npm - pretext-pdf - Versions diffs - 1.1.0 → 1.6.0 - Mend

pretext-pdf 1.1.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (342) hide show

package/CHANGELOG.md +687 -0
package/README.md +83 -8
package/dist/allowed-props.d.ts +76 -0
package/dist/allowed-props.d.ts.map +1 -1
package/dist/allowed-props.js.map +1 -1
package/dist/assets/generators/barcode.d.ts +9 -0
package/dist/assets/generators/barcode.d.ts.map +1 -0
package/dist/assets/generators/barcode.js +24 -0
package/dist/assets/generators/barcode.js.map +1 -0
package/dist/assets/generators/chart.d.ts +13 -0
package/dist/assets/generators/chart.d.ts.map +1 -0
package/dist/assets/generators/chart.js +32 -0
package/dist/assets/generators/chart.js.map +1 -0
package/dist/assets/generators/qr.d.ts +9 -0
package/dist/assets/generators/qr.d.ts.map +1 -0
package/dist/assets/generators/qr.js +25 -0
package/dist/assets/generators/qr.js.map +1 -0
package/dist/assets/index.d.ts +19 -0
package/dist/assets/index.d.ts.map +1 -0
package/dist/assets/index.js +19 -0
package/dist/assets/index.js.map +1 -0
package/dist/assets/loaders/images.d.ts +20 -0
package/dist/assets/loaders/images.d.ts.map +1 -0
package/dist/assets/loaders/images.js +69 -0
package/dist/assets/loaders/images.js.map +1 -0
package/dist/assets/loaders/orchestrator.d.ts +24 -0
package/dist/assets/loaders/orchestrator.d.ts.map +1 -0
package/dist/assets/loaders/orchestrator.js +109 -0
package/dist/assets/loaders/orchestrator.js.map +1 -0
package/dist/assets/loaders/vectors.d.ts +25 -0
package/dist/assets/loaders/vectors.d.ts.map +1 -0
package/dist/assets/loaders/vectors.js +118 -0
package/dist/assets/loaders/vectors.js.map +1 -0
package/dist/assets/loaders/watermark.d.ts +12 -0
package/dist/assets/loaders/watermark.d.ts.map +1 -0
package/dist/assets/loaders/watermark.js +40 -0
package/dist/assets/loaders/watermark.js.map +1 -0
package/dist/assets/security/fetch.d.ts +14 -0
package/dist/assets/security/fetch.d.ts.map +1 -0
package/dist/assets/security/fetch.js +112 -0
package/dist/assets/security/fetch.js.map +1 -0
package/dist/assets/security/ipv4-normalize.d.ts +28 -0
package/dist/assets/security/ipv4-normalize.d.ts.map +1 -0
package/dist/assets/security/ipv4-normalize.js +116 -0
package/dist/assets/security/ipv4-normalize.js.map +1 -0
package/dist/assets/security/path-allowlist.d.ts +12 -0
package/dist/assets/security/path-allowlist.d.ts.map +1 -0
package/dist/assets/security/path-allowlist.js +26 -0
package/dist/assets/security/path-allowlist.js.map +1 -0
package/dist/assets/security/url-validation.d.ts +22 -0
package/dist/assets/security/url-validation.d.ts.map +1 -0
package/dist/assets/security/url-validation.js +164 -0
package/dist/assets/security/url-validation.js.map +1 -0
package/dist/assets/svg/dimensions.d.ts +19 -0
package/dist/assets/svg/dimensions.d.ts.map +1 -0
package/dist/assets/svg/dimensions.js +43 -0
package/dist/assets/svg/dimensions.js.map +1 -0
package/dist/assets/svg/rasterize.d.ts +6 -0
package/dist/assets/svg/rasterize.d.ts.map +1 -0
package/dist/assets/svg/rasterize.js +38 -0
package/dist/assets/svg/rasterize.js.map +1 -0
package/dist/assets/svg/resolve-content.d.ts +16 -0
package/dist/assets/svg/resolve-content.d.ts.map +1 -0
package/dist/assets/svg/resolve-content.js +38 -0
package/dist/assets/svg/resolve-content.js.map +1 -0
package/dist/assets/svg/sanitize.d.ts +22 -0
package/dist/assets/svg/sanitize.d.ts.map +1 -0
package/dist/assets/svg/sanitize.js +46 -0
package/dist/assets/svg/sanitize.js.map +1 -0
package/dist/assets/util/redact-path.d.ts +14 -0
package/dist/assets/util/redact-path.d.ts.map +1 -0
package/dist/assets/util/redact-path.js +16 -0
package/dist/assets/util/redact-path.js.map +1 -0
package/dist/assets.d.ts +10 -27
package/dist/assets.d.ts.map +1 -1
package/dist/assets.js +10 -549
package/dist/assets.js.map +1 -1
package/dist/builder.d.ts.map +1 -1
package/dist/builder.js +2 -1
package/dist/builder.js.map +1 -1
package/dist/cli.js +11 -1
package/dist/cli.js.map +1 -1
package/dist/compat.d.ts +63 -1
package/dist/compat.d.ts.map +1 -1
package/dist/compat.js +42 -5
package/dist/compat.js.map +1 -1
package/dist/errors.d.ts +2 -2
package/dist/errors.d.ts.map +1 -1
package/dist/errors.js +2 -2
package/dist/errors.js.map +1 -1
package/dist/fonts.d.ts.map +1 -1
package/dist/fonts.js +8 -10
package/dist/fonts.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +7 -5
package/dist/index.js.map +1 -1
package/dist/layout-state.d.ts +1 -1
package/dist/layout-state.d.ts.map +1 -1
package/dist/layout-state.js +5 -0
package/dist/layout-state.js.map +1 -1
package/dist/measure-blocks/float-group.d.ts +9 -0
package/dist/measure-blocks/float-group.d.ts.map +1 -0
package/dist/measure-blocks/float-group.js +103 -0
package/dist/measure-blocks/float-group.js.map +1 -0
package/dist/measure-blocks/helpers.d.ts +44 -0
package/dist/measure-blocks/helpers.d.ts.map +1 -0
package/dist/measure-blocks/helpers.js +43 -0
package/dist/measure-blocks/helpers.js.map +1 -0
package/dist/measure-blocks/highlight.d.ts +26 -0
package/dist/measure-blocks/highlight.d.ts.map +1 -0
package/dist/measure-blocks/highlight.js +169 -0
package/dist/measure-blocks/highlight.js.map +1 -0
package/dist/measure-blocks/image.d.ts +9 -0
package/dist/measure-blocks/image.d.ts.map +1 -0
package/dist/measure-blocks/image.js +136 -0
package/dist/measure-blocks/image.js.map +1 -0
package/dist/measure-blocks/index.d.ts +24 -0
package/dist/measure-blocks/index.d.ts.map +1 -0
package/dist/measure-blocks/index.js +179 -0
package/dist/measure-blocks/index.js.map +1 -0
package/dist/measure-blocks/list.d.ts +8 -0
package/dist/measure-blocks/list.d.ts.map +1 -0
package/dist/measure-blocks/list.js +108 -0
package/dist/measure-blocks/list.js.map +1 -0
package/dist/measure-blocks/simple-blocks.d.ts +18 -0
package/dist/measure-blocks/simple-blocks.d.ts.map +1 -0
package/dist/measure-blocks/simple-blocks.js +121 -0
package/dist/measure-blocks/simple-blocks.js.map +1 -0
package/dist/measure-blocks/table/columns.d.ts +17 -0
package/dist/measure-blocks/table/columns.d.ts.map +1 -0
package/dist/measure-blocks/table/columns.js +83 -0
package/dist/measure-blocks/table/columns.js.map +1 -0
package/dist/measure-blocks/table/measure.d.ts +8 -0
package/dist/measure-blocks/table/measure.d.ts.map +1 -0
package/dist/measure-blocks/table/measure.js +231 -0
package/dist/measure-blocks/table/measure.js.map +1 -0
package/dist/measure-blocks/table/spans.d.ts +25 -0
package/dist/measure-blocks/table/spans.d.ts.map +1 -0
package/dist/measure-blocks/table/spans.js +55 -0
package/dist/measure-blocks/table/spans.js.map +1 -0
package/dist/measure-blocks/text-blocks.d.ts +17 -0
package/dist/measure-blocks/text-blocks.d.ts.map +1 -0
package/dist/measure-blocks/text-blocks.js +242 -0
package/dist/measure-blocks/text-blocks.js.map +1 -0
package/dist/measure-text.d.ts +21 -3
package/dist/measure-text.d.ts.map +1 -1
package/dist/measure-text.js +87 -36
package/dist/measure-text.js.map +1 -1
package/dist/measure.d.ts +1 -1
package/dist/measure.d.ts.map +1 -1
package/dist/measure.js +8 -6
package/dist/measure.js.map +1 -1
package/dist/node-polyfill.d.ts.map +1 -1
package/dist/node-polyfill.js +9 -0
package/dist/node-polyfill.js.map +1 -1
package/dist/pipeline-footnotes.d.ts +1 -1
package/dist/pipeline-footnotes.d.ts.map +1 -1
package/dist/pipeline-toc.d.ts +1 -1
package/dist/pipeline-toc.d.ts.map +1 -1
package/dist/pipeline.d.ts +3 -3
package/dist/pipeline.d.ts.map +1 -1
package/dist/pipeline.js +4 -5
package/dist/pipeline.js.map +1 -1
package/dist/plugin-types.d.ts +1 -1
package/dist/plugin-types.d.ts.map +1 -1
package/dist/post-process.d.ts +2 -2
package/dist/post-process.d.ts.map +1 -1
package/dist/post-process.js +32 -9
package/dist/post-process.js.map +1 -1
package/dist/render-blocks/blockquote.d.ts +7 -0
