pretext-pdf 1.1.0 → 1.6.0

package/dist/assets/loaders/orchestrator.js

@@ -0,0 +1,109 @@
+/**
+ * Image-loading orchestrator — extracted from src/assets.ts in v1.6.0 commit 15/16.
+ *
+ * Stage 2b of the render pipeline: loads + embeds every ImageElement,
+ * float-group image, vector asset (SVG / QR / barcode / chart), plugin
+ * asset, and watermark image into a single ImageMap that the layout
+ * engine consumes.
+ *
+ * Image keys are 'img-N' / 'float-group-N' / 'watermark' / per-vector keys
+ * assigned inside loadVectorAssets / plugin-supplied keys.
+ *
+ * IMPORTANT: @cantoo/pdf-lib image embedding is NOT thread-safe. Raw bytes
+ * load in parallel; embed calls run sequentially.
+ *
+ * Images that fail to load (network error, file not found, unreachable URL)
+ * are routed through doc.onImageLoadError (default = warn-and-skip) so a
+ * single broken image does not crash the document.
+ */
+import { PDFDocument } from '@cantoo/pdf-lib';
+import { PretextPdfError } from '../../errors.js';
+import { findPlugin, runPluginLoadAsset } from '../../plugin-registry.js';
+import { loadImageBytes, resolveImageFormat } from './images.js';
+import { loadVectorAssets } from './vectors.js';
+import { loadWatermarkImage } from './watermark.js';
+export async function loadImages(doc, pdfDoc, contentWidth, plugins, logger) {
+    const warn = logger ? logger.warn.bind(logger) : console.warn.bind(console);
+    const imageMap = new Map();
+    const allowedDirs = doc.allowedFileDirs;
+    // Collect all ImageElement entries with their content index for stable keys
+    const imageEntries = [];
+    for (let i = 0; i < doc.content.length; i++) {
+        const el = doc.content[i];
+        if (el.type === 'image') {
+            imageEntries.push({ el, key: `img-${i}` });
+        }
+        else if (el.type === 'float-group') {
+            const fgImage = {
+                type: 'image',
+                src: el.image.src,
+                ...(el.image.format !== undefined ? { format: el.image.format } : {}),
+                ...(el.image.height !== undefined ? { height: el.image.height } : {}),
+                align: 'left',
+                spaceAfter: 0,
+                spaceBefore: 0,
+            };
+            imageEntries.push({ el: fgImage, key: `float-group-${i}` });
+        }
+    }
+    // Load all image bytes in parallel; capture both successes and failures
+    const loadResults = imageEntries.length > 0
+        ? await Promise.allSettled(imageEntries.map(async ({ el, key }) => {
+            const bytes = await loadImageBytes(el, key, allowedDirs);
+            return { el, key, bytes };
+        }))
+        : [];
+    // Process results: embed successful images, warn on failures
+    for (let ri = 0; ri < loadResults.length; ri++) {
+        const result = loadResults[ri];
+        const entry = imageEntries[ri];
+        if (result.status === 'rejected') {
+            const err = result.reason instanceof Error ? result.reason : new Error(String(result.reason));
+            const action = doc.onImageLoadError ? doc.onImageLoadError(entry.el.src, err) : 'skip';
+            if (action === 'throw')
+                throw err;
+            warn(`[pretext-pdf] Image load skipped: ${err.message}`);
+            continue;
+        }
+        const { el, key, bytes } = result.value;
+        const resolvedFormat = resolveImageFormat(el, bytes, key);
+        try {
+            const pdfImage = resolvedFormat === 'png'
+                ? await pdfDoc.embedPng(bytes)
+                : await pdfDoc.embedJpg(bytes);
+            imageMap.set(key, pdfImage);
+        }
+        catch (err) {
+            const error = err instanceof Error ? err : new Error(String(err));
+            const action = doc.onImageLoadError ? doc.onImageLoadError(entry.el.src, error) : 'skip';
+            if (action === 'throw')
+                throw error;
+            warn(`[pretext-pdf] Image embed failed: key "${key}" (format: '${resolvedFormat}')`);
+            // Continue without this image rather than crashing
+        }
+    }
+    await loadVectorAssets(doc, pdfDoc, imageMap, contentWidth, allowedDirs, warn);
+    // Load plugin assets
+    if (plugins && plugins.length > 0) {
+        for (let i = 0; i < doc.content.length; i++) {
+            const el = doc.content[i];
+            const plugin = findPlugin(plugins, el.type);
+            if (!plugin)
+                continue;
+            try {
+                const assetResult = await runPluginLoadAsset(plugin, el, pdfDoc, contentWidth, i);
+                if (assetResult) {
+                    imageMap.set(assetResult.key, assetResult.image);
+                }
+            }
+            catch (err) {
+                if (err instanceof PretextPdfError)
+                    throw err;
+                warn(`[pretext-pdf] Plugin '${plugin.type}' loadAsset failed at index ${i}: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+    }
+    await loadWatermarkImage(doc, pdfDoc, imageMap, allowedDirs, warn);
+    return imageMap;
+}
+//# sourceMappingURL=orchestrator.js.map

