@agentplugged/claw 0.1.0

package/dist/router/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/router/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0KA,gDAgCC;AA1MD,2CAA6B;AAE7B,sCAAmD;AACnD,6CAAkD;AAClD,yCAAyC;AACzC,yCAAiD;AACjD,qCAAyE;AAEzE,mDAAgE;AAEhE,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,GAAyB;IACzC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACtE,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CACf,GAAwB,EACxB,MAAc,EACd,IAAa;IAEb,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;QACpB,cAAc,EAAE,kBAAkB;QAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;KAC1C,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAChB,GAAwB,EACxB,MAAc,EACd,OAAe;IAEf,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE;QACpB,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE;KACvD,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,KAAK,UAAU,qBAAqB,CAClC,GAAyB,EACzB,GAAwB,EACxB,MAAkB,EAClB,EAAqB;IAErB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,6BAA6B,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,OAA8B,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA0B,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1D,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,qCAAqC,CAAC,CAAC;IACpE,CAAC;IAED,0CAA0C;IAC1C,MAAM,UAAU,GAAG,IAAA,+BAAkB,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAExD,yCAAyC;IACzC,IAAI,QAAwC,CAAC;IAC7C,IAAI,CAAC;QACH,QAAQ,GAAG,IAAA,sBAAW,EAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACxE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAC;QACvD,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,wBAAwB;IACxB,IAAI,YAA6D,CAAC;IAClE,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,IAAA,8BAAmB,EACtC,OAAO,EACP,QAAQ,EACR,MAAM,CAAC,SAAS,CACjB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;QACvC,IAAA,yBAAgB,EAAC,EAAE,EAAE;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,EAAE;YACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI;YAChC,WAAW,EAAE,CAAC;YACd,YAAY,EAAE,CAAC;YACf,IAAI,EAAE,CAAC;YACP,SAAS;YACT,UAAU;YACV,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,KAAK;YACd,KAAK,EAAG,GAAa,CAAC,OAAO;SAC9B,CAAC,CAAC;QACH,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAC;QACrD,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;IACvC,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;IAEhD,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,EAAE,aAAa,IAAI,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,EAAE,iBAAiB,IAAI,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,IAAA,sBAAa,EACxB,WAAW,EACX,YAAY,EACZ,QAAQ,CAAC,KAAK,CAAC,UAAU,EACzB,QAAQ,CAAC,KAAK,CAAC,WAAW,CAC3B,CAAC;IAEF,kEAAkE;IAClE,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC;YACxC,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,IAAA,2BAAW,EAAC,OAAO,CAAC,CAAC;gBACpC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAClB,YAAY,GAAG,IAAI,CAAC;oBACpB,OAAO,CAAC,IAAI,CACV,6CAA6C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,aAAa,EACvG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC,CACpD,CAAC;oBACF,MAAM,CAAC,OAAO,CAAC,OAAO,GAAG,IAAA,gCAAgB,EAAC,OAAO,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,IAAA,yBAAgB,EAAC,EAAE,EAAE;QACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,EAAE;QACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI;QAChC,WAAW;QACX,YAAY;QACZ,IAAI;QACJ,SAAS;QACT,UAAU;QACV,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,YAAY;QACtB,OAAO,EAAE,IAAI;QACb,YAAY;KACb,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,SAAgB,kBAAkB,CAChC,MAAkB,EAClB,EAAqB;IAErB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAC9B,KAAK,EAAE,GAAyB,EAAE,GAAwB,EAAE,EAAE;QAC5D,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;QAE3B,eAAe;QACf,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;gBACxB,MAAM,EAAE,IAAI;gBACZ,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,SAAS,EAAE,MAAM,CAAC,SAAS;qBACxB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;qBACxB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QAED,gDAAgD;QAChD,IAAI,MAAM,KAAK,MAAM,IAAI,GAAG,KAAK,sBAAsB,EAAE,CAAC;YACxD,OAAO,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,0BAA0B;QAC1B,OAAO,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,oBAAoB,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC,CACF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,IAAA,mBAAU,GAAE,CAAC;IAC5B,MAAM,EAAE,GAAG,IAAA,qBAAY,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAExC,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAE9C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,EAAE;QACpC,OAAO,CAAC,GAAG,CACT,gDAAgD,MAAM,CAAC,UAAU,EAAE,CACpE,CAAC;QACF,OAAO,CAAC,GAAG,CACT,sBAAsB,MAAM,CAAC,QAAQ,iBAAiB,MAAM,CAAC,SAAS;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;aACxB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAClB,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAC1B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;QACzB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;QACxB,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/router/leak-detector.d.ts

