@aion0/bastion 0.1.15 → 0.1.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/config/default.yaml +17 -0
- package/dist/cli/commands/start.d.ts.map +1 -1
- package/dist/cli/commands/start.js +4 -0
- package/dist/cli/commands/start.js.map +1 -1
- package/dist/config/schema.d.ts +21 -1
- package/dist/config/schema.d.ts.map +1 -1
- package/dist/core/bootstrap.d.ts.map +1 -1
- package/dist/core/bootstrap.js +30 -0
- package/dist/core/bootstrap.js.map +1 -1
- package/dist/dashboard/api-routes.d.ts.map +1 -1
- package/dist/dashboard/api-routes.js +338 -8
- package/dist/dashboard/api-routes.js.map +1 -1
- package/dist/dashboard/page.d.ts.map +1 -1
- package/dist/dashboard/page.js +646 -109
- package/dist/dashboard/page.js.map +1 -1
- package/dist/dlp/actions.d.ts +2 -0
- package/dist/dlp/actions.d.ts.map +1 -1
- package/dist/dlp/ai-validator.d.ts +15 -1
- package/dist/dlp/ai-validator.d.ts.map +1 -1
- package/dist/dlp/ai-validator.js +84 -3
- package/dist/dlp/ai-validator.js.map +1 -1
- package/dist/dlp/engine.d.ts +5 -1
- package/dist/dlp/engine.d.ts.map +1 -1
- package/dist/dlp/engine.js +25 -7
- package/dist/dlp/engine.js.map +1 -1
- package/dist/dlp/message-cache.js +2 -2
- package/dist/dlp/message-cache.js.map +1 -1
- package/dist/plugins/builtin/rate-limiter.d.ts +24 -0
- package/dist/plugins/builtin/rate-limiter.d.ts.map +1 -0
- package/dist/plugins/builtin/rate-limiter.js +248 -0
- package/dist/plugins/builtin/rate-limiter.js.map +1 -0
- package/dist/plugins/builtin/threat-scorer.d.ts.map +1 -1
- package/dist/plugins/builtin/threat-scorer.js +13 -1
- package/dist/plugins/builtin/threat-scorer.js.map +1 -1
- package/dist/plugins/builtin/tool-guard.d.ts +18 -0
- package/dist/plugins/builtin/tool-guard.d.ts.map +1 -1
- package/dist/plugins/builtin/tool-guard.js +148 -8
- package/dist/plugins/builtin/tool-guard.js.map +1 -1
- package/dist/plugins/types.d.ts +3 -0
- package/dist/plugins/types.d.ts.map +1 -1
- package/package.json +1 -1
package/config/default.yaml
CHANGED
|
@@ -33,6 +33,8 @@ plugins:
|
|
|
33
33
|
provider: "anthropic"
|
|
34
34
|
model: "claude-haiku-4-5-20241022"
|
|
35
35
|
apiKey: ""
|
|
36
|
+
ollamaEndpoint: "http://localhost:11434"
|
|
37
|
+
ollamaModel: "llama3.2"
|
|
36
38
|
timeoutMs: 5000
|
|
37
39
|
cacheSize: 500
|
|
38
40
|
semantics:
|
|
@@ -49,6 +51,15 @@ plugins:
|
|
|
49
51
|
rawData: true
|
|
50
52
|
rawMaxBytes: 524288
|
|
51
53
|
summaryMaxBytes: 1024
|
|
54
|
+
rateLimiter:
|
|
55
|
+
enabled: true
|
|
56
|
+
requestsPerMinute: 0
|
|
57
|
+
tokensPerHour: 0
|
|
58
|
+
maxCostPerHour: 0
|
|
59
|
+
maxCostPerDay: 0
|
|
60
|
+
maxCostPerMonth: 0
|
|
61
|
+
action: "block"
|
|
62
|
+
warningThreshold: 0.8
|
|
52
63
|
toolGuard:
|
|
53
64
|
enabled: true
|
|
54
65
|
action: "audit"
|
|
@@ -57,6 +68,12 @@ plugins:
|
|
|
57
68
|
alertMinSeverity: "high"
|
|
58
69
|
alertDesktop: true
|
|
59
70
|
alertWebhookUrl: ""
|
|
71
|
+
piEscalation:
|
|
72
|
+
enabled: true
|
|
73
|
+
scoreThreshold: 0.8
|
|
74
|
+
overrideSeverity: "medium"
|
|
75
|
+
scope: "session"
|
|
76
|
+
ttlMinutes: 30
|
|
60
77
|
external: []
|
|
61
78
|
|
|
62
79
|
retention:
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,
|
|
1
|
+
{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA4C3D"}
|
|
@@ -8,11 +8,15 @@ function registerStartCommand(program) {
|
|
|
8
8
|
.command('start')
|
|
9
9
|
.description('Start the Bastion AI Gateway')
|
|
10
10
|
.option('--foreground', 'Run in foreground (no daemon)')
|
|
11
|
+
.option('--test', 'Enable test mode (PI detection playground)')
|
|
11
12
|
.option('-p, --port <port>', 'Override port')
|
|
12
13
|
.action(async (options) => {
|
|
13
14
|
if (options.port) {
|
|
14
15
|
process.env.BASTION_PORT = options.port;
|
|
15
16
|
}
|
|
17
|
+
if (options.test) {
|
|
18
|
+
process.env.BASTION_TEST_MODE = '1';
|
|
19
|
+
}
|
|
16
20
|
if (options.foreground) {
|
|
17
21
|
// Import and run server directly
|
|
18
22
|
const { startGateway } = await import('../../index.js');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"start.js","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":";;AAIA,
|
|
1
|
+
{"version":3,"file":"start.js","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":";;AAIA,oDA4CC;AA/CD,4CAA4D;AAC5D,iDAA8C;AAE9C,SAAgB,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,8BAA8B,CAAC;SAC3C,MAAM,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACvD,MAAM,CAAC,QAAQ,EAAE,4CAA4C,CAAC;SAC9D,MAAM,CAAC,mBAAmB,EAAE,eAAe,CAAC;SAC5C,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1C,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,GAAG,CAAC;QACtC,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,iCAAiC;YACjC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACxD,MAAM,YAAY,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,2BAA2B;QAC3B,MAAM,MAAM,GAAG,IAAA,2BAAe,GAAE,CAAC;QACjC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,CAAC,GAAG,CAAC,oCAAoC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,IAAA,uBAAU,GAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAA,uBAAW,GAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,uBAAuB,OAAO,kBAAkB,GAAG,GAAG,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;AACP,CAAC"}
|
package/dist/config/schema.d.ts
CHANGED
|
@@ -29,9 +29,11 @@ export interface BastionConfig {
|
|
|
29
29
|
};
|
|
30
30
|
aiValidation: {
|
|
31
31
|
enabled: boolean;
|
|
32
|
-
provider: 'anthropic' | 'openai' | 'local';
|
|
32
|
+
provider: 'anthropic' | 'openai' | 'deepseek' | 'ollama' | 'local';
|
|
33
33
|
