@aion0/bastion 0.1.7

package/dist/dlp/patterns/prompt-injection.js

@@ -0,0 +1,244 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.promptInjectionPatterns = void 0;
+/** Prompt injection detection patterns (OWASP LLM01) */
+exports.promptInjectionPatterns = [
+    // ── instruction-override (6) ──
+    {
+        name: 'pi-ignore-prev',
+        category: 'prompt-injection',
+        regex: /ignore\s+(all\s+)?(previous|above|prior|earlier)\s+(instructions?|prompts?|rules?|context)/gi,
+        description: 'Instruction override: ignore previous instructions',
+    },
+    {
+        name: 'pi-disregard',
+        category: 'prompt-injection',
+        regex: /disregard\s+(all|any|your|the)\s+(previous|prior|system|above)/gi,
+        description: 'Instruction override: disregard previous',
+    },
+    {
+        name: 'pi-forget',
+        category: 'prompt-injection',
+        regex: /forget\s+(everything|all|your)\s+(previous\s+)?(instructions?|rules?|training|guidelines)/gi,
+        description: 'Instruction override: forget instructions',
+    },
+    {
+        name: 'pi-new-instructions',
+        category: 'prompt-injection',
+        regex: /new\s+instructions?\s*:/gi,
+        description: 'Instruction override: new instructions directive',
+        requireContext: ['ignore', 'system', 'override', 'jailbreak', 'pretend', 'forget', 'disregard', 'you are'],
+    },
+    {
+        name: 'pi-do-not-follow',
+        category: 'prompt-injection',
+        regex: /do\s+not\s+follow\s+(your|the|any)\s+(rules|guidelines|instructions|safety)/gi,
+        description: 'Instruction override: do not follow rules',
+    },
+    {
+        name: 'pi-stop-being',
+        category: 'prompt-injection',
+        regex: /stop\s+being\s+(a|an)?\s*(helpful|safe|responsible|ethical)\s*(assistant|AI)?/gi,
+        description: 'Instruction override: stop being safe/helpful',
+    },
+    // ── role-injection (5) ──
+    {
+        name: 'pi-you-are-now',
+        category: 'prompt-injection',
+        regex: /you\s+are\s+now\s+(a|an|the|in)\s+/gi,
+        description: 'Role injection: you are now...',
+        requireContext: ['ignore', 'instruction', 'system', 'pretend', 'override', 'jailbreak'],
+    },
+    {
+        name: 'pi-pretend',
+        category: 'prompt-injection',
+        regex: /pretend\s+(you\s+are|to\s+be|you're|that\s+you)\s+/gi,
+        description: 'Role injection: pretend to be...',
+        requireContext: ['ignore', 'instruction', 'system', 'override', 'jailbreak', 'bypass', 'disregard', 'forget'],
+    },
+    {
+        name: 'pi-no-restrictions',
+        category: 'prompt-injection',
+        regex: /act\s+as\s+if\s+(you\s+have\s+)?no\s+(restrictions|rules|limits|boundaries)/gi,
+        description: 'Role injection: act without restrictions',
+    },
+    {
+        name: 'pi-from-now-on',
+        category: 'prompt-injection',
+        regex: /from\s+now\s+on\s+you\s+(are|will|must|should)\s+/gi,
+        description: 'Role injection: from now on you will...',
+        requireContext: ['ignore', 'instruction', 'system', 'pretend', 'override', 'jailbreak'],
+    },
+    {
+        name: 'pi-entering-mode',
+        category: 'prompt-injection',
+        regex: /entering\s+(?:unrestricted|god|admin|root|sudo)\s+mode/gi,
+        description: 'Role injection: entering unrestricted/god/admin mode',
+    },
+    // ── system-manipulation (6) ──
+    {
+        name: 'pi-system-bracket',
+        category: 'prompt-injection',
+        regex: /\[SYSTEM\s*(?:UPDATE|NOTE|OVERRIDE|PROMPT)\s*\]/gi,
+        description: 'System manipulation: fake [SYSTEM] bracket tag',
+    },
+    {
+        name: 'pi-system-xml',
+        category: 'prompt-injection',
+        regex: /<\s*\/?(?:system|SYSTEM|instruction|INSTRUCTION)\s*>/gi,
+        description: 'System manipulation: fake <system>/<instruction> XML tag',
+        contextVerify: { rejectInCodeBlock: true },
+    },
+    {
+        name: 'pi-inst-token',
+        category: 'prompt-injection',
+        regex: /\[INST\]|\[\/INST\]|<<SYS>>|<\|(?:im_start|im_end|system|user|assistant)\|>/gi,
+        description: 'System manipulation: model-specific instruction tokens',
+        contextVerify: { rejectInCodeBlock: true },
+    },
+    {
+        name: 'pi-markdown-system',
+        category: 'prompt-injection',
+        regex: /^#{1,3}\s*(?:system|instruction|directive)\s*(?:prompt|override)?/gim,
+        description: 'System manipulation: markdown heading system/instruction',
+        requireContext: ['ignore', 'override', 'jailbreak', 'bypass', 'pretend', 'forget', 'disregard'],
+        contextVerify: { rejectInCodeBlock: true },
+    },
+    {
+        name: 'pi-codeblock-system',
+        category: 'prompt-injection',
+        regex: /```\s*(?:system|instruction)/gi,
+        description: 'System manipulation: code block with system/instruction label',
+        requireContext: ['ignore', 'override', 'jailbreak', 'bypass', 'pretend', 'forget', 'disregard'],
+    },
+    {
+        name: 'pi-assistant-prefix',
+        category: 'prompt-injection',
+        regex: /^assistant\s*:/gim,
+        description: 'System manipulation: fake assistant: prefix',
