secure-ui-components 0.1.0-beta.1

package/dist/core/base-component.js

@@ -0,0 +1,303 @@
+/**
+ * @fileoverview Base Component Class for Secure-UI
+ *
+ * This module provides the foundational class that all Secure-UI web components
+ * extend. It implements core security features, progressive enhancement,
+ * and standardized lifecycle management.
+ *
+ * Security Features:
+ * - Closed Shadow DOM (prevents external JavaScript access)
+ * - Automatic XSS sanitization
+ * - Security tier enforcement
+ * - Audit logging infrastructure
+ * - Rate limiting support
+ * - Progressive enhancement (works without JS)
+ *
+ * @module base-component
+ * @license MIT
+ */
+import { SecurityTier, getTierConfig, isValidTier, } from './security-config.js';
+/**
+ * Base class for all Secure-UI components
+ *
+ * All components in the Secure-UI library should extend this class to inherit
+ * core security functionality and standardized behavior.
+ *
+ * Security Architecture:
+ * - Closed Shadow DOM prevents external tampering
+ * - All attributes are sanitized on read
+ * - Security tier is immutable after initial set
+ * - Default tier is CRITICAL (fail secure)
+ */
+export class SecureBaseComponent extends HTMLElement {
+    #securityTier = SecurityTier.CRITICAL;
+    #config;
+    #shadow;
+    #auditLog = [];
+    #rateLimitState = {
+        attempts: 0,
+        windowStart: Date.now()
+    };
+    #initialized = false;
+    /**
+     * Constructor
+     *
+     * Security Note: Creates a CLOSED shadow DOM to prevent external JavaScript
+     * from accessing or modifying the component's internal DOM.
+     */
+    constructor() {
+        super();
+        this.#shadow = this.attachShadow({ mode: 'closed' });
+        this.#config = getTierConfig(this.#securityTier);
+    }
+    /**
+     * Observed attributes - must be overridden by child classes
+     */
+    static get observedAttributes() {
+        return ['security-tier', 'disabled', 'readonly'];
+    }
+    /**
+     * Called when element is added to DOM
+     */
+    connectedCallback() {
+        if (!this.#initialized) {
+            this.#initialize();
+            this.#initialized = true;
+        }
+    }
+    #initialize() {
+        this.initializeSecurity();
+        this.#render();
+    }
+    /**
+     * Initialize security tier, config, and audit logging without triggering render.
+     *
+     * Components that manage their own rendering (e.g. secure-table) can call this
+     * from their connectedCallback instead of super.connectedCallback() to get
+     * security initialization without the base render lifecycle.
+     * @protected
+     */
+    initializeSecurity() {
+        const tierAttr = this.getAttribute('security-tier');
+        if (tierAttr && isValidTier(tierAttr)) {
+            this.#securityTier = tierAttr;
+        }
+        this.#config = getTierConfig(this.#securityTier);
+        this.#audit('component_initialized', {
+            tier: this.#securityTier,
+            timestamp: new Date().toISOString()
+        });
+    }
+    /**
+     * Called when an observed attribute changes
+     *
+     * Security Note: security-tier attribute is immutable after initialization
+     * to prevent privilege escalation.
+     */
+    attributeChangedCallback(name, oldValue, newValue) {
+        if (name === 'security-tier' && this.#initialized) {
+            console.warn(`Security tier cannot be changed after initialization. ` +
+                `Attempted change from "${oldValue}" to "${newValue}" blocked.`);
+            if (oldValue !== null) {
+                this.setAttribute('security-tier', oldValue);
+            }
+            return;
+        }
+        if (this.#initialized) {
+            this.handleAttributeChange(name, oldValue, newValue);
+        }
+    }
+    /**
+     * Handle attribute changes - to be overridden by child classes
+     */
+    handleAttributeChange(_name, _oldValue, _newValue) {
+        // Child classes should override this method
+    }
+    #render() {
+        this.#shadow.innerHTML = '';
+        // Base styles via <link> — loads from 'self', fully CSP-safe.
+        // Using adoptedStyleSheets + replaceSync(inlineString) triggers CSP violations
+        // when style-src lacks 'unsafe-inline'. A <link> element loading from 'self'
+        // is always permitted.
