@dotsetlabs/tollgate 0.2.0 → 0.2.2

package/dist/analyzers/output-validation-types.d.ts

@@ -0,0 +1,179 @@
+/**
+ * Output Validation Types
+ *
+ * Type definitions for the enhanced output validation system that scans
+ * tool responses for sensitive data, PII, credentials, and injection attempts.
+ *
+ * @module analyzers/output-validation-types
+ */
+/**
+ * Action to take when a pattern matches in output content.
+ *
+ * - `block`: Prevent the response from being returned entirely
+ * - `redact`: Replace matched content with a placeholder
+ * - `warn`: Log a warning but allow the response through
+ * - `log`: Silently log for auditing without affecting response
+ */
+export type OutputValidationAction = 'block' | 'redact' | 'warn' | 'log';
+/**
+ * Severity level for output validation matches.
+ */
+export type OutputValidationSeverity = 'low' | 'medium' | 'high' | 'critical';
+/**
+ * A configurable output validation pattern.
+ *
+ * @example
+ * ```typescript
+ * const ssnPattern: OutputValidationPattern = {
+ *   name: 'ssn',
+ *   pattern: /\b\d{3}-\d{2}-\d{4}\b/,
+ *   action: 'redact',
+ *   severity: 'critical',
+ *   category: 'pii',
+ *   replacement: '[SSN REDACTED]',
+ * };
+ * ```
+ */
+export interface OutputValidationPattern {
+    /** Unique identifier for the pattern */
+    name: string;
+    /** Regex pattern or string to match */
+    pattern: RegExp | string;
+    /** Action to take when pattern matches */
+    action: OutputValidationAction;
+    /** Severity level of the match */
+    severity?: OutputValidationSeverity;
+    /** Category for grouping (pii, credential, injection, etc.) */
+    category?: string;
+    /** Human-readable description */
+    description?: string;
+    /** Replacement text for redaction (default: '[REDACTED]') */
+    replacement?: string;
+    /** Whether this pattern is enabled (default: true) */
+    enabled?: boolean;
+}
+/**
+ * PII detection configuration.
+ *
+ * Each PII type can be set to an action or disabled.
+ */
+export interface PIIDetectionConfig {
+    /** Social Security Numbers (US format: XXX-XX-XXXX) */
+    ssn?: OutputValidationAction | false;
+    /** Credit card numbers (with Luhn validation) */
+    creditCard?: OutputValidationAction | false;
+    /** Phone numbers (various formats) */
+    phone?: OutputValidationAction | false;
+    /** Email addresses */
+    email?: OutputValidationAction | false;
+    /** IPv4 addresses */
+    ipAddress?: OutputValidationAction | false;
+    /** Bank account numbers (contextual) */
+    bankAccount?: OutputValidationAction | false;
+    /** Date of birth patterns */
+    dateOfBirth?: OutputValidationAction | false;
+    /** Driver's license numbers */
+    driversLicense?: OutputValidationAction | false;
+    /** Passport numbers */
+    passport?: OutputValidationAction | false;
+    /** Street addresses (limited accuracy) */
+    address?: OutputValidationAction | false;
+}
+/**
+ * Full configuration for output validation.
+ *
+ * @example
+ * ```typescript
+ * const config: OutputValidationConfig = {
+ *   enabled: true,
+ *   patterns: [
+ *     { name: 'custom_key', pattern: /MY_SECRET_\w+/, action: 'redact' }
+ *   ],
+ *   pii: {
+ *     ssn: 'redact',
+ *     creditCard: 'redact',
+ *     email: 'warn',
+ *   },
+ *   credentials: true,
+ *   injection: true,
+ * };
+ * ```
+ */
+export interface OutputValidationConfig {
+    /** Enable/disable output validation (default: true) */
+    enabled: boolean;
+    /** Custom patterns to match */
+    patterns?: OutputValidationPattern[];
+    /** PII detection settings */
+    pii?: PIIDetectionConfig;
+    /** Enable built-in credential detection (default: true) */
+    credentials?: boolean;
+    /** Enable built-in injection detection (default: true) */
+    injection?: boolean;
+    /** Maximum content length to scan (default: 1MB) */
+    maxContentLength?: number;
+    /** Default action for matches without specified action */
+    defaultAction?: OutputValidationAction;
+}
+/**
+ * A single match found during output validation.
+ */
+export interface OutputValidationMatch {
+    /** Pattern name that matched */
+    pattern: string;
+    /** Category of the pattern (pii, credential, injection, custom) */
+    category: string;
+    /** Action taken for this match */
+    action: OutputValidationAction;
+    /** The matched content */
+    matchedContent: string;
+    /** Replacement used for redaction (if applicable) */
+    replacement?: string;
+    /** Position in the original content */
+    position: {
+        start: number;
+        end: number;
+    };
+    /** Severity of the match */
+    severity: OutputValidationSeverity;
+}
+/**
+ * Result of output validation.