+        requireContext: ['ignore', 'instruction', 'system', 'pretend', 'override', 'jailbreak'],
+    },
+    // ── prompt-leaking (5) ──
+    {
+        name: 'pi-reveal-prompt',
+        category: 'prompt-injection',
+        regex: /reveal\s+(your|the)\s+(system\s+)?(prompt|instructions?|rules|configuration)/gi,
+        description: 'Prompt leaking: reveal your prompt/instructions',
+    },
+    {
+        name: 'pi-show-prompt',
+        category: 'prompt-injection',
+        regex: /show\s+(?:me\s+)?(?:your|the)\s+(?:system\s+)?(?:prompt|instructions?|rules)/gi,
+        description: 'Prompt leaking: show me your prompt',
+    },
+    {
+        name: 'pi-repeat-above',
+        category: 'prompt-injection',
+        regex: /repeat\s+(?:everything|all|the\s+text)\s+(?:above|before|prior)/gi,
+        description: 'Prompt leaking: repeat everything above',
+    },
+    {
+        name: 'pi-output-prompt',
+        category: 'prompt-injection',
+        regex: /output\s+(?:the\s+)?(?:full|complete|entire)\s+(?:prompt|instructions?)/gi,
+        description: 'Prompt leaking: output full prompt/instructions',
+    },
+    {
+        name: 'pi-print-above',
+        category: 'prompt-injection',
+        regex: /(?:print|type|write|display)\s+(?:everything|all|the\s+text)\s+(?:above|before)/gi,
+        description: 'Prompt leaking: print/display everything above',
+    },
+    // ── jailbreak (7) ──
+    {
+        name: 'pi-jailbreak-keyword',
+        category: 'prompt-injection',
+        regex: /\bjailbreak\b/gi,
+        description: 'Jailbreak: keyword "jailbreak"',
+        requireContext: ['ignore', 'instruction', 'system', 'override', 'bypass', 'AI', 'LLM', 'chatbot', 'GPT', 'prompt'],
+    },
+    {
+        name: 'pi-dan-mode',
+        category: 'prompt-injection',
+        regex: /\bDAN\s+(?:mode|prompt)\b/g,
+        description: 'Jailbreak: DAN mode (Do Anything Now)',
+    },
+    {
+        name: 'pi-dan-phrase',
+        category: 'prompt-injection',
+        regex: /do\s+anything\s+now/gi,
+        description: 'Jailbreak: "do anything now" phrase',
+    },
+    {
+        name: 'pi-developer-mode',
+        category: 'prompt-injection',
+        regex: /(?:you\s+are\s+now\s+in\s+)?developer\s+mode/gi,
+        description: 'Jailbreak: developer mode activation',
+        requireContext: ['ignore', 'instruction', 'system', 'override', 'jailbreak', 'bypass', 'pretend', 'disregard'],
+    },
+    {
+        name: 'pi-override-safety',
+        category: 'prompt-injection',
+        regex: /override\s+(?:safety|content|security)\s+(?:filter|policy|rules|checks)/gi,
+        description: 'Jailbreak: override safety filters/policy',
+    },
+    {
+        name: 'pi-bypass-filter',
+        category: 'prompt-injection',
+        regex: /bypass\s+(?:the\s+)?(?:safety|content|security|ethical)\s+(?:filter|check|guard)/gi,
+        description: 'Jailbreak: bypass safety/content filter',
+    },
+    {
+        name: 'pi-no-rules',
+        category: 'prompt-injection',
+        regex: /(?:without|remove)\s+(?:any\s+)?(?:restrictions|rules|limits|safety|filters|censorship)/gi,
+        description: 'Jailbreak: remove restrictions/rules/safety',
+        requireContext: ['ignore', 'instruction', 'system', 'override', 'jailbreak', 'bypass', 'pretend', 'respond'],
+    },
+    // ── encoding-obfuscation (3) ──
+    {
+        name: 'pi-zero-width',
+        category: 'prompt-injection',
+        regex: /[\u200B\u200C\uFEFF\u2060-\u2064]/g,
+        description: 'Encoding obfuscation: zero-width characters (excludes ZWJ used in emoji)',
+    },
+    {
+        name: 'pi-bidi-override',
+        category: 'prompt-injection',
+        regex: /[\u202A-\u202E\u2066-\u2069]/g,
+        description: 'Encoding obfuscation: bidirectional text override characters',
+    },
+    {
+        name: 'pi-control-chars',
+        category: 'prompt-injection',
+        regex: /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g,
+        description: 'Encoding obfuscation: unexpected control characters',
+    },
+    // ── delimiter-injection (2) ──
+    {
+        name: 'pi-newline-injection',
+        category: 'prompt-injection',
+        regex: /\n{3,}\s*(?:ignore|forget|disregard|system|instruction|override)/gi,
+        description: 'Delimiter injection: multiple newlines followed by instruction override',
+    },
+    {
+        name: 'pi-separator-injection',
+        category: 'prompt-injection',
+        regex: /(?:---{3,}|==={3,})\s*\n\s*(?:system|instruction|ignore|forget)/gi,
+        description: 'Delimiter injection: separator line followed by system/instruction keyword',
+    },
+    // ── indirect-injection (2) ──
+    {
+        name: 'pi-html-comment',
+        category: 'prompt-injection',
+        regex: /<!--\s*(?:ignore|disregard|forget|override|system|instruction|you\s+are)/gi,
+        description: 'Indirect injection: HTML comment with injection payload',
+    },
+    {
+        name: 'pi-hidden-tag',
+        category: 'prompt-injection',
+        regex: /\[(?:hidden|secret|system)\s*(?:instruction|prompt|directive)\]/gi,
+        description: 'Indirect injection: [hidden instruction] / [system prompt] tag',
+    },
+];
+//# sourceMappingURL=prompt-injection.js.map