+        const baseLink = document.createElement('link');
+        baseLink.rel = 'stylesheet';
+        baseLink.href = new URL('./base.css', import.meta.url).href;
+        this.#shadow.appendChild(baseLink);
+        const content = this.render();
+        if (content) {
+            this.#shadow.appendChild(content);
+        }
+    }
+    /**
+     * Returns the URL of the shared base stylesheet.
+     * Components that manage their own rendering (e.g. secure-table) can use
+     * this to inject the base <link> themselves.
+     * @protected
+     */
+    getBaseStylesheetUrl() {
+        return new URL('./base.css', import.meta.url).href;
+    }
+    /**
+     * Inject a component stylesheet into the shadow root via <link>.
+     * Accepts a URL (use import.meta.url to derive it, e.g.
+     *   new URL('./my-component.css', import.meta.url).href
+     * ). Loading from 'self' satisfies strict CSP without unsafe-inline.
+     * @protected
+     */
+    addComponentStyles(cssUrl) {
+        const link = document.createElement('link');
+        link.rel = 'stylesheet';
+        link.href = cssUrl;
+        this.#shadow.appendChild(link);
+    }
+    /**
+     * Sanitize a string value to prevent XSS
+     */
+    sanitizeValue(value) {
+        if (typeof value !== 'string') {
+            return '';
+        }
+        const div = document.createElement('div');
+        div.textContent = value;
+        return div.innerHTML;
+    }
+    /**
+     * Validate input against tier-specific rules
+     */
+    validateInput(value, options = {}) {
+        const errors = [];
+        const config = this.#config;
+        if (config.validation.required && (!value || value.trim().length === 0)) {
+            errors.push('This field is required');
+        }
+        const maxLength = options.maxLength || config.validation.maxLength;
+        if (value && value.length > maxLength) {
+            errors.push(`Value exceeds maximum length of ${maxLength}`);
+        }
+        const minLength = options.minLength || 0;
+        if (value && value.length < minLength) {
+            errors.push(`Value must be at least ${minLength} characters`);
+        }
+        const pattern = options.pattern || config.validation.pattern;
+        if (pattern && value && !pattern.test(value)) {
+            errors.push('Value does not match required format');
+        }
+        if (config.validation.strict && errors.length > 0) {
+            this.#audit('validation_failed', {
+                errors,
+                valueLength: value ? value.length : 0
+            });
+        }
+        return {
+            valid: errors.length === 0,
+            errors
+        };
+    }
+    /**
+     * Check rate limit for this component
+     */
+    checkRateLimit() {
+        if (!this.#config.rateLimit.enabled) {
+            return { allowed: true, retryAfter: 0 };
+        }
+        const now = Date.now();
+        const windowMs = this.#config.rateLimit.windowMs;
+        if (now - this.#rateLimitState.windowStart > windowMs) {
+            this.#rateLimitState.attempts = 0;
+            this.#rateLimitState.windowStart = now;
+        }
+        if (this.#rateLimitState.attempts >= this.#config.rateLimit.maxAttempts) {
+            const retryAfter = windowMs - (now - this.#rateLimitState.windowStart);
+            this.#audit('rate_limit_exceeded', {
+                attempts: this.#rateLimitState.attempts,
+                retryAfter
+            });
+            return { allowed: false, retryAfter };
+        }
+        this.#rateLimitState.attempts++;
+        return { allowed: true, retryAfter: 0 };
+    }
+    #audit(event, data = {}) {
+        const config = this.#config.audit;
+        const shouldLog = (event.includes('access') && config.logAccess) ||
+            (event.includes('change') && config.logChanges) ||
+            (event.includes('submit') && config.logSubmission) ||
+            event.includes('initialized') ||
+            event.includes('rate_limit') ||
+            event.includes('validation');
+        if (!shouldLog) {
+            return;
+        }
+        const logEntry = {
+            event,
+            tier: this.#securityTier,
+            timestamp: new Date().toISOString(),
