@agentlensai/server 0.7.0 → 0.9.0

package/dist/lib/guardrails/engine.js

@@ -0,0 +1,122 @@
+/**
+ * Guardrail Evaluation Engine (v0.8.0 — Story 1.3)
+ *
+ * Subscribes to EventBus and evaluates guardrail rules asynchronously.
+ * Never blocks the event POST response.
+ */
+import { ulid } from 'ulid';
+import { GuardrailStore } from '../../db/guardrail-store.js';
+import { evaluateCondition } from './conditions.js';
+import { executeAction } from './actions.js';
+import { eventBus } from '../event-bus.js';
+export class GuardrailEngine {
+    store;
+    eventStore;
+    listener = null;
+    started = false;
+    constructor(eventStore, db) {
+        this.eventStore = eventStore;
+        this.store = new GuardrailStore(db);
+    }
+    start() {
+        if (this.started)
+            return;
+        this.listener = (busEvent) => {
+            if (busEvent.type === 'event_ingested') {
+                this.evaluateEvent(busEvent.event).catch((err) => {
+                    console.error('[guardrail-engine] evaluation error:', err instanceof Error ? err.message : err);
+                });
+            }
+        };
+        eventBus.on('event_ingested', this.listener);
+        this.started = true;
+    }
+    stop() {
+        if (this.listener) {
+            eventBus.off('event_ingested', this.listener);
+            this.listener = null;
+        }
+        this.started = false;
+    }
+    getStore() {
+        return this.store;
+    }
+    async evaluateEvent(event) {
+        const rules = this.store.listEnabledRules(event.tenantId, event.agentId);
+        if (rules.length === 0)
+            return;
+        for (const rule of rules) {
+            try {
+                await this.evaluateRule(rule, event);
+            }
+            catch (err) {
+                console.error(`[guardrail-engine] rule ${rule.id} error:`, err instanceof Error ? err.message : err);
+            }
+        }
+    }
+    async evaluateRule(rule, event) {
+        const now = new Date();
+        // 0. Check enabled (defense-in-depth — listEnabledRules already filters, but verify)
+        if (!rule.enabled)
+            return;
+        // 1. Check cooldown
+        if (this.isInCooldown(rule, now))
+            return;
+        // 2. Evaluate condition
+        const conditionResult = await evaluateCondition(this.eventStore, rule, event.agentId, event.sessionId);
+        // 3. Update state
+        const existingState = this.store.getState(rule.tenantId, rule.id);
+        const newState = {
+            ruleId: rule.id,
+            tenantId: rule.tenantId,
+            lastEvaluatedAt: now.toISOString(),
+            currentValue: conditionResult.currentValue,
+            triggerCount: existingState?.triggerCount ?? 0,
+            lastTriggeredAt: existingState?.lastTriggeredAt,
+        };
+        if (!conditionResult.triggered) {
+            this.store.upsertState(newState);
+            return;
+        }
+        // 4. Execute action (or dry-run)
+        let actionResult = 'dry_run';
+        let actionExecuted = false;
+        if (!rule.dryRun) {
+            const result = await executeAction(rule, conditionResult, event.agentId);
+            actionResult = result.result;
+            actionExecuted = result.success;
+        }
+        // 5. Record trigger history
+        this.store.insertTrigger({
+            id: ulid(),
+            ruleId: rule.id,
+            tenantId: rule.tenantId,
+            triggeredAt: now.toISOString(),
+            conditionValue: conditionResult.currentValue,
+            conditionThreshold: conditionResult.threshold,
+            actionExecuted,
+            actionResult,
+            metadata: {
+                agentId: event.agentId,
+                sessionId: event.sessionId,
+                eventId: event.id,
+                dryRun: rule.dryRun,
+                message: conditionResult.message,
+            },
+        });
+        // 6. Update state
+        newState.triggerCount = (existingState?.triggerCount ?? 0) + 1;
+        newState.lastTriggeredAt = now.toISOString();
+        this.store.upsertState(newState);
+    }
+    isInCooldown(rule, now) {
+        if (rule.cooldownMinutes <= 0)
+            return false;
+        const state = this.store.getState(rule.tenantId, rule.id);
+        if (!state?.lastTriggeredAt)
+            return false;
+        const lastTriggered = new Date(state.lastTriggeredAt);
+        return now.getTime() - lastTriggered.getTime() < rule.cooldownMinutes * 60 * 1000;
+    }
+}
+//# sourceMappingURL=engine.js.map