package/dist/assets/loaders/orchestrator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrator.js","sourceRoot":"","sources":["../../../src/assets/loaders/orchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAG7C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEjD,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AACzE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AAEnD,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAgB,EAChB,MAAmB,EACnB,YAAoB,EACpB,OAA4B,EAC5B,MAAe;IAEf,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC3E,MAAM,QAAQ,GAAa,IAAI,GAAG,EAAE,CAAA;IACpC,MAAM,WAAW,GAAG,GAAG,CAAC,eAAe,CAAA;IAEvC,4EAA4E;IAC5E,MAAM,YAAY,GAA6C,EAAE,CAAA;IACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,CAAE,CAAA;QAC1B,IAAI,EAAE,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACxB,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAA;QAC5C,CAAC;aAAM,IAAI,EAAE,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACrC,MAAM,OAAO,GAAiB;gBAC5B,IAAI,EAAE,OAAO;gBACb,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG;gBACjB,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrE,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrE,KAAK,EAAE,MAAM;gBACb,UAAU,EAAE,CAAC;gBACb,WAAW,EAAE,CAAC;aACf,CAAA;YACD,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,eAAe,CAAC,EAAE,EAAE,CAAC,CAAA;QAC7D,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC;QACzC,CAAC,CAAC,MAAM,OAAO,CAAC,UAAU,CACtB,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;YACrC,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,CAAA;YACxD,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAA;QAC3B,CAAC,CAAC,CACH;QACH,CAAC,CAAC,EAAE,CAAA;IAEN,6DAA6D;IAC7D,KAAK,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,WAAW,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAE,CAAA;QAC/B,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAE,CAAA;QAE/B,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,YAAY,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;YAC7F,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;YACtF,IAAI,MAAM,KAAK,OAAO;gBAAE,MAAM,GAAG,CAAA;YACjC,IAAI,CAAC,qCAAqC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;YACxD,SAAQ;QACV,CAAC;QAED,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,KAAK,CAAA;QACvC,MAAM,cAAc,GAAG,kBAAkB,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;QACzD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,cAAc,KAAK,KAAK;gBACvC,CAAC,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC9B,CAAC,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;YAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;YACjE,MAAM,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;YACxF,IAAI,MAAM,KAAK,OAAO;gBAAE,MAAM,KAAK,CAAA;YACnC,IAAI,CAAC,0CAA0C,GAAG,eAAe,cAAc,IAAI,CAAC,CAAA;YACpF,mDAAmD;QACrD,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,IAAI,CAAC,CAAA;IAE9E,qBAAqB;IACrB,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5C,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,CAAE,CAAA;YAC1B,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;YAC3C,IAAI,CAAC,MAAM;gBAAE,SAAQ;YACrB,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,EAAwC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC,CAAA;gBACvH,IAAI,WAAW,EAAE,CAAC;oBAChB,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,WAAW,CAAC,KAAK,CAAC,CAAA;gBAClD,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,eAAe;oBAAE,MAAM,GAAG,CAAA;gBAC7C,IAAI,CAAC,yBAAyB,MAAM,CAAC,IAAI,+BAA+B,CAAC,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;YACnI,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,CAAC,CAAA;IAElE,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/dist/assets/loaders/vectors.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Vector asset loader — extracted from src/assets.ts in v1.6.0 commit 14/16.
+ *
+ * Two-phase load for SVG / QR / barcode / chart elements:
+ *   Phase A — generate svg + rasterize to PNG in bounded-parallel (CPU/I/O,
+ *             safe to fan out)
+ *   Phase B — embed PNGs sequentially because pdf-lib xref mutation is not
+ *             concurrency-safe
+ *
+ * One failed asset must not block other embeds (error isolation matches
+ * prior behavior). SVG failures propagate; QR/barcode/chart failures warn
+ * and leave the slot blank.
+ */
+import { PDFDocument } from '@cantoo/pdf-lib';
+import type { PdfDocument } from '../../types.js';
+import type { ImageMap } from '../../types-internal.js';
+/** Maximum number of vector-asset rasterization tasks allowed to run in parallel. */
+export declare const VECTOR_RASTER_CONCURRENCY = 4;
+/**
+ * Bounded-parallel allSettled. Runs at most `limit` tasks concurrently and
+ * collects per-task fulfilled/rejected results in the original order.
+ */
+export declare function allSettledWithLimit<T>(items: ReadonlyArray<() => Promise<T>>, limit: number): Promise<PromiseSettledResult<T>[]>;
+export declare function loadVectorAssets(doc: PdfDocument, pdfDoc: PDFDocument, imageMap: ImageMap, contentWidth: number, allowedDirs: string[] | undefined, warn: (msg: string) => void): Promise<void>;
+//# sourceMappingURL=vectors.d.ts.map

package/dist/assets/loaders/vectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vectors.d.ts","sourceRoot":"","sources":["../../../src/assets/loaders/vectors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAC7C,OAAO,KAAK,EAAE,WAAW,EAAc,MAAM,gBAAgB,CAAA;AAC7D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AASvD,qFAAqF;AACrF,eAAO,MAAM,yBAAyB,IAAI,CAAA;AAE1C;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,CAAC,EACzC,KAAK,EAAE,aAAa,CAAC,MAAM,OAAO,CAAC,CAAC,CAAC,CAAC,EACtC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC,EAAE,CAAC,CAiBpC;AAED,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,QAAQ,EAClB,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EACjC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAC1B,OAAO,CAAC,IAAI,CAAC,CAqEf"}