package/dist/dlp/patterns/prompt-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-injection.js","sourceRoot":"","sources":["../../../src/dlp/patterns/prompt-injection.ts"],"names":[],"mappings":";;;AAEA,wDAAwD;AAC3C,QAAA,uBAAuB,GAAiB;IACnD,iCAAiC;IACjC;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,8FAA8F;QACrG,WAAW,EAAE,oDAAoD;KAClE;IACD;QACE,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,kEAAkE;QACzE,WAAW,EAAE,0CAA0C;KACxD;IACD;QACE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,6FAA6F;QACpG,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,kDAAkD;QAC/D,cAAc,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,CAAC;KAC3G;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,+EAA+E;QACtF,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,iFAAiF;QACxF,WAAW,EAAE,+CAA+C;KAC7D;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EAAE,gCAAgC;QAC7C,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC;KACxF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EAAE,kCAAkC;QAC/C,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC;KAC9G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,+EAA+E;QACtF,WAAW,EAAE,0CAA0C;KACxD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,yCAAyC;QACtD,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC;KACxF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,0DAA0D;QACjE,WAAW,EAAE,sDAAsD;KACpE;IAED,gCAAgC;IAChC;QACE,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mDAAmD;QAC1D,WAAW,EAAE,gDAAgD;KAC9D;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,wDAAwD;QAC/D,WAAW,EAAE,0DAA0D;QACvE,aAAa,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE;KAC3C;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,+EAA+E;QACtF,WAAW,EAAE,wDAAwD;QACrE,aAAa,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE;KAC3C;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,sEAAsE;QAC7E,WAAW,EAAE,0DAA0D;QACvE,cAAc,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,CAAC;QAC/F,aAAa,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE;KAC3C;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,+DAA+D;QAC5E,cAAc,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,CAAC;KAChG;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE,6CAA6C;QAC1D,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC;KACxF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,gFAAgF;QACvF,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,gFAAgF;QACvF,WAAW,EAAE,qCAAqC;KACnD;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mEAAmE;QAC1E,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,2EAA2E;QAClF,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mFAAmF;QAC1F,WAAW,EAAE,gDAAgD;KAC9D;IAED,sBAAsB;IACtB;QACE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,iBAAiB;QACxB,WAAW,EAAE,gCAAgC;QAC7C,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC;KACnH;IACD;QACE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,uCAAuC;KACrD;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,qCAAqC;KACnD;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,gDAAgD;QACvD,WAAW,EAAE,sCAAsC;QACnD,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC;KAC/G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,2EAA2E;QAClF,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,oFAAoF;QAC3F,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,2FAA2F;QAClG,WAAW,EAAE,6CAA6C;QAC1D,cAAc,EAAE,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;KAC7G;IAED,iCAAiC;IACjC;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0EAA0E;KACxF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,+BAA+B;QACtC,WAAW,EAAE,8DAA8D;KAC5E;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,qDAAqD;KACnE;IAED,gCAAgC;IAChC;QACE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,oEAAoE;QAC3E,WAAW,EAAE,yEAAyE;KACvF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mEAAmE;QAC1E,WAAW,EAAE,4EAA4E;KAC1F;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,4EAA4E;QACnF,WAAW,EAAE,yDAAyD;KACvE;IACD;QACE,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,kBAAkB;QAC5B,KAAK,EAAE,mEAAmE;QAC1E,WAAW,EAAE,gEAAgE;KAC9E;CACF,CAAC"}

