secure-file-check 1.0.0

package/README.md

@@ -0,0 +1,420 @@
+Secure File Check
+=================
+
+CLI + API for file type validation and suspicious Office detection
+
+A lightweight utility to validate file types by extension + magic bytes and detect potentially malicious Office documents (e.g., VBA macros). Supports both CLI and programmatic API usage.
+
+---
+
+Features
+
+- Validate file content against extension using magic-byte detectors
+- Detect suspicious Office documents (e.g., presence of VBA project)
+- CLI with JSON output and audit logging
+- Scan folders in parallel
+- Ignore patterns for selective scanning
+- Configurable whitelist of allowed file types
+- Supported file types: png, jpg, jpeg, pdf, docx, xlsx, gif, bmp, tiff, mp3, wav, svg
+
+---
+
+CLI Usage & Output
+
+1. Scan a single file
+
+```sh
+node bin/cli.js --file=path/to/file
+```
+
+Example stdout:
+
+```json
+{"timestamp":"2026-03-24T09:49:49.386Z","file":"uploads/a.png","status":"valid","ext":"png","size":1024,"suspicious":false}
+```
+
+- `status`: `valid` / `invalid`
+- `suspicious`: `true` if suspicious Office file
+- `size`: file size in bytes
+- `timestamp`: scan time
+
+---
+
+2. Scan a folder
+
+```sh
+node bin/cli.js --folder=uploads
+```
+
+Example stdout (per-file JSON lines):
+
+```json
+{"timestamp":"2026-03-24T09:49:49.405Z","file":"uploads/1.png","status":"valid","ext":"png","size":1024,"suspicious":false}
+{"timestamp":"2026-03-24T09:49:49.406Z","file":"uploads/2.jpg","status":"valid","ext":"jpg","size":2048,"suspicious":false}
+{"timestamp":"2026-03-24T09:49:49.407Z","file":"uploads/fake.docx","status":"invalid","ext":"docx","size":512,"reason":"Invalid ZIP (no EOCD)"}
+```
+
+- One JSON object per line — easy to parse with CI/CD scripts or log aggregators
+- `reason` appears when `status` = `invalid`
+
+---
+
+3. JSON output for folder scan
+
+```sh
+node bin/cli.js --folder=uploads --json
+```
+
+Example stdout:
+
+```json
+[
+  {"timestamp":"2026-03-24T09:49:49.405Z","file":"uploads/1.png","status":"valid","ext":"png","size":1024,"suspicious":false},
+  {"timestamp":"2026-03-24T09:49:49.405Z","file":"uploads/2.jpg","status":"valid","ext":"jpg","size":2048,"suspicious":false}
+]
+```
+
+- `--json` emits a single JSON array on stdout
+- Audit log lines remain on `stderr`
+
+Notes for CI
+
+- By default (without `--json`) the CLI emits one JSON object per file on stdout (one line per file). This is streamable and CI-friendly for large scans.
+- Audit/human-readable lines are written to `stderr` so tools can capture structured stdout separately.
+- Use `--json` to get a single JSON array of all results on stdout.
+
+---
+
+4. Audit log
+
+- The CLI writes structured JSON audit lines to `stderr`:
+
+```json
+{"timestamp":"2026-03-24T09:49:49.386Z","file":"uploads/a.png","status":"valid"}
+{"timestamp":"2026-03-24T09:49:49.390Z","file":"uploads/fake.png","status":"invalid","reason":"File content invalid"}
+```
+
+- Use `--log=FILE` to append audit lines to a file
+- Useful for CI/CD, SIEM integration, or auditing
+
+---
+
+5. Additional CLI options
+
+```
+--file=PATH       Scan single file
+--folder=PATH     Scan folder recursively
+--ignore=PATTERN  Ignore files/folders matching pattern
+--allow=EXT1,EXT2 Only allow these extensions
+--json            Output JSON array (folder scan)
+--log=FILE        Write audit log to file
+--parallel=N      Parallel scans (default = CPU cores)
+--fail-fast       Exit immediately on first invalid file (exit code 1)
+```
+
+---
+
+6. Exit codes
+
+- `0` — all files valid
+- `1` — at least one file invalid or an error occurred
+
