@nekzus/liop 1.3.0-alpha.1 → 2.0.0-alpha.1

package/README.md

@@ -188,9 +188,24 @@ new LiopServer(
   serverInfo: { name: string; version: string },
   config?: {
     capabilities?: Record<string, unknown>;
+    workerPool?: {
+      enabled?: boolean;           // Enable OS-thread sandboxing (default: true)
+      maxThreads?: number;         // Max worker threads (default: CPU count)
+      maxHeapMb?: number;          // V8 heap limit per worker (default: 64, env: LIOP_WORKER_MAX_HEAP_MB)
+    };
     security?: {
       piiPatterns?: PiiRule[];     // Regex/validator rules for PII detection
       forbiddenKeys?: string[];    // Keys stripped from outgoing responses
+      enableNerScanning?: boolean; // NLP entity detection via compromise (default: false)
+      rateLimit?: {                // Sliding window rate limiter per tool
+        maxPerWindow?: number;     // Max calls per window (default: 30)
+        windowMs?: number;         // Window duration in ms (default: 60000)
+      };
+    };
+    taxonomy?: {                   // Data domain classification
+      domain?: string;             // e.g., "finance", "healthcare"
+      clearanceTier?: string;      // e.g., "tier-0", "tier-1"
+      executionTypes?: string[];   // e.g., ["aggregation", "analytics"]
     };
   }
 )
@@ -243,22 +258,31 @@ await bridge.connect();
 ### The Shield — Multi-Layer Defense
 
 ```
-┌─────────────────────────────────────────────────────┐
-│  Layer 1: Guardian AST (Zero-Time Static Analysis)  │
-│  Blocks: require, import(), fs, eval, fetch,        │
-│  process, global, __proto__, XMLHttpRequest         │
-├─────────────────────────────────────────────────────┤
-│  Layer 2: WASI Sandbox (V8 Isolate)                 │
-│  No Node.js globals • CPU Fuel limits • 3s timeout  │
-├─────────────────────────────────────────────────────┤
-│  Layer 3: PII Shield (Egress Filter)                │
-│  Scans output for Email, SSN, Credit Card, IP       │
-│  Strips forbidden keys from response objects        │
-├─────────────────────────────────────────────────────┤
-│  Layer 4: ZK-Receipt (Integrity Verification)       │
-│  SHA-256 ImageID + SHA-512 RISC0-style Seal         │
-│  LiopMcpBridge verifies before forwarding to LLM    │
-└─────────────────────────────────────────────────────┘
+┌───────────────────────────────────────────────────────────┐
+│  Layer 1: Guardian AST (Zero-Time Static Analysis)        │
+│  Blocks: require, import(), fs, eval, fetch, process,     │
+│  global, __proto__, XMLHttpRequest • 128 import cap       │
+├───────────────────────────────────────────────────────────┤
+│  Layer 2: WASI Sandbox (V8 Isolate)                       │
+│  25 poisoned globals (incl. Date, TypedArrays) •          │
+│  CPU Fuel limits • 5s timeout • maxHeapMb (64MB default)  │
+├───────────────────────────────────────────────────────────┤
+│  Layer 3: Prototype Pollution Defense                     │
+│  Object.freeze() on 6 core prototypes (Object, Array,     │
+│  String, Number, Boolean, Function) inside sandbox IIFE   │
+├───────────────────────────────────────────────────────────┤
+│  Layer 4: PII Shield (Egress Filter)                      │
+│  Scans output for Email, SSN, Credit Card, IP, IBAN,      │
+│  Passport MRZ • Strips forbidden keys • NER opt-in        │
+├───────────────────────────────────────────────────────────┤
+│  Layer 5: Aggregation-First Policy                        │
+│  Blocks raw row export • maxOutputRows (default: 10) •    │
+│  Conditional error: detailed (dev) vs opaque (production) │
+├───────────────────────────────────────────────────────────┤
+│  Layer 6: ZK-Receipt (Integrity Verification)             │
+│  SHA-256 ImageID + HMAC-SHA256 Seal (Kyber768-derived)    │
+│  LiopMcpBridge verifies before forwarding to LLM          │
+└───────────────────────────────────────────────────────────┘
 ```
 
 ### PII Patterns
@@ -390,7 +414,7 @@ await server.connectToMesh();
 
 This package is continuously tested across multiple platforms and Node.js versions via CI/CD:
 
-- **209+ tests** spanning unit, integration, conformance, and crossnet suites
+- **227+ tests** spanning unit, integration, conformance, adversarial, and crossnet suites
 - **Multi-OS matrix:** Ubuntu, Windows, macOS
 - **Node.js versions:** 22.x, 24.x
 - **Code quality:** Enforced by [Biome.js](https://biomejs.dev/) (linting + formatting)

package/dist/gateway/router.d.ts

@@ -62,6 +62,13 @@ export declare class LiopMcpRouter {
      * by searching the manifest cache. Supports exact names and suffixed names.
      */
     private resolveManifestTarget;
+    /**
+     * Redacts a PeerID for external-facing diagnostics.
+     * LIOP_DIAGNOSTIC_LEVEL controls verbosity:
+     *   - "redacted" (default): truncated to last 8 chars
+     *   - "full": complete PeerID (development only)
+     */
+    private redactPeerId;
     private transcodeMcpToLiop;
     private routeToRemoteProvider;
     private performTranscoding;

