wu-framework 1.1.16 → 1.1.17

package/src/core/wu-loader.js

@@ -1,68 +1,177 @@
 /**
- * 🚀 WU-LOADER: SISTEMA DE CARGA DINÁMICA UNIVERSAL
+ * WU-LOADER: SISTEMA DE CARGA DINAMICA UNIVERSAL
  * Carga aplicaciones y componentes sin depender del framework
+ *
+ * Cache strategy: LRU with TTL eviction.
+ * Entries track lastAccess time. When the cache reaches maxCacheSize,
+ * the least recently accessed entry is evicted. Entries older than
+ * cacheTTL are treated as stale and removed on access or eviction.
  */
 
 import { logger } from './wu-logger.js';
 
+/**
+ * @typedef {Object} WuLoaderOptions
+ * @property {number} [maxCacheSize=50] - Maximum cache entries
+ * @property {number} [cacheTTL=1800000] - Cache TTL in ms (default 30min)
+ */
+
+/**
+ * @typedef {Object} WuLoaderStats
+ * @property {number} cached - Number of cached entries
+ * @property {number} loading - Number of in-flight loads
+ * @property {number} maxCacheSize - Max cache size setting
+ * @property {number} cacheTTL - Cache TTL setting
+ * @property {string[]} cacheKeys - Cached URL keys
+ */
+
 export class WuLoader {
-  constructor() {
+  /**
+   * @param {Object} options
+   * @param {number} [options.maxCacheSize=50] - Maximum number of entries in the cache
+   * @param {number} [options.cacheTTL=1800000] - Time-to-live for cache entries in ms (default 30 minutes)
+   */
+  constructor(options = {}) {
+    this.maxCacheSize = options.maxCacheSize ?? 50;
+    this.cacheTTL = options.cacheTTL ?? 1800000;
     this.cache = new Map();
     this.loadingPromises = new Map();
 
-    logger.debug('[WuLoader] 📦 Dynamic loader initialized');
+    logger.debug('[WuLoader] Dynamic loader initialized');
+  }
+
+  /**
+   * Read from cache with TTL validation and LRU access tracking.
+   * Returns undefined if the entry does not exist or has expired.
+   * @param {string} key
+   * @returns {string|undefined}
+   */
+  _cacheGet(key) {
+    if (!this.cache.has(key)) {
+      return undefined;
+    }
+
+    const entry = this.cache.get(key);
+    const now = Date.now();
+
+    if (now - entry.timestamp > this.cacheTTL) {
+      this.cache.delete(key);
+      logger.debug(`[WuLoader] Cache expired for: ${key}`);
+      return undefined;
+    }
+
+    // Promote: delete and re-insert so iteration order reflects recency.
+    // Map iteration order in JS follows insertion order, so the oldest
+    // inserted entry is always first -- exactly what we need for LRU eviction.
+    this.cache.delete(key);
+    entry.lastAccess = now;
+    this.cache.set(key, entry);
+
+    return entry.code;
+  }
+
+  /**
+   * Write to cache. Evicts stale and LRU entries before inserting.
+   * @param {string} key
+   * @param {string} code
+   */
+  _cacheSet(key, code) {
+    // If the key already exists, remove it first so re-insertion
+    // moves it to the end (most-recently-used position).
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    }
+
+    this._evictIfNeeded();
+
+    const now = Date.now();
+    this.cache.set(key, {
+      code,
+      timestamp: now,
+      lastAccess: now
+    });
+  }
+
+  /**
+   * Evict entries until cache is below maxCacheSize.
+   *
+   * Two-pass strategy:
+   *   1. Remove all expired entries (TTL exceeded).
+   *   2. If still at capacity, remove the least recently accessed entry.
+   *      Because Map preserves insertion order and _cacheGet promotes on
+   *      access, the first key from the iterator is always the LRU entry.
+   */
+  _evictIfNeeded() {
+    const now = Date.now();
+
+    // Pass 1: purge expired entries
+    for (const [key, entry] of this.cache) {
+      if (now - entry.timestamp > this.cacheTTL) {
+        this.cache.delete(key);
+        logger.debug(`[WuLoader] Evicted expired entry: ${key}`);
+      }
+    }
+
+    // Pass 2: evict LRU entries until we are under the limit
+    while (this.cache.size >= this.maxCacheSize) {
+      // Map.keys().next() gives us the oldest-inserted key (LRU)
+      const oldestKey = this.cache.keys().next().value;
+      this.cache.delete(oldestKey);
+      logger.debug(`[WuLoader] Evicted LRU entry: ${oldestKey}`);
+    }
   }
 