package/dist/lib/guardrails/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/lib/guardrails/engine.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAI5B,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAiB,MAAM,iBAAiB,CAAC;AAE1D,MAAM,OAAO,eAAe;IAClB,KAAK,CAAiB;IACtB,UAAU,CAAc;IACxB,QAAQ,GAAuC,IAAI,CAAC;IACpD,OAAO,GAAG,KAAK,CAAC;IAExB,YAAY,UAAuB,EAAE,EAAY;QAC/C,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,IAAI,cAAc,CAAC,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,KAAK;QACH,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QACzB,IAAI,CAAC,QAAQ,GAAG,CAAC,QAAkB,EAAE,EAAE;YACrC,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACvC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAC/C,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBAClG,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC;QACF,QAAQ,CAAC,EAAE,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;IACtB,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,QAAQ,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACvB,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;IACvB,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAqB;QACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACzE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,2BAA2B,IAAI,CAAC,EAAE,SAAS,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACvG,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAmB,EAAE,KAAqB;QACnE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,oBAAoB;QACpB,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,GAAG,CAAC;YAAE,OAAO;QAEzC,wBAAwB;QACxB,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAEvG,kBAAkB;QAClB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAClE,MAAM,QAAQ,GAAmB;YAC/B,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,eAAe,EAAE,GAAG,CAAC,WAAW,EAAE;YAClC,YAAY,EAAE,eAAe,CAAC,YAAY;YAC1C,YAAY,EAAE,aAAa,EAAE,YAAY,IAAI,CAAC;YAC9C,eAAe,EAAE,aAAa,EAAE,eAAe;SAChD,CAAC;QAEF,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;YACjC,OAAO;QACT,CAAC;QAED,iCAAiC;QACjC,IAAI,YAAY,GAAG,SAAS,CAAC;QAC7B,IAAI,cAAc,GAAG,KAAK,CAAC;QAE3B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACzE,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;YAC7B,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC;QAClC,CAAC;QAED,4BAA4B;QAC5B,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;YACvB,EAAE,EAAE,IAAI,EAAE;YACV,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;YAC9B,cAAc,EAAE,eAAe,CAAC,YAAY;YAC5C,kBAAkB,EAAE,eAAe,CAAC,SAAS;YAC7C,cAAc;YACd,YAAY;YACZ,QAAQ,EAAE;gBACR,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,OAAO,EAAE,KAAK,CAAC,EAAE;gBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,OAAO,EAAE,eAAe,CAAC,OAAO;aACjC;SACF,CAAC,CAAC;QAEH,kBAAkB;QAClB,QAAQ,CAAC,YAAY,GAAG,CAAC,aAAa,EAAE,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC/D,QAAQ,CAAC,eAAe,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IAEO,YAAY,CAAC,IAAmB,EAAE,GAAS;QACjD,IAAI,IAAI,CAAC,eAAe,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,KAAK,EAAE,eAAe;YAAE,OAAO,KAAK,CAAC;QAC1C,MAAM,aAAa,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QACtD,OAAO,GAAG,CAAC,OAAO,EAAE,GAAG,aAAa,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,eAAe,GAAG,EAAE,GAAG,IAAI,CAAC;IACpF,CAAC;CACF"}

package/dist/lib/redaction/human-review-layer.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Layer 6: Human Review Gate (Story 2.2)
+ */
+import type { RedactionLayer, RedactionLayerResult, RedactionContext } from '@agentlensai/core';
+/** Interface for the review queue store */
+export interface ReviewQueueStore {
+    addToQueue(entry: {
+        id: string;
+        tenantId: string;
+        lessonId: string;
+        originalTitle: string;
+        originalContent: string;
+        redactedTitle: string;
+        redactedContent: string;
+        redactionFindings: string;
+        status: string;
+        createdAt: string;
+        expiresAt: string;
+    }): void | Promise<void>;
+    getReviewStatus(reviewId: string): Promise<{
+        status: string;
+    } | null> | {
+        status: string;
+    } | null;
+    approveReview(reviewId: string, reviewedBy: string): void | Promise<void>;
+    rejectReview(reviewId: string, reviewedBy: string): void | Promise<void>;
+}
+export declare class HumanReviewLayer implements RedactionLayer {
+    private readonly enabled;
+    private readonly store?;
+    private readonly generateId;
+    readonly name: "human_review";
+    readonly order = 600;
+    constructor(enabled?: boolean, store?: ReviewQueueStore | undefined, generateId?: () => string);
+    process(input: string, _context: RedactionContext): Promise<RedactionLayerResult>;
+}
+//# sourceMappingURL=human-review-layer.d.ts.map

