resafe 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 ofabiodev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,99 @@
+<p align="center">
+ <img src="https://github.com/ofabiodev/resafe/blob/main/.github/assets/logo.svg" align="center" width="200" alt="Resafe Logo">
+ <h1 align="center">Resafe</h1>
+ <p align="center">
+  Lightweight package to detect unsafe regex patterns and prevent ReDoS.
+ </p>
+</p>
+<br/>
+
+<p align="center">
+ <a href="https://github.com/ofabiodev/resafe/actions?query=branch%3Amain" rel="nofollow"><img alt="GitHub Actions Workflow Status" src="https://img.shields.io/github/actions/workflow/status/ofabiodev/resafe/test.yml?branch=main&event=push"></a>
+ <a href="https://opensource.org/licenses/MIT" rel="nofollow"><img alt="GitHub License" src="https://img.shields.io/github/license/ofabiodev/resafe"></a>
+ <a href="https://www.npmjs.com/package/resafe" rel="nofollow"><img alt="NPM Downloads" src="https://img.shields.io/npm/dw/resafe"></a>
+</p>
+
+<div align="center">
+ <a href="https://resafe.js.org">▪ Docs ▪</a>
+</div>
+<br/>
+
+## What is Resafe?
+**Resafe** is a mathematical ReDoS detection engine that uses **Thompson NFA construction**, **epsilon transition elimination**, and **spectral radius analysis** to detect exponential backtracking vulnerabilities. By analyzing the automaton's adjacency matrix eigenvalues, Resafe determines if a regex has exponential growth patterns without executing test strings.
+
+```ts
+import { check } from "resafe";
+
+check("(a+)+$");
+
+/* 
+  x [Resafe] Unsafe pattern: /(a+)+$/
+  ! Spectral radius: 4.0 (threshold: 1.0)
+    Simplify regex structure to eliminate exponential paths
+*/
+```
+
+## Features
+
+- **Pure Mathematical Analysis**: Thompson NFA construction with spectral radius computation
+- **Deterministic Detection**: Analyzes automaton structure, not pattern matching heuristics
+- **Spectral Radius**: Detects exponential growth when eigenvalue > 1.0
+- **Fast Analysis**: Average analysis time <1ms per pattern
+
+## Installation
+
+```sh
+# Using Bun (Recommended)
+bun add resafe
+
+# Using NPM
+npm install resafe
+
+# Using Yarn
+yarn add resafe
+```
+
+## Basic Usage
+
+### Simple Analysis
+By default, Resafe logs warnings and errors to the console if a pattern is unsafe.
+
+```ts
+import { check } from "resafe";
+
+check(/([a-zA-Z0-9]+)*$/);
+```
+
+### Production Guard
+Prevent unsafe regex from being used by throwing an error.
+
+```ts
+import { check } from "resafe";
+
+const safeRegex = check("^[0-9]+$", { 
+  throwErr: true, 
+  silent: true 
+});
+```
+
+### Advanced Configuration
+Configure detection threshold.
+
+```ts
+import { check } from "resafe";
+
+check("a+a+", {
+  threshold: 1.5
+});
+```
+
+## Why Resafe?
+
+Regular expressions are powerful but can be a security bottleneck. A single poorly crafted regex can freeze a Node.js/Bun event loop. Resafe helps you:
+1. **Educate**: Developers learn why a regex is bad through the "Solution" hints.
+2. **Automate**: Run checks during CI/CD to catch ReDoS early.
+3. **Secure**: Stop malicious or accidental "Catastrophic Backtracking" patterns.