+When using `--fail-fast`, the CLI exits immediately with code `1` on the first invalid file detected. Without `--fail-fast` the CLI runs all checks, prints a summary, and exits with `1` if any file was invalid.
+
+---
+
+Allowed file types
+
+The CLI and API both support restricting scans to an explicit whitelist of file extensions.
+
+- Default allowed types (built-in): `png`, `jpg`, `jpeg`, `pdf`, `docx`, `xlsx`, `gif`, `bmp`, `tiff`, `mp3`, `wav`, `svg`.
+
+CLI example (allow only images):
+
+```sh
+node bin/cli.js --folder=uploads --allow=png,jpg,gif,svg
+```
+
+Notes:
+- Provide extensions as a comma-separated list (no leading dots). The CLI lowercases and matches against file extensions.
+- If `--allow` is omitted the tool uses the built-in default list.
+
+Programmatic API example:
+
+```js
+await validateFile('/path/to/file.png', {
+  allowedTypes: ['png', 'jpg', 'svg'],
+});
+```
+
+The `allowedTypes` array should contain lowercase extensions without the leading dot. The `validateFile` function will reject files whose extension is not included in the whitelist.
+
+---
+
+Example: React / Next.js integration
+
+This example shows a Next.js API route that accepts a multipart file upload, saves it to a temporary path, calls `validateFile`, and returns the result. It uses `formidable` for parsing on the server — install it in your Next.js project if you follow this pattern.
+
+pages/api/validate.js
+
+```js
+import formidable from 'formidable';
+import fs from 'fs/promises';
+import { validateFile } from 'secure-file-check';
+
+export const config = { api: { bodyParser: false } };
+
+export default async function handler(req, res) {
+  const form = new formidable.IncomingForm({ uploadDir: '/tmp', keepExtensions: true });
+  let filepath;
+
+  try {
+    const { fields, files } = await new Promise((resolve, reject) => {
+      form.parse(req, (err, fields, files) => (err ? reject(err) : resolve({ fields, files })));
+    });
+
+    const file = files.file;
+    filepath = file?.filepath || file?.path;
+    if (!filepath) throw new Error('No uploaded file found');
+
+    const result = await validateFile(filepath);
+    res.json(result);
+  } catch (err) {
+    res.status(400).json({ error: err?.message || String(err) });
+  } finally {
+    if (filepath) await fs.unlink(filepath).catch(() => {});
+  }
+}
+```
+
+Client example (browser / Next.js page):
+
+```js
+async function submitFile(file) {
+  const fd = new FormData();
+  fd.append('file', file);
+
+  const r = await fetch('/api/validate', { method: 'POST', body: fd });
+  const json = await r.json();
+  console.log('validation', json);
+}
+```
+
+Notes
+- Keep uploads ephemeral (remove temp files after validation).
+- Running `validateFile` from a Next.js API route requires access to the code (the `src/` folder) from the server runtime — this works in Node-based deployments (Vercel serverless functions may need adaptation).
+
+
+Programmatic API
+
+Use the exported `validateFile` function from `src/validator.js`:
+
+```js
+import { validateFile } from './src/validator.js';
+
+const res = await validateFile('/path/to/file', {
+  allowedTypes: ['png','jpg','pdf'],
+  maxSize: 10*1024*1024, // 10MB
+  detectSuspicious: true,
+});
+
+console.log(res);
+// Example: { ext: 'png', size: 1024, suspicious: false }
+```
+
+- `allowedTypes`: array of extensions to allow
+- `maxSize`: maximum allowed size in bytes
+- `detectSuspicious`: enable detection of suspicious Office files
+
+---
+
+Key files
+
+- `bin/cli.js` — CLI entrypoint
+- `src/validator.js` — validation logic and allowed types
+- `src/detectors.js` — magic-byte detectors for file types
+- `src/zip.js` — parse Office zip entries for macros
+- `src/logger.js` — audit logging (writes structured JSON to stderr)
+
+---
