@jterrats/open-orchestra 1.0.15 → 1.0.17

package/dist/security/operation-contract-types.d.ts

@@ -0,0 +1,28 @@
+import type { PolicyAction, PolicyDecision, PolicyResource, PolicySink, PolicySubject, SegmentKind } from "./policy-types.js";
+export type OperationKind = "evidence" | "provider" | "pythonWorker" | "runtime" | "tool";
+export interface OperationPayloadInput {
+    text?: string;
+    kind?: SegmentKind;
+    provenance?: string;
+}
+export interface PythonWorkerContractInput {
+    contract?: "json";
+    timeoutMs?: number;
+    maxInputBytes?: number;
+    authorizes?: boolean;
+    network?: boolean;
+    filesystem?: boolean;
+}
+export interface OperationPacketInput {
+    packetId?: string;
+    kind?: OperationKind;
+    subject?: Partial<PolicySubject>;
+    action?: PolicyAction;
+    resource?: Partial<PolicyResource>;
+    sink?: PolicySink;
+    payload?: OperationPayloadInput;
+    pythonWorker?: PythonWorkerContractInput;
+}
+export interface OperationValidationDecision extends PolicyDecision {
+    encodedPayload?: string;
+}

package/dist/security/operation-contract-types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=operation-contract-types.js.map

package/dist/security/operation-contract-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"operation-contract-types.js","sourceRoot":"","sources":["../../src/security/operation-contract-types.ts"],"names":[],"mappings":""}

package/dist/security/operation-contract.d.ts

@@ -0,0 +1,2 @@
+import type { OperationPacketInput, OperationValidationDecision } from "./operation-contract-types.js";
+export declare function validateOperationPacket(input: OperationPacketInput): OperationValidationDecision;

package/dist/security/operation-contract.js

@@ -0,0 +1,169 @@
+import { encodeForSink } from "./sink-encoding.js";
+import { evaluateSecurityPolicy } from "./policy-engine.js";
+import { intakePromptSegment } from "./prompt-intake.js";
+import { redactPromptSegments } from "./redaction.js";
+const specs = {
+    evidence: {
+        action: "evidence.write",
+        resourceType: "evidence",
+        sink: "evidence",
+        segmentKind: "evidence",
+    },
+    provider: {
+        action: "provider.message",
+        resourceType: "prompt",
+        sink: "provider",
+        segmentKind: "data",
+    },
+    pythonWorker: {
+        action: "pythonWorker.process",
+        resourceType: "pythonWorker",
+        sink: "json",
+        segmentKind: "data",
+    },
+    runtime: {
+        action: "command.execute",
+        resourceType: "command",
+        sink: "log",
+        segmentKind: "instruction",
+    },
+    tool: {
+        action: "command.execute",
+        resourceType: "command",
+        sink: "log",
+        segmentKind: "toolInput",
+    },
+};
+export function validateOperationPacket(input) {
+    const contractRules = validateContractShape(input);
+    if (contractRules.length > 0)
+        return contractDeny(input.packetId, contractRules);
+    const kind = input.kind;
+    const spec = specs[kind];
+    const packetId = input.packetId;
+    const subject = input.subject;
+    const action = input.action;
+    const resource = input.resource;
+    const sink = input.sink;
+    const semanticRules = [
+        exactRule("operation.contract.action", action, spec.action, "action"),
+        exactRule("operation.contract.resource", resource.resourceType, spec.resourceType, "resource type"),
+        exactRule("operation.contract.sink", sink, spec.sink, "sink"),
+        ...validatePythonWorkerContract(input),
+    ].filter((rule) => rule !== null);
+    if (semanticRules.length > 0)
+        return contractDeny(input.packetId, semanticRules);
+    const segment = normalizedSegment(input, spec, packetId, sink);
+    const redactionReport = redactPromptSegments([segment]);
+    const policySegment = redactedPolicySegment(input, spec, redactionReport, packetId, sink);
+    const policyDecision = evaluateSecurityPolicy({
+        requestId: packetId,
+        subject,
+        action,
+        resource,
+        sink,
+        dataClassification: policySegment.classification.classification,
+        segments: [policySegment],
+        redactionReport,
+    });
