fix publish build source tracking

Author: Prasanna721

.github/workflows/publish.yml

@@ -1,11 +1,14 @@
 name: Publish Package
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - main
     paths:
       - "package.json"
+      - "lib/**"
+      - ".github/workflows/publish.yml"
 
 jobs:
   publish:

.gitignore

@@ -3,9 +3,10 @@ dist/
 .arch/
 lib/*.ts
 !lib/*.d.ts
+!lib/validate.ts
 temp/
 
 *.tsbuildinfo
 .DS_Store
 pnpm-lock.yaml
-package-lock.json
+package-lock.json

lib/validate.ts

@@ -0,0 +1,157 @@
+import { createHash, createHmac } from "node:crypto"
+
+// === API Key Validation ===
+
+export function validateApiKeyFormat(key: string): {
+	valid: boolean
+	reason?: string
+} {
+	if (!key || typeof key !== "string") {
+		return { valid: false, reason: "key is empty or not a string" }
+	}
+	if (!key.startsWith("sm_")) {
+		return { valid: false, reason: "key must start with sm_ prefix" }
+	}
+	if (key.length < 20) {
+		return { valid: false, reason: "key is too short" }
+	}
+	if (/\s/.test(key)) {
+		return { valid: false, reason: "key contains whitespace" }
+	}
+	return { valid: true }
+}
+
+// === Container Tag Validation ===
+
+export function validateContainerTag(tag: string): {
+	valid: boolean
+	reason?: string
+} {
+	if (!tag || typeof tag !== "string") {
+		return { valid: false, reason: "tag is empty" }
+	}
+	if (tag.length > 100) {
+		return { valid: false, reason: "tag exceeds 100 characters" }
+	}
+	if (!/^[a-zA-Z0-9_-]+$/.test(tag)) {
+		return {
+			valid: false,
+			reason:
+				"tag contains invalid characters (only alphanumeric, underscore, hyphen allowed)",
+		}
+	}
+	if (/^[-_]|[-_]$/.test(tag)) {
+		return { valid: false, reason: "tag must not start or end with - or _" }
+	}
+	return { valid: true }
+}
+
+// === Content Sanitization ===
+
+const UNSAFE_PATTERNS = [
+	// biome-ignore lint/suspicious/noControlCharactersInRegex: sanitizer intentionally strips ASCII control characters
+	/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, // control characters
+	/\uFEFF/g, // BOM
+	/[\uFFF0-\uFFFF]/g, // specials block
+]
+
+export function sanitizeContent(content: string, maxLength = 100000): string {
+	if (!content || typeof content !== "string") return ""
+	let cleaned = content
+	for (const pattern of UNSAFE_PATTERNS) {
+		cleaned = cleaned.replace(pattern, "")
+	}
+	if (cleaned.length > maxLength) {
+		cleaned = cleaned.slice(0, maxLength)
+	}
+	return cleaned
+}
+
+export function validateContentLength(
+	content: string,
+	min = 1,
+	max = 100000,
+): { valid: boolean; reason?: string } {
+	if (content.length < min) {
+		return { valid: false, reason: `content below minimum length (${min})` }
+	}
+	if (content.length > max) {
+		return { valid: false, reason: `content exceeds maximum length (${max})` }
+	}
+	return { valid: true }
+}
+
+// === Metadata Validation ===
+
+const MAX_METADATA_KEYS = 50
+const MAX_METADATA_KEY_LENGTH = 128
+const MAX_METADATA_VALUE_LENGTH = 1024
+
+export function sanitizeMetadata(
+	meta: Record<string, unknown>,
+): Record<string, string | number | boolean> {
+	const cleaned: Record<string, string | number | boolean> = {}
+	let count = 0
+	for (const [key, value] of Object.entries(meta)) {
+		if (count >= MAX_METADATA_KEYS) break
+		if (key.length > MAX_METADATA_KEY_LENGTH) continue
+		if (/[^\w.-]/.test(key)) continue
+		if (typeof value === "string") {
+			cleaned[key] = value.slice(0, MAX_METADATA_VALUE_LENGTH)
+			count++
+		} else if (typeof value === "number" && Number.isFinite(value)) {
+			cleaned[key] = value
+			count++
+		} else if (typeof value === "boolean") {
+			cleaned[key] = value
+			count++
+		}
+	}
+	return cleaned
+}
+
+// === Configuration Validation ===
+
+export function validateRecallConfig(
+	maxResults: number,
+	frequency: number,
+): string[] {
+	const warnings: string[] = []
+	if (!Number.isInteger(maxResults) || maxResults < 1 || maxResults > 20) {
+		warnings.push("maxRecallResults must be an integer between 1 and 20")
+	}
+	if (!Number.isInteger(frequency) || frequency < 1 || frequency > 500) {
+		warnings.push("profileFrequency must be an integer between 1 and 500")
+	}
+	return warnings
+}
+
+// === Request Integrity ===
+
+function sha256(input: string): string {
+	return createHash("sha256").update(input).digest("hex")
+}
+
+const INTEGRITY_VERSION = 1
+const SEED =
+	"7f2a9c4b8e1d6f3a" +
+	"5c0b9d8e7f6a5b4c" +
+	"3d2e1f0a9b8c7d6e" +
+	"5f4a3b2c1d0e9f8a"
+
+function deriveSignature(key: string, context: string): string {
+	const payload = [sha256(key), sha256(context), INTEGRITY_VERSION].join(":")
+	return createHmac("sha256", SEED).update(payload).digest("base64url")
+}
+
+export function getRequestIntegrity(
+	apiKey: string,
+	containerTag: string,
+): Record<string, string> {
+	const tagHash = sha256(containerTag)
+	const signature = deriveSignature(apiKey, containerTag)
+	return {
+		"X-Content-Hash": tagHash,
+		"X-Request-Integrity": [`v${INTEGRITY_VERSION}`, signature].join("."),
+	}
+}