@dcyfr/ai 1.0.4 → 2.1.0

package/dist/ai/delegation/middleware/chain-depth-middleware.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Chain Depth + Fan-Out Middleware
+ * TLP:AMBER - Internal Use Only
+ *
+ * Enforces:
+ *   1. Maximum delegation chain depth (default: 5)
+ *   2. Maximum fan-out per delegator in a single session (default: 10)
+ *
+ * Both limits are configurable and gated by the `chain_tracking` feature flag.
+ *
+ * @module delegation/middleware/chain-depth-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import type { SecurityMiddleware, SecurityContext, SecurityVerdict, SecurityOperationType } from '../../types/security-middleware.js';
+export interface ChainDepthMiddlewareOptions {
+    /** Maximum delegation chain depth before blocking (inclusive). Default: 5 */
+    maxDepth?: number;
+    /** Maximum direct delegations from one agent in one session. Default: 10 */
+    maxFanOut?: number;
+}
+export declare class ChainDepthMiddleware implements SecurityMiddleware {
+    readonly name = "chain-depth";
+    readonly featureFlag = "chain_tracking";
+    readonly appliesTo: SecurityOperationType[];
+    private readonly maxDepth;
+    private readonly maxFanOut;
+    /**
+     * Per-delegator fan-out counter: agent_id → count of active delegations
+     * Managed by contract-manager which calls `incrementFanOut` / `decrementFanOut`.
+     */
+    private readonly fanOutCounters;
+    constructor(options?: ChainDepthMiddlewareOptions);
+    evaluate(context: SecurityContext): Promise<SecurityVerdict>;
+    incrementFanOut(delegatorId: string): void;
+    decrementFanOut(delegatorId: string): void;
+    getFanOut(delegatorId: string): number;
+}
+//# sourceMappingURL=chain-depth-middleware.d.ts.map

package/dist/ai/delegation/middleware/chain-depth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-depth-middleware.d.ts","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/chain-depth-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,eAAe,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAEtI,MAAM,WAAW,2BAA2B;IAC1C,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,oBAAqB,YAAW,kBAAkB;IAC7D,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,WAAW,oBAAoB;IACxC,QAAQ,CAAC,SAAS,EAAE,qBAAqB,EAAE,CAAc;IAEzD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IAEnC;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA6B;gBAEhD,OAAO,GAAE,2BAAgC;IAK/C,QAAQ,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;IAoClE,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAI1C,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAS1C,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM;CAGvC"}

package/dist/ai/delegation/middleware/chain-depth-middleware.js

@@ -0,0 +1,77 @@
+/**
+ * Chain Depth + Fan-Out Middleware
+ * TLP:AMBER - Internal Use Only
+ *
+ * Enforces:
+ *   1. Maximum delegation chain depth (default: 5)
+ *   2. Maximum fan-out per delegator in a single session (default: 10)
+ *
+ * Both limits are configurable and gated by the `chain_tracking` feature flag.
+ *
+ * @module delegation/middleware/chain-depth-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+export class ChainDepthMiddleware {
+    name = 'chain-depth';
+    featureFlag = 'chain_tracking';
+    appliesTo = ['create'];
+    maxDepth;
+    maxFanOut;
+    /**
+     * Per-delegator fan-out counter: agent_id → count of active delegations
+     * Managed by contract-manager which calls `incrementFanOut` / `decrementFanOut`.
+     */
+    fanOutCounters = new Map();
+    constructor(options = {}) {
+        this.maxDepth = options.maxDepth ?? 5;
+        this.maxFanOut = options.maxFanOut ?? 10;
+    }
+    async evaluate(context) {
+        const depth = context.contract.delegation_depth ?? 0;
+        // Block if depth exceeds limit
+        if (depth > this.maxDepth) {
+            return {
+                action: 'block',
+                reason: `Delegation chain depth ${depth} exceeds maximum allowed depth of ${this.maxDepth}.`,
+                threat_type: 'chain_depth_exceeded',
+                severity: 'critical',
+                evidence: { depth, max_depth: this.maxDepth },
+            };
+        }
+        // Check fan-out for the delegating agent
+        const delegatorId = context.delegator_auth?.agent_id ?? context.contract.delegator?.agent_id;
+        if (delegatorId) {
+            const current = this.fanOutCounters.get(delegatorId) ?? 0;
+            if (current >= this.maxFanOut) {
+                return {
+                    action: 'block',
+                    reason: `Agent '${delegatorId}' has reached the fan-out limit of ${this.maxFanOut} concurrent delegations.`,
+                    threat_type: 'fan_out_exceeded',
+                    severity: 'high',
+                    evidence: { delegator_id: delegatorId, current_fan_out: current, max_fan_out: this.maxFanOut },
+                };
+            }
+        }
+        return { action: 'allow' };
+    }
+    // ──────────────────────────────────────────────────────────────────────────
+    // Fan-out counter management (called by contract-manager lifecycle hooks)
+    // ──────────────────────────────────────────────────────────────────────────
+    incrementFanOut(delegatorId) {
+        this.fanOutCounters.set(delegatorId, (this.fanOutCounters.get(delegatorId) ?? 0) + 1);
+    }
+    decrementFanOut(delegatorId) {
+        const current = this.fanOutCounters.get(delegatorId) ?? 0;
+        if (current <= 1) {
+            this.fanOutCounters.delete(delegatorId);
+        }
+        else {
+            this.fanOutCounters.set(delegatorId, current - 1);
+        }
+    }
+    getFanOut(delegatorId) {
+        return this.fanOutCounters.get(delegatorId) ?? 0;
+    }
+}
+//# sourceMappingURL=chain-depth-middleware.js.map