model: string;
|
|
34
34
|
apiKey: string;
|
|
35
|
+
ollamaEndpoint: string;
|
|
36
|
+
ollamaModel: string;
|
|
35
37
|
timeoutMs: number;
|
|
36
38
|
cacheSize: number;
|
|
37
39
|
};
|
|
@@ -61,11 +63,29 @@ export interface BastionConfig {
|
|
|
61
63
|
alertMinSeverity: 'critical' | 'high' | 'medium' | 'low';
|
|
62
64
|
alertDesktop: boolean;
|
|
63
65
|
alertWebhookUrl: string;
|
|
66
|
+
piEscalation?: {
|
|
67
|
+
enabled: boolean;
|
|
68
|
+
scoreThreshold: number;
|
|
69
|
+
overrideSeverity: 'critical' | 'high' | 'medium' | 'low';
|
|
70
|
+
scope: 'session' | 'request';
|
|
71
|
+
ttlMinutes: number;
|
|
72
|
+
};
|
|
73
|
+
};
|
|
74
|
+
rateLimiter?: {
|
|
75
|
+
enabled: boolean;
|
|
76
|
+
requestsPerMinute: number;
|
|
77
|
+
tokensPerHour: number;
|
|
78
|
+
maxCostPerHour: number;
|
|
79
|
+
maxCostPerDay: number;
|
|
80
|
+
maxCostPerMonth: number;
|
|
81
|
+
action: 'block' | 'warn';
|
|
82
|
+
warningThreshold: number;
|
|
64
83
|
};
|
|
65
84
|
threatIntelligence?: {
|
|
66
85
|
enabled: boolean;
|
|
67
86
|
scoring?: {
|
|
68
87
|
piWeight?: number;
|
|
88
|
+
indirectPiWeight?: number;
|
|
69
89
|
dlpWeight?: number;
|
|
70
90
|
toolGuardWeights?: {
|
|
71
91
|
critical?: number;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAAC;QAC5B,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,YAAY,EAAE,MAAM,EAAE,CAAC;SACxB,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;KAC5C,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE;YACP,OAAO,EAAE,OAAO,CAAC;SAClB,CAAC;QACF,GAAG,EAAE;YACH,OAAO,EAAE,OAAO,CAAC;YACjB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,OAAO,CAAC;YAC7C,QAAQ,EAAE,CAAC,iBAAiB,GAAG,WAAW,GAAG,eAAe,GAAG,kBAAkB,CAAC,EAAE,CAAC;YACrF,cAAc,EAAE;gBACd,GAAG,EAAE,MAAM,CAAC;gBACZ,MAAM,EAAE,MAAM,CAAC;gBACf,WAAW,EAAE,OAAO,CAAC;gBACrB,mBAAmB,EAAE,MAAM,CAAC;aAC7B,CAAC;YACF,YAAY,EAAE;gBACZ,OAAO,EAAE,OAAO,CAAC;gBACjB,QAAQ,EAAE,WAAW,GAAG,QAAQ,GAAG,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAAC;QAC5B,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,YAAY,EAAE,MAAM,EAAE,CAAC;SACxB,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;KAC5C,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE;YACP,OAAO,EAAE,OAAO,CAAC;SAClB,CAAC;QACF,GAAG,EAAE;YACH,OAAO,EAAE,OAAO,CAAC;YACjB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,OAAO,CAAC;YAC7C,QAAQ,EAAE,CAAC,iBAAiB,GAAG,WAAW,GAAG,eAAe,GAAG,kBAAkB,CAAC,EAAE,CAAC;YACrF,cAAc,EAAE;gBACd,GAAG,EAAE,MAAM,CAAC;gBACZ,MAAM,EAAE,MAAM,CAAC;gBACf,WAAW,EAAE,OAAO,CAAC;gBACrB,mBAAmB,EAAE,MAAM,CAAC;aAC7B,CAAC;YACF,YAAY,EAAE;gBACZ,OAAO,EAAE,OAAO,CAAC;gBACjB,QAAQ,EAAE,WAAW,GAAG,QAAQ,GAAG,UAAU,GAAG,QAAQ,GAAG,OAAO,CAAC;gBACnE,KAAK,EAAE,MAAM,CAAC;gBACd,MAAM,EAAE,MAAM,CAAC;gBACf,cAAc,EAAE,MAAM,CAAC;gBACvB,WAAW,EAAE,MAAM,CAAC;gBACpB,SAAS,EAAE,MAAM,CAAC;gBAClB,SAAS,EAAE,MAAM,CAAC;aACnB,CAAC;YACF,SAAS,EAAE;gBACT,iBAAiB,EAAE,MAAM,EAAE,CAAC;gBAC5B,iBAAiB,EAAE,MAAM,EAAE,CAAC;aAC7B,CAAC;SACH,CAAC;QACF,SAAS,EAAE;YACT,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,EAAE,OAAO,CAAC;YACf,eAAe,EAAE,MAAM,CAAC;YACxB,cAAc,EAAE,OAAO,CAAC;YACxB,eAAe,EAAE,OAAO,CAAC;SAC1B,CAAC;QACF,KAAK,EAAE;YACL,OAAO,EAAE,OAAO,CAAC;YACjB,OAAO,EAAE,OAAO,CAAC;YACjB,WAAW,EAAE,MAAM,CAAC;YACpB,eAAe,EAAE,MAAM,CAAC;SACzB,CAAC;QACF,SAAS,EAAE;YACT,OAAO,EAAE,OAAO,CAAC;YACjB,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC;YAC1B,SAAS,EAAE,OAAO,CAAC;YACnB,gBAAgB,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;YACzD,gBAAgB,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;YACzD,YAAY,EAAE,OAAO,CAAC;YACtB,eAAe,EAAE,MAAM,CAAC;YACxB,YAAY,CAAC,EAAE;gBACb,OAAO,EAAE,OAAO,CAAC;gBACjB,cAAc,EAAE,MAAM,CAAC;gBACvB,gBAAgB,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;gBACzD,KAAK,EAAE,SAAS,GAAG,SAAS,CAAC;gBAC7B,UAAU,EAAE,MAAM,CAAC;aACpB,CAAC;SACH,CAAC;QACF,WAAW,CAAC,EAAE;YACZ,OAAO,EAAE,OAAO,CAAC;YACjB,iBAAiB,EAAE,MAAM,CAAC;YAC1B,aAAa,EAAE,MAAM,CAAC;YACtB,cAAc,EAAE,MAAM,CAAC;YACvB,aAAa,EAAE,MAAM,CAAC;YACtB,eAAe,EAAE,MAAM,CAAC;YACxB,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;YACzB,gBAAgB,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF,kBAAkB,CAAC,EAAE;YACnB,OAAO,EAAE,OAAO,CAAC;YACjB,OAAO,CAAC,EAAE;gBACR,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;gBAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;gBACnB,gBAAgB,CAAC,EAAE;oBAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;oBAAC,IAAI,CAAC,EAAE,MAAM,CAAC;oBAAC,MAAM,CAAC,EAAE,MAAM,CAAC;oBAAC,GAAG,CAAC,EAAE,MAAM,CAAA;iBAAE,CAAC;gBACvF,eAAe,CAAC,EAAE,MAAM,CAAC;gBACzB,cAAc,CAAC,EAAE,MAAM,CAAC;aACzB,CAAC;YACF,UAAU,CAAC,EAAE;gBACX,QAAQ,CAAC,EAAE,MAAM,CAAC;gBAClB,IAAI,CAAC,EAAE,MAAM,CAAC;gBACd,QAAQ,CAAC,EAAE,MAAM,CAAC;aACnB,CAAC;YACF,SAAS,CAAC,EAAE;gBACV,OAAO,CAAC,EAAE,OAAO,CAAC;gBAClB,aAAa,CAAC,EAAE,MAAM,CAAC;aACxB,CAAC;YACF,aAAa,CAAC,EAAE;gBACd,OAAO,CAAC,EAAE,OAAO,CAAC;gBAClB,UAAU,CAAC,EAAE,MAAM,CAAC;aACrB,CAAC;SACH,CAAC;QACF,QAAQ,CAAC,EAAE,KAAK,CAAC;YACf,OAAO,EAAE,MAAM,CAAC;YAChB,OAAO,EAAE,OAAO,CAAC;YACjB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SAClC,CAAC,CAAC;KACJ,CAAC;IACF,SAAS,EAAE;QACT,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,QAAQ,EAAE;QACR,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../../src/core/bootstrap.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../../src/core/bootstrap.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AA2BzD,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC/C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,aAAa,CAAC;IACtB,aAAa,EAAE,aAAa,CAAC;IAC7B,EAAE,EAAE,QAAQ,CAAC,QAAQ,CAAC;IACtB,aAAa,EAAE,aAAa,CAAC;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7C,aAAa,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;IACrC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;CAC/B;AAED,wBAAsB,SAAS,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAuNpF"}