package/dist/gateway/router.js

@@ -72,6 +72,11 @@ export class LiopMcpRouter {
                 log.info(`[LIOP-Router] Failed to announce manifest: ${err instanceof Error ? err.message : String(err)}`);
             });
         }
+        // [OWASP-A01] Startup warning when diagnostic level exposes full topology
+        if (process.env.LIOP_DIAGNOSTIC_LEVEL === "full") {
+            process.stderr.write("⚠️ [LIOP-Security] Diagnostic level set to FULL — " +
+                "PeerIDs and network topology are exposed. Do NOT use in production.\n");
+        }
     }
     shouldSkipManifestQuery(peerId) {
         const state = this.manifestFailureState.get(peerId);
@@ -691,6 +696,18 @@ export class LiopMcpRouter {
         }
         return null;
     }
+    /**
+     * Redacts a PeerID for external-facing diagnostics.
+     * LIOP_DIAGNOSTIC_LEVEL controls verbosity:
+     *   - "redacted" (default): truncated to last 8 chars
+     *   - "full": complete PeerID (development only)
+     */
+    redactPeerId(peerId) {
+        const level = process.env.LIOP_DIAGNOSTIC_LEVEL || "redacted";
+        if (level === "full")
+            return peerId;
+        return `***${peerId.slice(-8)}`;
+    }
     // biome-ignore lint/suspicious/noExplicitAny: MCP JSON-RPC params/id are polymorphic
     async transcodeMcpToLiop(id, params) {
         const toolName = params.name;
@@ -724,16 +741,17 @@ export class LiopMcpRouter {
                 .map((addr) => {
                 const parts = addr.split("/");
                 const id = parts[parts.length - 1];
-                return `  • ${id ? id.slice(-8) : "Unknown"} (${addr})`;
+                return `  • ${id ? id.slice(-8) : "Unknown"} (bootstrap)`;
             })
                 .join("\n");
             const routingTableSize = this.meshNode
                 ? // biome-ignore lint/suspicious/noExplicitAny: access internal nodes
                     this.meshNode.getRoutingTableSize()
                 : 0;
-            const localPeerId = this.meshNode?.getPeerId() || "Offline";
+            const rawPeerId = this.meshNode?.getPeerId() || "Offline";
+            const localPeerId = rawPeerId === "Offline" ? rawPeerId : this.redactPeerId(rawPeerId);
             const cachedToolList = Array.from(this.manifestCache.entries())
-                .flatMap(([peerId, { manifest }]) => manifest.tools.map((t) => `  • ${t.name} (from origin: ${peerId})`))
+                .flatMap(([peerId, { manifest }]) => manifest.tools.map((t) => `  • ${t.name} (from origin: ${this.redactPeerId(peerId)})`))
                 .join("\n");
             const statusText = [
                 `LIOP Mesh Status: ${meshState === "Active" ? "Active" : "Offline"}`,

package/dist/sandbox/wasi.js

@@ -117,6 +117,23 @@ export class WasiSandbox {
             sandboxEnv.eval = undefined;
             sandboxEnv.Function = undefined;
             sandboxEnv.SharedArrayBuffer = undefined;
+            sandboxEnv.Date = undefined;
+            // [DoS Defense] Block off-heap memory allocation vectors.
+            // Logic-on-Origin operates on JSON data (env.records) — binary buffers
+            // serve no legitimate purpose and enable memory exhaustion DoS.
+            // (Uint8Array(2GB) bypassed Piscina's maxOldGenerationSizeMb limit)
+            sandboxEnv.ArrayBuffer = undefined;
+            sandboxEnv.Uint8Array = undefined;
+            sandboxEnv.Int8Array = undefined;
+            sandboxEnv.Uint16Array = undefined;
+            sandboxEnv.Int16Array = undefined;
+            sandboxEnv.Uint32Array = undefined;
+            sandboxEnv.Int32Array = undefined;
+            sandboxEnv.Float32Array = undefined;
+            sandboxEnv.Float64Array = undefined;
+            sandboxEnv.BigInt64Array = undefined;
+            sandboxEnv.BigUint64Array = undefined;
+            sandboxEnv.DataView = undefined;
             // Inject strictly monitored globals
             sandboxEnv.records = JSON.parse(JSON.stringify(records)); // Deep copy safety
             sandboxEnv.env = JSON.parse(JSON.stringify(env));
@@ -155,6 +172,13 @@ export class WasiSandbox {
             const scriptCode = `
 				(function() {
 					try {
+						Object.freeze(Object.prototype);
+						Object.freeze(Array.prototype);
+						Object.freeze(String.prototype);
+						Object.freeze(Number.prototype);
+						Object.freeze(Boolean.prototype);
+						Object.freeze(Object.getPrototypeOf(function(){}));
+
 						${processedLogic}
 						if (typeof liop_main === 'function') {
 							return liop_main(env);