package/dist/lib/redaction/human-review-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"human-review-layer.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/human-review-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAE3B,2CAA2C;AAC3C,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,KAAK,EAAE;QAChB,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,eAAe,EAAE,MAAM,CAAC;QACxB,aAAa,EAAE,MAAM,CAAC;QACtB,eAAe,EAAE,MAAM,CAAC;QACxB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,GAAG;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAClG,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1E,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1E;AAED,qBAAa,gBAAiB,YAAW,cAAc;IAKnD,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;IACvB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAN7B,QAAQ,CAAC,IAAI,EAAG,cAAc,CAAU;IACxC,QAAQ,CAAC,KAAK,OAAO;gBAGF,OAAO,GAAE,OAAe,EACxB,KAAK,CAAC,EAAE,gBAAgB,YAAA,EACxB,UAAU,GAAE,MAAM,MAAkC;IAGjE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAmDxF"}

package/dist/lib/redaction/human-review-layer.js

@@ -0,0 +1,62 @@
+/**
+ * Layer 6: Human Review Gate (Story 2.2)
+ */
+export class HumanReviewLayer {
+    enabled;
+    store;
+    generateId;
+    name = 'human_review';
+    order = 600;
+    constructor(enabled = false, store, generateId = () => crypto.randomUUID()) {
+        this.enabled = enabled;
+        this.store = store;
+        this.generateId = generateId;
+    }
+    async process(input, _context) {
+        if (!this.enabled) {
+            // Pass-through when disabled
+            return { output: input, findings: [], blocked: false };
+        }
+        if (!this.store) {
+            // If enabled but no store provided, block (fail-closed)
+            return {
+                output: input,
+                findings: [],
+                blocked: true,
+                blockReason: 'Human review is enabled but no review queue store is configured',
+            };
+        }
+        const reviewId = this.generateId();
+        const now = new Date();
+        const expiresAt = new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000); // 7 days
+        await this.store.addToQueue({
+            id: reviewId,
+            tenantId: _context.tenantId,
+            lessonId: '', // filled by pipeline
+            originalTitle: '',
+            originalContent: '',
+            redactedTitle: '',
+            redactedContent: input,
+            redactionFindings: '[]',
+            status: 'pending',
+            createdAt: now.toISOString(),
+            expiresAt: expiresAt.toISOString(),
+        });
+        const finding = {
+            layer: 'human_review',
+            category: 'pending_review',
+            originalLength: input.length,
+            replacement: '',
+            startOffset: 0,
+            endOffset: input.length,
+            confidence: 1.0,
+        };
+        return {
+            output: input,
+            findings: [finding],
+            blocked: true,
+            blockReason: `pending_review:${reviewId}`,
+        };
+    }
+}
+//# sourceMappingURL=human-review-layer.js.map

package/dist/lib/redaction/human-review-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"human-review-layer.js","sourceRoot":"","sources":["../../../src/lib/redaction/human-review-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AA8BH,MAAM,OAAO,gBAAgB;IAKR;IACA;IACA;IANV,IAAI,GAAG,cAAuB,CAAC;IAC/B,KAAK,GAAG,GAAG,CAAC;IAErB,YACmB,UAAmB,KAAK,EACxB,KAAwB,EACxB,aAA2B,GAAG,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE;QAFpD,YAAO,GAAP,OAAO,CAAiB;QACxB,UAAK,GAAL,KAAK,CAAmB;QACxB,eAAU,GAAV,UAAU,CAA0C;IACpE,CAAC;IAEJ,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,QAA0B;QACrD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,6BAA6B;YAC7B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QACzD,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,wDAAwD;YACxD,OAAO;gBACL,MAAM,EAAE,KAAK;gBACb,QAAQ,EAAE,EAAE;gBACZ,OAAO,EAAE,IAAI;gBACb,WAAW,EAAE,iEAAiE;aAC/E,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;QAE9E,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAC1B,EAAE,EAAE,QAAQ;YACZ,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,EAAE,EAAE,qBAAqB;YACnC,aAAa,EAAE,EAAE;YACjB,eAAe,EAAE,EAAE;YACnB,aAAa,EAAE,EAAE;YACjB,eAAe,EAAE,KAAK;YACtB,iBAAiB,EAAE,IAAI;YACvB,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;YAC5B,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;SACnC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAqB;YAChC,KAAK,EAAE,cAAc;YACrB,QAAQ,EAAE,gBAAgB;YAC1B,cAAc,EAAE,KAAK,CAAC,MAAM;YAC5B,WAAW,EAAE,EAAE;YACf,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,KAAK,CAAC,MAAM;YACvB,UAAU,EAAE,GAAG;SAChB,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,CAAC,OAAO,CAAC;YACnB,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,kBAAkB,QAAQ,EAAE;SAC1C,CAAC;IACJ,CAAC;CACF"}