+ */
+export interface OutputValidationResult {
+    /** Whether the response is allowed through */
+    allowed: boolean;
+    /** Whether the content was modified (redacted) */
+    modified: boolean;
+    /** Original content before any transformations */
+    originalContent: string;
+    /** Transformed content (if modified) */
+    transformedContent?: string;
+    /** All matches found */
+    matches: OutputValidationMatch[];
+    /** Summary of actions taken */
+    summary: {
+        blocked: number;
+        redacted: number;
+        warned: number;
+        logged: number;
+    };
+    /** Processing time in milliseconds */
+    processingTimeMs: number;
+}
+/**
+ * Default output validation configuration.
+ */
+export declare const DEFAULT_OUTPUT_VALIDATION_CONFIG: OutputValidationConfig;
+/**
+ * Built-in pattern categories.
+ */
+export declare const OUTPUT_VALIDATION_CATEGORIES: {
+    readonly PII: "pii";
+    readonly CREDENTIAL: "credential";
+    readonly INJECTION: "injection";
+    readonly EXFILTRATION: "exfiltration";
+    readonly CUSTOM: "custom";
+};
+export type OutputValidationCategory = typeof OUTPUT_VALIDATION_CATEGORIES[keyof typeof OUTPUT_VALIDATION_CATEGORIES];
+//# sourceMappingURL=output-validation-types.d.ts.map

package/dist/analyzers/output-validation-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-validation-types.d.ts","sourceRoot":"","sources":["../../src/analyzers/output-validation-types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH;;;;;;;GAOG;AACH,MAAM,MAAM,sBAAsB,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,CAAC;AAEzE;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAM9E;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,uBAAuB;IACpC,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IAEb,uCAAuC;IACvC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IAEzB,0CAA0C;IAC1C,MAAM,EAAE,sBAAsB,CAAC;IAE/B,kCAAkC;IAClC,QAAQ,CAAC,EAAE,wBAAwB,CAAC;IAEpC,+DAA+D;IAC/D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,sDAAsD;IACtD,OAAO,CAAC,EAAE,OAAO,CAAC;CACrB;AAMD;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B,uDAAuD;IACvD,GAAG,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAErC,iDAAiD;IACjD,UAAU,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAE5C,sCAAsC;IACtC,KAAK,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAEvC,sBAAsB;IACtB,KAAK,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAEvC,qBAAqB;IACrB,SAAS,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAE3C,wCAAwC;IACxC,WAAW,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAE7C,6BAA6B;IAC7B,WAAW,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAE7C,+BAA+B;IAC/B,cAAc,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAEhD,uBAAuB;IACvB,QAAQ,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;IAE1C,0CAA0C;IAC1C,OAAO,CAAC,EAAE,sBAAsB,GAAG,KAAK,CAAC;CAC5C;AAMD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,sBAAsB;IACnC,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IAEjB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAErC,6BAA6B;IAC7B,GAAG,CAAC,EAAE,kBAAkB,CAAC;IAEzB,2DAA2D;IAC3D,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB,0DAA0D;IAC1D,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB,oDAAoD;IACpD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,0DAA0D;IAC1D,aAAa,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAMD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IAClC,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAEhB,mEAAmE;IACnE,QAAQ,EAAE,MAAM,CAAC;IAEjB,kCAAkC;IAClC,MAAM,EAAE,sBAAsB,CAAC;IAE/B,0BAA0B;IAC1B,cAAc,EAAE,MAAM,CAAC;IAEvB,qDAAqD;IACrD,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,uCAAuC;IACvC,QAAQ,EAAE;QACN,KAAK,EAAE,MAAM,CAAC;QACd,GAAG,EAAE,MAAM,CAAC;KACf,CAAC;IAEF,4BAA4B;IAC5B,QAAQ,EAAE,wBAAwB,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACnC,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IAEjB,kDAAkD;IAClD,QAAQ,EAAE,OAAO,CAAC;IAElB,kDAAkD;IAClD,eAAe,EAAE,MAAM,CAAC;IAExB,wCAAwC;IACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB;IACxB,OAAO,EAAE,qBAAqB,EAAE,CAAC;IAEjC,+BAA+B;IAC/B,OAAO,EAAE;QACL,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;KAClB,CAAC;IAEF,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;CAC5B;AAMD;;GAEG;AACH,eAAO,MAAM,gCAAgC,EAAE,sBAc9C,CAAC;AAMF;;GAEG;AACH,eAAO,MAAM,4BAA4B;;;;;;CAM/B,CAAC;AAEX,MAAM,MAAM,wBAAwB,GAAG,OAAO,4BAA4B,CAAC,MAAM,OAAO,4BAA4B,CAAC,CAAC"}

package/dist/analyzers/output-validation-types.js

@@ -0,0 +1,43 @@
+/**
+ * Output Validation Types
+ *
+ * Type definitions for the enhanced output validation system that scans
+ * tool responses for sensitive data, PII, credentials, and injection attempts.