package/dist/server/index.d.ts

@@ -1,8 +1,9 @@
 import { z } from "zod";
 import { MeshNode } from "../mesh/node.js";
 import type { CallToolRequest, CallToolResult, GetPromptRequest, GetPromptResult, Prompt, Resource, ServerInfo, Tool } from "../types.js";
+import { NerScanner } from "./ner-scanner.js";
 import { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from "./pii.js";
-export { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };
+export { NerScanner, PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };
 export type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (args: z.infer<z.ZodObject<T>>, extra: {
     signal?: AbortSignal;
 }) => Promise<CallToolResult>;
@@ -13,10 +14,21 @@ export interface LiopServerOptions {
         minThreads?: number;
         maxThreads?: number;
         idleTimeout?: number;
+        /** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */
+        maxHeapMb?: number;
     };
     security?: {
         piiPatterns?: PiiRule[];
         forbiddenKeys?: string[];
+        /** Enable NLP-based Named Entity Recognition scanning on output values. */
+        enableNerScanning?: boolean;
+        /** Rate limiting configuration for tool calls (OWASP A01). */
+        rateLimit?: {
+            /** Maximum calls per window per tool (default: 30). */
+            maxPerWindow?: number;
+            /** Sliding window duration in milliseconds (default: 60000 = 1 min). */
+            windowMs?: number;
+        };
     };
     taxonomy?: {
         domain?: string;
@@ -53,6 +65,9 @@ export declare class LiopServer {
     private readonly CACHE_TTL_MS;
     private readonly THROTTLE_THRESHOLD;
     private readonly THROTTLE_COOLDOWN_MS;
+    private toolCallWindows;
+    private readonly toolCallMaxPerWindow;
+    private readonly toolCallWindowMs;
     private tools;
     private resources;
     private prompts;
@@ -128,6 +143,13 @@ export declare class LiopServer {
      * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).
      */
     clearAstCache(): void;
+    /**
+     * Sliding window rate limiter for tool call frequency.
+     * Prevents micro-query exfiltration attacks where an attacker
+     * makes hundreds of individually-legitimate calls to reconstruct
+     * the full dataset field by field. (OWASP A01)
+     */
+    private checkToolCallRateLimit;
     /**
      * Emulates calling a tool (used locally or via LIOPMcpBridge)
      */