package/dist/assets/loaders/vectors.js

@@ -0,0 +1,118 @@
+/**
+ * Vector asset loader — extracted from src/assets.ts in v1.6.0 commit 14/16.
+ *
+ * Two-phase load for SVG / QR / barcode / chart elements:
+ *   Phase A — generate svg + rasterize to PNG in bounded-parallel (CPU/I/O,
+ *             safe to fan out)
+ *   Phase B — embed PNGs sequentially because pdf-lib xref mutation is not
+ *             concurrency-safe
+ *
+ * One failed asset must not block other embeds (error isolation matches
+ * prior behavior). SVG failures propagate; QR/barcode/chart failures warn
+ * and leave the slot blank.
+ */
+import { PDFDocument } from '@cantoo/pdf-lib';
+import { PretextPdfError } from '../../errors.js';
+import { resolveSvgContent } from '../svg/resolve-content.js';
+import { resolveSvgDimensions } from '../svg/dimensions.js';
+import { rasterizeSvgToPng } from '../svg/rasterize.js';
+import { generateQrSvg } from '../generators/qr.js';
+import { generateBarcodeSvg } from '../generators/barcode.js';
+import { generateChartSvg } from '../generators/chart.js';
+/** Maximum number of vector-asset rasterization tasks allowed to run in parallel. */
+export const VECTOR_RASTER_CONCURRENCY = 4;
+/**
+ * Bounded-parallel allSettled. Runs at most `limit` tasks concurrently and
+ * collects per-task fulfilled/rejected results in the original order.
+ */
+export async function allSettledWithLimit(items, limit) {
+    const results = new Array(items.length);
+    let cursor = 0;
+    async function next() {
+        while (cursor < items.length) {
+            const idx = cursor++;
+            try {
+                const value = await items[idx]();
+                results[idx] = { status: 'fulfilled', value };
+            }
+            catch (reason) {
+                results[idx] = { status: 'rejected', reason };
+            }
+        }
+    }
+    const workerCount = Math.min(Math.max(1, limit), items.length);
+    await Promise.all(Array.from({ length: workerCount }, () => next()));
+    return results;
+}
+export async function loadVectorAssets(doc, pdfDoc, imageMap, contentWidth, allowedDirs, warn) {
+    const tasks = [];
+    for (let i = 0; i < doc.content.length; i++) {
+        const el = doc.content[i];
+        if (el.type === 'svg') {
+            tasks.push({ key: `svg-${i}`, index: i, kind: 'svg', run: async () => {
+                    const svgContent = await resolveSvgContent(el, allowedDirs);
+                    const svgWithContent = { type: 'svg', svg: svgContent, width: el.width, height: el.height, align: el.align, spaceBefore: el.spaceBefore, spaceAfter: el.spaceAfter };
+                    const { widthPt, heightPt } = resolveSvgDimensions(svgWithContent, contentWidth);
+                    return rasterizeSvgToPng(svgContent, widthPt, heightPt);
+                } });
+        }
+        else if (el.type === 'qr-code') {
+            tasks.push({ key: `qr-${i}`, index: i, kind: 'qr-code', run: async () => {
+                    const svgString = await generateQrSvg(el);
+                    const sizePt = el.size ?? 80;
+                    return rasterizeSvgToPng(svgString, sizePt, sizePt);
+                } });
+        }
+        else if (el.type === 'barcode') {
+            tasks.push({ key: `barcode-${i}`, index: i, kind: 'barcode', run: async () => {
+                    const svgString = await generateBarcodeSvg(el);
+                    const widthPt = el.width ?? 200;
+                    const heightPt = el.height ?? 60;
+                    return rasterizeSvgToPng(svgString, widthPt, heightPt);
+                } });
+        }
+        else if (el.type === 'chart') {
+            tasks.push({ key: `chart-${i}`, index: i, kind: 'chart', run: async () => {
+                    const svgString = await generateChartSvg(el, contentWidth);
+                    const widthPt = el.width ?? contentWidth;
+                    const heightPt = el.height ?? 300;
+                    return rasterizeSvgToPng(svgString, widthPt, heightPt);
+                } });
+        }
+    }
+    if (tasks.length === 0)
+        return;
+    // Phase A: bounded-parallel rasterization. allSettled isolates per-task failures.
+    // Cap concurrency to avoid resource exhaustion (sharp/svg2pdfkit workers, FDs)
+    // when a document carries many vector assets.
+    const results = await allSettledWithLimit(tasks.map(t => () => t.run()), VECTOR_RASTER_CONCURRENCY);
+    // Phase B: MUST remain sequential — pdf-lib xref mutation is not concurrency-safe
+    for (let ti = 0; ti < tasks.length; ti++) {
+        const task = tasks[ti];
+        const result = results[ti];
+        if (result.status === 'rejected') {
+            const err = result.reason;
+            // SVG failures historically propagated (file/url/render errors thrown).
+            if (task.kind === 'svg')
+                throw err;
+            if (err instanceof PretextPdfError)
+                throw err;
+            const message = err instanceof Error ? err.message : String(err);
+            warn(`[pretext-pdf] ${task.kind} load failed at index ${task.index} (CHART_LOAD_FAILED): ${message}. Slot will be blank in PDF.`);
+            continue;
+        }
+        try {
+            const pdfImage = await pdfDoc.embedPng(result.value);
+            imageMap.set(task.key, pdfImage);
+        }
+        catch (err) {
+            if (task.kind === 'svg')
+                throw err;
+            if (err instanceof PretextPdfError)
+                throw err;
+            const message = err instanceof Error ? err.message : String(err);
+            warn(`[pretext-pdf] ${task.kind} embed failed at index ${task.index} (CHART_LOAD_FAILED): ${message}. Slot will be blank in PDF.`);
+        }
+    }
+}
+//# sourceMappingURL=vectors.js.map