package/dist/render-blocks/blockquote.d.ts.map +1 -0
package/dist/render-blocks/blockquote.js +87 -0
package/dist/render-blocks/blockquote.js.map +1 -0
package/dist/render-blocks/callout.d.ts +7 -0
package/dist/render-blocks/callout.d.ts.map +1 -0
package/dist/render-blocks/callout.js +84 -0
package/dist/render-blocks/callout.js.map +1 -0
package/dist/render-blocks/code.d.ts +7 -0
package/dist/render-blocks/code.d.ts.map +1 -0
package/dist/render-blocks/code.js +84 -0
package/dist/render-blocks/code.js.map +1 -0
package/dist/render-blocks/footnote.d.ts +11 -0
package/dist/render-blocks/footnote.d.ts.map +1 -0
package/dist/render-blocks/footnote.js +45 -0
package/dist/render-blocks/footnote.js.map +1 -0
package/dist/render-blocks/header-footer.d.ts +11 -0
package/dist/render-blocks/header-footer.d.ts.map +1 -0
package/dist/render-blocks/header-footer.js +56 -0
package/dist/render-blocks/header-footer.js.map +1 -0
package/dist/render-blocks/hr.d.ts +7 -0
package/dist/render-blocks/hr.d.ts.map +1 -0
package/dist/render-blocks/hr.js +24 -0
package/dist/render-blocks/hr.js.map +1 -0
package/dist/render-blocks/image.d.ts +9 -0
package/dist/render-blocks/image.d.ts.map +1 -0
package/dist/render-blocks/image.js +135 -0
package/dist/render-blocks/image.js.map +1 -0
package/dist/render-blocks/index.d.ts +17 -0
package/dist/render-blocks/index.d.ts.map +1 -0
package/dist/render-blocks/index.js +17 -0
package/dist/render-blocks/index.js.map +1 -0
package/dist/render-blocks/list-item.d.ts +7 -0
package/dist/render-blocks/list-item.d.ts.map +1 -0
package/dist/render-blocks/list-item.js +80 -0
package/dist/render-blocks/list-item.js.map +1 -0
package/dist/render-blocks/rich.d.ts +7 -0
package/dist/render-blocks/rich.d.ts.map +1 -0
package/dist/render-blocks/rich.js +160 -0
package/dist/render-blocks/rich.js.map +1 -0
package/dist/render-blocks/table.d.ts +7 -0
package/dist/render-blocks/table.d.ts.map +1 -0
package/dist/render-blocks/table.js +139 -0
package/dist/render-blocks/table.js.map +1 -0
package/dist/render-blocks/text.d.ts +7 -0
package/dist/render-blocks/text.d.ts.map +1 -0
package/dist/render-blocks/text.js +183 -0
package/dist/render-blocks/text.js.map +1 -0
package/dist/render-blocks/watermark.d.ts +8 -0
package/dist/render-blocks/watermark.d.ts.map +1 -0
package/dist/render-blocks/watermark.js +52 -0
package/dist/render-blocks/watermark.js.map +1 -0
package/dist/render-extras.d.ts.map +1 -1
package/dist/render-extras.js +1 -2
package/dist/render-extras.js.map +1 -1
package/dist/render-utils.d.ts.map +1 -1
package/dist/render-utils.js +10 -6
package/dist/render-utils.js.map +1 -1
package/dist/render.d.ts.map +1 -1
package/dist/render.js +9 -3
package/dist/render.js.map +1 -1
package/dist/rich-text.d.ts +2 -1
package/dist/rich-text.d.ts.map +1 -1
package/dist/rich-text.js +0 -1
package/dist/rich-text.js.map +1 -1
package/dist/types-internal.d.ts +19 -3
package/dist/types-internal.d.ts.map +1 -1
package/dist/types-public/document.d.ts +261 -0
package/dist/types-public/document.d.ts.map +1 -0
package/dist/types-public/document.js +2 -0
package/dist/types-public/document.js.map +1 -0
package/dist/types-public/elements-block.d.ts +246 -0
package/dist/types-public/elements-block.d.ts.map +1 -0
package/dist/types-public/elements-block.js +8 -0
package/dist/types-public/elements-block.js.map +1 -0
package/dist/types-public/elements-media.d.ts +199 -0
package/dist/types-public/elements-media.d.ts.map +1 -0
package/dist/types-public/elements-media.js +2 -0
package/dist/types-public/elements-media.js.map +1 -0
package/dist/types-public/elements-text.d.ts +327 -0
package/dist/types-public/elements-text.d.ts.map +1 -0
package/dist/types-public/elements-text.js +2 -0
package/dist/types-public/elements-text.js.map +1 -0
package/dist/types-public/index.d.ts +14 -0
package/dist/types-public/index.d.ts.map +1 -0
package/dist/types-public/index.js +2 -0
package/dist/types-public/index.js.map +1 -0
package/dist/types-public/render-options.d.ts +38 -0
package/dist/types-public/render-options.d.ts.map +1 -0
package/dist/types-public/render-options.js +2 -0
package/dist/types-public/render-options.js.map +1 -0
package/dist/types-public/union.d.ts +13 -0
package/dist/types-public/union.d.ts.map +1 -0
package/dist/types-public/union.js +2 -0
package/dist/types-public/union.js.map +1 -0
package/dist/types-public/validation.d.ts +64 -0
package/dist/types-public/validation.d.ts.map +1 -0
package/dist/types-public/validation.js +2 -0
package/dist/types-public/validation.js.map +1 -0
package/dist/types-public.d.ts +5 -1081
package/dist/types-public.d.ts.map +1 -1
package/dist/types.d.ts +1 -1
package/dist/types.d.ts.map +1 -1
package/dist/validate/document.d.ts +28 -0
package/dist/validate/document.d.ts.map +1 -0
package/dist/validate/document.js +295 -0
package/dist/validate/document.js.map +1 -0
package/dist/validate/elements/forms-floats.d.ts +19 -0
package/dist/validate/elements/forms-floats.d.ts.map +1 -0
package/dist/validate/elements/forms-floats.js +96 -0
package/dist/validate/elements/forms-floats.js.map +1 -0
package/dist/validate/elements/list.d.ts +10 -0
package/dist/validate/elements/list.d.ts.map +1 -0
package/dist/validate/elements/list.js +66 -0
package/dist/validate/elements/list.js.map +1 -0
package/dist/validate/elements/media.d.ts +23 -0
package/dist/validate/elements/media.d.ts.map +1 -0
package/dist/validate/elements/media.js +179 -0
package/dist/validate/elements/media.js.map +1 -0
package/dist/validate/elements/structural-simple.d.ts +21 -0
package/dist/validate/elements/structural-simple.d.ts.map +1 -0
package/dist/validate/elements/structural-simple.js +63 -0
package/dist/validate/elements/structural-simple.js.map +1 -0
package/dist/validate/elements/structural.d.ts +12 -0
package/dist/validate/elements/structural.d.ts.map +1 -0
package/dist/validate/elements/structural.js +12 -0
package/dist/validate/elements/structural.js.map +1 -0
package/dist/validate/elements/table.d.ts +10 -0
package/dist/validate/elements/table.d.ts.map +1 -0
package/dist/validate/elements/table.js +165 -0
package/dist/validate/elements/table.js.map +1 -0
package/dist/validate/elements/text.d.ts +26 -0
package/dist/validate/elements/text.d.ts.map +1 -0
package/dist/validate/elements/text.js +331 -0
package/dist/validate/elements/text.js.map +1 -0
package/dist/validate/errors.d.ts +9 -0
package/dist/validate/errors.d.ts.map +1 -0
package/dist/validate/errors.js +43 -0
package/dist/validate/errors.js.map +1 -0
package/dist/validate/fonts.d.ts +11 -0
package/dist/validate/fonts.d.ts.map +1 -0
package/dist/validate/fonts.js +118 -0
package/dist/validate/fonts.js.map +1 -0
package/dist/validate/helpers.d.ts +76 -0
package/dist/validate/helpers.d.ts.map +1 -0
package/dist/validate/helpers.js +169 -0
package/dist/validate/helpers.js.map +1 -0
package/dist/validate/index.d.ts +37 -0
package/dist/validate/index.d.ts.map +1 -0
package/dist/validate/index.js +279 -0
package/dist/validate/index.js.map +1 -0
package/dist/validate.d.ts +6 -18
package/dist/validate.d.ts.map +1 -1
package/dist/validate.js +6 -1582
package/dist/validate.js.map +1 -1
package/dist/vendor/pretext/VERSION.d.ts +3 -0
package/dist/vendor/pretext/VERSION.d.ts.map +1 -0
package/dist/vendor/pretext/VERSION.js +12 -0
package/dist/vendor/pretext/VERSION.js.map +1 -0
package/dist/version-check.d.ts +47 -0
package/dist/version-check.d.ts.map +1 -0
package/dist/version-check.js +75 -0
package/dist/version-check.js.map +1 -0
package/package.json +27 -8
package/dist/measure-blocks.d.ts +0 -26
package/dist/measure-blocks.d.ts.map +0 -1
package/dist/measure-blocks.js +0 -1317
package/dist/measure-blocks.js.map +0 -1
package/dist/render-blocks.d.ts +0 -28
package/dist/render-blocks.d.ts.map +0 -1
package/dist/render-blocks.js +0 -1059
package/dist/render-blocks.js.map +0 -1

