@ai-pip/core 0.4.0 → 0.5.0

package/CHANGELOG.md

@@ -7,6 +7,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.5.0] - (latest)
+
+### ✨ Added
+
+- **ISL – Semantic isolation and canonical tags (v0.5.0)**
+  - **ThreatTag**: Structural metadata for semantic isolation: `segmentId`, `startOffset`, `endOffset`, `type` (ThreatTagType), `confidence`. ISL (or SDK) produces ThreatTags; the core does not insert tags into text.
+  - **createThreatTag(segmentId, startOffset, endOffset, type, confidence)**: Factory that validates and returns a frozen ThreatTag. Validates non-empty segmentId, 0 ≤ start ≤ end, valid type, confidence in [0, 1].
+  - **Tag registry**: `VALID_TAG_TYPES` (readonly list aligned with ISL detect taxonomy) and `isValidThreatTagType(value)` for validation.
+  - **Canonical AI-PIP tag serializer** (`isl/tags/serializer.ts`): Official protocol representation only. No offsets, no segment mutation, no encapsulation logic.
+    - **openTag(type)**: Returns canonical opening tag string, e.g. `<aipip:prompt-injection>`.
+    - **closeTag(type)**: Returns canonical closing tag string, e.g. `</aipip:prompt-injection>`.
+    - **wrapWithTag(type, content)**: Returns content wrapped with opening and closing tags (pure string concatenation).
+  - **Namespace**: `AIPIP_NAMESPACE` (`"aipip"`) and `AIPIP_TAG_SCHEMA_VERSION` (1) for forward compatibility.
+  - **ThreatTagType**: Alias for threat type in tag context (aligned with `ThreatType` from detect); single source of truth remains ISL detect.
+  - **ISLResult.threatTags**: `readonly ThreatTag[]` — List of threat tags derived from segment detections (only detections with valid `ThreatTagType`). Built in `sanitize()` and passed to `buildISLResult`; SDK uses it with the canonical serializer to apply encapsulation.
+  - **buildISLResult(segments, lineage, threatTags, processingTimeMs?)**: New third parameter **threatTags** (required); `processingTimeMs` is now the fourth optional argument. Callers (e.g. `sanitize`) must pass the array of ThreatTag derived from detections (or `[]` when none).
+
+- **Benefits of semantic isolation**
+  - **No semantic corruption**: Core does not modify segment text; it produces metadata (ThreatTag) and defines the canonical tag format.
+  - **Auditable and reversible**: Tag format is deterministic and standardized; SDK applies tags at fragment level using offsets.
+  - **Clear responsibility**: SDK is responsible for applying offsets, inserting tags at correct positions, resolving multiple/overlapping tags (e.g. by descending offset order). The serializer only builds strings.
+
+### 📚 Documentation
+
+- **README.md**: New subsection *Semantic isolation and canonical tags (v0.5.0)*: ThreatTag, serializer (openTag, closeTag, wrapWithTag), encapsulation at fragment level, SDK responsibilities.
+- **FEATURE.md**: 0.5.0 section with new APIs (ThreatTag, createThreatTag, tag registry, serializer), benefits, and methods table.
+- **docs/readme.md**: Same 0.5.0 content and link from Architecture / ISL.
+
+### 📎 More information
+
+See **[FEATURE.md](./FEATURE.md)** for 0.5.0 API details.
+
+---
+
 ## [0.4.0] - (unreleased)
 
 ### ✨ Added
@@ -453,6 +487,6 @@ For specific method signatures and API changes in 0.3.0, see **[FEATURE.md](./FE
 
 ---
 
-**Current Version**: 0.4.0  
+**Current Version**: 0.5.0  
 **Status**: Phase 1 - Core Layers (100% completed)
 

package/README.md

@@ -25,7 +25,7 @@ AI-powered browsers and chat interfaces (e.g. **GPT Atlas**, embedded AI in web
 | Layer | Role |
 |-------|------|
 | **CSL** (Context Segmentation Layer) | Segments and classifies content by origin (UI, DOM, API, SYSTEM). |
-| **ISL** (Instruction Sanitization Layer) | Detects threats (~287 patterns), scores risk, sanitizes content, and emits a **signal** (risk score, detections) for other layers. |
+| **ISL** (Instruction Sanitization Layer) | Detects threats (~287 patterns), scores risk, sanitizes content, and emits a **signal** (risk score, detections) for other layers. From **v0.5.0**: produces **ThreatTag** metadata and exposes the **canonical tag serializer** for semantic isolation (encapsulation with `<aipip:threat-type>...</aipip>` is applied by the SDK at fragment level). |
 | **AAL** (Agent Action Lock) | Consumes the ISL signal and applies policy: **ALLOW**, **WARN**, or **BLOCK**. Produces a **remediation plan** (what to clean—target segments, goals, constraints); the SDK or an AI agent performs the actual cleanup. |
 | **CPE** (Cryptographic Prompt Envelope) | **Transversal**: ensures the **integrity of each layer**. Wraps pipeline output with a signed envelope (nonce, metadata, HMAC-SHA256) so that results can be verified. Implemented in `shared/envelope`; exported as `@ai-pip/core/cpe`. |
 
@@ -35,6 +35,8 @@ The processing pipeline is **CSL → ISL** (optionally **AAL** consumes the sign
 - **`source`** (UI, DOM, API, SYSTEM) determines trust level and sanitization. It **must be set only by trusted code** (backend/SDK), **never** derived from user input. Otherwise an attacker could send `source: 'SYSTEM'` and reduce sanitization.
 - **CPE secret key**: The key passed to `envelope(..., secretKey)` **must not be logged or serialized**. Key rotation and storage are the **SDK’s responsibility** (e.g. use a key id in metadata and multiple keys in the verifier).
 