@@ -0,0 +1,33 @@
+export type LeakType = "api_key" | "env_var" | "password" | "token" | "email" | "credit_card" | "ssn" | "private_key" | "aws_key";
+export interface LeakFinding {
+    /** Category of the detected leak */
+    type: LeakType;
+    /** Masked version of the matched text (first 4 chars + ***) */
+    match: string;
+    /** Character position in the original text where the match starts */
+    position: number;
+}
+export interface LeakDetectionResult {
+    /** True if at least one leak was detected */
+    leaked: boolean;
+    /** All individual findings */
+    findings: LeakFinding[];
+}
+/**
+ * Scan a text for potential data leaks.
+ *
+ * Returns all findings with masked match strings so the result itself
+ * does not become a leak vector (CWE-532).
+ */
+export declare function detectLeaks(text: string): LeakDetectionResult;
+/**
+ * Replace all detected leaks in the text with [REDACTED].
+ *
+ * This is the last line of defense before sending a response to the client.
+ * Use this after detectLeaks() confirms there are findings.
+ *
+ * OWASP ASVS V8.3.4: Verify that sensitive data is not sent to
+ * untrusted parties.
+ */
+export declare function sanitizeResponse(text: string): string;
+//# sourceMappingURL=leak-detector.d.ts.map

package/dist/router/leak-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"leak-detector.d.ts","sourceRoot":"","sources":["../../src/router/leak-detector.ts"],"names":[],"mappings":"AAgBA,MAAM,MAAM,QAAQ,GAChB,SAAS,GACT,SAAS,GACT,UAAU,GACV,OAAO,GACP,OAAO,GACP,aAAa,GACb,KAAK,GACL,aAAa,GACb,SAAS,CAAC;AAEd,MAAM,WAAW,WAAW;IAC1B,oCAAoC;IACpC,IAAI,EAAE,QAAQ,CAAC;IACf,+DAA+D;IAC/D,KAAK,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,6CAA6C;IAC7C,MAAM,EAAE,OAAO,CAAC;IAChB,8BAA8B;IAC9B,QAAQ,EAAE,WAAW,EAAE,CAAC;CACzB;AAgQD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,CAuC7D;AAMD;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAwBrD"}