+
+Testing
+
+Run all tests:
+
+```sh
+node --test
+```
+
+Or run specific tests:
+
+```sh
+node --test test/validator.test.js
+node --test test/cli.test.js
+```
+
+- Tests cover validator core and CLI behavior
+- Temporary files are auto-cleaned after tests
+
+---
+
+Contributing
+
+Contributions and bug reports welcome. Please open issues or PRs with a clear reproduction and tests when appropriate.
+
+---
+
+License
+
+MIT
+
+---
+
+Installation
+
+Install the package (choose one):
+
+```sh
+# npm (local)
+npm install --save secure-file-check
+
+# npm (global CLI)
+npm install -g secure-file-check
+
+# npx (run without installing globally)
+npx secure-file-check --file=path/to/file
+
+# yarn
+yarn add secure-file-check
+# yarn global (CLI)
+yarn global add secure-file-check
+
+# pnpm
+pnpm add secure-file-check
+# pnpm global (CLI)
+pnpm add -g secure-file-check
+```
+
+Programmatic usage after install (import from the package):
+
+```js
+import { validateFile } from 'secure-file-check';
+
+const res = await validateFile('/path/to/file');
+```
+
+Publishing
+
+To publish the package to npm (one-time setup may be required):
+
+```sh
+# bump version in package.json, build if needed
+npm publish --access public
+```
+
+Notes:
+- The package exposes the `validateFile` function as its module export.
+- The CLI binary name is `secure-file-check` (installed via the `bin` field).
+
+CI / GitHub Actions
+
+Here's a minimal GitHub Actions workflow you can add at `.github/workflows/ci.yml`. It runs tests on PRs and pushes, and publishes to npm when a tag is pushed (requires `NPM_TOKEN` repo secret).
+
+```yaml
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm test
+
+  publish:
+    needs: test
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          registry-url: 'https://registry.npmjs.org'
+      - run: npm ci
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+Notes:
+- The CLI writes structured per-file JSON to `stdout` and audit JSON lines to `stderr` — in CI you can capture `stdout` for structured analysis and save `stderr` for audit logs.
+- Set `NPM_TOKEN` in repository secrets to enable publishing. Optionally use `GITHUB_TOKEN` and a release action to create GitHub releases.
+
+Background scanning / cron
+
+If you want an automated background scanner for an `uploads` folder (e.g., nightly or hourly), add the included helper script `scripts/scan-uploads.sh` to your server and schedule it with `cron` or systemd timers. The script writes a timestamped JSON results file and an audit log.
+
+Example `cron` (runs hourly):
+
+```
+# run hourly at :00
+0 * * * * /usr/bin/env bash /srv/app/secure-file-check/scripts/scan-uploads.sh /var/www/app/uploads /var/log/secure-file-check
+```
+
+Example `systemd` unit + timer (optional)
+
+`/etc/systemd/system/secure-file-check.service`:
+
+```
+[Unit]
+Description=Secure File Check scanner
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/env bash /srv/app/secure-file-check/scripts/scan-uploads.sh /var/www/app/uploads /var/log/secure-file-check
+```
+
+`/etc/systemd/system/secure-file-check.timer`:
+
+```
+[Unit]
+Description=Run secure-file-check hourly
+
+[Timer]
+OnCalendar=hourly
+
+[Install]
+WantedBy=timers.target
+```
+
+Then enable with:
+
+```sh
+sudo systemctl enable --now secure-file-check.timer
+```
+
+Docker sidecar / cron container
+
+You can also run the scanner from a container that mounts your uploads directory and a host directory for logs:
+
+```sh
+docker run --rm \
+  -v /var/www/app/uploads:/uploads:ro \
+  -v /var/log/secure-file-check:/scan-output \
+  node:18 \
+  bash -c "npm ci && node /workspace/bin/cli.js --folder=/uploads --json --log=/scan-output/scan.log"
+```
+
+