package/dist/assets/security/path-allowlist.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Enforce allowedFileDirs: resolved absolute path must start with an allowed dir.
+ * Deny-by-default: when allowedFileDirs is undefined or empty, file:// access is
+ * rejected unless the caller explicitly configures the allowed directories.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 5/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. The original module re-exports
+ * this symbol for back-compat with production consumers (fonts.ts,
+ * post-process.ts) and the public API surface.
+ */
+export declare function assertPathAllowed(resolvedPath: string, allowedDirs: string[] | undefined, label: string): void;
+//# sourceMappingURL=path-allowlist.d.ts.map

package/dist/assets/security/path-allowlist.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"path-allowlist.d.ts","sourceRoot":"","sources":["../../../src/assets/security/path-allowlist.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EACjC,KAAK,EAAE,MAAM,GACZ,IAAI,CAmBN"}

package/dist/assets/security/path-allowlist.js ADDED Viewed

@@ -0,0 +1,26 @@
+import { PretextPdfError } from '../../errors.js';
+/**
+ * Enforce allowedFileDirs: resolved absolute path must start with an allowed dir.
+ * Deny-by-default: when allowedFileDirs is undefined or empty, file:// access is
+ * rejected unless the caller explicitly configures the allowed directories.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 5/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. The original module re-exports
+ * this symbol for back-compat with production consumers (fonts.ts,
+ * post-process.ts) and the public API surface.
+ */
+export function assertPathAllowed(resolvedPath, allowedDirs, label) {
+    if (!allowedDirs || allowedDirs.length === 0) {
+        throw new PretextPdfError('PATH_TRAVERSAL', `${label} src uses a local file path but doc.allowedFileDirs is not set. ` +
+            `Configure allowedFileDirs to explicitly list the directories from which files may be read.`);
+    }
+    const norm = resolvedPath.replace(/\\/g, '/');
+    const allowed = allowedDirs.some((dir) => {
+        const d = dir.replace(/\\/g, '/').replace(/\/$/, '');
+        return norm === d || norm.startsWith(d + '/');
+    });
+    if (!allowed) {
+        throw new PretextPdfError('PATH_TRAVERSAL', `${label} src is outside allowedFileDirs. Configure doc.allowedFileDirs to include the file's directory.`);
+    }
+}
+//# sourceMappingURL=path-allowlist.js.map