package/dist/router/leak-detector.js

@@ -0,0 +1,320 @@
+"use strict";
+// ---------------------------------------------------------------------------
+// Leak Detector — Scanne les reponses LLM pour detecter les fuites de donnees
+// sensibles AVANT qu'elles ne soient renvoyees au client.
+//
+// References:
+//   - OWASP Top 10 2021 — A01:2021 Broken Access Control
+//   - OWASP Top 10 2021 — A02:2021 Cryptographic Failures
+//   - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
+//   - CWE-532: Insertion of Sensitive Information into Log File
+//   - OWASP ASVS v4.0.3 — V8: Data Protection
+// ---------------------------------------------------------------------------
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectLeaks = detectLeaks;
+exports.sanitizeResponse = sanitizeResponse;
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Mask a matched string to avoid logging secrets in clear text.
+ * Shows at most the first 4 characters followed by "***".
+ *
+ * CWE-532: We never expose the full secret in logs or results.
+ */
+function maskMatch(value) {
+    if (value.length <= 4) {
+        return value[0] + "***";
+    }
+    return value.slice(0, 4) + "***";
+}
+/**
+ * Luhn algorithm for credit card validation.
+ * Reduces false positives by verifying the checksum.
+ */
+function luhnCheck(digits) {
+    const nums = digits.split("").map(Number);
+    let sum = 0;
+    let alternate = false;
+    for (let i = nums.length - 1; i >= 0; i--) {
+        let n = nums[i];
+        if (alternate) {
+            n *= 2;
+            if (n > 9) {
+                n -= 9;
+            }
+        }
+        sum += n;
+        alternate = !alternate;
+    }
+    return sum % 10 === 0;
+}
+/**
+ * All patterns are designed to minimize false positives:
+ * - API key patterns require a prefix + minimum length
+ * - Word boundaries (\b) prevent matching substrings (e.g. "skeleton" != "sk-eleton")
+ * - Credit cards require Luhn validation
+ * - Passwords require an assignment context (key=value)
+ */
+const LEAK_PATTERNS = [
+    // -- Private keys (PEM format) --
+    // CWE-321: Use of Hard-coded Cryptographic Key
+    {
+        type: "private_key",
+        regex: /-----BEGIN\s+(?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----[\s\S]*?-----END\s+(?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/g,
+    },
+    // -- AWS Access Keys --
+    // Always start with AKIA and are exactly 20 chars
+    {
+        type: "aws_key",
+        regex: /\bAKIA[0-9A-Z]{16}\b/g,
+    },
+    // -- API Keys with known prefixes --
+    // OpenAI: sk-... (min 20 chars after prefix to avoid "skeleton", "sk-ip", etc.)
+    {
+        type: "api_key",
+        regex: /\bsk-[A-Za-z0-9_-]{20,}\b/g,
+    },
+    // Anthropic: sk-ant-...
+    {
+        type: "api_key",
+        regex: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g,
+    },
+    // Generic key- prefix (min 20 chars)
+    {
+        type: "api_key",
+        regex: /\bkey-[A-Za-z0-9_-]{20,}\b/g,
+    },
+    // Google AI: AIzaSy...
+    {
+        type: "api_key",
+        regex: /\bAIzaSy[A-Za-z0-9_-]{30,}\b/g,
+    },
+    // GitHub personal access tokens
+    {
+        type: "api_key",
+        regex: /\bghp_[A-Za-z0-9]{36,}\b/g,
+    },
+    // GitHub fine-grained tokens
+    {
+        type: "api_key",
+        regex: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/g,
+    },
+    // GitLab personal access tokens
+    {
+        type: "api_key",
+        regex: /\bglpat-[A-Za-z0-9_-]{20,}\b/g,
+    },
+    // Slack bot tokens
+    {
+        type: "api_key",
+        regex: /\bxoxb-[0-9]{10,}-[A-Za-z0-9-]+\b/g,
+    },
+    // Slack user tokens
+    {
+        type: "api_key",
+        regex: /\bxoxp-[0-9]{10,}-[A-Za-z0-9-]+\b/g,
+    },
+    // Stripe keys
+    {
+        type: "api_key",
+        regex: /\b[sr]k_(?:live|test)_[A-Za-z0-9]{20,}\b/g,
+    },
+    // Sendgrid
+    {
+        type: "api_key",
+        regex: /\bSG\.[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{22,}\b/g,
+    },
+    // Twilio
+    {
+        type: "api_key",
+        regex: /\bSK[0-9a-fA-F]{32}\b/g,
+    },
+    // -- JWT tokens --
+    // CWE-200: Must not leak session tokens
+    {
+        type: "token",
+        regex: /\beyJhbGciOi[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
+    },
+    // -- Environment variable references --
+    // process.env.SOMETHING
+    {
+        type: "env_var",
+        regex: /\bprocess\.env\.[A-Z_][A-Z0-9_]{2,}\b/g,
+    },
+    // os.environ["SOMETHING"] or os.environ.get("SOMETHING")
+    {
+        type: "env_var",
+        regex: /\bos\.environ(?:\[['"][A-Z_][A-Z0-9_]*['"]\]|\.get\(['"][A-Z_][A-Z0-9_]*['"]\))/g,
+    },
+    // Shell-style $ENV_VAR (min 3 chars in name, preceded by whitespace or line start)
+    {
+        type: "env_var",
+        regex: /(?:^|[\s=:])(\$[A-Z_][A-Z0-9_]{2,})\b/gm,
+    },
+    // -- Passwords / secrets in assignment context --
+    // Matches: password=xxx, secret=xxx, token=xxx, api_key=xxx, etc.
+    // Requires value to be at least 8 chars to avoid trivial matches
+    {
+        type: "password",
+        regex: /\b(?:password|passwd|pwd|secret|api_?key|api_?secret|auth_?token|access_?token|private_?key)\s*[:=]\s*['"]?([^\s'"]{8,})['"]?/gi,
+    },
+    // -- Email addresses --
+    // Detected in LLM output context — real emails that could be PII leaks
+    // CWE-359: Exposure of Private Personal Information
+    {
+        type: "email",
+        regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+        validate: (match) => {
