@aion0/bastion 0.1.7

package/dist/dlp/engine.js

@@ -0,0 +1,342 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getPatterns = getPatterns;
+exports.scanText = scanText;
+const validators_js_1 = require("./validators.js");
+const high_confidence_js_1 = require("./patterns/high-confidence.js");
+const validated_js_1 = require("./patterns/validated.js");
+const context_aware_js_1 = require("./patterns/context-aware.js");
+const prompt_injection_js_1 = require("./patterns/prompt-injection.js");
+const structure_js_1 = require("./structure.js");
+const entropy_js_1 = require("./entropy.js");
+const semantics_js_1 = require("./semantics.js");
+const PATTERN_TIMEOUT_MS = 50;
+function runRegexWithPositions(regex, text, timeoutMs) {
+    const results = [];
+    const start = Date.now();
+    const cloned = new RegExp(regex.source, regex.flags);
+    let match;
+    while ((match = cloned.exec(text)) !== null) {
+        results.push({ match: match[0], index: match.index });
+        if (Date.now() - start > timeoutMs)
+            break;
+        if (match.index === cloned.lastIndex)
+            cloned.lastIndex++;
+    }
+    return results;
+}
+function runRegexWithTimeout(regex, text, timeoutMs) {
+    const matches = [];
+    const start = Date.now();
+    // Clone regex to reset lastIndex
+    const cloned = new RegExp(regex.source, regex.flags);
+    let match;
+    while ((match = cloned.exec(text)) !== null) {
+        matches.push(match[0]);
+        if (Date.now() - start > timeoutMs)
+            break;
+        // Prevent infinite loops on zero-length matches
+        if (match.index === cloned.lastIndex)
+            cloned.lastIndex++;
+    }
+    return matches;
+}
+const CONTEXT_RADIUS = 200; // chars around match to look for context words
+/** Match a context word in text. Short words (<=3 chars) use word-boundary matching
+ *  to avoid substring false positives (e.g., 'ip' matching inside 'script'). */
+function contextWordMatches(haystack, word) {
+    const lowerWord = word.toLowerCase();
+    // Words with underscores, dots, or length > 3 are specific enough for substring match
+    if (lowerWord.length > 3 || /[_.]/.test(lowerWord)) {
+        return haystack.includes(lowerWord);
+    }
+    // Short words need word-boundary matching
+    const escaped = lowerWord.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    return new RegExp(`\\b${escaped}\\b`, 'i').test(haystack);
+}
+function hasContext(text, contextWords) {
+    const lower = text.toLowerCase();
+    return contextWords.some((word) => contextWordMatches(lower, word));
+}
+/** Check if any context word appears within CONTEXT_RADIUS chars of the match position */
+function hasNearbyContext(text, matchIndex, matchLength, contextWords) {
+    const start = Math.max(0, matchIndex - CONTEXT_RADIUS);
+    const end = Math.min(text.length, matchIndex + matchLength + CONTEXT_RADIUS);
+    const nearby = text.slice(start, end);
+    return contextWords.some((word) => contextWordMatches(nearby, word));
+}
+const VERIFY_CONTEXT_RADIUS = 300;
+/** Check if a position in text falls inside a markdown code block (``` ... ```) */
+function isInsideCodeBlock(text, matchIndex) {
+    let inside = false;
+    let i = 0;
+    while (i < matchIndex) {
+        if (text[i] === '`' && i + 2 < text.length && text[i + 1] === '`' && text[i + 2] === '`') {
+            inside = !inside;
+            i += 3;
+            // skip to end of line for opening fence (language tag)
+            if (inside)
+                while (i < matchIndex && text[i] !== '\n')
+                    i++;
+        }
+        else {
+            i++;
+        }
+    }
+    return inside;
+}
+/** Post-match context verification (free tier — always runs) */
+function contextVerifyMatch(text, match, matchIndex, verify) {
+    // 1. rejectInCodeBlock
+    if (verify.rejectInCodeBlock && isInsideCodeBlock(text, matchIndex)) {