+**Semantic isolation and canonical tags (v0.5.0):** The core does **not** modify segment text. It produces **ThreatTag** metadata (segmentId, offsets, type, confidence) and defines the **canonical AI-PIP tag format** via the serializer (`openTag`, `closeTag`, `wrapWithTag`). Encapsulation with tags like `<aipip:prompt-injection>...</aipip>` is applied by the **SDK** at fragment level. Benefits: no semantic corruption, auditable and reversible, deterministic; the SDK is responsible for applying offsets, insertions, and ordering (e.g. by descending offset when resolving multiple tags).
+
 ---
 
 ## Installation
@@ -82,8 +84,9 @@ if (remediationPlan.needsRemediation) {
 
 - **Full README** (examples, use cases, audit, all layers): [docs/readme.md](./docs/readme.md)
 - **Protocol docs** (whitepaper, architecture, layers): [AI-PIP documentation repository](https://github.com/AI-PIP/ai-pip-docs)
-- **Package changelog**: [CHANGELOG.md](./CHANGELOG.md)  
+- **Package changelog**: [CHANGELOG.md](./CHANGELOG.md) — Latest: **0.5.0** (unreleased)  
 - **Features by version**: [FEATURE.md](./FEATURE.md)
+- **Roadmap** (path to 1.0.0): [roadmap.md](./roadmap.md)
 
 ---
 

package/dist/isl/index.d.ts

@@ -26,4 +26,6 @@ export type { PiDetection, PiDetectionResult, Pattern, RiskScore } from './value
 export { createPiDetection, getDetectionLength, isHighConfidence, isMediumConfidence, isLowConfidence, createPiDetectionResult, hasDetections, getDetectionCount, getDetectionsByType, getHighestConfidenceDetection, createPattern, matchesPattern, findMatch, MAX_CONTENT_LENGTH, MAX_PATTERN_LENGTH, MAX_MATCHES, createRiskScore, normalizeRiskScore, isHighRiskScore, isMediumRiskScore, isLowRiskScore, MIN_RISK_SCORE, MAX_RISK_SCORE } from './value-objects/index.js';
 export { SanitizationError } from './exceptions/SanitizationError.js';
 export type { RiskScore as RiskScoreType, ISLSegment, ISLResult } from './types.js';
+export { AIPIP_NAMESPACE, AIPIP_TAG_SCHEMA_VERSION, createThreatTag, VALID_TAG_TYPES, isValidThreatTagType, openTag, closeTag, wrapWithTag } from './tags/index.js';
+export type { ThreatTag, ThreatTagType } from './tags/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/isl/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/isl/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,YAAY,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAGpD,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAC/D,YAAY,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAG3D,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AACzF,YAAY,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAGzE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AAGpD,YAAY,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAChE,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EAChB,MAAM,cAAc,CAAA;AAGrB,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACvE,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC/D,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,wBAAwB,EACxB,+BAA+B,EAC/B,oBAAoB,EACrB,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAA;AAClG,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,6BAA6B,EAC7B,aAAa,EACb,cAAc,EACd,SAAS,EACT,kBAAkB,EAClB,kBAAkB,EAClB,WAAW,EACX,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACf,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AAGrE,YAAY,EACV,SAAS,IAAI,aAAa,EAC1B,UAAU,EACV,SAAS,EACV,MAAM,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/isl/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,YAAY,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAGpD,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAC/D,YAAY,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAG3D,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AACzF,YAAY,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAGzE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AAGpD,YAAY,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAChE,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EAChB,MAAM,cAAc,CAAA;AAGrB,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACvE,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC/D,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,wBAAwB,EACxB,+BAA+B,EAC/B,oBAAoB,EACrB,MAAM,sBAAsB,CAAA;AAG7B,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAA;AAClG,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,6BAA6B,EAC7B,aAAa,EACb,cAAc,EACd,SAAS,EACT,kBAAkB,EAClB,kBAAkB,EAClB,WAAW,EACX,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACf,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AAGrE,YAAY,EACV,SAAS,IAAI,aAAa,EAC1B,UAAU,EACV,SAAS,EACV,MAAM,YAAY,CAAA;AAGnB,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,OAAO,EACP,QAAQ,EACR,WAAW,EACZ,MAAM,iBAAiB,CAAA;AACxB,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA"}

package/dist/isl/index.js

@@ -25,4 +25,6 @@ export { maxConfidenceCalculator, severityPlusVolumeCalculator, weightedByTypeCa
 export { createPiDetection, getDetectionLength, isHighConfidence, isMediumConfidence, isLowConfidence, createPiDetectionResult, hasDetections, getDetectionCount, getDetectionsByType, getHighestConfidenceDetection, createPattern, matchesPattern, findMatch, MAX_CONTENT_LENGTH, MAX_PATTERN_LENGTH, MAX_MATCHES, createRiskScore, normalizeRiskScore, isHighRiskScore, isMediumRiskScore, isLowRiskScore, MIN_RISK_SCORE, MAX_RISK_SCORE } from './value-objects/index.js';
 // Exceptions
 export { SanitizationError } from './exceptions/SanitizationError.js';
+// Tags – semantic isolation metadata and canonical serializer (v0.5.0)
+export { AIPIP_NAMESPACE, AIPIP_TAG_SCHEMA_VERSION, createThreatTag, VALID_TAG_TYPES, isValidThreatTagType, openTag, closeTag, wrapWithTag } from './tags/index.js';
 //# sourceMappingURL=index.js.map