+
+## License
+
+[MIT](LICENSE) © [ofabiodev](https://github.com/ofabiodev)

package/dist/index.cjs

@@ -0,0 +1,336 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  check: () => check,
+  checkAsync: () => checkAsync
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/core/spectral.ts
+function buildNFA(pattern) {
+  let stateId = 0;
+  const newState = () => ({
+    id: stateId++,
+    transitions: /* @__PURE__ */ new Map(),
+    epsilon: []
+  });
+  const parse = (expr, start, end) => {
+    if (start >= end) {
+      const s = newState();
+      const e = newState();
+      s.epsilon.push(e.id);
+      return { states: [s, e], start: s.id, accept: e.id };
+    }
+    const fragments = [];
+    let i = start;
+    while (i < end) {
+      const char = expr[i];
+      if (char === void 0) break;
+      if (char === "(") {
+        let depth = 1;
+        let j = i + 1;
+        while (j < end && depth > 0) {
+          if (expr[j] === "\\") {
+            j += 2;
+            continue;
+          }
+          if (expr[j] === "(") depth++;
+          if (expr[j] === ")") depth--;
+          j++;
+        }
+        const groupNFA = parse(expr, i + 1, j - 1);
+        const nextChar = expr[j];
+        if (j < end && nextChar !== void 0 && /[*+?]/.test(nextChar)) {
+          fragments.push(quantify(groupNFA, nextChar));
+          i = j + 1;
+        } else {
+          fragments.push(groupNFA);
+          i = j;
+        }
+      } else if (char === "[") {
+        let j = i + 1;
+        while (j < end && expr[j] !== "]") {
+          if (expr[j] === "\\") j++;
+          j++;
+        }
+        j++;
+        const s = newState();
+        const e = newState();
+        s.transitions.set(expr.slice(i, j), [e.id]);
+        const nfa = { states: [s, e], start: s.id, accept: e.id };
+        const nextChar = expr[j];
+        if (j < end && nextChar !== void 0 && /[*+?]/.test(nextChar)) {
+          fragments.push(quantify(nfa, nextChar));
+          i = j + 1;
+        } else {
+          fragments.push(nfa);
+          i = j;
+        }
+      } else if (char === "|") {
+        const left = concat(fragments);
+        const right = parse(expr, i + 1, end);
+        return alternate(left, right);
+      } else if (!/[*+?]/.test(char)) {
+        const s = newState();
+        const e = newState();
+        const symbol = char === "\\" && i + 1 < end ? expr.slice(i, i + 2) : char;
+        s.transitions.set(symbol, [e.id]);
+        const nfa = { states: [s, e], start: s.id, accept: e.id };
+        if (char === "\\") i++;
+        i++;
+        const nextChar = expr[i];
+        if (i < end && nextChar !== void 0 && /[*+?]/.test(nextChar)) {
+          fragments.push(quantify(nfa, nextChar));
+          i++;
+        } else {
+          fragments.push(nfa);
+        }
+      } else {
+        i++;
+      }
+    }
+    return concat(fragments);
+  };
+  const concat = (nfas) => {
+    if (nfas.length === 0) {
+      const s = newState();
+      const e = newState();
+      s.epsilon.push(e.id);
+      return { states: [s, e], start: s.id, accept: e.id };
+    }
+    if (nfas.length === 1 && nfas[0]) return nfas[0];
+    const states = [];
+    for (let i = 0; i < nfas.length; i++) {
+      const nfa = nfas[i];
+      if (!nfa) continue;
+      states.push(...nfa.states);
+      if (i < nfas.length - 1) {
+        const nextNfa = nfas[i + 1];
+        if (!nextNfa) continue;
+        const accept = states.find((s) => s.id === nfa.accept);
+        if (accept) accept.epsilon.push(nextNfa.start);
+      }
+    }
+    const first = nfas[0];
+    const last = nfas[nfas.length - 1];
+    if (!first || !last) {
+      const s = newState();
+      const e = newState();
+      s.epsilon.push(e.id);
+      return { states: [s, e], start: s.id, accept: e.id };
+    }
+    return { states, start: first.start, accept: last.accept };
+  };
+  const alternate = (nfa1, nfa2) => {
+    const s = newState();
+    const e = newState();
+    s.epsilon.push(nfa1.start, nfa2.start);
+    const accept1 = nfa1.states.find((st) => st.id === nfa1.accept);
+    const accept2 = nfa2.states.find((st) => st.id === nfa2.accept);
+    if (accept1) accept1.epsilon.push(e.id);
+    if (accept2) accept2.epsilon.push(e.id);
