@nekzus/liop 2.1.0-alpha.1 → 2.1.0-alpha.11

package/dist/chunk-2JLG4DET.js

@@ -0,0 +1,3354 @@
+import { LIOP_SCOPES, authorizeRequest } from './chunk-IJHTRIZC.js';
+import { liopV1, createServerCredentials } from './chunk-RDWCGZ2A.js';
+import { MeshNode } from './chunk-NJRSFFD7.js';
+import { log } from './chunk-72MNYFR6.js';
+import { Buffer } from 'buffer';
+import crypto2 from 'crypto';
+import * as fs from 'fs';
+import { createRequire } from 'module';
+import path from 'path';
+import { fileURLToPath, pathToFileURL } from 'url';
+import * as grpc2 from '@grpc/grpc-js';
+import { createMlKem768 } from 'mlkem';
+import { Piscina, FixedQueue } from 'piscina';
+import { z } from 'zod';
+import * as jose from 'jose';
+import Provider from 'oidc-provider';
+import * as acorn from 'acorn';
+import { simple } from 'acorn-walk';
+
+var GRPC_CHANNEL_OPTIONS = {
+  "grpc.keepalive_time_ms": 3e4,
+  "grpc.keepalive_timeout_ms": 1e4,
+  "grpc.keepalive_permit_without_calls": 1,
+  "grpc.max_send_message_length": -1,
+  "grpc.max_receive_message_length": -1,
+  "grpc.enable_retries": 1
+};
+var LiopRpcServer = class {
+  server;
+  constructor() {
+    this.server = new grpc2.Server(GRPC_CHANNEL_OPTIONS);
+  }
+  addService(handlers) {
+    this.server.addService(liopV1.LogicMesh.service, {
+      NegotiateIntent: handlers.negotiateIntent,
+      ExecuteLogic: handlers.executeLogic
+    });
+  }
+  async listen(port = 50051, tls) {
+    const credentials = createServerCredentials(tls);
+    return new Promise((resolve, reject) => {
+      this.server.bindAsync(
+        `0.0.0.0:${port}`,
+        credentials,
+        (error, assignedPort) => {
+          if (error) {
+            reject(error);
+            return;
+          }
+          log.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);
+          resolve(assignedPort);
+        }
+      );
+    });
+  }
+  async stop() {
+    return new Promise((resolve) => {
+      this.server.tryShutdown(() => {
+        log.info("[LIOP-RPC] Server shut down");
+        resolve();
+      });
+    });
+  }
+};
+
+// src/security/auth-config.ts
+var AUTH_DEFAULTS = {
+  /** JWT audience claim for the LIOP mesh API. */
+  audience: "urn:liop:mesh:api",
+  /** M2M token time-to-live in seconds (1 hour). */
+  tokenTtlSeconds: 3600,
+  /** JWKS cache TTL in milliseconds (10 min — jose default). */
+  jwksCacheTtlMs: 6e5,
+  /** Minimum interval between JWKS refetches (30s — jose default). */
+  jwksCooldownMs: 3e4,
+  /** Clock tolerance for JWT expiration checks (mesh clock skew). */
+  clockToleranceSec: 5,
+  /** JWT signing algorithm (aligned with libp2p Ed25519 PeerID curve). */
+  signingAlgorithm: "EdDSA"
+};
+var JwtValidator = class {
+  jwksResolver;
+  issuer;
+  audience;
+  constructor(issuer, audience, jwksSource) {
+    this.issuer = issuer;
+    this.audience = audience;
+    if (jwksSource instanceof URL) {
+      this.jwksResolver = jose.createRemoteJWKSet(jwksSource, {
+        cacheMaxAge: AUTH_DEFAULTS.jwksCacheTtlMs,
+        cooldownDuration: AUTH_DEFAULTS.jwksCooldownMs
+      });
+    } else {
+      this.jwksResolver = jose.createLocalJWKSet(jwksSource);
+    }
+  }
+  /**
+   * Validates a JWT access token and extracts authorization context.
+   *
+   * Checks performed (jose.jwtVerify):
+   * - Cryptographic signature verification (EdDSA or ES256)
+   * - Issuer claim matches configured issuer
+   * - Audience claim matches configured audience
+   * - Token is not expired (with clock tolerance for mesh skew)
+   * - Required claims (sub, scope) are present
+   *
+   * @throws JOSEError if validation fails (expired, wrong issuer, bad signature, etc.)
+   */
+  async validate(token) {
+    const issuers = this.buildIssuerAliases();
+    const { payload } = await jose.jwtVerify(token, this.jwksResolver, {
+      issuer: issuers.length > 1 ? issuers : this.issuer,
+      audience: this.audience,
+      // Algorithm whitelist: only accept EdDSA (Ed25519) or ES256.
+      // Prevents algorithm confusion attacks (OWASP API-A01).
+      algorithms: [AUTH_DEFAULTS.signingAlgorithm, "ES256"],
+      // Clock tolerance for P2P mesh nodes with slight time drift.
+      clockTolerance: AUTH_DEFAULTS.clockToleranceSec,
+      // Enforce required claims to prevent malformed tokens.
+      requiredClaims: ["sub", "scope"]
+    });
+    return {
+      token,
+      clientId: payload.sub ?? "unknown",
+      scopes: typeof payload.scope === "string" ? payload.scope.split(" ") : [],
+      expiresAt: payload.exp
+    };
+  }
+  /**
+   * Builds a complete set of issuer URL aliases for the LIOP demo topology.
+   *
+   * The LIOP mesh runs on Docker Desktop with the following network layout:
+   *   Container hostnames: "nexus", "liop-nexus" (internal port 3000)
+   *   Host-published ports: 13000 (HTTP/MCP), 13001 (libp2p TCP)
+   *   Loopback addresses: 127.0.0.1, localhost
+   *
+   * The Nexus OAuth server may set its issuer to any of these depending on
+   * how it was configured, and nodes may resolve it via LIOP_NEXUS_URL
+   * which varies by context. This method generates all equivalent aliases
+   * so that jose.jwtVerify accepts the token regardless of which alias
+   * was used as `iss` in the JWT.
+   *
+   * Security note: This does NOT weaken validation — the cryptographic
+   * signature is still verified against the same JWKS keys. Only the
+   * string comparison of the `iss` claim is relaxed across known aliases.
+   */
+  buildIssuerAliases() {
+    const issuers = [this.issuer];
+    const cleanIssuer = this.issuer.endsWith("/") ? this.issuer.slice(0, -1) : this.issuer;
+    const NEXUS_AUTHORITIES = [
+      "nexus:3000",
+      "liop-nexus:3000",
+      "127.0.0.1:3000",
+      "localhost:3000",
+      "127.0.0.1:13000",
+      "localhost:13000",
+      "127.0.0.1:13001",
+      "localhost:13001"
+    ];
+    let issuerAuthority = "";
+    try {
+      const url = new URL(cleanIssuer);
+      issuerAuthority = `${url.hostname}:${url.port || "3000"}`;
+    } catch {
+      return issuers;
+    }
+    const isNexusIssuer = NEXUS_AUTHORITIES.some(
+      (authority) => issuerAuthority === authority
+    );
+    if (!isNexusIssuer) return issuers;
+    const pathSuffix = cleanIssuer.replace(/^https?:\/\/[^/]+/, "");
+    for (const authority of NEXUS_AUTHORITIES) {
+      const alias = `http://${authority}${pathSuffix}`;
+      if (!issuers.includes(alias)) {
+        issuers.push(alias);
+      }
+    }
+    if (pathSuffix) {
+      for (const authority of NEXUS_AUTHORITIES) {
+        const alias = `http://${authority}`;
+        if (!issuers.includes(alias)) {
+          issuers.push(alias);
+        }
+      }
+    } else {
+      for (const authority of NEXUS_AUTHORITIES) {
+        const alias = `http://${authority}/oidc`;
+        if (!issuers.includes(alias)) {
+          issuers.push(alias);
+        }
+      }
+    }
+    return issuers;
+  }
+  /**
+   * Returns the configured issuer URL for PRM (RFC 9728) metadata.
+   */
+  getIssuer() {
+    return this.issuer;
+  }
+  /**
+   * Returns the configured audience for PRM metadata.
+   */
+  getAudience() {
+    return this.audience;
+  }
+};
+function createOAuthServer(config) {
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("ed25519");
+  const privateJwk = privateKey.export({ format: "jwk" });
+  const publicJwk = publicKey.export({ format: "jwk" });
+  const kid = crypto2.createHash("sha256").update(publicJwk.x || "").digest("hex").slice(0, 16);
+  const privateJwkComplete = {
+    ...privateJwk,
+    kid,
+    use: "sig",
+    alg: "EdDSA"
+  };
+  const publicJwkComplete = {
+    ...publicJwk,
+    kid,
+    use: "sig",
+    alg: "EdDSA"
+  };
+  const jwksInternal = {
+    keys: [privateJwkComplete]
+  };
+  const jwksPublic = {
+    keys: [publicJwkComplete]
+  };
+  const oidcConfig = {
+    // Supported scopes at the Authorization Server level (RFC 6749)
+    scopes: ["openid", "offline_access", ...LIOP_SCOPES],
+    // Define registered Machine-to-Machine clients
+    clients: config.clients.map((c) => ({
+      client_id: c.client_id,
+      client_secret: c.client_secret,
+      grant_types: ["client_credentials"],
+      response_types: [],
+      // CC Grant does not use response types
+      redirect_uris: [],
+      // M2M flows require no redirects
+      scope: c.scope,
+      token_endpoint_auth_method: "client_secret_post",
+      id_token_signed_response_alg: "EdDSA"
+    })),
+    // [SEC] Features whitelist: Enable Client Credentials, disable all human interactions
+    features: {
+      clientCredentials: { enabled: true },
+      devInteractions: { enabled: false },
+      // Prevent development interactions UI
+      resourceIndicators: {
+        enabled: true,
+        useGrantedResource: () => true,
+        getResourceServerInfo: (_ctx, _resource, client) => {
+          return {
+            scope: client.scope || "",
+            accessTokenFormat: "jwt",
+            jwt: {
+              sign: { alg: "EdDSA" }
+            }
+          };
+        }
+      }
+    },
+    // [SEC] Emit M2M Access Tokens as JWTs instead of opaque strings
+    // This enables high-performance local validation at resource servers (NIST SP 800-207)
+    formats: {
+      AccessToken: "jwt"
+      // biome-ignore lint/suspicious/noExplicitAny: library typings mismatch in oidc-provider
+    },
+    // [SEC] Lockout: Throw immediate error on any interactive login flow attempt
+    interactions: {
+      url: () => {
+        throw new Error(
+          "InteractionsNotSupportedException: This Authorization Server is strictly configured for Machine-to-Machine flows."
+        );
+      }
+    },
+    // Keys used for signing Issued Tokens (ID Tokens, Access Tokens)
+    jwks: jwksInternal,
+    // Token life configurations (NIST SP 800-63B token rotation guidelines)
+    ttl: {
+      ClientCredentials: 3600
+      // Access Token valid for 1 hour
+    },
+    // Allow HTTP locally for development/Docker testnets (production MUST use HTTPS in proxy)
+    cookies: {
+      keys: [crypto2.randomBytes(32).toString("hex")]
+    },
+    // Map scopes directly into the JWT token claims during client_credentials grant
+    extraTokenClaims: (_ctx, token) => {
+      if (token.kind === "AccessToken") {
+        return {
+          scope: token.scope
+        };
+      }
+      return {};
+    }
+  };
+  const normalizedIssuer = config.issuer.endsWith("/") ? config.issuer.slice(0, -1) : config.issuer;
+  const provider = new Provider(normalizedIssuer, oidcConfig);
+  provider.proxy = true;
+  return {
+    provider,
+    jwks: jwksPublic
+  };
+}
+var TaintAnalyzer = class _TaintAnalyzer {
+  piiFields;
+  sensitiveKeys;
+  /** String methods that extract character-level information from PII */
+  static TAINT_PROPAGATING_METHODS = /* @__PURE__ */ new Set([
+    // Character extraction
+    "charCodeAt",
+    "codePointAt",
+    "charAt",
+    "at",
+    // Search/position (reveals content structure)
+    "indexOf",
+    "lastIndexOf",
+    "search",
+    // Comparison (reveals ordering/content)
+    "localeCompare",
+    "startsWith",
+    "endsWith",
+    "includes",
+    // Transformation (preserves PII content in different form)
+    "substring",
+    "slice",
+    "substr",
+    "split",
+    "match",
+    "matchAll",
+    "replace",
+    "replaceAll",
+    "normalize",
+    "toLowerCase",
+    "toUpperCase",
+    "trim",
+    "trimStart",
+    "trimEnd",
+    "padStart",
+    "padEnd",
+    "repeat"
+  ]);
+  /** Array iteration methods whose callbacks receive individual records */
+  static ARRAY_CALLBACK_METHODS = /* @__PURE__ */ new Set([
+    "map",
+    "forEach",
+    "filter",
+    "find",
+    "some",
+    "every",
+    "flatMap",
+    "findIndex"
+  ]);
+  /** Reduce-family methods where the record param is the SECOND callback arg */
+  static REDUCE_METHODS = /* @__PURE__ */ new Set(["reduce", "reduceRight"]);
+  constructor(piiFields, sensitiveKeys = []) {
+    this.piiFields = new Set(piiFields.map((f) => f.toLowerCase()));
+    this.sensitiveKeys = new Set(sensitiveKeys.map((f) => f.toLowerCase()));
+  }
+  /**
+   * Classifies a field into forbidden, sensitive, or public tiers (NIST SP 800-226).
+   */
+  classifyField(field, policySensitiveKeys = []) {
+    const lowerField = field.toLowerCase();
+    if (this.piiFields.has(lowerField)) {
+      return "forbidden";
+    }
+    const lowerPolicyKeys = new Set(
+      policySensitiveKeys.map((k) => k.toLowerCase())
+    );
+    if (this.sensitiveKeys.has(lowerField) || lowerPolicyKeys.has(lowerField)) {
+      return "sensitive";
+    }
+    return "public";
+  }
+  /**
+   * Analyzes injected source code for PII taint violations.