package/dist/ai/delegation/middleware/chain-depth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-depth-middleware.js","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/chain-depth-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAWH,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,gBAAgB,CAAC;IAC/B,SAAS,GAA4B,CAAC,QAAQ,CAAC,CAAC;IAExC,QAAQ,CAAS;IACjB,SAAS,CAAS;IAEnC;;;OAGG;IACc,cAAc,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE5D,YAAY,UAAuC,EAAE;QACnD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAwB;QACrC,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,gBAAgB,IAAI,CAAC,CAAC;QAErD,+BAA+B;QAC/B,IAAI,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,0BAA0B,KAAK,qCAAqC,IAAI,CAAC,QAAQ,GAAG;gBAC5F,WAAW,EAAE,sBAAsB;gBACnC,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE;aAC9C,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC;QAC7F,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YAC1D,IAAI,OAAO,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC9B,OAAO;oBACL,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,UAAU,WAAW,sCAAsC,IAAI,CAAC,SAAS,0BAA0B;oBAC3G,WAAW,EAAE,kBAAkB;oBAC/B,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,SAAS,EAAE;iBAC/F,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,6EAA6E;IAC7E,0EAA0E;IAC1E,6EAA6E;IAE7E,eAAe,CAAC,WAAmB;QACjC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxF,CAAC;IAED,eAAe,CAAC,WAAmB;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,OAAO,IAAI,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,SAAS,CAAC,WAAmB;QAC3B,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;CACF"}

package/dist/ai/delegation/middleware/chain-tracker-middleware.d.ts

@@ -0,0 +1,46 @@
+/**
+ * DCYFR Chain Tracker Middleware
+ * TLP:CLEAR
+ *
+ * SecurityMiddleware that wraps DelegationChainTracker to enforce loop detection
+ * and delegation chain depth limits as an automatic guard during contract creation.
+ *
+ * @module delegation/middleware/chain-tracker-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import type { DelegationContract } from '../../types/delegation-contracts.js';
+import type { SecurityMiddleware, SecurityContext, SecurityVerdict, SecurityOperationType } from '../../types/security-middleware.js';
+/**
+ * Minimal contract provider interface required by DelegationChainTracker.
+ */
+export interface ChainContractProvider {
+    getContract(contract_id: string): DelegationContract | null;
+}
+/**
+ * ChainTrackerMiddleware — loop detection and depth validation guard.
+ *
+ * This middleware fires only during contract CREATION (`appliesTo: ['create']`).
+ * Before the new contract is persisted it:
+ *
+ * 1. Builds the existing delegation chain from the `parent_contract_id` using
+ *    `DelegationChainTracker.buildChain()`.
+ * 2. Blocks if the proposed delegatee (or delegator) is already present in the
+ *    existing chain — indicating a loop.
+ * 3. Blocks if the resulting chain depth (parent depth + 1) would exceed
+ *    `maxChainDepth`.
+ *
+ * Gate: `chain_tracking` feature flag.
+ */
+export declare class ChainTrackerMiddleware implements SecurityMiddleware {
+    readonly name = "chain-tracker";
+    readonly featureFlag = "chain_tracking";
+    readonly appliesTo: SecurityOperationType[];
+    private readonly tracker;
+    private readonly maxChainDepth;
+    constructor(provider: ChainContractProvider, options?: {
+        maxChainDepth?: number;
+    });
+    evaluate(context: SecurityContext): Promise<SecurityVerdict>;
+}
+//# sourceMappingURL=chain-tracker-middleware.d.ts.map