|
package/dist/core/bootstrap.js
CHANGED
|
@@ -17,6 +17,7 @@ const token_optimizer_js_1 = require("../plugins/builtin/token-optimizer.js");
|
|
|
17
17
|
const audit_logger_js_1 = require("../plugins/builtin/audit-logger.js");
|
|
18
18
|
const tool_guard_js_1 = require("../plugins/builtin/tool-guard.js");
|
|
19
19
|
const threat_scorer_js_1 = require("../plugins/builtin/threat-scorer.js");
|
|
20
|
+
const rate_limiter_js_1 = require("../plugins/builtin/rate-limiter.js");
|
|
20
21
|
const anthropic_js_1 = require("../proxy/providers/anthropic.js");
|
|
21
22
|
const openai_js_1 = require("../proxy/providers/openai.js");
|
|
22
23
|
const gemini_js_1 = require("../proxy/providers/gemini.js");
|
|
@@ -89,6 +90,21 @@ async function bootstrap(options) {
|
|
|
89
90
|
pluginManager.register((0, metrics_collector_js_1.createMetricsCollectorPlugin)(db));
|
|
90
91
|
if (!config.plugins.metrics.enabled)
|
|
91
92
|
pluginManager.disable('metrics-collector');
|
|
93
|
+
pluginManager.register((0, rate_limiter_js_1.createRateLimiterPlugin)(db, () => {
|
|
94
|
+
const rl = configManager.get().plugins.rateLimiter;
|
|
95
|
+
return {
|
|
96
|
+
enabled: rl?.enabled ?? true,
|
|
97
|
+
requestsPerMinute: rl?.requestsPerMinute ?? 0,
|
|
98
|
+
tokensPerHour: rl?.tokensPerHour ?? 0,
|
|
99
|
+
maxCostPerHour: rl?.maxCostPerHour ?? 0,
|
|
100
|
+
maxCostPerDay: rl?.maxCostPerDay ?? 0,
|
|
101
|
+
maxCostPerMonth: rl?.maxCostPerMonth ?? 0,
|
|
102
|
+
action: rl?.action ?? 'block',
|
|
103
|
+
warningThreshold: rl?.warningThreshold ?? 0.8,
|
|
104
|
+
};
|
|
105
|
+
}, eventBus));
|
|
106
|
+
if (!config.plugins.rateLimiter?.enabled)
|
|
107
|
+
pluginManager.disable('rate-limiter');
|
|
92
108
|
pluginManager.register((0, dlp_scanner_js_1.createDlpScannerPlugin)(db, {
|
|
93
109
|
action: config.plugins.dlp.action,
|
|
94
110
|
patterns: config.plugins.dlp.patterns,
|
|
@@ -126,6 +142,13 @@ async function bootstrap(options) {
|
|
|
126
142
|
alertMinSeverity: config.plugins.toolGuard?.alertMinSeverity ?? 'high',
|
|
127
143
|
alertDesktop: config.plugins.toolGuard?.alertDesktop ?? true,
|
|
128
144
|
alertWebhookUrl: config.plugins.toolGuard?.alertWebhookUrl ?? '',
|
|
145
|
+
piEscalation: config.plugins.toolGuard?.piEscalation ?? {
|
|
146
|
+
enabled: true,
|
|
147
|
+
scoreThreshold: 0.8,
|
|
148
|
+
overrideSeverity: 'medium',
|
|
149
|
+
scope: 'session',
|
|
150
|
+
ttlMinutes: 30,
|
|
151
|
+
},
|
|
129
152
|
getLiveConfig: () => {
|
|
130
153
|
const tg = configManager.get().plugins.toolGuard;
|
|
131
154
|
return {
|
|
@@ -160,6 +183,13 @@ async function bootstrap(options) {
|
|
|
160
183
|
// Sync failMode changes at runtime
|
|
161
184
|
configManager.onChange((c) => {
|
|
162
185
|
pluginManager.setFailMode(c.server.failMode ?? 'open');
|
|
186
|
+
// Broadcast external plugin config changes for hot-reload
|
|
187
|
+
const ext = c.plugins.external;
|
|
188
|
+
if (ext?.length) {
|
|
189
|
+
const cfg = ext.find((e) => e.enabled !== false);
|
|
190
|
+
if (cfg?.config)
|
|
191
|
+
eventBus.emit('config:external-plugin', cfg.config);
|
|
192
|
+
}
|
|
163
193
|
});
|
|
164
194
|
// Create and start server
|
|
165
195
|
const server = (0, server_js_1.createProxyServer)(config, pluginManager, () => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/core/bootstrap.ts"],"names":[],"mappings":";;;;;
|
|
1
|
+
{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/core/bootstrap.ts"],"names":[],"mappings":";;;;;AA4DA,8BAuNC;AAnRD,8DAAiC;AAGjC,iDAAgD;AAChD,qDAAqD;AAErD,kDAA+D;AAC/D,wDAAoE;AACpE,kDAAoD;AACpD,0DAAyD;AACzD,kFAAuF;AACvF,sEAA2E;AAC3E,8EAAmF;AACnF,wEAA6E;AAC7E,oEAAyE;AACzE,0EAA+E;AAC/E,wEAA6E;AAC7E,kEAA4E;AAC5E,4DAAsE;AACtE,4DAAsE;AACtE,oEAA6E;AAC7E,kEAA6E;AAC7E,kDAAoE;AACpE,sDAA2D;AAC3D,qEAAyE;AACzE,yEAA4E;AAC5E,qFAAwF;AACxF,qEAAyE;AACzE,uEAA0E;AAC1E,yEAA4E;AAC5E,+EAAkF;AAClF,oDAA2D;AAC3D,8CAA2C;AAE3C,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,WAAW,CAAC,CAAC;AA0B/B,KAAK,UAAU,SAAS,CAAC,OAA0B;IACxD,qBAAqB;IACrB,MAAM,MAAM,GAAG,IAAA,qBAAU,EAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAE/C,kBAAkB;IAClB,IAAI,OAAO,EAAE,eAAe,EAAE,CAAC;QAC7B,aAAa,CAAC,MAA4C,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS;QAAE,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IACnE,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS;QAAE,MAAM,CAAC,MAAM,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IACnE,IAAI,OAAO,EAAE,QAAQ;QAAE,MAAM,CAAC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;IAE/D,IAAA,uBAAW,EAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAElC,MAAM,OAAO,GAAG,IAAA,uBAAU,GAAE,CAAC;IAC7B,GAAG,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAErD,gDAAgD;IAChD,MAAM,aAAa,GAAG,IAAI,0BAAa,CAAC,MAAM,CAAC,CAAC;IAEhD,mEAAmE;IACnE,IAAI,SAA6B,CAAC;IAClC,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,MAAM,KAAK,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACrD,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QACtD,SAAS,GAAG,KAAK,CAAC;QAClB,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC;IACxC,CAAC;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACjC,IAAA,mCAAoB,EAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC;IACD,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS;YAAE,IAAA,mCAAoB,EAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