@ai-pip/core 0.1.8 → 0.2.0

package/CHANGELOG.md

@@ -7,6 +7,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.2.0] - 2026-01-26
+
+### ♻️ Architectural Refactor - ISL / AAL Separation
+
+- Refactored ISL (Instruction Sanitization Layer) to be strictly pure and semantic
+- Removed all decision-making logic from ISL:
+  - No Blocking
+  - No allowing
+  - No warnings
+  - No instruction removal
+- ISL is now responsible for:
+  - Malicious pattern detection (prompt injection, jailbreak, role hijacking, ...)
+  - Risk scoring (RiskScore)
+  - Content sanitization
+  - Signal emission and lineage preservation
+
+- Introduced AAL (Agent Action Lock) as a distinct hybrid layer:
+  - Consume ISL signal (RiskScore, detection)
+  - Applies configurable policies (ALLOW / WARN / BLOCK)
+  - Decides whether to remove malicious instructions
+  - Ensures only sanitized content reaches the LLM
+  - Designed as a core-defined contract, implemented at the SDK level
+
+- **Shared audit utilities**: Pure functions for ordered, human-readable audit output (`formatCSLForAudit`, `formatISLForAudit`, `formatISLSignalForAudit`, `formatAALForAudit`, `formatCPEForAudit`, `formatPipelineAudit`) for compliance and debugging
+
+- **Package**: Version set to 0.2.0; AAL export path corrected (`./aal` → `./dist/AAL/`)
+
+### 📚 Documentation
+
+- README.md updated to clarify the new ISL / AAL responsibility split; architecture and layer sections in English
+- **Use cases** section added with scenarios (secure chat, policy moderation, audit, DOM/API/SYSTEM sources, lineage)
+- Examples for policy-based moderation (ISL + AAL) and audit report using shared formatters
+- Audit and pretty-print utilities documented (formatCSLForAudit, formatISLForAudit, formatISLSignalForAudit, formatAALForAudit, formatCPEForAudit, formatPipelineAudit)
+
+### 🧪 Testing
+
+- Added unit tests for CSL (segment, classify), ISL (signals, emitSignal, buildISLResult, RiskScore), AAL (resolveAgentAction, buildDecisionReason, buildRemovalPlan, buildAALLineage, AnomalyScore, PolicyRule), CPE (envelope), and shared (audit formatters)
+- Integration tests updated for ISL Signal → AAL flow; all test messages in English
+- Coverage target met: **92%+** statements for CSL, ISL, AAL, CPE, and shared layers
+
+### ⚠️ Breaking Semantic Change
+
+- Although public APIs remain mostly stable, ISL behavior has changed semantically
+- Consumers must no longer expect ISL to perform actions or remove instructions
+- Decision logic must be handled by AAL or the SDK
+
 ## [0.1.8] - 2026-01-04
 
 ### 🐛 Critical Fixes - Origin Classification
@@ -92,6 +138,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.1.7] - 2026-01-04
 
+### ⚠️ DEPRECATED
+
+**Deprecation reason**: This version has incorrect source classification that doesn't match the AI-PIP protocol specification. The trust level assignments for sources (UI, DOM, API, SYSTEM) are incorrect, which can lead to improper sanitization levels and security vulnerabilities.
+
+**Known issues**:
+- Incorrect source-to-trust-level mapping (UI classified as TC instead of STC, DOM as STC instead of UC, API as UC instead of STC)
+- Inconsistent behavior with AI-PIP protocol specification
+- Tests and documentation don't match actual implementation
+- Potential security risks due to incorrect sanitization levels
+
+**Recommendation**: Update to `0.1.8` or higher, which fixes all classification issues and aligns with the AI-PIP protocol specification.
+
 ### 🐛 Critical Fixes
 