package/dist/assets/security/path-allowlist.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"path-allowlist.js","sourceRoot":"","sources":["../../../src/assets/security/path-allowlist.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEjD;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAC/B,YAAoB,EACpB,WAAiC,EACjC,KAAa;IAEb,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,eAAe,CACvB,gBAAgB,EAChB,GAAG,KAAK,kEAAkE;YACxE,4FAA4F,CAC/F,CAAA;IACH,CAAC;IACD,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAC7C,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;QACvC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;QACpD,OAAO,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAA;IAC/C,CAAC,CAAC,CAAA;IACF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CACvB,gBAAgB,EAChB,GAAG,KAAK,iGAAiG,CAC1G,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/assets/security/url-validation.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Result of resolving a URL: the parsed URL plus the pre-validated IP that
+ * downstream fetches should pin to (closing the TOCTOU rebinding window).
+ * `ip` is null only for IP-literal hostnames (no DNS lookup performed).
+ */
+export interface ResolvedSafeUrl {
+    url: URL;
+    ip: string | null;
+    family: 4 | 6 | null;
+}
+/**
+ * Validate that a URL is safe to fetch. Returns the parsed URL and the
+ * pre-resolved IP so callers can pin the connection. Throws PretextPdfError
+ * if the URL targets a private/internal address.
+ */
+export declare function resolveAndValidateUrl(url: string, errorCode: 'IMAGE_LOAD_FAILED' | 'SVG_LOAD_FAILED', label: string): Promise<ResolvedSafeUrl>;
+/**
+ * Back-compat wrapper that drops the resolution result. Kept so existing
+ * tests and call sites that only need the validation side-effect still work.
+ */
+export declare function assertSafeUrl(url: string, errorCode: 'IMAGE_LOAD_FAILED' | 'SVG_LOAD_FAILED', label: string): Promise<void>;
+//# sourceMappingURL=url-validation.d.ts.map

package/dist/assets/security/url-validation.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"url-validation.d.ts","sourceRoot":"","sources":["../../../src/assets/security/url-validation.ts"],"names":[],"mappings":"AAsEA;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,GAAG,CAAA;IACR,EAAE,EAAE,MAAM,GAAG,IAAI,CAAA;IACjB,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,IAAI,CAAA;CACrB;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,mBAAmB,GAAG,iBAAiB,EAClD,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,eAAe,CAAC,CAyF1B;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,mBAAmB,GAAG,iBAAiB,EAClD,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/assets/security/url-validation.js ADDED Viewed

@@ -0,0 +1,164 @@
+import { promises as dnsPromises } from 'node:dns';
+import { PretextPdfError } from '../../errors.js';
+import { normalizeIpv4Hostname } from './ipv4-normalize.js';
+/**
+ * SSRF defence-in-depth helpers for remote image / SVG fetches.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 7/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. Pure module — no top-level side
+ * effects. `src/assets.ts` re-exports `resolveAndValidateUrl`, `assertSafeUrl`,
+ * and `ResolvedSafeUrl` for back-compat with consumers that import from
+ * `'./assets.js'` / `'../dist/assets.js'` (notably `test/security-ssrf.test.ts`).
+ *
+ * `isPrivateAddress` is intentionally NOT re-exported — it is a private
+ * implementation detail.
+ */
+/**
+ * Validate a remote URL before fetching:
+ * - Rejects http:// (plaintext only)
+ * - Rejects private/internal IP ranges (SSRF prevention), including IPv4-mapped IPv6
+ *   forms like [::ffff:127.0.0.1] which would otherwise bypass dotted-decimal regexes.
+ * - Rejects alternative IPv4 notations (decimal `2130706433`, octal `0177.0.0.1`,
+ *   hex `0x7f000001`, short form `127.1`) by normalizing through
+ *   `normalizeIpv4Hostname` before regex matching.
+ * Throws IMAGE_LOAD_FAILED or SVG_LOAD_FAILED on violations.
+ */
+function isPrivateAddress(h, raw) {
+    // Defense-in-depth: if `h` is an alternative IPv4 notation, fold to its
+    // canonical dotted form before regex matching. Callers should normally
+    // pre-normalize, but private-address checks are also invoked on freshly
+    // resolved DNS results — normalize there too in case a resolver ever
+    // returns a non-dotted form.
+    const normalized = normalizeIpv4Hostname(h);
+    if (normalized && normalized !== h) {
+        h = normalized;
+    }
+    return _isPrivateAddressInner(h, raw);
+}
+function _isPrivateAddressInner(h, raw) {
+    // IPv6 prefix checks must only fire on actual IPv6 hostnames (which contain
+    // a colon) — otherwise legitimate hostnames like `ffmpeg.com` or `fcc.gov`
+    // would be blocked.
+    const isV6 = raw.includes(':');
+    return (h === 'localhost' ||
+        h === '0.0.0.0' ||
+        h === '::' || // IPv6 unspecified address (== 0.0.0.0)
+        h === '::1' ||
+        raw === '::1' ||
+        raw === '::' || // also catch un-normalized IPv6 forms
+        /^0\./.test(h) || // 0.0.0.0/8 "this network"
+        /^127\./.test(h) ||
+        /^10\./.test(h) ||
+        /^192\.168\./.test(h) ||
+        /^192\.0\.0\./.test(h) || // 192.0.0/24 IETF protocol assignments
+        /^172\.(1[6-9]|2\d|3[01])\./.test(h) ||
+        /^169\.254\./.test(h) || // link-local / AWS IMDS
+        /^198\.1[89]\./.test(h) || // 198.18/15 benchmark testing
+        /^22[4-9]\./.test(h) ||
+        /^23\d\./.test(h) || // 224/4 multicast
+        /^2[4-5]\d\./.test(h) || // 240/4 reserved (240–255)
+        /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./.test(h) || // CGNAT RFC 6598
+        (isV6 && (raw.startsWith('fc') || raw.startsWith('fd'))) || // IPv6 ULA fc00::/7
+        (isV6 && /^fe[89ab]/i.test(raw)) || // IPv6 link-local fe80::/10
+        (isV6 && /^ff/i.test(raw)) // IPv6 multicast ff00::/8
+    );
+}
+/**
+ * Validate that a URL is safe to fetch. Returns the parsed URL and the
+ * pre-resolved IP so callers can pin the connection. Throws PretextPdfError
+ * if the URL targets a private/internal address.
+ */
+export async function resolveAndValidateUrl(url, errorCode, label) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new PretextPdfError(errorCode, `${label}: invalid URL`);
+    }
+    if (parsed.protocol === 'http:') {
+        throw new PretextPdfError(errorCode, `${label}: HTTP URLs are not allowed — use HTTPS`);
+    }
+    if (parsed.protocol === 'data:' || parsed.protocol === 'file:' || parsed.protocol === 'javascript:') {
+        throw new PretextPdfError(errorCode, `${label}: ${parsed.protocol} URLs are not allowed — use HTTPS only`);
+    }
+    if (parsed.protocol !== 'https:') {
+        throw new PretextPdfError(errorCode, `${label}: refused scheme: ${parsed.protocol}`);
+    }
+    const raw = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
+    // Normalize IPv4-mapped IPv6 to its dotted-decimal form so the IPv4
+    // private-range regexes catch it. WHATWG URL normalizes `[::ffff:127.0.0.1]`
+    // to `[::ffff:7f00:1]` (hex form), so we must handle BOTH the dotted
+    // (`::ffff:127.0.0.1`) and hex-compressed (`::ffff:7f00:1`) forms.
+    // Without this an attacker can bypass the localhost/private-IP check via
+    // `https://[::ffff:127.0.0.1]/admin` → resolves to 127.0.0.1.
+    let h = raw;
+    const v4Dotted = raw.match(/^::ffff:(?:0:)?(\d{1,3}(?:\.\d{1,3}){3})$/i);
+    const v4Hex = raw.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+    if (v4Dotted) {
+        h = v4Dotted[1];
+    }
+    else if (v4Hex) {
+        const hi = parseInt(v4Hex[1], 16);
+        const lo = parseInt(v4Hex[2], 16);
+        h = `${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`;
+    }
+    // Normalize alternative IPv4 notations (decimal `2130706433`, octal
+    // `0177.0.0.1`, hex `0x7f000001`, short form `127.1`) to dotted-decimal
+    // BEFORE the private-IP check. Without this an attacker can bypass the
+    // localhost / RFC1918 regexes by encoding 127.0.0.1 in any non-dotted form;
+    // WHATWG URL does not normalize these and DNS will happily resolve them
+    // on Linux via getaddrinfo.
+    const normalizedIpv4 = normalizeIpv4Hostname(h);
+    if (normalizedIpv4) {
+        h = normalizedIpv4;
+    }
+    if (isPrivateAddress(h, raw)) {
+        throw new PretextPdfError(errorCode, `${label}: connections to private or internal addresses are not allowed`);
+    }
+    // DNS pre-resolution: re-verify the resolved IP AND remember it so callers
+    // can pin the actual TCP connection to this exact IP (closes the TOCTOU
+    // window where an attacker with TTL=0 DNS could rebind between check and
+    // connect).
+    const isIpv4Literal = /^\d{1,3}(\.\d{1,3}){3}$/.test(parsed.hostname);
+    const isIpv6Literal = parsed.hostname.startsWith('[');
+    if (isIpv4Literal) {
+        return { url: parsed, ip: parsed.hostname, family: 4 };
+    }
+    // Alternative IPv4 notation that we just normalized to dotted form: treat
+    // as a literal (no DNS lookup needed, and we already verified it's public).
+    // Pin to the normalized dotted form so undici skips its own getaddrinfo.
+    if (normalizedIpv4) {
+        return { url: parsed, ip: normalizedIpv4, family: 4 };
+    }
+    if (isIpv6Literal) {
+        return { url: parsed, ip: raw, family: 6 };
+    }
+    if (!parsed.hostname) {
+        return { url: parsed, ip: null, family: null };
+    }
+    try {
+        const { address, family } = await dnsPromises.lookup(parsed.hostname);
+        const resolvedH = address.toLowerCase();
+        if (isPrivateAddress(resolvedH, resolvedH)) {
+            throw new PretextPdfError(errorCode, `${label}: hostname resolves to a private address`);
+        }
+        return { url: parsed, ip: address, family: family === 6 ? 6 : 4 };
+    }
+    catch (err) {
+        if (err instanceof PretextPdfError)
+            throw err;
+        // DNS unavailable: fetch() will also fail, so rebinding is not possible.
+        // Without a resolved IP we cannot pin the connection; let undici resolve
+        // itself, which will then fail with the same DNS error.
+        return { url: parsed, ip: null, family: null };
+    }
+}
+/**
+ * Back-compat wrapper that drops the resolution result. Kept so existing
+ * tests and call sites that only need the validation side-effect still work.
+ */
+export async function assertSafeUrl(url, errorCode, label) {
+    await resolveAndValidateUrl(url, errorCode, label);
+}
+//# sourceMappingURL=url-validation.js.map