package/dist/server/index.js

@@ -10,8 +10,9 @@ import { zodToJsonSchema } from "zod-to-json-schema";
 import { MeshNode } from "../mesh/node.js";
 import { LiopRpcServer } from "../rpc/server.js";
 import { log } from "../utils/logger.js";
+import { NerScanner } from "./ner-scanner.js";
 import { PII_PATTERNS, PII_PRESETS, PiiScanner } from "./pii.js";
-export { PII_PATTERNS, PII_PRESETS, PiiScanner };
+export { NerScanner, PII_PATTERNS, PII_PRESETS, PiiScanner };
 /**
  * When enabled, `payload` tools that are not LIOP v1 envelopes are passed through to the
  * registered handler unchanged (no worker extraction). Default off for strict protocol tests.
@@ -29,6 +30,10 @@ export class LiopServer {
     CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
     THROTTLE_THRESHOLD = 5;
     THROTTLE_COOLDOWN_MS = 60 * 1000; // 60 seconds
+    // [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration
+    toolCallWindows = new Map();
+    toolCallMaxPerWindow;
+    toolCallWindowMs;
     tools = new Map();
     resources = new Map();
     prompts = new Map();
@@ -67,8 +72,10 @@ export class LiopServer {
         const compact = logic.replace(/\s+/g, " ");
         if (policy.enforceAggregationFirst) {
             const rowExtractionPatterns = [
-                /return\s+env\.records\b/i,
-                /return\s*\{[\s\S]*\b(accounts|patients|rows|records)\s*:\s*env\.records/i,
+                // Block raw record dumps but allow safe aggregation chains
+                // (.reduce, .length, .filter().length, .every, .some)
+                /return\s+env\.records(?!\s*\.\s*(?:reduce|length|filter|every|some|find)\b)/i,
+                /return\s*\{[\s\S]*\b(accounts|patients|rows|records)\s*:\s*env\.records(?!\s*\.\s*(?:reduce|length|filter)\b)/i,
             ];
             if (rowExtractionPatterns.some((p) => p.test(compact))) {
                 return "Preflight policy rejected: potential row-level export pattern detected.";
@@ -84,15 +91,29 @@ export class LiopServer {
             return null;
         const parsed = this.parseUnknownJson(output);
         if (policy.outputSchema) {
-            const schemaResult = policy.outputSchema.safeParse(parsed);
+            // SEC-HARDENING: Force strict mode on ZodObject schemas to prevent
+            // key aliasing bypasses via .passthrough(). However, respect schemas
+            // that explicitly use .catchall() — calling .strict() would override
+            // the catchall with ZodNever, destroying the developer's intent.
+            const effectiveSchema = (() => {
+                if (!(policy.outputSchema instanceof z.ZodObject)) {
+                    return policy.outputSchema;
+                }
+                const obj = policy.outputSchema;
+                // If schema has an explicit catchall (not ZodNever), respect it
+                if (!(obj._def.catchall instanceof z.ZodNever)) {
+                    return obj;
+                }
+                // Otherwise force strict to block unrecognized keys by default
+                return obj.strict();
+            })();
+            const schemaResult = effectiveSchema.safeParse(parsed);
             if (!schemaResult.success) {
-                // Include a truncated preview of the rejected value so the LLM can self-correct
-                const preview = typeof parsed === "string"
-                    ? parsed.slice(0, 200)
-                    : JSON.stringify(parsed).slice(0, 200);
+                // SEC-CRITICAL: Never expose rejected data in error messages.
+                // Only report the structural violation (unrecognized keys, type mismatches).
                 return `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues
                     .map((i) => `${i.path.join(".") || "<root>"} ${i.message}`)
-                    .join("; ")}. Rejected value: ${preview}. HINT: Use 'env.records' to access the dataset inside your logic.`;
+                    .join("; ")}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;
             }
         }
         if (policy.enforceAggregationFirst &&
@@ -143,6 +164,14 @@ export class LiopServer {
         return this.unwrapForAggregationPolicyScan(joined);
     }
     violatesAggregationFirstPolicy(input, policyObj) {
+        const maxRows = typeof policyObj === "object" &&
+            typeof policyObj.maxOutputRows === "number"
+            ? policyObj.maxOutputRows
+            : 10;
+        const allowPrimitives = typeof policyObj === "object" &&
+            typeof policyObj.allowPrimitiveArrays === "boolean"
+            ? policyObj.allowPrimitiveArrays
+            : true;
         if (typeof input === "string") {
             const trimmed = input.trim();
             if ((trimmed.startsWith("{") && trimmed.endsWith("}")) ||
@@ -157,14 +186,6 @@ export class LiopServer {
             return false;
         }
         if (Array.isArray(input)) {
-            const maxRows = typeof policyObj === "object" &&
-                typeof policyObj.maxOutputRows === "number"
-                ? policyObj.maxOutputRows
-                : 10;
-            const allowPrimitives = typeof policyObj === "object" &&
-                typeof policyObj.allowPrimitiveArrays === "boolean"
-                ? policyObj.allowPrimitiveArrays
-                : true;
             if (input.length > 0 &&
                 input.every((item) => typeof item === "object" && item !== null)) {
                 // Treat tabular row export as non-aggregated leakage risk if above threshold.
@@ -182,6 +203,11 @@ export class LiopServer {
             return input.some((item) => this.violatesAggregationFirstPolicy(item, policyObj));
         }
         if (input && typeof input === "object") {
+            const keys = Object.keys(input);
+            // Treat flat dictionary with too many keys as non-aggregated leakage risk (Dynamic Key Bypass).
+            if (keys.length > maxRows) {
+                return true;
+            }
             return Object.values(input).some((value) => this.violatesAggregationFirstPolicy(value, policyObj));
         }
         return false;
@@ -189,6 +215,9 @@ export class LiopServer {
     constructor(serverInfo, config) {
         this.serverInfo = serverInfo;
         this.config = config;
+        const nerScanner = this.config?.security?.enableNerScanning
+            ? new NerScanner()
+            : null;
         this.piiScanner = new PiiScanner(this.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT, this.config?.security?.forbiddenKeys ?? [
             "id",
             "name",
@@ -210,7 +239,15 @@ export class LiopServer {
             "token",
             "secret",
             "privateKey",
-        ]);
+        ], nerScanner);
+        // [OWASP-A01] Rate limit: config > env > default (30 calls/min)
+        const rlConfig = this.config?.security?.rateLimit;
+        this.toolCallWindowMs =
+            rlConfig?.windowMs ??
+                Number.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? "60000", 10);
+        this.toolCallMaxPerWindow =
+            rlConfig?.maxPerWindow ??
+                Number.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? "30", 10);
         // Initialize Zero-Blocking Worker Pool for Heavy Cryptography & Sandboxing
         const isTS = import.meta.url.endsWith(".ts");
         const workerExt = isTS ? ".ts" : ".js";
@@ -239,6 +276,12 @@ export class LiopServer {
             maxQueue: "auto",
             taskQueue: new FixedQueue(),
             execArgv,
+            // [DoS Defense] Enforce hard memory ceiling per worker thread.
+            // Workers exceeding this limit are terminated by Node.js runtime.
+            resourceLimits: {
+                maxOldGenerationSizeMb: this.config?.workerPool?.maxHeapMb ??
+                    Number.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? "64", 10),
+            },
         });
         // [Token Economy] Auto-register LIOP protocol spec as a single Resource.
         // This centralizes the envelope documentation that was previously
@@ -568,6 +611,37 @@ Protocol Adherence is mandatory for successful execution.`,
         this.logicCache.clear();
         log.info("[LIOP-SDK] AST Security Cache cleared by Admin.");
     }
+    /**
+     * Sliding window rate limiter for tool call frequency.