package/dist/ai/delegation/middleware/chain-tracker-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-tracker-middleware.d.ts","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/chain-tracker-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAC9E,OAAO,KAAK,EACV,kBAAkB,EAClB,eAAe,EACf,eAAe,EACf,qBAAqB,EACtB,MAAM,oCAAoC,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI,CAAC;CAC7D;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAuB,YAAW,kBAAkB;IAC/D,QAAQ,CAAC,IAAI,mBAAmB;IAChC,QAAQ,CAAC,WAAW,oBAAoB;IACxC,QAAQ,CAAC,SAAS,EAAE,qBAAqB,EAAE,CAAc;IAEzD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;gBAE3B,QAAQ,EAAE,qBAAqB,EAAE,OAAO,GAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAO;IAU/E,QAAQ,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;CAiDnE"}

package/dist/ai/delegation/middleware/chain-tracker-middleware.js

@@ -0,0 +1,89 @@
+/**
+ * DCYFR Chain Tracker Middleware
+ * TLP:CLEAR
+ *
+ * SecurityMiddleware that wraps DelegationChainTracker to enforce loop detection
+ * and delegation chain depth limits as an automatic guard during contract creation.
+ *
+ * @module delegation/middleware/chain-tracker-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import { DelegationChainTracker } from '../chain-tracker.js';
+/**
+ * ChainTrackerMiddleware — loop detection and depth validation guard.
+ *
+ * This middleware fires only during contract CREATION (`appliesTo: ['create']`).
+ * Before the new contract is persisted it:
+ *
+ * 1. Builds the existing delegation chain from the `parent_contract_id` using
+ *    `DelegationChainTracker.buildChain()`.
+ * 2. Blocks if the proposed delegatee (or delegator) is already present in the
+ *    existing chain — indicating a loop.
+ * 3. Blocks if the resulting chain depth (parent depth + 1) would exceed
+ *    `maxChainDepth`.
+ *
+ * Gate: `chain_tracking` feature flag.
+ */
+export class ChainTrackerMiddleware {
+    name = 'chain-tracker';
+    featureFlag = 'chain_tracking';
+    appliesTo = ['create'];
+    tracker;
+    maxChainDepth;
+    constructor(provider, options = {}) {
+        this.maxChainDepth = options.maxChainDepth ?? 5;
+        // Cast the minimal provider to the full ContractManager type expected by chain-tracker.
+        // ChainTrackerMiddleware only needs getContract() — DelegationContractManager satisfies this.
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        this.tracker = new DelegationChainTracker(provider, {
+            maxChainDepth: this.maxChainDepth,
+        });
+    }
+    async evaluate(context) {
+        const parentContractId = context.contract.parent_contract_id;
+        // Root delegation — nothing to track against
+        if (!parentContractId) {
+            return { action: 'allow' };
+        }
+        let chain;
+        try {
+            chain = await this.tracker.buildChain(parentContractId);
+        }
+        catch {
+            // Parent contract not found — let downstream validation handle it
+            return { action: 'allow' };
+        }
+        // ── 1. Loop detection ──────────────────────────────────────────────────
+        // Only block on a genuine circular parent_contract_id reference.
+        // Agent-ID reuse at different chain levels is intentional (retries, sub-tasks)
+        // and must NOT be treated as a loop — post-hoc analyzeChain() handles that.
+        if (chain.has_loops) {
+            return {
+                action: 'block',
+                reason: `Delegation loop detected in existing chain (parent: ${parentContractId})`,
+                threat_type: 'chain_depth_exceeded',
+                severity: 'critical',
+                evidence: { parent_contract_id: parentContractId, chain_depth: chain.depth },
+            };
+        }
+        // ── 2. Depth validation ────────────────────────────────────────────────
+        const resultingDepth = chain.depth + 1;
+        if (resultingDepth > this.maxChainDepth) {
+            return {
+                action: 'block',
+                reason: `Chain depth ${resultingDepth} would exceed the limit of ${this.maxChainDepth}`,
+                threat_type: 'chain_depth_exceeded',
+                severity: 'critical',
+                evidence: {
+                    parent_contract_id: parentContractId,
+                    current_depth: chain.depth,
+                    resulting_depth: resultingDepth,
+                    max_chain_depth: this.maxChainDepth,
+                },
+            };
+        }
+        return { action: 'allow' };
+    }
+}
+//# sourceMappingURL=chain-tracker-middleware.js.map