package/dist/isl/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/isl/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,sBAAsB;AACtB,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAGxC,oBAAoB;AACpB,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAG/D,kDAAkD;AAClD,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAGzF,oBAAoB;AACpB,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AAIpD,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EAChB,MAAM,cAAc,CAAA;AAErB,oFAAoF;AACpF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEvE,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,wBAAwB,EACxB,+BAA+B,EAC/B,oBAAoB,EACrB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,6BAA6B,EAC7B,aAAa,EACb,cAAc,EACd,SAAS,EACT,kBAAkB,EAClB,kBAAkB,EAClB,WAAW,EACX,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACf,MAAM,0BAA0B,CAAA;AAEjC,aAAa;AACb,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/isl/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,sBAAsB;AACtB,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAGxC,oBAAoB;AACpB,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAG/D,kDAAkD;AAClD,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAGzF,oBAAoB;AACpB,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AAIpD,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EAChB,MAAM,cAAc,CAAA;AAErB,oFAAoF;AACpF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEvE,OAAO,EACL,uBAAuB,EACvB,4BAA4B,EAC5B,wBAAwB,EACxB,+BAA+B,EAC/B,oBAAoB,EACrB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,iBAAiB,EACjB,mBAAmB,EACnB,6BAA6B,EAC7B,aAAa,EACb,cAAc,EACd,SAAS,EACT,kBAAkB,EAClB,kBAAkB,EAClB,WAAW,EACX,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,cAAc,EACf,MAAM,0BAA0B,CAAA;AAEjC,aAAa;AACb,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAA;AASrE,uEAAuE;AACvE,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,OAAO,EACP,QAAQ,EACR,WAAW,EACZ,MAAM,iBAAiB,CAAA"}

package/dist/isl/process/buildISLResult.d.ts

@@ -12,13 +12,15 @@
  */
 import type { ISLResult, ISLSegment } from '../types.js';
 import type { LineageEntry } from '../../csl/value-objects/index.js';
+import type { ThreatTag } from '../tags/threat-tag.js';
 /**
  * Builds an ISLResult from processed segments
  *
  * @param segments - Segments sanitized by ISL
  * @param lineage - Complete processing lineage
+ * @param threatTags - Threat tags detected by ISL
  * @param processingTimeMs - Processing time in milliseconds (optional)
  * @returns ISLResult with all processing information
  */
-export declare function buildISLResult(segments: readonly ISLSegment[], lineage: readonly LineageEntry[], processingTimeMs?: number): ISLResult;
+export declare function buildISLResult(segments: readonly ISLSegment[], lineage: readonly LineageEntry[], threatTags: readonly ThreatTag[], processingTimeMs?: number): ISLResult;
 //# sourceMappingURL=buildISLResult.d.ts.map

package/dist/isl/process/buildISLResult.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"buildISLResult.d.ts","sourceRoot":"","sources":["../../../src/isl/process/buildISLResult.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAA;AAEpE;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,SAAS,UAAU,EAAE,EAC/B,OAAO,EAAE,SAAS,YAAY,EAAE,EAChC,gBAAgB,CAAC,EAAE,MAAM,GACxB,SAAS,CAiBX"}
+{"version":3,"file":"buildISLResult.d.ts","sourceRoot":"","sources":["../../../src/isl/process/buildISLResult.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAA;AACpE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AAEtD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,SAAS,UAAU,EAAE,EAC/B,OAAO,EAAE,SAAS,YAAY,EAAE,EAChC,UAAU,EAAE,SAAS,SAAS,EAAE,EAChC,gBAAgB,CAAC,EAAE,MAAM,GACxB,SAAS,CAkBX"}

package/dist/isl/process/buildISLResult.js

@@ -15,10 +15,11 @@
  *
  * @param segments - Segments sanitized by ISL
  * @param lineage - Complete processing lineage
+ * @param threatTags - Threat tags detected by ISL
  * @param processingTimeMs - Processing time in milliseconds (optional)
  * @returns ISLResult with all processing information
  */
-export function buildISLResult(segments, lineage, processingTimeMs) {
+export function buildISLResult(segments, lineage, threatTags, processingTimeMs) {
     const metadata = processingTimeMs === undefined
         ? {
             totalSegments: segments.length,
@@ -32,6 +33,7 @@ export function buildISLResult(segments, lineage, processingTimeMs) {
     return {
         segments: Object.freeze(segments),
         lineage: Object.freeze(lineage),
+        threatTags: Object.freeze(threatTags),
         metadata: Object.freeze(metadata)
     };
 }

package/dist/isl/process/buildISLResult.js.map

@@ -1 +1 @@
-{"version":3,"file":"buildISLResult.js","sourceRoot":"","sources":["../../../src/isl/process/buildISLResult.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA+B,EAC/B,OAAgC,EAChC,gBAAyB;IAEzB,MAAM,QAAQ,GAAG,gBAAgB,KAAK,SAAS;QAC7C,CAAC,CAAC;YACE,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,iBAAiB,EAAE,QAAQ,CAAC,MAAM;SACnC;QACH,CAAC,CAAC;YACE,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,iBAAiB,EAAE,QAAQ,CAAC,MAAM;YAClC,gBAAgB;SACjB,CAAA;IAEL,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QACjC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;QAC/B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;KAClC,CAAA;AACH,CAAC"}
+{"version":3,"file":"buildISLResult.js","sourceRoot":"","sources":["../../../src/isl/process/buildISLResult.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA+B,EAC/B,OAAgC,EAChC,UAAgC,EAChC,gBAAyB;IAEzB,MAAM,QAAQ,GAAG,gBAAgB,KAAK,SAAS;QAC7C,CAAC,CAAC;YACE,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,iBAAiB,EAAE,QAAQ,CAAC,MAAM;SACnC;QACH,CAAC,CAAC;YACE,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,iBAAiB,EAAE,QAAQ,CAAC,MAAM;YAClC,gBAAgB;SACjB,CAAA;IAEL,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QACjC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC;QACrC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;KAClC,CAAA;AACH,CAAC"}