package/dist/dlp/patterns/validated.d.ts

@@ -0,0 +1,4 @@
+import type { DlpPattern } from '../engine.js';
+/** Validated patterns: regex match + structural validation (Luhn, etc.) */
+export declare const validatedPatterns: DlpPattern[];
+//# sourceMappingURL=validated.d.ts.map

package/dist/dlp/patterns/validated.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validated.d.ts","sourceRoot":"","sources":["../../../src/dlp/patterns/validated.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE/C,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB,EAAE,UAAU,EAezC,CAAC"}

package/dist/dlp/patterns/validated.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validatedPatterns = void 0;
+/** Validated patterns: regex match + structural validation (Luhn, etc.) */
+exports.validatedPatterns = [
+    {
+        name: 'credit-card',
+        category: 'validated',
+        regex: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/g,
+        description: 'Credit Card Number (Visa, MC, Amex, Discover)',
+        validator: 'luhn',
+    },
+    {
+        name: 'ssn',
+        category: 'validated',
+        regex: /\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g,
+        description: 'US Social Security Number',
+        validator: 'ssn',
+    },
+];
+//# sourceMappingURL=validated.js.map

package/dist/dlp/patterns/validated.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validated.js","sourceRoot":"","sources":["../../../src/dlp/patterns/validated.ts"],"names":[],"mappings":";;;AAEA,2EAA2E;AAC9D,QAAA,iBAAiB,GAAiB;IAC7C;QACE,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,WAAW;QACrB,KAAK,EAAE,6FAA6F;QACpG,WAAW,EAAE,+CAA+C;QAC5D,SAAS,EAAE,MAAM;KAClB;IACD;QACE,IAAI,EAAE,KAAK;QACX,QAAQ,EAAE,WAAW;QACrB,KAAK,EAAE,wDAAwD;QAC/D,WAAW,EAAE,2BAA2B;QACxC,SAAS,EAAE,KAAK;KACjB;CACF,CAAC"}

package/dist/dlp/remote-sync.d.ts

@@ -0,0 +1,47 @@
+import { DlpPatternsRepository } from '../storage/repositories/dlp-patterns.js';
+export interface RemotePatternsConfig {
+    url: string;
+    branch: string;
+    syncOnStart: boolean;
+    syncIntervalMinutes: number;
+}
+export interface SignatureMeta {
+    version: string;
+    updatedAt: string;
+    patternCount: number;
+    syncedAt: string;
+    repoUrl: string;
+    branch: string;
+    changelog?: SignatureChangelog[];
+}
+export interface SignatureChangelog {
+    version: string;
+    date: string;
+    changes: string[];
+}
+export interface SignatureStatus {
+    local: SignatureMeta | null;
+    remote: {
+        version: string;
+        updatedAt: string;
+        patternCount: number;
+    } | null;
+    updateAvailable: boolean;
+}
+/** Read locally stored signature metadata (from last sync) */
+export declare function getLocalSignatureMeta(): SignatureMeta | null;
+/**
+ * Check if a newer signature version is available on remote.
+ * Does git fetch + reads remote signature.yaml without pulling (non-destructive).
+ */
+export declare function checkForUpdates(config: RemotePatternsConfig): SignatureStatus;
+/**
+ * Full sync: clone/pull repo → parse YAML → upsert into DB → save meta.
+ * Returns the number of patterns synced, or -1 on failure.
+ */
+export declare function syncRemotePatterns(config: RemotePatternsConfig, patternsRepo: DlpPatternsRepository, enabledCategories: string[]): number;
+/**
+ * Start periodic sync timer. Returns a cleanup function to stop it.
+ */
+export declare function startPeriodicSync(config: RemotePatternsConfig, patternsRepo: DlpPatternsRepository, enabledCategories: string[]): () => void;
+//# sourceMappingURL=remote-sync.d.ts.map

package/dist/dlp/remote-sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-sync.d.ts","sourceRoot":"","sources":["../../src/dlp/remote-sync.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAC;AAQhF,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,OAAO,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,kBAAkB,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,aAAa,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC5E,eAAe,EAAE,OAAO,CAAC;CAC1B;AA6KD,8DAA8D;AAC9D,wBAAgB,qBAAqB,IAAI,aAAa,GAAG,IAAI,CAS5D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,oBAAoB,GAAG,eAAe,CA4C7E;AAID;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,oBAAoB,EAC5B,YAAY,EAAE,qBAAqB,EACnC,iBAAiB,EAAE,MAAM,EAAE,GAC1B,MAAM,CAoCR;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,oBAAoB,EAC5B,YAAY,EAAE,qBAAqB,EACnC,iBAAiB,EAAE,MAAM,EAAE,GAC1B,MAAM,IAAI,CAiBZ"}

