npm - tlc-claude-code - Versions diffs - 1.4.8 → 1.4.9 - Mend

tlc-claude-code 1.4.8 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/network/request-validator.js ADDED Viewed

@@ -0,0 +1,351 @@
+/**
+ * Request Validator
+ * Validates request size, content type, JSON depth, and prevents path traversal
+ */
+export const REQUEST_LIMITS = {
+  MAX_BODY_SIZE: 10 * 1024 * 1024, // 10MB
+  MAX_JSON_DEPTH: 10,
+  MAX_QUERY_LENGTH: 2048,
+  MAX_HEADER_SIZE: 8192,
+  MAX_PARAMS: 100,
+};
+/**
+ * Validate request size against limit
+ */
+export function validateRequestSize(options) {
+  const { contentLength, maxSize = REQUEST_LIMITS.MAX_BODY_SIZE } = options;
+  if (contentLength === undefined || contentLength === null) {
+    return {
+      valid: true,
+      warning: 'Content-Length header not provided',
+    };
+  }
+  if (contentLength > maxSize) {
+    return {
+      valid: false,
+      error: `Request size ${contentLength} exceeds maximum allowed size of ${maxSize}`,
+    };
+  }
+  return { valid: true };
+}
+/**
+ * Validate content type against allowed types
+ */
+export function validateContentType(options) {
+  const { contentType, allowedTypes } = options;
+  if (!contentType) {
+    return {
+      valid: false,
+      error: 'Content-Type header is required',
+    };
+  }
+  // Extract base content type (without charset, etc.)
+  const baseType = contentType.split(';')[0].trim().toLowerCase();
+  const isAllowed = allowedTypes.some((allowed) => {
+    const allowedLower = allowed.toLowerCase();
+    // Handle wildcard types (e.g., image/*)
+    if (allowedLower.endsWith('/*')) {
+      const prefix = allowedLower.slice(0, -1); // Remove *
+      return baseType.startsWith(prefix);
+    }
+    return baseType === allowedLower;
+  });
+  if (!isAllowed) {
+    return {
+      valid: false,
+      error: `Content-Type '${baseType}' is not allowed. Allowed types: ${allowedTypes.join(', ')}`,
+    };
+  }
+  return { valid: true };
+}
+/**
+ * Calculate depth of a JSON object/array
+ */
+function calculateDepth(obj, currentDepth = 0) {
+  if (obj === null || typeof obj !== 'object') {
+    return currentDepth;
+  }
+  currentDepth++;
+  if (Array.isArray(obj)) {
+    if (obj.length === 0) return currentDepth;
+    return Math.max(...obj.map((item) => calculateDepth(item, currentDepth)));
+  }
+  const values = Object.values(obj);
+  if (values.length === 0) return currentDepth;
+  return Math.max(...values.map((value) => calculateDepth(value, currentDepth)));
+}
+/**
+ * Validate JSON depth against limit
+ */
+export function validateJsonDepth(options) {
+  const { json, maxDepth = REQUEST_LIMITS.MAX_JSON_DEPTH } = options;
+  const depth = calculateDepth(json);
+  if (depth > maxDepth) {
+    return {
+      valid: false,
+      error: `JSON depth ${depth} exceeds maximum allowed depth of ${maxDepth}`,
+      depth,
+    };
+  }
+  return { valid: true, depth };
+}
+/**
+ * Validate query string length and parameters
+ */
+export function validateQueryString(options) {
+  const {
+    queryString,
+    maxLength = REQUEST_LIMITS.MAX_QUERY_LENGTH,
+    maxParams = REQUEST_LIMITS.MAX_PARAMS,
+    allowDuplicates = true,
+  } = options;
+  if (!queryString) {
+    return { valid: true };
+  }
+  // Check length
+  if (queryString.length > maxLength) {
+    return {
+      valid: false,
+      error: `query string length ${queryString.length} exceeds maximum of ${maxLength}`,
+    };
+  }
+  // Parse parameters
+  const params = queryString.split('&').filter((p) => p.length > 0);
+  // Check parameter count
+  if (params.length > maxParams) {
+    return {
+      valid: false,
+      error: `Query string has ${params.length} parameters, exceeds maximum of ${maxParams}`,
+    };
+  }
+  // Check for duplicates
+  if (!allowDuplicates) {
+    const names = params.map((p) => p.split('=')[0]);
+    const uniqueNames = new Set(names);
+    if (uniqueNames.size !== names.length) {
+      return {
+        valid: false,
+        error: 'Query string contains duplicate parameter names',
+      };
+    }
+  }
+  return { valid: true };
+}
+/**
+ * Validate headers size and format
+ */
+export function validateHeaders(options) {
+  const {
+    headers,
+    maxSize = REQUEST_LIMITS.MAX_HEADER_SIZE,
+    maxHeaderSize,
+    validateNames = false,
+  } = options;
+  // Calculate total headers size