package/dist/isl/sanitize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/isl/sanitize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAGhD,OAAO,KAAK,EAAE,SAAS,EAAc,MAAM,YAAY,CAAA;AAIvD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAG7D,sFAAsF;AACtF,MAAM,WAAW,eAAe;IAC9B,2EAA2E;IAC3E,QAAQ,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAA;CACrD;AAED;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,GAAE,eAAoB,GAAG,SAAS,CA2CvF"}
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/isl/sanitize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAGhD,OAAO,KAAK,EAAE,SAAS,EAAc,MAAM,YAAY,CAAA;AAIvD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAK7D,sFAAsF;AACtF,MAAM,WAAW,eAAe;IAC9B,2EAA2E;IAC3E,QAAQ,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAA;CACrD;AAED;;;;;;;;;GASG;AACH,wBAAgB,QAAQ,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,GAAE,eAAoB,GAAG,SAAS,CAsEvF"}

package/dist/isl/sanitize.js

@@ -3,6 +3,8 @@ import { buildISLLineage } from './lineage/buildISLLineage.js';
 import { buildISLResult } from './process/buildISLResult.js';
 import { detectThreats } from './detect/index.js';
 import { createPiDetectionResult } from './value-objects/PiDetectionResult.js';
+import { createThreatTag } from './tags/threat-tag.js';
+import { isValidThreatTagType } from './tags/tag-registry.js';
 /**
  * Sanitizes content according to trust level - pure function
  *
@@ -16,6 +18,7 @@ import { createPiDetectionResult } from './value-objects/PiDetectionResult.js';
 export function sanitize(cslResult, options = {}) {
     const startTime = Date.now();
     const segments = [];
+    const threatTags = [];
     const detectOptions = options.detectThreatsOptions;
     for (const cslSegment of cslResult.segments) {
         // Determine sanitization level according to trust level
@@ -38,12 +41,21 @@ export function sanitize(cslResult, options = {}) {
             ...(piDetection !== undefined && { piDetection })
         };
         segments.push(islSegment);
+        // Build threat tags 
+        if (detections.length > 0) {
+            for (const detection of detections) {
+                if (isValidThreatTagType(detection.pattern_type)) {
+                    const tag = createThreatTag(cslSegment.id, detection.position.start, detection.position.end, detection.pattern_type, detection.confidence);
+                    threatTags.push(tag);
+                }
+            }
+        }
     }
     // Build complete lineage
     const allLineage = buildISLLineage(cslResult.lineage, startTime);
     // Build result using process function
     const processingTime = Date.now() - startTime;
-    return buildISLResult(segments, allLineage, processingTime);
+    return buildISLResult(segments, allLineage, threatTags, processingTime);
 }
 /**
  * Determines sanitization level according to trust level - pure function

package/dist/isl/sanitize.js.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/isl/sanitize.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAEhD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,sCAAsC,CAAA;AAQ9E;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CAAC,SAAoB,EAAE,UAA2B,EAAE;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC5B,MAAM,QAAQ,GAAiB,EAAE,CAAA;IACjC,MAAM,aAAa,GAAG,OAAO,CAAC,oBAAoB,CAAA;IAElD,KAAK,MAAM,UAAU,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QAC5C,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QAEhE,sCAAsC;QACtC,MAAM,SAAS,GAAG,eAAe,CAC/B,UAAU,CAAC,OAAO,EAClB,iBAAiB,CAClB,CAAA;QAED,gHAAgH;QAChH,MAAM,UAAU,GAAG,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;QAClE,MAAM,WAAW,GACf,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QAEzE,qCAAqC;QACrC,MAAM,cAAc,GAAG,eAAe,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QAErE,wDAAwD;QACxD,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,eAAe,EAAE,UAAU,CAAC,OAAO;YACnC,gBAAgB,EAAE,SAAS,CAAC,OAAO;YACnC,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,OAAO,EAAE,CAAC,GAAG,cAAc,CAAC;YAC5B,iBAAiB;YACjB,GAAG,CAAC,WAAW,KAAK,SAAS,IAAI,EAAE,WAAW,EAAE,CAAC;SAClD,CAAA;QAED,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC3B,CAAC;IAED,yBAAyB;IACzB,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;IAEhE,sCAAsC;IACtC,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAA;IAC7C,OAAO,cAAc,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAA;AAC7D,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,KAAiB;IAC7C,IAAI,KAAK,CAAC,KAAK,KAAK,cAAc,CAAC,EAAE;QAAE,OAAO,SAAS,CAAA;IACvD,IAAI,KAAK,CAAC,KAAK,KAAK,cAAc,CAAC,GAAG;QAAE,OAAO,UAAU,CAAA;IACzD,OAAO,YAAY,CAAA,CAAE,KAAK;AAC5B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAAe,EACf,MAA6C;IAE7C,oCAAoC;IACpC,oDAAoD;IACpD,OAAO;QACL,OAAO;KACR,CAAA;AACH,CAAC"}
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/isl/sanitize.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAEhD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,sCAAsC,CAAA;AAC9E,OAAO,EAAkB,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACtE,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAA;AAQ7D;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CAAC,SAAoB,EAAE,UAA2B,EAAE;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC5B,MAAM,QAAQ,GAAiB,EAAE,CAAA;IACjC,MAAM,UAAU,GAAgB,EAAE,CAAA;IAClC,MAAM,aAAa,GAAG,OAAO,CAAC,oBAAoB,CAAA;IAElD,KAAK,MAAM,UAAU,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QAC5C,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QAEhE,sCAAsC;QACtC,MAAM,SAAS,GAAG,eAAe,CAC/B,UAAU,CAAC,OAAO,EAClB,iBAAiB,CAClB,CAAA;QAED,gHAAgH;QAChH,MAAM,UAAU,GAAG,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;QAClE,MAAM,WAAW,GACf,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QAIzE,qCAAqC;QACrC,MAAM,cAAc,GAAG,eAAe,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QAErE,wDAAwD;QACxD,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,UAAU,CAAC,EAAE;YACjB,eAAe,EAAE,UAAU,CAAC,OAAO;YACnC,gBAAgB,EAAE,SAAS,CAAC,OAAO;YACnC,KAAK,EAAE,UAAU,CAAC,KAAK;YACvB,OAAO,EAAE,CAAC,GAAG,cAAc,CAAC;YAC5B,iBAAiB;YACjB,GAAG,CAAC,WAAW,KAAK,SAAS,IAAI,EAAE,WAAW,EAAE,CAAC;SAClD,CAAA;QAED,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAEzB,qBAAqB;QACrB,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,IAAI,oBAAoB,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;oBACjD,MAAM,GAAG,GAAG,eAAe,CACzB,UAAU,CAAC,EAAE,EACb,SAAS,CAAC,QAAQ,CAAC,KAAK,EACxB,SAAS,CAAC,QAAQ,CAAC,GAAG,EACtB,SAAS,CAAC,YAAY,EACtB,SAAS,CAAC,UAAU,CACrB,CAAA;oBACD,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACtB,CAAC;YACH,CAAC;QACH,CAAC;IAKH,CAAC;IAED,yBAAyB;IACzB,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;IAEhE,sCAAsC;IACtC,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAA;IAK7C,OAAO,cAAc,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,CAAC,CAAA;AACzE,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,KAAiB;IAC7C,IAAI,KAAK,CAAC,KAAK,KAAK,cAAc,CAAC,EAAE;QAAE,OAAO,SAAS,CAAA;IACvD,IAAI,KAAK,CAAC,KAAK,KAAK,cAAc,CAAC,GAAG;QAAE,OAAO,UAAU,CAAA;IACzD,OAAO,YAAY,CAAA,CAAE,KAAK;AAC5B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,OAAe,EACf,MAA6C;IAE7C,oCAAoC;IACpC,oDAAoD;IACpD,OAAO;QACL,OAAO;KACR,CAAA;AACH,CAAC"}