   /**
-   * Cargar aplicación completa
-   * @param {string} appUrl - URL base de la aplicación
-   * @param {Object} manifest - Manifest de la aplicación
-   * @returns {string} Código JavaScript de la aplicación
+   * Cargar aplicacion completa
+   * @param {string} appUrl - URL base de la aplicacion
+   * @param {Object} manifest - Manifest de la aplicacion
+   * @returns {string} Codigo JavaScript de la aplicacion
    */
   async loadApp(appUrl, manifest) {
     const entryFile = manifest?.entry || 'index.js';
     const fullUrl = `${appUrl}/${entryFile}`;
 
-    logger.debug(`[WuLoader] 📥 Loading app from: ${fullUrl}`);
+    logger.debug(`[WuLoader] Loading app from: ${fullUrl}`);
 
     try {
-      // Verificar cache
-      if (this.cache.has(fullUrl)) {
-        logger.debug(`[WuLoader] ⚡ Cache hit for: ${fullUrl}`);
-        return this.cache.get(fullUrl);
+      // Check cache with TTL and LRU tracking
+      const cached = this._cacheGet(fullUrl);
+      if (cached !== undefined) {
+        logger.debug(`[WuLoader] Cache hit for: ${fullUrl}`);
+        return cached;
       }
 
-      // Verificar si ya está cargando
+      // Check if already loading
       if (this.loadingPromises.has(fullUrl)) {
-        logger.debug(`[WuLoader] ⏳ Loading in progress for: ${fullUrl}`);
+        logger.debug(`[WuLoader] Loading in progress for: ${fullUrl}`);
         return await this.loadingPromises.get(fullUrl);
       }
 
-      // Crear promesa de carga
+      // Create loading promise
       const loadingPromise = this.fetchCode(fullUrl);
       this.loadingPromises.set(fullUrl, loadingPromise);
 
       const code = await loadingPromise;
 
-      // Limpiar promesa de carga y cachear resultado
+      // Clean up loading promise and cache result
       this.loadingPromises.delete(fullUrl);
-      this.cache.set(fullUrl, code);
+      this._cacheSet(fullUrl, code);
 
-      logger.debug(`[WuLoader] ✅ App loaded successfully: ${fullUrl}`);
+      logger.debug(`[WuLoader] App loaded successfully: ${fullUrl}`);
       return code;
 
     } catch (error) {
       this.loadingPromises.delete(fullUrl);
-      console.error(`[WuLoader] ❌ Failed to load app: ${fullUrl}`, error);
+      console.error(`[WuLoader] Failed to load app: ${fullUrl}`, error);
       throw new Error(`Failed to load app from ${fullUrl}: ${error.message}`);
     }
   }
 
   /**
-   * Cargar componente específico
-   * @param {string} appUrl - URL base de la aplicación
+   * Cargar componente especifico
+   * @param {string} appUrl - URL base de la aplicacion
    * @param {string} componentPath - Ruta del componente
-   * @returns {Function} Función del componente
+   * @returns {Function} Funcion del componente
    */
   async loadComponent(appUrl, componentPath) {
     // Normalizar ruta del componente
@@ -76,13 +185,13 @@ export class WuLoader {
 
     const fullUrl = `${appUrl}/${normalizedPath}`;
 