+            // Exclude obvious placeholder/example emails
+            const lowerMatch = match.toLowerCase();
+            const excludePatterns = [
+                "example.com",
+                "example.org",
+                "example.net",
+                "test.com",
+                "test.org",
+                "localhost",
+                "placeholder",
+                "user@",
+                "email@",
+                "your@",
+                "name@",
+                "noreply@",
+                "no-reply@",
+                "support@",
+                "info@",
+                "hello@",
+                "contact@",
+            ];
+            return !excludePatterns.some((p) => lowerMatch.includes(p) || lowerMatch.startsWith(p));
+        },
+    },
+    // -- Credit card numbers --
+    // 13-19 digits, possibly separated by spaces or dashes
+    // CWE-311: Missing Encryption of Sensitive Data
+    {
+        type: "credit_card",
+        regex: /\b(?:\d[ -]?){13,19}\b/g,
+        validate: (match) => {
+            const digits = match.replace(/[\s-]/g, "");
+            // Must be between 13 and 19 digits
+            if (digits.length < 13 || digits.length > 19)
+                return false;
+            // Must start with a valid card prefix
+            const validPrefixes = [
+                "4", // Visa
+                "5", // Mastercard
+                "34", // Amex
+                "37", // Amex
+                "6011", // Discover
+                "65", // Discover
+                "36", // Diners
+                "38", // Diners
+                "35", // JCB
+            ];
+            const startsValid = validPrefixes.some((p) => digits.startsWith(p));
+            if (!startsValid)
+                return false;
+            return luhnCheck(digits);
+        },
+    },
+    // -- US Social Security Numbers --
+    // CWE-359: Exposure of Private Personal Information
+    {
+        type: "ssn",
+        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+        validate: (match) => {
+            // Exclude known invalid SSN prefixes (000, 666, 900-999)
+            const area = parseInt(match.slice(0, 3), 10);
+            if (area === 0 || area === 666 || area >= 900)
+                return false;
+            // Group number cannot be 00
+            const group = parseInt(match.slice(4, 6), 10);
+            if (group === 0)
+                return false;
+            // Serial cannot be 0000
+            const serial = parseInt(match.slice(7, 11), 10);
+            if (serial === 0)
+                return false;
+            return true;
+        },
+    },
+];
+// ---------------------------------------------------------------------------
+// Core detection
+// ---------------------------------------------------------------------------
+/**
+ * Scan a text for potential data leaks.
+ *
+ * Returns all findings with masked match strings so the result itself
+ * does not become a leak vector (CWE-532).
+ */
+function detectLeaks(text) {
+    const findings = [];
+    for (const pattern of LEAK_PATTERNS) {
+        // Reset lastIndex for global regexes
+        pattern.regex.lastIndex = 0;
+        let regexMatch;
+        while ((regexMatch = pattern.regex.exec(text)) !== null) {
+            // Use captured group if present (e.g., password value), otherwise full match
+            const matchedText = regexMatch[1] ?? regexMatch[0];
+            const position = regexMatch.index;
+            // Run optional validator to reduce false positives
+            if (pattern.validate && !pattern.validate(matchedText)) {
+                continue;
+            }
+            findings.push({
+                type: pattern.type,
+                match: maskMatch(matchedText),
+                position,
+            });
+        }
+    }
+    // Deduplicate findings at the same position (overlapping patterns)
+    const seen = new Set();
+    const deduped = findings.filter((f) => {
+        const key = `${f.type}:${f.position}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+    return {
+        leaked: deduped.length > 0,
+        findings: deduped,
+    };
+}
+// ---------------------------------------------------------------------------
+// Sanitization
+// ---------------------------------------------------------------------------
+/**
+ * Replace all detected leaks in the text with [REDACTED].
+ *
+ * This is the last line of defense before sending a response to the client.
+ * Use this after detectLeaks() confirms there are findings.
+ *
+ * OWASP ASVS V8.3.4: Verify that sensitive data is not sent to
+ * untrusted parties.
+ */
+function sanitizeResponse(text) {
+    let sanitized = text;
+    for (const pattern of LEAK_PATTERNS) {
+        // Reset lastIndex for global regexes
+        pattern.regex.lastIndex = 0;
+        sanitized = sanitized.replace(pattern.regex, (fullMatch, ...args) => {
+            // For patterns with capture groups, the captured group is the sensitive part
+            // but we replace the full match to preserve context
+            const capturedGroup = typeof args[0] === "string" ? args[0] : null;
+            if (pattern.validate) {
+                const toValidate = capturedGroup ?? fullMatch;
+                if (!pattern.validate(toValidate)) {
+                    return fullMatch; // Not a real leak, leave untouched
+                }
+            }
+            return "[REDACTED]";
+        });
+    }
+    return sanitized;
+}
+//# sourceMappingURL=leak-detector.js.map