package/dist/ai/delegation/middleware/chain-tracker-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chain-tracker-middleware.js","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/chain-tracker-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAgB7D;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAO,sBAAsB;IACxB,IAAI,GAAG,eAAe,CAAC;IACvB,WAAW,GAAG,gBAAgB,CAAC;IAC/B,SAAS,GAA4B,CAAC,QAAQ,CAAC,CAAC;IAExC,OAAO,CAAyB;IAChC,aAAa,CAAS;IAEvC,YAAY,QAA+B,EAAE,UAAsC,EAAE;QACnF,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,CAAC,CAAC;QAChD,wFAAwF;QACxF,8FAA8F;QAC9F,8DAA8D;QAC9D,IAAI,CAAC,OAAO,GAAG,IAAI,sBAAsB,CAAC,QAA0B,EAAE;YACpE,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAwB;QACrC,MAAM,gBAAgB,GAAG,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QAE7D,6CAA6C;QAC7C,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAC7B,CAAC;QAED,IAAI,KAAgE,CAAC;QACrE,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAC7B,CAAC;QAED,0EAA0E;QAC1E,iEAAiE;QACjE,+EAA+E;QAC/E,4EAA4E;QAC5E,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,uDAAuD,gBAAgB,GAAG;gBAClF,WAAW,EAAE,sBAAsB;gBACnC,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,WAAW,EAAE,KAAK,CAAC,KAAK,EAAE;aAC7E,CAAC;QACJ,CAAC;QAED,0EAA0E;QAC1E,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;QACvC,IAAI,cAAc,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YACxC,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,eAAe,cAAc,8BAA8B,IAAI,CAAC,aAAa,EAAE;gBACvF,WAAW,EAAE,sBAAsB;gBACnC,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE;oBACR,kBAAkB,EAAE,gBAAgB;oBACpC,aAAa,EAAE,KAAK,CAAC,KAAK;oBAC1B,eAAe,EAAE,cAAc;oBAC/B,eAAe,EAAE,IAAI,CAAC,aAAa;iBACpC;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/ai/delegation/middleware/content-policy-middleware.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Content Policy Middleware — task instruction sanitization
+ * TLP:AMBER - Internal Use Only
+ *
+ * Checks `context.task_content` for prompt-injection patterns and content-policy
+ * violations.  Only fires when `content_security` feature flag is enabled and
+ * task_content is provided.
+ *
+ * @module delegation/middleware/content-policy-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import type { SecurityMiddleware, SecurityContext, SecurityVerdict } from '../../types/security-middleware.js';
+/**
+ * Configurable content policy rules.
+ * Each rule is a named regex pattern that blocks or warns depending on severity.
+ */
+export interface ContentRule {
+    name: string;
+    pattern: RegExp;
+    severity: 'block' | 'warn';
+    message: string;
+}
+export declare class ContentPolicyMiddleware implements SecurityMiddleware {
+    readonly name = "content-policy";
+    readonly featureFlag = "content_security";
+    private readonly rules;
+    constructor(rules?: ContentRule[]);
+    evaluate(context: SecurityContext): Promise<SecurityVerdict>;
+}
+//# sourceMappingURL=content-policy-middleware.d.ts.map