package/bin/cli.js

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+import fs from "fs/promises";
+import path from "path";
+import os from "os";
+import { validateFile } from "../src/validator.js";
+import { initLogger } from "../src/logger.js";
+
+// ===== ARG =====
+const args = process.argv.slice(2);
+
+const fileArg = args.find((a) => a.startsWith("--file="));
+const folderArg = args.find((a) => a.startsWith("--folder="));
+const allowArg = args.find((a) => a.startsWith("--allow="));
+const ignoreArg = args.find((a) => a.startsWith("--ignore="));
+const logArg = args.find((a) => a.startsWith("--log="));
+const jsonMode = args.includes("--json");
+const failFast = args.includes("--fail-fast");
+const parallelArg = args.find((a) => a.startsWith("--parallel="));
+
+// ===== INIT LOGGER =====
+initLogger({
+  file: logArg ? logArg.split("=")[1] : null,
+});
+
+// ===== CONFIG =====
+const allowedTypes = allowArg
+  ? allowArg.split("=")[1].split(",")
+  : undefined;
+
+const ignorePatterns = ignoreArg
+  ? ignoreArg.split("=")[1].split(",")
+  : [];
+
+const concurrency = parallelArg
+  ? parseInt(parallelArg.split("=")[1])
+  : os.cpus().length;
+
+// ===== HELPERS =====
+function isIgnored(filePath) {
+  return ignorePatterns.some((p) => filePath.includes(p));
+}
+
+async function walkDir(dir) {
+  const results = [];
+  const list = await fs.readdir(dir, { withFileTypes: true });
+
+  for (const f of list) {
+    const fullPath = path.join(dir, f.name);
+
+    if (isIgnored(fullPath)) continue;
+
+    if (f.isDirectory()) {
+      results.push(...(await walkDir(fullPath)));
+    } else {
+      results.push(fullPath);
+    }
+  }
+
+  return results;
+}
+
+async function runWithConcurrency(tasks, limit) {
+  const results = [];
+  let index = 0;
+
+  async function worker() {
+    while (index < tasks.length) {
+      const i = index++;
+      results[i] = await tasks[i]();
+    }
+  }
+
+  await Promise.all(Array.from({ length: limit }, worker));
+  return results;
+}
+
+// ===== MAIN =====
+async function run() {
+  let files = [];
+
+  if (fileArg) {
+    files = [fileArg.split("=")[1]];
+  } else if (folderArg) {
+    files = await walkDir(folderArg.split("=")[1]);
+  } else {
+    console.error("Usage: secure-file-check --file=path OR --folder=path");
+    process.exit(1);
+  }
+
+  const tasks = files.map((file) => async () => {
+    try {
+      const res = await validateFile(file, { allowedTypes });
+
+      const out = { file, status: "valid", ...res };
+      if (!jsonMode) {
+        // print one JSON object per line to stdout for CI parsing
+        console.log(JSON.stringify(out));
+      }
+
+      return out;
+    } catch (err) {
+      const out = { file, status: "invalid", error: err.message };
+
+      // keep human-friendly audit on stderr
+      console.error(`${file} -> ${err.message}`);
+
+      if (!jsonMode) console.log(JSON.stringify(out));
+
+      if (failFast) {
+        // immediate exit on first failure (useful in CI)
+        process.exit(1);
+      }
+
+      return out;
+    }
+  });
+
+  const results = await runWithConcurrency(tasks, concurrency);
+
+  const hasError = results.some((r) => r.status === "invalid");
+
+  if (jsonMode) {
+    console.log(JSON.stringify(results, null, 2));
+  } else {
+    console.log("\n--- Summary ---");
+    console.log(`Total: ${results.length}`);
+    console.log(`Invalid: ${results.filter(r => r.status === "invalid").length}`);
+  }
+
+  process.exit(hasError ? 1 : 0);
+}
+
+run();

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "secure-file-check",
+  "description": "CLI + API for validating file types and detecting suspicious Office documents (VBA/macro detection).",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "./src/validator.js",
+  "scripts": {
+    "test": "node --test",
+    "start": "node ./bin/cli.js",
+    "cli": "node ./bin/cli.js",
+    "prepublishOnly": "node --test"
+  },
+  "bin": {
+    "secure-file-check": "./bin/cli.js"
+  },
+  "exports": {
+    ".": "./src/validator.js"
+  },
+  "keywords": ["file","mime","security","upload","validation","cli","validator","vba","office"],
+  "author": "vietvq",
+  "files": ["bin/","src/","README.md"],
+  "engines": {
+    "node": ">=16"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vietvq/secure-file-check.git"
+  },
+  "bugs": {
+    "url": "https://github.com/vietvq/secure-file-check/issues"
+  },
+  "homepage": "https://github.com/vietvq/secure-file-check#readme",
+  "license": "MIT"
+}