package/dist/assets/loaders/vectors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vectors.js","sourceRoot":"","sources":["../../../src/assets/loaders/vectors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAG7C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAA;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAEzD,qFAAqF;AACrF,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAA;AAE1C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAsC,EACtC,KAAa;IAEb,MAAM,OAAO,GAA8B,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAClE,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,KAAK,UAAU,IAAI;QACjB,OAAO,MAAM,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;YACpB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,GAAG,CAAE,EAAE,CAAA;gBACjC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,CAAA;YAC/C,CAAC;YAAC,OAAO,MAAM,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;IAC9D,MAAM,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;IACpE,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAAgB,EAChB,MAAmB,EACnB,QAAkB,EAClB,YAAoB,EACpB,WAAiC,EACjC,IAA2B;IAQ3B,MAAM,KAAK,GAAiB,EAAE,CAAA;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,CAAE,CAAA;QAC1B,IAAI,EAAE,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACtB,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,IAAI,EAAE;oBACnE,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,EAAE,EAAE,WAAW,CAAC,CAAA;oBAC3D,MAAM,cAAc,GAAe,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE,CAAC,UAAU,EAAgB,CAAA;oBAC9L,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,oBAAoB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAA;oBAChF,OAAO,iBAAiB,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;gBACzD,CAAC,EAAE,CAAC,CAAA;QACN,CAAC;aAAM,IAAI,EAAE,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,KAAK,IAAI,EAAE;oBACtE,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,EAAE,CAAC,CAAA;oBACzC,MAAM,MAAM,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAA;oBAC5B,OAAO,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,CAAA;gBACrD,CAAC,EAAE,CAAC,CAAA;QACN,CAAC;aAAM,IAAI,EAAE,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,KAAK,IAAI,EAAE;oBAC3E,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,EAAE,CAAC,CAAA;oBAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,IAAI,GAAG,CAAA;oBAC/B,MAAM,QAAQ,GAAG,EAAE,CAAC,MAAM,IAAI,EAAE,CAAA;oBAChC,OAAO,iBAAiB,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;gBACxD,CAAC,EAAE,CAAC,CAAA;QACN,CAAC;aAAM,IAAI,EAAE,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,SAAS,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,IAAI,EAAE;oBACvE,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,EAAE,EAAE,YAAY,CAAC,CAAA;oBAC1D,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,IAAI,YAAY,CAAA;oBACxC,MAAM,QAAQ,GAAG,EAAE,CAAC,MAAM,IAAI,GAAG,CAAA;oBACjC,OAAO,iBAAiB,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;gBACxD,CAAC,EAAE,CAAC,CAAA;QACN,CAAC;IACH,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM;IAE9B,kFAAkF;IAClF,+EAA+E;IAC/E,8CAA8C;IAC9C,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAA;IAEnG,kFAAkF;IAClF,KAAK,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAE,CAAA;QACvB,MAAM,MAAM,GAAG,OAAO,CAAC,EAAE,CAAE,CAAA;QAC3B,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAA;YACzB,wEAAwE;YACxE,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;gBAAE,MAAM,GAAG,CAAA;YAClC,IAAI,GAAG,YAAY,eAAe;gBAAE,MAAM,GAAG,CAAA;YAC7C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,IAAI,CAAC,iBAAiB,IAAI,CAAC,IAAI,yBAAyB,IAAI,CAAC,KAAK,yBAAyB,OAAO,8BAA8B,CAAC,CAAA;YACjI,SAAQ;QACV,CAAC;QACD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YACpD,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK;gBAAE,MAAM,GAAG,CAAA;YAClC,IAAI,GAAG,YAAY,eAAe;gBAAE,MAAM,GAAG,CAAA;YAC7C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,IAAI,CAAC,iBAAiB,IAAI,CAAC,IAAI,0BAA0B,IAAI,CAAC,KAAK,yBAAyB,OAAO,8BAA8B,CAAC,CAAA;QACpI,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/assets/loaders/watermark.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Watermark image loader — extracted from src/assets.ts in v1.6.0 commit 15/16.
+ *
+ * Loads + embeds the optional `doc.watermark.image` (path or Uint8Array)
+ * into the imageMap under the 'watermark' key. PATH_TRAVERSAL errors
+ * propagate; other failures are warn-and-skip (matches prior behavior).
+ */
+import { PDFDocument } from '@cantoo/pdf-lib';
+import type { PdfDocument } from '../../types.js';
+import type { ImageMap } from '../../types-internal.js';
+export declare function loadWatermarkImage(doc: PdfDocument, pdfDoc: PDFDocument, imageMap: ImageMap, allowedDirs: string[] | undefined, warn: (msg: string) => void): Promise<void>;
+//# sourceMappingURL=watermark.d.ts.map