+   *
+   * @param sourceCode - The raw JavaScript logic extracted from the LIOP envelope
+   * @param recordCount - Size of source dataset (enables correlation/min-max gates for small sets)
+   * @param minMaxBlockThreshold - Threshold below which extrema/correlation extraction is blocked
+   * @returns A TaintViolation if PII-derived values flow to output, null if clean
+   */
+  analyze(sourceCode, recordCount, minMaxBlockThreshold = 50) {
+    let ast;
+    try {
+      const wrapped = `function liop_analysis_wrapper(env) {
+${sourceCode}
+}`;
+      ast = acorn.parse(wrapped, {
+        ecmaVersion: 2022,
+        sourceType: "script",
+        locations: true
+      });
+    } catch {
+      return null;
+    }
+    const recordBoundVars = /* @__PURE__ */ new Set();
+    const taintedVars = /* @__PURE__ */ new Set();
+    this.identifyRecordBoundVars(ast, recordBoundVars);
+    this.propagateTaint(ast, recordBoundVars, taintedVars);
+    const taintResult = this.checkReturnStatements(
+      ast,
+      recordBoundVars,
+      taintedVars
+    );
+    if (taintResult) return taintResult;
+    if (recordCount !== void 0 && recordCount > 0 && recordCount < minMaxBlockThreshold) {
+      const correlationResult = this.detectCorrelatedAggregations(ast);
+      if (correlationResult) {
+        correlationResult.reason = correlationResult.reason.replace(
+          "50 records",
+          `${minMaxBlockThreshold} records`
+        );
+        return correlationResult;
+      }
+    }
+    if (recordCount !== void 0 && recordCount > 0 && recordCount < minMaxBlockThreshold) {
+      const minMaxResult = this.detectMinMaxExtraction(ast);
+      if (minMaxResult) {
+        minMaxResult.reason = minMaxResult.reason.replace(
+          "50 records",
+          `${minMaxBlockThreshold} records`
+        );
+        return minMaxResult;
+      }
+    }
+    return null;
+  }
+  /**
+   * Extracts all unique field names accessed via env.records operations.
+   * Used by the Query Budget to enforce per-field query limits.
+   */
+  extractQueriedFields(sourceCode) {
+    let ast;
+    try {
+      ast = acorn.parse(`function w(env) {
+${sourceCode}
+}`, {
+        ecmaVersion: 2022,
+        sourceType: "script"
+      });
+    } catch {
+      return [];
+    }
+    const recordBoundVars = /* @__PURE__ */ new Set();
+    this.identifyRecordBoundVars(ast, recordBoundVars);
+    const fields = /* @__PURE__ */ new Set();
+    const visitors = {
+      MemberExpression: (node) => {
+        const propName = this.getPropertyName(node);
+        if (!propName || propName === "length") return;
+        if (node.object.type === "Identifier" && recordBoundVars.has(node.object.name)) {
+          fields.add(propName);
+        }
+        if (node.object.type === "MemberExpression") {
+          const parentMember = node.object;
+          if (parentMember.computed && this.isEnvRecordsAccess(parentMember.object)) {
+            fields.add(propName);
+          }
+        }
+      }
+    };
+    simple(ast, visitors);
+    return Array.from(fields);
+  }
+  // ── Pass 4: Correlation Guard ─────────────────────────────────────
+  /**
+   * Detects when 2+ reduce/aggregation calls access the same field.
+   * This prevents differencing attacks: sum(all.field) - sum(excl1.field) = individual value.
+   * Exempt: .length access (metadata, not field access).
+   */
+  detectCorrelatedAggregations(ast) {
+    const fieldAggCounts = /* @__PURE__ */ new Map();
+    const visitors = {
+      CallExpression: (node) => {
+        if (node.callee.type !== "MemberExpression") return;
+        const callee = node.callee;
+        const methodName = this.getPropertyName(callee);
+        if (!methodName || !_TaintAnalyzer.REDUCE_METHODS.has(methodName))
+          return;
+        if (!this.isEnvRecordsChain(callee.object)) return;
+        const callback = node.arguments[0];
+        if (!callback || callback.type !== "ArrowFunctionExpression" && callback.type !== "FunctionExpression")
+          return;
+        const fn = callback;
+        const recordParam = fn.params.length > 1 ? fn.params[1] : fn.params[0];
+        if (recordParam?.type !== "Identifier") return;
+        const paramName = recordParam.name;
+        const fields = this.extractFieldsFromBody(
+          fn.body,
+          paramName
+        );
+        for (const field of fields) {
+          const current = fieldAggCounts.get(field) ?? 0;
+          fieldAggCounts.set(field, current + 1);
+        }
+      }
+    };
+    simple(ast, visitors);
+    for (const [field, count] of fieldAggCounts) {
+      if (count >= 2) {
+        return {
+          reason: `Correlation guard: ${count} aggregations detected on field '${field}'. Multiple correlated aggregations on the same field can enable differencing attacks. Use a single aggregation per numeric field, or increase dataset size above 50 records.`
+        };
+      }
+    }
+    return null;
+  }
+  /**
+   * Checks if a node is env.records or a chain like env.records.slice(N) / env.records.filter(...)
+   */
+  isEnvRecordsChain(node) {
+    if (this.isEnvRecordsAccess(node)) return true;
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "MemberExpression") {
+        const member = call.callee;
+        const method = this.getPropertyName(member);
+        if (method && (method === "slice" || method === "filter" || method === "toSorted")) {
+          return this.isEnvRecordsChain(member.object);
+        }
+      }
+    }
+    return false;
+  }
+  /**
+   * Extracts field names accessed on a record parameter within a function body.
+   * e.g., in `(s, r) => s + r.balance`, extracts "balance".
+   * Ignores .length as it's metadata, not a field access.
+   */
+  extractFieldsFromBody(body, paramName) {
+    const fields = [];
+    const visitors = {
+      MemberExpression: (node) => {
+        if (node.object.type === "Identifier" && node.object.name === paramName) {
+          const prop = this.getPropertyName(node);
+          if (prop && prop !== "length") {
+            fields.push(prop);
+          }
+        }
+      }
+    };
+    simple(body, visitors);
+    return fields;
+  }
+  // ── Pass 5: Min/Max Gate ──────────────────────────────────────────
+  /**
+   * Detects Math.min/max and sort()[0] patterns that expose individual
+   * record values from small datasets.
+   */
+  detectMinMaxExtraction(ast) {
+    let violation = null;
+    const visitors = {
+      CallExpression: (node) => {
+        if (violation) return;
+        if (node.callee.type === "MemberExpression") {
+          const callee = node.callee;
+          if (callee.object.type === "Identifier" && callee.object.name === "Math") {
+            const method = this.getPropertyName(callee);
+            if (method === "min" || method === "max") {
+              if (node.arguments.some(
+                (arg) => arg.type === "SpreadElement" && this.isRecordsMapCall(
+                  arg.argument
+                )
+              )) {
+                violation = {
+                  reason: `Min/Max gate: Math.${method}() on individual records blocked for small datasets (n < 50). Use avg/stddev/count for privacy-safe aggregations.`
+                };
+              }
+            }
+          }
+        }
+      },
+      // Pattern: env.records.sort(...)[0].field or [...env.records].sort(...)[0].field
+      MemberExpression: (node) => {
+        if (violation) return;
+        if (node.computed && node.object.type === "CallExpression") {
+          const call = node.object;
+          if (call.callee.type === "MemberExpression") {
+            const method = this.getPropertyName(
+              call.callee
+            );
+            if (method === "sort" || method === "toSorted") {
+              const sortTarget = call.callee.object;
+              if (this.isEnvRecordsChain(sortTarget)) {
+                violation = {
+                  reason: "Min/Max gate: .sort()[index] on individual records blocked for small datasets (n < 50). Use avg/stddev/count for privacy-safe aggregations."
+                };
+              }
+            }
+          }
+        }
+      }
+    };
+    simple(ast, visitors);
+    return violation;
+  }
+  /**
+   * Checks if a node is env.records.map(callback) — used by Min/Max Gate.
+   */
+  isRecordsMapCall(node) {
+    if (node.type !== "CallExpression") return false;
+    const call = node;
+    if (call.callee.type !== "MemberExpression") return false;
+    const callee = call.callee;
+    const method = this.getPropertyName(callee);
+    return method === "map" && this.isEnvRecordsChain(callee.object);
+  }
+  // ── Pass 1: Record-Bound Variable Identification ──────────────────
+  identifyRecordBoundVars(ast, recordBoundVars) {
+    const visitors = {
+      CallExpression: (node) => {
+        if (node.callee.type !== "MemberExpression") return;
+        const member = node.callee;
+        const methodName = this.getPropertyName(member);
+        if (!methodName) return;
+        if (!this.isEnvRecordsAccess(member.object)) return;
+        const callback = node.arguments[0];
+        if (!callback) return;
+        if (callback.type === "ArrowFunctionExpression" || callback.type === "FunctionExpression") {
+          const fn = callback;
+          if (_TaintAnalyzer.ARRAY_CALLBACK_METHODS.has(methodName) && fn.params.length > 0) {
+            const param = fn.params[0];
+            if (param.type === "Identifier") {
+              recordBoundVars.add(param.name);
+            }
+          }
+          if (_TaintAnalyzer.REDUCE_METHODS.has(methodName) && fn.params.length > 1) {
+            const recordParam = fn.params[1];
+            if (recordParam.type === "Identifier") {
+              recordBoundVars.add(recordParam.name);
+            }
+          }
+        }
+      },
+      // for (const r of env.records) → r is record-bound
+      ForOfStatement: (node) => {
+        if (!this.isEnvRecordsAccess(node.right)) return;
+        if (node.left.type === "VariableDeclaration") {
+          for (const declarator of node.left.declarations) {
+            if (declarator.id.type === "Identifier") {
+              recordBoundVars.add(declarator.id.name);
+            }
+          }
+        }
+      }
+    };
+    simple(ast, visitors);
+    const indexVisitors = {
+      VariableDeclarator: (node) => {
+        if (!node.init || node.id.type !== "Identifier") return;
+        if (node.init.type === "MemberExpression" && node.init.computed) {
+          const member = node.init;
+          if (this.isEnvRecordsAccess(member.object)) {
+            recordBoundVars.add(node.id.name);
+          }
+        }
+      }
+    };
+    simple(ast, indexVisitors);
+  }
+  // ── Pass 2: Taint Propagation ─────────────────────────────────────
+  propagateTaint(ast, recordBoundVars, taintedVars) {
+    for (let iteration = 0; iteration < 3; iteration++) {
+      const sizeBefore = taintedVars.size;
+      const visitors = {
+        VariableDeclarator: (node) => {
+          if (!node.init || node.id.type !== "Identifier") return;
+          if (this.isExpressionTainted(node.init, recordBoundVars, taintedVars)) {
+            taintedVars.add(node.id.name);
+          }
+        },
+        AssignmentExpression: (node) => {
+          if (node.left.type !== "Identifier") return;
+          if (this.isExpressionTainted(node.right, recordBoundVars, taintedVars)) {
+            taintedVars.add(node.left.name);
+          }
+        },
+        FunctionDeclaration: (node) => {
+          if (node.id && node.id.type === "Identifier") {
+            if (this.doesCallbackProduceTaint(
+              node,
+              null,
+              recordBoundVars,
+              taintedVars
+            )) {
+              taintedVars.add(node.id.name);
+            }
+          }
+        },
+        // Imperative taint: array.push(taintedValue) contaminates the array
+        // Covers for-of and forEach patterns that push PII-derived values
+        CallExpression: (node) => {
+          if (node.callee.type !== "MemberExpression") return;
+          const callee = node.callee;
+          const methodName = this.getPropertyName(callee);
+          if (methodName === "push" && callee.object.type === "Identifier" && node.arguments.some(
+            (arg) => this.isExpressionTainted(arg, recordBoundVars, taintedVars)
+          )) {
+            taintedVars.add(callee.object.name);
+          }
+        }
+      };
+      simple(ast, visitors);
+      if (taintedVars.size === sizeBefore) break;
+    }
+  }
+  // ── Pass 3: Return Statement Sink Detection ───────────────────────
+  checkReturnStatements(ast, recordBoundVars, taintedVars) {
+    let violation = null;
+    const visitors = {
+      ReturnStatement: (node) => {
+        if (violation) return;
+        if (!node.argument) return;
+        if (this.isExpressionTainted(node.argument, recordBoundVars, taintedVars)) {
+          const line = node.loc?.start.line ? node.loc.start.line - 1 : void 0;
+          const operation = this.describeTaintSource(
+            node.argument,
+            recordBoundVars,
+            taintedVars
+          );
+          violation = {
+            reason: `PII side-channel detected: output contains values derived from restricted fields. ${operation ? `Operation: ${operation}. ` : ""}Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,
+            line,
+            operation
+          };
+        }
+      }
+    };
+    simple(ast, visitors);
+    return violation;
+  }
+  // ── Core Taint Evaluation ─────────────────────────────────────────
+  /**
+   * Recursively determines if an AST expression produces a tainted value.
+   * A value is tainted if it derives from a PII field on a record-bound variable.