 #### Type Resolution Fix
@@ -145,6 +203,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.1.6] - 2025-12-28
 
+### ⚠️ DEPRECATED
+
+**Deprecation reason**: This version has incorrect source classification that doesn't match the AI-PIP protocol specification. The trust level assignments for sources are incorrect, which can lead to improper sanitization levels and security vulnerabilities.
+
+**Known issues**:
+- Incorrect source-to-trust-level mapping
+- Inconsistent behavior with AI-PIP protocol specification
+- Potential security risks due to incorrect sanitization levels
+
+**Recommendation**: Update to `0.1.8` or higher, which fixes all classification issues and aligns with the AI-PIP protocol specification.
+
 ### 📚 Documentation Improvements
 - **Centralized documentation**: Moved all protocol documentation to `ai-pip-docs` repository
 - **Updated README**: Added comprehensive links to centralized documentation
@@ -158,6 +227,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.1.5] - 2025-12-28
 
+### ⚠️ DEPRECATED
+
+**Deprecation reason**: This version has incorrect source classification that doesn't match the AI-PIP protocol specification. The trust level assignments for sources are incorrect, which can lead to improper sanitization levels and security vulnerabilities.
+
+**Known issues**:
+- Incorrect source-to-trust-level mapping
+- Inconsistent behavior with AI-PIP protocol specification
+- Potential security risks due to incorrect sanitization levels
+
+**Recommendation**: Update to `0.1.8` or higher, which fixes all classification issues and aligns with the AI-PIP protocol specification.
+
 ### 📚 Documentation Improvements
 - **Updated README**: Added links to whitepaper, roadmap, and complete layer documentation
 - **Updated Roadmap**: Added SDK-browser in Phase 4, updated Phase 1 status to 100% completed
@@ -176,6 +256,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.1.3] - 2025-12-28
 
+### ⚠️ DEPRECATED
+
+**Deprecation reason**: This version has incorrect source classification that doesn't match the AI-PIP protocol specification. The trust level assignments for sources are incorrect, which can lead to improper sanitization levels and security vulnerabilities.
+
+**Known issues**:
+- Incorrect source-to-trust-level mapping
+- Inconsistent behavior with AI-PIP protocol specification
+- Potential security risks due to incorrect sanitization levels
+
+**Recommendation**: Update to `0.1.8` or higher, which fixes all classification issues and aligns with the AI-PIP protocol specification.
+
 ### ✨ New Features
 - **JavaScript compilation**: The package now compiles to JavaScript (`dist/`) for better compatibility
 - **Type declaration files**: `.d.ts` files are generated for full TypeScript support

package/README.md

@@ -25,6 +25,9 @@ This package contains the **core** implementation of the protocol, which include
   - [Complete Example (Layer-Specific Imports)](#complete-example-layer-specific-imports)
   - [Example with additional functions](#example-with-additional-functions)
   - [Example: Multi-Layer Lineage and Audit Trail](#example-multi-layer-lineage-and-audit-trail)
+  - [Example: ISL Signal and AAL Integration](#example-isl-signal-aal)
+  - [Example: Audit and pretty-print utilities](#example-audit-utilities)
+  - [Use cases](#use-cases)
   - [Examples by Content Source](#examples-by-content-source)
     - [DOM Source (HTML Content)](#example-dom-source-html-content)
     - [UI Source (User Input)](#example-ui-source-user-input)
@@ -32,6 +35,7 @@ This package contains the **core** implementation of the protocol, which include
     - [API Source (External Data)](#example-api-source-external-data)
 - [Documentation](#documentation)
 - [Testing](#testing)
+  - [Coverage](#coverage)
 - [Development](#development)
 - [Requirements](#requirements)
 - [License](#license)
@@ -44,21 +48,73 @@ This package contains the **core** implementation of the protocol, which include
 <a id="architecture"></a>
 ## 🏗️ Architecture
 
-The AI-PIP protocol is composed of the following layers:
+The AI-PIP protocol is composed of the following layers with clear separation of responsibilities:
 
 ### ✅ Implemented Layers
 
 - **CSL (Context Segmentation Layer)**: Segments and classifies content according to its origin
-- **ISL (Instruction Sanitization Layer)**: Sanitizes instructions according to trust level
+- **ISL (Instruction Sanitization Layer)**: Detects malicious patterns, scores risk, and sanitizes content. Emits signals (ISLSignal) for other layers to consume.
+- **AAL (Agent Action Lock)**: Hybrid layer that consumes ISL signals and applies configurable policies (ALLOW/WARN/BLOCK). Core-defined contract, SDK-implemented.
 - **CPE (Cryptographic Prompt Envelope)**: Generates cryptographic envelope with HMAC-SHA256 signature
 