+    return {
+      states: [s, ...nfa1.states, ...nfa2.states, e],
+      start: s.id,
+      accept: e.id
+    };
+  };
+  const quantify = (nfa, q) => {
+    const s = newState();
+    const e = newState();
+    const accept = nfa.states.find((st) => st.id === nfa.accept);
+    if (q === "*") {
+      s.epsilon.push(nfa.start, e.id);
+      if (accept) accept.epsilon.push(nfa.start, e.id);
+    } else if (q === "+") {
+      s.epsilon.push(nfa.start);
+      if (accept) accept.epsilon.push(nfa.start, e.id);
+    } else if (q === "?") {
+      s.epsilon.push(nfa.start, e.id);
+      if (accept) accept.epsilon.push(e.id);
+    }
+    return { states: [s, ...nfa.states, e], start: s.id, accept: e.id };
+  };
+  const clean = pattern.replace(/^\^|\$$/g, "");
+  return parse(clean, 0, clean.length);
+}
+function removeEpsilon(nfa) {
+  const closure = (id) => {
+    const result = /* @__PURE__ */ new Set([id]);
+    const stack = [id];
+    while (stack.length > 0) {
+      const current = stack.pop();
+      if (current === void 0) break;
+      const state = nfa.states.find((s) => s.id === current);
+      if (state) {
+        for (const eps of state.epsilon) {
+          if (!result.has(eps)) {
+            result.add(eps);
+            stack.push(eps);
+          }
+        }
+      }
+    }
+    return result;
+  };
+  const states = nfa.states.map((s) => ({
+    id: s.id,
+    transitions: /* @__PURE__ */ new Map(),
+    epsilon: []
+  }));
+  for (const state of nfa.states) {
+    const cls = closure(state.id);
+    const newState = states.find((s) => s.id === state.id);
+    if (!newState) continue;
+    for (const clsId of cls) {
+      const clsState = nfa.states.find((s) => s.id === clsId);
+      if (clsState) {
+        for (const [symbol, targets] of clsState.transitions) {
+          const existing = newState.transitions.get(symbol) || [];
+          for (const target of targets) {
+            const targetCls = closure(target);
+            for (const t of targetCls) {
+              if (!existing.includes(t)) existing.push(t);
+            }
+          }
+          newState.transitions.set(symbol, existing);
+        }
+      }
+    }
+  }
+  return { states, start: nfa.start, accept: nfa.accept };
+}
+function buildMatrix(nfa) {
+  const n = nfa.states.length;
+  const matrix = Array(n).fill(0).map(() => Array(n).fill(0));
+  for (const state of nfa.states) {
+    for (const targets of state.transitions.values()) {
+      for (const target of targets) {
+        const row = matrix[state.id];
+        if (row) {
+          const current = row[target];
+          if (current !== void 0) {
+            row[target] = current + 1;
+          }
+        }
+      }
+    }
+  }
+  return matrix;
+}
+function spectralRadius(matrix) {
+  const n = matrix.length;
+  if (n === 0) return 0;
+  let v = Array(n).fill(1 / Math.sqrt(n));
+  for (let iter = 0; iter < 100; iter++) {
+    const newV = Array(n).fill(0);
+    for (let i = 0; i < n; i++) {
+      const row = matrix[i];
+      if (row) {
+        for (let j = 0; j < n; j++) {
+          const cell = row[j];
+          const vec = v[j];
+          if (cell !== void 0 && vec !== void 0) {
+            newV[i] += cell * vec;
+          }
+        }
+      }
+    }
+    const norm = Math.sqrt(newV.reduce((sum, val) => sum + val * val, 0));
+    if (norm === 0) return 0;
+    v = newV.map((val) => val / norm);
+  }
+  let eigenvalue = 0;
+  for (let i = 0; i < n; i++) {
+    let sum = 0;
+    const row = matrix[i];
+    if (row) {
+      for (let j = 0; j < n; j++) {
+        const cell = row[j];
+        const vec = v[j];
+        if (cell !== void 0 && vec !== void 0) {
+          sum += cell * vec;
+        }
+      }
+    }
+    const vecI = v[i];
+    if (vecI !== void 0) {
+      eigenvalue += sum * vecI;
+    }
+  }
+  return Math.abs(eigenvalue);
+}
+
+// src/core/analyzer.ts
+function analyze(pattern, config = {}) {
+  const threshold = config.threshold ?? 1;
+  try {
+    const nfa = buildNFA(pattern);
+    const epsilonFree = removeEpsilon(nfa);
+    const matrix = buildMatrix(epsilonFree);
+    const radius = Math.round(spectralRadius(matrix) * 10) / 10;
+    return { safe: radius <= threshold, radius };