+   */
+  isExpressionTainted(node, recordBoundVars, taintedVars) {
+    switch (node.type) {
+      case "Identifier":
+        return taintedVars.has(node.name);
+      case "MemberExpression":
+        return this.isMemberExprTainted(
+          node,
+          recordBoundVars,
+          taintedVars
+        );
+      case "CallExpression":
+        return this.isCallExprTainted(
+          node,
+          recordBoundVars,
+          taintedVars
+        );
+      case "YieldExpression": {
+        const yieldNode = node;
+        return yieldNode.argument ? this.isExpressionTainted(
+          yieldNode.argument,
+          recordBoundVars,
+          taintedVars
+        ) : false;
+      }
+      case "FunctionExpression":
+      case "ArrowFunctionExpression": {
+        const fn = node;
+        return this.doesCallbackProduceTaint(
+          fn,
+          null,
+          recordBoundVars,
+          taintedVars
+        );
+      }
+      case "BinaryExpression":
+      case "LogicalExpression": {
+        const bin = node;
+        return this.isExpressionTainted(bin.left, recordBoundVars, taintedVars) || this.isExpressionTainted(bin.right, recordBoundVars, taintedVars);
+      }
+      case "UnaryExpression": {
+        const unary = node;
+        return this.isExpressionTainted(
+          unary.argument,
+          recordBoundVars,
+          taintedVars
+        );
+      }
+      case "ConditionalExpression": {
+        const cond = node;
+        return this.isExpressionTainted(cond.test, recordBoundVars, taintedVars) || this.isExpressionTainted(
+          cond.consequent,
+          recordBoundVars,
+          taintedVars
+        ) || this.isExpressionTainted(cond.alternate, recordBoundVars, taintedVars);
+      }
+      case "ObjectExpression": {
+        const obj = node;
+        return obj.properties.some(
+          (prop) => prop.type === "Property" && this.isExpressionTainted(prop.value, recordBoundVars, taintedVars)
+        );
+      }
+      case "ArrayExpression": {
+        const arr = node;
+        return arr.elements.some(
+          (el) => el !== null && this.isExpressionTainted(el, recordBoundVars, taintedVars)
+        );
+      }
+      case "TemplateLiteral": {
+        const tmpl = node;
+        return tmpl.expressions.some(
+          (expr) => this.isExpressionTainted(expr, recordBoundVars, taintedVars)
+        );
+      }
+      case "SpreadElement": {
+        const spread = node;
+        return this.isExpressionTainted(
+          spread.argument,
+          recordBoundVars,
+          taintedVars
+        );
+      }
+      default:
+        return false;
+    }
+  }
+  /**
+   * Checks if a MemberExpression accesses a PII field on a record-bound variable.
+   * Examples: r.accountHolder, r["name"], taintedVar.length, taintedVar[0]
+   */
+  isMemberExprTainted(member, recordBoundVars, taintedVars) {
+    const propName = this.getPropertyName(member);
+    if (member.object.type === "Identifier" && recordBoundVars.has(member.object.name) && propName && this.piiFields.has(propName.toLowerCase())) {
+      return true;
+    }
+    if (member.object.type === "MemberExpression" && propName && this.piiFields.has(propName.toLowerCase())) {
+      const parentMember = member.object;
+      if (parentMember.computed && this.isEnvRecordsAccess(parentMember.object)) {
+        return true;
+      }
+    }
+    if (this.isExpressionTainted(member.object, recordBoundVars, taintedVars)) {
+      return true;
+    }
+    if (member.computed && member.object.type === "Identifier" && recordBoundVars.has(member.object.name)) {
+      if (member.property.type === "Literal") {
+        const litVal = member.property.value;
+        if (typeof litVal === "string" && this.piiFields.has(litVal.toLowerCase())) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  /**
+   * Checks if a CallExpression produces a tainted result.
+   * Handles: taintedObj.method(), env.records.map(r => r.piiField), etc.
+   */
+  isCallExprTainted(call, recordBoundVars, taintedVars) {
+    if (call.callee.type === "MemberExpression") {
+      const callee = call.callee;
+      const methodName = this.getPropertyName(callee);
+      if (methodName && _TaintAnalyzer.TAINT_PROPAGATING_METHODS.has(methodName) && this.isExpressionTainted(callee.object, recordBoundVars, taintedVars)) {
+        return true;
+      }
+      if (this.isEnvRecordsAccess(callee.object) && call.arguments[0]) {
+        const callback = call.arguments[0];
+        if (callback.type === "ArrowFunctionExpression" || callback.type === "FunctionExpression") {
+          return this.doesCallbackProduceTaint(
+            callback,
+            methodName,
+            recordBoundVars,
+            taintedVars
+          );
+        }
+      }
+      if (this.isExpressionTainted(callee.object, recordBoundVars, taintedVars)) {
+        return true;
+      }
+      if (call.arguments.some(
+        (arg) => this.isExpressionTainted(arg, recordBoundVars, taintedVars)
+      )) {
+        return true;
+      }
+    }
+    if (call.callee.type === "MemberExpression") {
+      const callee = call.callee;
+      const methodName = this.getPropertyName(callee);
+      if (methodName === "push" && callee.object.type === "Identifier" && call.arguments.some(
+        (arg) => this.isExpressionTainted(arg, recordBoundVars, taintedVars)
+      )) {
+        taintedVars.add(callee.object.name);
+      }
+    }
+    if (call.callee.type === "Identifier") {
+      const fnName = call.callee.name;
+      if (taintedVars.has(fnName)) {
+        return true;
+      }
+      const SAFE_GLOBALS = /* @__PURE__ */ new Set([
+        "Math",
+        "Number",
+        "parseInt",
+        "parseFloat",
+        "isNaN",
+        "isFinite"
+      ]);
+      if (!SAFE_GLOBALS.has(fnName)) {
+        return call.arguments.some(
+          (arg) => this.isExpressionTainted(arg, recordBoundVars, taintedVars)
+        );
+      }
+    }
+    return false;
+  }
+  /**
+   * Checks if an array method callback produces tainted output.
+   * e.g., env.records.map(r => r.name.charCodeAt(0)) → tainted result
+   */
+  doesCallbackProduceTaint(callback, methodName, recordBoundVars, taintedVars) {
+    const scopedRecordVars = new Set(recordBoundVars);
+    const scopedTaintedVars = new Set(taintedVars);
+    if (callback.params.length > 0) {
+      const isReduce = methodName !== null && _TaintAnalyzer.REDUCE_METHODS.has(methodName);
+      const recordParamIndex = isReduce ? 1 : 0;
+      if (callback.params.length > recordParamIndex && callback.params[recordParamIndex].type === "Identifier") {
+        scopedRecordVars.add(
+          callback.params[recordParamIndex].name
+        );
+      }
+    }
+    if (callback.type === "ArrowFunctionExpression" && callback.body.type !== "BlockStatement") {
+      return this.isExpressionTainted(
+        callback.body,
+        scopedRecordVars,
+        scopedTaintedVars
+      );
+    }
+    let hasTaintedReturnOrYield = false;
+    const returnVisitors = {
+      ReturnStatement: (node) => {
+        if (node.argument && this.isExpressionTainted(
+          node.argument,
+          scopedRecordVars,
+          scopedTaintedVars
+        )) {
+          hasTaintedReturnOrYield = true;
+        }
+      },
+      YieldExpression: (node) => {
+        const yieldNode = node;
+        if (yieldNode.argument && this.isExpressionTainted(
+          yieldNode.argument,
+          scopedRecordVars,
+          scopedTaintedVars
+        )) {
+          hasTaintedReturnOrYield = true;
+        }
+      }
+    };
+    simple(callback.body, returnVisitors);
+    return hasTaintedReturnOrYield;
+  }
+  // ── Utility Methods ───────────────────────────────────────────────
+  /** Extracts the property name from a MemberExpression (dot or bracket with string literal) */
+  getPropertyName(member) {
+    if (!member.computed && member.property.type === "Identifier") {
+      return member.property.name;
+    }
+    if (member.computed && member.property.type === "Literal") {
+      const val = member.property.value;
+      if (typeof val === "string") return val;
+    }
+    return null;
+  }
+  /** Checks if an expression resolves to `env.records` or `records` */
+  isEnvRecordsAccess(node) {
+    if (node.type === "MemberExpression") {
+      const member = node;
+      const propName = this.getPropertyName(member);
+      if (propName === "records" && member.object.type === "Identifier" && member.object.name === "env") {
+        return true;
+      }
+    }
+    if (node.type === "Identifier" && node.name === "records") {
+      return true;
+    }
+    return false;
+  }
+  /** Generates a human-readable description of the taint source for error messages */
+  describeTaintSource(node, recordBoundVars, taintedVars) {
+    if (node.type === "Identifier") {
+      const name = node.name;
+      if (taintedVars.has(name)) return `variable '${name}' is PII-derived`;
+    }
+    if (node.type === "ObjectExpression") {
+      const obj = node;
+      for (const prop of obj.properties) {
+        if (prop.type === "Property" && this.isExpressionTainted(prop.value, recordBoundVars, taintedVars)) {
+          const keyName = prop.key.type === "Identifier" ? prop.key.name : "unknown";
+          return `property '${keyName}' contains PII-derived value`;
+        }
+      }
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "MemberExpression") {
+        const methodName = this.getPropertyName(
+          call.callee
+        );
+        if (methodName) return `result of .${methodName}() on PII data`;
+      }
+    }
+    return void 0;
+  }
+};
+
+// src/server/ner-scanner.ts
+var MEDICAL_VOCABULARY = {
+  aspirin: "Medication",
+  lisinopril: "Medication",
+  metformin: "Medication",
+  amlodipine: "Medication",
+  atorvastatin: "Medication",
+  omeprazole: "Medication",
+  losartan: "Medication",
+  simvastatin: "Medication",
+  levothyroxine: "Medication",
+  ibuprofen: "Medication",
+  acetaminophen: "Medication",
+  amoxicillin: "Medication",
+  ciprofloxacin: "Medication",
+  prednisone: "Medication",
+  warfarin: "Medication",
+  insulin: "Medication",
+  hydrochlorothiazide: "Medication",
+  gabapentin: "Medication",
+  albuterol: "Medication",
+  pantoprazole: "Medication",
+  // Generic clinical terms
+  hypertension: "Condition",
+  diabetes: "Condition",
+  bronchitis: "Condition",
+  pneumonia: "Condition",
+  asthma: "Condition"
+};
+var MIN_TEXT_LENGTH = 4;
+var NON_TEXT_PATTERN = /^[\d\s.,:;!?()[\]{}<>@#$%^&*+=|\\/"'`~_-]+$/;
+var NerScanner = class _NerScanner {
+  static nlp = null;
+  /**
+   * Lazy loads the compromise library only when needed.
+   */
+  async getNlp() {
+    if (!_NerScanner.nlp) {
+      const mod = await import('compromise/three');
+      _NerScanner.nlp = mod.default || mod;
+      _NerScanner.nlp.addWords(MEDICAL_VOCABULARY);
+    }
+    return _NerScanner.nlp;
+  }
+  /**
+   * Scans a single string value for named entities.
+   * Returns detected entities if the text contains recognizable PII.
+   */
+  async scan(text) {
+    if (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {
+      return { detected: false, entities: [] };
+    }
+    const nlp = await this.getNlp();
+    const doc = nlp(text);
+    const entities = [];
+    const people = doc.people().out("array");
+    for (const person of people) {
+      const trimmed = person.trim();
+      if (trimmed.length >= MIN_TEXT_LENGTH) {
+        entities.push({ type: "person", text: trimmed });
+      }
+    }
+    const places = doc.places().out("array");
+    for (const place of places) {
+      const trimmed = place.trim();
+      if (trimmed.length >= MIN_TEXT_LENGTH) {
+        entities.push({ type: "place", text: trimmed });
+      }
+    }
+    const orgs = doc.organizations().out("array");
+    for (const org of orgs) {
+      const trimmed = org.trim();
+      if (trimmed.length >= MIN_TEXT_LENGTH) {
+        entities.push({ type: "organization", text: trimmed });
+      }
+    }
+    return {
+      detected: entities.length > 0,
+      entities
+    };
+  }
+  /**
+   * Recursively scans all string values within an object/array.
+   * Stops at the first detection for performance (fail-fast).