+        return false;
+    }
+    // 2. minEntropy
+    if (verify.minEntropy !== undefined) {
+        const entropy = (0, entropy_js_1.shannonEntropy)(match);
+        if (entropy < verify.minEntropy)
+            return false;
+    }
+    // 3. antiPatterns — extract context window, reject if any matches
+    const start = Math.max(0, matchIndex - VERIFY_CONTEXT_RADIUS);
+    const end = Math.min(text.length, matchIndex + match.length + VERIFY_CONTEXT_RADIUS);
+    const context = text.slice(start, end);
+    if (verify.antiPatterns) {
+        for (const ap of verify.antiPatterns) {
+            ap.lastIndex = 0; // reset in case regex has 'g' flag
+            if (ap.test(context))
+                return false;
+        }
+    }
+    // 4. confirmPatterns — require at least one match
+    if (verify.confirmPatterns && verify.confirmPatterns.length > 0) {
+        const confirmed = verify.confirmPatterns.some(cp => {
+            cp.lastIndex = 0;
+            return cp.test(context);
+        });
+        if (!confirmed)
+            return false;
+    }
+    return true;
+}
+function getPatterns(categories) {
+    const all = [];
+    const catSet = new Set(categories);
+    if (catSet.has('high-confidence'))
+        all.push(...high_confidence_js_1.highConfidencePatterns);
+    if (catSet.has('validated'))
+        all.push(...validated_js_1.validatedPatterns);
+    if (catSet.has('context-aware'))
+        all.push(...context_aware_js_1.contextAwarePatterns);
+    if (catSet.has('prompt-injection'))
+        all.push(...prompt_injection_js_1.promptInjectionPatterns);
+    return all;
+}
+function scanText(text, patterns, action, trace) {
+    const findings = [];
+    let redactedBody = text;
+    const t0 = trace ? performance.now() : 0;
+    if (trace) {
+        trace.entries.push({ layer: -1, layerName: 'init', step: 'start', detail: `Input: ${text.length} chars, ${patterns.length} patterns, action=${action}` });
+    }
+    // ── Layer 2: Regex pattern matching ──
+    const regexStart = trace ? performance.now() : 0;
+    for (const pattern of patterns) {
+        const patStart = trace ? performance.now() : 0;
+        // Quick pre-check: if context words don't appear anywhere, skip entirely
+        if (pattern.requireContext && !hasContext(text, pattern.requireContext)) {
+            if (trace) {
+                trace.entries.push({
+                    layer: 2, layerName: 'regex', step: 'context-skip',
+                    detail: `[${pattern.name}] context words [${pattern.requireContext.join(', ')}] not found in text — skipped`,
+                    durationMs: performance.now() - patStart,
+                });
+            }
+            continue;
+        }
+        // Use position-aware matching when requireContext or contextVerify needs it
+        const needPositions = !!(pattern.requireContext || pattern.contextVerify);
+        let matches;
+        let posMatches;
+        if (needPositions) {
+            posMatches = runRegexWithPositions(pattern.regex, text, PATTERN_TIMEOUT_MS);
+            if (pattern.requireContext) {
+                const filtered = posMatches.filter((m) => hasNearbyContext(text, m.index, m.match.length, pattern.requireContext));
+                if (trace) {
+                    trace.entries.push({
+                        layer: 2, layerName: 'regex', step: 'context-match',
+                        detail: `[${pattern.name}] regex matched ${posMatches.length}, ${filtered.length} with nearby context [${pattern.requireContext.join(', ')}]`,
+                        durationMs: performance.now() - patStart,
+                    });
+                }
+                posMatches = filtered;
+            }
+            else if (trace) {
+                trace.entries.push({
+                    layer: 2, layerName: 'regex', step: 'match',