package/dist/assets/loaders/watermark.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"watermark.d.ts","sourceRoot":"","sources":["../../../src/assets/loaders/watermark.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAC7C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AAIvD,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,QAAQ,EAClB,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EACjC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAC1B,OAAO,CAAC,IAAI,CAAC,CAwBf"}

package/dist/assets/loaders/watermark.js

@@ -0,0 +1,40 @@
+/**
+ * Watermark image loader — extracted from src/assets.ts in v1.6.0 commit 15/16.
+ *
+ * Loads + embeds the optional `doc.watermark.image` (path or Uint8Array)
+ * into the imageMap under the 'watermark' key. PATH_TRAVERSAL errors
+ * propagate; other failures are warn-and-skip (matches prior behavior).
+ */
+import { PDFDocument } from '@cantoo/pdf-lib';
+import { PretextPdfError } from '../../errors.js';
+import { assertPathAllowed } from '../security/path-allowlist.js';
+export async function loadWatermarkImage(doc, pdfDoc, imageMap, allowedDirs, warn) {
+    if (!doc.watermark?.image)
+        return;
+    const src = doc.watermark.image;
+    try {
+        let bytes;
+        if (src instanceof Uint8Array) {
+            bytes = src;
+        }
+        else {
+            const [fs, pathMod] = await Promise.all([import('fs'), import('path')]);
+            const filePath = pathMod.resolve(src);
+            assertPathAllowed(filePath, allowedDirs, 'watermark image');
+            if (!fs.existsSync(filePath))
+                throw new Error(`Watermark image not found`);
+            bytes = new Uint8Array(fs.readFileSync(filePath));
+        }
+        const isPng = bytes[0] === 0x89 && bytes[1] === 0x50 && bytes[2] === 0x4E && bytes[3] === 0x47;
+        const pdfImage = isPng
+            ? await pdfDoc.embedPng(bytes)
+            : await pdfDoc.embedJpg(bytes);
+        imageMap.set('watermark', pdfImage);
+    }
+    catch (err) {
+        if (err instanceof PretextPdfError && err.code === 'PATH_TRAVERSAL')
+            throw err;
+        warn(`[pretext-pdf] Watermark image skipped: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+//# sourceMappingURL=watermark.js.map

package/dist/assets/loaders/watermark.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"watermark.js","sourceRoot":"","sources":["../../../src/assets/loaders/watermark.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAG7C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AAEjE,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAgB,EAChB,MAAmB,EACnB,QAAkB,EAClB,WAAiC,EACjC,IAA2B;IAE3B,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK;QAAE,OAAM;IAEjC,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,KAAK,CAAA;IAC/B,IAAI,CAAC;QACH,IAAI,KAAiB,CAAA;QACrB,IAAI,GAAG,YAAY,UAAU,EAAE,CAAC;YAC9B,KAAK,GAAG,GAAG,CAAA;QACb,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;YACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAa,CAAC,CAAA;YAC/C,iBAAiB,CAAC,QAAQ,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAA;YAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAA;YAC1E,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAA;QACnD,CAAC;QACD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAA;QAC9F,MAAM,QAAQ,GAAG,KAAK;YACpB,CAAC,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC9B,CAAC,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QAChC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,eAAe,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB;YAAE,MAAM,GAAG,CAAA;QAC9E,IAAI,CAAC,0CAA0C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IACpG,CAAC;AACH,CAAC"}

package/dist/assets/security/fetch.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Fetch with a hard 10-second timeout AND a manual redirect chain that
+ * re-validates each hop against `resolveAndValidateUrl`. Without manual
+ * redirect handling, a public URL could 302 to `http://127.0.0.1:8080/internal`
+ * and bypass the upfront check — the connection would still be made to
+ * the private target.
+ *
+ * Each hop creates a fresh undici Agent that pins the socket to the IP
+ * that just passed validation. This defeats DNS-rebinding TOCTOU attacks
+ * where an attacker controls a TTL=0 DNS record and swaps the answer
+ * between our `dns.lookup()` and the actual TCP connect.
+ */
+export declare function fetchWithTimeout(url: string, errorCode: 'IMAGE_LOAD_FAILED' | 'SVG_LOAD_FAILED', label: string): Promise<Response>;
+//# sourceMappingURL=fetch.d.ts.map

package/dist/assets/security/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../../src/assets/security/fetch.ts"],"names":[],"mappings":"AA0DA;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,mBAAmB,GAAG,iBAAiB,EAClD,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,QAAQ,CAAC,CAgDnB"}