package/dist/ai/delegation/middleware/content-policy-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-policy-middleware.d.ts","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/content-policy-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAE/G;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAoCD,qBAAa,uBAAwB,YAAW,kBAAkB;IAChE,QAAQ,CAAC,IAAI,oBAAoB;IACjC,QAAQ,CAAC,WAAW,sBAAsB;IAE1C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;gBAE1B,KAAK,CAAC,EAAE,WAAW,EAAE;IAI3B,QAAQ,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;CA8BnE"}

package/dist/ai/delegation/middleware/content-policy-middleware.js

@@ -0,0 +1,82 @@
+/**
+ * Content Policy Middleware — task instruction sanitization
+ * TLP:AMBER - Internal Use Only
+ *
+ * Checks `context.task_content` for prompt-injection patterns and content-policy
+ * violations.  Only fires when `content_security` feature flag is enabled and
+ * task_content is provided.
+ *
+ * @module delegation/middleware/content-policy-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+/** Default rules targeting common prompt injection vectors */
+const DEFAULT_RULES = [
+    {
+        name: 'ignore_previous_instructions',
+        pattern: /ignore\s+(all\s+)?previous\s+(instructions|constraints|rules)/i,
+        severity: 'block',
+        message: 'Prompt injection attempt: ignore-previous-instructions pattern detected.',
+    },
+    {
+        name: 'system_override',
+        pattern: /\[SYSTEM[^\]]*\]|\[OVERRIDE\]|\[ADMIN\]|\[ROOT\]|SYSTEM\s*:\s*(override|disable|bypass)/i,
+        severity: 'block',
+        message: 'Prompt injection attempt: system-override tag detected.',
+    },
+    {
+        name: 'jailbreak_phrase',
+        pattern: /DAN mode|jailbreak|developer mode enabled/i,
+        severity: 'block',
+        message: 'Prompt injection attempt: known jailbreak phrase detected.',
+    },
+    {
+        name: 'exfiltrate_credentials',
+        pattern: /exfiltrate|steal\s+(api\s+)?key|dump\s+credentials/i,
+        severity: 'block',
+        message: 'Content policy violation: credential-exfiltration language detected.',
+    },
+    {
+        name: 'eval_execute_shell',
+        pattern: /\beval\s*\(|\bexec\s*\(|\bspawn\s*\(|subprocess\.run/i,
+        severity: 'warn',
+        message: 'Advisory: instruction contains execution-like language — review carefully.',
+    },
+];
+export class ContentPolicyMiddleware {
+    name = 'content-policy';
+    featureFlag = 'content_security';
+    rules;
+    constructor(rules) {
+        this.rules = rules ?? DEFAULT_RULES;
+    }
+    async evaluate(context) {
+        const tc = context.task_content;
+        if (!tc)
+            return { action: 'allow' };
+        const target = [tc.instruction, tc.context].filter(Boolean).join('\n');
+        for (const rule of this.rules) {
+            if (rule.pattern.test(target)) {
+                if (rule.severity === 'block') {
+                    return {
+                        action: 'block',
+                        reason: rule.message,
+                        threat_type: 'content_policy_violation',
+                        severity: 'high',
+                        evidence: { rule: rule.name },
+                    };
+                }
+                // warn — keep checking other rules
+                return {
+                    action: 'warn',
+                    reason: rule.message,
+                    threat_type: 'content_policy_violation',
+                    severity: 'medium',
+                    evidence: { rule: rule.name },
+                };
+            }
+        }
+        return { action: 'allow' };
+    }
+}
+//# sourceMappingURL=content-policy-middleware.js.map