+   */
+  async scanDeep(input, seen = /* @__PURE__ */ new WeakSet()) {
+    if (input === null || input === void 0) {
+      return { detected: false, entities: [] };
+    }
+    if (typeof input === "string") {
+      return this.scan(input);
+    }
+    if (typeof input === "object") {
+      if (seen.has(input)) {
+        return { detected: false, entities: [] };
+      }
+      seen.add(input);
+      const values = Array.isArray(input) ? input : Object.values(input);
+      const allEntities = [];
+      for (const value of values) {
+        const result = await this.scanDeep(value, seen);
+        if (result.detected) {
+          allEntities.push(...result.entities);
+          if (result.entities.some((e) => e.type === "person")) {
+            return { detected: true, entities: allEntities };
+          }
+        }
+      }
+      return {
+        detected: allEntities.length > 0,
+        entities: allEntities
+      };
+    }
+    return { detected: false, entities: [] };
+  }
+};
+
+// src/server/output-sanitizer.ts
+var DEFAULT_CONFIG = {
+  maxDecimalPlaces: 4,
+  clampNonNegative: true
+};
+function sanitizeOutput(output, config) {
+  const merged = { ...DEFAULT_CONFIG, ...config };
+  const seen = /* @__PURE__ */ new WeakSet();
+  function walk(node) {
+    if (node === null || node === void 0) {
+      return node;
+    }
+    if (typeof node === "number") {
+      if (!Number.isFinite(node)) {
+        return node;
+      }
+      let value = node;
+      if (merged.clampNonNegative && value < 0) {
+        value = 0;
+      }
+      const factor = 10 ** merged.maxDecimalPlaces;
+      value = Math.round(value * factor) / factor;
+      return value;
+    }
+    if (typeof node === "string" || typeof node === "boolean") {
+      return node;
+    }
+    if (typeof node === "object") {
+      if (seen.has(node)) {
+        return node;
+      }
+      seen.add(node);
+      if (Array.isArray(node)) {
+        return node.map((item) => walk(item));
+      }
+      const result = {};
+      for (const [key, val] of Object.entries(
+        node
+      )) {
+        result[key] = walk(val);
+      }
+      return result;
+    }
+    return node;
+  }
+  return walk(output);
+}
+
+// src/server/pii.ts
+function isLuhnValid(cardNumber) {
+  const digits = cardNumber.replace(/\D/g, "");
+  if (digits.length < 13 || digits.length > 19) return false;
+  let sum = 0;
+  let isEven = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let digit = parseInt(digits.charAt(i), 10);
+    if (isEven) {
+      digit *= 2;
+      if (digit > 9) {
+        digit -= 9;
+      }
+    }
+    sum += digit;
+    isEven = !isEven;
+  }
+  return sum % 10 === 0;
+}
+function isIbanValid(iban) {
+  const sanitized = iban.replace(/\s+/g, "").toUpperCase();
+  if (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized)) return false;
+  const rearranged = sanitized.substring(4) + sanitized.substring(0, 4);
+  let numericString = "";
+  for (let i = 0; i < rearranged.length; i++) {
+    const charCode = rearranged.charCodeAt(i);
+    if (charCode >= 65 && charCode <= 90) {
+      numericString += (charCode - 55).toString();
+    } else if (charCode >= 48 && charCode <= 57) {
+      numericString += rearranged.charAt(i);
+    } else {
+      return false;
+    }
+  }
+  try {
+    return BigInt(numericString) % 97n === 1n;
+  } catch (_e) {
+    return false;
+  }
+}
+var PII_PATTERNS = {
+  EMAIL: {
+    name: "EMAIL",
+    pattern: /\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b/gi,
+    validator: (match) => !match.endsWith("@example.com") && !match.endsWith("@test.com")
+  },
+  CREDIT_CARD: {
+    name: "CREDIT_CARD",
+    pattern: /\b(?:\d[ -]*?){13,16}\b/g,
+    validator: isLuhnValid
+  },
+  IP_ADDRESS: {
+    name: "IP_ADDRESS",
+    pattern: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+    validator: (match) => {
+      const safeIps = ["127.0.0.1", "0.0.0.0", "255.255.255.255"];
+      if (safeIps.includes(match)) return false;
+      const parts = match.split(".").map(Number);
+      return parts.every((p) => p >= 0 && p <= 255);
+    }
+  },
+  PHONE: {
+    name: "PHONE",
+    // Strict boundary to avoid matching long numeric IDs wrapped in symbols
+    pattern: /(?:(?:\+?\d{1,3}[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4})\b/g,
+    validator: (match) => {
+      const digits = match.replace(/\D/g, "");
+      if (digits.length < 7 || digits.length > 15) return false;
+      if (/^(\d)\1+$/.test(digits)) return false;
+      if (digits === "1234567890") return false;
+      return true;
+    }
+  },
+  SSN: {
+    name: "SSN",
+    pattern: /\b\d{3}[- ]?\d{2}[- ]?\d{4}\b/g,
+    validator: (match) => {
+      const digits = match.replace(/\D/g, "");
+      if (digits.length !== 9) return false;
+      const area = parseInt(digits.substring(0, 3), 10);
+      if (area === 0 || area === 666 || area >= 900) return false;
+      const group = parseInt(digits.substring(3, 5), 10);
+      if (group === 0) return false;
+      const serial = parseInt(digits.substring(5, 9), 10);
+      if (serial === 0) return false;
+      if (/^(\d)\1+$/.test(digits) || digits === "123456789") return false;
+      return true;
+    }
+  },
+  IBAN: {
+    name: "IBAN",
+    pattern: /\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\b/gi,
+    validator: isIbanValid
+  },
+  PASSPORT_MRZ: {
+    name: "PASSPORT_MRZ",
+    // Machina Readable Zone line match for standard international passports
+    pattern: /\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\b|\s|$)/g
+  }
+};
+var PII_PRESETS = {
+  GLOBAL_STRICT: [
+    PII_PATTERNS.EMAIL,
+    PII_PATTERNS.CREDIT_CARD,
+    PII_PATTERNS.IP_ADDRESS,
+    PII_PATTERNS.PHONE,
+    PII_PATTERNS.PASSPORT_MRZ,
+    PII_PATTERNS.IBAN
+  ],
+  US_COMPLIANT: [
+    PII_PATTERNS.EMAIL,
+    PII_PATTERNS.CREDIT_CARD,
+    PII_PATTERNS.IP_ADDRESS,
+    PII_PATTERNS.PHONE,
+    PII_PATTERNS.SSN,
+    PII_PATTERNS.PASSPORT_MRZ
+  ],
+  EU_GDPR: [
+    PII_PATTERNS.EMAIL,
+    PII_PATTERNS.CREDIT_CARD,
+    PII_PATTERNS.IP_ADDRESS,
+    PII_PATTERNS.PHONE,
+    PII_PATTERNS.IBAN,
+    PII_PATTERNS.PASSPORT_MRZ
+  ]
+};
+var PiiScanner = class _PiiScanner {
+  patterns;
+  forbiddenKeysSet;
+  nerScanner;
+  /**
+   * Safelist of keys that contain forbidden substrings but are NOT PII.
+   * Prevents false positives from fuzzy matching (e.g., "grid" contains "id").
+   */
+  static KEY_SAFELIST = /* @__PURE__ */ new Set([
+    // Common words containing "id" substring
+    "grid",
+    "video",
+    "android",
+    "identity",
+    "provide",
+    "override",
+    "validate",
+    "hidden",
+    "widget",
+    "guidelines",
+    "beside",
+    "guideline",
+    "outside",
+    "inside",
+    "collide",
+    "decide",
+    "divide",
+    "aside",
+    "ride",
+    "side",
+    "wide",
+    "hide",
+    "tide",
+    "pride",
+    "bride",
+    "slide",
+    "guide",
+    "stride",
+    "oxide",
+    "dioxide",
+    "suicide",
+    "homicide",
+    "pesticide",
+    "valid",
+    "invalid",
+    "void",
+    "avoid",
+    // Common words containing "name" substring
+    "diagnosis",
+    "medication",
+    "namespace",
+    "namesake",
+    "rename",
+    "filename",
+    "hostname",
+    "typename",
+    "unnamed",
+    "renamed",
+    // Common words containing "phone" substring
+    "phonetic",
+    "phoneme",
+    "microphone",
+    "headphone",
+    "telephone",
+    "saxophone",
+    "smartphone",
+    // Common words containing "address" substring
+    "streetview",
+    "addressable",
+    "addressing",
+    // Common words containing "city" substring
+    "cityscape",
+    "electricity",
+    "capacity",
+    "velocity",
+    "opacity",
+    // Common technical terms
+    "timestamp",
+    "timezone",
+    // LIOP Protocol Internal Keys (must never be blocked)
+    "image_id",
+    "computation_result",
+    "zk_receipt",
+    "testid",
+    "toolid",
+    "sessionid",
+    "peerid",
+    "nodeid",
+    "requestid",
+    "correlationid",
+    "traceid",
+    "spanid"
+  ]);
+  /**
+   * Short forbidden tokens (< 4 chars) that require boundary-aware matching.
+   * Uses regex boundary detection to avoid false positives.
+   */
+  shortTokenBoundaryPatterns;
+  /**
+   * Long forbidden tokens (>= 4 chars) that use substring containment.
+   */
+  longForbiddenTokens;
+  constructor(patterns = [], forbiddenKeys = [], nerScanner) {
+    this.patterns = patterns;
+    this.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));
+    this.nerScanner = nerScanner ?? null;
+    this.shortTokenBoundaryPatterns = /* @__PURE__ */ new Map();
+    this.longForbiddenTokens = [];
+    for (const token of this.forbiddenKeysSet) {
+      if (token.length < 4) {
+        this.shortTokenBoundaryPatterns.set(
+          token,
+          new RegExp(
+            (() => {
+              const ciPattern = token.split("").map((c) => `[${c.toLowerCase()}${c.toUpperCase()}]`).join("");
+              const camelPattern = `[a-z]${token.charAt(0).toUpperCase()}${token.slice(1)}`;
+              return `(?:^|[_-])${ciPattern}(?:$|[_-])|${camelPattern}(?:$|[A-Z_-])|^${ciPattern}$`;
+            })()
+          )
+        );
+      } else {
+        this.longForbiddenTokens.push(token);
+      }
+    }
+  }
+  /**
+   * Scans any input (string, object, array) for PII violations.
+   * Returns the pattern/rule name that triggered the violation, or null if safe.
+   *
+   * Detection pipeline (fail-fast):
+   *   1. Exact key match (O(1) Set lookup)
+   *   2. Fuzzy key match (boundary detection for short tokens, substring for long)
+   *   3. Regex/algorithmic pattern match on string values
+   *   4. NER content scan on string values (if enabled)
+   */
+  async scan(input, seen = /* @__PURE__ */ new WeakSet()) {
+    if (input === null || input === void 0) return null;
+    if (typeof input === "string") {
+      const trimmed = input.trim();
+      if (trimmed.startsWith("{") && trimmed.endsWith("}") || trimmed.startsWith("[") && trimmed.endsWith("]")) {
+        try {
+          const parsed = JSON.parse(trimmed);
+          const violation = await this.scan(parsed, seen);
+          if (violation) return violation;
+        } catch (_e) {
+        }
+      }
+      const patternViolation = this.checkString(input);
+      if (patternViolation) return patternViolation;
+      if (this.nerScanner) {
+        const nerResult = await this.nerScanner.scan(input);
+        if (nerResult.detected) {
+          const personEntity = nerResult.entities.find(
+            (e) => e.type === "person"
+          );
+          if (personEntity) {
+            return `PII Entity Detected: person name "${personEntity.text}"`;
+          }
+        }
+      }
+      return null;
+    }
+    if (typeof input === "object") {
+      if (seen.has(input)) return null;
+      seen.add(input);
+      if (Array.isArray(input)) {
+        for (const element of input) {
+          const violation = await this.scan(element, seen);
+          if (violation) return violation;
+        }
+      } else {
+        for (const [key, value] of Object.entries(
+          input
+        )) {
+          if (this.forbiddenKeysSet.has(key.toLowerCase())) {
+            return `Forbidden Key: ${key}`;
+          }
+          const fuzzyViolation = this.checkKeyFuzzy(key);
+          if (fuzzyViolation) return fuzzyViolation;
+          const violation = await this.scan(value, seen);
+          if (violation) return violation;
+        }
+      }
+    }
+    return null;
+  }
+  /**
+   * Checks a key against fuzzy matching rules.
+   * Short tokens use boundary-aware regex; long tokens use substring containment.
+   */
+  checkKeyFuzzy(key) {
+    const normalized = key.toLowerCase();
+    if (_PiiScanner.KEY_SAFELIST.has(normalized)) return null;
+    for (const [token, pattern] of this.shortTokenBoundaryPatterns) {
+      if (pattern.test(key)) {
+        return `Forbidden Key (fuzzy): ${key} matches boundary pattern "${token}"`;
+      }
+    }
+    for (const token of this.longForbiddenTokens) {
+      if (normalized.includes(token)) {
+        return `Forbidden Key (fuzzy): ${key} contains restricted token "${token}"`;
+      }
+    }
+    return null;
+  }
+  checkString(text) {
+    for (const rule of this.patterns) {
+      if (typeof rule === "string") {
+        if (text.toLowerCase().includes(rule.toLowerCase())) {
+          return rule;
+        }
+      } else if (rule instanceof RegExp) {
+        if (rule.global) rule.lastIndex = 0;
+        if (rule.test(text)) {
+          return rule.source;
+        }
+      } else if (typeof rule === "object" && rule !== null) {
+        const def = rule;
+        if (typeof def.pattern === "string") {
+          if (text.toLowerCase().includes(def.pattern.toLowerCase())) {
+            if (!def.validator || def.validator(def.pattern)) {
+              return def.name;
+            }
+          }
+        } else if (def.pattern instanceof RegExp) {
+          if (def.pattern.global) def.pattern.lastIndex = 0;
+          let match = def.pattern.exec(text);
+          while (match !== null) {
+            const matchedText = match[0];
+            if (!def.validator || def.validator(matchedText)) {
+              return def.name;
+            }
+            if (!def.pattern.global) break;
+            match = def.pattern.exec(text);
+          }
+        }
+      }
+    }
+    return null;
+  }
+};
+
+// src/server/index.ts
+var __dirname2 = path.dirname(fileURLToPath(import.meta.url));
+var LiopServer = class _LiopServer {
+  constructor(serverInfo, config) {
+    this.serverInfo = serverInfo;
+    this.config = config;
+    const nerScanner = this.config?.security?.enableNerScanning ? new NerScanner() : null;
+    this.piiScanner = new PiiScanner(
+      this.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT,
+      this.config?.security?.forbiddenKeys ?? [
+        "id",
+        "name",
+        "fullName",
+        "firstName",
+        "lastName",
+        "address",
+        "street",
+        "city",
+        "postalCode",
+        "zipCode",
+        "phone",
+        "email",
+        "ssn",
+        "accountHolder",
+        "accountNumber",
+        "account_number",
+        "password",
+        "token",
+        "secret",
+        "privateKey"
+      ],
+      nerScanner
+    );
+    const rlConfig = this.config?.security?.rateLimit;
+    this.toolCallWindowMs = rlConfig?.windowMs ?? Number.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? "60000", 10);
+    this.toolCallMaxPerWindow = rlConfig?.maxPerWindow ?? Number.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? "15", 10);
+    this.globalCallMaxPerWindow = rlConfig?.globalMaxPerWindow ?? Number.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX ?? "40", 10);
+    const forbiddenKeys = this.config?.security?.forbiddenKeys ?? [
+      "id",
+      "name",
+      "fullName",
+      "firstName",
+      "lastName",
+      "address",
+      "street",
+      "city",
+      "postalCode",
+      "zipCode",
+      "phone",
+      "email",
+      "ssn",
+      "accountHolder",
+      "accountNumber",
+      "account_number",
+      "password",
+      "token",
+      "secret",
+      "privateKey"
+    ];
+    const sensitiveKeys = this.config?.security?.sensitiveKeys ?? [];
+    this.taintAnalyzer = new TaintAnalyzer(forbiddenKeys, sensitiveKeys);
+    const isTS = import.meta.url.endsWith(".ts");
+    const workerExt = isTS ? ".ts" : ".js";
+    let execArgv = [];
+    if (isTS) {
+      try {
+        const req = createRequire(import.meta.url);
+        const tsxPkg = req.resolve("tsx/package.json");
+        const absoluteTsx = pathToFileURL(
+          path.join(path.dirname(tsxPkg), "dist", "loader.mjs")
+        ).href;
+        execArgv = ["--import", absoluteTsx];
+      } catch (_e) {
+        execArgv = ["--import", "tsx"];
+      }
+    }
+    const isTest = process.env.NODE_ENV === "test" || process.env.VITEST;
+    if (this.config?.capabilities && !this.serverInfo.capabilities) {
+      this.serverInfo.capabilities = this.config.capabilities;
+    }
+    const workerPaths = [
+      path.resolve(__dirname2, `./workers/logic-execution${workerExt}`),
+      // Flat dist/ (tsup)
+      path.resolve(__dirname2, `../workers/logic-execution${workerExt}`)
+      // Original src/
+    ];
+    const workerFilename = workerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];
+    this.workerPool = new Piscina({
+      filename: workerFilename,
+      minThreads: this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2),
+      maxThreads: this.config?.workerPool?.maxThreads ?? (isTest ? 1 : 8),
+      idleTimeout: this.config?.workerPool?.idleTimeout ?? (isTest ? 500 : 5e3),
+      maxQueue: this.config?.workerPool?.maxQueue ?? "auto",
+      taskQueue: new FixedQueue(),
+      execArgv,
+      // [DoS Defense] Enforce hard memory ceiling per worker thread.