-    logger.debug(`[WuLoader] 🧩 Loading component from: ${fullUrl}`);
+    logger.debug(`[WuLoader] Loading component from: ${fullUrl}`);
 
     try {
-      // Cargar código del componente
+      // Cargar codigo del componente
       const code = await this.loadCode(fullUrl);
 
-      // Crear función que retorna el componente
+      // Crear funcion que retorna el componente
       const componentFunction = new Function('require', 'module', 'exports', `
         ${code}
         return typeof module.exports === 'function' ? module.exports :
@@ -99,39 +208,40 @@ export class WuLoader {
 
       const component = componentFunction(fakeRequire, fakeModule, fakeModule.exports);
 
-      logger.debug(`[WuLoader] ✅ Component loaded: ${componentPath}`);
+      logger.debug(`[WuLoader] Component loaded: ${componentPath}`);
       return component;
 
     } catch (error) {
-      console.error(`[WuLoader] ❌ Failed to load component: ${componentPath}`, error);
+      console.error(`[WuLoader] Failed to load component: ${componentPath}`, error);
       throw new Error(`Failed to load component ${componentPath}: ${error.message}`);
     }
   }
 
   /**
-   * Cargar código con cache
+   * Cargar codigo con cache
    * @param {string} url - URL del archivo
-   * @returns {string} Código JavaScript
+   * @returns {string} Codigo JavaScript
    */
   async loadCode(url) {
-    // Verificar cache
-    if (this.cache.has(url)) {
-      return this.cache.get(url);
+    // Check cache with TTL and LRU tracking
+    const cached = this._cacheGet(url);
+    if (cached !== undefined) {
+      return cached;
     }
 
-    // Verificar si ya está cargando
+    // Check if already loading
     if (this.loadingPromises.has(url)) {
       return await this.loadingPromises.get(url);
     }
 
-    // Crear promesa de carga
+    // Create loading promise
     const loadingPromise = this.fetchCode(url);
     this.loadingPromises.set(url, loadingPromise);
 
     try {
       const code = await loadingPromise;
       this.loadingPromises.delete(url);
-      this.cache.set(url, code);
+      this._cacheSet(url, code);
       return code;
     } catch (error) {
       this.loadingPromises.delete(url);
@@ -140,9 +250,9 @@ export class WuLoader {
   }
 
   /**
-   * Realizar fetch del código
+   * Realizar fetch del codigo
    * @param {string} url - URL del archivo
-   * @returns {string} Código JavaScript
+   * @returns {string} Codigo JavaScript
    */
   async fetchCode(url) {
     const response = await fetch(url, {
@@ -170,25 +280,25 @@ export class WuLoader {
    * @param {Array} appConfigs - Configuraciones de aplicaciones
    */
   async preload(appConfigs) {
-    logger.debug(`[WuLoader] 🚀 Preloading ${appConfigs.length} apps...`);
+    logger.debug(`[WuLoader] Preloading ${appConfigs.length} apps...`);
 
     const preloadPromises = appConfigs.map(async (config) => {
       try {
         await this.loadApp(config.url, config.manifest);
-        logger.debug(`[WuLoader] ✅ Preloaded: ${config.name}`);
+        logger.debug(`[WuLoader] Preloaded: ${config.name}`);
       } catch (error) {
-        logger.warn(`[WuLoader] ⚠️ Failed to preload ${config.name}:`, error.message);
+        logger.warn(`[WuLoader] Failed to preload ${config.name}:`, error.message);
       }
     });
 
     await Promise.allSettled(preloadPromises);
-    logger.debug(`[WuLoader] 🎉 Preload completed`);
+    logger.debug(`[WuLoader] Preload completed`);
   }
 