+                    detail: `[${pattern.name}] (${pattern.category}) regex /${pattern.regex.source}/ → ${posMatches.length} match(es)${posMatches.length > 0 ? ': ' + posMatches.map(m => m.match.length > 40 ? m.match.slice(0, 40) + '...' : m.match).join(', ') : ''}`,
+                    durationMs: performance.now() - patStart,
+                });
+            }
+            matches = posMatches.map((m) => m.match);
+        }
+        else {
+            matches = runRegexWithTimeout(pattern.regex, text, PATTERN_TIMEOUT_MS);
+            if (trace) {
+                trace.entries.push({
+                    layer: 2, layerName: 'regex', step: 'match',
+                    detail: `[${pattern.name}] (${pattern.category}) regex /${pattern.regex.source}/ → ${matches.length} match(es)${matches.length > 0 ? ': ' + matches.map(m => m.length > 40 ? m.slice(0, 40) + '...' : m).join(', ') : ''}`,
+                    durationMs: performance.now() - patStart,
+                });
+            }
+        }
+        if (matches.length === 0)
+            continue;
+        // Run validator if one is specified
+        const validatedMatches = pattern.validator
+            ? matches.filter((m) => validators_js_1.validators[pattern.validator]?.(m) ?? true)
+            : matches;
+        if (trace && pattern.validator) {
+            const rejected = matches.length - validatedMatches.length;
+            trace.entries.push({
+                layer: 2, layerName: 'regex', step: 'validate',
+                detail: `[${pattern.name}] validator "${pattern.validator}": ${validatedMatches.length} passed, ${rejected} rejected`,
+            });
+        }
+        if (validatedMatches.length === 0)
+            continue;
+        // Context verification (free tier — always runs when contextVerify is defined)
+        let verifiedMatches = validatedMatches;
+        if (pattern.contextVerify && posMatches) {
+            // Build verified list from posMatches to preserve per-occurrence position info
+            // (avoids find-first-match bug when same string appears at multiple positions)
+            const validatedSet = new Set(validatedMatches);
+            verifiedMatches = [];
+            for (const pos of posMatches) {
+                if (!validatedSet.has(pos.match))
+                    continue; // filtered by validator
+                if (contextVerifyMatch(text, pos.match, pos.index, pattern.contextVerify)) {
+                    verifiedMatches.push(pos.match);
+                }
+                else if (trace) {
+                    trace.entries.push({
+                        layer: 2, layerName: 'regex', step: 'context-verify-reject',
+                        detail: `[${pattern.name}] match "${pos.match.length > 30 ? pos.match.slice(0, 30) + '...' : pos.match}" rejected by context verification`,
+                    });
+                }
+            }
+        }
+        if (verifiedMatches.length === 0)
+            continue;
+        findings.push({
+            patternName: pattern.name,
+            patternCategory: pattern.category,
+            matchCount: verifiedMatches.length,
+            matches: verifiedMatches,
+        });
+        // Apply redaction if needed
+        if (action === 'redact') {
+            for (const m of verifiedMatches) {
+                redactedBody = redactedBody.replaceAll(m, `[${pattern.name.toUpperCase()}_REDACTED]`);
+            }
+        }
+    }
+    if (trace) {
+        trace.entries.push({
+            layer: 2, layerName: 'regex', step: 'summary',
+            detail: `Layer 2 complete: ${findings.length} finding(s) from regex patterns`,
+            durationMs: performance.now() - regexStart,
+        });
+    }
+    // ── Layer 0 + 1 + 3: Structure → Entropy → Semantic detection ──
+    // Detect generic secrets: high-entropy values in sensitive field names
+    // that were NOT already caught by a specific regex pattern above.