+  let totalSize = 0;
+  for (const [name, value] of Object.entries(headers)) {
+    const headerSize = name.length + String(value).length;
+    totalSize += headerSize;
+    // Check individual header size
+    if (maxHeaderSize && headerSize > maxHeaderSize) {
+      return {
+        valid: false,
+        error: `Header '${name}' size ${headerSize} exceeds maximum of ${maxHeaderSize}`,
+      };
+    }
+    // Validate header name format (RFC 7230)
+    if (validateNames) {
+      const validHeaderName = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
+      if (!validHeaderName.test(name)) {
+        return {
+          valid: false,
+          error: `Header name '${name}' contains invalid characters`,
+        };
+      }
+    }
+  }
+  if (totalSize > maxSize) {
+    return {
+      valid: false,
+      error: `Total header size ${totalSize} exceeds maximum of ${maxSize}`,
+    };
+  }
+  return { valid: true };
+}
+/**
+ * Validate path for security issues
+ */
+export function validatePath(options) {
+  const { path, allowedPaths } = options;
+  // Decode the path to catch encoded attacks
+  let decodedPath;
+  try {
+    // Double decode to catch double-encoding attacks
+    decodedPath = decodeURIComponent(decodeURIComponent(path));
+  } catch {
+    // If decoding fails, use single decode or original
+    try {
+      decodedPath = decodeURIComponent(path);
+    } catch {
+      decodedPath = path;
+    }
+  }
+  // Check for null bytes
+  if (path.includes('%00') || path.includes('\0') || decodedPath.includes('\0')) {
+    return {
+      valid: false,
+      error: 'Path contains null byte injection attempt',
+    };
+  }
+  // Check for path traversal
+  if (
+    decodedPath.includes('..') ||
+    decodedPath.includes('..\\') ||
+    path.includes('%2e%2e') ||
+    path.includes('%252e')
+  ) {
+    return {
+      valid: false,
+      error: 'Path contains traversal attempt',
+    };
+  }
+  // Check against allowed paths
+  if (allowedPaths && allowedPaths.length > 0) {
+    const isAllowed = allowedPaths.some((allowed) => {
+      if (allowed.endsWith('/*')) {
+        const prefix = allowed.slice(0, -1);
+        return path.startsWith(prefix);
+      }
+      return path === allowed || path.startsWith(allowed + '/');
+    });
+    if (!isAllowed) {
+      return {
+        valid: false,
+        error: `Path '${path}' is not in allowed paths`,
+      };
+    }
+  }
+  return { valid: true };
+}
+/**
+ * Create a request validator instance
+ */
+export function createRequestValidator(config = {}) {
+  const {
+    maxBodySize = REQUEST_LIMITS.MAX_BODY_SIZE,
+    maxJsonDepth = REQUEST_LIMITS.MAX_JSON_DEPTH,
+    allowedContentTypes = ['application/json'],
+    allowedPaths,
+  } = config;
+  return {
+    validate(request) {
+      const errors = [];
+      // Validate size
+      const sizeResult = validateRequestSize({
+        contentLength: request.contentLength,
+        maxSize: maxBodySize,
+      });
+      if (!sizeResult.valid) {
+        errors.push(sizeResult.error);
+      }
+      // Validate content type
+      if (request.contentType) {
+        const contentTypeResult = validateContentType({
+          contentType: request.contentType,
+          allowedTypes: allowedContentTypes,
+        });
+        if (!contentTypeResult.valid) {
+          errors.push(contentTypeResult.error);
+        }
+      }
+      // Validate path
+      if (request.path) {
+        const pathResult = validatePath({
+          path: request.path,
+          allowedPaths,
+        });
+        if (!pathResult.valid) {
+          errors.push(pathResult.error);
+        }
+      }
+      // Validate JSON depth
+      if (request.body && typeof request.body === 'object') {
+        const jsonResult = validateJsonDepth({
+          json: request.body,
+          maxDepth: maxJsonDepth,
+        });
+        if (!jsonResult.valid) {
+          errors.push(jsonResult.error);
+        }
+      }
+      return {
+        valid: errors.length === 0,
+        errors,
+      };
+    },
+    validateSize(options) {
+      return validateRequestSize({ ...options, maxSize: maxBodySize });
+    },
+    validateContentType(options) {
+      return validateContentType({ ...options, allowedTypes: allowedContentTypes });
+    },
+    validateJson(json) {
+      return validateJsonDepth({ json, maxDepth: maxJsonDepth });