   /**
-   * Verificar si una URL está disponible
+   * Verificar si una URL esta disponible
    * @param {string} url - URL a verificar
-   * @returns {boolean} True si está disponible
+   * @returns {boolean} True si esta disponible
    */
   async isAvailable(url) {
     try {
@@ -232,9 +342,9 @@ export class WuLoader {
       try {
         const component = await this.loadComponent(app.url, exportPath);
         resolved.set(importPath, component);
-        logger.debug(`[WuLoader] ✅ Resolved dependency: ${importPath}`);
+        logger.debug(`[WuLoader] Resolved dependency: ${importPath}`);
       } catch (error) {
-        console.error(`[WuLoader] ❌ Failed to resolve: ${importPath}`, error);
+        console.error(`[WuLoader] Failed to resolve: ${importPath}`, error);
       }
     }
 
@@ -243,7 +353,7 @@ export class WuLoader {
 
   /**
    * Limpiar cache
-   * @param {string} pattern - Patrón opcional para limpiar URLs específicas
+   * @param {string} pattern - Patron opcional para limpiar URLs especificas
    */
   clearCache(pattern) {
     if (pattern) {
@@ -251,23 +361,25 @@ export class WuLoader {
       for (const [url] of this.cache) {
         if (regex.test(url)) {
           this.cache.delete(url);
-          logger.debug(`[WuLoader] 🗑️ Cleared cache for: ${url}`);
+          logger.debug(`[WuLoader] Cleared cache for: ${url}`);
         }
       }
     } else {
       this.cache.clear();
-      logger.debug(`[WuLoader] 🗑️ Cache cleared completely`);
+      logger.debug(`[WuLoader] Cache cleared completely`);
     }
   }
 
   /**
-   * Obtener estadísticas del loader
+   * Obtener estadisticas del loader
    */
   getStats() {
     return {
       cached: this.cache.size,
+      maxCacheSize: this.maxCacheSize,
+      cacheTTL: this.cacheTTL,
       loading: this.loadingPromises.size,
       cacheKeys: Array.from(this.cache.keys())
     };
   }
-}
+}

package/src/core/wu-logger.js

@@ -23,19 +23,27 @@ export class WuLogger {
    * Detectar si estamos en desarrollo
    */
   detectEnvironment() {
-    // Múltiples formas de detectar desarrollo
-    return (
-      // Vite development
-      window.location.hostname === 'localhost' ||
-      window.location.hostname === '127.0.0.1' ||
-      window.location.port !== '' ||
-      // NODE_ENV si está disponible
-      (typeof process !== 'undefined' && process.env?.NODE_ENV === 'development') ||
-      // URL params para forzar debug
-      new URLSearchParams(window.location.search).has('wu-debug') ||
-      // Manual override
-      window.WU_DEBUG === true
-    );
+    // 1. Explicit flag takes priority
+    if (typeof window !== 'undefined' && window.WU_DEBUG === true) return true;
+    if (typeof window !== 'undefined' && window.WU_DEBUG === false) return false;
+
+    // 2. NODE_ENV check (works in bundlers and Node)
+    if (typeof process !== 'undefined' && process.env?.NODE_ENV === 'production') return false;
+    if (typeof process !== 'undefined' && process.env?.NODE_ENV === 'development') return true;
+
+    // 3. Browser heuristics (only if window exists)
+    if (typeof window !== 'undefined' && window.location) {
+      const hostname = window.location.hostname;
+      if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '[::1]') return true;
+
+      // URL param override
+      try {
+        if (new URLSearchParams(window.location.search).has('wu-debug')) return true;
+      } catch {}
+    }
+
+    // 4. Default: assume production
+    return false;
   }
 
   /**

package/src/core/wu-manifest.js

@@ -302,6 +302,29 @@ export class WuManifest {
       }
     }
 
+    // Validate optional fields
+    if (manifest.styleMode !== undefined) {
+      const validModes = ['shared', 'isolated', 'fully-isolated'];
+      if (!validModes.includes(manifest.styleMode)) {
+        logger.warn(`[WuManifest] Invalid styleMode "${manifest.styleMode}", defaulting to "shared". Valid: ${validModes.join(', ')}`);
+        manifest.styleMode = 'shared';
+      }
+    }
+
+    if (manifest.version !== undefined && typeof manifest.version !== 'string') {
+      logger.warn('[WuManifest] version must be a string, ignoring');
+      delete manifest.version;
+    }
+
+    if (manifest.folder !== undefined) {
+      if (typeof manifest.folder !== 'string') {
+        logger.warn('[WuManifest] folder must be a string, ignoring');
+        delete manifest.folder;
+      } else if (this._hasDangerousPatterns(manifest.folder)) {
+        throw new Error('folder contains dangerous patterns');
+      }
+    }
+
     // Normalizar y limpiar manifest
     return this.normalize(manifest);
   }