package/dist/assets/security/url-validation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"url-validation.js","sourceRoot":"","sources":["../../../src/assets/security/url-validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAE3D;;;;;;;;;;;GAWG;AAEH;;;;;;;;;GASG;AACH,SAAS,gBAAgB,CAAC,CAAS,EAAE,GAAW;IAC9C,wEAAwE;IACxE,uEAAuE;IACvE,wEAAwE;IACxE,qEAAqE;IACrE,6BAA6B;IAC7B,MAAM,UAAU,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAA;IAC3C,IAAI,UAAU,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;QACnC,CAAC,GAAG,UAAU,CAAA;IAChB,CAAC;IACD,OAAO,sBAAsB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;AACvC,CAAC;AAED,SAAS,sBAAsB,CAAC,CAAS,EAAE,GAAW;IACpD,4EAA4E;IAC5E,2EAA2E;IAC3E,oBAAoB;IACpB,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;IAC9B,OAAO,CACL,CAAC,KAAK,WAAW;QACjB,CAAC,KAAK,SAAS;QACf,CAAC,KAAK,IAAI,IAAI,wCAAwC;QACtD,CAAC,KAAK,KAAK;QACX,GAAG,KAAK,KAAK;QACb,GAAG,KAAK,IAAI,IAAI,sCAAsC;QACtD,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,2BAA2B;QAC7C,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACf,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;QACrB,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,uCAAuC;QACjE,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QACpC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,wBAAwB;QACjD,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,8BAA8B;QACzD,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QACpB,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,kBAAkB;QACvC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,2BAA2B;QACpD,0CAA0C,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,iBAAiB;QACvE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,oBAAoB;QAChF,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,4BAA4B;QAChE,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,0BAA0B;KACtD,CAAA;AACH,CAAC;AAaD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,GAAW,EACX,SAAkD,EAClD,KAAa;IAEb,IAAI,MAAW,CAAA;IACf,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,eAAe,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,yCAAyC,CAAC,CAAA;IACzF,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;QACpG,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,KAAK,MAAM,CAAC,QAAQ,wCAAwC,CAAC,CAAA;IAC5G,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,qBAAqB,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAA;IACtF,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA,CAAC,sBAAsB;IAExF,oEAAoE;IACpE,6EAA6E;IAC7E,qEAAqE;IACrE,mEAAmE;IACnE,yEAAyE;IACzE,8DAA8D;IAC9D,IAAI,CAAC,GAAG,GAAG,CAAA;IACX,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAA;IACxE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAA;IACpE,IAAI,QAAQ,EAAE,CAAC;QACb,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAA;IAClB,CAAC;SAAM,IAAI,KAAK,EAAE,CAAC;QACjB,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAA;QAClC,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAA;QAClC,CAAC,GAAG,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,EAAE,CAAA;IACzE,CAAC;IAED,oEAAoE;IACpE,wEAAwE;IACxE,uEAAuE;IACvE,4EAA4E;IAC5E,wEAAwE;IACxE,4BAA4B;IAC5B,MAAM,cAAc,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAA;IAC/C,IAAI,cAAc,EAAE,CAAC;QACnB,CAAC,GAAG,cAAc,CAAA;IACpB,CAAC;IAED,IAAI,gBAAgB,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,gEAAgE,CAAC,CAAA;IAChH,CAAC;IAED,2EAA2E;IAC3E,wEAAwE;IACxE,yEAAyE;IACzE,YAAY;IACZ,MAAM,aAAa,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACrE,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,EAAE,CAAA;IACxD,CAAC;IACD,0EAA0E;IAC1E,4EAA4E;IAC5E,yEAAyE;IACzE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,EAAE,CAAA;IACvD,CAAC;IACD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,CAAA;IAC5C,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAA;IAChD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;QACrE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,CAAA;QACvC,IAAI,gBAAgB,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,eAAe,CAAC,SAAS,EAAE,GAAG,KAAK,0CAA0C,CAAC,CAAA;QAC1F,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IACnE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,eAAe;YAAE,MAAM,GAAG,CAAA;QAC7C,yEAAyE;QACzE,yEAAyE;QACzE,wDAAwD;QACxD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAA;IAChD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAW,EACX,SAAkD,EAClD,KAAa;IAEb,MAAM,qBAAqB,CAAC,GAAG,EAAE,SAAS,EAAE,KAAK,CAAC,CAAA;AACpD,CAAC"}