+      // Workers exceeding this limit are terminated by Node.js runtime.
+      resourceLimits: {
+        maxOldGenerationSizeMb: this.config?.workerPool?.maxHeapMb ?? Number.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? "64", 10)
+      }
+    });
+    const minThreads = this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2);
+    if (this.workerPool && minThreads > 0) {
+      for (let i = 0; i < minThreads; i++) {
+        this.workerPool.run({ isWarmup: true }).catch((err) => {
+          log.debug(
+            `[LiopServer] Worker pool warm-up ping failed: ${err.message}`
+          );
+        });
+      }
+    }
+    if (this.config?.auth?.role === "nexus") {
+      const issuer = this.config.auth.issuer || "http://localhost:3000";
+      const audience = this.config.auth.audience || AUTH_DEFAULTS.audience;
+      const clients = this.config.auth.clients || [
+        {
+          client_id: process.env.LIOP_OAUTH_CLIENT_ID || "liop-mesh-agent",
+          client_secret: process.env.LIOP_OAUTH_CLIENT_SECRET || "dev-secret-change-me",
+          grant_types: ["client_credentials"],
+          scope: "liop:tools:call liop:tools:list liop:resources:read liop:schema:read liop:mesh:query"
+        }
+      ];
+      const { provider, jwks } = createOAuthServer({
+        issuer,
+        clients
+      });
+      this.oauthProvider = provider;
+      this.jwtValidator = new JwtValidator(issuer, audience, jwks);
+    } else if (this.config?.auth?.role === "node") {
+      const nexusUrl = this.config.auth.nexusUrl || process.env.LIOP_NEXUS_URL || "http://localhost:3000";
+      const audience = this.config.auth.audience || AUTH_DEFAULTS.audience;
+      const baseUrl = nexusUrl.endsWith("/oidc") ? nexusUrl : `${nexusUrl}/oidc`;
+      const jwksUri = new URL(`${baseUrl}/jwks`);
+      this.jwtValidator = new JwtValidator(nexusUrl, audience, jwksUri);
+    }
+    this.resource(
+      "LIOP Envelope Specification",
+      "liop://protocol/envelope-spec",
+      "Complete Logic-on-Origin envelope format, execution rules, and security constraints",
+      "text/plain",
+      () => Promise.resolve(this.buildEnvelopeSpec())
+    );
+    if (this.config?.auth?.revocationPath) {
+      this.loadRevocationList();
+    }
+  }
+  logicCache = /* @__PURE__ */ new Map();
+  connectionStats = /* @__PURE__ */ new Map();
+  CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
+  // 24 hours
+  THROTTLE_THRESHOLD = 5;
+  THROTTLE_COOLDOWN_MS = 60 * 1e3;
+  // 60 seconds
+  // [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration
+  toolCallWindows = /* @__PURE__ */ new Map();
+  toolCallMaxPerWindow;
+  toolCallWindowMs;
+  // [OWASP-A01] Global cross-tool rate limiter — prevents distributed micro-query attacks
+  globalCallWindow = [];
+  globalCallMaxPerWindow;
+  // [DP] Query Budget — tracks per-field query counts to prevent multi-query differencing
+  // Structure: clientId -> toolName -> field -> count
+  fieldQueryBudget = /* @__PURE__ */ new Map();
+  // [SEC] AST-level taint tracker for PII side-channel prevention
+  taintAnalyzer;
+  tools = /* @__PURE__ */ new Map();
+  resources = /* @__PURE__ */ new Map();
+  prompts = /* @__PURE__ */ new Map();
+  activeSchema = null;
+  sandboxRecords = [];
+  piiScanner;
+  workerPool;
+  meshNode = null;
+  rpcServer = null;
+  boundPort = null;
+  jwtValidator;
+  // biome-ignore lint/suspicious/noExplicitAny: Loaded dynamically in Phase C
+  oauthProvider;
+  sessions = /* @__PURE__ */ new Map();
+  revokedTokenHashes = /* @__PURE__ */ new Set();
+  lastRevocationLoadTime = 0;
+  // Compact envelope: @LIOP{target,name}\n<code>\n@END
+  static LIOP_COMPACT_REGEX = /@LIOP\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\}\n(?<logic>[\s\S]*?)\n@END/m;
+  extractLogic(payload) {
+    const compact = payload.match(_LiopServer.LIOP_COMPACT_REGEX);
+    return compact?.groups?.logic ? compact.groups.logic.trim() : null;
+  }
+  parseUnknownJson(input) {
+    if (typeof input !== "string") return input;
+    const trimmed = input.trim();
+    if (trimmed.startsWith("{") && trimmed.endsWith("}") || trimmed.startsWith("[") && trimmed.endsWith("]")) {
+      try {
+        return JSON.parse(trimmed);
+      } catch {
+        return input;
+      }
+    }
+    return input;
+  }
+  runPreflightPolicy(_toolName, logic, policy, clientId = "local-client") {
+    if (policy) {
+      const compact = logic.replace(/\s+/g, " ");
+      if (policy.enforceAggregationFirst) {
+        const rowExtractionPatterns = [
+          // Block raw record dumps but allow safe aggregation chains
+          // (.reduce, .length, .filter().length, .every, .some)
+          /return\s+env\.records(?!\s*\.\s*(?:reduce|length|filter|every|some|find)\b)/i,
+          /return\s*\{[\s\S]*\b(accounts|patients|rows|records)\s*:\s*env\.records(?!\s*\.\s*(?:reduce|length|filter)\b)/i
+        ];
+        if (rowExtractionPatterns.some((p) => p.test(compact))) {
+          return "Preflight policy rejected: potential row-level export pattern detected.";
+        }
+      }
+      if (policy.preflightDenyPatterns?.some((p) => p.test(compact))) {
+        return "Preflight policy rejected: custom deny pattern matched.";
+      }
+    }
+    let minMaxThreshold = 50;
+    if (typeof policy?.enforceAggregationFirst === "object") {
+      minMaxThreshold = policy.enforceAggregationFirst.minMaxBlockThreshold ?? 50;
+    }
+    const taintViolation = this.taintAnalyzer.analyze(
+      logic,
+      this.sandboxRecords.length,
+      minMaxThreshold
+    );
+    if (taintViolation) {
+      return `Preflight policy rejected: ${taintViolation.reason}`;
+    }
+    const extractedFields = this.taintAnalyzer.extractQueriedFields(logic);
+    if (extractedFields.length > 0) {
+      const storePath = policy?.budgetStorePath || this.config?.budgetStorePath;
+      if (storePath) {
+        try {
+          const budgetError = this.executeWithBudgetLock(
+            storePath,
+            (budget) => {
+              const clientBudget = budget[clientId] || {};
+              const toolBudget = clientBudget[_toolName] || {};
+              for (const field of extractedFields) {
+                const sensitivity = this.taintAnalyzer.classifyField(
+                  field,
+                  policy?.sensitiveKeys
+                );
+                let queryLimit = 25;
+                let sensLabel = "public";
+                if (policy?.queryBudgetPerField !== void 0) {
+                  queryLimit = policy.queryBudgetPerField;
+                  sensLabel = "override";
+                } else if (sensitivity === "forbidden") {
+                  queryLimit = 3;
+                  sensLabel = "forbidden";
+                } else if (sensitivity === "sensitive") {
+                  queryLimit = 8;
+                  sensLabel = "sensitive";
+                }
+                const count = toolBudget[field] ?? 0;
+                if (count >= queryLimit) {
+                  return {
+                    result: `Preflight policy rejected: Query budget exceeded for field '${field}' (max ${queryLimit} per session for ${sensLabel} fields). Rotate PQC session to reset budget.`
+                  };
+                }
+              }
+              const updatedToolBudget = { ...toolBudget };
+              for (const field of extractedFields) {
+                updatedToolBudget[field] = (updatedToolBudget[field] ?? 0) + 1;
+              }
+              const updatedClientBudget = { ...clientBudget };
+              updatedClientBudget[_toolName] = updatedToolBudget;
+              const updatedBudget = { ...budget };
+              updatedBudget[clientId] = updatedClientBudget;
+              return { result: null, updatedBudget };
+            }
+          );
+          if (budgetError) {
+            return budgetError;
+          }
+        } catch (e) {
+          const errorMsg = e instanceof Error ? e.message : String(e);
+          log.error(
+            `[LIOP-Server] Error applying persistent query budget: ${errorMsg}. Falling back to in-memory.`
+          );
+          const inMemoryError = this.applyInMemoryBudget(
+            clientId,
+            _toolName,
+            extractedFields,
+            policy
+          );
+          if (inMemoryError) return inMemoryError;
+        }
+      } else {
+        const inMemoryError = this.applyInMemoryBudget(
+          clientId,
+          _toolName,
+          extractedFields,
+          policy
+        );
+        if (inMemoryError) return inMemoryError;
+      }
+    }
+    return null;
+  }
+  validateOutputPolicy(toolName, output, policy) {
+    if (!policy) return null;
+    const parsed = this.parseUnknownJson(output);
+    if (parsed && typeof parsed === "object" && parsed.isError === true) {
+      return null;
+    }
+    if (policy.outputSchema) {
+      const effectiveSchema = (() => {
+        if (!(policy.outputSchema instanceof z.ZodObject)) {
+          return policy.outputSchema;
+        }
+        const obj = policy.outputSchema;
+        const def = obj.def || obj._def;
+        if (def && def.catchall !== void 0 && !(def.catchall instanceof z.ZodNever)) {
+          return obj;
+        }
+        return obj.strict();
+      })();
+      const schemaResult = effectiveSchema.safeParse(parsed);
+      if (!schemaResult.success) {
+        return `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues.map((i) => `${i.path.join(".") || "<root>"} ${i.message}`).join(
+          "; "
+        )}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;
+      }
+    }
+    if (policy.enforceAggregationFirst && this.violatesAggregationFirstPolicy(
+      this.unwrapForAggregationPolicyScan(parsed),
+      policy.enforceAggregationFirst,
+      this.sandboxRecords.length
+    )) {
+      const isDev = process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test" || process.env.LIOP_SEC_VERBOSE === "1";
+      return isDev ? "Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. Ensure dataset size > 10 for detailed results." : "Aggregation-First Policy Violation: Output blocked due to privacy constraints.";
+    }
+    return null;
+  }
+  /**
+   * Proxied tools stringify a full MCP CallToolResult (`{ content: [...] }`).
+   * Aggregation-first heuristics must scan the inner business JSON, not the MCP envelope
+   * (otherwise `content` looks like a tabular array of objects and everything blocks).
+   */
+  unwrapForAggregationPolicyScan(input) {
+    if (typeof input === "string") {
+      const trimmed = input.trim();
+      if (trimmed.startsWith("{") && trimmed.endsWith("}") || trimmed.startsWith("[") && trimmed.endsWith("]")) {
+        try {
+          return this.unwrapForAggregationPolicyScan(JSON.parse(trimmed));
+        } catch {
+          return input;
+        }
+      }
+      return input;
+    }
+    if (!input || typeof input !== "object") {
+      return input;
+    }
+    const rec = input;
+    if (rec.computation_result !== void 0) {
+      return this.unwrapForAggregationPolicyScan(rec.computation_result);
+    }
+    if (!Array.isArray(rec.content) || rec.content.length === 0) {
+      return input;
+    }
+    const texts = [];
+    for (const part of rec.content) {
+      if (part && typeof part === "object" && "text" in part) {
+        const t = part.text;
+        if (typeof t === "string") {
+          texts.push(t);
+        }
+      }
+    }
+    if (texts.length === 0) {
+      return input;
+    }
+    const joined = texts.length === 1 ? texts[0] : texts.join("\n");
+    return this.unwrapForAggregationPolicyScan(joined);
+  }
+  violatesAggregationFirstPolicy(input, policyObj, recordsCount) {
+    if (!policyObj) {
+      return false;
+    }
+    const maxRows = typeof policyObj === "object" && typeof policyObj.maxOutputRows === "number" ? policyObj.maxOutputRows : 10;
+    const allowPrimitives = typeof policyObj === "object" && typeof policyObj.allowPrimitiveArrays === "boolean" ? policyObj.allowPrimitiveArrays : true;
+    if (typeof input === "string") {
+      const trimmed = input.trim();
+      if (trimmed.startsWith("{") && trimmed.endsWith("}") || trimmed.startsWith("[") && trimmed.endsWith("]")) {
+        try {
+          return this.violatesAggregationFirstPolicy(
+            JSON.parse(trimmed),
+            policyObj,
+            recordsCount
+          );
+        } catch {
+          return false;
+        }
+      }
+      return false;
+    }
+    if (Array.isArray(input)) {
+      if (input.length > 0 && input.every((item) => typeof item === "object" && item !== null)) {
+        if (input.length > maxRows) {
+          return true;
+        }
+        return input.some(
+          (item) => this.violatesAggregationFirstPolicy(item, policyObj, recordsCount)
+        );
+      }
+      if (input.length > 0 && input.every((item) => typeof item !== "object" || item === null)) {
+        if (!allowPrimitives) return true;
+        return false;
+      }
+      return input.some(
+        (item) => this.violatesAggregationFirstPolicy(item, policyObj, recordsCount)
+      );
+    }
+    if (input && typeof input === "object") {
+      const keys = Object.keys(input);
+      if (recordsCount !== void 0 && recordsCount > 0 && recordsCount < 10) {
+        if (keys.length > 3) return true;
+        const values = Object.values(input);
+        if (values.some(
+          (v) => Array.isArray(v) || typeof v === "object" && v !== null
+        )) {
+          return true;
+        }
+      }
+      if (keys.length > maxRows) {
+        return true;
+      }
+      return Object.values(input).some(
+        (value) => this.violatesAggregationFirstPolicy(value, policyObj, recordsCount)
+      );
+    }
+    return false;
+  }
+  /**
+   * Builds the centralized LIOP envelope specification document.