+ *
+ * @module analyzers/output-validation-types
+ */
+// ============================================================================
+// Default Configuration
+// ============================================================================
+/**
+ * Default output validation configuration.
+ */
+export const DEFAULT_OUTPUT_VALIDATION_CONFIG = {
+    enabled: true,
+    patterns: [],
+    pii: {
+        ssn: 'redact',
+        creditCard: 'redact',
+        phone: 'warn',
+        email: 'log',
+        ipAddress: 'log',
+    },
+    credentials: true,
+    injection: true,
+    maxContentLength: 1024 * 1024, // 1MB
+    defaultAction: 'redact',
+};
+// ============================================================================
+// Built-in Categories
+// ============================================================================
+/**
+ * Built-in pattern categories.
+ */
+export const OUTPUT_VALIDATION_CATEGORIES = {
+    PII: 'pii',
+    CREDENTIAL: 'credential',
+    INJECTION: 'injection',
+    EXFILTRATION: 'exfiltration',
+    CUSTOM: 'custom',
+};
+//# sourceMappingURL=output-validation-types.js.map

package/dist/analyzers/output-validation-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-validation-types.js","sourceRoot":"","sources":["../../src/analyzers/output-validation-types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA0NH,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2B;IACpE,OAAO,EAAE,IAAI;IACb,QAAQ,EAAE,EAAE;IACZ,GAAG,EAAE;QACD,GAAG,EAAE,QAAQ;QACb,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,KAAK;QACZ,SAAS,EAAE,KAAK;KACnB;IACD,WAAW,EAAE,IAAI;IACjB,SAAS,EAAE,IAAI;IACf,gBAAgB,EAAE,IAAI,GAAG,IAAI,EAAE,MAAM;IACrC,aAAa,EAAE,QAAQ;CAC1B,CAAC;AAEF,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG;IACxC,GAAG,EAAE,KAAK;IACV,UAAU,EAAE,YAAY;IACxB,SAAS,EAAE,WAAW;IACtB,YAAY,EAAE,cAAc;IAC5B,MAAM,EAAE,QAAQ;CACV,CAAC"}

package/dist/analyzers/pii-detector.d.ts

@@ -0,0 +1,61 @@
+/**
+ * PII Detector
+ *
+ * Detects Personally Identifiable Information (PII) in text content:
+ * - Social Security Numbers (SSN)
+ * - Credit Card Numbers (with Luhn validation)
+ * - Phone Numbers (US and international formats)
+ * - Email Addresses
+ * - IP Addresses
+ * - And more...
+ *
+ * @module analyzers/pii-detector
+ */
+import type { PIIDetectionConfig, OutputValidationMatch, OutputValidationSeverity } from './output-validation-types.js';
+interface PIIPattern {
+    name: string;
+    pattern: RegExp;
+    severity: OutputValidationSeverity;
+    replacement: string;
+    validator?: (match: string) => boolean;
+}
+/**
+ * Built-in PII patterns with validation functions.
+ */
+declare const PII_PATTERNS: Record<string, PIIPattern>;
+/**
+ * Luhn algorithm for credit card validation.
+ */
+declare function luhnValidate(cardNumber: string): boolean;
+/**
+ * Detects PII in text content based on configuration.
+ */
+export declare class PIIDetector {
+    private config;
+    constructor(config?: PIIDetectionConfig);
+    /**
+     * Update the configuration.
+     */
+    configure(config: PIIDetectionConfig): void;
+    /**
+     * Detect all PII matches in content.
+     */
+    detect(content: string): OutputValidationMatch[];
+    /**
+     * Remove overlapping matches, keeping the more specific/lengthy one.
+     */
+    private deduplicateMatches;
+    /**
+     * Apply redactions to content.
+     */
+    applyRedactions(content: string, matches: OutputValidationMatch[]): string;
+}
+/**
+ * Export Luhn validator for testing.
+ */
+export { luhnValidate };
+/**
+ * Export PII patterns for testing.