+     * Prevents micro-query exfiltration attacks where an attacker
+     * makes hundreds of individually-legitimate calls to reconstruct
+     * the full dataset field by field. (OWASP A01)
+     */
+    checkToolCallRateLimit(toolName) {
+        const now = Date.now();
+        const windowMs = this.toolCallWindowMs;
+        const maxPerWindow = this.toolCallMaxPerWindow;
+        const window = this.toolCallWindows.get(toolName) || [];
+        // Evict expired timestamps outside the sliding window
+        const active = window.filter((t) => now - t < windowMs);
+        if (active.length >= maxPerWindow) {
+            const retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1000);
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `LIOP_RATE_LIMITED: Too many calls to ${toolName}. ` +
+                            `Max ${maxPerWindow} per ${windowMs / 1000}s window. ` +
+                            `Retry after ${retryAfterSec}s.`,
+                    },
+                ],
+                isError: true,
+            };
+        }
+        active.push(now);
+        this.toolCallWindows.set(toolName, active);
+        return null;
+    }
     /**
      * Emulates calling a tool (used locally or via LIOPMcpBridge)
      */
@@ -576,6 +650,10 @@ Protocol Adherence is mandatory for successful execution.`,
         if (!entry) {
             throw new Error(`Tool not found: ${request.name}`);
         }
+        // [OWASP-A01] Rate limiting: prevent micro-query exfiltration
+        const rateLimitResult = this.checkToolCallRateLimit(request.name);
+        if (rateLimitResult)
+            return rateLimitResult;
         try {
             // Validate inputs natively with Zod before execution
             const parsedArgs = entry.schema.parse(request.arguments || {});
@@ -813,10 +891,11 @@ Protocol Adherence is mandatory for successful execution.`,
                     ]);
                     const aggregationViolation = this.violatesAggregationFirstPolicy(this.unwrapForAggregationPolicyScan(finalOutput));
                     if (violation || aggregationViolation) {
-                        const reason = violation ||
-                            "Aggregation-First Policy Violation: row-level export blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects.";
-                        log.info(`[LIOP-RPC] Secure egress blocked in gRPC stream: ${reason}`);
-                        response.semantic_evidence = `[LIOP] Egress Security Violation. Output blocked due to policy enforcement (${reason}).`;
+                        // SEC-CRITICAL: Log details server-side, never expose to caller
+                        const internalReason = violation || "Aggregation-First Policy Violation";
+                        log.info(`[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`);
+                        response.semantic_evidence =
+                            "[LIOP] Egress Security Violation. Output blocked due to policy enforcement.";
                         response.is_error = true;
                     }
                     call.write(response, () => {
@@ -825,10 +904,16 @@ Protocol Adherence is mandatory for successful execution.`,
                 }
                 catch (error) {
                     const e = error;
-                    log.error(`[LIOP-RPC] Execution Error: ${e.message}`);
+                    const isDev = process.env.NODE_ENV === "development" ||
+                        process.env.NODE_ENV === "test";
+                    const detail = e.message || String(error);
+                    log.error(`[LIOP-RPC] Execution Error: ${detail}`);
+                    const errorMessage = isDev
+                        ? `Execution Error: ${detail}`
+                        : "[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.";
                     // Send error response before closing, avoiding "stream closed without results"
                     const errorResponse = {
-                        semantic_evidence: `Execution Error: ${e.message}`,
+                        semantic_evidence: errorMessage,
                         cryptographic_proof: Buffer.from(""),
                         zk_receipt: Buffer.from(""),
                         is_error: true,
@@ -881,9 +966,20 @@ Protocol Adherence is mandatory for successful execution.`,
                 : undefined;
             const policyViolation = this.validateOutputPolicy(toolName || "unknown_tool", workerResponse.output, toolPolicy);
             if (policyViolation) {
+                // SEC-CRITICAL: Log details server-side, never expose to caller in Production
                 log.info(`[LIOP-SDK] Output policy blocked for ${toolName || "unknown_tool"}: ${policyViolation}`);
+                const isDev = process.env.NODE_ENV === "development" ||
+                    process.env.NODE_ENV === "test";
+                const errorMessage = isDev
+                    ? policyViolation
+                    : "[LIOP] Egress Security Violation. Output blocked due to policy enforcement. HINT: Return only aggregated, non-PII results using .reduce() to produce a flat {key:value} object with allowed schema fields.";
                 return {
-                    content: [{ type: "text", text: `[LIOP] ${policyViolation}` }],
+                    content: [
+                        {
+                            type: "text",
+                            text: errorMessage,
+                        },
+                    ],
                     isError: true,
                 };
             }
@@ -891,14 +987,21 @@ Protocol Adherence is mandatory for successful execution.`,
             const violation = this.piiScanner.scan(content);
             const aggregationViolation = this.violatesAggregationFirstPolicy(workerResponse.output);
             if (violation || aggregationViolation) {
-                const reason = violation ||
-                    "Aggregation-First Policy Violation: row-level export blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects.";
-                log.info(`[LIOP-SDK] Secure egress blocked in local execution: ${reason}`);
+                // SEC-CRITICAL: Log the specific violation reason server-side only.
+                // Never expose detection details (entity names, matched values) to the caller in Production.
+                const internalReason = violation ||
+                    "Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.";
+                log.info(`[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`);
+                const isDev = process.env.NODE_ENV === "development" ||
+                    process.env.NODE_ENV === "test";
+                const errorMessage = isDev
+                    ? `[LIOP] Egress Security Violation: ${internalReason}`
+                    : "[LIOP] Egress Security Violation. Output blocked due to policy enforcement. HINT: Return only aggregated, non-PII results using .reduce() to produce a flat {key:value} object with allowed schema fields.";
                 return {
                     content: [
                         {
                             type: "text",
-                            text: `[LIOP] Egress Security Violation. Output blocked due to policy enforcement (${reason}).`,
+                            text: errorMessage,
                         },
                     ],
                     isError: true,
@@ -908,11 +1011,18 @@ Protocol Adherence is mandatory for successful execution.`,
         }
         catch (error) {
             const e = error;
+            const isDev = process.env.NODE_ENV === "development" ||
+                process.env.NODE_ENV === "test";
+            const detail = e.message || String(error);
+            log.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);
+            const errorMessage = isDev
+                ? `WorkerPoolError: ${detail}`
+                : "[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.";
             return {
                 content: [
                     {
                         type: "text",
-                        text: `WorkerPoolError: ${e.message || String(error)}`,
+                        text: errorMessage,
                     },
                 ],
                 isError: true,

