r.verdict === "clean").length;
-        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
-        const malicious = data.filter((r) => r.verdict === "malicious").length;
-        md += "## Summary\n\n";
-        md += `- ✅ Clean: ${clean}\n`;
-        md += `- ⚠️ Suspicious: ${suspicious}\n`;
-        md += `- ❌ Malicious: ${malicious}\n\n`;
-        md += "## Detailed Results\n\n";
-        for (const report of data) {
-            const icon = report.verdict === "clean" ? "✅" : report.verdict === "suspicious" ? "⚠️" : "❌";
-            md += `### ${icon} ${report.file?.name || "Unknown"}\n\n`;
-            md += `- **Verdict:** ${report.verdict}\n`;
-            md += `- **Size:** ${this.formatBytes(report.file?.size || 0)}\n`;
-            md += `- **MIME Type:** ${report.file?.mimeType || "unknown"}\n`;
-            md += `- **Duration:** ${report.durationMs || 0}ms\n`;
-            md += `- **Matches:** ${report.matches.length}\n`;
-            if (options.includeDetails && report.matches.length > 0) {
-                md += "\n**Match Details:**\n";
-                for (const match of report.matches) {
-                    md += `- ${match.rule}`;
-                    if (match.tags && match.tags.length > 0) {
-                        md += ` (${match.tags.join(", ")})`;
-                    }
-                    md += "\n";
-                }
-            }
-            md += "\n";
-        }
-        return md;
-    }
-    /**
-     * Export to SARIF format (Static Analysis Results Interchange Format)
-     * Useful for CI/CD integration
-     */
-    toSARIF(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const results = data.flatMap((report) => {
-            if (report.verdict === "clean")
-                return [];
-            return report.matches.map((match) => ({
-                ruleId: match.rule,
-                level: report.verdict === "malicious" ? "error" : "warning",
-                message: {
-                    text: `${match.rule} detected in ${report.file?.name || "unknown file"}`,
-                },
-                locations: [
-                    {
-                        physicalLocation: {
-                            artifactLocation: {
-                                uri: report.file?.name || "unknown",
-                            },
-                        },
-                    },
-                ],
-                properties: {
-                    tags: match.tags,
-                    metadata: match.meta,
-                },
-            }));
-        });
-        const sarif = {
-            version: "2.1.0",
-            $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-            runs: [
-                {
-                    tool: {
-                        driver: {
-                            name: "Pompelmi",
-                            version: "0.29.0",
-                            informationUri: "https://pompelmi.github.io/pompelmi/",
-                        },
-                    },
-                    results,
-                },
-            ],
-        };
-        return options.prettyPrint ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
-    }
-    /**
-     * Export to HTML format
-     */
-    toHTML(reports, options = {}) {
-        const data = Array.isArray(reports) ? reports : [reports];
-        const clean = data.filter((r) => r.verdict === "clean").length;
-        const suspicious = data.filter((r) => r.verdict === "suspicious").length;
-        const malicious = data.filter((r) => r.verdict === "malicious").length;
-        let html = `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Pompelmi Scan Results</title>
-  <style>
-    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 1200px; margin: 0 auto; padding: 20px; }
-    .summary { display: grid; grid-template-columns: repeat(3, 1fr); gap: 20px; margin: 20px 0; }
-    .card { padding: 20px; border-radius: 8px; text-align: center; }
-    .clean { background: #d4edda; color: #155724; }
-    .suspicious { background: #fff3cd; color: #856404; }
-    .malicious { background: #f8d7da; color: #721c24; }
-    .result { border: 1px solid #ddd; border-radius: 8px; padding: 15px; margin: 10px 0; }
-    .result h3 { margin-top: 0; }
-    .badge { display: inline-block; padding: 4px 8px; border-radius: 4px; font-size: 0.8em; margin: 2px; }
-    table { width: 100%; border-collapse: collapse; }
-    th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
-  </style>
-</head>
-<body>
-  <h1>🛡️ Pompelmi Scan Results</h1>
-  <div class="summary">
-    <div class="card clean"><h2>${clean}</h2><p>Clean Files</p></div>
-    <div class="card suspicious"><h2>${suspicious}</h2><p>Suspicious Files</p></div>
-    <div class="card malicious"><h2>${malicious}</h2><p>Malicious Files</p></div>
-  </div>
-  <h2>Detailed Results</h2>`;
-        for (const report of data) {
-            const statusClass = report.verdict;
-            html += `<div class="result ${statusClass}">`;
-            html += `<h3>${this.escapeHtml(report.file?.name || "Unknown")}</h3>`;
-            html += `<table>`;
-            html += `<tr><th>Verdict</th><td>${report.verdict.toUpperCase()}</td></tr>`;
-            html += `<tr><th>Size</th><td>${this.formatBytes(report.file?.size || 0)}</td></tr>`;
-            html += `<tr><th>MIME Type</th><td>${this.escapeHtml(report.file?.mimeType || "unknown")}</td></tr>`;
-            html += `<tr><th>Duration</th><td>${report.durationMs || 0}ms</td></tr>`;
-            html += `<tr><th>Matches</th><td>${report.matches.length}</td></tr>`;
-            html += `</table>`;
-            if (options.includeDetails && report.matches.length > 0) {
-                html += `<h4>Match Details:</h4><ul>`;
-                for (const match of report.matches) {
-                    html += `<li><strong>${this.escapeHtml(match.rule)}</strong>`;
-                    if (match.tags && match.tags.length > 0) {
-                        html += ` ${match.tags.map((tag) => `<span class="badge">${this.escapeHtml(tag)}</span>`).join("")}`;