+    const structStart = trace ? performance.now() : 0;
+    const fields = (0, structure_js_1.extractStructuredFields)(text);
+    if (trace) {
+        trace.entries.push({
+            layer: 0, layerName: 'structure', step: 'extract',
+            detail: `Layer 0: extracted ${fields.length} field(s) from text${fields.length > 0 ? ' — ' + fields.map(f => `${f.path}=${f.value.length > 20 ? f.value.slice(0, 20) + '...' : f.value}`).join('; ') : ''}`,
+            durationMs: performance.now() - structStart,
+        });
+    }
+    for (const field of fields) {
+        if (field.value.length < entropy_js_1.MIN_ENTROPY_LENGTH || field.value.length > entropy_js_1.MAX_SECRET_LENGTH) {
+            if (trace) {
+                trace.entries.push({
+                    layer: 1, layerName: 'entropy', step: 'length-skip',
+                    detail: `[${field.path}] value length ${field.value.length} outside range [${entropy_js_1.MIN_ENTROPY_LENGTH}, ${entropy_js_1.MAX_SECRET_LENGTH}] — skipped`,
+                });
+            }
+            continue;
+        }
+        const sensitive = (0, semantics_js_1.isSensitiveFieldName)(field.key);
+        if (!sensitive) {
+            if (trace) {
+                trace.entries.push({
+                    layer: 3, layerName: 'semantics', step: 'not-sensitive',
+                    detail: `[${field.path}] field name "${field.key}" not sensitive — skipped`,
+                });
+            }
+            continue;
+        }
+        const entropy = (0, entropy_js_1.shannonEntropy)(field.value);
+        const highEnt = entropy >= entropy_js_1.DEFAULT_ENTROPY_THRESHOLD;
+        if (trace) {
+            trace.entries.push({
+                layer: 1, layerName: 'entropy', step: highEnt ? 'high' : 'low',
+                detail: `[${field.path}] entropy=${entropy.toFixed(3)} bits/char (threshold=${entropy_js_1.DEFAULT_ENTROPY_THRESHOLD})${highEnt ? ' → HIGH' : ' → low, skipped'}`,
+            });
+        }
+        if (!highEnt)
+            continue;
+        // Check if this value is already covered by a regex finding
+        const alreadyCovered = findings.some((f) => f.matches.some((m) => field.value.includes(m) || m.includes(field.value)));
+        if (alreadyCovered) {
+            if (trace) {
+                trace.entries.push({
+                    layer: 1, layerName: 'entropy', step: 'dedup',
+                    detail: `[${field.path}] already covered by regex finding — skipped`,
+                });
+            }
+            continue;
+        }
+        if (trace) {
+            trace.entries.push({
+                layer: 1, layerName: 'entropy', step: 'finding',
+                detail: `[${field.path}] ✓ generic-secret detected: sensitive field "${field.key}" + high entropy (${entropy.toFixed(3)})`,
+            });
+        }
+        findings.push({
+            patternName: 'generic-secret',
+            patternCategory: 'entropy',
+            matchCount: 1,
+            matches: [field.value],
+        });
+        if (action === 'redact') {
+            redactedBody = redactedBody.replaceAll(field.value, '[GENERIC-SECRET_REDACTED]');
+            // Also handle JSON-encoded version (escapes like \" or \\n)
+            const encoded = JSON.stringify(field.value).slice(1, -1);
+            if (encoded !== field.value) {
+                redactedBody = redactedBody.replaceAll(encoded, '[GENERIC-SECRET_REDACTED]');
+            }
+        }
+    }
+    if (trace) {
+        trace.totalDurationMs = performance.now() - t0;
+        trace.entries.push({
+            layer: -1, layerName: 'summary', step: 'done',
+            detail: `Scan complete: ${findings.length} total finding(s), action=${findings.length === 0 ? 'pass' : action}, ${trace.totalDurationMs.toFixed(2)}ms`,
+            durationMs: trace.totalDurationMs,
+        });
+    }
+    if (findings.length === 0) {
+        return { action: 'pass', findings: [] };
+    }
+    return {
+        action,
+        findings,
+        redactedBody: action === 'redact' ? redactedBody : undefined,
+    };
+}
+//# sourceMappingURL=engine.js.map

package/dist/dlp/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/dlp/engine.ts"],"names":[],"mappings":";;AAoKA,kCAQC;AAED,4BAmOC;AAjZD,mDAA6C;AAE7C,sEAAuE;AACvE,0DAA4D;AAC5D,kEAAmE;AACnE,wEAAyE;AACzE,iDAAyD;AACzD,6CAA+H;AAC/H,iDAAsD;AAoCtD,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAE9B,SAAS,qBAAqB,CAAC,KAAa,EAAE,IAAY,EAAE,SAAiB;IAC3E,MAAM,OAAO,GAAuC,EAAE,CAAC;IACvD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IACrD,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QACtD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,SAAS;YAAE,MAAM;QAC1C,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,CAAC,SAAS;YAAE,MAAM,CAAC,SAAS,EAAE,CAAC;IAC3D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa,EAAE,IAAY,EAAE,SAAiB;IACzE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,iCAAiC;IACjC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IACrD,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,SAAS;YAAE,MAAM;QAC1C