package/dist/lib/redaction/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Redaction Pipeline — public API
+ */
+export { SecretDetectionLayer } from './secret-detection-layer.js';
+export { PIIDetectionLayer, type PresidioProvider } from './pii-detection-layer.js';
+export { UrlPathScrubbingLayer, DEFAULT_PUBLIC_DOMAINS } from './url-path-scrubbing-layer.js';
+export { TenantDeidentificationLayer } from './tenant-deidentification-layer.js';
+export { SemanticDenyListLayer } from './semantic-denylist-layer.js';
+export { HumanReviewLayer, type ReviewQueueStore } from './human-review-layer.js';
+export { RedactionPipeline, type RedactionPipelineConfig } from './pipeline.js';
+export { shannonEntropy, detectHighEntropyStrings, ACTIVE_SECRET_PATTERNS } from './secret-patterns.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/redaction/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,KAAK,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAC9F,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,KAAK,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,iBAAiB,EAAE,KAAK,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAChF,OAAO,EAAE,cAAc,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/lib/redaction/index.js

@@ -0,0 +1,12 @@
+/**
+ * Redaction Pipeline — public API
+ */
+export { SecretDetectionLayer } from './secret-detection-layer.js';
+export { PIIDetectionLayer } from './pii-detection-layer.js';
+export { UrlPathScrubbingLayer, DEFAULT_PUBLIC_DOMAINS } from './url-path-scrubbing-layer.js';
+export { TenantDeidentificationLayer } from './tenant-deidentification-layer.js';
+export { SemanticDenyListLayer } from './semantic-denylist-layer.js';
+export { HumanReviewLayer } from './human-review-layer.js';
+export { RedactionPipeline } from './pipeline.js';
+export { shannonEntropy, detectHighEntropyStrings, ACTIVE_SECRET_PATTERNS } from './secret-patterns.js';
+//# sourceMappingURL=index.js.map

package/dist/lib/redaction/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/redaction/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAyB,MAAM,0BAA0B,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAC9F,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAyB,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,iBAAiB,EAAgC,MAAM,eAAe,CAAC;AAChF,OAAO,EAAE,cAAc,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/lib/redaction/pii-detection-layer.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Layer 2: PII Detection (Story 2.1)
+ */
+import type { RedactionLayer, RedactionLayerResult, RedactionContext } from '@agentlensai/core';
+export interface PIIPattern {
+    name: string;
+    category: string;
+    regex: RegExp;
+    replacement: string;
+    confidence: number;
+    validate?: (match: string) => boolean;
+}
+export declare const PII_PATTERNS: PIIPattern[];
+/** Optional Presidio integration interface */
+export interface PresidioProvider {
+    analyze(text: string): Promise<Array<{
+        entityType: string;
+        start: number;
+        end: number;
+        score: number;
+    }>>;
+}
+export declare class PIIDetectionLayer implements RedactionLayer {
+    private readonly presidio?;
+    readonly name: "pii_detection";
+    readonly order = 200;
+    constructor(presidio?: PresidioProvider | undefined);
+    process(input: string, _context: RedactionContext): Promise<RedactionLayerResult>;
+}
+//# sourceMappingURL=pii-detection-layer.d.ts.map

package/dist/lib/redaction/pii-detection-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detection-layer.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/pii-detection-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAE3B,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACvC;AAsBD,eAAO,MAAM,YAAY,EAAE,UAAU,EAqFpC,CAAC;AAEF,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QACnC,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC,CAAC;CACL;AAED,qBAAa,iBAAkB,YAAW,cAAc;IAI1C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAHtC,QAAQ,CAAC,IAAI,EAAG,eAAe,CAAU;IACzC,QAAQ,CAAC,KAAK,OAAO;gBAEQ,QAAQ,CAAC,EAAE,gBAAgB,YAAA;IAElD,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC;CA8ExF"}