package/dist/server/ner-scanner.d.ts

@@ -0,0 +1,29 @@
+/** Single named entity detected by the NER scanner. */
+export interface NerEntity {
+    type: "person" | "place" | "organization";
+    text: string;
+}
+/** Result of an NER scan operation. */
+export interface NerScanResult {
+    detected: boolean;
+    entities: NerEntity[];
+}
+/**
+ * Scans text content for named entities that may represent PII.
+ * Uses `compromise/three` for person, place, and organization detection.
+ *
+ * Designed for egress filtering — optimized for recall over precision
+ * to ensure sensitive data does not leak through aliased output keys.
+ */
+export declare class NerScanner {
+    /**
+     * Scans a single string value for named entities.
+     * Returns detected entities if the text contains recognizable PII.
+     */
+    scan(text: string): NerScanResult;
+    /**
+     * Recursively scans all string values within an object/array.
+     * Stops at the first detection for performance (fail-fast).
+     */
+    scanDeep(input: unknown, seen?: WeakSet<object>): NerScanResult;
+}

package/dist/server/ner-scanner.js

@@ -0,0 +1,141 @@
+/**
+ * LIOP NER Content Scanner (The Shield V3 — Named Entity Recognition Layer)
+ *
+ * Lightweight NER scanner using `compromise` NLP for detecting
+ * person names, places, and organizations in free-text output values.
+ *
+ * This layer operates AFTER the regex-based PII scanner and
+ * catches entities that lack a deterministic format pattern
+ * (e.g., "Evelyn Reed" cannot be detected by regex).
+ *
+ * Architecture: opt-in per-server via `enableNerScanning: true`.
+ * Performance: ~10ms for typical SDK output sizes (< 10KB).
+ *
+ * @see https://github.com/spencermountain/compromise
+ */
+import nlp from "compromise/three";
+/**
+ * Medical/pharmaceutical vocabulary safelist.
+ * These terms are tagged as #Medication to prevent the NER
+ * from misclassifying them as person/organization names.
+ * Extends progressively — add terms as false positives arise.
+ */
+const MEDICAL_VOCABULARY = {
+    aspirin: "Medication",
+    lisinopril: "Medication",
+    metformin: "Medication",
+    amlodipine: "Medication",
+    atorvastatin: "Medication",
+    omeprazole: "Medication",
+    losartan: "Medication",
+    simvastatin: "Medication",
+    levothyroxine: "Medication",
+    ibuprofen: "Medication",
+    acetaminophen: "Medication",
+    amoxicillin: "Medication",
+    ciprofloxacin: "Medication",
+    prednisone: "Medication",
+    warfarin: "Medication",
+    insulin: "Medication",
+    hydrochlorothiazide: "Medication",
+    gabapentin: "Medication",
+    albuterol: "Medication",
+    pantoprazole: "Medication",
+    // Generic clinical terms
+    hypertension: "Condition",
+    diabetes: "Condition",
+    bronchitis: "Condition",
+    pneumonia: "Condition",
+    asthma: "Condition",
+};
+// Register medical vocabulary BEFORE any scan operations.
+// compromise's addWords() overrides the default classification,
+// preventing these terms from being tagged as #Person or #Organization.
+nlp.addWords(MEDICAL_VOCABULARY);
+// Minimum string length to attempt NER analysis.
+// Shorter strings are unlikely to contain meaningful named entities.
+const MIN_TEXT_LENGTH = 4;
+// Pattern to identify strings that are purely numeric/symbolic (skip NER)
+const NON_TEXT_PATTERN = /^[\d\s.,:;!?()[\]{}<>@#$%^&*+=|\\/"'`~_-]+$/;
+/**
+ * Scans text content for named entities that may represent PII.
+ * Uses `compromise/three` for person, place, and organization detection.
+ *
+ * Designed for egress filtering — optimized for recall over precision
+ * to ensure sensitive data does not leak through aliased output keys.
+ */
+export class NerScanner {
+    /**
+     * Scans a single string value for named entities.
+     * Returns detected entities if the text contains recognizable PII.
+     */
+    scan(text) {
+        if (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {
+            return { detected: false, entities: [] };
+        }
+        const doc = nlp(text);
+        const entities = [];
+        const people = doc.people().out("array");
+        for (const person of people) {
+            const trimmed = person.trim();
+            if (trimmed.length >= MIN_TEXT_LENGTH) {
+                entities.push({ type: "person", text: trimmed });
+            }
+        }
+        const places = doc.places().out("array");
+        for (const place of places) {
+            const trimmed = place.trim();
+            if (trimmed.length >= MIN_TEXT_LENGTH) {
+                entities.push({ type: "place", text: trimmed });
+            }
+        }
+        const orgs = doc.organizations().out("array");
+        for (const org of orgs) {
+            const trimmed = org.trim();
+            if (trimmed.length >= MIN_TEXT_LENGTH) {
+                entities.push({ type: "organization", text: trimmed });
+            }
+        }
+        return {
+            detected: entities.length > 0,
+            entities,
+        };
+    }
+    /**
+     * Recursively scans all string values within an object/array.
+     * Stops at the first detection for performance (fail-fast).
+     */
+    scanDeep(input, seen = new WeakSet()) {
+        if (input === null || input === undefined) {
+            return { detected: false, entities: [] };
+        }
+        if (typeof input === "string") {
+            return this.scan(input);
+        }
+        if (typeof input === "object") {
+            if (seen.has(input)) {
+                return { detected: false, entities: [] };
+            }
+            seen.add(input);
+            const values = Array.isArray(input)
+                ? input
+                : Object.values(input);
+            const allEntities = [];
+            for (const value of values) {
+                const result = this.scanDeep(value, seen);
+                if (result.detected) {
+                    allEntities.push(...result.entities);
+                    // Fail-fast: return immediately on first person detection
+                    if (result.entities.some((e) => e.type === "person")) {
+                        return { detected: true, entities: allEntities };
+                    }
+                }
+            }
+            return {
+                detected: allEntities.length > 0,
+                entities: allEntities,
+            };
+        }
+        return { detected: false, entities: [] };
+    }
+}