,gDAAgD;QAChD,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,CAAC,SAAS;YAAE,MAAM,CAAC,SAAS,EAAE,CAAC;IAC3D,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,cAAc,GAAG,GAAG,CAAC,CAAC,+CAA+C;AAE3E;gFACgF;AAChF,SAAS,kBAAkB,CAAC,QAAgB,EAAE,IAAY;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,sFAAsF;IACtF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IACD,0CAA0C;IAC1C,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;IACjE,OAAO,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU,CAAC,IAAY,EAAE,YAAsB;IACtD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAkB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,0FAA0F;AAC1F,SAAS,gBAAgB,CAAC,IAAY,EAAE,UAAkB,EAAE,WAAmB,EAAE,YAAsB;IACrG,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,cAAc,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,WAAW,GAAG,cAAc,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtC,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAElC,mFAAmF;AACnF,SAAS,iBAAiB,CAAC,IAAY,EAAE,UAAkB;IACzD,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,UAAU,EAAE,CAAC;QACtB,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACzF,MAAM,GAAG,CAAC,MAAM,CAAC;YACjB,CAAC,IAAI,CAAC,CAAC;YACP,uDAAuD;YACvD,IAAI,MAAM;gBAAE,OAAO,CAAC,GAAG,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI;oBAAE,CAAC,EAAE,CAAC;QAC7D,CAAC;aAAM,CAAC;YACN,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAChE,SAAS,kBAAkB,CACzB,IAAY,EAAE,KAAa,EAAE,UAAkB,EAC/C,MAA2B;IAE3B,uBAAuB;IACvB,IAAI,MAAM,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;QACpE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gBAAgB;IAChB,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,IAAA,2BAAc,EAAC,KAAK,CAAC,CAAC;QACtC,IAAI,OAAO,GAAG,MAAM,CAAC,UAAU;YAAE,OAAO,KAAK,CAAC;IAChD,CAAC;IAED,kEAAkE;IAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,qBAAqB,CAAC,CAAC;IAC9D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,GAAG,qBAAqB,CAAC,CAAC;IACrF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEvC,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACrC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,mCAAmC;YACrD,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;QACrC,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,IAAI,MAAM,CAAC,eAAe,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,MAAM,SAAS,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YACjD,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;YACjB,OAAO,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,WAAW,CAAC,UAAoB;IAC9C,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,IAAI,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC;QAAE,GAAG,CAAC,IAAI,CAAC,GAAG,2CAAsB,CAAC,CAAC;IACvE,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC;QAAE,GAAG,CAAC,IAAI,CAAC,GAAG,gCAAiB,CAAC,CAAC;IAC5D,IAAI,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC;QAAE,GAAG,CAAC,IAAI,CAAC,GAAG,uCAAoB,CAAC,CAAC;IACnE,IAAI,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAAE,GAAG,CAAC,IAAI,CAAC,GAAG,6CAAuB,CAAC,CAAC;IACzE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAgB,QAAQ,CAAC,IAAY,EAAE,QAAsB,EAAE,MAAiB,EAAE,KAAgB;IAChG,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAClC,IAAI,YAAY,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAEzC,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,CAAC,MAAM,WAAW,QAAQ,CAAC,MAAM,qBAAqB,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5J,CAAC;IAED,wCAAwC;IACxC,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAE/C,yEAAyE;QACzE,IAAI,OAAO,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YACxE,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc;oBAClD,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,oBAAoB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,+BAA+B;oBAC5G,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,QAAQ;iBACzC,CAAC,CAAC;YACL,CAAC;YACD,SAAS;QACX,CAAC;QAED,4EAA4E;QAC5E,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;QAC1E,IAAI,OAAiB,CAAC;QACtB,IAAI,UAA0D,CAAC;QAE/D,IAAI,aAAa,EAAE,CAAC;YAClB,UAAU,GAAG,qBAAqB,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;YAE5E,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC3B,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,cAAe,CAAC,CAAC,CAAC;gBACpH,IAAI,KAAK,EAAE,CAAC;oBACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;wBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,eAAe;wBACnD,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,mBAAmB,UAAU,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,yBAAyB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;wBAC7I,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,QAAQ;qBACzC,CAAC,CAAC;gBACL,CAAC;gBACD,UAAU,GAAG,QAAQ,CAAC;YACxB,CAAC;iBAAM,IAAI,KAAK,EAAE,CAAC;gBACjB,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO;oBAC3C,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,MAAM,OAAO,CAAC,QAAQ,YAAY,OAAO,CAAC,KAAK,CAAC,MAAM,OAAO,UAAU,CAAC,MAAM,aAAa,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE;oBACrP,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,QAAQ;iBACzC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;YACvE,