+    if (policyDecision.outcome === "deny")
+        return policyDecision;
+    return {
+        ...policyDecision,
+        encodedPayload: encodeForSink(policySegment.text, sink).value,
+    };
+}
+function validateContractShape(input) {
+    return [
+        requiredRule("operation.contract.packet-id", "packet id", input.packetId),
+        requiredRule("operation.contract.kind", "operation kind", input.kind),
+        requiredRule("operation.contract.subject", "subject", input.subject),
+        requiredRule("operation.contract.action", "action", input.action),
+        requiredRule("operation.contract.resource", "resource", input.resource),
+        requiredRule("operation.contract.resource-type", "resource type", input.resource?.resourceType),
+        requiredRule("operation.contract.sink", "sink", input.sink),
+        requiredRule("operation.contract.payload", "payload", input.payload),
+        requiredRule("operation.contract.payload-text", "payload text", input.payload?.text),
+    ].filter((rule) => rule !== null);
+}
+function validatePythonWorkerContract(input) {
+    if (input.kind !== "pythonWorker")
+        return [];
+    const worker = input.pythonWorker;
+    const rules = [
+        requiredRule("operation.python-worker.contract", "worker contract", worker),
+        exactRule("operation.python-worker.json-contract", worker?.contract, "json", "worker contract"),
+        falseRule("operation.python-worker.no-auth", "worker authorization authority", worker?.authorizes),
+        falseRule("operation.python-worker.no-network", "worker network access", worker?.network),
+        falseRule("operation.python-worker.no-filesystem", "worker filesystem access", worker?.filesystem),
+        boundedNumberRule("operation.python-worker.timeout", "worker timeout", worker?.timeoutMs, 1, 5000),
+        boundedNumberRule("operation.python-worker.input-bytes", "worker max input bytes", worker?.maxInputBytes, 1, 1_000_000),
+        jsonRule(input.payload?.text),
+    ];
+    return rules.filter((rule) => rule !== null);
+}
+function normalizedSegment(input, spec, packetId, sink) {
+    return intakePromptSegment({
+        id: `${packetId}:payload`,
+        kind: input.payload?.kind ?? spec.segmentKind,
+        provenance: input.payload?.provenance ?? `${input.kind}:packet`,
+        sink,
+        text: input.payload?.text ?? "",
+    });
+}
+function redactedPolicySegment(input, spec, redactionReport, packetId, sink) {
+    return intakePromptSegment({
+        id: `${packetId}:payload:redacted`,
+        kind: input.payload?.kind ?? spec.segmentKind,
+        provenance: input.payload?.provenance ?? `${input.kind}:packet`,
+        sink,
+        text: redactionReport.redactedSegments[0]?.text ?? "",
+    });
+}
+function requiredRule(ruleId, label, value) {
+    if (value)
+        return null;
+    return { ruleId, reason: `missing ${label}` };
+}
+function exactRule(ruleId, actual, expected, label) {
+    if (actual === expected)
+        return null;
+    return { ruleId, reason: `ambiguous ${label}` };
+}
+function falseRule(ruleId, label, value) {
+    if (value === false)
+        return null;
+    return { ruleId, reason: `${label} must be disabled` };
+}
+function boundedNumberRule(ruleId, label, value, min, max) {
+    if (typeof value === "number" &&
+        Number.isInteger(value) &&
+        value >= min &&
+        value <= max) {
+        return null;
+    }
+    return { ruleId, reason: `${label} must be between ${min} and ${max}` };
+}
+function jsonRule(text) {
+    try {
+        JSON.parse(text ?? "");
+        return null;
+    }
+    catch {
+        return {
+            ruleId: "operation.python-worker.json-payload",
+            reason: "worker payload must be valid JSON",
+        };
+    }
+}
+function contractDeny(packetId, rules) {
+    return {
+        requestId: packetId ?? "unknown",
+        outcome: "deny",
+        matchedRuleIds: rules.map((rule) => rule.ruleId),
+        redactionStatus: "unsafeUnredacted",
+        sanitizedReasons: rules.map((rule) => rule.reason),
+        evidenceSummary: "deny: operation contract failed closed",
+    };
+}
+//# sourceMappingURL=operation-contract.js.map