package/dist/lib/redaction/pii-detection-layer.js

@@ -0,0 +1,183 @@
+/**
+ * Layer 2: PII Detection (Story 2.1)
+ */
+/**
+ * Luhn algorithm for credit card validation.
+ */
+function luhnCheck(digits) {
+    const nums = digits.replace(/\D/g, '');
+    if (nums.length < 13 || nums.length > 19)
+        return false;
+    let sum = 0;
+    let alternate = false;
+    for (let i = nums.length - 1; i >= 0; i--) {
+        let n = parseInt(nums[i], 10);
+        if (alternate) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alternate = !alternate;
+    }
+    return sum % 10 === 0;
+}
+export const PII_PATTERNS = [
+    {
+        name: 'email',
+        category: 'email',
+        regex: /[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}/g,
+        replacement: '[EMAIL]',
+        confidence: 0.95,
+    },
+    {
+        name: 'ssn_dashed',
+        category: 'ssn',
+        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+        replacement: '[SSN]',
+        confidence: 0.95,
+    },
+    {
+        name: 'ssn_plain',
+        category: 'ssn',
+        regex: /\b(?<!\d)(?!000|666|9\d\d)\d{3}(?!00)\d{2}(?!0000)\d{4}(?!\d)\b/g,
+        replacement: '[SSN]',
+        confidence: 0.70,
+        validate: (match) => {
+            const digits = match.replace(/\D/g, '');
+            // Must be exactly 9 digits, not all same, not sequential
+            return digits.length === 9 && !/^(\d)\1{8}$/.test(digits);
+        },
+    },
+    {
+        name: 'credit_card_16',
+        category: 'credit_card',
+        regex: /\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/g,
+        replacement: '[CREDIT_CARD]',
+        confidence: 0.90,
+        validate: (match) => luhnCheck(match),
+    },
+    {
+        name: 'credit_card_amex',
+        category: 'credit_card',
+        regex: /\b3[47]\d{2}[-\s]?\d{6}[-\s]?\d{5}\b/g,
+        replacement: '[CREDIT_CARD]',
+        confidence: 0.90,
+        validate: (match) => luhnCheck(match),
+    },
+    {
+        name: 'phone_us',
+        category: 'phone',
+        regex: /(?:\+?1[-.\s])?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g,
+        replacement: '[PHONE]',
+        confidence: 0.85,
+    },
+    {
+        name: 'phone_international',
+        category: 'phone',
+        regex: /\+\d{1,3}[-.\s]?\d{1,4}[-.\s]?\d{2,4}[-.\s]?\d{2,4}[-.\s]?\d{0,4}\b/g,
+        replacement: '[PHONE]',
+        confidence: 0.80,
+    },
+    {
+        name: 'ip_address_v4',
+        category: 'ip_address',
+        regex: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+        replacement: '[IP_ADDRESS]',
+        confidence: 0.80,
+    },
+    {
+        name: 'ip_address_v6',
+        category: 'ip_address',
+        regex: /\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b/g,
+        replacement: '[IP_ADDRESS]',
+        confidence: 0.80,
+    },
+    {
+        name: 'ip_address_v6_compressed',
+        category: 'ip_address',
+        regex: /\b(?:[0-9a-fA-F]{1,4}:){1,6}(?::[0-9a-fA-F]{1,4}){1,6}\b/g,
+        replacement: '[IP_ADDRESS]',
+        confidence: 0.75,
+    },
+    {
+        name: 'ip_address_v4_mapped_v6',
+        category: 'ip_address',
+        regex: /::ffff:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+        replacement: '[IP_ADDRESS]',
+        confidence: 0.80,
+    },
+];
+export class PIIDetectionLayer {
+    presidio;
+    name = 'pii_detection';
+    order = 200;
+    constructor(presidio) {
+        this.presidio = presidio;
+    }
+    async process(input, _context) {
+        const findings = [];
+        const allMatches = [];
+        // Regex-based detection
+        for (const pattern of PII_PATTERNS) {
+            const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+            let match;
+            while ((match = regex.exec(input)) !== null) {
+                if (pattern.validate && !pattern.validate(match[0]))
+                    continue;
+                allMatches.push({
+                    start: match.index,
+                    end: match.index + match[0].length,
+                    replacement: pattern.replacement,
+                    category: pattern.category,
+                    confidence: pattern.confidence,
+                });
+            }
+        }
+        // Optional Presidio NER
+        if (this.presidio) {
+            const entities = await this.presidio.analyze(input);
+            for (const entity of entities) {
+                const alreadyCovered = allMatches.some(m => m.start <= entity.start && m.end >= entity.end);
+                if (!alreadyCovered) {
+                    allMatches.push({
+                        start: entity.start,
+                        end: entity.end,
+                        replacement: `[${entity.entityType}]`,
+                        category: entity.entityType.toLowerCase(),
+                        confidence: entity.score,
+                    });
+                }
+            }
+        }
+        // Sort descending by start for safe replacement
+        allMatches.sort((a, b) => b.start - a.start);
+        // Deduplicate overlapping
+        const deduped = [];
+        for (const m of allMatches) {
+            if (!deduped.some(d => m.start < d.end && m.end > d.start)) {
+                deduped.push(m);
+            }
+        }
+        let output = input;
+        // Record findings in ascending order
+        const ascending = [...deduped].sort((a, b) => a.start - b.start);
+        for (const m of ascending) {
+            findings.push({
+                layer: 'pii_detection',
+                category: m.category,
+                originalLength: m.end - m.start,
+                replacement: m.replacement,
+                startOffset: m.start,
+                endOffset: m.end,
+                confidence: m.confidence,
+            });
+        }
+        // Apply replacements descending
+        for (const m of deduped) {
+            output = output.slice(0, m.start) + m.replacement + output.slice(m.end);
+        }
+        return { output, findings, blocked: false };
+    }
+}
+//# sourceMappingURL=pii-detection-layer.js.map