package/src/detectors.js

@@ -0,0 +1,69 @@
+export async function readChunk(fd, start, length) {
+  const buffer = Buffer.alloc(length);
+  await fd.read(buffer, 0, length, start);
+  return buffer;
+}
+
+export async function isPNG(fd) {
+  const b = await readChunk(fd, 0, 8);
+  return b.equals(Buffer.from([0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a]));
+}
+
+export async function isJPEG(fd) {
+  const b = await readChunk(fd, 0, 3);
+  return b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff;
+}
+
+export async function isPDF(fd) {
+  const b = await readChunk(fd, 0, 4);
+  return b.toString() === "%PDF";
+}
+
+export async function isZIP(fd) {
+  const b = await readChunk(fd, 0, 4);
+  return b[0] === 0x50 && b[1] === 0x4b;
+}
+
+export async function isGIF(fd) {
+  const b = await readChunk(fd, 0, 6);
+  const sig = b.toString('ascii');
+  return sig === 'GIF87a' || sig === 'GIF89a';
+}
+
+export async function isBMP(fd) {
+  const b = await readChunk(fd, 0, 2);
+  return b[0] === 0x42 && b[1] === 0x4d; // 'BM'
+}
+
+export async function isTIFF(fd) {
+  const b = await readChunk(fd, 0, 4);
+  // little-endian II*\x00 or big-endian MM\x00*
+  return (
+    (b[0] === 0x49 && b[1] === 0x49 && b[2] === 0x2a && b[3] === 0x00) ||
+    (b[0] === 0x4d && b[1] === 0x4d && b[2] === 0x00 && b[3] === 0x2a)
+  );
+}
+
+export async function isMP3(fd) {
+  const b = await readChunk(fd, 0, 3);
+  // ID3 tag or frame sync 0xFF 0xFB (or 0xFF 0xF3 / 0xFF 0xF2)
+  if (b[0] === 0x49 && b[1] === 0x44 && b[2] === 0x33) return true; // 'ID3'
+  const b2 = await readChunk(fd, 0, 2);
+  return b2[0] === 0xff && (b2[1] & 0xe0) === 0xe0;
+}
+
+export async function isWAV(fd) {
+  const b = await readChunk(fd, 0, 12);
+  // 'RIFF' .... 'WAVE'
+  return (
+    b[0] === 0x52 && b[1] === 0x49 && b[2] === 0x46 && b[3] === 0x46 &&
+    b[8] === 0x57 && b[9] === 0x41 && b[10] === 0x56 && b[11] === 0x45
+  );
+}
+
+export async function isSVG(fd) {
+  // read some initial bytes as text and look for an <svg tag
+  const b = await readChunk(fd, 0, 512);
+  const s = b.toString('utf8').toLowerCase();
+  return s.includes('<svg');
+}

package/src/logger.js

@@ -0,0 +1,28 @@
+import fs from "fs/promises";
+
+let logFilePath = null;
+
+export function initLogger(options = {}) {
+  logFilePath = options.file || null;
+}
+
+export async function auditLog(entry) {
+  const logEntry = {
+    timestamp: new Date().toISOString(),
+    ...entry,
+  };
+
+  const line = JSON.stringify(logEntry) + "\n";
+
+  // console -> use stderr so structured stdout (e.g. JSON mode) isn't polluted
+  console.error(line.trim());
+
+  // file (optional)
+  if (logFilePath) {
+    try {
+      await fs.appendFile(logFilePath, line);
+    } catch (err) {
+      console.error("Logger error:", err.message);
+    }
+  }
+}