package/dist/security/operation-contract.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"operation-contract.js","sourceRoot":"","sources":["../../src/security/operation-contract.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AA4BtD,MAAM,KAAK,GAAG;IACZ,QAAQ,EAAE;QACR,MAAM,EAAE,gBAAgB;QACxB,YAAY,EAAE,UAAU;QACxB,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,UAAU;KACxB;IACD,QAAQ,EAAE;QACR,MAAM,EAAE,kBAAkB;QAC1B,YAAY,EAAE,QAAQ;QACtB,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,MAAM;KACpB;IACD,YAAY,EAAE;QACZ,MAAM,EAAE,sBAAsB;QAC9B,YAAY,EAAE,cAAc;QAC5B,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,MAAM;KACpB;IACD,OAAO,EAAE;QACP,MAAM,EAAE,iBAAiB;QACzB,YAAY,EAAE,SAAS;QACvB,IAAI,EAAE,KAAK;QACX,WAAW,EAAE,aAAa;KAC3B;IACD,IAAI,EAAE;QACJ,MAAM,EAAE,iBAAiB;QACzB,YAAY,EAAE,SAAS;QACvB,IAAI,EAAE,KAAK;QACX,WAAW,EAAE,WAAW;KACzB;CACkD,CAAC;AAEtD,MAAM,UAAU,uBAAuB,CACrC,KAA2B;IAE3B,MAAM,aAAa,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACnD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;QAC1B,OAAO,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAErD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAqB,CAAC;IACzC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;IACzB,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAkB,CAAC;IAC1C,MAAM,OAAO,GAAG,KAAK,CAAC,OAAwB,CAAC;IAC/C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAsB,CAAC;IAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,QAA0B,CAAC;IAClD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAkB,CAAC;IACtC,MAAM,aAAa,GAAG;QACpB,SAAS,CAAC,2BAA2B,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC;QACrE,SAAS,CACP,6BAA6B,EAC7B,QAAQ,CAAC,YAAY,EACrB,IAAI,CAAC,YAAY,EACjB,eAAe,CAChB;QACD,SAAS,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC;QAC7D,GAAG,4BAA4B,CAAC,KAAK,CAAC;KACvC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAwB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACxD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;QAC1B,OAAO,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,eAAe,GAAG,oBAAoB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,MAAM,aAAa,GAAG,qBAAqB,CACzC,KAAK,EACL,IAAI,EACJ,eAAe,EACf,QAAQ,EACR,IAAI,CACL,CAAC;IACF,MAAM,cAAc,GAAG,sBAAsB,CAAC;QAC5C,SAAS,EAAE,QAAQ;QACnB,OAAO;QACP,MAAM;QACN,QAAQ;QACR,IAAI;QACJ,kBAAkB,EAAE,aAAa,CAAC,cAAc,CAAC,cAAc;QAC/D,QAAQ,EAAE,CAAC,aAAa,CAAC;QACzB,eAAe;KAChB,CAAC,CAAC;IAEH,IAAI,cAAc,CAAC,OAAO,KAAK,MAAM;QAAE,OAAO,cAAc,CAAC;IAE7D,OAAO;QACL,GAAG,cAAc;QACjB,cAAc,EAAE,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,KAAK;KAC9D,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAA2B;IACxD,OAAO;QACL,YAAY,CAAC,8BAA8B,EAAE,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC;QACzE,YAAY,CAAC,yBAAyB,EAAE,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC;QACrE,YAAY,CAAC,4BAA4B,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC;QACpE,YAAY,CAAC,2BAA2B,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC;QACjE,YAAY,CAAC,6BAA6B,EAAE,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC;QACvE,YAAY,CACV,kCAAkC,EAClC,eAAe,EACf,KAAK,CAAC,QAAQ,EAAE,YAAY,CAC7B;QACD,YAAY,CAAC,yBAAyB,EAAE,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC;QAC3D,YAAY,CAAC,4BAA4B,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC;QACpE,YAAY,CACV,iCAAiC,EACjC,cAAc,EACd,KAAK,CAAC,OAAO,EAAE,IAAI,CACpB;KACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAAwB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,4BAA4B,CACnC,KAA2B;IAE3B,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,EAAE,CAAC;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC;IAClC,MAAM,KAAK,GAAG;QACZ,YAAY,CAAC,kCAAkC,EAAE,iBAAiB,EAAE,MAAM,CAAC;QAC3E,SAAS,CACP,uCAAuC,EACvC,MAAM,EAAE,QAAQ,EAChB,MAAM,EACN,iBAAiB,CAClB;QACD,SAAS,CACP,iCAAiC,EACjC,gCAAgC,EAChC,MAAM,EAAE,UAAU,CACnB;QACD,SAAS,CACP,oCAAoC,EACpC,uBAAuB,EACvB,MAAM,EAAE,OAAO,CAChB;QACD,SAAS,CACP,uCAAuC,EACvC,0BAA0B,EAC1B,MAAM,EAAE,UAAU,CACnB;QACD,iBAAiB,CACf,iCAAiC,EACjC,gBAAgB,EAChB,MAAM,EAAE,SAAS,EACjB,CAAC,EACD,IAAI,CACL;QACD,iBAAiB,CACf,qCAAqC,EACrC,wBAAwB,EACxB,MAAM,EAAE,aAAa,EACrB,CAAC,EACD,SAAS,CACV;QACD,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC;KAC9B,CAAC;IACF,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAwB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,iBAAiB,CACxB,KAA2B,EAC3B,IAAmB,EACnB,QAAgB,EAChB,IAAgB;IAEhB,OAAO,mBAAmB,CAAC;QACzB,EAAE,EAAE,GAAG,QAAQ,UAAU;QACzB,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,WAAW;QAC7C,UAAU,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,IAAI,GAAG,KAAK,CAAC,IAAI,SAAS;QAC/D,IAAI;QACJ,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE;KAChC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAA2B,EAC3B,IAAmB,EACnB,eAAyD,EACzD,QAAgB,EAChB,IAAgB;IAEhB,OAAO,mBAAmB,CAAC;QACzB,EAAE,EAAE,GAAG,QAAQ,mBAAmB;QAClC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,WAAW;QAC7C,UAAU,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,IAAI,GAAG,KAAK,CAAC,IAAI,SAAS;QAC/D,IAAI;QACJ,IAAI,EAAE,eAAe,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,EAAE;KACtD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CACnB,MAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,KAAK;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,KAAK,EAAE,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,SAAS,CAChB,MAAc,EACd,MAAe,EACf,QAAiB,EACjB,KAAa;IAEb,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,KAAK,EAAE,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,SAAS,CAChB,MAAc,EACd,KAAa,EACb,KAA0B;IAE1B,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,mBAAmB,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAc,EACd,KAAa,EACb,KAAyB,EACzB,GAAW,EACX,GAAW;IAEX,IACE,OAAO,KAAK,KAAK,QAAQ;QACzB,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;QACvB,KAAK,IAAI,GAAG;QACZ,KAAK,IAAI,GAAG,EACZ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,oBAAoB,GAAG,QAAQ,GAAG,EAAE,EAAE,CAAC;AAC1E,CAAC;AAED,SAAS,QAAQ,CAAC,IAAwB;IACxC,IAAI,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,MAAM,EAAE,sCAAsC;YAC9C,MAAM,EAAE,mCAAmC;SAC5C,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,QAA4B,EAC5B,KAAqB;IAErB,OAAO;QACL,SAAS,EAAE,QAAQ,IAAI,SAAS;QAChC,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe,EAAE,kBAA4C;QAC7D,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EAAE,wCAAwC;KAC1D,CAAC;AACJ,CAAC"}