,EAAE,GAAG,IAAA,yBAAW,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAExC,qBAAqB;IACrB,IAAA,wCAAyB,GAAE,CAAC;IAC5B,IAAA,kCAAsB,GAAE,CAAC;IACzB,IAAA,kCAAsB,GAAE,CAAC;IACzB,IAAA,yCAAyB,GAAE,CAAC;IAC5B,IAAA,yCAA0B,GAAE,CAAC;IAE7B,oEAAoE;IACpE,MAAM,QAAQ,GAAG,IAAI,6BAAc,EAAE,CAAC;IAEtC,4BAA4B;IAC5B,MAAM,aAAa,GAAG,IAAI,wBAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,EAAE,QAAQ,CAAC,CAAC;IAE5G,aAAa,CAAC,QAAQ,CAAC,IAAA,mDAA4B,EAAC,EAAE,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEhF,aAAa,CAAC,QAAQ,CAAC,IAAA,yCAAuB,EAAC,EAAE,EAAE,GAAG,EAAE;QACtD,MAAM,EAAE,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;QACnD,OAAO;YACL,OAAO,EAAE,EAAE,EAAE,OAAO,IAAI,IAAI;YAC5B,iBAAiB,EAAE,EAAE,EAAE,iBAAiB,IAAI,CAAC;YAC7C,aAAa,EAAE,EAAE,EAAE,aAAa,IAAI,CAAC;YACrC,cAAc,EAAE,EAAE,EAAE,cAAc,IAAI,CAAC;YACvC,aAAa,EAAE,EAAE,EAAE,aAAa,IAAI,CAAC;YACrC,eAAe,EAAE,EAAE,EAAE,eAAe,IAAI,CAAC;YACzC,MAAM,EAAE,EAAE,EAAE,MAAM,IAAI,OAAO;YAC7B,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,IAAI,GAAG;SAC9C,CAAC;IACJ,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACd,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAEhF,aAAa,CAAC,QAAQ,CAAC,IAAA,uCAAsB,EAAC,EAAE,EAAE;QAChD,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM;QACjC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACrC,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc;QACjD,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7C,SAAS,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM;QACvD,gBAAgB,EAAE,GAAG,EAAE,CAAC,iBAAiB,CAAC,eAAe,EAAE,oBAAoB,CAAoE;KACpJ,EAAE,QAAQ,CAAC,CAAC,CAAC;IACd,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAEtE,aAAa,CAAC,QAAQ,CAAC,IAAA,+CAA0B,EAAC,EAAE,EAAE;QACpD,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK;QACrC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,eAAe,IAAI,GAAG;QAChE,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,cAAc;QACvD,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,eAAe;KAC1D,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAEhF,aAAa,CAAC,QAAQ,CAAC,IAAA,yCAAuB,EAAC,EAAE,EAAE;QACjD,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,IAAI,IAAI;QAC9C,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,IAAI,MAAM;QACxD,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,eAAe,IAAI,IAAI;KAC/D,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAE1E,uFAAuF;IACvF,aAAa,CAAC,QAAQ,CAAC,IAAA,2CAAwB,EAAC,MAAM,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;IACvE,IAAI,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,KAAK,KAAK;QAAE,aAAa,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAEjG,aAAa,CAAC,QAAQ,CAAC,IAAA,qCAAqB,EAAC,EAAE,EAAE;QAC/C,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,IAAI,IAAI;QAClD,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,IAAI,OAAO;QACnD,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,IAAI,IAAI;QACtD,gBAAgB,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,gBAAgB,IAAI,UAAU;QAC1E,gBAAgB,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,gBAAgB,IAAI,MAAM;QACtE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,YAAY,IAAI,IAAI;QAC5D,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,eAAe,IAAI,EAAE;QAChE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,YAAY,IAAI;YACtD,OAAO,EAAE,IAAI;YACb,cAAc,EAAE,GAAG;YACnB,gBAAgB,EAAE,QAAQ;YAC1B,KAAK,EAAE,SAAS;YAChB,UAAU,EAAE,EAAE;SACf;QACD,aAAa,EAAE,GAAG,EAAE;YAClB,MAAM,EAAE,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;YACjD,OAAO;gBACL,MAAM,EAAE,EAAE,EAAE,MAAM,IAAI,OAAO;gBAC7B,SAAS,EAAE,EAAE,EAAE,SAAS,IAAI,IAAI;gBAChC,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,IAAI,UAAU;gBACpD,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,IAAI,MAAM;aACjD,CAAC;QACJ,CAAC;KACF,EAAE,QAAQ,CAAC,CAAC,CAAC;IACd,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAE5E,wFAAwF;IACxF,gFAAgF;IAChF,IAAI,iBAAiB,GAA6D,GAAG,EAAE,CAAC,SAAS,CAAC;IAElG,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtD,IAAI,gBAAgB,GAA+B,EAAE,CAAC;IACtD,IAAI,cAAc,GAA6D,GAAG,EAAE,CAAC,SAAS,CAAC;IAC/F,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAA,+BAAmB,EAAC,eAAe,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;QACxE,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAC3C,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QACvC,iBAAiB,GAAG,MAAM,CAAC,cAAc,CAAC;QAC1C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC7C,CAAC;IAED,mCAAmC;IACnC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC;QACvD,0DAA0D;QAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC/B,IAAI,GAAG,EAAE,MAAM,EAAE,CAAC;YAChB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAwB,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,KAAK,CAAqD,CAAC;YAC5H,IAAI,GAAG,EAAE,MAAM;gBAAE,QAAQ,CAAC,IAAI,CAAC,wBAAwB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,MAAM,GAAG,IAAA,6BAAiB,EAAC,MAAM,EAAE,aAAa,EAAE,GAAG,EAAE;QAC3D,KAAK,MAAM,EAAE,IAAI,gBAAgB;YAAE,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACxD,IAAA,2BAAa,GAAE,CAAC;IAClB,CAAC,EAAE,EAAE,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IAEtC,MAAM,IAAA,uBAAW,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAElC,mCAAmC;IACnC,IAAI,aAAa,GAA0B,IAAI,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,gCAAkB,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,aAAa,GAAG,IAAI,mCAAmB,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,mBAAmB,GAAG,IAAI,+CAAyB,CAAC,EAAE,CAAC,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,gCAAkB,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,YAAY,GAAG,IAAI,iCAAkB,