package/dist/router/leak-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"leak-detector.js","sourceRoot":"","sources":["../../src/router/leak-detector.ts"],"names":[],"mappings":";AAAA,8EAA8E;AAC9E,8EAA8E;AAC9E,0DAA0D;AAC1D,EAAE;AACF,cAAc;AACd,yDAAyD;AACzD,0DAA0D;AAC1D,0EAA0E;AAC1E,gEAAgE;AAChE,8CAA8C;AAC9C,8EAA8E;;AAqS9E,kCAuCC;AAeD,4CAwBC;AAlVD,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;IAC1B,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,MAAc;IAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,IAAI,SAAS,EAAE,CAAC;YACd,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACV,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;QACH,CAAC;QACD,GAAG,IAAI,CAAC,CAAC;QACT,SAAS,GAAG,CAAC,SAAS,CAAC;IACzB,CAAC;IAED,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAaD;;;;;;GAMG;AACH,MAAM,aAAa,GAA2B;IAC5C,kCAAkC;IAClC,+CAA+C;IAC/C;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,mIAAmI;KAC3I;IAED,wBAAwB;IACxB,kDAAkD;IAClD;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,uBAAuB;KAC/B;IAED,qCAAqC;IACrC,gFAAgF;IAChF;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,4BAA4B;KACpC;IACD,wBAAwB;IACxB;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,gCAAgC;KACxC;IACD,qCAAqC;IACrC;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,6BAA6B;KACrC;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,+BAA+B;KACvC;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,2BAA2B;KACnC;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,mCAAmC;KAC3C;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,+BAA+B;KACvC;IACD,mBAAmB;IACnB;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,oCAAoC;KAC5C;IACD,oBAAoB;IACpB;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,oCAAoC;KAC5C;IACD,cAAc;IACd;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,2CAA2C;KACnD;IACD,WAAW;IACX;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,iDAAiD;KACzD;IACD,SAAS;IACT;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,wBAAwB;KAChC;IAED,mBAAmB;IACnB,wCAAwC;IACxC;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,kEAAkE;KAC1E;IAED,wCAAwC;IACxC,wBAAwB;IACxB;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,wCAAwC;KAChD;IACD,yDAAyD;IACzD;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,kFAAkF;KAC1F;IACD,mFAAmF;IACnF;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,yCAAyC;KACjD;IAED,kDAAkD;IAClD,kEAAkE;IAClE,iEAAiE;IACjE;QACE,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,iIAAiI;KACzI;IAED,wBAAwB;IACxB,uEAAuE;IACvE,oDAAoD;IACpD;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,qDAAqD;QAC5D,QAAQ,EAAE,CAAC,KAAa,EAAW,EAAE;YACnC,6CAA6C;YAC7C,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YACvC,MAAM,eAAe,GAAG;gBACtB,aAAa;gBACb,aAAa;gBACb,aAAa;gBACb,UAAU;gBACV,UAAU;gBACV,WAAW;gBACX,aAAa;gBACb,OAAO;gBACP,QAAQ;gBACR,OAAO;gBACP,OAAO;gBACP,UAAU;gBACV,WAAW;gBACX,UAAU;gBACV,OAAO;gBACP,QAAQ;gBACR,UAAU;aACX,CAAC;YACF,OAAO,CAAC,eAAe,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAC1D,CAAC;QACJ,CAAC;KACF;IAED,4BAA4B;IAC5B,uDAAuD;IACvD,gDAAgD;IAChD;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,CAAC,KAAa,EAAW,EAAE;YACnC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC3C,mCAAmC;YACnC,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;gBAAE,OAAO,KAAK,CAAC;YAC3D,sCAAsC;YACtC,MAAM,aAAa,GAAG;gBACpB,GAAG,EAAK,OAAO;gBACf,GAAG,EAAK,aAAa;gBACrB,IAAI,EAAI,OAAO;gBACf,IAAI,EAAI,OAAO;gBACf,MAAM,EAAE,WAAW;gBACnB,IAAI,EAAI,WAAW;gBACnB,IAAI,EAAI,SAAS;gBACjB,IAAI,EAAI,SAAS;gBACjB,IAAI,EAAI,MAAM;aACf,CAAC;YACF,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACpE,IAAI,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YAC/B,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;KACF;IAED,mCAAmC;IACnC,oDAAoD;IACpD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,CAAC,KAAa,EAAW,EAAE;YACnC,yDAAyD;YACzD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7C,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,IAAI,GAAG;gBAAE,OAAO,KAAK,CAAC;YAC5D,4BAA4B;YAC5B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9C,IAAI,KAAK,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC9B,wBAAwB;YACxB,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YAChD,IAAI,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC/B,OAAO,IAAI,CAAC;QACd,CAAC;KACF;CACO,CAAC;AAEX,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,IAAY;IACtC,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QACpC,qCAAqC;QACrC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;QAE5B,IAAI,UAAkC,CAAC;QACvC,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxD,6EAA6E;YAC7E,MAAM,WAAW,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC;YAElC,mDAAmD;YACnD,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvD,SAAS;YACX,CAAC;YAED,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,KAAK,EAAE,SAAS,CAAC,WAAW,CAAC;gBAC7B,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACpC,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;QAC1B,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAAC,IAAY;IAC3C,IAAI,SAAS,GAAG,IAAI,CAAC;IAErB,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QACpC,qCAAqC;QACrC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;QAE5B,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,GAAG,IAAI,EAAE,EAAE;YAClE,6EAA6E;YAC7E,oDAAoD;YACpD,MAAM,aAAa,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAEnE,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,MAAM,UAAU,GAAG,aAAa,IAAI,SAAS,CAAC;gBAC9C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBAClC,OAAO,SAAS,CAAC,CAAC,mCAAmC;gBACvD,CAAC;YACH,CAAC;YAED,OAAO,YAAY,CAAC;QACtB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/router/logger.d.ts