package/dist/dlp/remote-sync.js

@@ -0,0 +1,252 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getLocalSignatureMeta = getLocalSignatureMeta;
+exports.checkForUpdates = checkForUpdates;
+exports.syncRemotePatterns = syncRemotePatterns;
+exports.startPeriodicSync = startPeriodicSync;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const js_yaml_1 = __importDefault(require("js-yaml"));
+const paths_js_1 = require("../config/paths.js");
+const version_js_1 = require("../version.js");
+const logger_js_1 = require("../utils/logger.js");
+const log = (0, logger_js_1.createLogger)('dlp-remote-sync');
+const META_FILE = '.meta.json';
+// ── Helpers ──
+function resolveBranch(branch) {
+    if (branch !== 'auto')
+        return branch;
+    const major = (0, version_js_1.getMajorVersion)();
+    if (major && major !== '0.0') {
+        return `v${major}`;
+    }
+    log.warn('Could not resolve VERSION for auto branch, falling back to "main"');
+    return 'main';
+}
+function syncRepo(url, branch) {
+    const repoDir = paths_js_1.paths.signaturesDir;
+    try {
+        if ((0, node_fs_1.existsSync)((0, node_path_1.join)(repoDir, '.git'))) {
+            log.info('Updating signature repo', { branch });
+            (0, node_child_process_1.execSync)(`git -C "${repoDir}" fetch origin`, { stdio: 'pipe', timeout: 30000 });
+            (0, node_child_process_1.execSync)(`git -C "${repoDir}" checkout ${branch}`, { stdio: 'pipe', timeout: 10000 });
+            (0, node_child_process_1.execSync)(`git -C "${repoDir}" pull origin ${branch}`, { stdio: 'pipe', timeout: 30000 });
+        }
+        else {
+            log.info('Cloning signature repo', { url, branch });
+            (0, node_fs_1.mkdirSync)(repoDir, { recursive: true });
+            (0, node_child_process_1.execSync)(`git clone --branch ${branch} --depth 1 "${url}" "${repoDir}"`, {
+                stdio: 'pipe',
+                timeout: 60000,
+            });
+        }
+        return repoDir;
+    }
+    catch (err) {
+        log.error('Failed to sync signature repo', { url, branch, error: err.message });
+        return null;
+    }
+}
+function loadPatternFiles(repoDir) {
+    const patternsDir = (0, node_path_1.join)(repoDir, 'patterns');
+    if (!(0, node_fs_1.existsSync)(patternsDir)) {
+        log.warn('No patterns/ directory in signature repo');
+        return [];
+    }
+    const files = (0, node_fs_1.readdirSync)(patternsDir)
+        .filter((f) => f.endsWith('.yaml') || f.endsWith('.yml'))
+        .filter((f) => f !== 'schema.yaml')
+        .sort();
+    const allPatterns = [];
+    for (const file of files) {
+        try {
+            const content = (0, node_fs_1.readFileSync)((0, node_path_1.join)(patternsDir, file), 'utf-8');
+            const parsed = js_yaml_1.default.load(content);
+            if (parsed?.patterns && Array.isArray(parsed.patterns)) {
+                allPatterns.push(...parsed.patterns);
+                log.debug('Loaded patterns from file', { file, count: parsed.patterns.length });
+            }
+        }
+        catch (err) {
+            log.warn('Failed to parse pattern file', { file, error: err.message });
+        }
+    }
+    return allPatterns;
+}
+function serializeYamlContextVerify(cv) {
+    // Validate all regex strings before serializing
+    for (const s of cv.antiPatterns ?? []) {
+        new RegExp(s, 'i'); // throws on invalid regex
+    }
+    for (const s of cv.confirmPatterns ?? []) {
+        new RegExp(s, 'i'); // throws on invalid regex
+    }
+    return JSON.stringify(cv);
+}
+function upsertPatterns(repo, patterns, enabledCategories) {
+    const enabledSet = new Set(enabledCategories);
+    let count = 0;
+    for (const p of patterns) {
+        try {
+            new RegExp(p.regex, p.flags ?? 'g');
+            let contextVerify = null;
+            if (p.contextVerify) {
+                contextVerify = serializeYamlContextVerify(p.contextVerify);
+            }
+            repo.upsertRemote({
+                id: `remote-${p.name}`,
+                name: p.name,
+                category: p.category,
+                regex_source: p.regex,
+                regex_flags: p.flags ?? 'g',
+                description: p.description ?? null,
+                validator: p.validator ?? null,
+                require_context: p.requireContext ? JSON.stringify(p.requireContext) : null,
+                context_verify: contextVerify,
+                enabled: enabledSet.has(p.category),
+                source: 'remote',
+            });
+            count++;
+        }
+        catch (err) {
+            log.warn('Invalid pattern skipped', { name: p.name, error: err.message });
+        }
+    }
+    return count;
+}
+// ── Signature version ──
+function readSignatureYaml(repoDir) {
+    const sigPath = (0, node_path_1.join)(repoDir, 'signature.yaml');
+    if (!(0, node_fs_1.existsSync)(sigPath))
+        return null;
+    try {