package/dist/assets/security/fetch.js

@@ -0,0 +1,112 @@
+import { Agent, fetch as undiciFetch } from 'undici';
+import { PretextPdfError } from '../../errors.js';
+import { resolveAndValidateUrl } from './url-validation.js';
+/**
+ * Hardened remote fetch primitives for image / SVG loading.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 8/16 — the architect-flagged
+ * highest-risk commit of the split. Key invariants preserved here:
+ *
+ *   1. NO module-level side effects. In particular, `createPinnedAgent`
+ *      must remain lazy — every call constructs a fresh undici Agent that
+ *      lives only for the duration of one HTTP request. There is NO module-
+ *      level `new Agent({...})` allocation. This preserves the G7 cold-start
+ *      perf baseline (the previous home in `src/assets.ts` had the same
+ *      lazy behavior).
+ *   2. The undici imports are top-level bindings only; no Agent is
+ *      constructed at module evaluation time.
+ *   3. `fetchWithTimeout` re-validates every redirect hop. Public targets
+ *      that 302 to private addresses are rejected at the next hop.
+ *   4. `Agent.close()` is fire-and-forget inside `finally` so callers never
+ *      block on shutdown.
+ *
+ * `src/assets.ts` re-exports `fetchWithTimeout` so existing consumers
+ * (notably `test/security-ssrf.test.ts` and `test/assets-dns-dedup.test.ts`
+ * which import via `'../src/assets.js'` / `'../dist/assets.js'`) keep working.
+ * `createPinnedAgent` is intentionally NOT re-exported — it is a private
+ * implementation detail of the fetch primitive.
+ */
+/**
+ * Build an undici Agent whose every TCP connection is pinned to the supplied
+ * pre-validated IP. Closes the DNS-rebinding TOCTOU window: even if DNS is
+ * re-resolved by the runtime mid-flight, the socket targets the IP we already
+ * confirmed is public.
+ *
+ * Caller MUST `close()` the agent after the fetch completes.
+ *
+ * LAZY: called only inside `fetchWithTimeout`, never at module load.
+ */
+function createPinnedAgent(ip, family) {
+    return new Agent({
+        connect: {
+            // Undici accepts a Node `dns.lookup`-compatible function here.
+            // We unconditionally return the pre-validated IP so a malicious DNS
+            // server cannot rebind to a private address between validation and
+            // connect.
+            lookup: (_hostname, _options, cb) => {
+                cb(null, ip, family);
+            },
+        },
+    });
+}
+/**
+ * Fetch with a hard 10-second timeout AND a manual redirect chain that
+ * re-validates each hop against `resolveAndValidateUrl`. Without manual
+ * redirect handling, a public URL could 302 to `http://127.0.0.1:8080/internal`
+ * and bypass the upfront check — the connection would still be made to
+ * the private target.
+ *
+ * Each hop creates a fresh undici Agent that pins the socket to the IP
+ * that just passed validation. This defeats DNS-rebinding TOCTOU attacks
+ * where an attacker controls a TTL=0 DNS record and swaps the answer
+ * between our `dns.lookup()` and the actual TCP connect.
+ */
+export async function fetchWithTimeout(url, errorCode, label) {
+    const MAX_REDIRECTS = 3;
+    let currentUrl = url;
+    for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
+        const { url: parsed, ip, family } = await resolveAndValidateUrl(currentUrl, errorCode, label);
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), 10_000);
+        // Only create a pinned dispatcher when we have a resolved IP. For
+        // IP-literal hosts or DNS-unavailable cases we let undici handle
+        // resolution itself (a DNS failure there is already safe).
+        const pinnedAgent = ip && family ? createPinnedAgent(ip, family) : null;
+        let res;
+        try {
+            const fetchOpts = {
+                signal: controller.signal,
+                redirect: 'manual',
+            };
+            if (pinnedAgent) {
+                // `dispatcher` is an undici-specific extension; cast keeps fetch
+                // typings happy without leaking undici types into the public API.
+                ;
+                fetchOpts.dispatcher = pinnedAgent;
+            }
+            res = (await undiciFetch(parsed.toString(), fetchOpts));
+        }
+        finally {
+            clearTimeout(timer);
+            if (pinnedAgent) {
+                // Don't block the caller on agent shutdown; swallow close errors.
+                void pinnedAgent.close().catch(() => undefined);
+            }
+        }
+        // Undici fetch does not produce `opaqueredirect`, but keep parity with
+        // the browser-fetch contract: if we somehow get one, refuse.
+        if (res.type === 'opaqueredirect') {
+            throw new PretextPdfError(errorCode, `${label}: cannot follow opaque redirect. Pre-resolve the URL.`);
+        }
+        if (res.status >= 300 && res.status < 400) {
+            const loc = res.headers.get('Location');
+            if (!loc)
+                throw new PretextPdfError(errorCode, `${label}: redirect (${res.status}) with no Location header`);
+            currentUrl = new URL(loc, parsed).toString();
+            continue;
+        }
+        return res;
+    }
+    throw new PretextPdfError(errorCode, `${label}: too many redirects (max ${MAX_REDIRECTS})`);
+}
+//# sourceMappingURL=fetch.js.map