package/src/core/wu-plugin.js

@@ -11,7 +11,7 @@ import { logger } from './wu-logger.js';
 
 
 export class WuPluginSystem {
-  constructor(core) {
+  constructor(core, options = {}) {
     this._core = core; // Privado - no expuesto a plugins
     this.plugins = new Map();
     this.hooks = new Map();
@@ -35,7 +35,7 @@ export class WuPluginSystem {
     ];
 
     // 🔐 Timeout para hooks (evita que plugins bloqueen)
-    this.hookTimeout = 5000; // 5 segundos
+    this.hookTimeout = options.hookTimeout || 5000; // Default: 5 segundos
 
     this.availableHooks.forEach(hook => {
       this.hooks.set(hook, []);
@@ -106,8 +106,61 @@ export class WuPluginSystem {
       logger.warn('[WuPlugin] ⚠️ Plugin has unsafe access to core!');
     }
 
-    // Congelar API para evitar modificaciones
-    return Object.freeze(api);
+    // Congelar API recursivamente para evitar modificaciones en cualquier nivel
+    return WuPluginSystem._deepFreeze(api);
+  }
+
+  /**
+   * Deep-freeze an object and all its nested plain objects and arrays.
+   * Functions, DOM nodes, and other non-plain types are left untouched
+   * so they remain callable / functional. A WeakSet guards against
+   * circular references.
+   *
+   * @param {*} obj - The value to deep-freeze
+   * @param {WeakSet} [seen] - Internal tracker for circular references
+   * @returns {*} The same object, now deeply frozen
+   */
+  static _deepFreeze(obj, seen) {
+    if (obj === null || obj === undefined) {
+      return obj;
+    }
+
+    // Only freeze plain objects and arrays.
+    // Functions must stay invocable; DOM nodes, class instances, etc.
+    // should not be tampered with.
+    const dominated = typeof obj === 'object';
+    if (!dominated) {
+      return obj;
+    }
+
+    const isPlainObject =
+      Object.getPrototypeOf(obj) === Object.prototype ||
+      Object.getPrototypeOf(obj) === null;
+    const isArray = Array.isArray(obj);
+
+    if (!isPlainObject && !isArray) {
+      return obj;
+    }
+
+    // Circular-reference guard
+    if (!seen) {
+      seen = new WeakSet();
+    }
+    if (seen.has(obj)) {
+      return obj;
+    }
+    seen.add(obj);
+
+    // Recurse into own enumerable properties
+    const keys = Object.keys(obj);
+    for (let i = 0; i < keys.length; i++) {
+      const value = obj[keys[i]];
+      if (value !== null && value !== undefined && typeof value === 'object') {
+        WuPluginSystem._deepFreeze(value, seen);
+      }
+    }
+
+    return Object.freeze(obj);
   }
 
   /**

package/src/core/wu-proxy-sandbox.js

@@ -13,8 +13,9 @@
 import { logger } from './wu-logger.js';
 
 export class WuProxySandbox {
-  constructor(appName) {
+  constructor(appName, options = {}) {
     this.appName = appName;
+    this.options = options;
     this.proxy = null;
     this.fakeWindow = Object.create(null);
     this.active = false;

package/src/core/wu-script-executor.js

@@ -15,6 +15,52 @@ import { logger } from './wu-logger.js';
 