 ### 🔧 Shared Features
 
 - **Shared**: Shared functions and global incremental lineage (not a layer, but features shared between layers)
 
+### 🏛️ Architectural Principles
+
+#### Layer Separation and Signals
+
+**Fundamental rule**: A layer must never consume another layer's internal "result". It consumes a signal.
+
+- **ISLResult**: Internal result of the ISL pipeline (segments, lineage, full metadata)
+  - Intended for: debugging, reporter, internal traceability
+- **ISLSignal**: Semantic contract between layers (risk scores, detections, security signals)
+  - Intended for: AAL, SDK, Engine
+  - Does not expose ISL internals
+
+**Processing flow:**
+```
+ISL.process() 
+  → ISLResult          (internal)
+  → ISLSignal          (external)
+      → AAL consumes ISLSignal (not ISLResult)
+```
+
+#### Layer Organization
+
+Each layer follows a consistent structure:
+
+```
+Layer/
+ ├─ exceptions/        → what is invalid
+ ├─ value-objects/     → what it is
+ ├─ process/           → how it transforms
+ ├─ lineage/           → what happened
+ ├─ types.ts
+ └─ index.ts
+```
+
+**Benefits:**
+- ✅ No layer overlap
+- ✅ Clear separation of responsibilities
+- ✅ Core scales better
+- ✅ Clear separation between internals and semantic contracts
+
 ### 📝 Note on AAL and Model Gateway
 
-**AAL (Agent Action Lock)** and **Model Gateway** are SDK components, not part of the semantic core. The semantic core focuses on pure functions and signals, while these layers require operational decisions and side effects that belong to the implementation (SDK).
+**AAL (Agent Action Lock)** is a hybrid layer defined in the semantic core but implemented at the SDK level. The core provides:
+- Value objects (AnomalyScore, AgentPolicy, PolicyRule)
+- Semantic contracts and types
+- Pure functions for decision logic
+
+The SDK implements:
+- Operational decision execution
+- Policy enforcement
+- Instruction removal
+- Side effects and state management
+
+**Model Gateway** is a pure SDK component for routing and managing AI model interactions.
 
 <a id="installation"></a>
 ## 📦 Installation
@@ -97,8 +153,12 @@ import { segment, classifySource, createTrustLevel } from '@ai-pip/core/csl'
 import type { CSLResult, CSLSegment, TrustLevel } from '@ai-pip/core/csl'
 
 // Import from ISL (Instruction Sanitization Layer)
-import { sanitize } from '@ai-pip/core/isl'
-import type { ISLResult, ISLSegment } from '@ai-pip/core/isl'
+import { sanitize, createISLSignal } from '@ai-pip/core/isl'
+import type { ISLResult, ISLSegment, ISLSignal } from '@ai-pip/core/isl'
+
+// Import from AAL (Agent Action Lock)
+import { createAnomalyScore, resolveAgentAction } from '@ai-pip/core/aal'
+import type { AnomalyScore, AgentPolicy } from '@ai-pip/core/aal'
 
 // Import from CPE (Cryptographic Prompt Envelope)
 import { envelope, createNonce, createMetadata } from '@ai-pip/core/cpe'
@@ -139,7 +199,7 @@ This example demonstrates the complete AI-PIP processing pipeline:
 
 1. **CSL (Context Segmentation Layer)**: The `segment()` function takes user input and segments it into semantic chunks. Each segment is classified by its origin (`source: 'UI'`), which determines its trust level. The result contains multiple segments, each with its own trust classification and lineage tracking.
 