+ */
+export { PII_PATTERNS };
+//# sourceMappingURL=pii-detector.d.ts.map

package/dist/analyzers/pii-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector.d.ts","sourceRoot":"","sources":["../../src/analyzers/pii-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACR,kBAAkB,EAClB,qBAAqB,EAErB,wBAAwB,EAC3B,MAAM,8BAA8B,CAAC;AAOtC,UAAU,UAAU;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,wBAAwB,CAAC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CAC1C;AAED;;GAEG;AACH,QAAA,MAAM,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAoI5C,CAAC;AAMF;;GAEG;AACH,iBAAS,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAwBjD;AAMD;;GAEG;AACH,qBAAa,WAAW;IACpB,OAAO,CAAC,MAAM,CAAqB;gBAEvB,MAAM,GAAE,kBAAuB;IAI3C;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI;IAI3C;;OAEG;IACH,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,qBAAqB,EAAE;IA0DhD;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA0B1B;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,qBAAqB,EAAE,GAAG,MAAM;CAoB7E;AAED;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,CAAC;AAExB;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/analyzers/pii-detector.js

@@ -0,0 +1,289 @@
+/**
+ * PII Detector
+ *
+ * Detects Personally Identifiable Information (PII) in text content:
+ * - Social Security Numbers (SSN)
+ * - Credit Card Numbers (with Luhn validation)
+ * - Phone Numbers (US and international formats)
+ * - Email Addresses
+ * - IP Addresses
+ * - And more...
+ *
+ * @module analyzers/pii-detector
+ */
+import { OUTPUT_VALIDATION_CATEGORIES } from './output-validation-types.js';
+/**
+ * Built-in PII patterns with validation functions.
+ */
+const PII_PATTERNS = {
+    ssn: {
+        name: 'Social Security Number',
+        // Matches XXX-XX-XXXX format (most common)
+        pattern: /\b\d{3}-\d{2}-\d{4}\b/g,
+        severity: 'critical',
+        replacement: '[SSN REDACTED]',
+        validator: (match) => {
+            // Basic SSN validation: not all zeros in any group
+            const parts = match.split('-');
+            if (parts[0] === '000' || parts[1] === '00' || parts[2] === '0000') {
+                return false;
+            }
+            // Area numbers 900-999 and 666 are invalid
+            const area = parseInt(parts[0], 10);
+            if (area >= 900 || area === 666) {
+                return false;
+            }
+            return true;
+        },
+    },
+    ssnCompact: {
+        name: 'Social Security Number (no dashes)',
+        // 9 consecutive digits (less reliable, requires context)
+        pattern: /\bSSN[:\s]*(\d{9})\b/gi,
+        severity: 'critical',
+        replacement: '[SSN REDACTED]',
+    },
+    creditCard: {
+        name: 'Credit Card Number',
+        // Major card types: Visa, MasterCard, Amex, Discover, etc.
+        pattern: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11})\b/g,
+        severity: 'critical',
+        replacement: '[CARD REDACTED]',
+        validator: luhnValidate,
+    },
+    creditCardSpaced: {
+        name: 'Credit Card Number (spaced)',
+        // Cards with spaces or dashes between groups
+        pattern: /\b(?:4[0-9]{3}[-\s]?[0-9]{4}[-\s]?[0-9]{4}[-\s]?[0-9]{4}|5[1-5][0-9]{2}[-\s]?[0-9]{4}[-\s]?[0-9]{4}[-\s]?[0-9]{4}|3[47][0-9]{2}[-\s]?[0-9]{6}[-\s]?[0-9]{5})\b/g,
+        severity: 'critical',
+        replacement: '[CARD REDACTED]',
+        validator: (match) => luhnValidate(match.replace(/[-\s]/g, '')),
+    },
+    phone: {
+        name: 'Phone Number',
+        // US phone formats: (XXX) XXX-XXXX, XXX-XXX-XXXX, XXX.XXX.XXXX, +1XXXXXXXXXX
+        pattern: /\b(?:\+?1[-.\s]?)?\(?[2-9]\d{2}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g,
+        severity: 'medium',
+        replacement: '[PHONE REDACTED]',
+    },
+    email: {
+        name: 'Email Address',
+        pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+        severity: 'low',
+        replacement: '[EMAIL REDACTED]',
+    },
+    ipAddress: {
+        name: 'IP Address (IPv4)',
+        pattern: /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g,
+        severity: 'low',
+        replacement: '[IP REDACTED]',
+        validator: (match) => {
+            // Filter out version numbers like 1.2.3.4 in code
+            const octets = match.split('.').map(n => parseInt(n, 10));
+            // Private and loopback ranges are less sensitive
+            if (octets[0] === 127 || octets[0] === 10) {
+                return false; // Don't flag localhost/private
+            }
+            if (octets[0] === 192 && octets[1] === 168) {
+                return false; // Private range
+            }
+            return true;
+        },
+    },
+    dateOfBirth: {
+        name: 'Date of Birth',
+        // MM/DD/YYYY or MM-DD-YYYY format with DOB context
+        pattern: /\b(?:DOB|D\.O\.B\.?|Date of Birth|Born)[:\s]*(\d{1,2}[-/]\d{1,2}[-/]\d{2,4})\b/gi,
+        severity: 'high',
+        replacement: '[DOB REDACTED]',
+    },
+    passport: {
+        name: 'Passport Number',