+  } catch {
+    return { safe: true, radius: 0 };
+  }
+}
+
+// src/utils/logger.ts
+var C = {
+  reset: "\x1B[0m",
+  yellow: "\x1B[33m",
+  red: "\x1B[31m",
+  gray: "\x1B[90m"
+};
+var S = { WARN: "!", ERROR: "x" };
+var log = {
+  warn: (m) => console.log(`${C.yellow}${S.WARN}${C.reset} ${m}`),
+  error: (m) => console.log(`${C.red}${S.ERROR}${C.reset} ${m}`),
+  hint: (m) => console.log(`${C.gray}${m}${C.reset}`)
+};
+
+// src/index.ts
+function check(regex, options = {}) {
+  const pattern = typeof regex === "string" ? regex : regex.source;
+  const result = analyze(pattern, options);
+  if (!result.safe && !options.silent) {
+    log.error(`[Resafe] Unsafe pattern: /${pattern}/`);
+    log.warn(
+      `Spectral radius: ${result.radius.toFixed(4)} (threshold: ${options.threshold ?? 1})`
+    );
+    log.hint("Simplify regex structure to eliminate exponential paths");
+  }
+  if (!result.safe && options.throwErr) {
+    throw new Error(
+      `[Resafe] Unsafe pattern with spectral radius ${result.radius.toFixed(4)}`
+    );
+  }
+  return result;
+}
+async function checkAsync(regex, options = {}) {
+  return Promise.resolve(check(regex, options));
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  check,
+  checkAsync
+});

package/dist/index.d.cts

@@ -0,0 +1,16 @@
+interface Config {
+    threshold?: number;
+}
+interface Result {
+    safe: boolean;
+    radius: number;
+}
+
+interface Options extends Config {
+    silent?: boolean;
+    throwErr?: boolean;
+}
+declare function check(regex: string | RegExp, options?: Options): Result;
+declare function checkAsync(regex: string | RegExp, options?: Options): Promise<Result>;
+
+export { type Config, type Options, type Result, check, checkAsync };

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+interface Config {
+    threshold?: number;
+}
+interface Result {
+    safe: boolean;
+    radius: number;
+}
+
+interface Options extends Config {
+    silent?: boolean;
+    throwErr?: boolean;
+}
+declare function check(regex: string | RegExp, options?: Options): Result;
+declare function checkAsync(regex: string | RegExp, options?: Options): Promise<Result>;
+
+export { type Config, type Options, type Result, check, checkAsync };

package/dist/index.js

@@ -0,0 +1,308 @@
+// src/core/spectral.ts
+function buildNFA(pattern) {
+  let stateId = 0;
+  const newState = () => ({
+    id: stateId++,
+    transitions: /* @__PURE__ */ new Map(),
+    epsilon: []
+  });
+  const parse = (expr, start, end) => {
+    if (start >= end) {
+      const s = newState();
+      const e = newState();
+      s.epsilon.push(e.id);
+      return { states: [s, e], start: s.id, accept: e.id };
+    }
+    const fragments = [];
+    let i = start;
+    while (i < end) {
+      const char = expr[i];
+      if (char === void 0) break;
+      if (char === "(") {
+        let depth = 1;
+        let j = i + 1;
+        while (j < end && depth > 0) {
+          if (expr[j] === "\\") {
+            j += 2;
+            continue;
+          }
+          if (expr[j] === "(") depth++;
+          if (expr[j] === ")") depth--;
+          j++;
+        }
+        const groupNFA = parse(expr, i + 1, j - 1);
+        const nextChar = expr[j];
+        if (j < end && nextChar !== void 0 && /[*+?]/.test(nextChar)) {
+          fragments.push(quantify(groupNFA, nextChar));
+          i = j + 1;
+        } else {
+          fragments.push(groupNFA);
+          i = j;
+        }
+      } else if (char === "[") {
+        let j = i + 1;
+        while (j < end && expr[j] !== "]") {
+          if (expr[j] === "\\") j++;
+          j++;
+        }
+        j++;
+        const s = newState();
+        const e = newState();
+        s.transitions.set(expr.slice(i, j), [e.id]);
+        const nfa = { states: [s, e], start: s.id, accept: e.id };
+        const nextChar = expr[j];
+        if (j < end && nextChar !== void 0 && /[*+?]/.test(nextChar)) {
+          fragments.push(quantify(nfa, nextChar));
+          i = j + 1;
+        } else {
+          fragments.push(nfa);
+          i = j;
+        }
+      } else if (char === "|") {
+        const left = concat(fragments);
+        const right = parse(expr, i + 1, end);
+        return alternate(left, right);