package/dist/server/pii.d.ts

@@ -30,11 +30,37 @@ export declare const PII_PRESETS: {
 export declare class PiiScanner {
     private patterns;
     private forbiddenKeysSet;
-    constructor(patterns?: PiiRule[], forbiddenKeys?: string[]);
+    private nerScanner;
+    /**
+     * Safelist of keys that contain forbidden substrings but are NOT PII.
+     * Prevents false positives from fuzzy matching (e.g., "grid" contains "id").
+     */
+    private static readonly KEY_SAFELIST;
+    /**
+     * Short forbidden tokens (< 4 chars) that require boundary-aware matching.
+     * Uses regex boundary detection to avoid false positives.
+     */
+    private shortTokenBoundaryPatterns;
+    /**
+     * Long forbidden tokens (>= 4 chars) that use substring containment.
+     */
+    private longForbiddenTokens;
+    constructor(patterns?: PiiRule[], forbiddenKeys?: string[], nerScanner?: import("./ner-scanner.js").NerScanner | null);
     /**
      * Scans any input (string, object, array) for PII violations.
      * Returns the pattern/rule name that triggered the violation, or null if safe.
+     *
+     * Detection pipeline (fail-fast):
+     *   1. Exact key match (O(1) Set lookup)
+     *   2. Fuzzy key match (boundary detection for short tokens, substring for long)
+     *   3. Regex/algorithmic pattern match on string values
+     *   4. NER content scan on string values (if enabled)
      */
     scan(input: unknown, seen?: WeakSet<object>): string | null;
+    /**
+     * Checks a key against fuzzy matching rules.
+     * Short tokens use boundary-aware regex; long tokens use substring containment.
+     */
+    private checkKeyFuzzy;
     private checkString;
 }