package/dist/security/policy-engine.d.ts

@@ -0,0 +1,2 @@
+import type { PolicyDecision, PolicyRequestInput } from "./policy-types.js";
+export declare function evaluateSecurityPolicy(input: PolicyRequestInput): PolicyDecision;

package/dist/security/policy-engine.js

@@ -0,0 +1,142 @@
+const sensitiveSinks = ["evidence", "log", "provider"];
+export function evaluateSecurityPolicy(input) {
+    const validation = validatePolicyRequest(input);
+    if (validation.length > 0) {
+        return denyDecision(input.requestId, validation, "unsafeUnredacted");
+    }
+    const request = input;
+    const denied = deniedRules(request);
+    if (denied.length > 0) {
+        return denyDecision(request.requestId, denied, highestRedactionStatus(denied, request.redactionReport.status));
+    }
+    const quarantined = quarantineRules(request);
+    if (quarantined.length > 0) {
+        return quarantineDecision(request.requestId, quarantined, request.redactionReport.status);
+    }
+    return {
+        requestId: request.requestId,
+        outcome: "allow",
+        matchedRuleIds: ["policy.default.allow-after-rules"],
+        redactionStatus: request.redactionReport.status,
+        sanitizedReasons: ["request satisfied deterministic policy rules"],
+        evidenceSummary: "allow: deterministic security policy accepted request",
+    };
+}
+function validatePolicyRequest(input) {
+    const missing = [
+        requiredRule("policy.input.request-id", "request id", input.requestId),
+        requiredRule("policy.input.subject", "subject", input.subject),
+        requiredRule("policy.input.action", "action", input.action),
+        requiredRule("policy.input.resource", "resource", input.resource),
+        requiredRule("policy.input.sink", "sink", input.sink),
+        requiredRule("policy.input.data-classification", "data classification", input.dataClassification),
+        requiredRule("policy.input.redaction", "redaction report", input.redactionReport),
+    ].filter((rule) => rule !== null);
+    if (missing.length > 0)
+        return missing;
+    const scoped = input.subject?.tenantId ?? input.subject?.workspaceId;
+    const resourceScoped = input.resource?.tenantId ?? input.resource?.workspaceId;
+    const scopeRules = [
+        requiredRule("policy.scope.subject", "subject tenant or workspace", scoped),
+        requiredRule("policy.scope.resource", "resource tenant or workspace", resourceScoped),
+    ].filter((rule) => rule !== null);
+    if (scopeRules.length > 0)
+        return scopeRules;
+    if (input.subject?.tenantId && input.resource?.tenantId) {
+        if (input.subject.tenantId !== input.resource.tenantId) {
+            return [
+                {
+                    ruleId: "policy.scope.tenant-mismatch",
+                    reason: "subject and resource tenant scope do not match",
+                },
+            ];
+        }
+    }
+    return [];
+}
+function deniedRules(request) {
+    const rules = [];
+    if (request.redactionReport.status === "unsafeUnredacted") {
+        rules.push({
+            ruleId: "policy.redaction.fail-closed",
+            reason: "restricted content is not safely redacted",
+            redactionStatus: "unsafeUnredacted",
+        });
+    }
+    if (request.action === "url.fetch" || request.sink === "url") {
+        rules.push(...findingRules(request, "unsafeUrl", "deny"));
+    }
+    if (request.action === "file.write") {
+        rules.push(...findingRules(request, "pathTraversal", "deny"));
+    }
+    return rules;
+}
+function quarantineRules(request) {
+    const rules = request.segments.flatMap((segment) => {
+        if (segment.kind === "unknown" && isSensitiveSink(request.sink)) {
+            return [
+                {
+                    ruleId: "policy.segment.unknown-sensitive-sink",
+                    reason: `segment ${segment.id} is unknown for sensitive sink`,
+                },
+            ];
+        }
+        return segment.classification.findings
+            .filter((finding) => finding.severity === "critical" || finding.severity === "high")
+            .map((finding) => findingRule(segment.id, finding, "quarantine"));
+    });
+    if (request.dataClassification === "unknown" &&
+        isSensitiveSink(request.sink)) {
+        rules.push({
+            ruleId: "policy.data.unknown-sensitive-sink",
+            reason: "unknown data classification cannot reach sensitive sink",
+        });
+    }
+    return rules;
+}
+function findingRules(request, kind, disposition) {
+    return request.segments.flatMap((segment) => segment.classification.findings
+        .filter((finding) => finding.kind === kind)
+        .map((finding) => findingRule(segment.id, finding, disposition)));
+}
+function findingRule(segmentId, finding, disposition) {
+    return {
+        ruleId: `policy.${disposition}.${finding.kind}`,
+        reason: `segment ${segmentId} matched ${finding.summary}`,
+    };
+}
+function requiredRule(ruleId, label, value) {
+    if (value)
+        return null;
+    return {
+        ruleId,
+        reason: `missing ${label}`,
+    };
+}
+function denyDecision(requestId, rules, redactionStatus) {
+    return {
+        requestId: requestId ?? "unknown",
+        outcome: "deny",
+        matchedRuleIds: rules.map((rule) => rule.ruleId),
+        redactionStatus,
+        sanitizedReasons: rules.map((rule) => rule.reason),
+        evidenceSummary: "deny: deterministic security policy failed closed",
+    };
+}
+function quarantineDecision(requestId, rules, redactionStatus) {
+    return {
+        requestId,
+        outcome: "quarantine",
+        matchedRuleIds: rules.map((rule) => rule.ruleId),
+        redactionStatus,
+        sanitizedReasons: rules.map((rule) => rule.reason),
+        evidenceSummary: "quarantine: deterministic security policy isolated content",
+    };
+}
+function highestRedactionStatus(rules, fallback) {
+    return (rules.find((rule) => rule.redactionStatus)?.redactionStatus ?? fallback);
+}
+function isSensitiveSink(sink) {
+    return sensitiveSinks.some((sensitiveSink) => sensitiveSink === sink);
+}
+//# sourceMappingURL=policy-engine.js.map