@@ -0,0 +1,18 @@
+import Database from "better-sqlite3";
+import { RouterLogEntry } from "./types";
+/**
+ * Opens (or creates) the SQLite database and ensures the schema exists.
+ * The DB file is stored at <dataDir>/router.db.
+ */
+export declare function openDatabase(dataDir: string): Database.Database;
+/**
+ * Inserts a log entry synchronously (SQLite writes are fast enough for this use case).
+ * Called after every proxied request.
+ */
+export declare function logRouterRequest(db: Database.Database, entry: RouterLogEntry): void;
+/**
+ * Calculates the cost in USD for a request given the model prices.
+ * inputPrice and outputPrice are expressed per 1M tokens.
+ */
+export declare function calculateCost(inputTokens: number, outputTokens: number, inputPricePerM: number, outputPricePerM: number): number;
+//# sourceMappingURL=logger.d.ts.map

package/dist/router/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/router/logger.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AAGtC,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAyBzC;;;GAGG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAa/D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,KAAK,EAAE,cAAc,GACpB,IAAI,CAmCN;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,GACtB,MAAM,CAKR"}

package/dist/router/logger.js

@@ -0,0 +1,130 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openDatabase = openDatabase;
+exports.logRouterRequest = logRouterRequest;
+exports.calculateCost = calculateCost;
+const better_sqlite3_1 = __importDefault(require("better-sqlite3"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+// Schema embedded as a constant so we can initialize the DB at runtime
+// without reading from disk (the .sql file is for documentation/migrations).
+const SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS router_logs (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  timestamp TEXT NOT NULL,
+  model TEXT NOT NULL,
+  provider TEXT NOT NULL,
+  input_tokens INTEGER NOT NULL DEFAULT 0,
+  output_tokens INTEGER NOT NULL DEFAULT 0,
+  cost REAL NOT NULL DEFAULT 0,
+  latency_ms INTEGER NOT NULL DEFAULT 0,
+  complexity TEXT NOT NULL,
+  strategy TEXT NOT NULL,
+  fallback INTEGER NOT NULL DEFAULT 0,
+  success INTEGER NOT NULL DEFAULT 1,
+  error TEXT,
+  leak_detected INTEGER NOT NULL DEFAULT 0
+);
+
+CREATE INDEX IF NOT EXISTS idx_router_logs_timestamp ON router_logs(timestamp);
+`;
+/**
+ * Opens (or creates) the SQLite database and ensures the schema exists.
+ * The DB file is stored at <dataDir>/router.db.
+ */
+function openDatabase(dataDir) {
+    if (!fs.existsSync(dataDir)) {
+        fs.mkdirSync(dataDir, { recursive: true });
+    }
+    const dbPath = path.join(dataDir, "router.db");
+    const db = new better_sqlite3_1.default(dbPath);
+    // Enable WAL for better concurrency (read while writing)
+    db.pragma("journal_mode = WAL");
+    db.exec(SCHEMA_SQL);
+    return db;
+}
+/**
+ * Inserts a log entry synchronously (SQLite writes are fast enough for this use case).
+ * Called after every proxied request.
+ */
+function logRouterRequest(db, entry) {
+    try {
+        const stmt = db.prepare(`
+      INSERT INTO router_logs (
+        timestamp, model, provider,
+        input_tokens, output_tokens, cost,
+        latency_ms, complexity, strategy,
+        fallback, success, error, leak_detected
+      ) VALUES (
+        @timestamp, @model, @provider,
+        @inputTokens, @outputTokens, @cost,
+        @latencyMs, @complexity, @strategy,
+        @fallback, @success, @error, @leakDetected
+      )
+    `);
+        stmt.run({
+            timestamp: entry.timestamp,
+            model: entry.model,
+            provider: entry.provider,
+            inputTokens: entry.inputTokens,
+            outputTokens: entry.outputTokens,
+            cost: entry.cost,
+            latencyMs: entry.latencyMs,
+            complexity: entry.complexity,
+            strategy: entry.strategy,
+            fallback: entry.fallback ? 1 : 0,
+            success: entry.success ? 1 : 0,
+            error: entry.error ?? null,
+            leakDetected: entry.leakDetected ? 1 : 0,
+        });
+    }
+    catch (err) {
+        // Logging must never crash the proxy
+        console.error("[router/logger] Failed to write log entry:", err);
+    }
+}
+/**
+ * Calculates the cost in USD for a request given the model prices.
+ * inputPrice and outputPrice are expressed per 1M tokens.
+ */
+function calculateCost(inputTokens, outputTokens, inputPricePerM, outputPricePerM) {
+    return ((inputTokens / 1_000_000) * inputPricePerM +
+        (outputTokens / 1_000_000) * outputPricePerM);
+}
+//# sourceMappingURL=logger.js.map