package/dist/ai/delegation/middleware/content-policy-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-policy-middleware.js","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/content-policy-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAeH,8DAA8D;AAC9D,MAAM,aAAa,GAAkB;IACnC;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,0EAA0E;KACpF;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,0FAA0F;QACnG,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,yDAAyD;KACnE;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,4CAA4C;QACrD,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,4DAA4D;KACtE;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,sEAAsE;KAChF;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,4EAA4E;KACtF;CACF,CAAC;AAEF,MAAM,OAAO,uBAAuB;IACzB,IAAI,GAAG,gBAAgB,CAAC;IACxB,WAAW,GAAG,kBAAkB,CAAC;IAEzB,KAAK,CAAgB;IAEtC,YAAY,KAAqB;QAC/B,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,aAAa,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAwB;QACrC,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;QAChC,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAEpC,MAAM,MAAM,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEvE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC9B,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBAC9B,OAAO;wBACL,MAAM,EAAE,OAAO;wBACf,MAAM,EAAE,IAAI,CAAC,OAAO;wBACpB,WAAW,EAAE,0BAA0B;wBACvC,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;qBAC9B,CAAC;gBACJ,CAAC;gBACD,mCAAmC;gBACnC,OAAO;oBACL,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,IAAI,CAAC,OAAO;oBACpB,WAAW,EAAE,0BAA0B;oBACvC,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;iBAC9B,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/ai/delegation/middleware/feature-flag-middleware.d.ts

@@ -0,0 +1,46 @@
+/**
+ * DCYFR Feature Flag Middleware
+ * TLP:CLEAR
+ *
+ * First-in-chain kill-switch middleware.  Blocks all delegation operations when
+ * the `delegation_enabled` feature flag is disabled via FeatureFlagManager.
+ *
+ * Unlike other middleware this one intentionally has NO `featureFlag` property —
+ * it IS the gate and gating itself would be circular.
+ *
+ * @module delegation/middleware/feature-flag-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import { FeatureFlagManager } from '../feature-flags.js';
+import type { SecurityMiddleware, SecurityContext, SecurityVerdict } from '../../types/security-middleware.js';
+/**
+ * Thrown when delegation is attempted while the `delegation_enabled` flag is
+ * set to `false`.  Extends Error so catch-blocks can distinguish it from other
+ * security rejections.
+ */
+export declare class DelegationDisabledError extends Error {
+    constructor();
+}
+/**
+ * FeatureFlagMiddleware — master kill-switch for the delegation framework.
+ *
+ * Registers as the first middleware in every `SecurityMiddlewareChain` so that
+ * all downstream guards are skipped when delegation is administratively disabled.
+ *
+ * Usage:
+ * ```ts
+ * const chain = new SecurityMiddlewareChain();
+ * chain.use(new FeatureFlagMiddleware(flagManager));   // must come first
+ * chain.use(new IdentityMiddleware(agentRegistry));
+ * // …
+ * ```
+ */
+export declare class FeatureFlagMiddleware implements SecurityMiddleware {
+    /** Unique name used in chain events and audit logs */
+    readonly name = "feature-flag";
+    private readonly flagManager;
+    constructor(flagManager: FeatureFlagManager);
+    evaluate(_context: SecurityContext): Promise<SecurityVerdict>;
+}
+//# sourceMappingURL=feature-flag-middleware.d.ts.map

package/dist/ai/delegation/middleware/feature-flag-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"feature-flag-middleware.d.ts","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/feature-flag-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EACV,kBAAkB,EAClB,eAAe,EACf,eAAe,EAChB,MAAM,oCAAoC,CAAC;AAE5C;;;;GAIG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;;CAKjD;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,qBAAsB,YAAW,kBAAkB;IAC9D,sDAAsD;IACtD,QAAQ,CAAC,IAAI,kBAAkB;IAK/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAqB;gBAErC,WAAW,EAAE,kBAAkB;IAIrC,QAAQ,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;CASpE"}