+   * Served as a single Resource (liop://protocol/envelope-spec) instead
+   * of being duplicated across every tool description.
+   */
+  buildEnvelopeSpec() {
+    const lines = [
+      "LIOP v1 Envelope Specification",
+      "================================",
+      "",
+      "FORMAT:",
+      "",
+      "Compact Envelope:",
+      "  @LIOP{wasi_v1,TaskName}",
+      "  <JavaScript code>",
+      "  @END",
+      "",
+      "RUNTIME ENVIRONMENT:",
+      "- env.records: Array of data objects from the origin",
+      "- Must use 'return' to output results",
+      "- Zero-Trust WASI Sandbox (Node.js Worker Pool)",
+      "- Return aggregated objects, NOT raw row-level arrays",
+      "",
+      "SANDBOX RUNTIME RESTRICTIONS & WORKAROUNDS:",
+      "- Date is poisoned: The 'Date' class/constructor is undefined (Date.now(), Date.parse(), etc. will throw).",
+      "  Workaround: Use lexicographical string comparison on ISO 8601 date strings (e.g., record.date >= '2024-01-01').",
+      "- Poisoned globals: eval, Function, setTimeout, setInterval, Buffer, ArrayBuffer, and TypedArrays are undefined.",
+      "- Frozen prototypes: Any modifications to Object.prototype, Array.prototype, etc., are blocked.",
+      "",
+      "SECURITY CONSTRAINTS:",
+      "- PII Egress Shield blocks raw identifiers in output",
+      "- Aggregation-First policy: prefer counts, averages, summaries",
+      "- AST Guardian: static analysis before execution",
+      "",
+      "DIFFERENTIAL PRIVACY (DP) MECHANISM (Laplace Mechanism):",
+      "- Default field noise scale is derived from node global sensitivity.",
+      "- COUNT / LENGTH Optimization: To obtain EXACT counts without noise (sensitivity=1),",
+      "  the return keys MUST contain 'count', 'length', 'size', 'num', 'positive', 'negative',",
+      "  or start with 'total_' or 'num_' (e.g. 'total_tx', 'credits_count').",
+      "- AVERAGE Optimization: Keys containing 'avg', 'mean' or 'average' scale noise",
+      "  down automatically by dividing sensitivity by dataset size (sensitivity / n).",
+      "- SUM / OTHER queries: Receive full Laplace noise based on global node sensitivity",
+      "  (e.g., Sensitivity=100,000 in Bank to protect balances)."
+    ];
+    if (this.config?.security?.forbiddenKeys?.length) {
+      lines.push(
+        `- Restricted fields: ${this.config.security.forbiddenKeys.join(", ")}`
+      );
+    }
+    lines.push(
+      "",
+      "TAINT TRACKING (Phase 108):",
+      "- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)",
+      "- Operations on restricted fields are tracked through variable assignments",
+      "- Boolean inference (field.charCodeAt(0) < N ? 1 : 0) is blocked",
+      "- Allowed: aggregations on non-PII fields (balance, amount, date)",
+      "",
+      "K-ANONYMITY THRESHOLDS:",
+      "- Small Datasets (< 10 records): Maximum of 3 scalar output fields. Nesting or arrays in output are strictly forbidden.",
+      "- Large Datasets (>= 10 records): Maximum of 10 output fields.",
+      "",
+      "RATE LIMITS (OWASP A01):",
+      "- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)",
+      "- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)",
+      "",
+      "OPTIONAL PARAMETERS:",
+      "- __liop_bypass_ast_cache: boolean (force AST re-evaluation)",
+      "",
+      "QUERY BUDGET TIERS (NIST SP 800-226):",
+      "- FORBIDDEN (PII fields like name, accountHolder): Blocked in AST preflight. Never executed, does not consume budget.",
+      "- SENSITIVE (fields marked via sensitiveKeys): 8 queries per agent identity (or queryBudgetPerField override).",
+      "- PUBLIC (all other fields): 25 queries per agent identity.",
+      "- PERSISTENCE: The budget is tracked by agent DID and persisted to disk, NOT by MCP session.",
+      "  Reconnecting or starting a new session does NOT reset the budget.",
+      "  Reset requires: administrator calling resetFieldBudget() or manual deletion of the budget store file.",
+      "",
+      "AUTHENTICATION (tokenSlug Convention):",
+      "- Restricted nodes declare authRequired: true in their manifest.",
+      "- Token resolution: LIOP_TOKEN_<tokenSlug> (deterministic) > LIOP_TOKEN_<PeerID> > LIOP_TOKEN_<ProviderName>",
+      "- Format: tokenSlug must match SCREAMING_SNAKE_CASE /^[A-Z][A-Z0-9_]*$/ (e.g., BANK, VAULT, HFT_ORACLE)."
+    );
+    return lines.join("\n");
+  }
+  /**
+   * Extracts a compact, human-readable field summary from a JSON Schema.
+   *
+   * Walks the schema structure to find actual data property names and types,
+   * rather than returning top-level schema metadata keys (type, items, etc.).
+   *
+   * Example output for a banking schema:
+   *   "Array of {id(string), accountHolder(string), balance(number), transactions(array of {date(string), amount(number)})}"
+   */
+  extractSchemaFieldSummary(schema, depth = 0) {
+    if (depth > 3) return "{...}";
+    const schemaType = schema.type;
+    const properties = schema.properties;
+    const items = schema.items;
+    if (properties) {
+      const fields = Object.entries(properties).map(([key, prop]) => {
+        const propType = prop.type;
+        if (propType === "array" && prop.items) {
+          const nested = this.extractSchemaFieldSummary(
+            prop.items,
+            depth + 1
+          );
+          return `${key}(array of ${nested})`;
+        }
+        if (propType === "object" && prop.properties) {
+          const nested = this.extractSchemaFieldSummary(prop, depth + 1);
+          return `${key}(${nested})`;
+        }
+        return `${key}(${propType || "unknown"})`;
+      });
+      return `{${fields.join(", ")}}`;
+    }
+    if (schemaType === "array" && items) {
+      const itemsSummary = this.extractSchemaFieldSummary(items, depth + 1);
+      return `Array of ${itemsSummary}`;
+    }
+    if (schemaType) return schemaType;
+    return Object.keys(schema).join(", ");
+  }
+  /**
+   * Convenience alias for connectToMesh(), matching official documentation.
+   */
+  async connect(options = {}) {
+    return this.connectToMesh(options);
+  }
+  /**
+   * Register a new Tool
+   */
+  tool(name, description, shape, handler, policy) {
+    if (this.tools.has(name)) {
+      throw new Error(`Tool already registered: ${name}`);
+    }
+    const schema = z.object(shape);
+    const generatedSchema = z.toJSONSchema(schema, { target: "draft-07" });
+    let finalDescription = description;
+    let finalHandler = handler;
+    if (shape.payload && shape.payload instanceof z.ZodString) {
+      const blockedKeys = this.config?.security?.forbiddenKeys || [];
+      finalDescription += "\n\nPayload: LIOP v1 envelope (WASI sandbox). Format: @LIOP{wasi_v1,TaskName}\\n<JS code>\\n@END | Access data: env.records. Return aggregated object. Note: If dataset size < 10 (synthetic demo), Egress K-Anonymity blocks output if it has >3 keys or any array/nested object. | Full spec: resource liop://protocol/envelope-spec";
+      if (blockedKeys.length > 0) {
+        finalDescription += `
+Restricted fields: ${blockedKeys.join(", ")}.`;
+      }
+      if (this.activeSchema) {
+        const schemaDigest = this.extractSchemaFieldSummary(this.activeSchema);
+        finalDescription += `
+Data structure: ${schemaDigest}. Full schema: resource liop://schema/global`;
+      }
+      finalHandler = async (args, _extra) => {
+        const clientId = "global_connection";
+        const now = Date.now();
+        const stats = this.connectionStats.get(clientId) || {
+          failures: 0,
+          lastAttempt: 0
+        };
+        if (stats.failures >= this.THROTTLE_THRESHOLD && now - stats.lastAttempt < this.THROTTLE_COOLDOWN_MS) {
+          return {
+            content: [
+              {
+                type: "text",
+                text: "LIOP_THROTTLED: Too many violations. Cooling down for 60 seconds."
+              }
+            ],
+            isError: true
+          };
+        }
+        const payloadValue = args.payload;
+        const bypassCache = args.__liop_bypass_ast_cache === true;
+        const payloadHash = crypto2.createHash("sha256").update(payloadValue).digest("hex");
+        const logic = this.extractLogic(payloadValue);
+        const cached = this.logicCache.get(payloadHash);
+        if (!bypassCache && cached && now - cached.timestamp < this.CACHE_TTL_MS) {
+          if (logic) {
+            args.payload = logic;
+            const preflightReason = this.runPreflightPolicy(
+              name,
+              logic,
+              policy,
+              "mcp-client"
+            );
+            if (preflightReason) {
+              return {
+                content: [{ type: "text", text: preflightReason }],
+                isError: true
+              };
+            }
+            return await this.executeInWorkerPool(args, logic, name);
+          }
+        }
+        if (!logic) {
+          stats.failures++;
+          stats.lastAttempt = now;
+          this.connectionStats.set(clientId, stats);
+          return {
+            content: [
+              {
+                type: "text",
+                text: "Error: Malformed payload. Missing @LIOP boundary.\\nYou MUST wrap your logic exactly like this:\\n\\n@LIOP{wasi_v1,DynamicAudit}\\n// Your JS code here\\n@END"
+              }
+            ],
+            isError: true
+          };
+        }
+        try {
+          const logic2 = this.extractLogic(
+            args.payload
+          );
+          args.payload = logic2;
+          const preflightReason = this.runPreflightPolicy(
+            name,
+            logic2,
+            policy,
+            "mcp-client"
+          );
+          if (preflightReason) {
+            stats.failures++;
+            stats.lastAttempt = now;
+            this.connectionStats.set(clientId, stats);
+            return {
+              content: [{ type: "text", text: preflightReason }],
+              isError: true
+            };
+          }
+          const result = await this.executeInWorkerPool(args, logic2, name);
+          if (!result.isError) {
+            this.connectionStats.set(clientId, {
+              failures: 0,
+              lastAttempt: now
+            });
+            this.logicCache.set(payloadHash, {
+              hash: payloadHash,
+              timestamp: now
+            });
+          } else {
+            stats.failures++;
+            stats.lastAttempt = now;
+            this.connectionStats.set(clientId, stats);
+          }
+          return result;
+        } catch (error) {
+          const e = error;
+          stats.failures++;
+          stats.lastAttempt = now;
+          this.connectionStats.set(clientId, stats);
+          return {
+            content: [
+              { type: "text", text: `ExecutionRuntimeException: ${e.message}` }
+            ],
+            isError: true
+          };
+        }
+      };
+    }
+    const inputSchema = {
+      type: "object",
+      properties: generatedSchema.properties || {},
+      required: generatedSchema.required
+    };
+    this.tools.set(name, {
+      tool: { name, description: finalDescription, inputSchema },
+      handler: finalHandler,
+      schema,
+      policy
+    });
+    if (this.meshNode) {
+      this.meshNode.announceCapability(name).catch((err) => {
+        log.info(
+          `[LIOP-Mesh] Failed to auto-announce tool ${name}: ${err.message}`
+        );
+      });
+    }
+  }
+  /**
+   * Register a dynamic prompt
+   */
+  prompt(name, description, args, handler) {
+    if (this.prompts.has(name)) {
+      throw new Error(`Prompt already registered: ${name}`);
+    }
+    this.prompts.set(name, {
+      prompt: { name, description, arguments: args },
+      handler
+    });
+  }
+  /**
+   * Enables LIOP Zero-Shot Autonomy by registering the Blind Analyst standard prompt.
+   */
+  enableZeroShotAutonomy() {
+    this.prompt(
+      "liop_blind_analyst",
+      "The official Logic-Injection-on-Origin Protocol system prompt. Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.",
+      [],
+      (_request) => {
+        return {
+          description: "LIOP Blind Analyst Instructions",
+          messages: [
+            {
+              role: "user",
+              content: {
+                type: "text",
+                text: `You are the "Blind Analyst" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.
+Your objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.
+
+INDUSTRIAL CONSTRAINTS & PROTOCOL RULES:
+1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.
+2. AGGREGATION FIRST & K-ANONYMITY THRESHOLDS: Always prefer returning counts, averages, or anonymized summaries.
+   - Dataset < 10 records: Maximum of 3 scalar output fields. Nesting or arrays in output are strictly forbidden.
+   - Dataset >= 10 records: Maximum of 10 output fields.
+3. LAPLACE DIFFERENTIAL PRIVACY (DP) COMPLIANCE:
+   - Legitimate COUNT queries: To obtain EXACT, un-noised counts, you MUST name your return keys containing 'count', 'length', 'size', 'num', 'positive', 'negative', or starting with 'total_' or 'num_' (e.g. 'total_tx', 'credits_count'). This forces sensitivity=1.0, rounds values, and clamps to non-negative values.
+   - Legitimate AVERAGE queries: Use 'avg_', '_average' or 'mean_' keys to automatically scale down Laplace noise by dividing sensitivity by the dataset size (sensitivity / n).
