npm - @n8n/n8n-nodes-langchain - Versions diffs - 1.117.0 → 1.118.1 - Mend

@n8n/n8n-nodes-langchain 1.117.0 → 1.118.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/nodes/Guardrails/actions/checks/secretKeys.js ADDED Viewed

@@ -0,0 +1,201 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var secretKeys_exports = {};
+__export(secretKeys_exports, {
+  createSecretKeysCheckFn: () => createSecretKeysCheckFn,
+  secretKeysCheck: () => secretKeysCheck
+});
+module.exports = __toCommonJS(secretKeys_exports);
+const COMMON_KEY_PREFIXES = [
+  "key-",
+  "sk-",
+  "sk_",
+  "pk_",
+  "pk-",
+  "ghp_",
+  "AKIA",
+  "xox",
+  "SG.",
+  "hf_",
+  "api-",
+  "apikey-",
+  "token-",
+  "secret-",
+  "SHA:",
+  "Bearer "
+];
+const ALLOWED_EXTENSIONS = [
+  ".py",
+  ".js",
+  ".html",
+  ".css",
+  ".json",
+  ".md",
+  ".txt",
+  ".csv",
+  ".xml",
+  ".yaml",
+  ".yml",
+  ".ini",
+  ".conf",
+  ".config",
+  ".log",
+  ".sql",
+  ".sh",
+  ".bat",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".jar",
+  ".war",
+  ".php",
+  ".rb",
+  ".go",
+  ".rs",
+  ".ts",
+  ".jsx",
+  ".vue",
+  ".cpp",
+  ".c",
+  ".h",
+  ".cs",
+  ".fs",
+  ".vb",
+  ".doc",
+  ".docx",
+  ".xls",
+  ".xlsx",
+  ".ppt",
+  ".pptx",
+  ".pdf",
+  ".jpg",
+  ".jpeg",
+  ".png"
+];
+const CONFIGS = {
+  strict: {
+    min_length: 10,
+    min_entropy: 3,
+    // Lowered from 3.5 to be more reasonable
+    min_diversity: 2,
+    strict_mode: true
+  },
+  balanced: {
+    min_length: 10,
+    // Lowered to catch more common keys
+    min_entropy: 3.8,
+    min_diversity: 3,
+    strict_mode: false
+  },
+  permissive: {
+    min_length: 30,
+    min_entropy: 4,
+    min_diversity: 2,
+    // Lowered from 3 to be more reasonable
+    strict_mode: false
+  }
+};
+function entropy(s) {
+  if (s.length === 0) return 0;
+  const counts = {};
+  for (const c of s) {
+    counts[c] = (counts[c] || 0) + 1;
+  }
+  let entropy2 = 0;
+  for (const count of Object.values(counts)) {
+    const probability = count / s.length;
+    entropy2 -= probability * Math.log2(probability);
+  }
+  return entropy2;
+}
+function charDiversity(s) {
+  return [
+    s.split("").some((c) => c === c.toLowerCase() && c !== c.toUpperCase()),
+    // lowercase
+    s.split("").some((c) => c === c.toUpperCase() && c !== c.toLowerCase()),
+    // uppercase
+    s.split("").some((c) => /\d/.test(c)),
+    // digits
+    s.split("").some((c) => !/\w/.test(c))
+    // special characters
+  ].filter(Boolean).length;
+}
+function containsAllowedPattern(text) {
+  const urlPattern = /^https?:\/\/[a-zA-Z0-9.-]+\/?[a-zA-Z0-9.\/_-]*$/i;
+  if (urlPattern.test(text)) {
+    if (COMMON_KEY_PREFIXES.some((prefix) => text.includes(prefix))) {
+      return false;
+    }
+    return true;
+  }
+  const extPattern = new RegExp(
+    `^[^\\s]*(${ALLOWED_EXTENSIONS.map((ext) => ext.replace(".", "\\.")).join("|")})$`,
+    "i"
+  );
+  return extPattern.test(text);
+}
+function isSecretCandidate(s, cfg, customRegex) {
+  if (customRegex) {
+    for (const pattern of customRegex) {
+      try {
+        const regex = new RegExp(pattern);
+        if (regex.test(s)) {
+          return true;
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+  if (!cfg.strict_mode && containsAllowedPattern(s)) {
+    return false;
+  }
+  const longEnough = s.length >= cfg.min_length;
+  const diverse = charDiversity(s) >= cfg.min_diversity;
+  if (COMMON_KEY_PREFIXES.some((prefix) => s.startsWith(prefix))) {
+    return true;
+  }
+  if (!(longEnough && diverse)) {
+    return false;
+  }
+  return entropy(s) >= cfg.min_entropy;
+}
+function detectSecretKeys(text, cfg, config) {
+  const words = text.split(/\s+/).map((w) => w.replace(/[*#]/g, ""));
+  const secrets = words.filter((w) => isSecretCandidate(w, cfg, config.customRegex));
+  return {
+    guardrailName: "secretKeys",
+    tripwireTriggered: secrets.length > 0,
+    info: {
+      maskEntities: { SECRET: secrets },
+      detectedSecrets: secrets
+    }
+  };
+}
+const secretKeysCheck = (data, config) => {
+  const cfg = CONFIGS[config.threshold];
+  return detectSecretKeys(data, cfg, config);
+};
+const createSecretKeysCheckFn = (config) => (input) => secretKeysCheck(input, config);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createSecretKeysCheckFn,
+  secretKeysCheck
+});
+//# sourceMappingURL=secretKeys.js.map