package/dist/security/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/security/policy-engine.ts"],"names":[],"mappings":"AAcA,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,CAAU,CAAC;AAEhE,MAAM,UAAU,sBAAsB,CACpC,KAAyB;IAEzB,MAAM,UAAU,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,YAAY,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,kBAAkB,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,OAAO,GAAG,KAAsB,CAAC;IACvC,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACpC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,YAAY,CACjB,OAAO,CAAC,SAAS,EACjB,MAAM,EACN,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAC/D,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,kBAAkB,CACvB,OAAO,CAAC,SAAS,EACjB,WAAW,EACX,OAAO,CAAC,eAAe,CAAC,MAAM,CAC/B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO,EAAE,OAAO;QAChB,cAAc,EAAE,CAAC,kCAAkC,CAAC;QACpD,eAAe,EAAE,OAAO,CAAC,eAAe,CAAC,MAAM;QAC/C,gBAAgB,EAAE,CAAC,8CAA8C,CAAC;QAClE,eAAe,EAAE,uDAAuD;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAyB;IACtD,MAAM,OAAO,GAAG;QACd,YAAY,CAAC,yBAAyB,EAAE,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC;QACtE,YAAY,CAAC,sBAAsB,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC;QAC9D,YAAY,CAAC,qBAAqB,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC;QAC3D,YAAY,CAAC,uBAAuB,EAAE,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC;QACjE,YAAY,CAAC,mBAAmB,EAAE,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC;QACrD,YAAY,CACV,kCAAkC,EAClC,qBAAqB,EACrB,KAAK,CAAC,kBAAkB,CACzB;QACD,YAAY,CACV,wBAAwB,EACxB,kBAAkB,EAClB,KAAK,CAAC,eAAe,CACtB;KACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAA4B,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IAEvC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAC,OAAO,EAAE,WAAW,CAAC;IACrE,MAAM,cAAc,GAClB,KAAK,CAAC,QAAQ,EAAE,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,WAAW,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,YAAY,CAAC,sBAAsB,EAAE,6BAA6B,EAAE,MAAM,CAAC;QAC3E,YAAY,CACV,uBAAuB,EACvB,8BAA8B,EAC9B,cAAc,CACf;KACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAA4B,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAE7C,IAAI,KAAK,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACvD,OAAO;gBACL;oBACE,MAAM,EAAE,8BAA8B;oBACtC,MAAM,EAAE,gDAAgD;iBACzD;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,OAAsB;IACzC,MAAM,KAAK,GAAuB,EAAE,CAAC;IACrC,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;QAC1D,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,8BAA8B;YACtC,MAAM,EAAE,2CAA2C;YACnD,eAAe,EAAE,kBAAkB;SACpC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC7D,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,OAAsB;IAC7C,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QACjD,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChE,OAAO;gBACL;oBACE,MAAM,EAAE,uCAAuC;oBAC/C,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,gCAAgC;iBAC9D;aACF,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC,cAAc,CAAC,QAAQ;aACnC,MAAM,CACL,CAAC,OAAO,EAAE,EAAE,CACV,OAAO,CAAC,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CACjE;aACA,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IACH,IACE,OAAO,CAAC,kBAAkB,KAAK,SAAS;QACxC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,EAC7B,CAAC;QACD,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,oCAAoC;YAC5C,MAAM,EAAE,yDAAyD;SAClE,CAAC,CAAC;IACL,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CACnB,OAAsB,EACtB,IAA4B,EAC5B,WAAkC;IAElC,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAC1C,OAAO,CAAC,cAAc,CAAC,QAAQ;SAC5B,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,IAAI,CAAC;SAC1C,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,CACnE,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAClB,SAAiB,EACjB,OAAuB,EACvB,WAAkC;IAElC,OAAO;QACL,MAAM,EAAE,UAAU,WAAW,IAAI,OAAO,CAAC,IAAI,EAAE;QAC/C,MAAM,EAAE,WAAW,SAAS,YAAY,OAAO,CAAC,OAAO,EAAE;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,MAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,KAAK;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO;QACL,MAAM;QACN,MAAM,EAAE,WAAW,KAAK,EAAE;KAC3B,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,SAA6B,EAC7B,KAAyB,EACzB,eAAgC;IAEhC,OAAO;QACL,SAAS,EAAE,SAAS,IAAI,SAAS;QACjC,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe;QACf,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EAAE,mDAAmD;KACrE,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,KAAyB,EACzB,eAAgC;IAEhC,OAAO;QACL,SAAS;QACT,OAAO,EAAE,YAAY;QACrB,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe;QACf,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EACb,4DAA4D;KAC/D,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAyB,EACzB,QAAyB;IAEzB,OAAO,CACL,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,eAAe,IAAI,QAAQ,CACxE,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,KAAK,IAAI,CAAC,CAAC;AACxE,CAAC"}