-2. **ISL (Instruction Sanitization Layer)**: The `sanitize()` function processes the segmented content and applies sanitization based on each segment's trust level. Trusted content (TC) receives minimal sanitization, semi-trusted (STC) gets moderate sanitization, and untrusted content (UC) receives aggressive sanitization to remove potential prompt injection attempts.
+2. **ISL (Instruction Sanitization Layer)**: The `sanitize()` function processes the segmented content and applies sanitization based on each segment's trust level. Trusted content (TC) receives minimal sanitization, semi-trusted (STC) gets moderate sanitization, and untrusted content (UC) receives aggressive sanitization to remove potential prompt injection attempts. ISL also detects malicious patterns and emits signals (ISLSignal) that can be consumed by AAL for policy-based decisions.
 
 3. **CPE (Cryptographic Prompt Envelope)**: The `envelope()` function creates a cryptographic wrapper around the sanitized content. It generates a unique nonce, timestamp, and HMAC-SHA256 signature to ensure the integrity and authenticity of the processed prompt. The resulting envelope can be safely sent to an AI model with cryptographic proof that the content hasn't been tampered with.
 
@@ -529,6 +589,193 @@ const cpeResult = envelope(islResult, 'your-secret-key')
 - Enhanced pattern matching and anomaly detection
 - Production-ready implementations with comprehensive security features
 - and more...
+
+---
+
+<a id="example-isl-signal-aal"></a>
+### Example: ISL Signal and AAL Integration
+
+**How signals work:** ISL produces an internal result (`ISLResult`). You call `emitSignal(islResult)` to obtain an `ISLSignal` (risk score, detections, `hasThreats`). AAL consumes only this signal via `resolveAgentAction(islSignal, policy)` and never sees `ISLResult`. Minimal flow:
+
+```typescript
+const islResult = sanitize(cslResult)       // ISL internal result
+const islSignal = emitSignal(islResult)      // External signal for other layers
+const action = resolveAgentAction(islSignal, policy)  // AAL consumes signal → 'ALLOW' | 'WARN' | 'BLOCK'
+```
+
+Full example below demonstrates the signal-based communication between ISL and AAL layers, following the architectural principle that layers should consume signals, not internal results:
+
+```typescript
+import {
+  segment,
+  sanitize,
+  emitSignal,
+  resolveAgentAction,
+  buildDecisionReason,
+  buildRemovalPlan
+} from '@ai-pip/core'
+import type { ISLSignal, AgentPolicy } from '@ai-pip/core'
+
+// 1. Segment content (CSL)
+const cslResult = segment({
+  content: 'User input with potential injection',
+  source: 'UI',
+  metadata: {}
+})
+
+// 2. Sanitize content (ISL) - produces internal result
+const islResult = sanitize(cslResult)
+
+// 3. Emit signal from ISL result - external contract
+const islSignal: ISLSignal = emitSignal(islResult)
+
+// 4. Define agent policy
+const policy: AgentPolicy = {
+  thresholds: {
+    warn: 0.3,
+    block: 0.7
+  },
+  removal: {
+    enabled: true
+  },
+  mode: 'balanced'
+}
+
+// 5. AAL consumes ISLSignal (not ISLResult) and resolves action
+const action = resolveAgentAction(islSignal, policy)
+console.log('Agent action:', action) // 'ALLOW', 'WARN', or 'BLOCK'
+
+// 6. Build decision reason for audit
+const reason = buildDecisionReason(action, islSignal, policy)
+console.log('Decision reason:', reason.reason)
+
+// 7. Build removal plan if threats detected
+const removalPlan = buildRemovalPlan(islSignal, policy)
+if (removalPlan.shouldRemove) {
+  console.log(`Removing ${removalPlan.instructionsToRemove.length} instruction(s)`)
+}
+```
+
+**What this example demonstrates:**
+
+1. **Signal-Based Communication**: ISL emits `ISLSignal` (external contract) instead of exposing `ISLResult` (internal). This maintains layer separation.
+
+2. **AAL Decision Making**: AAL consumes the signal and applies configurable policies to determine actions (ALLOW/WARN/BLOCK).
+
+3. **Separation of Concerns**: 
+   - ISL: Detects threats, scores risk, sanitizes content
+   - AAL: Evaluates signals, applies policies, builds removal plans
+   - SDK: Executes actions, removes instructions, manages state
+
+4. **Architectural Benefits**:
+   - ✅ No layer coupling (AAL doesn't know ISL internals)