package/dist/assets/svg/dimensions.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * SVG dimension parsing — extracted from src/assets.ts in v1.6.0 commit 10/16.
+ *
+ * Pure parsers — no I/O, no module-level state. Safe to import eagerly.
+ */
+import type { SvgElement } from '../../types.js';
+export declare function parseSvgViewBox(svg: string): {
+    width: number;
+    height: number;
+} | null;
+export declare function parseSvgAttributes(svg: string): {
+    width: number;
+    height: number;
+} | null;
+export declare function resolveSvgDimensions(el: SvgElement, contentWidth: number): {
+    widthPt: number;
+    heightPt: number;
+};
+//# sourceMappingURL=dimensions.d.ts.map

package/dist/assets/svg/dimensions.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dimensions.d.ts","sourceRoot":"","sources":["../../../src/assets/svg/dimensions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAGhD,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAQrF;AAED,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAQxF;AAED,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAiBhH"}

package/dist/assets/svg/dimensions.js ADDED Viewed

@@ -0,0 +1,43 @@
+import { SVG_MAX_BYTES } from './sanitize.js';
+export function parseSvgViewBox(svg) {
+    if (svg.length > SVG_MAX_BYTES)
+        return null;
+    const match = svg.match(/viewBox=["']([^"']+)["']/);
+    if (!match)
+        return null;
+    const parts = match[1].split(/[\s,]+/).map(Number);
+    const w = parts[2], h = parts[3];
+    if (!w || !h || !isFinite(w) || !isFinite(h) || w <= 0 || h <= 0)
+        return null;
+    return { width: w, height: h };
+}
+export function parseSvgAttributes(svg) {
+    if (svg.length > SVG_MAX_BYTES)
+        return null;
+    const wMatch = svg.match(/<svg[^>]*\swidth=["'](\d+(?:\.\d+)?)["']/);
+    const hMatch = svg.match(/<svg[^>]*\sheight=["'](\d+(?:\.\d+)?)["']/);
+    if (!wMatch || !hMatch)
+        return null;
+    const w = Number(wMatch[1]), h = Number(hMatch[1]);
+    if (!w || !h || w <= 0 || h <= 0)
+        return null;
+    return { width: w, height: h };
+}
+export function resolveSvgDimensions(el, contentWidth) {
+    const svgStr = el.svg ?? '';
+    const viewbox = parseSvgViewBox(svgStr) ?? parseSvgAttributes(svgStr);
+    const aspectRatio = viewbox ? viewbox.height / viewbox.width : null;
+    if (el.width !== undefined && el.height !== undefined) {
+        return { widthPt: el.width, heightPt: el.height };
+    }
+    if (el.width !== undefined) {
+        return { widthPt: el.width, heightPt: aspectRatio !== null ? el.width * aspectRatio : el.width };
+    }
+    if (el.height !== undefined) {
+        return { widthPt: aspectRatio !== null ? el.height / aspectRatio : el.height, heightPt: el.height };
+    }
+    const widthPt = contentWidth;
+    const heightPt = aspectRatio !== null ? widthPt * aspectRatio : 200;
+    return { widthPt, heightPt };
+}
+//# sourceMappingURL=dimensions.js.map

package/dist/assets/svg/dimensions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dimensions.js","sourceRoot":"","sources":["../../../src/assets/svg/dimensions.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7C,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,IAAI,GAAG,CAAC,MAAM,GAAG,aAAa;QAAE,OAAO,IAAI,CAAA;IAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAA;IACnD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACnD,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IAChC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAC7E,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAA;AAChC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,GAAG,CAAC,MAAM,GAAG,aAAa;QAAE,OAAO,IAAI,CAAA;IAC3C,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAA;IACpE,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAA;IACrE,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IACnC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;IAClD,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAC7C,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAA;AAChC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,EAAc,EAAE,YAAoB;IACvE,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE,CAAA;IAC3B,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,kBAAkB,CAAC,MAAM,CAAC,CAAA;IACrE,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAA;IAEnE,IAAI,EAAE,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACtD,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAA;IACnD,CAAC;IACD,IAAI,EAAE,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,WAAW,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,CAAA;IAClG,CAAC;IACD,IAAI,EAAE,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,WAAW,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAA;IACrG,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAA;IAC5B,MAAM,QAAQ,GAAG,WAAW,KAAK,IAAI,CAAC,CAAC,CAAC,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,CAAA;IACnE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;AAC9B,CAAC"}

package/dist/assets/svg/rasterize.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Rasterize an SVG string to a PNG buffer at 2x scale.
+ * Pure compute — no pdf-lib interaction — so it is safe to run in parallel.
+ */
+export declare function rasterizeSvgToPng(svg: string, widthPt: number, heightPt: number): Promise<Buffer>;
+//# sourceMappingURL=rasterize.d.ts.map

package/dist/assets/svg/rasterize.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"rasterize.d.ts","sourceRoot":"","sources":["../../../src/assets/svg/rasterize.ts"],"names":[],"mappings":"AAWA;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BvG"}

package/dist/assets/svg/rasterize.js ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * SVG rasterizer — extracted from src/assets.ts in v1.6.0 commit 11/16.
+ *
+ * Pure compute — no pdf-lib interaction — so it is safe to run in parallel.
+ *
+ * @napi-rs/canvas is loaded via dynamic import (optional peer dep). The
+ * lazy-load pattern is preserved so cold-start cost stays equivalent and
+ * users without canvas installed still see a precise error code.
+ */
+import { PretextPdfError } from '../../errors.js';
+/**
+ * Rasterize an SVG string to a PNG buffer at 2x scale.
+ * Pure compute — no pdf-lib interaction — so it is safe to run in parallel.
+ */
+export async function rasterizeSvgToPng(svg, widthPt, heightPt) {
+    let canvasLib;
+    try {
+        canvasLib = await import('@napi-rs/canvas');
+    }
+    catch {
+        throw new PretextPdfError('SVG_RENDER_FAILED', 'SVG rendering requires the optional dependency @napi-rs/canvas. Install it with: pnpm add @napi-rs/canvas');
+    }
+    const scale = 2;
+    const widthPx = Math.round(widthPt * scale);
+    const heightPx = Math.round(heightPt * scale);
+    try {
+        const canvas = canvasLib.createCanvas(widthPx, heightPx);
+        const ctx = canvas.getContext('2d');
+        const img = new canvasLib.Image();
+        img.src = Buffer.from(svg);
+        ctx.drawImage(img, 0, 0, widthPx, heightPx);
+        return canvas.toBuffer('image/png');
+    }
+    catch (err) {
+        throw new PretextPdfError('SVG_RENDER_FAILED', `Failed to rasterize SVG: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+//# sourceMappingURL=rasterize.js.map