package/dist/server/pii.js

@@ -159,14 +159,136 @@ export const PII_PRESETS = {
 export class PiiScanner {
     patterns;
     forbiddenKeysSet;
-    constructor(patterns = [], forbiddenKeys = []) {
+    nerScanner;
+    /**
+     * Safelist of keys that contain forbidden substrings but are NOT PII.
+     * Prevents false positives from fuzzy matching (e.g., "grid" contains "id").
+     */
+    static KEY_SAFELIST = new Set([
+        // Common words containing "id" substring
+        "grid",
+        "video",
+        "android",
+        "identity",
+        "provide",
+        "override",
+        "validate",
+        "hidden",
+        "widget",
+        "guidelines",
+        "beside",
+        "guideline",
+        "outside",
+        "inside",
+        "collide",
+        "decide",
+        "divide",
+        "aside",
+        "ride",
+        "side",
+        "wide",
+        "hide",
+        "tide",
+        "pride",
+        "bride",
+        "slide",
+        "guide",
+        "stride",
+        "oxide",
+        "dioxide",
+        "suicide",
+        "homicide",
+        "pesticide",
+        "valid",
+        "invalid",
+        "void",
+        "avoid",
+        // Common words containing "name" substring
+        "diagnosis",
+        "medication",
+        "namespace",
+        "namesake",
+        "rename",
+        "filename",
+        "hostname",
+        "typename",
+        "unnamed",
+        "renamed",
+        // Common words containing "phone" substring
+        "phonetic",
+        "phoneme",
+        "microphone",
+        "headphone",
+        "telephone",
+        "saxophone",
+        "smartphone",
+        // Common words containing "address" substring
+        "streetview",
+        "addressable",
+        "addressing",
+        // Common words containing "city" substring
+        "cityscape",
+        "electricity",
+        "capacity",
+        "velocity",
+        "opacity",
+        // Common technical terms
+        "timestamp",
+        "timezone",
+        // LIOP Protocol Internal Keys (must never be blocked)
+        "image_id",
+        "computation_result",
+        "zk_receipt",
+        "testid",
+        "toolid",
+        "sessionid",
+        "peerid",
+        "nodeid",
+        "requestid",
+        "correlationid",
+        "traceid",
+        "spanid",
+    ]);
+    /**
+     * Short forbidden tokens (< 4 chars) that require boundary-aware matching.
+     * Uses regex boundary detection to avoid false positives.
+     */
+    shortTokenBoundaryPatterns;
+    /**
+     * Long forbidden tokens (>= 4 chars) that use substring containment.
+     */
+    longForbiddenTokens;
+    constructor(patterns = [], forbiddenKeys = [], nerScanner) {
         this.patterns = patterns;
-        // Optimizes large recursive evaluations using O(1) continuous key lookup
         this.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));
+        this.nerScanner = nerScanner ?? null;
+        // Pre-compute fuzzy matching structures for performance
+        this.shortTokenBoundaryPatterns = new Map();
+        this.longForbiddenTokens = [];
+        for (const token of this.forbiddenKeysSet) {
+            if (token.length < 4) {
+                // Short tokens: require word boundary (camelCase, snake_case, kebab-case, or exact)
+                // "id" matches: "patientId", "record_id", "user-id", "id"
+                // "id" does NOT match: "grid", "video", "android"
+                this.shortTokenBoundaryPatterns.set(token, new RegExp(`(?:^|[_-])${token}(?:$|[_-])|` + // snake/kebab boundary
+                    `(?:^|[a-z])${token.charAt(0).toUpperCase()}${token.slice(1)}|` + // camelCase boundary (e.g., patientId)
+                    `^${token}$`, // exact match
+                "i"));
+            }
+            else {
+                this.longForbiddenTokens.push(token);
+            }
+        }
     }
     /**
      * Scans any input (string, object, array) for PII violations.
      * Returns the pattern/rule name that triggered the violation, or null if safe.
+     *
+     * Detection pipeline (fail-fast):
+     *   1. Exact key match (O(1) Set lookup)
+     *   2. Fuzzy key match (boundary detection for short tokens, substring for long)
+     *   3. Regex/algorithmic pattern match on string values
+     *   4. NER content scan on string values (if enabled)
      */
     scan(input, seen = new WeakSet()) {
         if (input === null || input === undefined)
@@ -189,8 +311,21 @@ export class PiiScanner {
                     // Silent fallback: It looked like JSON but wasn't valid. Proceed with raw string check.
                 }
             }
-            // Fallback: Check the raw string
-            return this.checkString(input);
+            // Check string value against regex patterns
+            const patternViolation = this.checkString(input);
+            if (patternViolation)
+                return patternViolation;
+            // Layer 3: NER Content Scan — detect person names in free-text values
+            if (this.nerScanner) {
+                const nerResult = this.nerScanner.scan(input);
+                if (nerResult.detected) {
+                    const personEntity = nerResult.entities.find((e) => e.type === "person");
+                    if (personEntity) {
+                        return `PII Entity Detected: person name "${personEntity.text}"`;
+                    }
+                }
+            }
+            return null;
         }
         // 2. Recursive Objects/Arrays Scan
         if (typeof input === "object") {
@@ -207,10 +342,14 @@ export class PiiScanner {
             }
             else {
                 for (const [key, value] of Object.entries(input)) {
-                    // Check Keys using O(1) Constant Time Memory Evaluation
+                    // Layer 1: Exact key match — O(1) constant time
                     if (this.forbiddenKeysSet.has(key.toLowerCase())) {
                         return `Forbidden Key: ${key}`;
                     }
+                    // Layer 2: Fuzzy key match — catches aliases and variations
+                    const fuzzyViolation = this.checkKeyFuzzy(key);
+                    if (fuzzyViolation)
+                        return fuzzyViolation;
                     // Recurse into values
                     const violation = this.scan(value, seen);
                     if (violation)
@@ -220,6 +359,29 @@ export class PiiScanner {
         }
         return null;
     }
+    /**
+     * Checks a key against fuzzy matching rules.
+     * Short tokens use boundary-aware regex; long tokens use substring containment.
+     */
+    checkKeyFuzzy(key) {
+        const normalized = key.toLowerCase();
+        // Skip safelisted keys entirely
+        if (PiiScanner.KEY_SAFELIST.has(normalized))
+            return null;
+        // Short token boundary matching (e.g., "id" in "patientId" but not "grid")
+        for (const [token, pattern] of this.shortTokenBoundaryPatterns) {
+            if (pattern.test(key)) {
+                return `Forbidden Key (fuzzy): ${key} matches boundary pattern "${token}"`;
+            }
+        }
+        // Long token substring matching (e.g., "name" in "firstName", "names")
+        for (const token of this.longForbiddenTokens) {
+            if (normalized.includes(token)) {
+                return `Forbidden Key (fuzzy): ${key} contains restricted token "${token}"`;
+            }
+        }
+        return null;
+    }
     checkString(text) {
         for (const rule of this.patterns) {
             if (typeof rule === "string") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nekzus/liop",
-  "version": "1.3.0-alpha.1",
+  "version": "2.0.0-alpha.1",
   "description": "Official SDK for Logic-Injection-on-Origin Protocol (LIOP). Deploy Logic-on-Origin with WebAssembly at gRPC speed and bidirectional MCP compatibility.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -131,6 +131,7 @@
     "@modelcontextprotocol/sdk": "^1.28.0",
     "@multiformats/multiaddr": "^13.0.1",
     "@opentelemetry/api": "^1.9.1",
+    "compromise": "14.15.0",
     "gpt-tokenizer": "^3.4.0",
     "hono": "^4.12.5",
     "it-pipe": "^3.0.1",