+        return js_yaml_1.default.load((0, node_fs_1.readFileSync)(sigPath, 'utf-8'));
+    }
+    catch (err) {
+        log.warn('Failed to parse signature.yaml', { error: err.message });
+        return null;
+    }
+}
+function writeMetaFile(meta) {
+    const metaPath = (0, node_path_1.join)(paths_js_1.paths.signaturesDir, META_FILE);
+    try {
+        (0, node_fs_1.mkdirSync)(paths_js_1.paths.signaturesDir, { recursive: true });
+        (0, node_fs_1.writeFileSync)(metaPath, JSON.stringify(meta, null, 2));
+    }
+    catch (err) {
+        log.warn('Failed to write signature meta', { error: err.message });
+    }
+}
+/** Read locally stored signature metadata (from last sync) */
+function getLocalSignatureMeta() {
+    const metaPath = (0, node_path_1.join)(paths_js_1.paths.signaturesDir, META_FILE);
+    if (!(0, node_fs_1.existsSync)(metaPath))
+        return null;
+    try {
+        return JSON.parse((0, node_fs_1.readFileSync)(metaPath, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Check if a newer signature version is available on remote.
+ * Does git fetch + reads remote signature.yaml without pulling (non-destructive).
+ */
+function checkForUpdates(config) {
+    const local = getLocalSignatureMeta();
+    if (!config.url) {
+        return { local, remote: null, updateAvailable: false };
+    }
+    const repoDir = paths_js_1.paths.signaturesDir;
+    const branch = resolveBranch(config.branch);
+    // If repo not cloned yet, we can't check
+    if (!(0, node_fs_1.existsSync)((0, node_path_1.join)(repoDir, '.git'))) {
+        return { local, remote: null, updateAvailable: false };
+    }
+    try {
+        (0, node_child_process_1.execSync)(`git -C "${repoDir}" fetch origin`, { stdio: 'pipe', timeout: 15000 });
+        // Read remote signature.yaml via git show (doesn't modify working tree)
+        const remoteContent = (0, node_child_process_1.execSync)(`git -C "${repoDir}" show origin/${branch}:signature.yaml`, { encoding: 'utf-8', timeout: 5000 });
+        const remoteSig = js_yaml_1.default.load(remoteContent);
+        if (!remoteSig?.version) {
+            return { local, remote: null, updateAvailable: false };
+        }
+        const remote = {
+            version: String(remoteSig.version),
+            updatedAt: String(remoteSig.updatedAt ?? ''),
+            patternCount: remoteSig.patternCount ?? 0,
+        };
+        const localVer = local ? Number(local.version) || 0 : 0;
+        const remoteVer = Number(remote.version) || 0;
+        const updateAvailable = remoteVer > localVer;
+        return { local, remote, updateAvailable };
+    }
+    catch (err) {
+        log.debug('Check for updates failed', { error: err.message });
+        return { local, remote: null, updateAvailable: false };
+    }
+}
+// ── Main sync ──
+/**
+ * Full sync: clone/pull repo → parse YAML → upsert into DB → save meta.
+ * Returns the number of patterns synced, or -1 on failure.
+ */
+function syncRemotePatterns(config, patternsRepo, enabledCategories) {
+    if (!config.url)
+        return 0;
+    const branch = resolveBranch(config.branch);
+    log.info('Starting remote pattern sync', { url: config.url, branch });
+    const repoDir = syncRepo(config.url, branch);
+    if (!repoDir)
+        return -1;
+    const patterns = loadPatternFiles(repoDir);
+    if (patterns.length === 0) {
+        log.info('No remote patterns found');
+        return 0;
+    }
+    const count = upsertPatterns(patternsRepo, patterns, enabledCategories);
+    // Read signature.yaml and save meta
+    const sig = readSignatureYaml(repoDir);
+    if (sig) {
+        const meta = {
+            version: String(sig.version),
+            updatedAt: String(sig.updatedAt ?? ''),
+            patternCount: sig.patternCount ?? count,
+            syncedAt: new Date().toISOString(),
+            repoUrl: config.url,
+            branch,
+            changelog: sig.changelog,
+        };
+        writeMetaFile(meta);
+        log.info('Remote pattern sync complete', { version: meta.version, count, total: patterns.length });
+    }
+    else {
+        log.info('Remote pattern sync complete (no signature.yaml)', { count, total: patterns.length });
+    }
+    return count;
+}
+/**
+ * Start periodic sync timer. Returns a cleanup function to stop it.
+ */
+function startPeriodicSync(config, patternsRepo, enabledCategories) {
+    if (!config.url || config.syncIntervalMinutes <= 0) {
+        return () => { };
+    }
+    const intervalMs = config.syncIntervalMinutes * 60 * 1000;
+    log.info('Starting periodic pattern sync', { intervalMinutes: config.syncIntervalMinutes });
+    const timer = setInterval(() => {
+        try {
+            syncRemotePatterns(config, patternsRepo, enabledCategories);
+        }
+        catch (err) {
+            log.error('Periodic sync failed', { error: err.message });
+        }
+    }, intervalMs);
+    return () => clearInterval(timer);
+}
+//# sourceMappingURL=remote-sync.js.map