package/dist/nodes/Guardrails/actions/checks/secretKeys.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../../nodes/Guardrails/actions/checks/secretKeys.ts"],"sourcesContent":["/**\n * Secret key detection guardrail module.\n *\n * This module provides functions and configuration for detecting potential API keys,\n * secrets, and credentials in text. It includes entropy and diversity checks, pattern\n * recognition, and a guardrail check_fn for runtime enforcement.\n */\n\nimport type { CreateCheckFn, GuardrailResult } from '../types';\n\nexport type SecretKeysConfig = {\n\tthreshold: 'strict' | 'balanced' | 'permissive';\n\tcustomRegex?: string[];\n};\n\n/**\n * Common key prefixes used in secret keys.\n */\nconst COMMON_KEY_PREFIXES = [\n\t'key-',\n\t'sk-',\n\t'sk_',\n\t'pk_',\n\t'pk-',\n\t'ghp_',\n\t'AKIA',\n\t'xox',\n\t'SG.',\n\t'hf_',\n\t'api-',\n\t'apikey-',\n\t'token-',\n\t'secret-',\n\t'SHA:',\n\t'Bearer ',\n];\n\n/**\n * File extensions to ignore when strict_mode is False.\n */\nconst ALLOWED_EXTENSIONS = [\n\t'.py',\n\t'.js',\n\t'.html',\n\t'.css',\n\t'.json',\n\t'.md',\n\t'.txt',\n\t'.csv',\n\t'.xml',\n\t'.yaml',\n\t'.yml',\n\t'.ini',\n\t'.conf',\n\t'.config',\n\t'.log',\n\t'.sql',\n\t'.sh',\n\t'.bat',\n\t'.dll',\n\t'.so',\n\t'.dylib',\n\t'.jar',\n\t'.war',\n\t'.php',\n\t'.rb',\n\t'.go',\n\t'.rs',\n\t'.ts',\n\t'.jsx',\n\t'.vue',\n\t'.cpp',\n\t'.c',\n\t'.h',\n\t'.cs',\n\t'.fs',\n\t'.vb',\n\t'.doc',\n\t'.docx',\n\t'.xls',\n\t'.xlsx',\n\t'.ppt',\n\t'.pptx',\n\t'.pdf',\n\t'.jpg',\n\t'.jpeg',\n\t'.png',\n];\n\n/**\n * Configuration presets for different sensitivity levels.\n */\nconst CONFIGS: Record<\n\tstring,\n\t{\n\t\tmin_length: number;\n\t\tmin_entropy: number;\n\t\tmin_diversity: number;\n\t\tstrict_mode: boolean;\n\t}\n> = {\n\tstrict: {\n\t\tmin_length: 10,\n\t\tmin_entropy: 3.0, // Lowered from 3.5 to be more reasonable\n\t\tmin_diversity: 2,\n\t\tstrict_mode: true,\n\t},\n\tbalanced: {\n\t\tmin_length: 10, // Lowered to catch more common keys\n\t\tmin_entropy: 3.8,\n\t\tmin_diversity: 3,\n\t\tstrict_mode: false,\n\t},\n\tpermissive: {\n\t\tmin_length: 30,\n\t\tmin_entropy: 4.0,\n\t\tmin_diversity: 2, // Lowered from 3 to be more reasonable\n\t\tstrict_mode: false,\n\t},\n};\n\n/**\n * Calculate the Shannon entropy of a string.\n */\nfunction entropy(s: string): number {\n\tif (s.length === 0) return 0;\n\n\tconst counts: Record<string, number> = {};\n\tfor (const c of s) {\n\t\tcounts[c] = (counts[c] || 0) + 1;\n\t}\n\n\tlet entropy = 0;\n\tfor (const count of Object.values(counts)) {\n\t\tconst probability = count / s.length;\n\t\tentropy -= probability * Math.log2(probability);\n\t}\n\n\treturn entropy;\n}\n\n/**\n * Count the number of character types present in a string.\n */\nfunction charDiversity(s: string): number {\n\treturn [\n\t\ts\n\t\t\t.split('')\n\t\t\t.some((c) => c === c.toLowerCase() && c !== c.toUpperCase()), // lowercase\n\t\ts\n\t\t\t.split('')\n\t\t\t.some((c) => c === c.toUpperCase() && c !== c.toLowerCase()), // uppercase\n\t\ts\n\t\t\t.split('')\n\t\t\t.some((c) => /\\d/.test(c)), // digits\n\t\ts\n\t\t\t.split('')\n\t\t\t.some((c) => !/\\w/.test(c)), // special characters\n\t].filter(Boolean).length;\n}\n\n/**\n * Check if text contains allowed URL or file extension patterns.\n */\nfunction containsAllowedPattern(text: string): boolean {\n\t// Check if it's a URL pattern\n\tconst urlPattern = /^https?:\\/\\/[a-zA-Z0-9.-]+\\/?[a-zA-Z0-9.\\/_-]*$/i;\n\tif (urlPattern.test(text)) {\n\t\t// If it's a URL, check if it contains any secret patterns\n\t\t// If it contains secrets, don't allow it\n\t\tif (COMMON_KEY_PREFIXES.some((prefix) => text.includes(prefix))) {\n\t\t\treturn false;\n\t\t}\n\t\treturn true;\n\t}\n\n\t// Regex for allowed file extensions - must end with the extension\n\tconst extPattern = new RegExp(\n\t\t`^[^\\\\s]*(${ALLOWED_EXTENSIONS.map((ext) => ext.replace('.', '\\\\.')).join('|')})$`,\n\t\t'i',\n\t);\n\treturn extPattern.test(text);\n}\n\n/**\n * Check if a string is a secret key using the specified criteria.\n */\nfunction isSecretCandidate(\n\ts: string,\n\tcfg: (typeof CONFIGS)[keyof typeof CONFIGS],\n\tcustomRegex?: string[],\n): boolean {\n\t// Check custom patterns first if provided\n\tif (customRegex) {\n\t\tfor (const pattern of customRegex) {\n\t\t\ttry {\n\t\t\t\tconst regex = new RegExp(pattern);\n\t\t\t\tif (regex.test(s)) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t} catch {\n\t\t\t\t// Invalid regex pattern, skip\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (!cfg.strict_mode && containsAllowedPattern(s)) {\n\t\treturn false;\n\t}\n\n\tconst longEnough = s.length >= cfg.min_length;\n\tconst diverse = charDiversity(s) >= cfg.min_diversity;\n\n\t// Check common prefixes first - these should always be detected\n\tif (COMMON_KEY_PREFIXES.some((prefix) => s.startsWith(prefix))) {\n\t\treturn true;\n\t}\n\n\t// For other candidates, check length and diversity\n\tif (!