+   - Legitimate SUM queries: Return keys without count/average suffixes will receive full Laplacian noise scaled by the node's global sensitivity (which can be up to 100,000 in Bank nodes to protect raw balances). Do NOT attempt to bypass this by renaming sum fields to count fields, as it violates protocol integrity.
+4. PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.
+   Structure:
+   @LIOP{wasi_v1,AnalysisTask}
+   // Your JS Code Here
+   @END
+5. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.
+6. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).
+7. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.
+8. SANDBOX RUNTIME: The 'Date' class/constructor is poisoned and set to undefined. Calling 'new Date()', 'Date.now()', or 'Date.parse()' will throw exceptions.
+   Workaround: Perform chronological operations and filtering using lexicographical string comparisons on ISO 8601 date strings (e.g., 'record.date >= "2024-01-01"').
+   Additionally, standard globals like 'eval', 'Function', 'setTimeout', 'setInterval', 'Buffer', ArrayBuffer, and TypedArrays are also undefined.
+9. QUERY BUDGET PERSISTENCE: The per-field query budget is tracked by your agent DID and persisted to disk. Reconnecting or starting a new MCP session does NOT reset the budget. If you receive "Query budget exceeded", you must use a different field or request an administrator to invoke resetFieldBudget().${this.activeSchema ? `
+
+CURRENT DATA DICTIONARY (STRICT):
+${JSON.stringify(this.activeSchema, null, 2)}` : ""}
+
+Protocol Adherence is mandatory for successful execution.`
+              }
+            }
+          ]
+        };
+      }
+    );
+  }
+  /**
+   * Register a dynamic resource
+   */
+  resource(name, uri, description, mimeType, content) {
+    if (this.resources.has(uri)) {
+      throw new Error(`Resource URI already registered: ${uri}`);
+    }
+    this.resources.set(uri, { name, uri, description, mimeType, content });
+  }
+  /**
+   * Builds execution guidelines served as a resource to guide LLM code generation.
+   */
+  buildExecutionGuidelines() {
+    return [
+      "LIOP Sandbox Execution Guidelines",
+      "=================================",
+      "",
+      "1. DATE POISONING & FILTERING WORKAROUND:",
+      "   The global 'Date' class is set to undefined inside the sandbox. Calling 'new Date()', 'Date.now()', or 'Date.parse()' will throw a ReferenceError.",
+      "   - Workaround: Perform chronological filtering using lexicographical string comparisons on ISO 8601 strings.",
+      "     Example: const filtered = env.records.filter(r => r.date >= '2024-01-01' && r.date <= '2024-12-31');",
+      "",
+      "2. K-ANONYMITY CONSTRAINTS:",
+      "   - Datasets with LESS than 10 records: The returned object must contain at most 3 scalar fields, and must NOT contain any arrays or nested objects.",
+      "   - Datasets with 10 or MORE records: The returned object can contain up to 10 fields.",
+      "",
+      "3. DIFFERENTIAL PRIVACY SUFFIXES:",
+      "   To avoid Laplacian noise adding random perturbations to your counts or averages, you must name your object keys using specific terms:",
+      "   - Counts (Exact, no noise): Key names must contain 'count', 'length', 'size', 'num', 'positive', 'negative', or start with 'total_' or 'num_'.",
+      "   - Averages (Reduced noise): Key names must contain 'avg', 'mean', or 'average'.",
+      "   - Sums/Other: Will receive full Laplace noise.",
+      "",
+      "4. GENERAL RESTRICTIONS:",
+      "   - Do not use 'eval', 'Function', 'setTimeout', 'setInterval', 'Buffer', 'ArrayBuffer', or TypedArrays.",
+      "   - Do not attempt to modify prototypes (Object.prototype, Array.prototype).",
+      "",
+      "5. QUERY BUDGET TIERS (NIST SP 800-226):",
+      "   The per-field query budget is tracked by agent DID and persisted to disk (not per MCP session).",
+      "   - FORBIDDEN (PII fields): Always blocked in AST preflight. Does not consume budget.",
+      "   - SENSITIVE (sensitiveKeys): 8 queries per agent identity (or queryBudgetPerField override).",
+      "   - PUBLIC (other fields): 25 queries per agent identity.",
+      "   - Reset requires administrator intervention via resetFieldBudget()."
+    ].join("\n");
+  }
+  /**
+   * Broadcasts the Data Dictionary to the LLM prior to code injection.
+   */
+  dataDictionary(schema, name = "Global Medical Data Dictionary", uri = "liop://schema/global", description = "Exposes the internal database schema for Zero-Shot Autonomy planning") {
+    schema.$comment = "LIOP DIRECTIVES: 1. Date is undefined (Date.now(), new Date() throw). Workaround: use lexicographical string comparison on ISO 8601 string dates (e.g. record.date >= '2024-01-01'). 2. Small datasets (<10 records) limit outputs to max 3 scalar keys with NO nesting. 3. DP counts must contain count/length/size/num/total_ prefix/suffix.";
+    this.activeSchema = schema;
+    const schemaDigest = this.extractSchemaFieldSummary(schema);
+    for (const [toolName, entry] of this.tools.entries()) {
+      if (entry.schema.shape.payload && entry.schema.shape.payload instanceof z.ZodString && entry.tool.description && !entry.tool.description.includes("Data structure:")) {
+        entry.tool.description += `
+Data structure: ${schemaDigest}. Full schema: resource ${uri}. Guidelines: resource liop://schema/guidelines`;
+        this.tools.set(toolName, entry);
+      }
+    }
+    if (!this.resources.has("liop://schema/guidelines")) {
+      this.resource(
+        "LIOP Execution Guidelines",
+        "liop://schema/guidelines",
+        "Directives for generating compliant JavaScript code for the LIOP Sandbox runtime",
+        "text/plain",
+        () => Promise.resolve(this.buildExecutionGuidelines())
+      );
+    }
+    this.resource(
+      name,
+      uri,
+      description,
+      "application/json",
+      JSON.stringify(schema, null, 2)
+    );
+  }
+  /**
+   * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).
+   */
+  clearAstCache() {
+    this.logicCache.clear();
+    log.info("[LIOP-SDK] AST Security Cache cleared by Admin.");
+  }
+  /**
+   * Sliding window rate limiter for tool call frequency.
+   * Prevents micro-query exfiltration attacks where an attacker
+   * makes hundreds of individually-legitimate calls to reconstruct
+   * the full dataset field by field. (OWASP A01)
+   */
+  checkToolCallRateLimit(toolName) {
+    const now = Date.now();
+    const windowMs = this.toolCallWindowMs;
+    const maxPerWindow = this.toolCallMaxPerWindow;
+    const window = this.toolCallWindows.get(toolName) || [];
+    const active = window.filter((t) => now - t < windowMs);
+    if (active.length >= maxPerWindow) {
+      const retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1e3);
+      return {
+        content: [
+          {
+            type: "text",
+            text: `LIOP_RATE_LIMITED: Too many calls to ${toolName}. Max ${maxPerWindow} per ${windowMs / 1e3}s window. Retry after ${retryAfterSec}s.`
+          }
+        ],
+        isError: true
+      };
+    }
+    active.push(now);
+    this.toolCallWindows.set(toolName, active);
+    return null;
+  }
+  /**
+   * Global cross-tool rate limiter.
+   * Prevents attackers from distributing micro-queries across multiple tools
+   * to evade per-tool rate limits. (OWASP A01)
+   */
+  checkGlobalRateLimit() {
+    const now = Date.now();
+    const windowMs = this.toolCallWindowMs;
+    const maxGlobal = this.globalCallMaxPerWindow;
+    this.globalCallWindow = this.globalCallWindow.filter(
+      (t) => now - t < windowMs
+    );
+    if (this.globalCallWindow.length >= maxGlobal) {
+      const retryAfterSec = Math.ceil(
+        (this.globalCallWindow[0] + windowMs - now) / 1e3
+      );
+      return {
+        content: [
+          {
+            type: "text",
+            text: `LIOP_RATE_LIMITED: Global call limit exceeded. Max ${maxGlobal} total calls per ${windowMs / 1e3}s window. Retry after ${retryAfterSec}s.`
+          }
+        ],
+        isError: true
+      };
+    }
+    this.globalCallWindow.push(now);
+    return null;
+  }
+  /**
+   * Emulates calling a tool (used locally or via LIOPMcpBridge)
+   */
+  async callTool(request, clientId = "local-client") {
+    const entry = this.tools.get(request.name);
+    if (!entry) {
+      throw new Error(`Tool not found: ${request.name}`);
+    }
+    const globalLimitResult = this.checkGlobalRateLimit();
+    if (globalLimitResult) return globalLimitResult;
+    const rateLimitResult = this.checkToolCallRateLimit(request.name);
+    if (rateLimitResult) return rateLimitResult;
+    try {
+      const parsedArgs = entry.schema.parse(request.arguments || {});
+      if (request.arguments?.__liop_bypass_ast_cache === true) {
+        parsedArgs.__liop_bypass_ast_cache = true;
+      }
+      if (parsedArgs && typeof parsedArgs.payload === "string") {
+        const payload = parsedArgs.payload;
+        const logic = this.extractLogic(payload);
+        if (logic) {
+          const preflightReason = this.runPreflightPolicy(
+            request.name,
+            logic,
+            entry.policy,
+            clientId
+          );
+          if (preflightReason) {
+            return {
+              content: [{ type: "text", text: preflightReason }],
+              isError: true
+            };
+          }
+          parsedArgs.payload = logic;
+          return await this.executeInWorkerPool(
+            parsedArgs,
+            logic,
+            request.name
+          );
+        }
+      }
+      const result = await entry.handler(parsedArgs, {});
+      return result;
+    } catch (error) {
+      const e = error;
+      if (e instanceof z.ZodError) {
+        return {
+          content: [{ type: "text", text: `Validation Error: ${e.message}` }],
+          isError: true
+        };
+      }
+      return {
+        content: [
+          { type: "text", text: `Internal Execution Error: ${e.message}` }
+        ],
+        isError: true
+      };
+    }
+  }
+  /**
+   * Retrieves registered tools
+   */
+  listTools() {
+    return Array.from(this.tools.values()).map((t) => t.tool);
+  }
+  /**
+   * Retrieves registered prompts
+   */
+  listPrompts() {
+    return Array.from(this.prompts.values()).map((p) => p.prompt);
+  }
+  /**
+   * Gets a specific prompt by name
+   */
+  async getPrompt(request) {
+    const entry = this.prompts.get(request.name);
+    if (!entry) {
+      throw new Error(`Prompt not found: ${request.name}`);
+    }
+    return await entry.handler(request);
+  }
+  /**
+   * Retrieves registered resources
+   */
+  listResources() {
+    return Array.from(this.resources.values());
+  }
+  /**
+   * Reads a specific resource by URI
+   */
+  async readResource(uri) {
+    const resource = this.resources.get(uri);
+    if (!resource) {
+      throw new Error(`Resource not found: ${uri}`);
+    }
+    let text = "No description provided";
+    if (typeof resource.content === "function") {
+      text = await resource.content();
+    } else if (typeof resource.content === "string") {
+      text = resource.content;
+    } else if (resource.description) {
+      text = resource.description;
+    }
+    return {
+      contents: [
+        {
+          uri: resource.uri,
+          mimeType: resource.mimeType || "text/plain",
+          text
+        }
+      ]
+    };
+  }
+  getServerInfo() {
+    return this.serverInfo;
+  }
+  getMeshNode() {
+    return this.meshNode;
+  }
+  /**
+   * Injects data into the secure sandbox context for Logic-on-Origin tools.
+   */
+  setSandboxData(records) {
+    this.sandboxRecords = records;
+  }
+  getBoundPort() {
+    return this.boundPort;
+  }
+  /**
+   * Connects to the libp2p Kademlia DHT and announces capabilities.
+   * Boots the gRPC server for secure Logic-on-Origin.
+   */
+  async connectToMesh(options = {}) {
+    const envPort = process.env.LIOP_GRPC_PORT ? Number.parseInt(process.env.LIOP_GRPC_PORT, 10) : void 0;
+    const port = options.port ?? envPort ?? 50051;
+    const TOKEN_SLUG_PATTERN = /^[A-Z][A-Z0-9_]*$/;
+    if (this.config?.tokenSlug && !TOKEN_SLUG_PATTERN.test(this.config.tokenSlug)) {
+      throw new Error(
+        `Invalid tokenSlug "${this.config.tokenSlug}". Must match SCREAMING_SNAKE_CASE: /^[A-Z][A-Z0-9_]*$/ (e.g., "BANK", "VAULT", "HFT_ORACLE").`
+      );
+    }
+    this.meshNode = new MeshNode(options.meshConfig);
+    await this.meshNode.start();
+    const meshNodeRef = this.meshNode;
+    this.meshNode.registerManifestHandler(() => {
+      const tools = this.listTools().map((t) => ({
+        name: t.name,
+        description: t.description,
+        inputSchema: t.inputSchema
+      }));
+      const resources = Array.from(this.resources.values()).map((r) => ({
+        name: r.name,
+        uri: r.uri,
+        description: r.description,
+        mimeType: r.mimeType,
+        text: typeof r.content === "string" ? r.content : r.description
+      }));
+      return {
+        peerId: meshNodeRef.getPeerId(),
+        grpcPort: port,
+        tools,
+        resources,
+        serverInfo: this.serverInfo,
+        authRequired: this.jwtValidator !== void 0,
+        tokenSlug: this.config?.tokenSlug,
+        taxonomy: this.config?.taxonomy ? {
+          domain: this.config.taxonomy.domain || "Unknown Domain",
+          clearanceTier: this.config.taxonomy.clearanceTier ?? 0,
+          executionTypes: this.config.taxonomy.executionTypes || []
+        } : void 0
+      };
+    });
+    for (const tool of this.listTools()) {
+      await this.meshNode.announceCapability(tool.name).catch(log.info);
+    }
+    await this.meshNode.announceManifest().catch(log.info);
+    this.rpcServer = new LiopRpcServer();
+    this.rpcServer.addService({
+      negotiateIntent: (call, callback) => {
+        const request = call.request;
+        log.info(
+          `[LIOP-RPC] Negotiating intent for capability: ${request.capability_hash}`
+        );
+        if (this.jwtValidator) {
+          const authHeader = call.metadata.get("authorization")[0];
+          if (!authHeader) {
+            callback({
+              code: grpc2.status.UNAUTHENTICATED,
+              details: "Missing Authorization header in gRPC metadata"
+            });
+            return;
+          }
+          const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : authHeader;
+          const tokenHash = crypto2.createHash("sha256").update(token).digest("hex").toLowerCase();
+          this.loadRevocationList();
+          if (this.revokedTokenHashes.has(tokenHash)) {
+            callback({
+              code: grpc2.status.UNAUTHENTICATED,
+              details: "Token has been revoked by the resource owner"
+            });
+            return;
+          }
+          const localTestToken = this.config?.auth?.localTestToken;
+          const isTestTokenPattern = /^[a-zA-Z0-9_-]+-local-test-token$/;
+          if (localTestToken) {
+            if (token === localTestToken) {
+              log.info(
+                `[LIOP-RPC] Bypass authentication for matching localTestToken: ${localTestToken}`
+              );
+              import('./kyber-3ULIJSE3.js').then(
+                async ({ Kyber768Wrapper }) => {
+                  const { publicKey, secretKey } = await Kyber768Wrapper.generateKeyPair();
+                  const sessionToken = crypto2.randomUUID();
+                  this.sessions.set(sessionToken, {
+                    capability_hash: request.capability_hash,
+                    kyber_sk: secretKey,
+                    agent_did: request.agent_did,
+                    tokenHash
+                  });
+                  callback(null, {
+                    accepted: true,
+                    session_token: sessionToken,
+                    error_message: "",
+                    kyber_public_key: publicKey
+                  });
+                }
+              );
+              return;
+            }
+            callback({
+              code: grpc2.status.PERMISSION_DENIED,
+              details: token && isTestTokenPattern.test(token) ? "Pre-shared local test token is invalid for this resource domain (segregation violation)." : "Access Denied: This restricted node requires its specific static access token."