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO;oBAC3C,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,MAAM,OAAO,CAAC,QAAQ,YAAY,OAAO,CAAC,KAAK,CAAC,MAAM,OAAO,OAAO,CAAC,MAAM,aAAa,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE;oBAC1N,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,QAAQ;iBACzC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEnC,oCAAoC;QACpC,MAAM,gBAAgB,GAAG,OAAO,CAAC,SAAS;YACxC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,0BAAU,CAAC,OAAO,CAAC,SAAU,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YACpE,CAAC,CAAC,OAAO,CAAC;QAEZ,IAAI,KAAK,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;YAC1D,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU;gBAC9C,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,gBAAgB,OAAO,CAAC,SAAS,MAAM,gBAAgB,CAAC,MAAM,YAAY,QAAQ,WAAW;aACtH,CAAC,CAAC;QACL,CAAC;QAED,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAE5C,+EAA+E;QAC/E,IAAI,eAAe,GAAG,gBAAgB,CAAC;QACvC,IAAI,OAAO,CAAC,aAAa,IAAI,UAAU,EAAE,CAAC;YACxC,+EAA+E;YAC/E,+EAA+E;YAC/E,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC/C,eAAe,GAAG,EAAE,CAAC;YACrB,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC;oBAAE,SAAS,CAAC,wBAAwB;gBACpE,IAAI,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;oBAC1E,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBAClC,CAAC;qBAAM,IAAI,KAAK,EAAE,CAAC;oBACjB,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;wBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,uBAAuB;wBAC3D,MAAM,EAAE,IAAI,OAAO,CAAC,IAAI,YAAY,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,oCAAoC;qBAC3I,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAE3C,QAAQ,CAAC,IAAI,CAAC;YACZ,WAAW,EAAE,OAAO,CAAC,IAAI;YACzB,eAAe,EAAE,OAAO,CAAC,QAAQ;YACjC,UAAU,EAAE,eAAe,CAAC,MAAM;YAClC,OAAO,EAAE,eAAe;SACzB,CAAC,CAAC;QAEH,4BAA4B;QAC5B,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChC,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;YACxF,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;YAC7C,MAAM,EAAE,qBAAqB,QAAQ,CAAC,MAAM,iCAAiC;YAC7E,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,UAAU;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,kEAAkE;IAClE,uEAAuE;IACvE,kEAAkE;IAClE,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,sCAAuB,EAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS;YACjD,MAAM,EAAE,sBAAsB,MAAM,CAAC,MAAM,sBAAsB,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE;YAC3M,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,WAAW;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,+BAAkB,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,8BAAiB,EAAE,CAAC;YACtF,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa;oBACnD,MAAM,EAAE,IAAI,KAAK,CAAC,IAAI,kBAAkB,KAAK,CAAC,KAAK,CAAC,MAAM,mBAAmB,+BAAkB,KAAK,8BAAiB,aAAa;iBACnI,CAAC,CAAC;YACL,CAAC;YACD,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAA,mCAAoB,EAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE,eAAe;oBACvD,MAAM,EAAE,IAAI,KAAK,CAAC,IAAI,iBAAiB,KAAK,CAAC,GAAG,2BAA2B;iBAC5E,CAAC,CAAC;YACL,CAAC;YACD,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,IAAA,2BAAc,EAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,OAAO,IAAI,sCAAyB,CAAC;QACrD,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;gBAC9D,MAAM,EAAE,IAAI,KAAK,CAAC,IAAI,aAAa,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,sCAAyB,IAAI,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,EAAE;aACrJ,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,4DAA4D;QAC5D,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACzC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAC1E,CAAC;QACF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;oBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO;oBAC7C,MAAM,EAAE,IAAI,KAAK,CAAC,IAAI,8CAA8C;iBACrE,CAAC,CAAC;YACL,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS;gBAC/C,MAAM,EAAE,IAAI,KAAK,CAAC,IAAI,iDAAiD,KAAK,CAAC,GAAG,qBAAqB,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG;aAC3H,CAAC,CAAC;QACL,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACZ,WAAW,EAAE,gBAAgB;YAC7B,eAAe,EAAE,SAAS;YAC1B,UAAU,EAAE,CAAC;YACb,OAAO,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;SACvB,CAAC,CAAC;QAEH,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;YACjF,4DAA4D;YAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzD,IAAI,OAAO,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC5B,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,OAAO,EAAE,2BAA2B,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QAC/C,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YACjB,KAAK,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM;YAC7C,MAAM,EAAE,kBAAkB,QAAQ,CAAC,MAAM,6BAA6B,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;YACtJ,UAAU,EAAE,KAAK,CAAC,eAAe;SAClC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC1C,CAAC;IAED,OAAO;QACL,MAAM;QACN,QAAQ;QACR,YAAY,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;KAC7D,CAAC;AACJ,CAAC"}

package/dist/dlp/entropy.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Layer 1: Entropy Pre-filter
+ *
+ * Shannon entropy measures information density (randomness) of a string.