package/dist/assets/svg/rasterize.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rasterize.js","sourceRoot":"","sources":["../../../src/assets/svg/rasterize.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEjD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAW,EAAE,OAAe,EAAE,QAAgB;IACpF,IAAI,SAAc,CAAA;IAClB,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,MAAM,CAAC,iBAA2B,CAAC,CAAA;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,eAAe,CACvB,mBAAmB,EACnB,2GAA2G,CAC5G,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,CAAA;IACf,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,CAAA;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,CAAA;IAE7C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,SAAS,CAAC,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;QACxD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;QACnC,MAAM,GAAG,GAAG,IAAI,SAAS,CAAC,KAAK,EAAE,CAAA;QACjC,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC1B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC3C,OAAO,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CACvB,mBAAmB,EACnB,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/assets/svg/resolve-content.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * SVG content resolver — extracted from src/assets.ts in v1.6.0 commit 10/16.
+ *
+ * Resolves an SvgElement's content string from either the inline `svg` field
+ * or a `src` file/URL. All loaded content is sanitized before return.
+ *
+ * Dynamic imports of `fs`/`path` are preserved so cold-start cost stays the
+ * same as the pre-split assets.ts.
+ */
+import type { SvgElement } from '../../types.js';
+/**
+ * Resolve SVG content string from either an inline `svg` field or a `src` file/URL.
+ * Throws PretextPdfError if neither is provided or the source cannot be loaded.
+ */
+export declare function resolveSvgContent(el: SvgElement, allowedFileDirs?: string[]): Promise<string>;
+//# sourceMappingURL=resolve-content.d.ts.map

package/dist/assets/svg/resolve-content.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"resolve-content.d.ts","sourceRoot":"","sources":["../../../src/assets/svg/resolve-content.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAOhD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BnG"}

package/dist/assets/svg/resolve-content.js ADDED Viewed

@@ -0,0 +1,38 @@
+import { PretextPdfError } from '../../errors.js';
+import { redactPath } from '../util/redact-path.js';
+import { assertPathAllowed } from '../security/path-allowlist.js';
+import { fetchWithTimeout } from '../security/fetch.js';
+import { sanitizeSvg } from './sanitize.js';
+/**
+ * Resolve SVG content string from either an inline `svg` field or a `src` file/URL.
+ * Throws PretextPdfError if neither is provided or the source cannot be loaded.
+ */
+export async function resolveSvgContent(el, allowedFileDirs) {
+    if (el.svg)
+        return sanitizeSvg(el.svg);
+    if (!el.src) {
+        throw new PretextPdfError('SVG_LOAD_FAILED', "SvgElement requires either 'svg' (inline string) or 'src' (file path or https:// URL)");
+    }
+    if (el.src.startsWith('https://') || el.src.startsWith('http://')) {
+        // SSRF validation happens inside fetchWithTimeout — no need to pre-validate
+        let resp;
+        try {
+            resp = await fetchWithTimeout(el.src, 'SVG_LOAD_FAILED', 'SVG');
+        }
+        catch (err) {
+            throw new PretextPdfError('SVG_LOAD_FAILED', `SVG URL fetch failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        if (!resp.ok) {
+            throw new PretextPdfError('SVG_LOAD_FAILED', `SVG URL returned HTTP ${resp.status}`);
+        }
+        return sanitizeSvg(await resp.text());
+    }
+    const [fs, pathMod] = await Promise.all([import('fs'), import('path')]);
+    const filePath = pathMod.resolve(el.src);
+    assertPathAllowed(filePath, allowedFileDirs, 'SVG');
+    if (!fs.existsSync(filePath)) {
+        throw new PretextPdfError('SVG_LOAD_FAILED', `SVG file not found: "${redactPath(el.src)}"`);
+    }
+    return sanitizeSvg(fs.readFileSync(filePath, 'utf-8'));
+}
+//# sourceMappingURL=resolve-content.js.map

package/dist/assets/svg/resolve-content.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resolve-content.js","sourceRoot":"","sources":["../../../src/assets/svg/resolve-content.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAE3C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,EAAc,EAAE,eAA0B;IAChF,IAAI,EAAE,CAAC,GAAG;QAAE,OAAO,WAAW,CAAC,EAAE,CAAC,GAAG,CAAC,CAAA;IAEtC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,IAAI,eAAe,CAAC,iBAAiB,EAAE,uFAAuF,CAAC,CAAA;IACvI,CAAC;IAED,IAAI,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAClE,4EAA4E;QAC5E,IAAI,IAAc,CAAA;QAClB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,EAAE,KAAK,CAAC,CAAA;QACjE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,eAAe,CAAC,iBAAiB,EAAE,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC3H,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,eAAe,CAAC,iBAAiB,EAAE,yBAAyB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAA;QACtF,CAAC;QACD,OAAO,WAAW,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;IACvC,CAAC;IAED,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;IACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,CAAC,CAAA;IACxC,iBAAiB,CAAC,QAAQ,EAAE,eAAe,EAAE,KAAK,CAAC,CAAA;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CAAC,iBAAiB,EAAE,wBAAwB,UAAU,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC7F,CAAC;IACD,OAAO,WAAW,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAA;AACxD,CAAC"}

package/dist/assets/svg/sanitize.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * SVG sanitizer — extracted from src/assets.ts in v1.6.0 commit 9/16.
+ *
+ * Strips dangerous content from SVG before rasterization:
+ * - <script> blocks
+ * - on* event handler attributes
+ * - <image>/<use> with file://, data:, or javascript: hrefs (local-file and injection vectors)
+ * - <foreignObject> (HTML escape hatch into the SVG content model)
+ * - <a> elements whose xlink:href / href use javascript:, vbscript:, or data:
+ * - CSS expression(...) inside <style> blocks (legacy IE XSS vector)
+ *
+ * v1.6.0 Phase 0a (commit 3/16) added the last three to harden against
+ * payloads that survived the previous regex chain.
+ *
+ * IMPORTANT: this symbol is also re-exported from `src/assets.ts` so the
+ * `dist/assets.js` consumers (test/svg-sanitizer.test.ts, the snapshot
+ * tripwire) keep working unchanged.
+ */
+/** Maximum SVG string length (5 MB) — prevents ReDoS on oversized inputs. */
+export declare const SVG_MAX_BYTES: number;
+export declare function sanitizeSvg(svg: string): string;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/assets/svg/sanitize.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../../src/assets/svg/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,6EAA6E;AAC7E,eAAO,MAAM,aAAa,QAAkB,CAAA;AAE5C,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CA6B/C"}