(longEnough && diverse)) {\n\t\treturn false;\n\t}\n\n\treturn entropy(s) >= cfg.min_entropy;\n}\n\n/**\n * Detect potential secret keys in text.\n */\nfunction detectSecretKeys(\n\ttext: string,\n\tcfg: (typeof CONFIGS)[keyof typeof CONFIGS],\n\tconfig: SecretKeysConfig,\n): GuardrailResult {\n\tconst words = text.split(/\\s+/).map((w) => w.replace(/[*#]/g, ''));\n\tconst secrets = words.filter((w) => isSecretCandidate(w, cfg, config.customRegex));\n\n\treturn {\n\t\tguardrailName: 'secretKeys',\n\t\ttripwireTriggered: secrets.length > 0,\n\t\tinfo: {\n\t\t\tmaskEntities: { SECRET: secrets },\n\t\t\tdetectedSecrets: secrets,\n\t\t},\n\t};\n}\n\n/**\n * Async guardrail function for secret key and credential detection.\n *\n * Scans the input for likely secrets or credentials (e.g., API keys, tokens)\n * using entropy, diversity, and pattern rules.\n *\n * @param data Input text to scan.\n * @param config Configuration for secret detection.\n * @returns GuardrailResult indicating if secrets were detected, with findings in info.\n */\nexport const secretKeysCheck = (data: string, config: SecretKeysConfig): GuardrailResult => {\n\tconst cfg = CONFIGS[config.threshold];\n\treturn detectSecretKeys(data, cfg, config);\n};\n\nexport const createSecretKeysCheckFn: CreateCheckFn<SecretKeysConfig> =\n\t(config) => (input: string) =>\n\t\tsecretKeysCheck(input, config);\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAkBA,MAAM,sBAAsB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACD;AAKA,MAAM,qBAAqB;AAAA,EAC1B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACD;AAKA,MAAM,UAQF;AAAA,EACH,QAAQ;AAAA,IACP,YAAY;AAAA,IACZ,aAAa;AAAA;AAAA,IACb,eAAe;AAAA,IACf,aAAa;AAAA,EACd;AAAA,EACA,UAAU;AAAA,IACT,YAAY;AAAA;AAAA,IACZ,aAAa;AAAA,IACb,eAAe;AAAA,IACf,aAAa;AAAA,EACd;AAAA,EACA,YAAY;AAAA,IACX,YAAY;AAAA,IACZ,aAAa;AAAA,IACb,eAAe;AAAA;AAAA,IACf,aAAa;AAAA,EACd;AACD;AAKA,SAAS,QAAQ,GAAmB;AACnC,MAAI,EAAE,WAAW,EAAG,QAAO;AAE3B,QAAM,SAAiC,CAAC;AACxC,aAAW,KAAK,GAAG;AAClB,WAAO,CAAC,KAAK,OAAO,CAAC,KAAK,KAAK;AAAA,EAChC;AAEA,MAAIA,WAAU;AACd,aAAW,SAAS,OAAO,OAAO,MAAM,GAAG;AAC1C,UAAM,cAAc,QAAQ,EAAE;AAC9B,IAAAA,YAAW,cAAc,KAAK,KAAK,WAAW;AAAA,EAC/C;AAEA,SAAOA;AACR;AAKA,SAAS,cAAc,GAAmB;AACzC,SAAO;AAAA,IACN,EACE,MAAM,EAAE,EACR,KAAK,CAAC,MAAM,MAAM,EAAE,YAAY,KAAK,MAAM,EAAE,YAAY,CAAC;AAAA;AAAA,IAC5D,EACE,MAAM,EAAE,EACR,KAAK,CAAC,MAAM,MAAM,EAAE,YAAY,KAAK,MAAM,EAAE,YAAY,CAAC;AAAA;AAAA,IAC5D,EACE,MAAM,EAAE,EACR,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC;AAAA;AAAA,IAC1B,EACE,MAAM,EAAE,EACR,KAAK,CAAC,MAAM,CAAC,KAAK,KAAK,CAAC,CAAC;AAAA;AAAA,EAC5B,EAAE,OAAO,OAAO,EAAE;AACnB;AAKA,SAAS,uBAAuB,MAAuB;AAEtD,QAAM,aAAa;AACnB,MAAI,WAAW,KAAK,IAAI,GAAG;AAG1B,QAAI,oBAAoB,KAAK,CAAC,WAAW,KAAK,SAAS,MAAM,CAAC,GAAG;AAChE,aAAO;AAAA,IACR;AACA,WAAO;AAAA,EACR;AAGA,QAAM,aAAa,IAAI;AAAA,IACtB,YAAY,mBAAmB,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,KAAK,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,IAC9E;AAAA,EACD;AACA,SAAO,WAAW,KAAK,IAAI;AAC5B;AAKA,SAAS,kBACR,GACA,KACA,aACU;AAEV,MAAI,aAAa;AAChB,eAAW,WAAW,aAAa;AAClC,UAAI;AACH,cAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,YAAI,MAAM,KAAK,CAAC,GAAG;AAClB,iBAAO;AAAA,QACR;AAAA,MACD,QAAQ;AAEP;AAAA,MACD;AAAA,IACD;AAAA,EACD;AAEA,MAAI,CAAC,IAAI,eAAe,uBAAuB,CAAC,GAAG;AAClD,WAAO;AAAA,EACR;AAEA,QAAM,aAAa,EAAE,UAAU,IAAI;AACnC,QAAM,UAAU,cAAc,CAAC,KAAK,IAAI;AAGxC,MAAI,oBAAoB,KAAK,CAAC,WAAW,EAAE,WAAW,MAAM,CAAC,GAAG;AAC/D,WAAO;AAAA,EACR;AAGA,MAAI,EAAE,cAAc,UAAU;AAC7B,WAAO;AAAA,EACR;AAEA,SAAO,QAAQ,CAAC,KAAK,IAAI;AAC1B;AAKA,SAAS,iBACR,MACA,KACA,QACkB;AAClB,QAAM,QAAQ,KAAK,MAAM,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,SAAS,EAAE,CAAC;AACjE,QAAM,UAAU,MAAM,OAAO,CAAC,MAAM,kBAAkB,GAAG,KAAK,OAAO,WAAW,CAAC;AAEjF,SAAO;AAAA,IACN,eAAe;AAAA,IACf,mBAAmB,QAAQ,SAAS;AAAA,IACpC,MAAM;AAAA,MACL,cAAc,EAAE,QAAQ,QAAQ;AAAA,MAChC,iBAAiB;AAAA,IAClB;AAAA,EACD;AACD;AAYO,MAAM,kBAAkB,CAAC,MAAc,WAA8C;AAC3F,QAAM,MAAM,QAAQ,OAAO,SAAS;AACpC,SAAO,iBAAiB,MAAM,KAAK,MAAM;AAC1C;AAEO,MAAM,0BACZ,CAAC,WAAW,CAAC,UACZ,gBAAgB,OAAO,MAAM;","names":["entropy"]}

package/dist/nodes/Guardrails/actions/checks/topicalAlignment.js ADDED Viewed

@@ -0,0 +1,38 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var topicalAlignment_exports = {};
+__export(topicalAlignment_exports, {
+  TOPICAL_ALIGNMENT_SYSTEM_PROMPT: () => TOPICAL_ALIGNMENT_SYSTEM_PROMPT,
+  createTopicalAlignmentCheckFn: () => createTopicalAlignmentCheckFn
+});
+module.exports = __toCommonJS(topicalAlignment_exports);
+var import_model = require("../../helpers/model");
+const TOPICAL_ALIGNMENT_SYSTEM_PROMPT = `You are a content analysis system that determines if text stays on topic.