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,aAAa,GAAG,IAAI,mCAAmB,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,gBAAgB,GAAG,IAAI,yCAAsB,CAAC,EAAE,CAAC,CAAC;QAExD,SAAS,QAAQ;YACf,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;YACxC,IAAI,CAAC;gBACH,IAAI,KAAK,GAAG,CAAC,CAAC;gBACd,KAAK,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBACtD,KAAK,IAAI,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;gBACxD,KAAK,IAAI,mBAAmB,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC;gBACpE,KAAK,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBACtD,KAAK,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBACtD,KAAK,IAAI,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;gBACxD,KAAK,IAAI,gBAAgB,CAAC,cAAc,CAAC,CAAC,CAAC,iBAAiB,IAAI,GAAG,CAAC,CAAC;gBACrE,IAAI,KAAK,GAAG,CAAC;oBAAE,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YAC/E,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QAED,QAAQ,EAAE,CAAC;QACX,aAAa,GAAG,WAAW,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACtD,aAAa,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa,CAAC,GAAG,EAAE;QAC3B,aAAa;QACb,EAAE;QACF,aAAa;QACb,QAAQ;QACR,MAAM;QACN,gBAAgB;QAChB,aAAa;QACb,SAAS;KACV,CAAC;AACJ,CAAC;AAED,kDAAkD;AAClD,SAAS,aAAa,CAAC,MAA+B,EAAE,MAA+B;IACrF,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,IACE,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI;YACpB,OAAO,MAAM,CAAC,GAAG,CAAC,KAAK,QAAQ;YAC/B,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,OAAO,MAAM,CAAC,GAAG,CAAC,KAAK,QAAQ;YAC/B,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI;YACpB,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAC3B,CAAC;YACD,aAAa,CAAC,MAAM,CAAC,GAAG,CAA4B,EAAE,MAAM,CAAC,GAAG,CAA4B,CAAC,CAAC;QAChG,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api-routes.d.ts","sourceRoot":"","sources":["../../src/dashboard/api-routes.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"api-routes.d.ts","sourceRoot":"","sources":["../../src/dashboard/api-routes.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAwB3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAyBzD,wBAAgB,eAAe,CAC7B,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,aAAa,EAAE,aAAa,EAC5B,aAAa,EAAE,aAAa,EAC5B,cAAc,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,GAAG,SAAS,GACxE,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,KAAK,OAAO,CAshCxD"}
|
|
@@ -15,11 +15,14 @@ const tool_calls_js_1 = require("../storage/repositories/tool-calls.js");
|
|
|
15
15
|
const tool_guard_rules_js_1 = require("../storage/repositories/tool-guard-rules.js");
|
|
16
16
|
const plugin_events_js_1 = require("../storage/repositories/plugin-events.js");
|
|
17
17
|
const alert_js_1 = require("../tool-guard/alert.js");
|
|
18
|
+
const tool_guard_js_1 = require("../plugins/builtin/tool-guard.js");
|
|
18
19
|
const threat_scores_js_1 = require("../storage/repositories/threat-scores.js");
|
|
19
20
|
const threat_score_events_js_1 = require("../storage/repositories/threat-score-events.js");
|
|
20
21
|
const tool_chain_detections_js_1 = require("../storage/repositories/tool-chain-detections.js");
|
|
21
22
|
const chain_rules_js_1 = require("../tool-guard/chain-rules.js");
|
|
23
|
+
const rules_js_1 = require("../tool-guard/rules.js");
|
|
22
24
|
const engine_js_1 = require("../dlp/engine.js");
|
|
25
|
+
const ai_validator_js_1 = require("../dlp/ai-validator.js");
|
|
23
26
|
const semantics_js_1 = require("../dlp/semantics.js");
|
|
24
27
|
const remote_sync_js_1 = require("../dlp/remote-sync.js");
|
|
25
28
|
const version_js_1 = require("../version.js");
|
|
@@ -54,6 +57,9 @@ function createApiRouter(db, configManager, pluginManager, getPluginState) {
|
|
|
54
57
|
const pluginEventsRepo = new plugin_events_js_1.PluginEventsRepository(db);
|
|
55
58
|
const threatScoresRepo = new threat_scores_js_1.ThreatScoresRepository(db);
|
|
56
59
|
const threatScoreEventsRepo = new threat_score_events_js_1.ThreatScoreEventsRepository(db);
|
|
60
|
+
// AI Validator for full-pipeline DLP testing
|
|
61
|
+
const dlpAiConfig = configManager.get().plugins.dlp.aiValidation;
|
|
62
|
+
const aiValidator = new ai_validator_js_1.AiValidator({ ...dlpAiConfig, getLocalProvider: () => getPluginState?.('pi-classifier', 'classifierProvider') });
|
|
57
63
|
const chainDetectionsRepo = new tool_chain_detections_js_1.ToolChainDetectionsRepository(db);
|
|
58
64
|
return (req, res) => {
|
|
59
65
|
const url = parseUrl(req);
|
|
@@ -95,8 +101,9 @@ function createApiRouter(db, configManager, pluginManager, getPluginState) {
|
|
|
95
101
|
return true;
|
|
96
102
|
}
|
|
97
103
|
// POST /api/dlp/scan — standalone DLP scan for testing and external integration
|
|
104
|
+
// Optional: validate=true to run L4 AI validation on findings
|
|
98
105
|
if (req.method === 'POST' && path === '/api/dlp/scan') {
|
|
99
|
-
bufferBody(req).then((body) => {
|
|
106
|
+
bufferBody(req).then(async (body) => {
|
|
100
107
|
try {
|
|
101
108
|
const data = JSON.parse(body);
|
|
102
109
|
const text = data.text;
|
|
@@ -107,16 +114,45 @@ function createApiRouter(db, configManager, pluginManager, getPluginState) {
|
|
|
107
114
|
const action = (data.action ?? configManager.get().plugins.dlp.action ?? 'warn');
|
|
108
115
|
const patterns = dlpPatternsRepo.getEnabled();
|
|
109
116
|
const enableTrace = Boolean(data.trace);
|
|
117
|
+
const enableValidate = Boolean(data.validate);
|
|
110
118
|
const trace = enableTrace ? { entries: [], totalDurationMs: 0 } : undefined;
|
|
111
119
|
const result = (0, engine_js_1.scanText)(text, patterns, action, trace);