package/dist/lib/redaction/pii-detection-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detection-layer.js","sourceRoot":"","sources":["../../../src/lib/redaction/pii-detection-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAkBH;;GAEG;AACH,SAAS,SAAS,CAAC,MAAc;IAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IACvD,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9B,IAAI,SAAS,EAAE,CAAC;YACd,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,GAAG,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QACD,GAAG,IAAI,CAAC,CAAC;QACT,SAAS,GAAG,CAAC,SAAS,CAAC;IACzB,CAAC;IACD,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAiB;IACxC;QACE,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,mDAAmD;QAC1D,WAAW,EAAE,SAAS;QACtB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,OAAO;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,kEAAkE;QACzE,WAAW,EAAE,OAAO;QACpB,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE;YAClB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,yDAAyD;YACzD,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5D,CAAC;KACF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EAAE,eAAe;QAC5B,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC;KACtC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,eAAe;QAC5B,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC;KACtC;IACD;QACE,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,SAAS;QACtB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,sEAAsE;QAC7E,WAAW,EAAE,SAAS;QACtB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,YAAY;QACtB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EAAE,cAAc;QAC3B,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,YAAY;QACtB,KAAK,EAAE,+CAA+C;QACtD,WAAW,EAAE,cAAc;QAC3B,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,YAAY;QACtB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EAAE,cAAc;QAC3B,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,YAAY;QACtB,KAAK,EAAE,8CAA8C;QACrD,WAAW,EAAE,cAAc;QAC3B,UAAU,EAAE,IAAI;KACjB;CACF,CAAC;AAYF,MAAM,OAAO,iBAAiB;IAIC;IAHpB,IAAI,GAAG,eAAwB,CAAC;IAChC,KAAK,GAAG,GAAG,CAAC;IAErB,YAA6B,QAA2B;QAA3B,aAAQ,GAAR,QAAQ,CAAmB;IAAG,CAAC;IAE5D,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,QAA0B;QACrD,MAAM,QAAQ,GAAuB,EAAE,CAAC;QACxC,MAAM,UAAU,GAMX,EAAE,CAAC;QAER,wBAAwB;QACxB,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACpE,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC5C,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oBAAE,SAAS;gBAC9D,UAAU,CAAC,IAAI,CAAC;oBACd,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBAClC,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACpD,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;gBAC9B,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CACpC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,CACpD,CAAC;gBACF,IAAI,CAAC,cAAc,EAAE,CAAC;oBACpB,UAAU,CAAC,IAAI,CAAC;wBACd,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,GAAG,EAAE,MAAM,CAAC,GAAG;wBACf,WAAW,EAAE,IAAI,MAAM,CAAC,UAAU,GAAG;wBACrC,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE;wBACzC,UAAU,EAAE,MAAM,CAAC,KAAK;qBACzB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAE7C,0BAA0B;QAC1B,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,qCAAqC;QACrC,MAAM,SAAS,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACjE,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,eAAe;gBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,cAAc,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK;gBAC/B,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,WAAW,EAAE,CAAC,CAAC,KAAK;gBACpB,SAAS,EAAE,CAAC,CAAC,GAAG;gBAChB,UAAU,EAAE,CAAC,CAAC,UAAU;aACzB,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC9C,CAAC;CACF"}