package/dist/isl/tags/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * ISL tags – Semantic isolation metadata and canonical serialization (v0.5.0).
+ *
+ * @remarks
+ * - **Namespace & types:** Official namespace, threat tag types (aligned with detect).
+ * - **ThreatTag:** Structural metadata (segmentId, offsets, type, confidence); no text mutation.
+ * - **Registry:** Valid tag types for validation.
+ * - **Serializer:** Canonical AI-PIP tag format (open/close/wrap); protocol-only, no offsets or segment logic.
+ *
+ * The SDK uses ThreatTag + serializer to insert tags into fragment text; the core only defines the format.
+ */
+export { AIPIP_NAMESPACE, AIPIP_TAG_SCHEMA_VERSION } from './namespace.js';
+export { THREAT_TYPES } from './threat-tag-type.js';
+export type { ThreatTagType, ThreatType } from './threat-tag-type.js';
+export type { ThreatTag } from './threat-tag.js';
+export { createThreatTag } from './threat-tag.js';
+export { VALID_TAG_TYPES, isValidThreatTagType } from './tag-registry.js';
+export { openTag, closeTag, wrapWithTag } from './serializer.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/isl/tags/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/isl/tags/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAA;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACrE,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA"}

package/dist/isl/tags/index.js

@@ -0,0 +1,17 @@
+/**
+ * ISL tags – Semantic isolation metadata and canonical serialization (v0.5.0).
+ *
+ * @remarks
+ * - **Namespace & types:** Official namespace, threat tag types (aligned with detect).
+ * - **ThreatTag:** Structural metadata (segmentId, offsets, type, confidence); no text mutation.
+ * - **Registry:** Valid tag types for validation.
+ * - **Serializer:** Canonical AI-PIP tag format (open/close/wrap); protocol-only, no offsets or segment logic.
+ *
+ * The SDK uses ThreatTag + serializer to insert tags into fragment text; the core only defines the format.
+ */
+export { AIPIP_NAMESPACE, AIPIP_TAG_SCHEMA_VERSION } from './namespace.js';
+export { THREAT_TYPES } from './threat-tag-type.js';
+export { createThreatTag } from './threat-tag.js';
+export { VALID_TAG_TYPES, isValidThreatTagType } from './tag-registry.js';
+export { openTag, closeTag, wrapWithTag } from './serializer.js';
+//# sourceMappingURL=index.js.map

package/dist/isl/tags/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/isl/tags/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAA;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAGnD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA"}

package/dist/isl/tags/namespace.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Official namespace identifier for AI-PIP semantic tags.
+ *
+ * This namespace is used by upper layers (SDK) to serialize
+ * ThreatTags into textual encapsulation form:
+ *
+ * <aipip:threat-type>...</aipip>
+ *
+ * The core does not perform serialization.
+ * This value must remain stable across versions.
+ */
+export declare const AIPIP_NAMESPACE: "aipip";
+/**
+ * Current schema version for AI-PIP tag structure.
+ * Used for forward compatibility if needed.
+ */
+export declare const AIPIP_TAG_SCHEMA_VERSION: 1;
+//# sourceMappingURL=namespace.d.ts.map

package/dist/isl/tags/namespace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../../src/isl/tags/namespace.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,EAAG,OAAgB,CAAC;AAGhD;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAG,CAAU,CAAC"}