|
|
120
|
+
const mapFinding = (f) => ({
|
|
121
|
+
patternName: f.patternName,
|
|
122
|
+
patternCategory: f.patternCategory,
|
|
123
|
+
matchCount: f.matchCount,
|
|
124
|
+
matches: f.matches,
|
|
125
|
+
});
|
|
126
|
+
// L4 AI validation — filter false positives
|
|
127
|
+
let validation = null;
|
|
128
|
+
let finalFindings = result.findings;
|
|
129
|
+
if (enableValidate) {
|
|
130
|
+
// Refresh config in case it changed
|
|
131
|
+
const freshConfig = configManager.get().plugins.dlp.aiValidation;
|
|
132
|
+
aiValidator.updateConfig(freshConfig);
|
|
133
|
+
validation = {
|
|
134
|
+
enabled: freshConfig.enabled,
|
|
135
|
+
ready: aiValidator.ready,
|
|
136
|
+
provider: freshConfig.provider,
|
|
137
|
+
originalCount: result.findings.length,
|
|
138
|
+
confirmedCount: result.findings.length,
|
|
139
|
+
filteredOut: [],
|
|
140
|
+
};
|
|
141
|
+
if (aiValidator.ready && result.findings.length > 0) {
|
|
142
|
+
const confirmed = await aiValidator.validate(result.findings, text);
|
|
143
|
+
const confirmedNames = new Set(confirmed.map(f => f.patternName + ':' + f.matches[0]));
|
|
144
|
+
validation.confirmedCount = confirmed.length;
|
|
145
|
+
validation.filteredOut = result.findings
|
|
146
|
+
.filter(f => !confirmedNames.has(f.patternName + ':' + f.matches[0]))
|
|
147
|
+
.map(f => f.patternName);
|
|
148
|
+
finalFindings = confirmed;
|
|
149
|
+
}
|
|
150
|
+
}
|
|
112
151
|
sendJson(res, {
|
|
113
|
-
action: result.action,
|
|
114
|
-
findings:
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
matchCount: f.matchCount,
|
|
118
|
-
matches: f.matches,
|
|
119
|
-
})),
|
|
152
|
+
action: finalFindings.length === 0 ? 'pass' : result.action,
|
|
153
|
+
findings: finalFindings.map(mapFinding),
|
|
154
|
+
allFindings: enableValidate ? result.findings.map(mapFinding) : undefined,
|
|
155
|
+
validation: validation,
|
|
120
156
|
redactedText: result.redactedBody ?? null,
|
|
121
157
|
trace: trace ?? null,
|
|
122
158
|
});
|
|
@@ -688,6 +724,17 @@ function createApiRouter(db, configManager, pluginManager, getPluginState) {
|
|
|
688
724
|
}).catch((err) => sendJson(res, { error: err.message }, 500));
|
|
689
725
|
return true;
|
|
690
726
|
}
|
|
727
|
+
// GET /api/rate-limits/status — current rate limiter usage vs limits
|
|
728
|
+
if (req.method === 'GET' && path === '/api/rate-limits/status') {
|
|
729
|
+
const rlPlugin = pluginManager.getPlugins().find(p => p.name === 'rate-limiter');
|
|
730
|
+
if (rlPlugin?.getState) {
|
|
731
|
+
sendJson(res, rlPlugin.getState());
|
|
732
|
+
}
|
|
733
|
+
else {
|
|
734
|
+
sendJson(res, { limits: {}, action: 'block', recentBlocks: 0 });
|
|
735
|
+
}
|
|
736
|
+
return true;
|
|
737
|
+
}
|
|
691
738
|
// ── Threat Intelligence API ──
|
|
692
739
|
// GET /api/threat/sessions — all elevated+ sessions
|
|
693
740
|
if (req.method === 'GET' && path === '/api/threat/sessions') {
|
|
@@ -729,6 +776,289 @@ function createApiRouter(db, configManager, pluginManager, getPluginState) {
|
|
|
729
776
|
sendJson(res, chain_rules_js_1.BUILTIN_CHAIN_RULES);
|
|
730
777
|
return true;
|
|
731
778
|
}
|
|
779
|
+
// ── PI Escalation API ──
|
|
780
|
+
// GET /api/tool-guard/pi-escalations
|
|
781
|
+
if (req.method === 'GET' && path === '/api/tool-guard/pi-escalations') {
|
|
782
|
+
const escalations = (0, tool_guard_js_1.getPiEscalations)();
|
|
783
|
+
sendJson(res, { escalations, count: escalations.length });
|
|
784
|
+
return true;
|
|
785
|
+
}
|
|
786
|
+
// POST /api/tool-guard/pi-escalations/reset/:sessionId
|
|
787
|
+
if (req.method === 'POST' && path.startsWith('/api/tool-guard/pi-escalations/reset/')) {
|
|
788
|
+
const sessionId = decodeURIComponent(path.slice('/api/tool-guard/pi-escalations/reset/'.length));
|
|
789
|
+
if (!sessionId) {
|
|
790
|
+
sendJson(res, { error: 'Missing session ID' }, 400);
|
|
791
|
+
return true;
|
|
792
|
+
}
|
|
793
|
+
const removed = (0, tool_guard_js_1.resetPiEscalation)(sessionId);
|
|
794
|
+
sendJson(res, { ok: true, removed });
|
|
795
|
+
return true;
|
|
796
|
+
}
|
|
797
|
+
// POST /api/tool-guard/pi-escalations/reset
|
|
798
|
+
if (req.method === 'POST' && path === '/api/tool-guard/pi-escalations/reset') {
|
|
799
|
+
const count = (0, tool_guard_js_1.resetAllPiEscalations)();
|
|
800
|
+
sendJson(res, { ok: true, count });
|
|
801
|
+
return true;
|
|
802
|
+
}
|
|
803
|
+
// ── PI Detection Playground (test mode only) ──
|
|
804
|
+
// GET /api/test/pi-status — L5a/L5b readiness and config
|
|
805
|
+
if (req.method === 'GET' && path === '/api/test/pi-status') {
|
|
806
|
+
if (process.env.BASTION_TEST_MODE !== '1') {
|
|
807
|
+
sendJson(res, { error: 'Not found' }, 404);
|
|
808
|
+
return true;
|
|
809
|
+
}
|
|
810
|
+
const l5aProvider = getPluginState?.('pi-classifier', 'classifierProvider');
|
|
811
|
+
const l5bProv = getPluginState?.('pi-classifier', 'l5bProvider');
|
|
812
|
+
const piConfig = getPluginState?.('pi-classifier', 'piConfig');
|
|
813
|
+
sendJson(res, {
|
|
814
|
+
l5a: { ready: !!l5aProvider?.ready, modelName: l5aProvider?.modelName ?? null },
|
|
815
|
+
l5b: { ready: !!l5bProv?.ready, modelName: l5bProv?.modelName ?? null },
|
|
816
|
+
action: piConfig?.action ?? 'warn',
|
|
817
|
+
threshold: piConfig?.threshold ?? 0.8,
|
|
818
|
+
indirectThreshold: piConfig?.indirectThreshold ?? 0.6,
|
|
819
|
+
grayZoneWidth: piConfig?.grayZoneWidth ?? 0.2,
|
|
820
|
+
});
|
|
821
|
+
return true;
|
|
822
|
+
}
|
|
823
|
+
// POST /api/test/pi-classify — run PI classification on arbitrary text