package/dist/dlp/remote-sync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remote-sync.js","sourceRoot":"","sources":["../../src/dlp/remote-sync.ts"],"names":[],"mappings":";;;;;AAsNA,sDASC;AAMD,0CA4CC;AAQD,gDAwCC;AAKD,8CAqBC;AA3VD,2DAA8C;AAC9C,qCAA0F;AAC1F,yCAAiC;AACjC,sDAA2B;AAC3B,iDAA2C;AAE3C,8CAAgD;AAChD,kDAAkD;AAElD,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,iBAAiB,CAAC,CAAC;AAgE5C,MAAM,SAAS,GAAG,YAAY,CAAC;AAE/B,gBAAgB;AAEhB,SAAS,aAAa,CAAC,MAAc;IACnC,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IAErC,MAAM,KAAK,GAAG,IAAA,4BAAe,GAAE,CAAC;IAChC,IAAI,KAAK,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QAC7B,OAAO,IAAI,KAAK,EAAE,CAAC;IACrB,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IAC9E,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW,EAAE,MAAc;IAC3C,MAAM,OAAO,GAAG,gBAAK,CAAC,aAAa,CAAC;IAEpC,IAAI,CAAC;QACH,IAAI,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;YACtC,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YAChD,IAAA,6BAAQ,EAAC,WAAW,OAAO,gBAAgB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAChF,IAAA,6BAAQ,EAAC,WAAW,OAAO,cAAc,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACtF,IAAA,6BAAQ,EAAC,WAAW,OAAO,iBAAiB,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3F,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;YACpD,IAAA,mBAAS,EAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxC,IAAA,6BAAQ,EAAC,sBAAsB,MAAM,eAAe,GAAG,MAAM,OAAO,GAAG,EAAE;gBACvE,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,+BAA+B,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,WAAW,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAC9C,IAAI,CAAC,IAAA,oBAAU,EAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,GAAG,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;QACrD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,IAAA,qBAAW,EAAC,WAAW,CAAC;SACnC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;SACxD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,aAAa,CAAC;SAClC,IAAI,EAAE,CAAC;IAEV,MAAM,WAAW,GAAkB,EAAE,CAAC;IAEtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,IAAA,gBAAI,EAAC,WAAW,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,iBAAI,CAAC,IAAI,CAAC,OAAO,CAAoB,CAAC;YACrD,IAAI,MAAM,EAAE,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACvD,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACrC,GAAG,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAClF,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,EAAE,IAAI,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,0BAA0B,CAAC,EAAqB;IACvD,gDAAgD;IAChD,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,YAAY,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,0BAA0B;IAChD,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;QACzC,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,0BAA0B;IAChD,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,cAAc,CAAC,IAA2B,EAAE,QAAuB,EAAE,iBAA2B;IACvG,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC9C,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC;YAEpC,IAAI,aAAa,GAAkB,IAAI,CAAC;YACxC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;gBACpB,aAAa,GAAG,0BAA0B,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;YAC9D,CAAC;YAED,IAAI,CAAC,YAAY,CAAC;gBAChB,EAAE,EAAE,UAAU,CAAC,CAAC,IAAI,EAAE;gBACtB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,YAAY,EAAE,CAAC,CAAC,KAAK;gBACrB,WAAW,EAAE,CAAC,CAAC,KAAK,IAAI,GAAG;gBAC3B,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI;gBAClC,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,IAAI;gBAC9B,eAAe,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI;gBAC3E,cAAc,EAAE,aAAa;gBAC7B,OAAO,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACnC,MAAM,EAAE,QAAQ;aACjB,CAAC,CAAC;YACH,KAAK,EAAE,CAAC;QACV,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,0BAA0B;AAE1B,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,oBAAU,EAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,IAAI,CAAC;QACH,OAAO,iBAAI,CAAC,IAAI,CAAC,IAAA,sBAAY,EAAC,OAAO,EAAE,OAAO,CAAC,CAAkB,CAAC;IACpE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC9E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAmB;IACxC,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,gBAAK,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACtD,IAAI,CAAC;QACH,IAAA,mBAAS,EAAC,gBAAK,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,IAAA,uBAAa,EAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,8DAA8D;AAC9D,SAAgB,qBAAqB;IACnC,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,gBAAK,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACtD,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAkB,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAC,MAA4B;IAC1D,MAAM,KAAK,GAAG,qBAAqB,EAAE,CAAC;IAEtC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,OAAO,GAAG,gBAAK,CAAC,aAAa,CAAC;IACpC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAE5C,yCAAyC;IACzC,IAAI,CAAC,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;QACvC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;IACzD,CAAC;IAED,IAAI,CAAC;QACH,IAAA,6BAAQ,EAAC,WAAW,OAAO,gBAAgB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhF,wEAAwE;QACxE,MAAM,aAAa,GAAG,IAAA,6BAAQ,EAC5B,WAAW,OAAO,iBAAiB,MAAM,iBAAiB,EAC1D,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CACrC,CAAC;QAEF,MAAM,SAAS,GAAG,iBAAI,CAAC,IAAI,CAAC,aAAa,CAAkB,CAAC;QAC5D,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;QACzD,CAAC;QAED,MAAM,MAAM,GAAG;YACb,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC;YAClC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;YAC5C,YAAY,EAAE,SAAS,CAAC,YAAY,IAAI,CAAC;SAC1C,CAAC;QAEF,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,eAAe,GAAG,SAAS,GAAG,QAAQ,CAAC;QAE7C,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,0BAA0B,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACzE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;IACzD,CAAC;AACH,CAAC;AAED,kBAAkB;AAElB;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,MAA4B,EAC5B,YAAmC,EACnC,iBAA2B;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC;IAE1B,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,GAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;IAEtE,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,CAAC,CAAC;IAExB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,GAAG,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACrC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,CAAC,YAAY,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC;IAExE,oCAAoC;IACpC,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,IAAI,GAAkB;YAC1B,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC;YAC5B,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;YACtC,YAAY,EAAE,GAAG,CAAC,YAAY,IAAI,KAAK;YACvC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,OAAO,EAAE,MAAM,CAAC,GAAG;YACnB,MAAM;YACN,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC;QACF,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,GAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACrG,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,IAAI,CAAC,kDAAkD,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAClG,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,MAA4B,EAC5B,YAAmC,EACnC,iBAA2B;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,mBAAmB,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,GAAG,EAAE,GAAE,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,mBAAmB,GAAG,EAAE,GAAG,IAAI,CAAC;IAC1D,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,eAAe,EAAE,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC;IAE5F,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;QAC7B,IAAI,CAAC;YACH,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,iBAAiB,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,EAAE,UAAU,CAAC,CAAC;IAEf,OAAO,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC"}