package/dist/assets/security/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../../src/assets/security/fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,KAAK,IAAI,WAAW,EAAE,MAAM,QAAQ,CAAA;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAE3D;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CAAC,EAAU,EAAE,MAAa;IAClD,OAAO,IAAI,KAAK,CAAC;QACf,OAAO,EAAE;YACP,+DAA+D;YAC/D,oEAAoE;YACpE,mEAAmE;YACnE,WAAW;YACX,MAAM,EAAE,CACN,SAAiB,EACjB,QAAiB,EACjB,EAAgF,EAC1E,EAAE;gBACR,EAAE,CAAC,IAAI,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;YACtB,CAAC;SACF;KACF,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAAW,EACX,SAAkD,EAClD,KAAa;IAEb,MAAM,aAAa,GAAG,CAAC,CAAA;IACvB,IAAI,UAAU,GAAG,GAAG,CAAA;IACpB,KAAK,IAAI,GAAG,GAAG,CAAC,EAAE,GAAG,IAAI,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,MAAM,qBAAqB,CAAC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,CAAA;QAE7F,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAA;QACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAA;QAE1D,kEAAkE;QAClE,iEAAiE;QACjE,2DAA2D;QAC3D,MAAM,WAAW,GAAG,EAAE,IAAI,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QAEvE,IAAI,GAAa,CAAA;QACjB,IAAI,CAAC;YACH,MAAM,SAAS,GAAsC;gBACnD,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,QAAQ,EAAE,QAAQ;aACnB,CAAA;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,iEAAiE;gBACjE,kEAAkE;gBAClE,CAAC;gBAAC,SAA8C,CAAC,UAAU,GAAG,WAAW,CAAA;YAC3E,CAAC;YACD,GAAG,GAAG,CAAC,MAAM,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAwB,CAAA;QAChF,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAA;YACnB,IAAI,WAAW,EAAE,CAAC;gBAChB,kEAAkE;gBAClE,KAAK,WAAW,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;YACjD,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,6DAA6D;QAC7D,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;YAClC,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,uDAAuD,CAAC,CAAA;QACvG,CAAC;QACD,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;YACvC,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,eAAe,GAAG,CAAC,MAAM,2BAA2B,CAAC,CAAA;YAC5G,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAA;YAC5C,SAAQ;QACV,CAAC;QACD,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,6BAA6B,aAAa,GAAG,CAAC,CAAA;AAC7F,CAAC"}

package/dist/assets/security/ipv4-normalize.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Normalize alternative IPv4 notations to dotted-decimal form so the
+ * private-range regexes catch them. WHATWG URL does NOT normalize these,
+ * so an attacker can use any of these forms to bypass `/^127\./`-style
+ * checks:
+ *   - Pure decimal:  `2130706433`            → 127.0.0.1
+ *   - Pure hex:      `0x7f000001`            → 127.0.0.1
+ *   - Octal octet:   `0177.0.0.1`            → 127.0.0.1
+ *   - Hex octet:     `0x7f.0.0.1`            → 127.0.0.1
+ *   - Short form:    `127.1`, `127.0.1`      → 127.0.0.1
+ *
+ * Returns the dotted-decimal form when `hostname` is any valid IPv4
+ * representation, otherwise `null` (leaving the original hostname for
+ * DNS resolution / regex matching). Never throws.
+ *
+ * NOTE: parts with leading zeros (e.g. `008`) are parsed as octal per the
+ * traditional inet_aton rules — `008` is INVALID (8 is not an octal digit)
+ * so we return null. `010` parses as octal 8. This matches how Linux's
+ * getaddrinfo / inet_aton historically resolved these forms, which is what
+ * we need to defend against.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 6/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. Pure function — no module-level
+ * side effects. Re-exported from `src/assets.ts` so existing direct importers
+ * (`test/security-ipv4-bypass.test.ts`) keep working.
+ */
+export declare function normalizeIpv4Hostname(hostname: string): string | null;
+//# sourceMappingURL=ipv4-normalize.d.ts.map

package/dist/assets/security/ipv4-normalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ipv4-normalize.d.ts","sourceRoot":"","sources":["../../../src/assets/security/ipv4-normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAuErE"}