package/dist/security/policy-types.d.ts

@@ -0,0 +1,79 @@
+export declare const policyDecisionOutcomes: readonly ["allow", "deny", "requiresApproval", "quarantine"];
+export type PolicyDecisionOutcome = (typeof policyDecisionOutcomes)[number];
+export type PolicyAction = "content.ingest" | "evidence.write" | "pythonWorker.process" | "provider.message" | "url.fetch" | "file.write" | "command.execute";
+export type PolicySink = "evidence" | "htmlText" | "json" | "log" | "markdown" | "provider" | "shellArgument" | "url";
+export type SegmentKind = "data" | "evidence" | "instruction" | "providerResponse" | "toolInput" | "toolOutput" | "unknown";
+export type DataClassification = "public" | "internal" | "restricted" | "unknown";
+export type FindingSeverity = "low" | "medium" | "high" | "critical";
+export type ContentFindingKind = "indirectPromptInjection" | "noSqlLike" | "pathTraversal" | "promptInjection" | "secretShaped" | "shellLike" | "sqlLike" | "unsafeUrl";
+export interface ContentFinding {
+    kind: ContentFindingKind;
+    ruleId: string;
+    severity: FindingSeverity;
+    summary: string;
+}
+export interface ContentClassification {
+    classification: DataClassification;
+    findings: ContentFinding[];
+}
+export interface PromptSegment {
+    id: string;
+    kind: SegmentKind;
+    provenance: string;
+    sink: PolicySink;
+    text: string;
+    byteLength: number;
+    classification: ContentClassification;
+}
+export type RedactionStatus = "notRequired" | "redacted" | "quarantined" | "unsafeUnredacted";
+export interface RedactedSegment {
+    id: string;
+    text: string;
+    status: RedactionStatus;
+    redactedFindings: ContentFindingKind[];
+}
+export interface RedactionReport {
+    status: RedactionStatus;
+    redactedSegments: RedactedSegment[];
+    sanitizedReasons: string[];
+}
+export interface PolicySubject {
+    id: string;
+    subjectType: "human" | "runtime" | "system" | "tool";
+    tenantId?: string;
+    workspaceId?: string;
+}
+export interface PolicyResource {
+    resourceType: "command" | "evidence" | "file" | "prompt" | "pythonWorker" | "url";
+    summary: string;
+    tenantId?: string;
+    workspaceId?: string;
+}
+export interface PolicyRequest {
+    requestId: string;
+    subject: PolicySubject;
+    action: PolicyAction;
+    resource: PolicyResource;
+    sink: PolicySink;
+    dataClassification: DataClassification;
+    segments: PromptSegment[];
+    redactionReport: RedactionReport;
+}
+export interface PolicyRequestInput {
+    requestId?: string;
+    subject?: Partial<PolicySubject>;
+    action?: PolicyAction;
+    resource?: Partial<PolicyResource>;
+    sink?: PolicySink;
+    dataClassification?: DataClassification;
+    segments?: PromptSegment[];
+    redactionReport?: RedactionReport;
+}
+export interface PolicyDecision {
+    requestId: string;
+    outcome: PolicyDecisionOutcome;
+    matchedRuleIds: string[];
+    redactionStatus: RedactionStatus;
+    sanitizedReasons: string[];
+    evidenceSummary: string;
+}

package/dist/security/policy-types.js

@@ -0,0 +1,7 @@
+export const policyDecisionOutcomes = [
+    "allow",
+    "deny",
+    "requiresApproval",
+    "quarantine",
+];
+//# sourceMappingURL=policy-types.js.map

package/dist/security/policy-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-types.js","sourceRoot":"","sources":["../../src/security/policy-types.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,OAAO;IACP,MAAM;IACN,kBAAkB;IAClB,YAAY;CACJ,CAAC"}

package/dist/security/prompt-intake.d.ts

@@ -0,0 +1,13 @@
+import type { PolicySink, PromptSegment, SegmentKind } from "./policy-types.js";
+export interface PromptSegmentInput {
+    id?: string;
+    kind?: SegmentKind;
+    provenance?: string;
+    sink?: PolicySink;
+    text?: string;
+}
+export interface PromptPacketInput {
+    segments?: PromptSegmentInput[];
+}
+export declare function intakePromptPacket(packet: PromptPacketInput): PromptSegment[];
+export declare function intakePromptSegment(input: PromptSegmentInput, fallbackId?: string): PromptSegment;