package/dist/isl/tags/namespace.js

@@ -0,0 +1,18 @@
+/**
+ * Official namespace identifier for AI-PIP semantic tags.
+ *
+ * This namespace is used by upper layers (SDK) to serialize
+ * ThreatTags into textual encapsulation form:
+ *
+ * <aipip:threat-type>...</aipip>
+ *
+ * The core does not perform serialization.
+ * This value must remain stable across versions.
+ */
+export const AIPIP_NAMESPACE = "aipip";
+/**
+ * Current schema version for AI-PIP tag structure.
+ * Used for forward compatibility if needed.
+ */
+export const AIPIP_TAG_SCHEMA_VERSION = 1;
+//# sourceMappingURL=namespace.js.map

package/dist/isl/tags/namespace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../../src/isl/tags/namespace.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,OAAgB,CAAC;AAGhD;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAU,CAAC"}

package/dist/isl/tags/serializer.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Canonical AI-PIP tag serializer – Official protocol representation.
+ *
+ * @remarks
+ * This module defines the only normative, standardized textual format for
+ * AI-PIP semantic tags. It does not apply offsets, does not mutate segments,
+ * and does not decide when to encapsulate. The SDK is responsible for applying
+ * tags at the correct positions (using ThreatTag metadata) and for resolving
+ * multiple or overlapping tags (e.g. descending offset order).
+ *
+ * The serializer only builds strings: opening tag, closing tag, or fully
+ * wrapped content. This makes the tag format part of the formal protocol,
+ * not an informal SDK convention.
+ */
+import type { ThreatTagType } from './threat-tag-type.js';
+/**
+ * Returns the canonical opening tag string.
+ *
+ * @example
+ * openTag('prompt-injection') // "<aipip:prompt-injection>"
+ */
+export declare function openTag(type: ThreatTagType): string;
+/**
+ * Returns the canonical closing tag string.
+ *
+ * @example
+ * closeTag('prompt-injection') // "</aipip:prompt-injection>"
+ */
+export declare function closeTag(type: ThreatTagType): string;
+/**
+ * Returns content wrapped with opening and closing tags.
+ * Does not validate or interpret content; purely concatenation.
+ *
+ * @example
+ * wrapWithTag('prompt-injection', 'Ignore previous instructions.')
+ * // "<aipip:prompt-injection>Ignore previous instructions.</aipip:prompt-injection>"
+ */
+export declare function wrapWithTag(type: ThreatTagType, content: string): string;
+//# sourceMappingURL=serializer.d.ts.map

package/dist/isl/tags/serializer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serializer.d.ts","sourceRoot":"","sources":["../../../src/isl/tags/serializer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEzD;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAEnD;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAEpD;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAExE"}

package/dist/isl/tags/serializer.js

@@ -0,0 +1,45 @@
+/**
+ * Canonical AI-PIP tag serializer – Official protocol representation.
+ *
+ * @remarks
+ * This module defines the only normative, standardized textual format for
+ * AI-PIP semantic tags. It does not apply offsets, does not mutate segments,
+ * and does not decide when to encapsulate. The SDK is responsible for applying
+ * tags at the correct positions (using ThreatTag metadata) and for resolving
+ * multiple or overlapping tags (e.g. descending offset order).
+ *
+ * The serializer only builds strings: opening tag, closing tag, or fully
+ * wrapped content. This makes the tag format part of the formal protocol,
+ * not an informal SDK convention.
+ */
+import { AIPIP_NAMESPACE } from './namespace.js';
+/**
+ * Returns the canonical opening tag string.
+ *
+ * @example
+ * openTag('prompt-injection') // "<aipip:prompt-injection>"
+ */
+export function openTag(type) {
+    return `<${AIPIP_NAMESPACE}:${type}>`;
+}
+/**
+ * Returns the canonical closing tag string.
+ *
+ * @example
+ * closeTag('prompt-injection') // "</aipip:prompt-injection>"
+ */
+export function closeTag(type) {
+    return `</${AIPIP_NAMESPACE}:${type}>`;
+}
+/**
+ * Returns content wrapped with opening and closing tags.
+ * Does not validate or interpret content; purely concatenation.
+ *
+ * @example
+ * wrapWithTag('prompt-injection', 'Ignore previous instructions.')
+ * // "<aipip:prompt-injection>Ignore previous instructions.</aipip:prompt-injection>"
+ */
+export function wrapWithTag(type, content) {
+    return `${openTag(type)}${content}${closeTag(type)}`;
+}
+//# sourceMappingURL=serializer.js.map

package/dist/isl/tags/serializer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serializer.js","sourceRoot":"","sources":["../../../src/isl/tags/serializer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAGhD;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,IAAmB;IACzC,OAAO,IAAI,eAAe,IAAI,IAAI,GAAG,CAAA;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAmB;IAC1C,OAAO,KAAK,eAAe,IAAI,IAAI,GAAG,CAAA;AACxC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,IAAmB,EAAE,OAAe;IAC9D,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAA;AACtD,CAAC"}

package/dist/isl/tags/tag-registry.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Tag registry – Valid threat tag types for validation and iteration.
+ *
+ * @remarks
+ * Single source of truth is ISL detect (THREAT_TYPES). This module exposes
+ * a readonly list and a type guard for use by ThreatTag creation and by the SDK.
+ */
+import type { ThreatTagType } from './threat-tag-type.js';
+/** Readonly list of valid tag type strings (for validation and iteration) */
+export declare const VALID_TAG_TYPES: readonly ThreatTagType[];
+/**
+ * Type guard: returns true if value is a valid ThreatTagType.
+ */
+export declare function isValidThreatTagType(value: string): value is ThreatTagType;
+//# sourceMappingURL=tag-registry.d.ts.map