|
|
824
|
+
if (req.method === 'POST' && path === '/api/test/pi-classify') {
|
|
825
|
+
if (process.env.BASTION_TEST_MODE !== '1') {
|
|
826
|
+
sendJson(res, { error: 'Not found' }, 404);
|
|
827
|
+
return true;
|
|
828
|
+
}
|
|
829
|
+
bufferBody(req).then(async (body) => {
|
|
830
|
+
try {
|
|
831
|
+
const data = JSON.parse(body);
|
|
832
|
+
const text = data.text;
|
|
833
|
+
if (typeof text !== 'string' || text.length === 0) {
|
|
834
|
+
sendJson(res, { error: 'text field is required' }, 400);
|
|
835
|
+
return;
|
|
836
|
+
}
|
|
837
|
+
const l5aProvider = getPluginState?.('pi-classifier', 'classifierProvider');
|
|
838
|
+
if (!l5aProvider?.ready || !l5aProvider.classify) {
|
|
839
|
+
sendJson(res, { error: 'L5a classifier not ready' }, 503);
|
|
840
|
+
return;
|
|
841
|
+
}
|
|
842
|
+
const piConfig = getPluginState?.('pi-classifier', 'piConfig');
|
|
843
|
+
const threshold = piConfig?.threshold ?? 0.8;
|
|
844
|
+
const grayZoneWidth = piConfig?.grayZoneWidth ?? 0.2;
|
|
845
|
+
const grayLower = threshold - grayZoneWidth;
|
|
846
|
+
// L5a classification
|
|
847
|
+
const l5a = await l5aProvider.classify(text);
|
|
848
|
+
const isSafe = l5a.label === 'BENIGN' || l5a.label === 'SAFE';
|
|
849
|
+
const injectionScore = isSafe ? 1 - l5a.score : l5a.score;
|
|
850
|
+
// Determine zone
|
|
851
|
+
let zone;
|
|
852
|
+
if (injectionScore >= threshold)
|
|
853
|
+
zone = 'detected';
|
|
854
|
+
else if (injectionScore >= grayLower)
|
|
855
|
+
zone = 'gray';
|
|
856
|
+
else
|
|
857
|
+
zone = 'safe';
|
|
858
|
+
const result = {
|
|
859
|
+
l5a: { label: l5a.label, score: l5a.score, latencyMs: l5a.latencyMs, modelName: l5aProvider.modelName },
|
|
860
|
+
injectionScore,
|
|
861
|
+
threshold,
|
|
862
|
+
grayZone: [grayLower, threshold],
|
|
863
|
+
zone,
|
|
864
|
+
};
|
|
865
|
+
// L5b escalation if gray zone
|
|
866
|
+
if (zone === 'gray') {
|
|
867
|
+
const l5bProv = getPluginState?.('pi-classifier', 'l5bProvider');
|
|
868
|
+
if (l5bProv?.ready && l5bProv.classify) {
|
|
869
|
+
try {
|
|
870
|
+
const l5b = await l5bProv.classify(text);
|
|
871
|
+
const l5bIsSafe = l5b.label === 'BENIGN' || l5b.label === 'SAFE';
|
|
872
|
+
const l5bInjectionScore = l5bIsSafe ? 1 - l5b.score : l5b.score;
|
|
873
|
+
result.l5b = { label: l5b.label, score: l5b.score, latencyMs: l5b.latencyMs, modelName: l5bProv.modelName };
|
|
874
|
+
result.l5bInjectionScore = l5bInjectionScore;
|
|
875
|
+
// L5b verdict overrides gray zone
|
|
876
|
+
result.zone = l5bInjectionScore >= threshold ? 'detected' : 'safe';
|
|
877
|
+
}
|
|
878
|
+
catch (err) {
|
|
879
|
+
result.l5b = { error: err.message };
|
|
880
|
+
}
|
|
881
|
+
}
|
|
882
|
+
else {
|
|
883
|
+
result.l5b = { ready: false };
|
|
884
|
+
}
|
|
885
|
+
}
|
|
886
|
+
result.verdict = result.zone === 'safe' ? 'SAFE' : 'INJECTION';
|
|
887
|
+
sendJson(res, result);
|
|
888
|
+
}
|
|
889
|
+
catch (err) {
|
|
890
|
+
sendJson(res, { error: err.message }, 400);
|
|
891
|
+
}
|
|
892
|
+
}).catch((err) => {
|
|
893
|
+
sendJson(res, { error: err.message }, 500);
|
|
894
|
+
});
|
|
895
|
+
return true;
|
|
896
|
+
}
|
|
897
|
+
// POST /api/test/pipeline — unified full-pipeline test (DLP L0-L4 + PI L5a/L5b)
|
|
898
|
+
if (req.method === 'POST' && path === '/api/test/pipeline') {
|
|
899
|
+
if (process.env.BASTION_TEST_MODE !== '1') {
|
|
900
|
+
sendJson(res, { error: 'Not found' }, 404);
|
|
901
|
+
return true;
|
|
902
|
+
}
|
|
903
|
+
bufferBody(req).then(async (body) => {
|
|
904
|
+
try {
|
|
905
|
+
const data = JSON.parse(body);
|
|
906
|
+
const text = data.text;
|
|
907
|
+
if (typeof text !== 'string' || text.length === 0) {
|
|
908
|
+
sendJson(res, { error: 'text field is required' }, 400);
|
|
909
|
+
return;
|
|
910
|
+
}
|
|
911
|
+
const action = (data.action ?? configManager.get().plugins.dlp.action ?? 'warn');
|
|
912
|
+
// ── DLP L4 AI Validation ──
|
|
913
|
+
const freshAiConfig = configManager.get().plugins.dlp.aiValidation;
|
|
914
|
+
aiValidator.updateConfig(freshAiConfig);
|
|
915
|
+
const l4Ready = aiValidator.ready;
|
|
916
|
+
// ── DLP L0-L3 ──
|
|
917
|
+
const dlpTrace = { entries: [], totalDurationMs: 0 };
|
|
918
|
+
const dlpResult = (0, engine_js_1.scanText)(text, dlpPatternsRepo.getEnabled(), action, dlpTrace, { deferContextVerify: l4Ready });
|
|
919
|
+
const mapF = (f) => ({
|
|
920
|
+
patternName: f.patternName, patternCategory: f.patternCategory, matchCount: f.matchCount, matches: f.matches,
|
|
921
|
+
});
|
|
922
|
+
let l4 = { ready: l4Ready, provider: freshAiConfig.provider, enabled: freshAiConfig.enabled };
|
|
923
|
+
let confirmedFindings = dlpResult.findings;
|
|
924
|
+
const allCandidates = [...dlpResult.findings, ...dlpResult.deferredFindings];
|
|
925
|
+
// Clear L4 cache for fresh results in test mode
|
|
926
|
+
aiValidator.clearCache();
|
|
927
|
+
if (l4Ready && allCandidates.length > 0) {
|
|
928
|
+
const confirmed = await aiValidator.validate(allCandidates, text);
|
|
929
|
+
const confirmedSet = new Set(confirmed.map(f => f.patternName + ':' + f.matches[0]));
|
|
930
|
+
const promotedFromDeferred = dlpResult.deferredFindings.filter(f => confirmedSet.has(f.patternName + ':' + f.matches[0]));
|
|
931
|
+
l4 = {
|
|
932
|
+
...l4,
|
|
933
|
+
originalCount: allCandidates.length,
|
|
934
|
+
confirmedCount: confirmed.length,
|
|
935
|
+
filteredOut: allCandidates.filter(f => !confirmedSet.has(f.patternName + ':' + f.matches[0])).map(f => f.patternName),
|
|
936
|
+