+BUSINESS SCOPE: [INSERT BUSINESS SCOPE HERE]
+Determine if the text stays within the defined business scope. Flag any content
+that strays from the allowed topics.`;
+const createTopicalAlignmentCheckFn = (config) => (0, import_model.createLLMCheckFn)("topicalAlignment", config);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TOPICAL_ALIGNMENT_SYSTEM_PROMPT,
+  createTopicalAlignmentCheckFn
+});
+//# sourceMappingURL=topicalAlignment.js.map

package/dist/nodes/Guardrails/actions/checks/topicalAlignment.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../../nodes/Guardrails/actions/checks/topicalAlignment.ts"],"sourcesContent":["import { createLLMCheckFn } from '../../helpers/model';\nimport type { CreateCheckFn, LLMConfig } from '../types';\n\nexport const TOPICAL_ALIGNMENT_SYSTEM_PROMPT = `You are a content analysis system that determines if text stays on topic.\n\nBUSINESS SCOPE: [INSERT BUSINESS SCOPE HERE]\n\nDetermine if the text stays within the defined business scope. Flag any content\nthat strays from the allowed topics.`;\n\nexport const createTopicalAlignmentCheckFn: CreateCheckFn<LLMConfig> = (config) =>\n\tcreateLLMCheckFn('topicalAlignment', config);\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAiC;AAG1B,MAAM,kCAAkC;AAAA;AAAA;AAAA;AAAA;AAAA;AAOxC,MAAM,gCAA0D,CAAC,eACvE,+BAAiB,oBAAoB,MAAM;","names":[]}

package/dist/nodes/Guardrails/actions/checks/urls.js ADDED Viewed

@@ -0,0 +1,245 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var urls_exports = {};
+__export(urls_exports, {
+  createUrlsCheckFn: () => createUrlsCheckFn,
+  urls: () => urls
+});
+module.exports = __toCommonJS(urls_exports);
+function ipToInt(ip) {
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((part) => part < 0 || part > 255)) {
+    throw new Error(`Invalid IP address: ${ip}`);
+  }
+  return (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
+}
+function detectUrls(text) {
+  const PUNCTUATION_CLEANUP = /[.,;:!?)\\]]+$/;
+  const detectedUrls = [];
+  const schemePatterns = [
+    /https?:\/\/[^\s<>"{}|\\^`\[\]]+/gi,
+    /ftp:\/\/[^\s<>"{}|\\^`\[\]]+/gi,
+    /data:[^\s<>"{}|\\^`\[\]]+/gi,
+    /javascript:[^\s<>"{}|\\^`\[\]]+/gi,
+    /vbscript:[^\s<>"{}|\\^`\[\]]+/gi,
+    /mailto:[^\s<>"{}|\\^`\[\]]+/gi
+  ];
+  const schemeUrls = /* @__PURE__ */ new Set();
+  for (const pattern of schemePatterns) {
+    const matches = text.match(pattern) || [];
+    for (let match of matches) {
+      match = match.replace(PUNCTUATION_CLEANUP, "");
+      if (match) {
+        detectedUrls.push(match);
+        if (match.includes("://")) {
+          const domainPart = match.split("://", 2)[1].split("/")[0].split("?")[0].split("#")[0];
+          schemeUrls.add(domainPart.toLowerCase());
+        }
+      }
+    }
+  }
+  const domainPattern = /\b(?:www\.)?[a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,}(?:\/[^\s]*)?/gi;
+  const domainMatches = text.match(domainPattern) || [];
+  for (let match of domainMatches) {
+    match = match.replace(PUNCTUATION_CLEANUP, "");
+    if (match) {
+      const domainPart = match.split("/")[0].split("?")[0].split("#")[0].toLowerCase();
+      if (!schemeUrls.has(domainPart)) {
+        detectedUrls.push(match);
+      }
+    }
+  }
+  const ipPattern = /\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?::[0-9]+)?(?:\/[^\s]*)?/g;
+  const ipMatches = text.match(ipPattern) || [];
+  for (let match of ipMatches) {
+    match = match.replace(PUNCTUATION_CLEANUP, "");
+    if (match) {
+      const ipPart = match.split("/")[0].split("?")[0].split("#")[0].toLowerCase();
+      if (!schemeUrls.has(ipPart)) {
+        detectedUrls.push(match);
+      }
+    }
+  }
+  const finalUrls = [];
+  const schemeUrlDomains = /* @__PURE__ */ new Set();
+  for (const url of detectedUrls) {
+    if (url.includes("://")) {
+      try {
+        const parsed = new URL(url);
+        if (parsed.hostname) {
+          schemeUrlDomains.add(parsed.hostname.toLowerCase());
+          const bareDomain = parsed.hostname.toLowerCase().replace(/^www\./, "");
+          schemeUrlDomains.add(bareDomain);
+        }
+      } catch (error) {
+      }
+      finalUrls.push(url);
+    }
+  }
+  for (const url of detectedUrls) {
+    if (!url.includes("://")) {
+      const urlLower = url.toLowerCase().replace(/^www\./, "");
+      if (!schemeUrlDomains.has(urlLower)) {
+        finalUrls.push(url);
+      }
+    }
+  }
+  return [...new Set(finalUrls.filter((url) => url))];
+}
+function validateUrlSecurity(urlString, config) {
+  try {
+    let parsedUrl;
+    let originalScheme;
+    if (urlString.includes("://")) {
+      parsedUrl = new URL(urlString);
+      originalScheme = parsedUrl.protocol.replace(":", "");
+    } else if (urlString.includes(":") && urlString.split(":", 1)[0].match(/^(data|javascript|vbscript|mailto)$/)) {
+      parsedUrl = new URL(urlString);
+      originalScheme = parsedUrl.protocol.replace(":", "");
+    } else {
+      parsedUrl = new URL(`http://${urlString}`);
+      originalScheme = "http";
+    }
+    if (!parsedUrl.protocol) {
+      return { parsedUrl: null, reason: "Invalid URL format" };
+    }
+    const specialSchemes = /* @__PURE__ */ new Set(["data:", "javascript:", "vbscript:", "mailto:"]);
+    if (!specialSchemes.has(parsedUrl.protocol) && !parsedUrl.hostname) {