package/dist/security/prompt-intake.js

@@ -0,0 +1,33 @@
+import { Buffer } from "node:buffer";
+import { classifyContent } from "./content-classifier.js";
+export function intakePromptPacket(packet) {
+    if (!Array.isArray(packet.segments)) {
+        return [unknownSegment("segment-1", "malformed prompt packet")];
+    }
+    return packet.segments.map((segment, index) => intakePromptSegment(segment, `segment-${index + 1}`));
+}
+export function intakePromptSegment(input, fallbackId = "segment-1") {
+    const text = typeof input.text === "string" ? input.text : "";
+    const kind = input.kind ?? "unknown";
+    return {
+        id: input.id ?? fallbackId,
+        kind,
+        provenance: input.provenance ?? "unknown",
+        sink: input.sink ?? "provider",
+        text,
+        byteLength: Buffer.byteLength(text, "utf8"),
+        classification: classifyContent(text),
+    };
+}
+function unknownSegment(id, text) {
+    return {
+        id,
+        kind: "unknown",
+        provenance: "unknown",
+        sink: "provider",
+        text,
+        byteLength: Buffer.byteLength(text, "utf8"),
+        classification: classifyContent(text),
+    };
+}
+//# sourceMappingURL=prompt-intake.js.map

package/dist/security/prompt-intake.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-intake.js","sourceRoot":"","sources":["../../src/security/prompt-intake.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAe1D,MAAM,UAAU,kBAAkB,CAAC,MAAyB;IAC1D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,cAAc,CAAC,WAAW,EAAE,yBAAyB,CAAC,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CAC5C,mBAAmB,CAAC,OAAO,EAAE,WAAW,KAAK,GAAG,CAAC,EAAE,CAAC,CACrD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAyB,EACzB,UAAU,GAAG,WAAW;IAExB,MAAM,IAAI,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9D,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,SAAS,CAAC;IACrC,OAAO;QACL,EAAE,EAAE,KAAK,CAAC,EAAE,IAAI,UAAU;QAC1B,IAAI;QACJ,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,SAAS;QACzC,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,UAAU;QAC9B,IAAI;QACJ,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC;QAC3C,cAAc,EAAE,eAAe,CAAC,IAAI,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,EAAU,EAAE,IAAY;IAC9C,OAAO;QACL,EAAE;QACF,IAAI,EAAE,SAAS;QACf,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE,UAAU;QAChB,IAAI;QACJ,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC;QAC3C,cAAc,EAAE,eAAe,CAAC,IAAI,CAAC;KACtC,CAAC;AACJ,CAAC"}

package/dist/security/redaction.d.ts

@@ -0,0 +1,3 @@
+import type { PromptSegment, RedactedSegment, RedactionReport } from "./policy-types.js";
+export declare function redactPromptSegments(segments: PromptSegment[]): RedactionReport;
+export declare function redactPromptSegment(segment: PromptSegment): RedactedSegment;

package/dist/security/redaction.js

@@ -0,0 +1,64 @@
+const secretReplacement = "[REDACTED_SECRET]";
+const bearerPattern = /\bbearer\s+[a-z0-9._-]{12,}/gi;
+const assignmentPattern = /\b(api[_-]?key|password|secret|token)(\s*[:=]\s*)[^\s"']{12,}/gi;
+const secretPatterns = [bearerPattern, assignmentPattern];
+export function redactPromptSegments(segments) {
+    const redactedSegments = segments.map(redactPromptSegment);
+    const status = reportStatus(redactedSegments);
+    return {
+        status,
+        redactedSegments,
+        sanitizedReasons: sanitizedReasons(redactedSegments, status),
+    };
+}
+export function redactPromptSegment(segment) {
+    const secretFindings = segment.classification.findings.filter((finding) => finding.kind === "secretShaped");
+    const redactedText = redactSecrets(segment.text);
+    const wasRedacted = redactedText !== segment.text;
+    const hasRemainingSecret = secretPatterns.some((pattern) => {
+        pattern.lastIndex = 0;
+        return pattern.test(redactedText);
+    });
+    return {
+        id: segment.id,
+        text: redactedText,
+        status: redactionStatus(secretFindings.length, wasRedacted, hasRemainingSecret),
+        redactedFindings: wasRedacted ? ["secretShaped"] : [],
+    };
+}
+function redactSecrets(text) {
+    return text
+        .replace(bearerPattern, secretReplacement)
+        .replace(assignmentPattern, (_match, label, separator) => {
+        return `${label}${separator}${secretReplacement}`;
+    });
+}
+function redactionStatus(secretFindingCount, wasRedacted, hasRemainingSecret) {
+    if (hasRemainingSecret)
+        return "unsafeUnredacted";
+    if (wasRedacted)
+        return "redacted";
+    if (secretFindingCount > 0)
+        return "unsafeUnredacted";
+    return "notRequired";
+}
+function reportStatus(segments) {
+    if (segments.some((segment) => segment.status === "unsafeUnredacted")) {
+        return "unsafeUnredacted";
+    }
+    if (segments.some((segment) => segment.status === "redacted")) {
+        return "redacted";
+    }
+    return "notRequired";
+}
+function sanitizedReasons(segments, status) {
+    if (status === "notRequired")
+        return ["no restricted values detected"];
+    return segments
+        .filter((segment) => segment.redactedFindings.length > 0)
+        .map((segment) => redactionReason(segment.id, segment.redactedFindings));
+}
+function redactionReason(segmentId, findings) {
+    return `segment ${segmentId} redacted ${findings.join(", ")}`;
+}
+//# sourceMappingURL=redaction.js.map