+ * Secrets and API keys typically have high entropy (4.5–6.0 bits/char),
+ * while natural language text averages 3.0–4.0 bits/char.
+ *
+ * Used as a pre-filter: only high-entropy values proceed to deeper analysis.
+ */
+/** Calculate Shannon entropy in bits per character */
+export declare function shannonEntropy(s: string): number;
+/** Default threshold: values at or above this are likely secrets.
+ * Real API keys / secrets: 4.5–6.0 bits/char. Natural language: 3.0–4.0.
+ * 4.0 avoids overlap zone and reduces false positives on URLs, paths, code. */
+export declare const DEFAULT_ENTROPY_THRESHOLD = 4;
+/** Minimum length for entropy analysis to be meaningful */
+export declare const MIN_ENTROPY_LENGTH = 8;
+/** Maximum length for a single secret value (longer strings are content, not secrets) */
+export declare const MAX_SECRET_LENGTH = 200;
+/** Check if a string likely contains a secret based on entropy */
+export declare function isHighEntropy(s: string, threshold?: number): boolean;
+//# sourceMappingURL=entropy.d.ts.map

package/dist/dlp/entropy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../src/dlp/entropy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,sDAAsD;AACtD,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAgBhD;AAED;;+EAE+E;AAC/E,eAAO,MAAM,yBAAyB,IAAM,CAAC;AAE7C,2DAA2D;AAC3D,eAAO,MAAM,kBAAkB,IAAI,CAAC;AAEpC,yFAAyF;AACzF,eAAO,MAAM,iBAAiB,MAAM,CAAC;AAErC,kEAAkE;AAClE,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,SAAS,SAA4B,GAAG,OAAO,CAEvF"}

package/dist/dlp/entropy.js

@@ -0,0 +1,43 @@
+"use strict";
+/**
+ * Layer 1: Entropy Pre-filter
+ *
+ * Shannon entropy measures information density (randomness) of a string.
+ * Secrets and API keys typically have high entropy (4.5–6.0 bits/char),
+ * while natural language text averages 3.0–4.0 bits/char.
+ *
+ * Used as a pre-filter: only high-entropy values proceed to deeper analysis.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_SECRET_LENGTH = exports.MIN_ENTROPY_LENGTH = exports.DEFAULT_ENTROPY_THRESHOLD = void 0;
+exports.shannonEntropy = shannonEntropy;
+exports.isHighEntropy = isHighEntropy;
+/** Calculate Shannon entropy in bits per character */
+function shannonEntropy(s) {
+    if (s.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const ch of s) {
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    }
+    let h = 0;
+    const len = s.length;
+    for (const count of freq.values()) {
+        const p = count / len;
+        h -= p * Math.log2(p);
+    }
+    return h;
+}
+/** Default threshold: values at or above this are likely secrets.
+ * Real API keys / secrets: 4.5–6.0 bits/char. Natural language: 3.0–4.0.