+      return { parsedUrl: null, reason: "Invalid URL format" };
+    }
+    if (!config.allowedSchemes.includes(originalScheme)) {
+      return { parsedUrl: null, reason: `Blocked scheme: ${originalScheme}` };
+    }
+    if (config.blockUserinfo && (parsedUrl.username || parsedUrl.password)) {
+      return { parsedUrl: null, reason: "Contains userinfo (potential credential injection)" };
+    }
+    return { parsedUrl, reason: "" };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    return { parsedUrl: null, reason: `Invalid URL format: ${errorMessage}` };
+  }
+}
+function isUrlAllowed(parsedUrl, allowList, allowSubdomains) {
+  if (allowList.length === 0) {
+    return false;
+  }
+  const urlHost = parsedUrl.hostname?.toLowerCase();
+  if (!urlHost) {
+    return false;
+  }
+  for (const allowedEntry of allowList) {
+    const entry = allowedEntry.toLowerCase().trim();
+    if (entry.includes("://")) {
+      try {
+        const allowedUrl = new URL(entry);
+        const allowedHost = allowedUrl.hostname?.toLowerCase();
+        const allowedPath = allowedUrl.pathname;
+        if (urlHost === allowedHost) {
+          if (!allowedPath || allowedPath === "/" || parsedUrl.pathname.startsWith(allowedPath)) {
+            return true;
+          }
+        }
+      } catch (error) {
+        throw new Error(
+          `Invalid URL in allow list: "${entry}" - ${error instanceof Error ? error.message : error}`
+        );
+      }
+      continue;
+    }
+    try {
+      if (/^\d+\.\d+\.\d+\.\d+/.test(entry.split("/")[0])) {
+        if (entry === urlHost) {
+          return true;
+        }
+        if (entry.includes("/") && urlHost.match(/^\d+\.\d+\.\d+\.\d+$/)) {
+          const [network, prefixStr] = entry.split("/");
+          const prefix = parseInt(prefixStr);
+          if (prefix >= 0 && prefix <= 32) {
+            const networkInt = ipToInt(network);
+            const hostInt = ipToInt(urlHost);
+            const mask = 4294967295 << 32 - prefix >>> 0;
+            if ((networkInt & mask) === (hostInt & mask)) {
+              return true;
+            }
+          }
+        }
+        continue;
+      }
+    } catch (error) {
+      if (/^\d+\.\d+/.test(entry)) {
+        console.warn(
+          `Warning: Malformed IP address in allow list: "${entry}" - ${error instanceof Error ? error.message : error}`
+        );
+      }
+    }
+    const allowedDomain = entry.replace(/^www\./, "");
+    const urlDomain = urlHost.replace(/^www\./, "");
+    if (urlDomain === allowedDomain) {
+      return true;
+    }
+    if (allowSubdomains && urlDomain.endsWith(`.${allowedDomain}`)) {
+      return true;
+    }
+  }
+  return false;
+}
+const urls = (data, config) => {
+  const detectedUrls = detectUrls(data);
+  const allowed = [];
+  const blocked = [];
+  const blockedReasons = [];
+  for (const urlString of detectedUrls) {
+    const { parsedUrl, reason } = validateUrlSecurity(urlString, config);
+    if (parsedUrl === null) {
+      blocked.push(urlString);
+      blockedReasons.push(`${urlString}: ${reason}`);
+      continue;
+    }
+    const hostlessSchemes = /* @__PURE__ */ new Set(["data:", "javascript:", "vbscript:", "mailto:"]);
+    if (hostlessSchemes.has(parsedUrl.protocol)) {
+      allowed.push(urlString);
+    } else if (isUrlAllowed(parsedUrl, config.allowedUrls, config.allowSubdomains)) {
+      allowed.push(urlString);
+    } else {
+      blocked.push(urlString);
+      blockedReasons.push(`${urlString}: Not in allow list`);
+    }
+  }
+  const tripwireTriggered = blocked.length > 0;
+  return {
+    guardrailName: "urls",
+    tripwireTriggered,
+    info: {
+      maskEntities: {
+        URL: blocked
+      },
+      detected: detectedUrls,
+      allowed,
+      blocked,
+      blockedReasons
+    }
+  };
+};
+const createUrlsCheckFn = (config) => (input) => urls(input, config);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createUrlsCheckFn,
+  urls
+});
+//# sourceMappingURL=urls.js.map

package/dist/nodes/Guardrails/actions/checks/urls.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../../nodes/Guardrails/actions/checks/urls.ts"],"sourcesContent":["// Source: https://github.com/openai/openai-guardrails-js/blob/b9b99b4fb454f02a362c2836aec6285176ec40a8/src/checks/urls.ts\n\nimport type { CreateCheckFn, GuardrailResult } from '../types';\n\nexport type UrlsConfig = {\n\tallowedUrls: string[];\n\tallowedSchemes: string[];\n\tblockUserinfo: boolean;\n\tallowSubdomains: boolean;\n};\n\n/**\n * Convert IPv4 address string to 32-bit integer for CIDR calculations.\n */\nfunction ipToInt(ip: string): number {\n\tconst parts = ip.split('.').map(Number);\n\tif (parts.length !== 4 || parts.some((part) => part < 0 || part > 255)) {\n\t\tthrow new Error(`Invalid IP address: ${ip}`);\n\t}\n\treturn (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3];\n}\n\n/**\n * Detect URLs in text using robust regex patterns.\n */\nfunction detectUrls(text: string): string[] {\n\t// Pattern for cleaning trailing punctuation (] must be escaped)\n\tconst PUNCTUATION_CLEANUP = /[.,;:!?)