+            ...data
+        };
+        if (config.includeMetadata) {
+            logEntry.userAgent = navigator.userAgent;
+            logEntry.language = navigator.language;
+        }
+        this.#auditLog.push(logEntry);
+        this.dispatchEvent(new CustomEvent('secure-audit', {
+            detail: logEntry,
+            bubbles: true,
+            composed: true
+        }));
+    }
+    /**
+     * Get the shadow root (protected access for child classes)
+     */
+    get shadowRoot() {
+        return this.#shadow;
+    }
+    /**
+     * Get the current security tier
+     */
+    get securityTier() {
+        return this.#securityTier;
+    }
+    /**
+     * Get the tier configuration
+     */
+    get config() {
+        return this.#config;
+    }
+    /**
+     * Get all audit log entries
+     */
+    getAuditLog() {
+        return [...this.#auditLog];
+    }
+    /**
+     * Clear the local audit log
+     */
+    clearAuditLog() {
+        this.#auditLog = [];
+    }
+    /**
+     * Trigger an audit event from child classes
+     */
+    audit(event, data) {
+        this.#audit(event, data);
+    }
+    /**
+     * Force re-render of the component
+     */
+    rerender() {
+        this.#render();
+    }
+    /**
+     * Clean up when component is removed from DOM
+     */
+    disconnectedCallback() {
+        this.#rateLimitState = { attempts: 0, windowStart: Date.now() };
+        if (this.#config.audit.logAccess) {
+            this.#audit('component_disconnected', {
+                timestamp: new Date().toISOString()
+            });
+        }
+    }
+}
+export default SecureBaseComponent;
+//# sourceMappingURL=base-component.js.map

package/dist/core/base-component.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-component.js","sourceRoot":"","sources":["../../src/core/base-component.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,GACZ,MAAM,sBAAsB,CAAC;AAY9B;;;;;;;;;;;GAWG;AACH,MAAM,OAAgB,mBAAoB,SAAQ,WAAW;IAC3D,aAAa,GAAsB,YAAY,CAAC,QAA6B,CAAC;IAC9E,OAAO,CAAa;IACpB,OAAO,CAAa;IACpB,SAAS,GAAoB,EAAE,CAAC;IAChC,eAAe,GAAmB;QAChC,QAAQ,EAAE,CAAC;QACX,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;KACxB,CAAC;IACF,YAAY,GAAY,KAAK,CAAC;IAE9B;;;;;OAKG;IACH;QACE,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,MAAM,KAAK,kBAAkB;QAC3B,OAAO,CAAC,eAAe,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,WAAW;QACT,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACO,kBAAkB;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC;QAChC,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAEjD,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE;YACnC,IAAI,EAAE,IAAI,CAAC,aAAa;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,wBAAwB,CAAC,IAAY,EAAE,QAAuB,EAAE,QAAuB;QACrF,IAAI,IAAI,KAAK,eAAe,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAClD,OAAO,CAAC,IAAI,CACV,wDAAwD;gBACxD,0BAA0B,QAAQ,SAAS,QAAQ,YAAY,CAChE,CAAC;YACF,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtB,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;YAC/C,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;OAEG;IACO,qBAAqB,CAAC,KAAa,EAAE,SAAwB,EAAE,SAAwB;QAC/F,4CAA4C;IAC9C,CAAC;IAED,OAAO;QACL,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,EAAE,CAAC;QAE5B,8DAA8D;QAC9D,+EAA+E;QAC/E,6EAA6E;QAC7E,uBAAuB;QACvB,MAAM,QAAQ,GAAG,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAChD,QAAQ,CAAC,GAAG,GAAG,YAAY,CAAC;QAC5B,QAAQ,CAAC,IAAI,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QAC5D,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAEnC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC9B,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACO,oBAAoB;QAC5B,OAAO,IAAI,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;IACrD,CAAC;IAED;;;;;;OAMG;IACO,kBAAkB,CAAC,MAAc;QACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,GAAG,YAAY,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC;QACnB,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAOD;;OAEG;IACO,aAAa,CAAC,KAAa;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,GAAG,GAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,WAAW,GAAG,KAAK,CAAC;QACxB,OAAO,GAAG,CAAC,SAAS,CAAC;IACvB,CAAC;IAED;;OAEG;IACO,aAAa,CAAC,KAAa,EAAE,UAA6B,EAAE;QACpE,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;QAE5B,IAAI,MAAM,CAAC,UAAU,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;YACxE,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;QACnE,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,mCAAmC,SAAS,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,CAAC,CAAC;QACzC,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,0BAA0B,SAAS,aAAa,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC;QAC7D,IAAI,OAAO,IAAI,KAAK,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE;gBAC/B,MAAM;gBACN,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;aACtC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;YAC1B,MAAM;SACP,CAAC;IACJ,CAAC;IAED;;OAEG;IACO,cAAc;QACtB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC;QAEjD,IAAI,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,GAAG,QAAQ,EAAE,CAAC;YACtD,IAAI,CAAC,eAAe,CAAC,QAAQ,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,eAAe,CAAC,WAAW,GAAG,GAAG,CAAC;QACzC,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YACxE,MAAM,UAAU,GAAG,QAAQ,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;YACvE,IAAI,CAAC,MAAM,CAAC,qBAAqB,EAAE;gBACjC,QAAQ,EAAE,IAAI,CAAC,eAAe,CAAC,QAAQ;gBACvC,UAAU;aACX,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QACxC,CAAC;QAED,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,CAAC;QAEhC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,CAAC,KAAa,EAAE,OAAgC,EAAE;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;QAElC,MAAM,SAAS,GACb,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC;YAC9C,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC;YAC/C,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,aAAa,CAAC;YAClD,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;YAC7B,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC5B,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAE/B,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAkB;YAC9B,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,aAAa;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,GAAG,IAAI;SACR,CAAC;QAEF,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC3B,QAAQ,CAAC,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;YACzC,QAAQ,CAAC,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE9B,IAAI,CAAC,aAAa,CAChB,IAAI,WAAW,CAAC,cAAc,EAAE;YAC9B,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,IAAI;SACf,CAAC,CACH,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,aAAa;QACX,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACO,KAAK,CAAC,KAAa,EAAE,IAA6B;QAC1D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC;IAED;;OAEG;IACO,QAAQ;QAChB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,oBAAoB;QAClB,IAAI,CAAC,eAAe,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAEhE,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE;gBACpC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF;AAED,eAAe,mBAAmB,CAAC"}

package/dist/core/base.css

@@ -0,0 +1,37 @@
+/**
+ * Base Shadow DOM styles shared by all Secure-UI components.
+ * Loaded via <link rel="stylesheet"> to satisfy strict CSP (style-src 'self').
+ */
+
+:host {
+  display: block;
+  box-sizing: border-box;
+  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+  font-size: 14px;
+  line-height: 1.5;
+}
+
+:host([hidden]) {
+  display: none;
+}
+
+* {
+  box-sizing: border-box;
+}
+
+.hidden {
+  display: none;
+}
+
+.security-badge {
+  display: inline-block;
+  padding: var(--secure-ui-badge-padding, 2px 6px);
+  margin-left: var(--secure-ui-space-2, 0.5rem);
+  font-size: var(--secure-ui-badge-font-size, 0.6875rem); /* 11px — below normal text threshold, verify contrast */
+  font-weight: var(--secure-ui-font-weight-semibold, 600);
+  border-radius: var(--secure-ui-badge-border-radius, 0.25rem);
+  text-transform: uppercase;
+  background-color: var(--secure-ui-color-bg-tertiary);
+  color: var(--secure-ui-color-text-secondary);
+  border: var(--secure-ui-border-width-thin, 1px) solid var(--secure-ui-color-border);
+}

package/dist/core/security-config.d.ts

@@ -0,0 +1,89 @@
+/**
+ * @fileoverview Security Configuration and Tier Definitions
+ *
+ * This module defines the four security tiers that govern all component behavior
+ * in the Secure-UI library. Each tier represents a different level of data sensitivity
+ * and applies corresponding security controls.