+ * 4.0 avoids overlap zone and reduces false positives on URLs, paths, code. */
+exports.DEFAULT_ENTROPY_THRESHOLD = 4.0;
+/** Minimum length for entropy analysis to be meaningful */
+exports.MIN_ENTROPY_LENGTH = 8;
+/** Maximum length for a single secret value (longer strings are content, not secrets) */
+exports.MAX_SECRET_LENGTH = 200;
+/** Check if a string likely contains a secret based on entropy */
+function isHighEntropy(s, threshold = exports.DEFAULT_ENTROPY_THRESHOLD) {
+    return s.length >= exports.MIN_ENTROPY_LENGTH && shannonEntropy(s) >= threshold;
+}
+//# sourceMappingURL=entropy.js.map

package/dist/dlp/entropy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.js","sourceRoot":"","sources":["../../src/dlp/entropy.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAGH,wCAgBC;AAcD,sCAEC;AAjCD,sDAAsD;AACtD,SAAgB,cAAc,CAAC,CAAS;IACtC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE7B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;QACnB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;+EAE+E;AAClE,QAAA,yBAAyB,GAAG,GAAG,CAAC;AAE7C,2DAA2D;AAC9C,QAAA,kBAAkB,GAAG,CAAC,CAAC;AAEpC,yFAAyF;AAC5E,QAAA,iBAAiB,GAAG,GAAG,CAAC;AAErC,kEAAkE;AAClE,SAAgB,aAAa,CAAC,CAAS,EAAE,SAAS,GAAG,iCAAyB;IAC5E,OAAO,CAAC,CAAC,MAAM,IAAI,0BAAkB,IAAI,cAAc,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;AAC1E,CAAC"}

package/dist/dlp/message-cache.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Message-level DLP cache.
+ *
+ * LLM API requests carry the full conversation history in a `messages[]` array.
+ * Without caching, every turn re-scans ALL previous messages — O(N²) cumulative.
+ *
+ * This module hashes individual messages and caches their DLP findings so that
+ * only new/unseen messages are scanned. Complexity drops to O(N).
+ *
+ * Cache also distinguishes between "new findings" (first detection) and
+ * "cached findings" (repeated from history) so the caller can decide
+ * whether to record duplicate DLP events.
+ */
+import { type DlpPattern } from './engine.js';
+import type { DlpFinding, DlpResult, DlpAction } from './actions.js';
+export interface MessageCacheStats {
+    hits: number;
+    misses: number;
+    size: number;
+}
+export interface CachedDlpResult extends DlpResult {
+    /** Findings from newly scanned messages (first-time detection) */
+    newFindings: DlpFinding[];
+    /** Findings from cache (already detected in a previous request) */
+    cachedFindings: DlpFinding[];
+}
+export declare class DlpMessageCache {
+    private cache;
+    private hits;
+    private misses;
+    constructor(maxSize?: number);
+    get stats(): MessageCacheStats;
+    /**
+     * Scan a request body with message-level caching.
+     *
+     * If parsedBody has a `messages[]` array, each message is individually
+     * hashed and checked against the cache. Only new messages are scanned.
+     *
+     * Falls back to full-body scan for non-messages payloads.
+     */
+    scanWithCache(body: string, parsedBody: Record<string, unknown>, patterns: DlpPattern[], action: DlpAction): CachedDlpResult;
+    /** Clear the cache (for testing or config changes) */
+    clear(): void;
+}
+//# sourceMappingURL=message-cache.d.ts.map

package/dist/dlp/message-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"message-cache.d.ts","sourceRoot":"","sources":["../../src/dlp/message-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAY,KAAK,UAAU,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAqErE,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAaD,MAAM,WAAW,eAAgB,SAAQ,SAAS;IAChD,kEAAkE;IAClE,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,mEAAmE;IACnE,cAAc,EAAE,UAAU,EAAE,CAAC;CAC9B;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,KAAK,CAAyB;IACtC,OAAO,CAAC,IAAI,CAAK;IACjB,OAAO,CAAC,MAAM,CAAK;gBAEP,OAAO,SAAO;IAI1B,IAAI,KAAK,IAAI,iBAAiB,CAE7B;IAED;;;;;;;OAOG;IACH,aAAa,CACX,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnC,QAAQ,EAAE,UAAU,EAAE,EACtB,MAAM,EAAE,SAAS,GAChB,eAAe;IAoKlB,sDAAsD;IACtD,KAAK,IAAI,IAAI;CAKd"}