\\\\]]+$/;\n\n\tconst detectedUrls: string[] = [];\n\n\t// Pattern 1: URLs with schemes (highest priority)\n\tconst schemePatterns = [\n\t\t/https?:\\/\\/[^\\s<>\"{}|\\\\^`\\[\\]]+/gi,\n\t\t/ftp:\\/\\/[^\\s<>\"{}|\\\\^`\\[\\]]+/gi,\n\t\t/data:[^\\s<>\"{}|\\\\^`\\[\\]]+/gi,\n\t\t/javascript:[^\\s<>\"{}|\\\\^`\\[\\]]+/gi,\n\t\t/vbscript:[^\\s<>\"{}|\\\\^`\\[\\]]+/gi,\n\t\t/mailto:[^\\s<>\"{}|\\\\^`\\[\\]]+/gi,\n\t];\n\n\tconst schemeUrls = new Set<string>();\n\tfor (const pattern of schemePatterns) {\n\t\tconst matches = text.match(pattern) || [];\n\t\tfor (let match of matches) {\n\t\t\t// Clean trailing punctuation\n\t\t\tmatch = match.replace(PUNCTUATION_CLEANUP, '');\n\t\t\tif (match) {\n\t\t\t\tdetectedUrls.push(match);\n\t\t\t\t// Track the domain part to avoid duplicates\n\t\t\t\tif (match.includes('://')) {\n\t\t\t\t\tconst domainPart = match.split('://', 2)[1].split('/')[0].split('?')[0].split('#')[0];\n\t\t\t\t\tschemeUrls.add(domainPart.toLowerCase());\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Pattern 2: Domain-like patterns without schemes (exclude already found)\n\tconst domainPattern = /\\b(?:www\\.)?[a-zA-Z0-9][a-zA-Z0-9.-]*\\.[a-zA-Z]{2,}(?:\\/[^\\s]*)?/gi;\n\tconst domainMatches = text.match(domainPattern) || [];\n\n\tfor (let match of domainMatches) {\n\t\t// Clean trailing punctuation\n\t\tmatch = match.replace(PUNCTUATION_CLEANUP, '');\n\t\tif (match) {\n\t\t\t// Extract just the domain part for comparison\n\t\t\tconst domainPart = match.split('/')[0].split('?')[0].split('#')[0].toLowerCase();\n\t\t\t// Only add if we haven't already found this domain with a scheme\n\t\t\tif (!schemeUrls.has(domainPart)) {\n\t\t\t\tdetectedUrls.push(match);\n\t\t\t}\n\t\t}\n\t}\n\n\t// Pattern 3: IP addresses (exclude already found)\n\tconst ipPattern = /\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}(?::[0-9]+)?(?:\\/[^\\s]*)?/g;\n\tconst ipMatches = text.match(ipPattern) || [];\n\n\tfor (let match of ipMatches) {\n\t\t// Clean trailing punctuation\n\t\tmatch = match.replace(PUNCTUATION_CLEANUP, '');\n\t\tif (match) {\n\t\t\t// Extract IP part for comparison\n\t\t\tconst ipPart = match.split('/')[0].split('?')[0].split('#')[0].toLowerCase();\n\t\t\tif (!schemeUrls.has(ipPart)) {\n\t\t\t\tdetectedUrls.push(match);\n\t\t\t}\n\t\t}\n\t}\n\n\t// Advanced deduplication: Remove domains that are already part of full URLs\n\tconst finalUrls: string[] = [];\n\tconst schemeUrlDomains = new Set<string>();\n\n\t// First pass: collect all domains from scheme-ful URLs\n\tfor (const url of detectedUrls) {\n\t\tif (url.includes('://')) {\n\t\t\ttry {\n\t\t\t\tconst parsed = new URL(url);\n\t\t\t\tif (parsed.hostname) {\n\t\t\t\t\tschemeUrlDomains.add(parsed.hostname.toLowerCase());\n\t\t\t\t\t// Also add www-stripped version\n\t\t\t\t\tconst bareDomain = parsed.hostname.toLowerCase().replace(/^www\\./, '');\n\t\t\t\t\tschemeUrlDomains.add(bareDomain);\n\t\t\t\t}\n\t\t\t} catch (error) {\n\t\t\t\t// Skip URLs with parsing errors (malformed URLs, encoding issues)\n\t\t\t\t// This is expected for edge cases and doesn't require logging\n\t\t\t}\n\t\t\tfinalUrls.push(url);\n\t\t}\n\t}\n\n\t// Second pass: only add scheme-less URLs if their domain isn't already covered\n\tfor (const url of detectedUrls) {\n\t\tif (!url.includes('://')) {\n\t\t\t// Check if this domain is already covered by a full URL\n\t\t\tconst urlLower = url.toLowerCase().replace(/^www\\./, '');\n\t\t\tif (!schemeUrlDomains.has(urlLower)) {\n\t\t\t\tfinalUrls.push(url);\n\t\t\t}\n\t\t}\n\t}\n\n\t// Remove empty URLs and return unique list\n\treturn [...new Set(finalUrls.filter((url) => url))];\n}\n\n/**\n * Validate URL against security configuration.\n */\nfunction validateUrlSecurity(\n\turlString: string,\n\tconfig: UrlsConfig,\n): { parsedUrl: URL | null; reason: string } {\n\ttry {\n\t\tlet parsedUrl: URL;\n\t\tlet originalScheme: string;\n\n\t\t// Parse URL - preserve original scheme for validation\n\t\tif (urlString.includes('://')) {\n\t\t\t// Standard URL with double-slash scheme (http://, https://, ftp://, etc.)\n\t\t\tparsedUrl = new URL(urlString);\n\t\t\toriginalScheme = parsedUrl.protocol.replace(':', '');\n\t\t} else if (\n\t\t\turlString.includes(':') &&\n\t\t\turlString.split(':', 1)[0].match(/^(data|javascript|vbscript|mailto)$/)\n\t\t) {\n\t\t\t// Special single-colon schemes\n\t\t\tparsedUrl = new URL(urlString);\n\t\t\toriginalScheme = parsedUrl.protocol.replace(':', '');\n\t\t} else {\n\t\t\t// Add http scheme for parsing, but remember this is a default\n\t\t\tparsedUrl = new URL(`http://${urlString}`);\n\t\t\toriginalScheme = 'http'; // Default scheme for scheme-less URLs\n\t\t}\n\n\t\t// Basic validation: must have scheme and hostname (except for special schemes)\n\t\tif (!parsedUrl.protocol) {\n\t\t\treturn { parsedUrl: null, reason: 'Invalid URL format' };\n\t\t}\n\n\t\t// Special schemes like data: and javascript: don't need hostname\n\t\tconst specialSchemes = new Set(['data:', 'javascript:', 'vbscript:', 'mailto:']);\n\t\tif (!specialSchemes.has(parsedUrl.protocol) && !parsedUrl.hostname) {\n\t\t\treturn { parsedUrl: null, reason: 'Invalid URL format' };\n\t\t}\n\n\t\t// Security validations - use original scheme\n\t\tif (!config.allowedSchemes.includes(originalScheme)) {\n\t\t\treturn { parsedUrl: null, reason: `Blocked scheme: ${originalScheme}` };\n\t\t}\n\n\t\tif (config.blockUserinfo && (parsedUrl.username || parsedUrl.password)) {\n\t\t\treturn { parsedUrl: null, reason: 'Contains userinfo (potential credential injection)' };\n\t\t}\n\n\t\t// Everything else (IPs, localhost, private IPs) goes through allow list logic\n\t\treturn { parsedUrl, reason: '' };\n\t} catch (error) {\n\t\t// Provide specific error information for debugging\n\t\tconst errorMessage = error instanceof Error ? error.message : String(error);\n\t\treturn { parsedUrl: null, reason: `Invalid URL format: ${errorMessage}` };\n\t}\n}\n\n/**\n * Check if URL is allowed based on the allow list configuration.