+   - ✅ Clear contracts between layers
+   - ✅ Easy to test and maintain
+   - ✅ Scalable architecture
+
+**Key Principle**: A layer should never consume the internal "result" of another layer. It consumes a signal.
+
+---
+
+<a id="example-audit-utilities"></a>
+### Example: Audit and pretty-print utilities
+
+The core provides pure functions to format layer results and signals for clear, ordered audit output. Use them for logging, compliance, and debugging:
+
+```typescript
+import {
+  segment,
+  sanitize,
+  emitSignal,
+  envelope,
+  resolveAgentAction,
+  buildDecisionReason,
+  buildRemovalPlan,
+  formatCSLForAudit,
+  formatISLForAudit,
+  formatISLSignalForAudit,
+  formatAALForAudit,
+  formatCPEForAudit,
+  formatPipelineAudit
+} from '@ai-pip/core'
+import type { AgentPolicy } from '@ai-pip/core'
+
+// Run pipeline
+const cslResult = segment({ content: 'User input', source: 'UI', metadata: {} })
+const islResult = sanitize(cslResult)
+const islSignal = emitSignal(islResult)
+const cpeResult = envelope(islResult, 'secret-key')
+
+const policy: AgentPolicy = {
+  thresholds: { warn: 0.3, block: 0.7 },
+  removal: { enabled: true }
+}
+const action = resolveAgentAction(islSignal, policy)
+const reason = buildDecisionReason(action, islSignal, policy)
+const removalPlan = buildRemovalPlan(islSignal, policy)
+
+// Pretty-print per layer (ordered, human-readable)
+console.log(formatCSLForAudit(cslResult))
+console.log(formatISLForAudit(islResult))
+console.log(formatISLSignalForAudit(islSignal))
+console.log(formatAALForAudit(reason, removalPlan))
+console.log(formatCPEForAudit(cpeResult))
+
+// Full pipeline audit report
+const fullAudit = formatPipelineAudit(cslResult, islResult, cpeResult, {
+  title: 'AI-PIP Pipeline Audit',
+  sectionSeparator: '\n\n'
+})
+console.log(fullAudit)
+```
+
+**What this example demonstrates:**
+
+- **`formatCSLForAudit(result)`**: Formats CSL result (segments, trust, lineage) for audit.
+- **`formatISLForAudit(result)`**: Formats ISL result (segments, sanitization level, metadata, lineage).
+- **`formatISLSignalForAudit(signal)`**: Formats ISL signal (risk score, threats, detections) for audit.
+- **`formatAALForAudit(reason, removalPlan?)`**: Formats AAL decision reason and optional removal plan.
+- **`formatCPEForAudit(result)`**: Formats CPE result (metadata, signature, lineage).
+- **`formatPipelineAudit(csl, isl, cpe, options?)`**: Builds a single full pipeline audit string.
+
+All formatters accept minimal shapes (layer-agnostic) so you can pass any compatible object. Output is ordered and consistent for compliance and debugging.
+
+<a id="use-cases"></a>
+### Use cases
+
+Typical scenarios where AI-PIP core is used:
+
+| Use case | Layers involved | Goal |
+|----------|-----------------|------|
+| **Secure user chat** | CSL → ISL → CPE | Segment UI input, sanitize, wrap in envelope before sending to the model. |
+| **Policy-based moderation** | CSL → ISL → emitSignal → AAL | Get risk signal from ISL, resolve ALLOW/WARN/BLOCK and removal plan from AAL. |
+| **Audit and compliance** | Shared audit formatters | Pretty-print CSL/ISL/AAL/CPE results and full pipeline for logs and reports. |
+| **DOM / scraped content** | CSL (source: DOM) → ISL → CPE | Treat web content as untrusted (UC), apply aggressive sanitization. |
+| **System instructions** | CSL (source: SYSTEM) → ISL → CPE | Trusted content (TC), minimal sanitization. |
+| **Lineage and forensics** | All layers | Use lineage from results and `filterLineageByStep` / `getLastLineageEntry` for tracing. |
+
+**Example: policy-based moderation (ISL + AAL)**
+
+```typescript
+const cslResult = segment({ content: userInput, source: 'UI', metadata: {} })
+const islResult = sanitize(cslResult)
+const signal = emitSignal(islResult)
+const action = resolveAgentAction(signal, policy)
+const reason = buildDecisionReason(action, signal, policy)
+const plan = buildRemovalPlan(signal, policy)
+// Use action, reason, and plan in your SDK to enforce policy and optionally remove instructions.
+```
+
+**Example: audit report**
+
+```typescript
+const report = formatPipelineAudit(cslResult, islResult, cpeResult, {
+  title: 'Request Audit',
+  sectionSeparator: '\n---\n'
+})
+logger.info(report)
+```
+
 <a id="documentation"></a>
 ## 📚 Documentation
 
