@ai-pip/core 0.3.0 → 0.5.0

package/CHANGELOG.md

@@ -7,6 +7,79 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.5.0] - (latest)
+
+### ✨ Added
+
+- **ISL – Semantic isolation and canonical tags (v0.5.0)**
+  - **ThreatTag**: Structural metadata for semantic isolation: `segmentId`, `startOffset`, `endOffset`, `type` (ThreatTagType), `confidence`. ISL (or SDK) produces ThreatTags; the core does not insert tags into text.
+  - **createThreatTag(segmentId, startOffset, endOffset, type, confidence)**: Factory that validates and returns a frozen ThreatTag. Validates non-empty segmentId, 0 ≤ start ≤ end, valid type, confidence in [0, 1].
+  - **Tag registry**: `VALID_TAG_TYPES` (readonly list aligned with ISL detect taxonomy) and `isValidThreatTagType(value)` for validation.
+  - **Canonical AI-PIP tag serializer** (`isl/tags/serializer.ts`): Official protocol representation only. No offsets, no segment mutation, no encapsulation logic.
+    - **openTag(type)**: Returns canonical opening tag string, e.g. `<aipip:prompt-injection>`.
+    - **closeTag(type)**: Returns canonical closing tag string, e.g. `</aipip:prompt-injection>`.
+    - **wrapWithTag(type, content)**: Returns content wrapped with opening and closing tags (pure string concatenation).
+  - **Namespace**: `AIPIP_NAMESPACE` (`"aipip"`) and `AIPIP_TAG_SCHEMA_VERSION` (1) for forward compatibility.
+  - **ThreatTagType**: Alias for threat type in tag context (aligned with `ThreatType` from detect); single source of truth remains ISL detect.
+  - **ISLResult.threatTags**: `readonly ThreatTag[]` — List of threat tags derived from segment detections (only detections with valid `ThreatTagType`). Built in `sanitize()` and passed to `buildISLResult`; SDK uses it with the canonical serializer to apply encapsulation.
+  - **buildISLResult(segments, lineage, threatTags, processingTimeMs?)**: New third parameter **threatTags** (required); `processingTimeMs` is now the fourth optional argument. Callers (e.g. `sanitize`) must pass the array of ThreatTag derived from detections (or `[]` when none).
+
+- **Benefits of semantic isolation**
+  - **No semantic corruption**: Core does not modify segment text; it produces metadata (ThreatTag) and defines the canonical tag format.
+  - **Auditable and reversible**: Tag format is deterministic and standardized; SDK applies tags at fragment level using offsets.
+  - **Clear responsibility**: SDK is responsible for applying offsets, inserting tags at correct positions, resolving multiple/overlapping tags (e.g. by descending offset order). The serializer only builds strings.
+
+### 📚 Documentation
+
+- **README.md**: New subsection *Semantic isolation and canonical tags (v0.5.0)*: ThreatTag, serializer (openTag, closeTag, wrapWithTag), encapsulation at fragment level, SDK responsibilities.
+- **FEATURE.md**: 0.5.0 section with new APIs (ThreatTag, createThreatTag, tag registry, serializer), benefits, and methods table.
+- **docs/readme.md**: Same 0.5.0 content and link from Architecture / ISL.
+
+### 📎 More information
+
+See **[FEATURE.md](./FEATURE.md)** for 0.5.0 API details.
+
+---
+
+## [0.4.0] - (unreleased)
+
+### ✨ Added
+
+- **AAL – Remediation plan (what to clean, not how)**
+  - `buildRemediationPlan(islResult, policy)`: builds a **RemediationPlan** describing *what* to clean (target segment IDs, goals, constraints). The SDK or an AI tool performs the actual cleanup.
+  - **RemediationPlan**: `strategy: 'AI_CLEANUP'`, `goals: string[]` (e.g. `remove_prompt_injection`, `remove_role_hijacking`), `constraints: string[]` (e.g. `preserve_user_intent`, `do_not_add_information`, `do_not_change_language`), `targetSegments: string[]` (segment IDs with detections), `needsRemediation: boolean`.
+  - Policy: **`remediation: { enabled: boolean }`** (replaces `removal`).
+
+- **Shared – Audit with remediation plan**
+  - **RemediationPlanLike** (shared type) for audit payloads; same shape as RemediationPlan.
+  - `formatPipelineAuditFull(..., remediationPlan?, cpe?, options?)` and `buildFullAuditPayload` / `formatPipelineAuditAsJson` accept **`remediationPlan`** in options (replacing removal plan).
+  - `formatAALForAudit(reason, remediationPlan?)` documents the remediation plan in the AAL section.
+
+- **CPE – Transversal (documented and clarified)**
+  - CPE (Cryptographic Prompt Envelope) is **transversal**: it **ensures the integrity of each layer** for greater security. It is not a sequential processing layer but a shared capability that wraps pipeline output (e.g. ISL or AAL result) with a cryptographic envelope (nonce, metadata, HMAC-SHA256), so that the result of each layer can be verified and tampering detected. Implementation lives in **`shared/envelope`**; the package exports it as **`@ai-pip/core/cpe`** for backward compatibility. Use `envelope(islResult, secretKey)` to wrap any pipeline result.
+
+### 🗑️ Removed
+
+- **AAL – Removal plan and application (moved to SDK)**
+  - **Removed**: `buildRemovalPlan`, `buildRemovalPlanFromResult`, `applyRemovalPlan`, **RemovalPlan**, **RemovedInstruction**.
+  - The core no longer performs instruction removal; it only produces a remediation plan. The SDK (or an AI cleanup tool) uses the plan to clean the content.
+
+### 🔄 Changed
+
+- **AgentPolicy**: `removal: { enabled }` → **`remediation: { enabled }`**.
+- **Audit**: All formatters and payloads use **remediationPlan** / **RemediationPlanLike** instead of removal plan / RemovalPlanLike.
+
+### 📚 Documentation
+
+- **README.md**: Examples and use cases updated to remediation (buildRemediationPlan, RemediationPlan, policy.remediation); audit section uses remediationPlan; SDK responsibility clarified (remediation execution, e.g. AI cleanup). New subsection *CPE as transversal* in Architecture: CPE ensures the **integrity of each layer** for greater security (shared/envelope, export `@ai-pip/core/cpe`); pipeline clarified (CSL → ISL → optional AAL; CPE wraps result for verification).
+- **FEATURE.md**: 0.4.0 section with new APIs, removed APIs, and CPE transversal; tables updated for remediation.
+
+### 📎 More information
+
+See **[FEATURE.md](./FEATURE.md)** for API details.
+
+---
+
 ## [0.3.0] - (unreleased)
 
 ### ✨ Added
@@ -414,6 +487,6 @@ For specific method signatures and API changes in 0.3.0, see **[FEATURE.md](./FE
 
 ---
 
-**Current Version**: 0.1.8  
+**Current Version**: 0.5.0  
 **Status**: Phase 1 - Core Layers (100% completed)