package/dist/assets/svg/sanitize.js ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * SVG sanitizer — extracted from src/assets.ts in v1.6.0 commit 9/16.
+ *
+ * Strips dangerous content from SVG before rasterization:
+ * - <script> blocks
+ * - on* event handler attributes
+ * - <image>/<use> with file://, data:, or javascript: hrefs (local-file and injection vectors)
+ * - <foreignObject> (HTML escape hatch into the SVG content model)
+ * - <a> elements whose xlink:href / href use javascript:, vbscript:, or data:
+ * - CSS expression(...) inside <style> blocks (legacy IE XSS vector)
+ *
+ * v1.6.0 Phase 0a (commit 3/16) added the last three to harden against
+ * payloads that survived the previous regex chain.
+ *
+ * IMPORTANT: this symbol is also re-exported from `src/assets.ts` so the
+ * `dist/assets.js` consumers (test/svg-sanitizer.test.ts, the snapshot
+ * tripwire) keep working unchanged.
+ */
+/** Maximum SVG string length (5 MB) — prevents ReDoS on oversized inputs. */
+export const SVG_MAX_BYTES = 5 * 1024 * 1024;
+export function sanitizeSvg(svg) {
+    // Skip regex passes on oversized strings — canvas will reject them anyway
+    if (svg.length > SVG_MAX_BYTES)
+        return svg;
+    // Remove self-closing <script/> then paired <script>...</script> blocks
+    let s = svg.replace(/<script\b[^>]*\/>/gi, '');
+    s = s.replace(/<script[\s\S]*?<\/script>/gi, '');
+    // Remove event handler attributes (onload, onclick, onerror, etc.)
+    s = s.replace(/\bon\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
+    // Remove <image> and <use> hrefs pointing to unsafe schemes
+    s = s.replace(/(<(?:image|use)\b[^>]*?)\s+(?:xlink:)?href\s*=\s*["'](?:file|data|javascript):[^"']*["']/gi, '$1');
+    // v1.6.0: strip <foreignObject> entirely — it's an HTML escape hatch and
+    // the only XML-in-SVG construct that can host arbitrary tags.
+    s = s.replace(/<foreignObject\b[^>]*\/>/gi, '');
+    s = s.replace(/<foreignObject[\s\S]*?<\/foreignObject>/gi, '');
+    // v1.6.0: strip dangerous hrefs from <a> (xlink:href or plain href).
+    // Drop only the attribute, not the whole <a>, so the surrounding text content
+    // (children of <a>) still renders.
+    s = s.replace(/\s+(?:xlink:)?href\s*=\s*["'](?:javascript|vbscript|data):[^"']*["']/gi, '');
+    // v1.6.0: strip CSS expression(...) inside <style> blocks. Replace just the
+    // expression call with an empty string so the surrounding stylesheet stays
+    // parseable.
+    s = s.replace(/expression\s*\([^)]*\)/gi, '');
+    return s;
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/assets/svg/sanitize.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../../src/assets/svg/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,6EAA6E;AAC7E,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAA;AAE5C,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,0EAA0E;IAC1E,IAAI,GAAG,CAAC,MAAM,GAAG,aAAa;QAAE,OAAO,GAAG,CAAA;IAC1C,wEAAwE;IACxE,IAAI,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAA;IAC9C,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,6BAA6B,EAAE,EAAE,CAAC,CAAA;IAChD,mEAAmE;IACnE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,6CAA6C,EAAE,EAAE,CAAC,CAAA;IAChE,4DAA4D;IAC5D,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,4FAA4F,EAC5F,IAAI,CACL,CAAA;IACD,yEAAyE;IACzE,8DAA8D;IAC9D,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC,CAAA;IAC/C,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,2CAA2C,EAAE,EAAE,CAAC,CAAA;IAC9D,qEAAqE;IACrE,8EAA8E;IAC9E,mCAAmC;IACnC,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,wEAAwE,EACxE,EAAE,CACH,CAAA;IACD,4EAA4E;IAC5E,2EAA2E;IAC3E,aAAa;IACb,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC,CAAA;IAC7C,OAAO,CAAC,CAAA;AACV,CAAC"}

package/dist/assets/util/redact-path.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Return just the filename from a path. Used in error messages to avoid
+ * leaking absolute directory structure to untrusted output sinks (logs,
+ * PretextPdfError.message strings).
+ *
+ * Behavior: take the last `/` or `\` separated segment. Returns the literal
+ * string `(file)` when the input has no useful trailing segment.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 4/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. Pure function — no module-level
+ * side effects.
+ */
+export declare function redactPath(src: string): string;
+//# sourceMappingURL=redact-path.d.ts.map

package/dist/assets/util/redact-path.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"redact-path.d.ts","sourceRoot":"","sources":["../../../src/assets/util/redact-path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C"}

package/dist/assets/util/redact-path.js ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Return just the filename from a path. Used in error messages to avoid
+ * leaking absolute directory structure to untrusted output sinks (logs,
+ * PretextPdfError.message strings).
+ *
+ * Behavior: take the last `/` or `\` separated segment. Returns the literal
+ * string `(file)` when the input has no useful trailing segment.
+ *
+ * Extracted from `src/assets.ts` in v1.6.0 commit 4/16 as part of the
+ * post-v1.5.2 assets.ts file-size sprint. Pure function — no module-level
+ * side effects.
+ */
+export function redactPath(src) {
+    return src.replace(/\\/g, '/').split('/').pop() ?? '(file)';
+}
+//# sourceMappingURL=redact-path.js.map

package/dist/assets/util/redact-path.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"redact-path.js","sourceRoot":"","sources":["../../../src/assets/util/redact-path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAA;AAC7D,CAAC"}

package/dist/assets.d.ts CHANGED Viewed

@@ -1,32 +1,15 @@
-import { PDFDocument } from '@cantoo/pdf-lib';
-import type { PdfDocument, Logger } from './types.js';
-import type { ImageMap } from './types-internal.js';
-import type { PluginDefinition } from './plugin-types.js';
 /**
- * Enforce allowedFileDirs: resolved absolute path must start with an allowed dir.
- * No-op when allowedFileDirs is unset (backwards-compatible default).
- */
-export declare function assertPathAllowed(resolvedPath: string, allowedDirs: string[] | undefined, label: string): void;
-/**
- * Validate a remote URL before fetching:
- * - Rejects http:// (plaintext only)
- * - Rejects private/internal IP ranges (SSRF prevention), including IPv4-mapped IPv6
- *   forms like [::ffff:127.0.0.1] which would otherwise bypass dotted-decimal regexes.
- * Throws IMAGE_LOAD_FAILED or SVG_LOAD_FAILED on violations.
- */
-export declare function assertSafeUrl(url: string, errorCode: 'IMAGE_LOAD_FAILED' | 'SVG_LOAD_FAILED', label: string): void;
-/**
- * Stage 2b: Load and embed all images into pdfDoc.
- * Runs after loadFonts(), receives the same pdfDoc.
- *
- * Image keys are 'img-N' where N is the element's position in doc.content.
- * This makes keys stable and avoids collisions from duplicate src paths.
+ * Back-compat shim — v1.6.0 commit 15/16.
  *
- * IMPORTANT: @cantoo/pdf-lib image embedding is NOT thread-safe.
- * We load bytes in parallel but embed sequentially.
+ * The assets module was split into src/assets/ during the v1.6.0 sprint
+ * (commits 4–15). Everything still flows through dist/assets.js so that
+ * internal consumers (fonts.ts, pipeline.ts, post-process.ts) and direct
+ * test imports (security-ssrf, security-ipv4-bypass, assets-dns-dedup,
+ * svg-sanitizer, public-api-surface) keep working unchanged.
  *
- * Images that fail to load (network error, file not found, unreachable URL) are
- * logged as warnings but do not crash the document — the document renders without that image.
+ * Public API contract is enforced by api-extractor (etc/pretext-pdf.api.md);
+ * the snapshot tripwire (test/assets-split-tripwire.test.ts) plus the
+ * six other G-gates pin the runtime contract.
  */
-export declare function loadImages(doc: PdfDocument, pdfDoc: PDFDocument, contentWidth: number, plugins?: PluginDefinition[], logger?: Logger): Promise<ImageMap>;
+export * from './assets/index.js';
 //# sourceMappingURL=assets.d.ts.map

package/dist/assets.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../src/assets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAC7C,OAAO,KAAK,EAAE,WAAW,EAAyE,MAAM,EAAE,MAAM,YAAY,CAAA;AAC5H,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAEnD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AAKzD;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAa9G;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,mBAAmB,GAAG,iBAAiB,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAiDlH;AAgSD;;;;;;;;;;;;GAYG;AACH,~~wBAAsB~~,~~UAAU~~,~~CAAC,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CA2J9J~~"}
1	+ {"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../src/assets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,cAAc,mBAAmB,CAAA"}