\n */\nfunction isUrlAllowed(parsedUrl: URL, allowList: string[], allowSubdomains: boolean): boolean {\n\tif (allowList.length === 0) {\n\t\treturn false;\n\t}\n\n\tconst urlHost = parsedUrl.hostname?.toLowerCase();\n\tif (!urlHost) {\n\t\treturn false;\n\t}\n\n\tfor (const allowedEntry of allowList) {\n\t\tconst entry = allowedEntry.toLowerCase().trim();\n\n\t\t// Handle full URLs with specific paths\n\t\tif (entry.includes('://')) {\n\t\t\ttry {\n\t\t\t\tconst allowedUrl = new URL(entry);\n\t\t\t\tconst allowedHost = allowedUrl.hostname?.toLowerCase();\n\t\t\t\tconst allowedPath = allowedUrl.pathname;\n\n\t\t\t\tif (urlHost === allowedHost) {\n\t\t\t\t\t// Check if the URL path starts with the allowed path\n\t\t\t\t\tif (!allowedPath || allowedPath === '/' || parsedUrl.pathname.startsWith(allowedPath)) {\n\t\t\t\t\t\treturn true;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t} catch (error) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Invalid URL in allow list: \"${entry}\" - ${error instanceof Error ? error.message : error}`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\n\t\t// Handle IP addresses and CIDR blocks\n\t\ttry {\n\t\t\t// Basic IP pattern check\n\t\t\tif (/^\\d+\\.\\d+\\.\\d+\\.\\d+/.test(entry.split('/')[0])) {\n\t\t\t\tif (entry === urlHost) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\t// Proper CIDR validation\n\t\t\t\tif (entry.includes('/') && urlHost.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n\t\t\t\t\tconst [network, prefixStr] = entry.split('/');\n\t\t\t\t\tconst prefix = parseInt(prefixStr);\n\n\t\t\t\t\tif (prefix >= 0 && prefix <= 32) {\n\t\t\t\t\t\t// Convert IPs to 32-bit integers for bitwise comparison\n\t\t\t\t\t\tconst networkInt = ipToInt(network);\n\t\t\t\t\t\tconst hostInt = ipToInt(urlHost);\n\n\t\t\t\t\t\t// Create subnet mask\n\t\t\t\t\t\tconst mask = (0xffffffff << (32 - prefix)) >>> 0;\n\n\t\t\t\t\t\t// Check if host is in the network\n\t\t\t\t\t\tif ((networkInt & mask) === (hostInt & mask)) {\n\t\t\t\t\t\t\treturn true;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t} catch (error) {\n\t\t\t// Expected: entry is not an IP address/CIDR, continue to domain matching\n\t\t\t// Only log if it looks like it was intended to be an IP but failed parsing\n\t\t\tif (/^\\d+\\.\\d+/.test(entry)) {\n\t\t\t\tconsole.warn(\n\t\t\t\t\t`Warning: Malformed IP address in allow list: \"${entry}\" - ${error instanceof Error ? error.message : error}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// Handle domain matching\n\t\tconst allowedDomain = entry.replace(/^www\\./, '');\n\t\tconst urlDomain = urlHost.replace(/^www\\./, '');\n\n\t\t// Exact match always allowed\n\t\tif (urlDomain === allowedDomain) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Subdomain matching if enabled\n\t\tif (allowSubdomains && urlDomain.endsWith(`.${allowedDomain}`)) {\n\t\t\treturn true;\n\t\t}\n\t}\n\n\treturn false;\n}\n\n/**\n * Main URL filtering function.\n */\nexport const urls = (data: string, config: UrlsConfig): GuardrailResult => {\n\t// Detect URLs in the text\n\tconst detectedUrls = detectUrls(data);\n\n\tconst allowed: string[] = [];\n\tconst blocked: string[] = [];\n\tconst blockedReasons: string[] = [];\n\n\tfor (const urlString of detectedUrls) {\n\t\t// Validate URL with security checks\n\t\tconst { parsedUrl, reason } = validateUrlSecurity(urlString, config);\n\n\t\tif (parsedUrl === null) {\n\t\t\tblocked.push(urlString);\n\t\t\tblockedReasons.push(`${urlString}: ${reason}`);\n\t\t\tcontinue;\n\t\t}\n\n\t\t// Check against allow list\n\t\t// Special schemes (data:, javascript:, mailto:) don't have meaningful hosts\n\t\t// so they only need scheme validation, not host-based allow list checking\n\t\tconst hostlessSchemes = new Set(['data:', 'javascript:', 'vbscript:', 'mailto:']);\n\t\tif (hostlessSchemes.has(parsedUrl.protocol)) {\n\t\t\t// For hostless schemes, only scheme permission matters (no allow list needed)\n\t\t\t// They were already validated for scheme permission in validateUrlSecurity\n\t\t\tallowed.push(urlString);\n\t\t} else if (isUrlAllowed(parsedUrl, config.allowedUrls, config.allowSubdomains)) {\n\t\t\tallowed.push(urlString);\n\t\t} else {\n\t\t\tblocked.push(urlString);\n\t\t\tblockedReasons.push(`${urlString}: Not in allow list`);\n\t\t}\n\t}\n\n\tconst tripwireTriggered = blocked.length > 0;\n\n\treturn {\n\t\tguardrailName: 'urls',\n\t\ttripwireTriggered,\n\t\tinfo: {\n\t\t\tmaskEntities: {\n\t\t\t\tURL: blocked,\n\t\t\t},\n\t\t\tdetected: detectedUrls,\n\t\t\tallowed,\n\t\t\tblocked,\n\t\t\tblockedReasons,\n\t\t},\n\t};\n};\n\nexport const createUrlsCheckFn: CreateCheckFn<UrlsConfig> = (config) => (input: string) =>\n\turls(input, config);\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAcA,SAAS,QAAQ,IAAoB;AACpC,QAAM,QAAQ,GAAG,MAAM,GAAG,EAAE,IAAI,MAAM;AACtC,MAAI,MAAM,WAAW,KAAK,MAAM,KAAK,CAAC,SAAS,OAAO,KAAK,OAAO,GAAG,GAAG;AACvE,UAAM,IAAI,MAAM,uBAAuB,EAAE,EAAE;AAAA,EAC5C;AACA,UAAQ,MAAM,CAAC,KAAK,OAAO,MAAM,CAAC,KAAK,OAAO,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC;AACvE;AAKA,SAAS,WAAW,MAAwB;AAE3C,QAAM,sBAAsB;AAE5B,QAAM,eAAyB,CAAC;AAGhC,QAAM,iBAAiB;AAAA,IACtB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD;AAEA,QAAM,aAAa,oBAAI,IAAY;AACnC,aAAW,WAAW,gBAAgB;AACrC,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,CAAC;AACxC,aAAS,SAAS,SAAS;AAE1B,cAAQ,MAAM,QAAQ,qBAAqB,EAAE;AAC7C,UAAI,OAAO;AACV,qBAAa,KAAK,KAAK;AAEvB,YAAI,MAAM,SAAS,KAAK,GAAG;AAC1B,gBAAM,aAAa,MAAM,MAAM,OAAO,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC;AACpF,qBAAW,IAAI,WAAW,YAAY,CAAC;AAAA,QACxC;AAAA,MACD;AAAA,IACD;AAAA,EACD;AAGA,QAAM,gBAAgB;AACtB,QAAM,gBAAgB,KAAK,MAAM,aAAa,KAAK,CAAC;AAEpD,WAAS,SAAS,eAAe;AAEhC,YAAQ,MAAM,QAAQ,qBAAqB,EAAE;AAC7C,QAAI,OAAO;AAEV,YAAM,aAAa,MAAM,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,EAAE,YAAY;AAE/E,UAAI,CAAC,WAAW,IAAI,UAAU,GAAG;AAChC,qBAAa,KAAK,KAAK;AAAA,MACxB;AAAA,IACD;AAAA,EACD;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY,KAAK,MAAM,SAAS,KAAK,CAAC;AAE5C,WAAS,SAAS,WAAW;AAE5B,YAAQ,MAAM,QAAQ,qBAAqB,EAAE;AAC7C,QAAI,OAAO;AAEV,YAAM,SAAS,MAAM,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,EAAE,YAAY;AAC3E,UAAI,CAAC,WAAW,IAAI,MAAM,GAAG;AAC5B,qBAAa,KAAK,KAAK;AAAA,MACxB;AAAA,IACD;AAAA,EACD;AAGA,QAAM,YAAsB,CAAC;AAC7B,QAAM,mBAAmB,oBAAI,IAAY;AAGzC,aAAW,OAAO,cAAc;AAC/B,QAAI,IAAI,SAAS,KAAK,GAAG;AACxB,UAAI;AACH,cAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,YAAI,OAAO,UAAU;AACpB,2BAAiB,IAAI,OAAO,SAAS,YAAY,CAAC;AAElD,gBAAM,aAAa,OAAO,SAAS,YAAY,EAAE,QAAQ,UAAU,EAAE;AACrE,2BAAiB,IAAI,UAAU;AAAA,QAChC;AAAA,MACD,SAAS,OAAO;AAAA,MAGhB;AACA,gBAAU,KAAK,GAAG;AAAA,IACnB;AAAA,EACD;AAGA,aAAW,OAAO,cAAc;AAC/B,QAAI,CAAC,IAAI,SAAS,KAAK,GAAG;AAEzB,YAAM,WAAW,IAAI,YAAY,EAAE,QAAQ,UAAU,EAAE;AACvD,UAAI,CAAC,iBAAiB,IAAI,QAAQ,GAAG;AACpC,kBAAU,KAAK,GAAG;AAAA,MACnB;AAAA,IACD;AAAA,EACD;AAGA,SAAO,CAAC,GAAG,IAAI,IAAI,UAAU,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACnD;AAKA,SAAS,oBACR,WACA,QAC4C;AAC5C,MAAI;AACH,QAAI;AACJ,QAAI;AAGJ,QAAI,UAAU,SAAS,KAAK,GAAG;AAE9B,kBAAY,IAAI,IAAI,SAAS;AAC7B,uBAAiB,UAAU,SAAS,QAAQ,KAAK,EAAE;AAAA,IACpD,WACC,UAAU,SAAS,GAAG,KACtB,UAAU,MAAM,KAAK,CAAC,EAAE,CAAC,EAAE,MAAM,qCAAqC,GACrE;AAED,kBAAY,IAAI,IAAI,SAAS;AAC7B,uBAAiB,UAAU,SAAS,QAAQ,KAAK,EAAE;AAAA,IACpD,OAAO;AAEN,kBAAY,IAAI,IAAI,UAAU,SAAS,EAAE;AACzC,uBAAiB;AAAA,IAClB;AAGA,QAAI,CAAC,UAAU,UAAU;AACxB,aAAO,EAAE,WAAW,MAAM,QAAQ,qBAAqB;AAAA,IACxD;AAGA,UAAM,iBAAiB,oBAAI,IAAI,CAAC,SAAS,eAAe,aAAa,SAAS,CAAC;AAC/E,QAAI,CAAC,eAAe,IAAI,UAAU,QAAQ,KAAK,CAAC,UAAU,UAAU;AACnE,aAAO,EAAE,WAAW,MAAM,QAAQ,qBAAqB;AAAA,IACxD;AAGA,QAAI,CAAC,OAAO,eAAe,SAAS,cAAc,GAAG;AACpD,aAAO,EAAE,WAAW,MAAM,QAAQ,mBAAmB,cAAc,GAAG;AAAA,IACvE;AAEA,QAAI,OAAO,kBAAkB,UAAU,YAAY,UAAU,WAAW;AACvE,aAAO,EAAE,WAAW,MAAM,QAAQ,qDAAqD;AAAA,IACxF;AAGA,WAAO,EAAE,WAAW,QAAQ,GAAG;AAAA,EAChC,SAAS,OAAO;AAEf,UAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAC1E,WAAO,EAAE,WAAW,MAAM,QAAQ,uBAAuB,YAAY,GAAG;AAAA,EACzE;AACD;AAKA,SAAS,aAAa,WAAgB,WAAqB,iBAAmC;AAC7F,MAAI,UAAU,WAAW,GAAG;AAC3B,WAAO;AAAA,EACR;AAEA,QAAM,UAAU,UAAU,UAAU,YAAY;AAChD,MAAI,CAAC,SAAS;AACb,WAAO;AAAA,EACR;AAEA,aAAW,gBAAgB,WAAW;AACrC,UAAM,QAAQ,aAAa,YAAY,EAAE,KAAK;AAG9C,QAAI,MAAM,SAAS,KAAK,GAAG;AAC1B,UAAI;AACH,cAAM,aAAa,IAAI,IAAI,KAAK;AAChC,cAAM,cAAc,WAAW,UAAU,YAAY;AACrD,cAAM,cAAc,WAAW;AAE/B,YAAI,YAAY,aAAa;AAE5B,cAAI,CAAC,eAAe,gBAAgB,OAAO,UAAU,SAAS,WAAW,WAAW,GAAG;AACtF,mBAAO;AAAA,UACR;AAAA,QACD;AAAA,MACD,SAAS,OAAO;AACf,cAAM,IAAI;AAAA,UACT,+BAA+B,KAAK,OAAO,iBAAiB,QAAQ,MAAM,UAAU,KAAK;AAAA,QAC1F;AAAA,MACD;AACA;AAAA,IACD;AAGA,QAAI;AAEH,UAAI,sBAAsB,KAAK,MAAM,MAAM,GAAG,EAAE,CAAC,CAAC,GAAG;AACpD,YAAI,UAAU,SAAS;AACtB,iBAAO;AAAA,QACR;AAEA,YAAI,MAAM,SAAS,GAAG,KAAK,QAAQ,MAAM,sBAAsB,GAAG;AACjE,gBAAM,CAAC,SAAS,SAAS,IAAI,MAAM,MAAM,GAAG;AAC5C,gBAAM,SAAS,SAAS,SAAS;AAEjC,cAAI,UAAU,KAAK,UAAU,IAAI;AAEhC,kBAAM,aAAa,QAAQ,OAAO;AAClC,kBAAM,UAAU,QAAQ,OAAO;AAG/B,kBAAM,OAAQ,cAAe,KAAK,WAAa;AAG/C,iBAAK,aAAa,WAAW,UAAU,OAAO;AAC7C,qBAAO;AAAA,YACR;AAAA,UACD;AAAA,QACD;AACA;AAAA,MACD;AAAA,IACD,SAAS,OAAO;AAGf,UAAI,YAAY,KAAK,KAAK,GAAG;AAC5B,gBAAQ;AAAA,UACP,iDAAiD,KAAK,OAAO,iBAAiB,QAAQ,MAAM,UAAU,KAAK;AAAA,QAC5G;AAAA,MACD;AAAA,IACD;AAGA,UAAM,gBAAgB,MAAM,QAAQ,UAAU,EAAE;AAChD,UAAM,YAAY,QAAQ,QAAQ,UAAU,EAAE;AAG9C,QAAI,cAAc,eAAe;AAChC,aAAO;AAAA,IACR;AAGA,QAAI,mBAAmB,UAAU,SAAS,IAAI,aAAa,EAAE,GAAG;AAC/D,aAAO;AAAA,IACR;AAAA,EACD;AAEA,SAAO;AACR;AAKO,MAAM,OAAO,CAAC,MAAc,WAAwC;AAE1E,QAAM,eAAe,WAAW,IAAI;AAEpC,QAAM,UAAoB,CAAC;AAC3B,QAAM,UAAoB,CAAC;AAC3B,QAAM,iBAA2B,CAAC;AAElC,aAAW,aAAa,cAAc;AAErC,UAAM,EAAE,WAAW,OAAO,IAAI,oBAAoB,WAAW,MAAM;AAEnE,QAAI,cAAc,MAAM;AACvB,cAAQ,KAAK,SAAS;AACtB,qBAAe,KAAK,GAAG,SAAS,KAAK,MAAM,EAAE;AAC7C;AAAA,IACD;AAKA,UAAM,kBAAkB,oBAAI,IAAI,CAAC,SAAS,eAAe,aAAa,SAAS,CAAC;AAChF,QAAI,gBAAgB,IAAI,UAAU,QAAQ,GAAG;AAG5C,cAAQ,KAAK,SAAS;AAAA,IACvB,WAAW,aAAa,WAAW,OAAO,aAAa,OAAO,eAAe,GAAG;AAC/E,cAAQ,KAAK,SAAS;AAAA,IACvB,OAAO;AACN,cAAQ,KAAK,SAAS;AACtB,qBAAe,KAAK,GAAG,SAAS,qBAAqB;AAAA,IACtD;AAAA,EACD;AAEA,QAAM,oBAAoB,QAAQ,SAAS;AAE3C,SAAO;AAAA,IACN,eAAe;AAAA,IACf;AAAA,IACA,MAAM;AAAA,MACL,cAAc;AAAA,QACb,KAAK;AAAA,MACN;AAAA,MACA,UAAU;AAAA,MACV;AAAA,MACA;AAAA,MACA;AAAA,IACD;AAAA,EACD;AACD;AAEO,MAAM,oBAA+C,CAAC,WAAW,CAAC,UACxE,KAAK,OAAO,MAAM;","names":[]}