package/dist/ai/delegation/middleware/feature-flag-middleware.js

@@ -0,0 +1,59 @@
+/**
+ * DCYFR Feature Flag Middleware
+ * TLP:CLEAR
+ *
+ * First-in-chain kill-switch middleware.  Blocks all delegation operations when
+ * the `delegation_enabled` feature flag is disabled via FeatureFlagManager.
+ *
+ * Unlike other middleware this one intentionally has NO `featureFlag` property —
+ * it IS the gate and gating itself would be circular.
+ *
+ * @module delegation/middleware/feature-flag-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+/**
+ * Thrown when delegation is attempted while the `delegation_enabled` flag is
+ * set to `false`.  Extends Error so catch-blocks can distinguish it from other
+ * security rejections.
+ */
+export class DelegationDisabledError extends Error {
+    constructor() {
+        super('Delegation is disabled via feature flag (delegation_enabled=false)');
+        this.name = 'DelegationDisabledError';
+    }
+}
+/**
+ * FeatureFlagMiddleware — master kill-switch for the delegation framework.
+ *
+ * Registers as the first middleware in every `SecurityMiddlewareChain` so that
+ * all downstream guards are skipped when delegation is administratively disabled.
+ *
+ * Usage:
+ * ```ts
+ * const chain = new SecurityMiddlewareChain();
+ * chain.use(new FeatureFlagMiddleware(flagManager));   // must come first
+ * chain.use(new IdentityMiddleware(agentRegistry));
+ * // …
+ * ```
+ */
+export class FeatureFlagMiddleware {
+    /** Unique name used in chain events and audit logs */
+    name = 'feature-flag';
+    // Intentionally NO `featureFlag` property — this is the kill-switch itself
+    // and must always execute regardless of feature-flag state.
+    flagManager;
+    constructor(flagManager) {
+        this.flagManager = flagManager;
+    }
+    async evaluate(_context) {
+        const evaluation = this.flagManager.isEnabled('delegation_enabled');
+        if (!evaluation.enabled) {
+            // Throw a typed error so unit tests can assert on `DelegationDisabledError`.
+            // The SecurityMiddlewareChain catches this and converts it to a 'block' verdict.
+            throw new DelegationDisabledError();
+        }
+        return { action: 'allow' };
+    }
+}
+//# sourceMappingURL=feature-flag-middleware.js.map

package/dist/ai/delegation/middleware/feature-flag-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"feature-flag-middleware.js","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/feature-flag-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH;;;;GAIG;AACH,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD;QACE,KAAK,CAAC,oEAAoE,CAAC,CAAC;QAC5E,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,OAAO,qBAAqB;IAChC,sDAAsD;IAC7C,IAAI,GAAG,cAAc,CAAC;IAE/B,2EAA2E;IAC3E,4DAA4D;IAE3C,WAAW,CAAqB;IAEjD,YAAY,WAA+B;QACzC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,QAAyB;QACtC,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QACpE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,6EAA6E;YAC7E,iFAAiF;YACjF,MAAM,IAAI,uBAAuB,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/ai/delegation/middleware/identity-middleware.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Identity Middleware — HMAC-SHA256 token verification
+ * TLP:AMBER - Internal Use Only
+ *
+ * Verifies that delegator and delegatee have valid auth tokens before allowing
+ * a delegation operation.  When the `identity_auth` feature flag is disabled
+ * (default in legacy environments) the middleware is a no-op pass-through.
+ *
+ * @module delegation/middleware/identity-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import type { SecurityMiddleware, SecurityContext, SecurityVerdict } from '../../types/security-middleware.js';
+import { AgentRegistry } from '../agent-registry.js';
+export declare class IdentityMiddleware implements SecurityMiddleware {
+    private readonly registry;
+    readonly name = "identity";
+    readonly featureFlag = "identity_auth";
+    constructor(registry: AgentRegistry);
+    evaluate(context: SecurityContext): Promise<SecurityVerdict>;
+    private verify;
+}
+//# sourceMappingURL=identity-middleware.d.ts.map

package/dist/ai/delegation/middleware/identity-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-middleware.d.ts","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/identity-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAC/G,OAAO,EACL,aAAa,EAId,MAAM,sBAAsB,CAAC;AAE9B,qBAAa,kBAAmB,YAAW,kBAAkB;IAI/C,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAHrC,QAAQ,CAAC,IAAI,cAAc;IAC3B,QAAQ,CAAC,WAAW,mBAAmB;gBAEV,QAAQ,EAAE,aAAa;IAE9C,QAAQ,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;IA0BlE,OAAO,CAAC,MAAM;CAoBf"}