+      } else if (!/[*+?]/.test(char)) {
+        const s = newState();
+        const e = newState();
+        const symbol = char === "\\" && i + 1 < end ? expr.slice(i, i + 2) : char;
+        s.transitions.set(symbol, [e.id]);
+        const nfa = { states: [s, e], start: s.id, accept: e.id };
+        if (char === "\\") i++;
+        i++;
+        const nextChar = expr[i];
+        if (i < end && nextChar !== void 0 && /[*+?]/.test(nextChar)) {
+          fragments.push(quantify(nfa, nextChar));
+          i++;
+        } else {
+          fragments.push(nfa);
+        }
+      } else {
+        i++;
+      }
+    }
+    return concat(fragments);
+  };
+  const concat = (nfas) => {
+    if (nfas.length === 0) {
+      const s = newState();
+      const e = newState();
+      s.epsilon.push(e.id);
+      return { states: [s, e], start: s.id, accept: e.id };
+    }
+    if (nfas.length === 1 && nfas[0]) return nfas[0];
+    const states = [];
+    for (let i = 0; i < nfas.length; i++) {
+      const nfa = nfas[i];
+      if (!nfa) continue;
+      states.push(...nfa.states);
+      if (i < nfas.length - 1) {
+        const nextNfa = nfas[i + 1];
+        if (!nextNfa) continue;
+        const accept = states.find((s) => s.id === nfa.accept);
+        if (accept) accept.epsilon.push(nextNfa.start);
+      }
+    }
+    const first = nfas[0];
+    const last = nfas[nfas.length - 1];
+    if (!first || !last) {
+      const s = newState();
+      const e = newState();
+      s.epsilon.push(e.id);
+      return { states: [s, e], start: s.id, accept: e.id };
+    }
+    return { states, start: first.start, accept: last.accept };
+  };
+  const alternate = (nfa1, nfa2) => {
+    const s = newState();
+    const e = newState();
+    s.epsilon.push(nfa1.start, nfa2.start);
+    const accept1 = nfa1.states.find((st) => st.id === nfa1.accept);
+    const accept2 = nfa2.states.find((st) => st.id === nfa2.accept);
+    if (accept1) accept1.epsilon.push(e.id);
+    if (accept2) accept2.epsilon.push(e.id);
+    return {
+      states: [s, ...nfa1.states, ...nfa2.states, e],
+      start: s.id,
+      accept: e.id
+    };
+  };
+  const quantify = (nfa, q) => {
+    const s = newState();
+    const e = newState();
+    const accept = nfa.states.find((st) => st.id === nfa.accept);
+    if (q === "*") {
+      s.epsilon.push(nfa.start, e.id);
+      if (accept) accept.epsilon.push(nfa.start, e.id);
+    } else if (q === "+") {
+      s.epsilon.push(nfa.start);
+      if (accept) accept.epsilon.push(nfa.start, e.id);
+    } else if (q === "?") {
+      s.epsilon.push(nfa.start, e.id);
+      if (accept) accept.epsilon.push(e.id);
+    }
+    return { states: [s, ...nfa.states, e], start: s.id, accept: e.id };
+  };
+  const clean = pattern.replace(/^\^|\$$/g, "");
+  return parse(clean, 0, clean.length);
+}
+function removeEpsilon(nfa) {
+  const closure = (id) => {
+    const result = /* @__PURE__ */ new Set([id]);
+    const stack = [id];
+    while (stack.length > 0) {
+      const current = stack.pop();
+      if (current === void 0) break;
+      const state = nfa.states.find((s) => s.id === current);
+      if (state) {
+        for (const eps of state.epsilon) {
+          if (!result.has(eps)) {
+            result.add(eps);
+            stack.push(eps);
+          }
+        }
+      }
+    }
+    return result;
+  };
+  const states = nfa.states.map((s) => ({
+    id: s.id,
+    transitions: /* @__PURE__ */ new Map(),
+    epsilon: []
+  }));
+  for (const state of nfa.states) {
+    const cls = closure(state.id);
+    const newState = states.find((s) => s.id === state.id);
+    if (!newState) continue;
+    for (const clsId of cls) {
+      const clsState = nfa.states.find((s) => s.id === clsId);
+      if (clsState) {
+        for (const [symbol, targets] of clsState.transitions) {
+          const existing = newState.transitions.get(symbol) || [];
+          for (const target of targets) {
+            const targetCls = closure(target);
+            for (const t of targetCls) {
+              if (!existing.includes(t)) existing.push(t);
+            }
+          }
+          newState.transitions.set(symbol, existing);
+        }
+      }
+    }
+  }
+  return { states, start: nfa.start, accept: nfa.accept };