package/dist/isl/tags/tag-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tag-registry.d.ts","sourceRoot":"","sources":["../../../src/isl/tags/tag-registry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEzD,6EAA6E;AAC7E,eAAO,MAAM,eAAe,EAAE,SAAS,aAAa,EAEhC,CAAA;AAEpB;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,aAAa,CAE1E"}

package/dist/isl/tags/tag-registry.js

@@ -0,0 +1,17 @@
+/**
+ * Tag registry – Valid threat tag types for validation and iteration.
+ *
+ * @remarks
+ * Single source of truth is ISL detect (THREAT_TYPES). This module exposes
+ * a readonly list and a type guard for use by ThreatTag creation and by the SDK.
+ */
+import { THREAT_TYPES } from './threat-tag-type.js';
+/** Readonly list of valid tag type strings (for validation and iteration) */
+export const VALID_TAG_TYPES = Object.values(THREAT_TYPES);
+/**
+ * Type guard: returns true if value is a valid ThreatTagType.
+ */
+export function isValidThreatTagType(value) {
+    return VALID_TAG_TYPES.includes(value);
+}
+//# sourceMappingURL=tag-registry.js.map

package/dist/isl/tags/tag-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tag-registry.js","sourceRoot":"","sources":["../../../src/isl/tags/tag-registry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAGnD,6EAA6E;AAC7E,MAAM,CAAC,MAAM,eAAe,GAA6B,MAAM,CAAC,MAAM,CACpE,YAAY,CACM,CAAA;AAEpB;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,OAAQ,eAAqC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AAC/D,CAAC"}

package/dist/isl/tags/threat-tag-type.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Threat tag types – Aligned with ISL detection taxonomy.
+ *
+ * @remarks
+ * Tag types correspond to pattern_type in PiDetection. Used for canonical
+ * encapsulation: <aipip:threat-type>...</aipip>. Single source of truth: detect layer.
+ */
+import type { ThreatType } from '../detect/detect.js';
+export { THREAT_TYPES } from '../detect/detect.js';
+export type { ThreatType } from '../detect/detect.js';
+/** Alias for tag context (same as ThreatType) */
+export type ThreatTagType = ThreatType;
+//# sourceMappingURL=threat-tag-type.d.ts.map

package/dist/isl/tags/threat-tag-type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threat-tag-type.d.ts","sourceRoot":"","sources":["../../../src/isl/tags/threat-tag-type.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAErD,iDAAiD;AACjD,MAAM,MAAM,aAAa,GAAG,UAAU,CAAA"}

package/dist/isl/tags/threat-tag-type.js

@@ -0,0 +1,9 @@
+/**
+ * Threat tag types – Aligned with ISL detection taxonomy.
+ *
+ * @remarks
+ * Tag types correspond to pattern_type in PiDetection. Used for canonical
+ * encapsulation: <aipip:threat-type>...</aipip>. Single source of truth: detect layer.
+ */
+export { THREAT_TYPES } from '../detect/detect.js';
+//# sourceMappingURL=threat-tag-type.js.map

package/dist/isl/tags/threat-tag-type.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threat-tag-type.js","sourceRoot":"","sources":["../../../src/isl/tags/threat-tag-type.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA"}

package/dist/isl/tags/threat-tag.d.ts

@@ -0,0 +1,32 @@
+/**
+ * ThreatTag – Structural metadata for semantic isolation (v0.5.0).
+ *
+ * @remarks
+ * ISL produces ThreatTag objects: segment id, offsets into the segment content,
+ * threat type, and confidence. The core does not insert tags into text; the SDK
+ * uses this metadata plus the canonical serializer to wrap fragments.
+ *
+ * Offsets are relative to the original segment content (immutable). start is
+ * inclusive, end is exclusive [start, end).
+ */
+import type { ThreatTagType } from './threat-tag-type.js';
+export interface ThreatTag {
+    /** Segment that contains the detected fragment */
+    readonly segmentId: string;
+    /** Start offset (inclusive) into segment content */
+    readonly startOffset: number;
+    /** End offset (exclusive) into segment content */
+    readonly endOffset: number;
+    /** Threat type (aligns with detection taxonomy) */
+    readonly type: ThreatTagType;
+    /** Confidence in [0, 1] */
+    readonly confidence: number;
+}
+/**
+ * Creates a ThreatTag (frozen). Validates segmentId, offsets, type, and confidence.
+ *
+ * @throws {TypeError} If segmentId or type is invalid
+ * @throws {RangeError} If offsets or confidence are out of range
+ */
+export declare function createThreatTag(segmentId: string, startOffset: number, endOffset: number, type: ThreatTagType, confidence: number): ThreatTag;
+//# sourceMappingURL=threat-tag.d.ts.map

package/dist/isl/tags/threat-tag.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threat-tag.d.ts","sourceRoot":"","sources":["../../../src/isl/tags/threat-tag.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAGzD,MAAM,WAAW,SAAS;IACxB,kDAAkD;IAClD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,oDAAoD;IACpD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,kDAAkD;IAClD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,mDAAmD;IACnD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAA;IAC5B,2BAA2B;IAC3B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC5B;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAC7B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,aAAa,EACnB,UAAU,EAAE,MAAM,GACjB,SAAS,CAuBX"}