package/dist/ai/delegation/middleware/identity-middleware.js

@@ -0,0 +1,64 @@
+/**
+ * Identity Middleware — HMAC-SHA256 token verification
+ * TLP:AMBER - Internal Use Only
+ *
+ * Verifies that delegator and delegatee have valid auth tokens before allowing
+ * a delegation operation.  When the `identity_auth` feature flag is disabled
+ * (default in legacy environments) the middleware is a no-op pass-through.
+ *
+ * @module delegation/middleware/identity-middleware
+ * @version 1.0.0
+ * @date 2026-02-24
+ */
+import { AuthenticationFailedError, AuthenticationExpiredError, AgentNotFoundError, } from '../agent-registry.js';
+export class IdentityMiddleware {
+    registry;
+    name = 'identity';
+    featureFlag = 'identity_auth';
+    constructor(registry) {
+        this.registry = registry;
+    }
+    async evaluate(context) {
+        const errors = [];
+        // Verify delegator if auth fields are present
+        if (context.delegator_auth) {
+            const err = this.verify(context.delegator_auth, 'delegator');
+            if (err)
+                errors.push(err);
+        }
+        // Verify delegatee if auth fields are present
+        if (context.delegatee_auth) {
+            const err = this.verify(context.delegatee_auth, 'delegatee');
+            if (err)
+                errors.push(err);
+        }
+        if (errors.length === 0)
+            return { action: 'allow' };
+        return {
+            action: 'block',
+            reason: `Identity verification failed: ${errors.join('; ')}`,
+            threat_type: 'identity_failure',
+            severity: 'critical',
+            evidence: { errors },
+        };
+    }
+    verify(agent, role) {
+        if (!agent.auth_token || !agent.auth_timestamp || !agent.key_id) {
+            return `${role} '${agent.agent_id}' is missing auth credentials`;
+        }
+        try {
+            this.registry.verifyToken(agent.auth_token, agent.agent_id, agent.auth_timestamp, agent.key_id);
+            return null;
+        }
+        catch (err) {
+            if (err instanceof AuthenticationExpiredError) {
+                return `${role} token expired for '${agent.agent_id}'`;
+            }
+            if (err instanceof AuthenticationFailedError || err instanceof AgentNotFoundError) {
+                return `${role} auth failed for '${agent.agent_id}': ${err.message}`;
+            }
+            return `${role} auth error for '${agent.agent_id}': ${err.message}`;
+        }
+    }
+}
+//# sourceMappingURL=identity-middleware.js.map

package/dist/ai/delegation/middleware/identity-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-middleware.js","sourceRoot":"","sources":["../../../../packages/ai/delegation/middleware/identity-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAEL,yBAAyB,EACzB,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAE9B,MAAM,OAAO,kBAAkB;IAIA;IAHpB,IAAI,GAAG,UAAU,CAAC;IAClB,WAAW,GAAG,eAAe,CAAC;IAEvC,YAA6B,QAAuB;QAAvB,aAAQ,GAAR,QAAQ,CAAe;IAAG,CAAC;IAExD,KAAK,CAAC,QAAQ,CAAC,OAAwB;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;YAC7D,IAAI,GAAG;gBAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;YAC7D,IAAI,GAAG;gBAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAEpD,OAAO;YACL,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,iCAAiC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC5D,WAAW,EAAE,kBAAkB;YAC/B,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,EAAE,MAAM,EAAE;SACrB,CAAC;IACJ,CAAC;IAEO,MAAM,CACZ,KAA0F,EAC1F,IAAY;QAEZ,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAChE,OAAO,GAAG,IAAI,KAAK,KAAK,CAAC,QAAQ,+BAA+B,CAAC;QACnE,CAAC;QACD,IAAI,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YAChG,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,0BAA0B,EAAE,CAAC;gBAC9C,OAAO,GAAG,IAAI,uBAAuB,KAAK,CAAC,QAAQ,GAAG,CAAC;YACzD,CAAC;YACD,IAAI,GAAG,YAAY,yBAAyB,IAAI,GAAG,YAAY,kBAAkB,EAAE,CAAC;gBAClF,OAAO,GAAG,IAAI,qBAAqB,KAAK,CAAC,QAAQ,MAAO,GAAa,CAAC,OAAO,EAAE,CAAC;YAClF,CAAC;YACD,OAAO,GAAG,IAAI,oBAAoB,KAAK,CAAC,QAAQ,MAAO,GAAa,CAAC,OAAO,EAAE,CAAC;QACjF,CAAC;IACH,CAAC;CACF"}