package/dist/assets/security/ipv4-normalize.js

@@ -0,0 +1,116 @@
+/**
+ * Normalize alternative IPv4 notations to dotted-decimal form so the
+ * private-range regexes catch them. WHATWG URL does NOT normalize these,
+ * so an attacker can use any of these forms to bypass `/^127\./`-style
+ * checks:
+ *   - Pure decimal:  `2130706433`            → 127.0.0.1
+ *   - Pure hex:      `0x7f000001`            → 127.0.0.1
+ *   - Octal octet:   `0177.0.0.1`            → 127.0.0.1
+ *   - Hex octet:     `0x7f.0.0.1`            → 127.0.0.1
+ *   - Short form:    `127.1`, `127.0.1`      → 127.0.0.1
+ *
+ * Returns the dotted-decimal form when `hostname` is any valid IPv4
+ * representation, otherwise `null` (leaving the original hostname for
+ * DNS resolution / regex matching). Never throws.
+ *
+ * NOTE: parts with leading zeros (e.g. `008`) are parsed as octal per the
+ * traditional inet_aton rules — `008` is INVALID (8 is not an octal digit)
+ * so we return null. `010` parses as octal 8. This matches how Linux's
+ * getaddrinfo / inet_aton historically resolved these forms, which is what
+ * we need to defend against.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 6/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. Pure function — no module-level
+ * side effects. Re-exported from `src/assets.ts` so existing direct importers
+ * (`test/security-ipv4-bypass.test.ts`) keep working.
+ */
+export function normalizeIpv4Hostname(hostname) {
+    if (!hostname || hostname.includes(':') || hostname.includes('['))
+        return null;
+    // Parse a single part as decimal / octal / hex per inet_aton semantics.
+    // Returns null on any malformed input (non-digit chars, out-of-range, etc.)
+    const parsePart = (part) => {
+        if (part.length === 0)
+            return null;
+        let radix = 10;
+        let body = part;
+        if (part.length > 1 && (part[0] === '0' || part[0] === '-')) {
+            // Reject negative parts outright
+            if (part[0] === '-')
+                return null;
+        }
+        if (part === '0')
+            return 0;
+        if (part.length >= 2 && (part[0] === '0') && (part[1] === 'x' || part[1] === 'X')) {
+            radix = 16;
+            body = part.slice(2);
+            if (body.length === 0)
+                return null;
+            if (!/^[0-9a-fA-F]+$/.test(body))
+                return null;
+        }
+        else if (part[0] === '0') {
+            radix = 8;
+            body = part.slice(1);
+            if (!/^[0-7]+$/.test(body))
+                return null;
+        }
+        else {
+            if (!/^[0-9]+$/.test(part))
+                return null;
+        }
+        const n = parseInt(body, radix);
+        if (!Number.isFinite(n) || n < 0)
+            return null;
+        return n;
+    };
+    const parts = hostname.split('.');
+    if (parts.length === 0 || parts.length > 4)
+        return null;
+    const parsed = [];
+    for (const p of parts) {
+        const n = parsePart(p);
+        if (n === null)
+            return null;
+        parsed.push(n);
+    }
+    // Apply inet_aton-style packing for short forms:
+    //   1 part:  a            → a (32-bit, all octets)
+    //   2 parts: a.b          → a.0.0.0 | b (last covers low 24 bits)
+    //   3 parts: a.b.c        → a.b.0.0 | c (last covers low 16 bits)
+    //   4 parts: a.b.c.d      → each octet 0–255
+    let value;
+    if (parsed.length === 1) {
+        value = parsed[0];
+        // Single-int forms (decimal/hex) must fit in 32 bits; reject before the
+        // `>>> 0` truncation below would silently wrap.
+        if (value < 0 || value > 0xffffffff)
+            return null;
+    }
+    else if (parsed.length === 2) {
+        const [a, b] = parsed;
+        if (a > 0xff || b > 0xffffff)
+            return null;
+        value = (a << 24) >>> 0 | b;
+    }
+    else if (parsed.length === 3) {
+        const [a, b, c] = parsed;
+        if (a > 0xff || b > 0xff || c > 0xffff)
+            return null;
+        value = ((a << 24) >>> 0) | (b << 16) | c;
+    }
+    else {
+        const [a, b, c, d] = parsed;
+        if (a > 0xff || b > 0xff || c > 0xff || d > 0xff)
+            return null;
+        value = ((a << 24) >>> 0) | (b << 16) | (c << 8) | d;
+    }
+    // `|` in JS is a signed 32-bit op — coerce to unsigned for the final value
+    // so 0xFFFFFFFF reads as 4294967295 rather than -1.
+    value = value >>> 0;
+    // Final 32-bit range guard (covers single-int forms like `2130706433`)
+    if (value > 0xffffffff)
+        return null;
+    return `${(value >>> 24) & 0xff}.${(value >>> 16) & 0xff}.${(value >>> 8) & 0xff}.${value & 0xff}`;
+}
+//# sourceMappingURL=ipv4-normalize.js.map

package/dist/assets/security/ipv4-normalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ipv4-normalize.js","sourceRoot":"","sources":["../../../src/assets/security/ipv4-normalize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAE9E,wEAAwE;IACxE,4EAA4E;IAC5E,MAAM,SAAS,GAAG,CAAC,IAAY,EAAiB,EAAE;QAChD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QAClC,IAAI,KAAK,GAAG,EAAE,CAAA;QACd,IAAI,IAAI,GAAG,IAAI,CAAA;QACf,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC5D,iCAAiC;YACjC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAA;QAClC,CAAC;QACD,IAAI,IAAI,KAAK,GAAG;YAAE,OAAO,CAAC,CAAA;QAC1B,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAClF,KAAK,GAAG,EAAE,CAAA;YACV,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YACpB,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAA;YAClC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAA;QAC/C,CAAC;aAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC3B,KAAK,GAAG,CAAC,CAAA;YACT,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YACpB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAA;QACzC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAA;QACzC,CAAC;QACD,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QAC/B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QAC7C,OAAO,CAAC,CAAA;IACV,CAAC,CAAA;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACvD,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAA;QACtB,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAC3B,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAChB,CAAC;IAED,iDAAiD;IACjD,mDAAmD;IACnD,kEAAkE;IAClE,kEAAkE;IAClE,6CAA6C;IAC7C,IAAI,KAAa,CAAA;IACjB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,KAAK,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;QAClB,wEAAwE;QACxE,gDAAgD;QAChD,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,UAAU;YAAE,OAAO,IAAI,CAAA;IAClD,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAA0B,CAAA;QACzC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,QAAQ;YAAE,OAAO,IAAI,CAAA;QACzC,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,MAAkC,CAAA;QACpD,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,MAAM;YAAE,OAAO,IAAI,CAAA;QACnD,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAA;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,MAA0C,CAAA;QAC/D,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI;YAAE,OAAO,IAAI,CAAA;QAC7D,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;IACtD,CAAC;IACD,2EAA2E;IAC3E,oDAAoD;IACpD,KAAK,GAAG,KAAK,KAAK,CAAC,CAAA;IACnB,uEAAuE;IACvE,IAAI,KAAK,GAAG,UAAU;QAAE,OAAO,IAAI,CAAA;IAEnC,OAAO,GAAG,CAAC,KAAK,KAAK,EAAE,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,KAAK,CAAC,CAAC,GAAG,IAAI,IAAI,KAAK,GAAG,IAAI,EAAE,CAAA;AACpG,CAAC"}