package/src/validator.js

@@ -0,0 +1,165 @@
+import fs from "fs/promises";
+import path from "path";
+import {
+  isPNG,
+  isJPEG,
+  isPDF,
+  isZIP,
+  isGIF,
+  isBMP,
+  isTIFF,
+  isMP3,
+  isWAV,
+  isSVG,
+} from "./detectors.js";
+import { parseZipEntries, validateOffice } from "./zip.js";
+import { auditLog } from "./logger.js";
+
+export async function validateFile(filePath, options = {}) {
+  const {
+    allowedTypes = [
+      "png",
+      "jpg",
+      "jpeg",
+      "pdf",
+      "docx",
+      "xlsx",
+      "gif",
+      "bmp",
+      "tiff",
+      "mp3",
+      "wav",
+      "svg",
+    ],
+    maxSize = 50 * 1024 * 1024,
+    detectSuspicious = true,
+  } = options;
+
+  const ext = path.extname(filePath).slice(1).toLowerCase();
+
+  const stat = await fs.stat(filePath);
+
+  try {
+    if (!allowedTypes.includes(ext)) {
+      throw new Error(`Extension .${ext} not allowed`);
+    }
+
+    if (stat.size > maxSize) {
+      throw new Error("File too large");
+    }
+
+    const fd = await fs.open(filePath, "r");
+
+    let valid = false;
+    let suspicious = false;
+
+    try {
+      switch (ext) {
+        case "png":
+          valid = await isPNG(fd);
+          break;
+
+        case "jpg":
+        case "jpeg":
+          valid = await isJPEG(fd);
+          break;
+
+        case "pdf":
+          valid = await isPDF(fd);
+          break;
+
+        case "gif":
+          valid = await isGIF(fd);
+          break;
+
+        case "bmp":
+          valid = await isBMP(fd);
+          break;
+
+        case "tiff":
+        case "tif":
+          valid = await isTIFF(fd);
+          break;
+
+        case "mp3":
+          valid = await isMP3(fd);
+          break;
+
+        case "wav":
+          valid = await isWAV(fd);
+          break;
+
+        case "svg":
+          valid = await isSVG(fd);
+          break;
+
+        case "docx":
+        case "xlsx":
+          if (!(await isZIP(fd))) break;
+
+          const entries = await parseZipEntries(fd, stat.size);
+          valid = validateOffice(entries, ext);
+
+          if (detectSuspicious) {
+            suspicious = entries.some((e) =>
+              e.toLowerCase().includes("vbaproject.bin")
+            );
+          }
+          break;
+      }
+
+      // If the extension is allowed but we don't have a specific
+      // content detector for it, accept by extension only. This
+      // lets users whitelist arbitrary extensions (e.g. `--allow=js`).
+      const detectorHandled = [
+        "png",
+        "jpg",
+        "jpeg",
+        "pdf",
+        "gif",
+        "bmp",
+        "tiff",
+        "tif",
+        "mp3",
+        "wav",
+        "svg",
+        "docx",
+        "xlsx",
+      ].includes(ext);
+
+      if (!valid && !detectorHandled) {
+        valid = true;
+      }
+    } finally {
+      await fd.close();
+    }
+
+    if (!valid) {
+      throw new Error("File content invalid");
+    }
+
+    await auditLog({
+      file: filePath,
+      status: "valid",
+      ext,
+      size: stat.size,
+      suspicious,
+    });
+
+    return {
+      ext,
+      size: stat.size,
+      suspicious,
+    };
+  } catch (err) {
+    await auditLog({
+      file: filePath,
+      status: "invalid",
+      ext,
+      size: stat.size,
+      reason: err.message,
+    });
+
+    throw err;
+  }
+}

package/src/zip.js

@@ -0,0 +1,53 @@
+export async function parseZipEntries(fd, fileSize) {
+  const readSize = Math.min(65536, fileSize);
+  const tail = Buffer.alloc(readSize);
+
+  await fd.read(tail, 0, readSize, fileSize - readSize);
+
+  const sig = Buffer.from([0x50, 0x4b, 0x05, 0x06]);
+  const idx = tail.lastIndexOf(sig);
+
+  if (idx === -1) {
+    throw new Error("Invalid ZIP (no EOCD)");
+  }
+
+  const centralDirOffset = tail.readUInt32LE(idx + 16);
+  const header = Buffer.alloc(4096);
+
+  await fd.read(header, 0, 4096, centralDirOffset);
+
+  const entries = [];
+  let i = 0;
+
+  while (i < header.length - 46) {
+    if (header[i] !== 0x50 || header[i + 1] !== 0x4b) break;
+
+    const fileNameLength = header.readUInt16LE(i + 28);
+    const extraLength = header.readUInt16LE(i + 30);
+    const commentLength = header.readUInt16LE(i + 32);
+
+    const nameStart = i + 46;
+    const nameEnd = nameStart + fileNameLength;
+
+    const name = header.slice(nameStart, nameEnd).toString("utf-8");
+    entries.push(name);
+
+    i = nameEnd + extraLength + commentLength;
+  }
+
+  return entries;
+}
+
+export function validateOffice(entries, type) {
+  if (!entries.includes("[Content_Types].xml")) return false;
+
+  if (type === "docx") {
+    return entries.some((e) => e.startsWith("word/"));
+  }
+
+  if (type === "xlsx") {
+    return entries.some((e) => e.startsWith("xl/"));
+  }
+
+  return false;
+}