@@ -545,6 +792,7 @@ All AI-PIP protocol documentation is centralized in the [documentation repositor
 - **[Core Overview](https://github.com/AI-PIP/ai-pip-docs/blob/main/docs/core/CORE.md)** - Semantic core description
 - **[CSL (Context Segmentation Layer)](https://github.com/AI-PIP/ai-pip-docs/blob/main/docs/core/layers/CSL.md)** - Context segmentation layer
 - **[ISL (Instruction Sanitization Layer)](https://github.com/AI-PIP/ai-pip-docs/blob/main/docs/core/layers/ISL.md)** - Instruction sanitization layer
+- **[AAL (Agent Action Lock)](https://github.com/AI-PIP/ai-pip-docs/blob/main/docs/core/layers/AAL.md)** - Agent Action Lock (hybrid layer)
 - **[CPE (Cryptographic Prompt Envelope)](https://github.com/AI-PIP/ai-pip-docs/blob/main/docs/core/layers/CPE.md)** - Cryptographic prompt envelope
 - **[Shared](https://github.com/AI-PIP/ai-pip-docs/blob/main/docs/core/layers/shared.md)** - Shared features and lineage
 
@@ -575,7 +823,9 @@ pnpm test:coverage
 pnpm test:ui
 ```
 
-**Current coverage**: 88.5%
+### Coverage
+- **Current coverage**: 92%+ (CSL, ISL, AAL, CPE, shared)
+
 
 <a id="development"></a>
 ## 🔧 Development
@@ -752,5 +1002,6 @@ For complete details and all version history, see [CHANGELOG.md](./CHANGELOG.md)
 
 ---
 
-**Current Version**: 0.1.8  
-**Status**: Phase 1 - Core Layers (100% completed)
+**Current Version**: 0.2.0  
+**Status**: Phase 1 - Core Layers (100% completed)  
+**Latest**: Architectural refactor with ISL/AAL separation and signal-based communication

package/dist/AAL/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * AAL (Agent Action Lock) - Semantic Core
+ *
+ * @remarks
+ * This is the semantic core of AAL. It only contains:
+ * - Pure functions (stateless)
+ * - Immutable value objects
+ * - Types
+ * - Decision processing
+ *
+ * **Architecture:**
+ * - Consumes ISLSignal (not ISLResult) to maintain layer separation
+ * - Applies configurable policies (ALLOW/WARN/BLOCK)
+ * - Builds instruction removal plans
+ * - Does not execute actions (that is SDK responsibility)
+ *
+ * **Does NOT contain:**
+ * - Prompt injection detection (goes to ISL)
+ * - Stateful services (go to SDK)
+ * - Action execution (goes to SDK)
+ */
+export { createAnomalyScore, isHighRisk, isLowRisk, isWarnRisk, isRoleProtected, isContextLeakPreventionEnabled, isInstructionImmutable, isIntentBlocked, isScopeSensitive } from './value-objects/index.js';
+export type { AnomalyScore, PolicyRule } from './value-objects/index.js';
+export { resolveAgentAction, resolveAgentActionWithScore, buildDecisionReason, buildRemovalPlan } from './process/index.js';
+export type { DecisionReason, RemovalPlan } from './process/index.js';
+export { buildAALLineage } from './lineage/index.js';
+export type { AnomalyAction, RemovedInstruction, BlockedIntent, SensitiveScope, ProtectedRole, ImmutableInstruction, AgentPolicy, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/AAL/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/AAL/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EACH,kBAAkB,EAClB,UAAU,EACV,SAAS,EACT,UAAU,EACV,eAAe,EACf,8BAA8B,EAC9B,sBAAsB,EACtB,eAAe,EACf,gBAAgB,EACnB,MAAM,0BAA0B,CAAA;AAEjC,YAAY,EACR,YAAY,EACZ,UAAU,EACb,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACH,kBAAkB,EAClB,2BAA2B,EAC3B,mBAAmB,EACnB,gBAAgB,EACnB,MAAM,oBAAoB,CAAA;AAE3B,YAAY,EACR,cAAc,EACd,WAAW,EACd,MAAM,oBAAoB,CAAA;AAG3B,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AAGpD,YAAY,EACR,aAAa,EACb,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,aAAa,EACb,oBAAoB,EACpB,WAAW,GACd,MAAM,YAAY,CAAA"}