package/dist/router/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/router/logger.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,oCAaC;AAMD,4CAsCC;AAMD,sCAUC;AAzGD,oEAAsC;AACtC,uCAAyB;AACzB,2CAA6B;AAG7B,uEAAuE;AACvE,6EAA6E;AAC7E,MAAM,UAAU,GAAG;;;;;;;;;;;;;;;;;;;CAmBlB,CAAC;AAEF;;;GAGG;AACH,SAAgB,YAAY,CAAC,OAAe;IAC1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC/C,MAAM,EAAE,GAAG,IAAI,wBAAQ,CAAC,MAAM,CAAC,CAAC;IAEhC,yDAAyD;IACzD,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAChC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEpB,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAC9B,EAAqB,EACrB,KAAqB;IAErB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;;;;;;KAYvB,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAChC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9B,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;YAC1B,YAAY,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SACzC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,qCAAqC;QACrC,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAC3B,WAAmB,EACnB,YAAoB,EACpB,cAAsB,EACtB,eAAuB;IAEvB,OAAO,CACL,CAAC,WAAW,GAAG,SAAS,CAAC,GAAG,cAAc;QAC1C,CAAC,YAAY,GAAG,SAAS,CAAC,GAAG,eAAe,CAC7C,CAAC;AACJ,CAAC"}

package/dist/router/models.d.ts

@@ -0,0 +1,5 @@
+import { ModelConfig } from "../config";
+export declare const MODELS: ModelConfig[];
+export declare const MODELS_BY_ID: Map<string, ModelConfig>;
+export declare const MODELS_BY_PROVIDER: Map<string, ModelConfig[]>;
+//# sourceMappingURL=models.d.ts.map

package/dist/router/models.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../src/router/models.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,eAAO,MAAM,MAAM,EAAE,WAAW,EA4E/B,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAEjD,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,CAmBxD,CAAC"}