package/dist/security/redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.js","sourceRoot":"","sources":["../../src/security/redaction.ts"],"names":[],"mappings":"AAQA,MAAM,iBAAiB,GAAG,mBAAmB,CAAC;AAC9C,MAAM,aAAa,GAAG,+BAA+B,CAAC;AACtD,MAAM,iBAAiB,GACrB,iEAAiE,CAAC;AACpE,MAAM,cAAc,GAAG,CAAC,aAAa,EAAE,iBAAiB,CAAU,CAAC;AAEnE,MAAM,UAAU,oBAAoB,CAClC,QAAyB;IAEzB,MAAM,gBAAgB,GAAG,QAAQ,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAC9C,OAAO;QACL,MAAM;QACN,gBAAgB;QAChB,gBAAgB,EAAE,gBAAgB,CAAC,gBAAgB,EAAE,MAAM,CAAC;KAC7D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAsB;IACxD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAC3D,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,cAAc,CAC7C,CAAC;IACF,MAAM,YAAY,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC;IAClD,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QACzD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,OAAO,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IACH,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,eAAe,CACrB,cAAc,CAAC,MAAM,EACrB,WAAW,EACX,kBAAkB,CACnB;QACD,gBAAgB,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE;KACtD,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,IAAI;SACR,OAAO,CAAC,aAAa,EAAE,iBAAiB,CAAC;SACzC,OAAO,CAAC,iBAAiB,EAAE,CAAC,MAAM,EAAE,KAAa,EAAE,SAAiB,EAAE,EAAE;QACvE,OAAO,GAAG,KAAK,GAAG,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACpD,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,eAAe,CACtB,kBAA0B,EAC1B,WAAoB,EACpB,kBAA2B;IAE3B,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAC;IAClD,IAAI,WAAW;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,kBAAkB,GAAG,CAAC;QAAE,OAAO,kBAAkB,CAAC;IACtD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,YAAY,CAAC,QAA2B;IAC/C,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,KAAK,kBAAkB,CAAC,EAAE,CAAC;QACtE,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,KAAK,UAAU,CAAC,EAAE,CAAC;QAC9D,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAS,gBAAgB,CACvB,QAA2B,EAC3B,MAAuB;IAEvB,IAAI,MAAM,KAAK,aAAa;QAAE,OAAO,CAAC,+BAA+B,CAAC,CAAC;IACvE,OAAO,QAAQ;SACZ,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC;SACxD,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,eAAe,CACtB,SAAiB,EACjB,QAA8B;IAE9B,OAAO,WAAW,SAAS,aAAa,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AAChE,CAAC"}

package/dist/security/sink-encoding.d.ts

@@ -0,0 +1,6 @@
+import type { PolicySink } from "./policy-types.js";
+export interface EncodedSinkValue {
+    sink: PolicySink;
+    value: string;
+}
+export declare function encodeForSink(text: string, sink: PolicySink): EncodedSinkValue;

package/dist/security/sink-encoding.js

@@ -0,0 +1,40 @@
+export function encodeForSink(text, sink) {
+    return {
+        sink,
+        value: sinkEncoder(sink)(text),
+    };
+}
+function sinkEncoder(sink) {
+    const encoders = {
+        evidence: escapeMarkdown,
+        htmlText: escapeHtmlText,
+        json: JSON.stringify,
+        log: normalizeLogLine,
+        markdown: escapeMarkdown,
+        provider: wrapProviderData,
+        shellArgument: preserveArgumentValue,
+        url: encodeURI,
+    };
+    return encoders[sink];
+}
+function escapeMarkdown(text) {
+    return text.replaceAll("```", "`\\`\\`");
+}
+function escapeHtmlText(text) {
+    return text
+        .replaceAll("&", "&")
+        .replaceAll("<", "&lt;")
+        .replaceAll(">", "&gt;")
+        .replaceAll('"', "&quot;")
+        .replaceAll("'", "&#39;");
+}
+function normalizeLogLine(text) {
+    return text.replaceAll(/\r?\n/g, "\\n");
+}
+function wrapProviderData(text) {
+    return `<untrusted-data>${text}</untrusted-data>`;
+}
+function preserveArgumentValue(text) {
+    return text;
+}
+//# sourceMappingURL=sink-encoding.js.map

package/dist/security/sink-encoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sink-encoding.js","sourceRoot":"","sources":["../../src/security/sink-encoding.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,aAAa,CAC3B,IAAY,EACZ,IAAgB;IAEhB,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC;KAC/B,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,IAAgB;IACnC,MAAM,QAAQ,GAAG;QACf,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,cAAc;QACxB,IAAI,EAAE,IAAI,CAAC,SAAS;QACpB,GAAG,EAAE,gBAAgB;QACrB,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,gBAAgB;QAC1B,aAAa,EAAE,qBAAqB;QACpC,GAAG,EAAE,SAAS;KAC6C,CAAC;IAC9D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,IAAI;SACR,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC;SACvB,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC;SACvB,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC;SACzB,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,mBAAmB,IAAI,mBAAmB,CAAC;AACpD,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,IAAI,CAAC;AACd,CAAC"}