package/dist/AAL/index.js

@@ -0,0 +1,28 @@
+/**
+ * AAL (Agent Action Lock) - Semantic Core
+ *
+ * @remarks
+ * This is the semantic core of AAL. It only contains:
+ * - Pure functions (stateless)
+ * - Immutable value objects
+ * - Types
+ * - Decision processing
+ *
+ * **Architecture:**
+ * - Consumes ISLSignal (not ISLResult) to maintain layer separation
+ * - Applies configurable policies (ALLOW/WARN/BLOCK)
+ * - Builds instruction removal plans
+ * - Does not execute actions (that is SDK responsibility)
+ *
+ * **Does NOT contain:**
+ * - Prompt injection detection (goes to ISL)
+ * - Stateful services (go to SDK)
+ * - Action execution (goes to SDK)
+ */
+// Value objects
+export { createAnomalyScore, isHighRisk, isLowRisk, isWarnRisk, isRoleProtected, isContextLeakPreventionEnabled, isInstructionImmutable, isIntentBlocked, isScopeSensitive } from './value-objects/index.js';
+// Process functions
+export { resolveAgentAction, resolveAgentActionWithScore, buildDecisionReason, buildRemovalPlan } from './process/index.js';
+// Lineage
+export { buildAALLineage } from './lineage/index.js';
+//# sourceMappingURL=index.js.map

package/dist/AAL/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/AAL/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,gBAAgB;AAChB,OAAO,EACH,kBAAkB,EAClB,UAAU,EACV,SAAS,EACT,UAAU,EACV,eAAe,EACf,8BAA8B,EAC9B,sBAAsB,EACtB,eAAe,EACf,gBAAgB,EACnB,MAAM,0BAA0B,CAAA;AAOjC,oBAAoB;AACpB,OAAO,EACH,kBAAkB,EAClB,2BAA2B,EAC3B,mBAAmB,EACnB,gBAAgB,EACnB,MAAM,oBAAoB,CAAA;AAO3B,UAAU;AACV,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA"}

package/dist/AAL/lineage/buildAALLineage.d.ts

@@ -0,0 +1,22 @@
+/**
+ * buildAALLineage - Builds AAL lineage
+ *
+ * @remarks
+ * This function builds and updates the AAL-specific lineage,
+ * adding decision and action entries for auditing and traceability.
+ *
+ * **Responsibility:**
+ * - Build AAL lineage
+ * - Add decision entries
+ * - Preserve lineage from previous layers
+ */
+import type { LineageEntry } from '../../csl/value-objects/index.js';
+/**
+ * Builds AAL lineage by adding a processing entry
+ *
+ * @param previousLineage - Lineage from previous layers
+ * @param timestamp - Processing timestamp (default: Date.now())
+ * @returns Updated lineage with AAL entry
+ */
+export declare function buildAALLineage(previousLineage: readonly LineageEntry[], timestamp?: number): readonly LineageEntry[];
+//# sourceMappingURL=buildAALLineage.d.ts.map

package/dist/AAL/lineage/buildAALLineage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildAALLineage.d.ts","sourceRoot":"","sources":["../../../src/AAL/lineage/buildAALLineage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAA;AAIpE;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,eAAe,EAAE,SAAS,YAAY,EAAE,EACxC,SAAS,GAAE,MAAmB,GAC7B,SAAS,YAAY,EAAE,CAGzB"}

package/dist/AAL/lineage/buildAALLineage.js

@@ -0,0 +1,26 @@
+/**
+ * buildAALLineage - Builds AAL lineage
+ *
+ * @remarks
+ * This function builds and updates the AAL-specific lineage,
+ * adding decision and action entries for auditing and traceability.
+ *
+ * **Responsibility:**
+ * - Build AAL lineage
+ * - Add decision entries
+ * - Preserve lineage from previous layers
+ */
+import { createLineageEntry } from '../../csl/value-objects/index.js';
+import { addLineageEntry } from '../../shared/lineage.js';
+/**
+ * Builds AAL lineage by adding a processing entry
+ *
+ * @param previousLineage - Lineage from previous layers