+        // US passport: starts with letter, 8-9 digits
+        pattern: /\b(?:passport|passport\s*#?|passport\s*no\.?)[:\s]*([A-Z]?\d{8,9})\b/gi,
+        severity: 'critical',
+        replacement: '[PASSPORT REDACTED]',
+    },
+    driversLicense: {
+        name: 'Drivers License',
+        // Format varies by state, catch with context
+        pattern: /\b(?:DL|driver'?s?\s*license|license\s*#?)[:\s]*([A-Z0-9]{6,15})\b/gi,
+        severity: 'high',
+        replacement: '[DL REDACTED]',
+    },
+    bankAccount: {
+        name: 'Bank Account Number',
+        // Account numbers with context
+        pattern: /\b(?:account|acct|account\s*#?|bank\s*account)[:\s]*(\d{8,17})\b/gi,
+        severity: 'critical',
+        replacement: '[ACCOUNT REDACTED]',
+    },
+    routingNumber: {
+        name: 'Bank Routing Number',
+        pattern: /\b(?:routing|ABA|routing\s*#?)[:\s]*(\d{9})\b/gi,
+        severity: 'high',
+        replacement: '[ROUTING REDACTED]',
+        validator: (match) => {
+            // ABA routing number checksum validation
+            const digits = match.replace(/\D/g, '');
+            if (digits.length !== 9)
+                return false;
+            const nums = digits.split('').map(n => parseInt(n, 10));
+            const checksum = (3 * (nums[0] + nums[3] + nums[6]) +
+                7 * (nums[1] + nums[4] + nums[7]) +
+                1 * (nums[2] + nums[5] + nums[8])) % 10;
+            return checksum === 0;
+        },
+    },
+};
+// ============================================================================
+// Validation Functions
+// ============================================================================
+/**
+ * Luhn algorithm for credit card validation.
+ */
+function luhnValidate(cardNumber) {
+    const digits = cardNumber.replace(/\D/g, '');
+    if (digits.length < 13 || digits.length > 19 || /^0+$/.test(digits)) {
+        return false;
+    }
+    let sum = 0;
+    let isEven = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let digit = parseInt(digits[i], 10);
+        if (isEven) {
+            digit *= 2;
+            if (digit > 9) {
+                digit -= 9;
+            }
+        }
+        sum += digit;
+        isEven = !isEven;
+    }
+    return sum % 10 === 0;
+}
+// ============================================================================
+// PII Detector Class
+// ============================================================================
+/**
+ * Detects PII in text content based on configuration.
+ */
+export class PIIDetector {
+    config;
+    constructor(config = {}) {
+        this.config = config;
+    }
+    /**
+     * Update the configuration.
+     */
+    configure(config) {
+        this.config = { ...this.config, ...config };
+    }
+    /**
+     * Detect all PII matches in content.
+     */
+    detect(content) {
+        const matches = [];
+        // Map config keys to pattern keys
+        const configToPattern = {
+            ssn: ['ssn', 'ssnCompact'],
+            creditCard: ['creditCard', 'creditCardSpaced'],
+            phone: ['phone'],
+            email: ['email'],
+            ipAddress: ['ipAddress'],
+            dateOfBirth: ['dateOfBirth'],
+            passport: ['passport'],
+            driversLicense: ['driversLicense'],
+            bankAccount: ['bankAccount', 'routingNumber'],
+        };
+        for (const [configKey, patternKeys] of Object.entries(configToPattern)) {
+            const action = this.config[configKey];
+            if (action === false || action === undefined) {
+                continue;
+            }
+            for (const patternKey of patternKeys) {
+                const piiPattern = PII_PATTERNS[patternKey];
+                if (!piiPattern)
+                    continue;
+                // Reset regex lastIndex
+                piiPattern.pattern.lastIndex = 0;
+                let match;
+                while ((match = piiPattern.pattern.exec(content)) !== null) {
+                    const matchedText = match[0];
+                    // Run validator if present
+                    if (piiPattern.validator && !piiPattern.validator(matchedText)) {
+                        continue;
+                    }
+                    matches.push({
+                        pattern: piiPattern.name,
+                        category: OUTPUT_VALIDATION_CATEGORIES.PII,
+                        action: action,
+                        matchedContent: matchedText,
+                        replacement: piiPattern.replacement,
+                        position: {
+                            start: match.index,
+                            end: match.index + matchedText.length,
+                        },
+                        severity: piiPattern.severity,
+                    });
+                }
+            }
+        }
+        // Sort by position and deduplicate overlapping matches
+        return this.deduplicateMatches(matches);
+    }
+    /**
+     * Remove overlapping matches, keeping the more specific/lengthy one.