+    },
+    validatePath(path) {
+      return validatePath({ path, allowedPaths });
+    },
+  };
+}

package/server/lib/network/request-validator.test.js ADDED Viewed

@@ -0,0 +1,345 @@
+/**
+ * Request Validator Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  validateRequestSize,
+  validateContentType,
+  validateJsonDepth,
+  validateQueryString,
+  validateHeaders,
+  validatePath,
+  REQUEST_LIMITS,
+  createRequestValidator,
+} from './request-validator.js';
+describe('request-validator', () => {
+  describe('REQUEST_LIMITS', () => {
+    it('defines default limits', () => {
+      expect(REQUEST_LIMITS.MAX_BODY_SIZE).toBeDefined();
+      expect(REQUEST_LIMITS.MAX_JSON_DEPTH).toBeDefined();
+      expect(REQUEST_LIMITS.MAX_QUERY_LENGTH).toBeDefined();
+      expect(REQUEST_LIMITS.MAX_HEADER_SIZE).toBeDefined();
+    });
+  });
+  describe('validateRequestSize', () => {
+    it('accepts requests under limit', () => {
+      const result = validateRequestSize({
+        contentLength: 1000,
+        maxSize: 10000,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('rejects oversized requests', () => {
+      const result = validateRequestSize({
+        contentLength: 20000,
+        maxSize: 10000,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('size');
+    });
+    it('uses default limit when not specified', () => {
+      const result = validateRequestSize({
+        contentLength: 1000,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('handles missing content-length', () => {
+      const result = validateRequestSize({
+        maxSize: 10000,
+      });
+      expect(result.valid).toBe(true);
+      expect(result.warning).toContain('Content-Length');
+    });
+  });
+  describe('validateContentType', () => {
+    it('accepts valid JSON content type', () => {
+      const result = validateContentType({
+        contentType: 'application/json',
+        allowedTypes: ['application/json'],
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('accepts content type with charset', () => {
+      const result = validateContentType({
+        contentType: 'application/json; charset=utf-8',
+        allowedTypes: ['application/json'],
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('rejects invalid content type', () => {
+      const result = validateContentType({
+        contentType: 'text/plain',
+        allowedTypes: ['application/json'],
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Content-Type');
+    });
+    it('supports multiple allowed types', () => {
+      const result = validateContentType({
+        contentType: 'application/xml',
+        allowedTypes: ['application/json', 'application/xml'],
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('handles wildcard types', () => {
+      const result = validateContentType({
+        contentType: 'image/png',
+        allowedTypes: ['image/*'],
+      });
+      expect(result.valid).toBe(true);
+    });
+  });
+  describe('validateJsonDepth', () => {
+    it('accepts JSON within depth limit', () => {
+      const json = { a: { b: { c: 'value' } } };
+      const result = validateJsonDepth({
+        json,
+        maxDepth: 5,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('rejects deeply nested JSON', () => {
+      const json = { a: { b: { c: { d: { e: { f: 'value' } } } } } };
+      const result = validateJsonDepth({
+        json,
+        maxDepth: 3,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('depth');
+    });
+    it('handles arrays in depth calculation', () => {
+      const json = { a: [{ b: [{ c: 'value' }] }] };
+      const result = validateJsonDepth({
+        json,
+        maxDepth: 5,
+      });
+      expect(result.valid).toBe(true);
+      expect(result.depth).toBe(5);
+    });
+    it('returns actual depth', () => {
+      const json = { a: { b: 'value' } };
+      const result = validateJsonDepth({
+        json,
+        maxDepth: 10,
+      });
+      expect(result.depth).toBe(2);
+    });
+  });
+  describe('validateQueryString', () => {
+    it('accepts query string under length limit', () => {
+      const result = validateQueryString({
+        queryString: 'foo=bar&baz=qux',
+        maxLength: 1000,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('rejects query string over length limit', () => {
+      const result = validateQueryString({