-                    }
-                    html += `</li>`;
-                }
-                html += `</ul>`;
-            }
-            html += `</div>`;
-        }
-        html += `</body></html>`;
-        return html;
-    }
-    /**
-     * Export to specified format
-     */
-    export(reports, format, options = {}) {
-        switch (format) {
-            case "json":
-                return this.toJSON(reports, options);
-            case "csv":
-                return this.toCSV(reports, options);
-            case "markdown":
-                return this.toMarkdown(reports, options);
-            case "html":
-                return this.toHTML(reports, options);
-            case "sarif":
-                return this.toSARIF(reports, options);
-            default:
-                throw new Error(`Unsupported export format: ${format}`);
-        }
-    }
-    escapeCsv(value) {
-        if (value.includes(",") || value.includes('"') || value.includes("\n")) {
-            return `"${value.replace(/"/g, '""')}"`;
-        }
-        return value;
-    }
-    escapeHtml(value) {
-        return value
-            .replace(/&/g, "&amp;")
-            .replace(/</g, "&lt;")
-            .replace(/>/g, "&gt;")
-            .replace(/"/g, "&quot;")
-            .replace(/'/g, "&#039;");
-    }
-    formatBytes(bytes) {
-        if (bytes === 0)
-            return "0 Bytes";
-        const k = 1024;
-        const sizes = ["Bytes", "KB", "MB", "GB"];
-        const i = Math.floor(Math.log(bytes) / Math.log(k));
-        return Math.round((bytes / k ** i) * 100) / 100 + " " + sizes[i];
-    }
-}
-/**
- * Quick export helper
- */
-function exportScanResults(reports, format, options) {
-    const exporter = new ScanResultExporter();
-    return exporter.export(reports, format, options);
-}
-
-/**
- * Threat intelligence integration and enhanced detection
- * @module utils/threat-intelligence
- */
-/**
- * Built-in threat intelligence - known malware hashes
- * In production, this would connect to real threat intel APIs
- */
-class LocalThreatIntelligence {
-    constructor() {
-        this.name = "Local Database";
-        this.knownThreats = new Map();
-        // Initialize with some example known threats (in production, load from database)
-        this.initializeKnownThreats();
-    }
-    initializeKnownThreats() {
-        // Example: EICAR test file hash
-        this.knownThreats.set("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", {
-            threatLevel: 100,
-            category: "test-malware",
-            source: "local",
-            metadata: { name: "EICAR Test File" },
-        });
-    }
-    async checkHash(hash) {
-        return this.knownThreats.get(hash.toLowerCase()) || null;
-    }
-    /**
-     * Add a known threat to the local database
-     */
-    addThreat(hash, info) {
-        this.knownThreats.set(hash.toLowerCase(), info);
-    }
-    /**
-     * Remove a threat from the local database
-     */
-    removeThreat(hash) {
-        return this.knownThreats.delete(hash.toLowerCase());
-    }
-    /**
-     * Get all known threats
-     */
-    getAllThreats() {
-        return new Map(this.knownThreats);
-    }
-}
-/**
- * Threat intelligence aggregator
- */
-class ThreatIntelligenceAggregator {
-    constructor(sources) {
-        this.sources = [];
-        if (sources) {
-            this.sources = sources;
-        }
-        else {
-            // Default to local intelligence
-            this.sources = [new LocalThreatIntelligence()];
-        }
-    }
-    /**
-     * Add a threat intelligence source
-     */
-    addSource(source) {
-        this.sources.push(source);
-    }
-    /**
-     * Check file hash against all sources
-     */
-    async checkHash(hash) {
-        const results = await Promise.allSettled(this.sources.map((source) => source.checkHash(hash)));
-        const threats = [];
-        for (const result of results) {
-            if (result.status === "fulfilled" && result.value) {
-                threats.push(result.value);
-            }
-        }
-        return threats;
-    }
-    /**
-     * Enhance scan report with threat intelligence
-     */
-    async enhanceScanReport(content, report) {
-        // Calculate file hash
-        const hash = crypto.createHash("sha256").update(content).digest("hex");
-        // Check threat intelligence
-        const threatIntel = await this.checkHash(hash);
-        // Calculate risk score
-        const riskScore = this.calculateRiskScore(report, threatIntel);
-        return {
-            ...report,
-            fileHash: hash,
-            threatIntel: threatIntel.length > 0 ? threatIntel : undefined,
-            riskScore,
-        };
-    }
-    /**
-     * Calculate overall risk score based on scan results and threat intel
-     */
-    calculateRiskScore(report, threats) {
-        let score = 0;
-        // Base score from verdict
-        switch (report.verdict) {
-            case "malicious":
-                score += 70;
-                break;
-            case "suspicious":
-                score += 40;
-                break;
-            case "clean":
-                score += 0;
-                break;
-        }
-        // Add points for number of matches
-        score += Math.min(report.matches.length * 5, 20);
-        // Add points from threat intelligence
-        if (threats.length > 0) {
-            const maxThreat = Math.max(...threats.map((t) => t.threatLevel));
-            score = Math.max(score, maxThreat);
-        }
-        return Math.min(score, 100);
-    }
-}
-/**
- * Create default threat intelligence aggregator
- */
-function createThreatIntelligence() {
-    return new ThreatIntelligenceAggregator();
-}
-/**
- * Helper to get file hash
- */
-function getFileHash(content) {
-    return crypto.createHash("sha256").update(content).digest("hex");
-}
-
-/**
- * Validates a File by MIME type and size (max 5 MB).