+     */
+    deduplicateMatches(matches) {
+        if (matches.length <= 1) {
+            return matches;
+        }
+        // Sort by position
+        matches.sort((a, b) => a.position.start - b.position.start);
+        const result = [];
+        let lastEnd = -1;
+        for (const match of matches) {
+            if (match.position.start >= lastEnd) {
+                result.push(match);
+                lastEnd = match.position.end;
+            }
+            else if (match.position.end > lastEnd) {
+                // Overlapping match that extends further - replace last one
+                // (e.g. creditCardSpaced vs creditCard)
+                result[result.length - 1] = match;
+                lastEnd = match.position.end;
+            }
+        }
+        return result;
+    }
+    /**
+     * Apply redactions to content.
+     */
+    applyRedactions(content, matches) {
+        if (matches.length === 0) {
+            return content;
+        }
+        // Filter to only redact actions, sort in reverse order for safe replacement
+        const redactMatches = matches
+            .filter(m => m.action === 'redact')
+            .sort((a, b) => b.position.start - a.position.start);
+        let result = content;
+        for (const match of redactMatches) {
+            result =
+                result.slice(0, match.position.start) +
+                    (match.replacement || '[REDACTED]') +
+                    result.slice(match.position.end);
+        }
+        return result;
+    }
+}
+/**
+ * Export Luhn validator for testing.
+ */
+export { luhnValidate };
+/**
+ * Export PII patterns for testing.
+ */
+export { PII_PATTERNS };
+//# sourceMappingURL=pii-detector.js.map

package/dist/analyzers/pii-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-detector.js","sourceRoot":"","sources":["../../src/analyzers/pii-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH,OAAO,EAAE,4BAA4B,EAAE,MAAM,8BAA8B,CAAC;AAc5E;;GAEG;AACH,MAAM,YAAY,GAA+B;IAC7C,GAAG,EAAE;QACD,IAAI,EAAE,wBAAwB;QAC9B,2CAA2C;QAC3C,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YACzB,mDAAmD;YACnD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;gBACjE,OAAO,KAAK,CAAC;YACjB,CAAC;YACD,2CAA2C;YAC3C,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,IAAI,IAAI,IAAI,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBAC9B,OAAO,KAAK,CAAC;YACjB,CAAC;YACD,OAAO,IAAI,CAAC;QAChB,CAAC;KACJ;IAED,UAAU,EAAE;QACR,IAAI,EAAE,oCAAoC;QAC1C,yDAAyD;QACzD,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAChC;IAED,UAAU,EAAE;QACR,IAAI,EAAE,oBAAoB;QAC1B,2DAA2D;QAC3D,OAAO,EAAE,4HAA4H;QACrI,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;QAC9B,SAAS,EAAE,YAAY;KAC1B;IAED,gBAAgB,EAAE;QACd,IAAI,EAAE,6BAA6B;QACnC,6CAA6C;QAC7C,OAAO,EAAE,iKAAiK;QAC1K,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;QAC9B,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;KAC1E;IAED,KAAK,EAAE;QACH,IAAI,EAAE,cAAc;QACpB,6EAA6E;QAC7E,OAAO,EAAE,+DAA+D;QACxE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kBAAkB;KAClC;IAED,KAAK,EAAE;QACH,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,kBAAkB;KAClC;IAED,SAAS,EAAE;QACP,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gGAAgG;QACzG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,eAAe;QAC5B,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YACzB,kDAAkD;YAClD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAC1D,iDAAiD;YACjD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;gBACxC,OAAO,KAAK,CAAC,CAAC,+BAA+B;YACjD,CAAC;YACD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACzC,OAAO,KAAK,CAAC,CAAC,gBAAgB;YAClC,CAAC;YACD,OAAO,IAAI,CAAC;QAChB,CAAC;KACJ;IAED,WAAW,EAAE;QACT,IAAI,EAAE,eAAe;QACrB,mDAAmD;QACnD,OAAO,EAAE,kFAAkF;QAC3F,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gBAAgB;KAChC;IAED,QAAQ,EAAE;QACN,IAAI,EAAE,iBAAiB;QACvB,8CAA8C;QAC9C,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qBAAqB;KACrC;IAED,cAAc,EAAE;QACZ,IAAI,EAAE,iBAAiB;QACvB,6CAA6C;QAC7C,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,eAAe;KAC/B;IAED,WAAW,EAAE;QACT,IAAI,EAAE,qBAAqB;QAC3B,+BAA+B;QAC/B,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oBAAoB;KACpC;IAED,aAAa,EAAE;QACX,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,iDAAiD;QAC1D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oBAAoB;QACjC,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YACzB,yCAAyC;YACzC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACtC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,CACb,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACjC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACjC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CACpC,GAAG,EAAE,CAAC;YACP,OAAO,QAAQ,KAAK,CAAC,CAAC;QAC1B,CAAC;KACJ;CACJ,CAAC;AAEF,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,YAAY,CAAC,UAAkB;IACpC,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7C,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAClE,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,MAAM,GAAG,KAAK,CAAC;IAEnB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,IAAI,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEpC,IAAI,MAAM,EAAE,CAAC;YACT,KAAK,IAAI,CAAC,CAAC;YACX,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;gBACZ,KAAK,IAAI,CAAC,CAAC;YACf,CAAC;QACL,CAAC;QAED,GAAG,IAAI,KAAK,CAAC;QACb,MAAM,GAAG,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,OAAO,WAAW;IACZ,MAAM,CAAqB;IAEnC,YAAY,SAA6B,EAAE;QACvC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAA0B;QAChC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAe;QAClB,MAAM,OAAO,GAA4B,EAAE,CAAC;QAE5C,kCAAkC;QAClC,MAAM,eAAe,GAA6B;YAC9C,GAAG,EAAE,CAAC,KAAK,EAAE,YAAY,CAAC;YAC1B,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;YAC9C,KAAK,EAAE,CAAC,OAAO,CAAC;YAChB,KAAK,EAAE,CAAC,OAAO,CAAC;YAChB,SAAS,EAAE,CAAC,WAAW,CAAC;YACxB,WAAW,EAAE,CAAC,aAAa,CAAC;YAC5B,QAAQ,EAAE,CAAC,UAAU,CAAC;YACtB,cAAc,EAAE,CAAC,gBAAgB,CAAC;YAClC,WAAW,EAAE,CAAC,aAAa,EAAE,eAAe,CAAC;SAChD,CAAC;QAEF,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YACrE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,SAAqC,CAAC,CAAC;YAClE,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC3C,SAAS;YACb,CAAC;YAED,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;gBACnC,MAAM,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;gBAC5C,IAAI,CAAC,UAAU;oBAAE,SAAS;gBAE1B,wBAAwB;gBACxB,UAAU,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACjC,IAAI,KAA6B,CAAC;gBAElC,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBAE7B,2BAA2B;oBAC3B,IAAI,UAAU,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC7D,SAAS;oBACb,CAAC;oBAED,OAAO,CAAC,IAAI,CAAC;wBACT,OAAO,EAAE,UAAU,CAAC,IAAI;wBACxB,QAAQ,EAAE,4BAA4B,CAAC,GAAG;wBAC1C,MAAM,EAAE,MAAgC;wBACxC,cAAc,EAAE,WAAW;wBAC3B,WAAW,EAAE,UAAU,CAAC,WAAW;wBACnC,QAAQ,EAAE;4BACN,KAAK,EAAE,KAAK,CAAC,KAAK;4BAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,WAAW,CAAC,MAAM;yBACxC;wBACD,QAAQ,EAAE,UAAU,CAAC,QAAQ;qBAChC,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;QACL,CAAC;QAED,uDAAuD;QACvD,OAAO,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,OAAgC;QACvD,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,OAAO,CAAC;QACnB,CAAC;QAED,mBAAmB;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE5D,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC;QAEjB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,OAAO,EAAE,CAAC;gBAClC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBACnB,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;YACjC,CAAC;iBAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,GAAG,OAAO,EAAE,CAAC;gBACtC,4DAA4D;gBAC5D,wCAAwC;gBACxC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC;gBAClC,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;YACjC,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,OAAe,EAAE,OAAgC;QAC7D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,OAAO,CAAC;QACnB,CAAC;QAED,4EAA4E;QAC5E,MAAM,aAAa,GAAG,OAAO;aACxB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC;aAClC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEzD,IAAI,MAAM,GAAG,OAAO,CAAC;QACrB,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM;gBACF,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACrC,CAAC,KAAK,CAAC,WAAW,IAAI,YAAY,CAAC;oBACnC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;CACJ;AAED;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,CAAC;AAExB;;GAEG;AACH,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/audit/logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/audit/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,SAAS,EACf,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAe,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAMpE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2CAA2C;IAC3C,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,4BAA4B;IAC5B,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,WAAW;IAKtB,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,sBAAsB,CAAqB;IACnD,OAAO,CAAC,2BAA2B,CAAqB;IACxD,OAAO,CAAC,QAAQ,CAAqB;IACrC,OAAO,CAAC,eAAe,CAAU;IACjC,OAAO,CAAC,YAAY,CAAU;gBAMlB,aAAa,CAAC,EAAE,MAAM,GAAG,kBAAkB;IAyDvD;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA2CxB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsCxB;;;;;;;;OAQG;IACH,UAAU,CACR,