package/dist/router/models.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MODELS_BY_PROVIDER = exports.MODELS_BY_ID = exports.MODELS = void 0;
+exports.MODELS = [
+    // Anthropic
+    {
+        id: "claude-haiku-4-5-20251001",
+        displayName: "Claude Haiku 4.5",
+        inputPrice: 0.80,
+        outputPrice: 4.00,
+        maxTokens: 8192,
+        tier: "economy",
+    },
+    {
+        id: "claude-sonnet-4-6",
+        displayName: "Claude Sonnet 4.6",
+        inputPrice: 3.00,
+        outputPrice: 15.00,
+        maxTokens: 8192,
+        tier: "standard",
+    },
+    {
+        id: "claude-opus-4-6",
+        displayName: "Claude Opus 4.6",
+        inputPrice: 15.00,
+        outputPrice: 75.00,
+        maxTokens: 8192,
+        tier: "premium",
+    },
+    // Google
+    {
+        id: "gemini-2.0-flash",
+        displayName: "Gemini 2.0 Flash",
+        inputPrice: 0.10,
+        outputPrice: 0.40,
+        maxTokens: 8192,
+        tier: "economy",
+    },
+    {
+        id: "gemini-2.0-pro",
+        displayName: "Gemini 2.0 Pro",
+        inputPrice: 1.25,
+        outputPrice: 5.00,
+        maxTokens: 8192,
+        tier: "standard",
+    },
+    {
+        id: "gemini-2.5-pro",
+        displayName: "Gemini 2.5 Pro",
+        inputPrice: 1.25,
+        outputPrice: 10.00,
+        maxTokens: 65536,
+        tier: "premium",
+    },
+    // OpenAI
+    {
+        id: "gpt-4o-mini",
+        displayName: "GPT-4o Mini",
+        inputPrice: 0.15,
+        outputPrice: 0.60,
+        maxTokens: 16384,
+        tier: "economy",
+    },
+    {
+        id: "gpt-4o",
+        displayName: "GPT-4o",
+        inputPrice: 2.50,
+        outputPrice: 10.00,
+        maxTokens: 16384,
+        tier: "standard",
+    },
+    {
+        id: "o3",
+        displayName: "o3",
+        inputPrice: 10.00,
+        outputPrice: 40.00,
+        maxTokens: 100000,
+        tier: "premium",
+    },
+];
+exports.MODELS_BY_ID = new Map(exports.MODELS.map((m) => [m.id, m]));
+exports.MODELS_BY_PROVIDER = new Map([
+    [
+        "anthropic",
+        exports.MODELS.filter((m) => m.id.startsWith("claude-")),
+    ],
+    [
+        "openai",
+        exports.MODELS.filter((m) => m.id.startsWith("gpt-") || m.id === "o3"),
+    ],
+    [
+        "google",
+        exports.MODELS.filter((m) => m.id.startsWith("gemini-")),
+    ],
+]);
+//# sourceMappingURL=models.js.map

package/dist/router/models.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.js","sourceRoot":"","sources":["../../src/router/models.ts"],"names":[],"mappings":";;;AAEa,QAAA,MAAM,GAAkB;IACnC,YAAY;IACZ;QACE,EAAE,EAAE,2BAA2B;QAC/B,WAAW,EAAE,kBAAkB;QAC/B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,SAAS;KAChB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,WAAW,EAAE,mBAAmB;QAChC,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,UAAU;KACjB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,WAAW,EAAE,iBAAiB;QAC9B,UAAU,EAAE,KAAK;QACjB,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,SAAS;KAChB;IACD,SAAS;IACT;QACE,EAAE,EAAE,kBAAkB;QACtB,WAAW,EAAE,kBAAkB;QAC/B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,SAAS;KAChB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,WAAW,EAAE,gBAAgB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,UAAU;KACjB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,WAAW,EAAE,gBAAgB;QAC7B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,SAAS;KAChB;IACD,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,WAAW,EAAE,aAAa;QAC1B,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,SAAS;KAChB;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,WAAW,EAAE,QAAQ;QACrB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;KACjB;IACD;QACE,EAAE,EAAE,IAAI;QACR,WAAW,EAAE,IAAI;QACjB,UAAU,EAAE,KAAK;QACjB,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,MAAM;QACjB,IAAI,EAAE,SAAS;KAChB;CACF,CAAC;AAEW,QAAA,YAAY,GAA6B,IAAI,GAAG,CAC3D,cAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAC7B,CAAC;AAEW,QAAA,kBAAkB,GAA+B,IAAI,GAAG,CAAC;IACpE;QACE,WAAW;QACX,cAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B;KACF;IACD;QACE,QAAQ;QACR,cAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,IAAI,CACzC;KACF;IACD;QACE,QAAQ;QACR,cAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAClB,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAC3B;KACF;CACF,CAAC,CAAC"}

package/dist/router/providers.d.ts

@@ -0,0 +1,4 @@
+import { ModelConfig, ProviderConfig } from "../config";
+import { ChatCompletionRequest, ChatCompletionResponse } from "./types";
+export declare function forwardToProvider(provider: ProviderConfig, model: ModelConfig, request: ChatCompletionRequest): Promise<ChatCompletionResponse>;
+//# sourceMappingURL=providers.d.ts.map

package/dist/router/providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.d.ts","sourceRoot":"","sources":["../../src/router/providers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACxD,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EAGvB,MAAM,SAAS,CAAC;AAqejB,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,cAAc,EACxB,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,sBAAsB,CAAC,CAajC"}