+}
+function buildMatrix(nfa) {
+  const n = nfa.states.length;
+  const matrix = Array(n).fill(0).map(() => Array(n).fill(0));
+  for (const state of nfa.states) {
+    for (const targets of state.transitions.values()) {
+      for (const target of targets) {
+        const row = matrix[state.id];
+        if (row) {
+          const current = row[target];
+          if (current !== void 0) {
+            row[target] = current + 1;
+          }
+        }
+      }
+    }
+  }
+  return matrix;
+}
+function spectralRadius(matrix) {
+  const n = matrix.length;
+  if (n === 0) return 0;
+  let v = Array(n).fill(1 / Math.sqrt(n));
+  for (let iter = 0; iter < 100; iter++) {
+    const newV = Array(n).fill(0);
+    for (let i = 0; i < n; i++) {
+      const row = matrix[i];
+      if (row) {
+        for (let j = 0; j < n; j++) {
+          const cell = row[j];
+          const vec = v[j];
+          if (cell !== void 0 && vec !== void 0) {
+            newV[i] += cell * vec;
+          }
+        }
+      }
+    }
+    const norm = Math.sqrt(newV.reduce((sum, val) => sum + val * val, 0));
+    if (norm === 0) return 0;
+    v = newV.map((val) => val / norm);
+  }
+  let eigenvalue = 0;
+  for (let i = 0; i < n; i++) {
+    let sum = 0;
+    const row = matrix[i];
+    if (row) {
+      for (let j = 0; j < n; j++) {
+        const cell = row[j];
+        const vec = v[j];
+        if (cell !== void 0 && vec !== void 0) {
+          sum += cell * vec;
+        }
+      }
+    }
+    const vecI = v[i];
+    if (vecI !== void 0) {
+      eigenvalue += sum * vecI;
+    }
+  }
+  return Math.abs(eigenvalue);
+}
+
+// src/core/analyzer.ts
+function analyze(pattern, config = {}) {
+  const threshold = config.threshold ?? 1;
+  try {
+    const nfa = buildNFA(pattern);
+    const epsilonFree = removeEpsilon(nfa);
+    const matrix = buildMatrix(epsilonFree);
+    const radius = Math.round(spectralRadius(matrix) * 10) / 10;
+    return { safe: radius <= threshold, radius };
+  } catch {
+    return { safe: true, radius: 0 };
+  }
+}
+
+// src/utils/logger.ts
+var C = {
+  reset: "\x1B[0m",
+  yellow: "\x1B[33m",
+  red: "\x1B[31m",
+  gray: "\x1B[90m"
+};
+var S = { WARN: "!", ERROR: "x" };
+var log = {
+  warn: (m) => console.log(`${C.yellow}${S.WARN}${C.reset} ${m}`),
+  error: (m) => console.log(`${C.red}${S.ERROR}${C.reset} ${m}`),
+  hint: (m) => console.log(`${C.gray}${m}${C.reset}`)
+};
+
+// src/index.ts
+function check(regex, options = {}) {
+  const pattern = typeof regex === "string" ? regex : regex.source;
+  const result = analyze(pattern, options);
+  if (!result.safe && !options.silent) {
+    log.error(`[Resafe] Unsafe pattern: /${pattern}/`);
+    log.warn(
+      `Spectral radius: ${result.radius.toFixed(4)} (threshold: ${options.threshold ?? 1})`
+    );
+    log.hint("Simplify regex structure to eliminate exponential paths");
+  }
+  if (!result.safe && options.throwErr) {
+    throw new Error(
+      `[Resafe] Unsafe pattern with spectral radius ${result.radius.toFixed(4)}`
+    );
+  }
+  return result;
+}
+async function checkAsync(regex, options = {}) {
+  return Promise.resolve(check(regex, options));
+}
+export {
+  check,
+  checkAsync
+};

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "resafe",
+  "version": "1.0.0",
+  "description": "🛡️ Detects ReDoS vulnerabilities in regexes using Thompson NFA construction and spectral radius analysis",
+  "license": "MIT",
+  "homepage": "https://resafe.js.org",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ofabiodev/resafe.git"
+  },
+  "bugs": {
+    "url": "https://github.com/ofabiodev/resafe/issues"
+  },
+  "author": {
+    "name": "ofabiodev",
+    "url": "https://github.com/ofabiodev"
+  },
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --dts --clean",
+    "prepublishOnly": "npm run build",
+    "test": "poku"
+  },
+  "keywords": [
+    "regex",
+    "redos",
+    "regexp",
+    "security",
+    "vulnerability",
+    "performance",
+    "analyzer",
+    "validation",
+    "backtracking",
+    "lightweight"
+  ],
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/node": "^25.0.3",
+    "poku": "^3.0.2",
+    "tsup": "^8.5.1"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  }
+}