- */
-function validateFile(file) {
-    const maxSize = 5 * 1024 * 1024;
-    const allowedTypes = ["text/plain", "application/json", "text/csv"];
-    if (!allowedTypes.includes(file.type)) {
-        return { valid: false, error: "Unsupported file type" };
-    }
-    if (file.size > maxSize) {
-        return { valid: false, error: "File too large (max 5 MB)" };
-    }
-    return { valid: true };
-}
-
-function mapMatchesToVerdict(matches = []) {
-    if (!matches.length)
-        return "clean";
-    const malHints = ["trojan", "ransom", "worm", "spy", "rootkit", "keylog", "botnet"];
-    const tagSet = new Set(matches.flatMap((m) => (m.tags ?? []).map((t) => t.toLowerCase())));
-    const nameHit = (r) => malHints.some((h) => r.toLowerCase().includes(h));
-    const isMal = matches.some((m) => nameHit(m.rule)) || tagSet.has("malware") || tagSet.has("critical");
-    return isMal ? "malicious" : "suspicious";
-}
-
-exports.ARCHIVES = ARCHIVES;
-exports.BatchScanner = BatchScanner;
-exports.CONFIG_PRESETS = CONFIG_PRESETS;
-exports.CONSERVATIVE_DEFAULT = CONSERVATIVE_DEFAULT;
-exports.CommonHeuristicsScanner = CommonHeuristicsScanner;
-exports.ConfigManager = ConfigManager;
-exports.DEFAULT_CONFIG = DEFAULT_CONFIG;
-exports.DEFAULT_POLICY = DEFAULT_POLICY;
-exports.DOCUMENTS_ONLY = DOCUMENTS_ONLY;
-exports.HipaaTemp = HipaaTemp;
-exports.IMAGES_ONLY = IMAGES_ONLY;
-exports.LocalThreatIntelligence = LocalThreatIntelligence;
-exports.POLICY_PACKS = POLICY_PACKS;
-exports.PerformanceTracker = PerformanceTracker;
-exports.STRICT_PUBLIC_UPLOAD = STRICT_PUBLIC_UPLOAD;
-exports.SUSPICIOUS_PATTERNS = SUSPICIOUS_PATTERNS;
-exports.ScanCacheManager = ScanCacheManager;
-exports.ScanResultExporter = ScanResultExporter;
-exports.ThreatIntelligenceAggregator = ThreatIntelligenceAggregator;
-exports.aggregateScanStats = aggregateScanStats;
-exports.analyzeNestedArchives = analyzeNestedArchives;
-exports.batchScan = batchScan;
-exports.composeScanners = composeScanners;
-exports.createConfig = createConfig;
-exports.createHipaaError = createHipaaError;
-exports.createPresetScanner = createPresetScanner;
-exports.createThreatIntelligence = createThreatIntelligence;
-exports.createZipBombGuard = createZipBombGuard;
-exports.definePolicy = definePolicy;
-exports.detectObfuscatedScripts = detectObfuscatedScripts;
-exports.detectPolyglot = detectPolyglot;
-exports.exportScanResults = exportScanResults;
-exports.getDefaultCache = getDefaultCache;
-exports.getFileHash = getFileHash;
-exports.getHipaaManager = getHipaaManager;
-exports.getPolicyPack = getPolicyPack;
-exports.getPresetConfig = getPresetConfig;
-exports.initializeHipaaCompliance = initializeHipaaCompliance;
-exports.mapMatchesToVerdict = mapMatchesToVerdict;
-exports.resetDefaultCache = resetDefaultCache;
-exports.scanBytes = scanBytes;
-exports.scanFile = scanFile;
-exports.scanFiles = scanFiles;
-exports.scanFilesWithRemoteYara = scanFilesWithRemoteYara;
-exports.validateFile = validateFile;
-//# sourceMappingURL=pompelmi.cjs.map