 export class WuScriptExecutor {
 
+  /**
+   * Dangerous patterns that indicate prototype pollution, sandbox escape,
+   * or direct access to sensitive APIs. Each entry is a regex paired with
+   * a human-readable label used in error messages.
+   *
+   * This is a tripwire, not a full parser. It catches the most common
+   * attack vectors without the overhead of AST analysis.
+   */
+  static DANGEROUS_PATTERNS = [
+    // Prototype pollution vectors
+    { pattern: /constructor\s*\[\s*['"`]constructor['"`]\s*\]/, label: 'constructor chain access (sandbox escape)' },
+    { pattern: /__proto__/, label: '__proto__ access (prototype pollution)' },
+
+    // Sandbox escape via proxy introspection
+    { pattern: /Object\s*\.\s*getPrototypeOf\s*\(\s*proxy\s*\)/, label: 'Object.getPrototypeOf(proxy) (sandbox escape)' },
+
+    // Dynamic code generation that bypasses the sandbox
+    { pattern: /Function\s*\(\s*['"`]/, label: 'Function() constructor (dynamic code generation)' },
+    { pattern: /\beval\s*\(/, label: 'eval() (dynamic code execution)' },
+
+    // Dynamic import escapes the sandbox entirely (runs in global scope)
+    { pattern: /\bimport\s*\(/, label: 'import() (dynamic import escapes sandbox)' },
+
+    // Direct cookie access (should go through proxy traps, not raw document)
+    { pattern: /document\s*\.\s*cookie/, label: 'document.cookie (direct cookie access)' },
+  ];
+
+  /**
+   * Validate script text against known dangerous patterns before execution.
+   * Throws if any pattern matches. This is intentionally lightweight --
+   * pattern detection only, not a full parse.
+   *
+   * @param {string} scriptText - The raw script to validate
+   * @param {string} appName - App identifier (for error context)
+   * @throws {Error} If a dangerous pattern is detected
+   */
+  _validateScript(scriptText, appName) {
+    for (const { pattern, label } of WuScriptExecutor.DANGEROUS_PATTERNS) {
+      if (pattern.test(scriptText)) {
+        const msg = `[ScriptExecutor] Blocked dangerous pattern in "${appName}": ${label}`;
+        logger.wuError(msg);
+        throw new Error(msg);
+      }
+    }
+  }
+
   /**
    * Execute a script string inside the proxy sandbox.
    *
@@ -31,6 +77,8 @@ export class WuScriptExecutor {
 
     if (!scriptText || !scriptText.trim()) return;
 
+    this._validateScript(scriptText, appName);
+
     const sourceComment = sourceUrl ? `\n//# sourceURL=wu-sandbox:///${appName}/${sourceUrl}\n` : '';
 
     let wrappedCode;

package/src/core/wu-store.js

@@ -8,6 +8,15 @@
  * - API minimalista: get(), set(), on()
  */
 
+/**
+ * @typedef {Object} WuStoreMetrics
+ * @property {number} reads - Total read operations
+ * @property {number} writes - Total write operations
+ * @property {number} notifications - Total notifications sent
+ * @property {number} bufferUtilization - Ring buffer utilization (0-1)
+ * @property {number} listenerCount - Active listener count
+ */
+
 export class WuStore {
   constructor(bufferSize = 256) {
     // Ring Buffer configuration
@@ -63,8 +72,9 @@ export class WuStore {
   set(path, value) {
     this.metrics.writes++;
 
-    // Write to ring buffer (lock-free)
-    const sequence = this.cursor++;
+    // Write to ring buffer (lock-free, wraps at buffer boundary)
+    const sequence = this.cursor;
+    this.cursor = (this.cursor + 1) % (this.bufferSize * this.bufferSize);
     const index = sequence & this.mask;
 
     // Reuse buffer slot (zero allocation)
@@ -151,7 +161,7 @@ export class WuStore {
   getMetrics() {
     return {
       ...this.metrics,
-      bufferUtilization: (this.cursor % this.bufferSize) / this.bufferSize,
+      bufferUtilization: Math.min(1, this.cursor / this.bufferSize),
       listenerCount: this.listeners.size + this.patternListeners.size
     };
   }