+        queryString: 'a'.repeat(2000),
+        maxLength: 1000,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('query');
+    });
+    it('limits parameter count', () => {
+      const params = Array.from({ length: 200 }, (_, i) => `p${i}=v${i}`).join('&');
+      const result = validateQueryString({
+        queryString: params,
+        maxParams: 100,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('parameters');
+    });
+    it('detects duplicate parameters', () => {
+      const result = validateQueryString({
+        queryString: 'foo=bar&foo=baz',
+        allowDuplicates: false,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('duplicate');
+    });
+  });
+  describe('validateHeaders', () => {
+    it('accepts headers under size limit', () => {
+      const result = validateHeaders({
+        headers: {
+          'Content-Type': 'application/json',
+          'Authorization': 'Bearer token123',
+        },
+        maxSize: 8000,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('rejects headers over size limit', () => {
+      const result = validateHeaders({
+        headers: {
+          'X-Large-Header': 'a'.repeat(10000),
+        },
+        maxSize: 8000,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('header');
+    });
+    it('limits individual header size', () => {
+      const result = validateHeaders({
+        headers: {
+          'X-Large-Header': 'a'.repeat(5000),
+        },
+        maxHeaderSize: 4000,
+      });
+      expect(result.valid).toBe(false);
+    });
+    it('validates header name format', () => {
+      const result = validateHeaders({
+        headers: {
+          'Invalid Header Name': 'value',
+        },
+        validateNames: true,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('invalid');
+    });
+  });
+  describe('validatePath', () => {
+    it('accepts valid paths', () => {
+      const result = validatePath({
+        path: '/api/users/123',
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('blocks path traversal attempts', () => {
+      const result = validatePath({
+        path: '/api/files/../../../etc/passwd',
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('traversal');
+    });
+    it('blocks encoded path traversal', () => {
+      const result = validatePath({
+        path: '/api/files/%2e%2e%2f%2e%2e%2fetc/passwd',
+      });
+      expect(result.valid).toBe(false);
+    });
+    it('blocks double-encoded traversal', () => {
+      const result = validatePath({
+        path: '/api/files/%252e%252e%252f',
+      });
+      expect(result.valid).toBe(false);
+    });
+    it('blocks null bytes', () => {
+      const result = validatePath({
+        path: '/api/files/test%00.txt',
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('null');
+    });
+    it('validates against allowed paths', () => {
+      const result = validatePath({
+        path: '/admin/secret',
+        allowedPaths: ['/api/*', '/public/*'],
+      });
+      expect(result.valid).toBe(false);
+    });
+  });
+  describe('createRequestValidator', () => {
+    it('creates validator with methods', () => {
+      const validator = createRequestValidator();
+      expect(validator.validate).toBeDefined();
+      expect(validator.validateSize).toBeDefined();
+      expect(validator.validateContentType).toBeDefined();
+      expect(validator.validateJson).toBeDefined();
+      expect(validator.validatePath).toBeDefined();
+    });
+    it('validates full request', () => {
+      const validator = createRequestValidator({
+        maxBodySize: 10000,
+        maxJsonDepth: 5,
+        allowedContentTypes: ['application/json'],
+      });
+      const result = validator.validate({
+        contentLength: 1000,
+        contentType: 'application/json',
+        path: '/api/users',
+        body: { name: 'test' },
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('returns all validation errors', () => {
+      const validator = createRequestValidator({
+        maxBodySize: 100,
+        maxJsonDepth: 2,
+      });
+      const result = validator.validate({
+        contentLength: 10000,
+        contentType: 'application/json',
+        path: '/api/../etc/passwd',
+        body: { a: { b: { c: { d: 'value' } } } },
+      });
+      expect(result.valid).toBe(false);
+      expect(result.errors.length).toBeGreaterThan(1);
+    });
+  });
+});