package/dist/lib/redaction/pipeline.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Redaction Pipeline Orchestrator (Story 2.3)
+ */
+import type { RedactionLayer, RedactionContext, RedactionResult, RawLessonContent } from '@agentlensai/core';
+import { type PresidioProvider } from './pii-detection-layer.js';
+import { type ReviewQueueStore } from './human-review-layer.js';
+export interface RedactionPipelineConfig {
+    humanReviewEnabled?: boolean;
+    reviewQueueStore?: ReviewQueueStore;
+    presidioProvider?: PresidioProvider;
+    publicDomainAllowlist?: string[];
+}
+export declare class RedactionPipeline {
+    private layers;
+    constructor(config?: RedactionPipelineConfig, customLayers?: RedactionLayer[]);
+    getLayers(): readonly RedactionLayer[];
+    /**
+     * Register a custom redaction layer at runtime.
+     * The layer is inserted at the correct position based on its `order` field.
+     * Multiple custom layers are supported.
+     * Plugin errors trigger fail-closed behavior (same as built-in layers).
+     */
+    registerCustomLayer(layer: RedactionLayer): void;
+    process(raw: RawLessonContent, ctx: RedactionContext): Promise<RedactionResult>;
+}
+//# sourceMappingURL=pipeline.d.ts.map

package/dist/lib/redaction/pipeline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/pipeline.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EAEd,gBAAgB,EAChB,eAAe,EAEf,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAqB,KAAK,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAIpF,OAAO,EAAoB,KAAK,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAElF,MAAM,WAAW,uBAAuB;IACtC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAmB;gBAG/B,MAAM,GAAE,uBAA4B,EACpC,YAAY,CAAC,EAAE,cAAc,EAAE;IAqBjC,SAAS,IAAI,SAAS,cAAc,EAAE;IAItC;;;;;OAKG;IACH,mBAAmB,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI;IAK1C,OAAO,CAAC,GAAG,EAAE,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;CAuDtF"}

package/dist/lib/redaction/pipeline.js

@@ -0,0 +1,91 @@
+/**
+ * Redaction Pipeline Orchestrator (Story 2.3)
+ */
+import { createRedactedLessonContent, REDACTION_PIPELINE_KEY } from '@agentlensai/core';
+import { SecretDetectionLayer } from './secret-detection-layer.js';
+import { PIIDetectionLayer } from './pii-detection-layer.js';
+import { UrlPathScrubbingLayer } from './url-path-scrubbing-layer.js';
+import { TenantDeidentificationLayer } from './tenant-deidentification-layer.js';
+import { SemanticDenyListLayer } from './semantic-denylist-layer.js';
+import { HumanReviewLayer } from './human-review-layer.js';
+export class RedactionPipeline {
+    layers;
+    constructor(config = {}, customLayers) {
+        const defaultLayers = [
+            new SecretDetectionLayer(),
+            new PIIDetectionLayer(config.presidioProvider),
+            new UrlPathScrubbingLayer(config.publicDomainAllowlist),
+            new TenantDeidentificationLayer(),
+            new SemanticDenyListLayer(),
+            new HumanReviewLayer(config.humanReviewEnabled ?? false, config.reviewQueueStore),
+        ];
+        if (customLayers) {
+            defaultLayers.push(...customLayers);
+        }
+        this.layers = defaultLayers.sort((a, b) => a.order - b.order);
+    }
+    getLayers() {
+        return this.layers;
+    }
+    /**
+     * Register a custom redaction layer at runtime.
+     * The layer is inserted at the correct position based on its `order` field.
+     * Multiple custom layers are supported.
+     * Plugin errors trigger fail-closed behavior (same as built-in layers).
+     */
+    registerCustomLayer(layer) {
+        this.layers.push(layer);
+        this.layers.sort((a, b) => a.order - b.order);
+    }
+    async process(raw, ctx) {
+        // Combine title and content for processing
+        let text = `${raw.title}\n---\n${raw.content}`;
+        const allFindings = [];
+        for (const layer of this.layers) {
+            let result;
+            try {
+                result = await layer.process(text, ctx);
+            }
+            catch (error) {
+                // FAIL-CLOSED: any layer error blocks the lesson
+                return {
+                    status: 'error',
+                    error: error instanceof Error ? error.message : String(error),
+                    layer: layer.name,
+                };
+            }
+            if (result.blocked) {
+                // Check for pending_review special case
+                if (result.blockReason?.startsWith('pending_review:')) {
+                    const reviewId = result.blockReason.split(':')[1];
+                    return { status: 'pending_review', reviewId };
+                }
+                return {
+                    status: 'blocked',
+                    reason: result.blockReason ?? 'Blocked by redaction layer',
+                    layer: layer.name,
+                };
+            }
+            text = result.output;
+            allFindings.push(...result.findings);
+        }
+        // Split back into title and content
+        const separatorIndex = text.indexOf('\n---\n');
+        let title;
+        let content;
+        if (separatorIndex !== -1) {
+            title = text.slice(0, separatorIndex);
+            content = text.slice(separatorIndex + 5);
+        }
+        else {
+            title = text;
+            content = '';
+        }
+        return {
+            status: 'redacted',
+            content: createRedactedLessonContent(title, content, {}, REDACTION_PIPELINE_KEY), // context always stripped
+            findings: allFindings,
+        };
+    }
+}
+//# sourceMappingURL=pipeline.js.map