deferredCount: dlpResult.deferredFindings.length,
|
|
937
|
+
promotedCount: promotedFromDeferred.length,
|
|
938
|
+
details: aiValidator.lastDetails,
|
|
939
|
+
};
|
|
940
|
+
confirmedFindings = confirmed;
|
|
941
|
+
}
|
|
942
|
+
else {
|
|
943
|
+
l4 = { ...l4, originalCount: dlpResult.findings.length, confirmedCount: dlpResult.findings.length, filteredOut: [], deferredCount: dlpResult.deferredFindings.length };
|
|
944
|
+
}
|
|
945
|
+
const l5aProvider = getPluginState?.('pi-classifier', 'classifierProvider');
|
|
946
|
+
const piConfig = getPluginState?.('pi-classifier', 'piConfig');
|
|
947
|
+
const threshold = piConfig?.threshold ?? 0.8;
|
|
948
|
+
const piIndirectThreshold = piConfig?.indirectThreshold ?? 0.6;
|
|
949
|
+
const grayZoneWidth = piConfig?.grayZoneWidth ?? 0.2;
|
|
950
|
+
const grayLower = threshold - grayZoneWidth;
|
|
951
|
+
let pi = { ready: false };
|
|
952
|
+
if (l5aProvider?.ready && l5aProvider.classify) {
|
|
953
|
+
const l5a = await l5aProvider.classify(text);
|
|
954
|
+
const isSafe = l5a.label === 'BENIGN' || l5a.label === 'SAFE';
|
|
955
|
+
const injectionScore = isSafe ? 1 - l5a.score : l5a.score;
|
|
956
|
+
let zone;
|
|
957
|
+
if (injectionScore >= threshold)
|
|
958
|
+
zone = 'detected';
|
|
959
|
+
else if (injectionScore >= grayLower)
|
|
960
|
+
zone = 'gray';
|
|
961
|
+
else
|
|
962
|
+
zone = 'safe';
|
|
963
|
+
pi = {
|
|
964
|
+
ready: true,
|
|
965
|
+
l5a: { label: l5a.label, score: l5a.score, latencyMs: l5a.latencyMs, modelName: l5aProvider.modelName },
|
|
966
|
+
injectionScore, threshold, indirectThreshold: piIndirectThreshold, grayZone: [grayLower, threshold], zone,
|
|
967
|
+
};
|
|
968
|
+
// L5b if gray
|
|
969
|
+
if (zone === 'gray') {
|
|
970
|
+
const l5bProv = getPluginState?.('pi-classifier', 'l5bProvider');
|
|
971
|
+
if (l5bProv?.ready && l5bProv.classify) {
|
|
972
|
+
try {
|
|
973
|
+
const l5b = await l5bProv.classify(text);
|
|
974
|
+
const l5bSafe = l5b.label === 'BENIGN' || l5b.label === 'SAFE';
|
|
975
|
+
const l5bScore = l5bSafe ? 1 - l5b.score : l5b.score;
|
|
976
|
+
pi.l5b = { label: l5b.label, score: l5b.score, latencyMs: l5b.latencyMs, modelName: l5bProv.modelName };
|
|
977
|
+
pi.l5bInjectionScore = l5bScore;
|
|
978
|
+
pi.zone = l5bScore >= threshold ? 'detected' : 'safe';
|
|
979
|
+
}
|
|
980
|
+
catch (err) {
|
|
981
|
+
pi.l5b = { error: err.message };
|
|
982
|
+
}
|
|
983
|
+
}
|
|
984
|
+
else {
|
|
985
|
+
pi.l5b = { ready: false };
|
|
986
|
+
}
|
|
987
|
+
}
|
|
988
|
+
pi.verdict = (pi.zone === 'safe') ? 'SAFE' : 'INJECTION';
|
|
989
|
+
}
|
|
990
|
+
// ── Combined verdict ──
|
|
991
|
+
const dlpBlocked = confirmedFindings.length > 0 && (action === 'block' || action === 'redact');
|
|
992
|
+
const piBlocked = pi.verdict === 'INJECTION';
|
|
993
|
+
sendJson(res, {
|
|
994
|
+
verdict: (dlpBlocked || piBlocked) ? 'BLOCKED' : 'PASS',
|
|
995
|
+
dlp: {
|
|
996
|
+
action: confirmedFindings.length === 0 ? 'pass' : dlpResult.action,
|
|
997
|
+
findings: confirmedFindings.map(mapF),
|
|
998
|
+
allFindings: [...dlpResult.findings, ...dlpResult.deferredFindings].map(mapF),
|
|
999
|
+
deferredFindings: dlpResult.deferredFindings.map(mapF),
|
|
1000
|
+
redactedText: dlpResult.redactedBody ?? null,
|
|
1001
|
+
trace: dlpTrace,
|
|
1002
|
+
},
|
|
1003
|
+
l4,
|
|
1004
|
+
pi,
|
|
1005
|
+
});
|
|
1006
|
+
}
|
|
1007
|
+
catch (err) {
|
|
1008
|
+
sendJson(res, { error: err.message }, 400);
|
|
1009
|
+
}
|
|
1010
|
+
}).catch((err) => {
|
|
1011
|
+
sendJson(res, { error: err.message }, 500);
|
|
1012
|
+
});
|
|
1013
|
+
return true;
|
|
1014
|
+
}
|
|
1015
|
+
// POST /api/test/tool-guard-scan — test tool call against rules
|
|
1016
|
+
if (req.method === 'POST' && path === '/api/test/tool-guard-scan') {
|
|
1017
|
+
if (process.env.BASTION_TEST_MODE !== '1') {
|
|
1018
|
+
sendJson(res, { error: 'Not found' }, 404);
|
|
1019
|
+
return true;
|
|
1020
|
+
}
|
|
1021
|
+
bufferBody(req).then((body) => {
|
|
1022
|
+
try {
|
|
1023
|
+
const data = JSON.parse(body);
|
|
1024
|
+
const toolName = data.toolName;
|
|
1025
|
+
const toolInput = data.toolInput;
|
|
1026
|
+
if (typeof toolName !== 'string' || toolName.length === 0) {
|
|
1027
|
+
sendJson(res, { error: 'toolName is required' }, 400);
|
|
1028
|
+
return;
|
|
1029
|
+
}
|
|
1030
|
+
if (toolInput === undefined || toolInput === null) {
|
|
1031
|
+
sendJson(res, { error: 'toolInput is required' }, 400);
|
|
1032
|
+
return;
|
|
1033
|
+
}
|
|
1034
|
+
// Use DB rules (builtin + custom, compiled to ToolGuardRule[])
|
|
1035
|
+
const rules = toolGuardRulesRepo.getEnabled();
|
|
1036
|
+
const result = (0, rules_js_1.matchRules)(toolName, toolInput, rules);
|
|
1037
|
+
if (result) {
|
|
1038
|
+
sendJson(res, {
|
|
1039
|
+
matched: true,
|
|
1040
|
+
rule: {
|
|
1041
|
+
id: result.rule.id,
|
|
1042
|
+
name: result.rule.name,
|
|
1043
|
+
description: result.rule.description,
|
|
1044
|
+
severity: result.rule.severity,
|
|
1045
|
+
category: result.rule.category,
|
|
1046
|
+
},
|
|
1047
|
+
matchedText: result.matchedText,
|
|
1048
|
+
});
|
|
1049
|
+
}
|
|
1050
|
+
else {
|
|
1051
|
+
sendJson(res, { matched: false });
|
|
1052
|
+
}
|
|
1053
|
+
}
|
|
1054
|
+
catch (err) {
|
|
1055
|
+
sendJson(res, { error: err.message }, 400);
|
|
1056
|
+
}
|
|
1057
|
+
}).catch((err) => {
|
|
1058
|
+
sendJson(res, { error: err.message }, 500);
|
|
1059
|
+
});
|
|
1060
|
+
return true;
|
|
1061
|
+
}
|
|
732
1062
|
return false;
|
|
733
1063
|
};
|
|
734
1064
|
}
|