+ *
+ * Security Philosophy:
+ * - Defense in depth: Multiple layers of protection at each tier
+ * - Fail secure: Default to highest security when tier is ambiguous
+ * - Progressive enhancement: All tiers work without JavaScript
+ * - Zero trust: Always validate, never assume data is safe
+ *
+ * @module security-config
+ * @license MIT
+ */
+import type { SecurityTierValue, TierConfig, CSPDirectives, SecurityHeaders } from './types.js';
+/**
+ * Security tier enumeration
+ * These constants should be used throughout the library to reference security levels
+ */
+export declare const SecurityTier: Readonly<{
+    /** PUBLIC: Non-sensitive data (e.g., search queries, public comments) */
+    PUBLIC: "public";
+    /** AUTHENTICATED: User-specific but non-sensitive data (e.g., display names, preferences) */
+    AUTHENTICATED: "authenticated";
+    /** SENSITIVE: Personally identifiable information (e.g., email, phone, address) */
+    SENSITIVE: "sensitive";
+    /** CRITICAL: High-risk data (e.g., passwords, SSN, payment info) */
+    CRITICAL: "critical";
+}>;
+/**
+ * Default configuration for each security tier
+ *
+ * Security Note: These defaults implement defense-in-depth by progressively
+ * adding security controls at each tier. When in doubt, components should
+ * default to CRITICAL tier behavior.
+ */
+export declare const TIER_CONFIG: Readonly<Record<SecurityTierValue, TierConfig>>;
+/**
+ * Get configuration for a specific security tier
+ *
+ * Security Note: If an invalid tier is provided, this function fails secure
+ * by returning the CRITICAL tier configuration.
+ */
+export declare function getTierConfig(tier: string): TierConfig;
+/**
+ * Validate that a tier value is valid
+ */
+export declare function isValidTier(tier: string): tier is SecurityTierValue;
+/**
+ * Compare two security tiers
+ *
+ * @returns -1 if tier1 < tier2, 0 if equal, 1 if tier1 > tier2
+ */
+export declare function compareTiers(tier1: string, tier2: string): number;
+/**
+ * Get the more secure of two tiers
+ */
+export declare function getMoreSecureTier(tier1: string, tier2: string): string;
+/**
+ * Content Security Policy recommendations for each tier
+ */
+export declare const CSP_RECOMMENDATIONS: Readonly<Record<SecurityTierValue, Readonly<CSPDirectives>>>;
+/**
+ * Default security headers recommendations
+ */
+export declare const SECURITY_HEADERS: Readonly<SecurityHeaders>;
+declare const _default: {
+    SecurityTier: Readonly<{
+        /** PUBLIC: Non-sensitive data (e.g., search queries, public comments) */
+        PUBLIC: "public";
+        /** AUTHENTICATED: User-specific but non-sensitive data (e.g., display names, preferences) */
+        AUTHENTICATED: "authenticated";
+        /** SENSITIVE: Personally identifiable information (e.g., email, phone, address) */
+        SENSITIVE: "sensitive";
+        /** CRITICAL: High-risk data (e.g., passwords, SSN, payment info) */
+        CRITICAL: "critical";
+    }>;
+    TIER_CONFIG: Readonly<Record<SecurityTierValue, TierConfig>>;
+    getTierConfig: typeof getTierConfig;
+    isValidTier: typeof isValidTier;
+    compareTiers: typeof compareTiers;
+    getMoreSecureTier: typeof getMoreSecureTier;
+    CSP_RECOMMENDATIONS: Readonly<Record<SecurityTierValue, Readonly<CSPDirectives>>>;
+    SECURITY_HEADERS: Readonly<SecurityHeaders>;
+};
+export default _default;
+//# sourceMappingURL=security-config.d.ts.map

package/dist/core/security-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-config.d.ts","sourceRoot":"","sources":["../../src/core/security-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,eAAe,EAChB,MAAM,YAAY,CAAC;AAEpB;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB,yEAAyE;;IAGzE,6FAA6F;;IAG7F,mFAAmF;;IAGnF,oEAAoE;;EAEpE,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAoJtE,CAAC;AAEH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,CAOtD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,IAAI,iBAAiB,CAEnE;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAKjE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAEtE;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,iBAAiB,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC,CAiC3F,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,QAAQ,CAAC,eAAe,CAMrD,CAAC;;;QAlQD,yEAAyE;;QAGzE,6FAA6F;;QAG7F,mFAAmF;;QAGnF,oEAAoE;;;;;;;;;;;AA2PtE,wBASE"}