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,cAAc,EACxB,cAAc,CAAC,EAAE,MAAM,EACvB,QAAQ,CAAC,EAAE;QACT,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GACA,MAAM;IAgDT;;;;;;;;OAQG;IACH,SAAS,CACP,EAAE,EAAE,MAAM,EACV,YAAY,EAAE,cAAc,GAAG,IAAI,EACnC,MAAM,EAAE,SAAS,GAAG,OAAO,EAC3B,YAAY,CAAC,EAAE,MAAM,EACrB,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI;IAcP;;;;OAIG;IACH,eAAe,CAAC,KAAK,EAAE,YAAY,GAAG,IAAI;IAa1C;;;;OAIG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAI3C;;;;;OAKG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAa5D;;OAEG;IACH,cAAc,CACZ,cAAc,GAAE,MAAM,GAAG;QACvB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,IAAI,CAAC;QACb,KAAK,CAAC,EAAE,IAAI,CAAC;QACb,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,eAAe,CAAC,EAAE,OAAO,CAAC;KACtB,GACL,WAAW,EAAE;IAyFhB;;;;;OAKG;IACH,sBAAsB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,kBAAkB,EAAE;IAyC7D;;OAEG;IACH,QAAQ,IAAI;QACV,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,iBAAiB,EAAE,MAAM,CAAC;KAC3B;IA4BD;;OAEG;IACH,eAAe,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;KACpB;IAgCD,sCAAsC;IACtC,KAAK,IAAI,IAAI;CAGd"}
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/audit/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAOH,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,SAAS,EACf,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAe,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAMpE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2CAA2C;IAC3C,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,4BAA4B;IAC5B,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,WAAW;IAKtB,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,sBAAsB,CAAqB;IACnD,OAAO,CAAC,2BAA2B,CAAqB;IACxD,OAAO,CAAC,QAAQ,CAAqB;IACrC,OAAO,CAAC,eAAe,CAAU;IACjC,OAAO,CAAC,YAAY,CAAU;gBAMlB,aAAa,CAAC,EAAE,MAAM,GAAG,kBAAkB;IAyDvD;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA2CxB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsCxB;;;;;;;;OAQG;IACH,UAAU,CACR,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,cAAc,EACxB,cAAc,CAAC,EAAE,MAAM,EACvB,QAAQ,CAAC,EAAE;QACT,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GACA,MAAM;IAiDT;;;;;;;;OAQG;IACH,SAAS,CACP,EAAE,EAAE,MAAM,EACV,YAAY,EAAE,cAAc,GAAG,IAAI,EACnC,MAAM,EAAE,SAAS,GAAG,OAAO,EAC3B,YAAY,CAAC,EAAE,MAAM,EACrB,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI;IAcP;;;;OAIG;IACH,eAAe,CAAC,KAAK,EAAE,YAAY,GAAG,IAAI;IAa1C;;;;OAIG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAI3C;;;;;OAKG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAa5D;;OAEG;IACH,cAAc,CACZ,cAAc,GAAE,MAAM,GAAG;QACvB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,IAAI,CAAC;QACb,KAAK,CAAC,EAAE,IAAI,CAAC;QACb,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,eAAe,CAAC,EAAE,OAAO,CAAC;KACtB,GACL,WAAW,EAAE;IAyFhB;;;;;OAKG;IACH,sBAAsB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,kBAAkB,EAAE;IAyC7D;;OAEG;IACH,QAAQ,IAAI;QACV,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,iBAAiB,EAAE,MAAM,CAAC;KAC3B;IA4BD;;OAEG;IACH,eAAe,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;KACpB;IAgCD,sCAAsC;IACtC,KAAK,IAAI,IAAI;CAGd"}

package/dist/audit/logger.js

@@ -74,10 +74,10 @@ export class AuditLogger {
         // Prepared statements for tool calls (updated for new schema)
         this.insertToolCallStmt = this.db.prepare(`
       INSERT INTO tool_calls (
-        id, server, tool, args, args_redacted, policy_decision, policy_rule,
+        id, timestamp, server, tool, args, args_redacted, policy_decision, policy_rule,
         policy_reason, analyzer, risk_level, session_grant_id, correlation_id, client_id
       )
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
     `);
         this.updateToolCallStmt = this.db.prepare(`
       UPDATE tool_calls
@@ -208,7 +208,7 @@ export class AuditLogger {
         // Extract analysis metadata if available
         const analyzer = decision.analysis?.analyzer ?? null;
         const riskLevel = decision.analysis?.risk ?? null;
-        this.insertToolCallStmt.run(id, context.server, context.tool, argsToStore, argsRedacted, decision.action, decision.matchedRule ?? null, decision.reason ?? null, analyzer, riskLevel, sessionGrantId ?? null, metadata?.correlationId ?? null, metadata?.clientId ?? null);
+        this.insertToolCallStmt.run(id, context.timestamp.toISOString(), context.server, context.tool, argsToStore, argsRedacted, decision.action, decision.matchedRule ?? null, decision.reason ?? null, analyzer, riskLevel, sessionGrantId ?? null, metadata?.correlationId ?? null, metadata?.clientId ?? null);
         return id;
     }
     /**