+ * @param timestamp - Processing timestamp (default: Date.now())
+ * @returns Updated lineage with AAL entry
+ */
+export function buildAALLineage(previousLineage, timestamp = Date.now()) {
+    const aalEntry = createLineageEntry('AAL', timestamp);
+    return addLineageEntry(previousLineage, aalEntry);
+}
+//# sourceMappingURL=buildAALLineage.js.map

package/dist/AAL/lineage/buildAALLineage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildAALLineage.js","sourceRoot":"","sources":["../../../src/AAL/lineage/buildAALLineage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAEzD;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,eAAwC,EACxC,YAAoB,IAAI,CAAC,GAAG,EAAE;IAE9B,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAA;IACrD,OAAO,eAAe,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAA;AACnD,CAAC"}

package/dist/AAL/lineage/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * AAL Lineage - Lineage construction for AAL
+ */
+export { buildAALLineage } from './buildAALLineage.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/AAL/lineage/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/AAL/lineage/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA"}

package/dist/AAL/lineage/index.js

@@ -0,0 +1,5 @@
+/**
+ * AAL Lineage - Lineage construction for AAL
+ */
+export { buildAALLineage } from './buildAALLineage.js';
+//# sourceMappingURL=index.js.map

package/dist/AAL/lineage/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/AAL/lineage/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA"}

package/dist/AAL/process/buildDecisionReason.d.ts

@@ -0,0 +1,36 @@
+/**
+ * buildDecisionReason - Builds the reason for an AAL decision
+ *
+ * @remarks
+ * This function builds a human-readable description of why
+ * a specific decision was made (ALLOW, WARN, BLOCK).
+ *
+ * **Responsibility:**
+ * - Generate readable decision reasons
+ * - Include risk score and threshold information
+ * - Facilitate auditing and debugging
+ */
+import type { AnomalyAction } from '../types.js';
+import type { ISLSignal } from '../../isl/signals.js';
+import type { AgentPolicy } from '../types.js';
+/**
+ * Reason for an AAL decision
+ */
+export interface DecisionReason {
+    readonly action: AnomalyAction;
+    readonly riskScore: number;
+    readonly threshold: number;
+    readonly reason: string;
+    readonly hasThreats: boolean;
+    readonly detectionCount: number;
+}
+/**
+ * Builds the reason for a decision
+ *
+ * @param action - Determined action (ALLOW, WARN, BLOCK)
+ * @param islSignal - ISL signal that originated the decision
+ * @param policy - Applied policy
+ * @returns DecisionReason with complete information
+ */
+export declare function buildDecisionReason(action: AnomalyAction, islSignal: ISLSignal, policy: AgentPolicy): DecisionReason;
+//# sourceMappingURL=buildDecisionReason.d.ts.map

package/dist/AAL/process/buildDecisionReason.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildDecisionReason.d.ts","sourceRoot":"","sources":["../../../src/AAL/process/buildDecisionReason.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAChD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAE9C;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAA;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAA;IAC5B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;CAChC;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,aAAa,EACrB,SAAS,EAAE,SAAS,EACpB,MAAM,EAAE,WAAW,GAClB,cAAc,CA2BhB"}