package/dist/lib/redaction/pipeline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../../../src/lib/redaction/pipeline.ts"],"names":[],"mappings":"AAAA;;GAEG;AAUH,OAAO,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAyB,MAAM,0BAA0B,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAyB,MAAM,yBAAyB,CAAC;AASlF,MAAM,OAAO,iBAAiB;IACpB,MAAM,CAAmB;IAEjC,YACE,SAAkC,EAAE,EACpC,YAA+B;QAE/B,MAAM,aAAa,GAAqB;YACtC,IAAI,oBAAoB,EAAE;YAC1B,IAAI,iBAAiB,CAAC,MAAM,CAAC,gBAAgB,CAAC;YAC9C,IAAI,qBAAqB,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACvD,IAAI,2BAA2B,EAAE;YACjC,IAAI,qBAAqB,EAAE;YAC3B,IAAI,gBAAgB,CAClB,MAAM,CAAC,kBAAkB,IAAI,KAAK,EAClC,MAAM,CAAC,gBAAgB,CACxB;SACF,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,aAAa,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QACtC,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;;;;OAKG;IACH,mBAAmB,CAAC,KAAqB;QACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB,EAAE,GAAqB;QACxD,2CAA2C;QAC3C,IAAI,IAAI,GAAG,GAAG,GAAG,CAAC,KAAK,UAAU,GAAG,CAAC,OAAO,EAAE,CAAC;QAC/C,MAAM,WAAW,GAAuB,EAAE,CAAC;QAE3C,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,IAAI,MAAM,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1C,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,iDAAiD;gBACjD,OAAO;oBACL,MAAM,EAAE,OAAO;oBACf,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;oBAC7D,KAAK,EAAE,KAAK,CAAC,IAA0B;iBACxC,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,wCAAwC;gBACxC,IAAI,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;oBACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAClD,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC;gBAChD,CAAC;gBAED,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,MAAM,EAAE,MAAM,CAAC,WAAW,IAAI,4BAA4B;oBAC1D,KAAK,EAAE,KAAK,CAAC,IAA0B;iBACxC,CAAC;YACJ,CAAC;YAED,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC;YACrB,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,oCAAoC;QACpC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,KAAa,CAAC;QAClB,IAAI,OAAe,CAAC;QAEpB,IAAI,cAAc,KAAK,CAAC,CAAC,EAAE,CAAC;YAC1B,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;YACtC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,KAAK,GAAG,IAAI,CAAC;YACb,OAAO,GAAG,EAAE,CAAC;QACf,CAAC;QAED,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,2BAA2B,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,sBAAsB,CAAC,EAAE,0BAA0B;YAC5G,QAAQ,EAAE,WAAW;SACtB,CAAC;IACJ,CAAC;CACF"}

package/dist/lib/redaction/secret-detection-layer.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 1: Secret Detection (Story 2.1)
+ */
+import type { RedactionLayer, RedactionLayerResult, RedactionContext } from '@agentlensai/core';
+export declare class SecretDetectionLayer implements RedactionLayer {
+    readonly name: "secret_detection";
+    readonly order = 100;
+    process(input: string, _context: RedactionContext): RedactionLayerResult;
+}
+//# sourceMappingURL=secret-detection-layer.d.ts.map

package/dist/lib/redaction/secret-detection-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-detection-layer.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/secret-detection-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAG3B,qBAAa,oBAAqB,YAAW,cAAc;IACzD,QAAQ,CAAC,IAAI,EAAG,kBAAkB,CAAU;IAC5C,QAAQ,CAAC,KAAK,OAAO;IAErB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,GAAG,oBAAoB;CAyFzE"}