package/dist/isl/tags/threat-tag.js

@@ -0,0 +1,43 @@
+/**
+ * ThreatTag – Structural metadata for semantic isolation (v0.5.0).
+ *
+ * @remarks
+ * ISL produces ThreatTag objects: segment id, offsets into the segment content,
+ * threat type, and confidence. The core does not insert tags into text; the SDK
+ * uses this metadata plus the canonical serializer to wrap fragments.
+ *
+ * Offsets are relative to the original segment content (immutable). start is
+ * inclusive, end is exclusive [start, end).
+ */
+import { VALID_TAG_TYPES } from './tag-registry.js';
+/**
+ * Creates a ThreatTag (frozen). Validates segmentId, offsets, type, and confidence.
+ *
+ * @throws {TypeError} If segmentId or type is invalid
+ * @throws {RangeError} If offsets or confidence are out of range
+ */
+export function createThreatTag(segmentId, startOffset, endOffset, type, confidence) {
+    if (segmentId == null || typeof segmentId !== 'string' || segmentId.trim().length === 0) {
+        throw new TypeError('ThreatTag segmentId must be a non-empty string');
+    }
+    if (typeof startOffset !== 'number' || !Number.isFinite(startOffset) || startOffset < 0) {
+        throw new RangeError('ThreatTag startOffset must be a non-negative finite number');
+    }
+    if (typeof endOffset !== 'number' || !Number.isFinite(endOffset) || endOffset < startOffset) {
+        throw new RangeError('ThreatTag endOffset must be >= startOffset');
+    }
+    if (!VALID_TAG_TYPES.includes(type)) {
+        throw new TypeError(`ThreatTag type must be one of: ${VALID_TAG_TYPES.join(', ')}`);
+    }
+    if (typeof confidence !== 'number' || !Number.isFinite(confidence) || confidence < 0 || confidence > 1) {
+        throw new RangeError('ThreatTag confidence must be a number in [0, 1]');
+    }
+    return Object.freeze({
+        segmentId: segmentId.trim(),
+        startOffset,
+        endOffset,
+        type,
+        confidence
+    });
+}
+//# sourceMappingURL=threat-tag.js.map

package/dist/isl/tags/threat-tag.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threat-tag.js","sourceRoot":"","sources":["../../../src/isl/tags/threat-tag.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAenD;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,SAAiB,EACjB,WAAmB,EACnB,SAAiB,EACjB,IAAmB,EACnB,UAAkB;IAElB,IAAI,SAAS,IAAI,IAAI,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxF,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACxF,MAAM,IAAI,UAAU,CAAC,4DAA4D,CAAC,CAAA;IACpF,CAAC;IACD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,GAAG,WAAW,EAAE,CAAC;QAC5F,MAAM,IAAI,UAAU,CAAC,4CAA4C,CAAC,CAAA;IACpE,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,SAAS,CAAC,kCAAkC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACrF,CAAC;IACD,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;QACvG,MAAM,IAAI,UAAU,CAAC,iDAAiD,CAAC,CAAA;IACzE,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,SAAS,EAAE,SAAS,CAAC,IAAI,EAAE;QAC3B,WAAW;QACX,SAAS;QACT,IAAI;QACJ,UAAU;KACX,CAAC,CAAA;AACJ,CAAC"}

package/dist/isl/types.d.ts

@@ -3,6 +3,7 @@
  */
 import type { LineageEntry, TrustLevel } from '../csl/value-objects/index.js';
 import type { PiDetectionResult } from './value-objects/PiDetectionResult.js';
+import type { ThreatTag } from './tags/threat-tag.js';
 export type { RiskScore } from './value-objects/RiskScore.js';
 /**
  * ISLSegment - Segment sanitized by ISL
@@ -18,10 +19,22 @@ export interface ISLSegment {
 }
 /**
  * ISLResult - Sanitization result
+ *
+ * @remarks
+ * The ISLResult contains the following:
+ *  - segments: readonly ISLSegment[]
+ *  - lineage: readonly LineageEntry[]
+ *  - threatTags: readonly ThreatTag[]
+ *  - metadata: {
+ *      - totalSegments: number
+ *      - sanitizedSegments: number
+ *      - processingTimeMs?: number
+ *  }
  */
 export interface ISLResult {
     readonly segments: readonly ISLSegment[];
     readonly lineage: readonly LineageEntry[];
+    readonly threatTags: readonly ThreatTag[];
     readonly metadata: {
         readonly totalSegments: number;
         readonly sanitizedSegments: number;

package/dist/isl/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/isl/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC7E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAA;AAG7E,YAAY,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAA;AAU7D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAA;IAChC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAA;IACjC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAC1B,QAAQ,CAAC,OAAO,EAAE,YAAY,EAAE,CAAA;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,iBAAiB,EAAE,SAAS,GAAG,UAAU,GAAG,YAAY,CAAA;CAClE;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,QAAQ,EAAE,SAAS,UAAU,EAAE,CAAA;IACxC,QAAQ,CAAC,OAAO,EAAE,SAAS,YAAY,EAAE,CAAA;IACzC,QAAQ,CAAC,QAAQ,EAAE;QACjB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;QAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAA;QAClC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;KACnC,CAAA;CACF"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/isl/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC7E,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAA;AAC7E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAGrD,YAAY,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAA;AAU7D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAA;IAChC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAA;IACjC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAC1B,QAAQ,CAAC,OAAO,EAAE,YAAY,EAAE,CAAA;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,iBAAiB,CAAA;IACxC,QAAQ,CAAC,iBAAiB,EAAE,SAAS,GAAG,UAAU,GAAG,YAAY,CAAA;CAClE;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,QAAQ,EAAE,SAAS,UAAU,EAAE,CAAA;IACxC,QAAQ,CAAC,OAAO,EAAE,SAAS,YAAY,EAAE,CAAA;IACzC,QAAQ,CAAC,UAAU,EAAE,SAAS,SAAS,EAAE,CAAA;IACzC,QAAQ,CAAC,QAAQ,EAAE;QACjB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;QAC9B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAA;QAClC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;KACnC,CAAA;CACF"}