package/dist/dlp/semantics.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Layer 3: Field-name Semantics
+ *
+ * Uses JSON field names to identify potentially sensitive data.
+ * When a value appears under a field like "api_key" or "password",
+ * it provides strong signal that the value is a secret — even if
+ * no specific regex pattern matches.
+ *
+ * Built-in patterns are immutable defaults.
+ * Additional patterns / non-sensitive names can be added at runtime
+ * via updateSemanticConfig() (driven by the Settings UI).
+ */
+export interface SemanticConfig {
+    /** Additional regex patterns (strings) for sensitive field names */
+    sensitivePatterns?: string[];
+    /** Additional non-sensitive field names to exclude */
+    nonSensitiveNames?: string[];
+}
+/** Update user-configurable semantic rules. Called when config changes. */
+export declare function updateSemanticConfig(config: SemanticConfig): void;
+/** Read-only access to built-in sensitive patterns (for UI display) */
+export declare function getBuiltinSensitivePatterns(): string[];
+/** Read-only access to built-in non-sensitive names (for UI display) */
+export declare function getBuiltinNonSensitiveNames(): string[];
+/** Check if a field name suggests it holds sensitive data */
+export declare function isSensitiveFieldName(name: string): boolean;
+//# sourceMappingURL=semantics.d.ts.map

package/dist/dlp/semantics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semantics.d.ts","sourceRoot":"","sources":["../../src/dlp/semantics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA2CH,MAAM,WAAW,cAAc;IAC7B,oEAAoE;IACpE,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,sDAAsD;IACtD,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,2EAA2E;AAC3E,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CAYjE;AAED,uEAAuE;AACvE,wBAAgB,2BAA2B,IAAI,MAAM,EAAE,CAEtD;AAED,wEAAwE;AACxE,wBAAgB,2BAA2B,IAAI,MAAM,EAAE,CAEtD;AAED,6DAA6D;AAC7D,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAY1D"}