+            });
+            return;
+          }
+          this.jwtValidator.validate(token).then((authInfo) => {
+            const authResult = authorizeRequest("tools/call", authInfo);
+            if (!authResult.allowed) {
+              callback({
+                code: grpc2.status.PERMISSION_DENIED,
+                details: authResult.reason || "Access Denied"
+              });
+              return;
+            }
+            import('./kyber-3ULIJSE3.js').then(
+              async ({ Kyber768Wrapper }) => {
+                const { publicKey, secretKey } = await Kyber768Wrapper.generateKeyPair();
+                const sessionToken = crypto2.randomUUID();
+                this.sessions.set(sessionToken, {
+                  capability_hash: request.capability_hash,
+                  kyber_sk: secretKey,
+                  agent_did: request.agent_did,
+                  tokenHash
+                });
+                callback(null, {
+                  accepted: true,
+                  session_token: sessionToken,
+                  error_message: "",
+                  kyber_public_key: publicKey
+                });
+              }
+            );
+          }).catch((err) => {
+            callback({
+              code: grpc2.status.UNAUTHENTICATED,
+              details: `Invalid JWT token: ${err.message}`
+            });
+          });
+        } else {
+          import('./kyber-3ULIJSE3.js').then(async ({ Kyber768Wrapper }) => {
+            const { publicKey, secretKey } = await Kyber768Wrapper.generateKeyPair();
+            const sessionToken = crypto2.randomUUID();
+            this.sessions.set(sessionToken, {
+              capability_hash: request.capability_hash,
+              kyber_sk: secretKey,
+              agent_did: request.agent_did
+            });
+            callback(null, {
+              accepted: true,
+              session_token: sessionToken,
+              error_message: "",
+              kyber_public_key: publicKey
+            });
+          });
+        }
+      },
+      executeLogic: async (call) => {
+        const request = call.request;
+        log.info(
+          `[LIOP-RPC] Executing Logic-on-Origin for session: ${request.session_token}`
+        );
+        const proceed = async () => {
+          const session = this.sessions.get(request.session_token);
+          if (!session) {
+            call.emit("error", {
+              code: grpc2.status.UNAUTHENTICATED,
+              details: "Invalid session token"
+            });
+            return;
+          }
+          if (session.tokenHash) {
+            this.loadRevocationList();
+            if (this.revokedTokenHashes.has(session.tokenHash)) {
+              call.emit("error", {
+                code: grpc2.status.UNAUTHENTICATED,
+                details: "Token has been revoked by the resource owner"
+              });
+              return;
+            }
+          }
+          const toolName = session.capability_hash;
+          const toolDef = toolName ? this.tools.get(toolName) : void 0;
+          const toolPolicy = toolDef?.policy;
+          try {
+            const kem = await createMlKem768();
+            const sharedSecret = kem.decap(
+              new Uint8Array(request.pqc_ciphertext),
+              session.kyber_sk
+            );
+            const aesKey = Buffer.from(sharedSecret);
+            const wasmBuffer = Buffer.from(request.wasm_binary);
+            const authTag = wasmBuffer.subarray(-16);
+            const encryptedData = wasmBuffer.subarray(0, -16);
+            const decipher = crypto2.createDecipheriv(
+              "aes-256-gcm",
+              aesKey,
+              Buffer.from(request.aes_nonce || new Uint8Array(12))
+            );
+            decipher.setAuthTag(authTag);
+            let decrypted = decipher.update(encryptedData);
+            decrypted = Buffer.concat([decrypted, decipher.final()]);
+            const decryptedPayload = decrypted.toString("utf-8");
+            const logic = this.extractLogic(decryptedPayload) || decryptedPayload.trim();
+            const preflightReason = this.runPreflightPolicy(
+              toolName || "unknown_tool",
+              logic,
+              toolPolicy,
+              session.agent_did || request.session_token
+            );
+            if (preflightReason) {
+              log.info(`[LIOP-RPC] Preflight blocked: ${preflightReason}`);
+              const errorResponse = {
+                semantic_evidence: preflightReason,
+                cryptographic_proof: Buffer.from(""),
+                zk_receipt: Buffer.from(""),
+                is_error: true
+              };
+              call.write(errorResponse, () => {
+                call.end();
+              });
+              return;
+            }
+          } catch (decryptionError) {
+            const errorMsg = decryptionError instanceof Error ? decryptionError.message : String(decryptionError);
+            log.error(`[LIOP-RPC] Preflight decryption failed: ${errorMsg}`);
+            call.emit("error", {
+              code: grpc2.status.INTERNAL,
+              details: `Preflight logic analysis failed: ${errorMsg}`
+            });
+            return;
+          }
+          try {
+            const dpConfig = toolPolicy ? {
+              epsilon: toolPolicy.dpEpsilon ?? 1,
+              sensitivity: toolPolicy.dpSensitivity ?? 1,
+              smallDatasetThreshold: toolPolicy.dpSmallDatasetThreshold ?? 50
+            } : void 0;
+            const workerResponse = await this.workerPool.run({
+              ciphertext: request.pqc_ciphertext,
+              secretKeyObj: Array.from(session.kyber_sk),
+              wasmBinary: request.wasm_binary,
+              inputs: request.inputs,
+              aesNonce: request.aes_nonce,
+              records: this.sandboxRecords,
+              sessionToken: request.session_token,
+              isEncrypted: true,
+              dpConfig
+              // Apply DP noise inside worker before ZK-Receipt commitment
+            });
+            const sanitizedWorkerOutput = sanitizeOutput(workerResponse.output);
+            let finalOutput;
+            let validationOutput = sanitizedWorkerOutput;
+            try {
+              finalOutput = typeof sanitizedWorkerOutput === "string" ? sanitizedWorkerOutput : JSON.stringify(sanitizedWorkerOutput);
+              const decoded = JSON.parse(finalOutput);
+              if (decoded.__liop_proxy_tool) {
+                log.info(
+                  `[LIOP-RPC] Executing Proxied Tool: ${decoded.__liop_proxy_tool}`
+                );
+                const clientId = session.agent_did || "unknown-client";
+                const toolResult = await this.callTool(
+                  {
+                    name: decoded.__liop_proxy_tool,
+                    arguments: decoded.__liop_proxy_args || {}
+                  },
+                  clientId
+                );
+                if (toolResult.isError) {
+                  log.info(
+                    `[LIOP-RPC] Proxy tool execution failed: ${toolResult.content[0].text}`
+                  );
+                  const errorResponse = {
+                    semantic_evidence: toolResult.content[0].text || "Unknown error",
+                    cryptographic_proof: Buffer.from(""),
+                    zk_receipt: Buffer.from(""),
+                    is_error: true
+                  };
+                  call.write(errorResponse, () => {
+                    call.end();
+                  });
+                  return;
+                }
+                const sanitizedToolResult = sanitizeOutput(toolResult);
+                finalOutput = JSON.stringify(sanitizedToolResult);
+                validationOutput = this.unwrapForAggregationPolicyScan(sanitizedToolResult);
+              }
+            } catch {
+              finalOutput = String(sanitizedWorkerOutput);
+            }
+            const policyViolation = this.validateOutputPolicy(
+              toolName || "unknown_tool",
+              validationOutput,
+              toolPolicy
+            );
+            if (policyViolation) {
+              log.info(
+                `[LIOP-RPC] Output policy blocked for ${toolName || "unknown_tool"}: ${policyViolation}`
+              );
+              const isDev = process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test" || process.env.LIOP_SEC_VERBOSE === "1";
+              const errorMessage = isDev ? policyViolation : "[LIOP] Egress Security Violation. Output blocked due to policy enforcement.";
+              const errorResponse = {
+                semantic_evidence: errorMessage,
+                cryptographic_proof: Buffer.from(""),
+                zk_receipt: Buffer.from(""),
+                is_error: true
+              };
+              call.write(errorResponse, () => {
+                call.end();
+              });
+              return;
+            }
+            const response = {
+              semantic_evidence: finalOutput,
+              cryptographic_proof: Buffer.from(
+                workerResponse.image_id || "",
+                "hex"
+              ),
+              zk_receipt: workerResponse.zk_receipt ? Buffer.from(workerResponse.zk_receipt, "base64") : Buffer.from(""),
+              is_error: false
+            };
+            const violation = await this.piiScanner.scan(validationOutput);
+            const aggregationViolation = this.violatesAggregationFirstPolicy(
+              this.unwrapForAggregationPolicyScan(validationOutput),
+              toolPolicy?.enforceAggregationFirst,
+              this.sandboxRecords?.length
+            );
+            if (violation || aggregationViolation) {
+              const internalReason = violation || "Aggregation-First Policy Violation";
+              log.info(
+                `[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`
+              );
+              response.semantic_evidence = "[LIOP] Egress Security Violation. Output blocked due to policy enforcement.";
+              response.is_error = true;
+            }
+            call.write(response, () => {
+              call.end();
+            });
+          } catch (error) {
+            const e = error;
+            const isDev = process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test";
+            const detail = e.message || String(error);
+            log.error(`[LIOP-RPC] Execution Error: ${detail}`);
+            const errorMessage = isDev ? `Execution Error: ${detail}` : "[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.";
+            const errorResponse = {
+              semantic_evidence: errorMessage,
+              cryptographic_proof: Buffer.from(""),
+              zk_receipt: Buffer.from(""),
+              is_error: true
+            };
+            try {
+              call.write(errorResponse, () => {
+                call.end();
+              });
+            } catch (_writeErr) {
+              call.end();
+            }
+          }
+        };
+        if (this.jwtValidator) {
+          const authHeader = call.metadata.get("authorization")[0];
+          if (!authHeader) {
+            call.emit("error", {
+              code: grpc2.status.UNAUTHENTICATED,
+              details: "Missing Authorization header in gRPC metadata"
+            });
+            return;
+          }
+          const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : authHeader;
+          const tokenHash = crypto2.createHash("sha256").update(token).digest("hex").toLowerCase();
+          this.loadRevocationList();
+          if (this.revokedTokenHashes.has(tokenHash)) {
+            call.emit("error", {
+              code: grpc2.status.UNAUTHENTICATED,
+              details: "Token has been revoked by the resource owner"
+            });
+            return;
+          }
+          const localTestToken = this.config?.auth?.localTestToken;
+          const isTestTokenPattern = /^[a-zA-Z0-9_-]+-local-test-token$/;
+          if (localTestToken) {
+            if (token === localTestToken) {
+              log.info(
+                `[LIOP-RPC] Bypass authentication in executeLogic for matching localTestToken: ${localTestToken}`
+              );
+              await proceed();
+              return;
+            }
+            call.emit("error", {
+              code: grpc2.status.PERMISSION_DENIED,
+              details: token && isTestTokenPattern.test(token) ? "Pre-shared local test token is invalid for this resource domain (segregation violation)." : "Access Denied: This restricted node requires its specific static access token."
+            });
+            return;
+          }
+          try {
+            const authInfo = await this.jwtValidator.validate(token);
+            const authResult = authorizeRequest("tools/call", authInfo);
+            if (!authResult.allowed) {
+              call.emit("error", {
+                code: grpc2.status.PERMISSION_DENIED,
+                details: authResult.reason || "Access Denied"
+              });
+              return;
+            }
+            await proceed();
+          } catch (err) {
+            call.emit("error", {
+              code: grpc2.status.UNAUTHENTICATED,
+              details: `Invalid JWT token: ${err instanceof Error ? err.message : String(err)}`
+            });
+          }
+        } else {
+          await proceed();
+        }
+      }
+    });
+    this.boundPort = await this.rpcServer.listen(port);
+    log.info(
+      `[LIOP-SDK] Node successfully announced to Mesh. PeerID: ${this.meshNode.getPeerId()}`
+    );
+  }
+  /**
+   * Internal worker execution with Egress Filtering logic.
+   */
+  async executeInWorkerPool(_args, rawPayload, toolName) {
+    try {
+      const dpPolicy = toolName ? this.tools.get(toolName)?.policy : void 0;
+      const dpConfig = dpPolicy ? {
+        epsilon: dpPolicy.dpEpsilon ?? 1,
+        sensitivity: dpPolicy.dpSensitivity ?? 1,
+        smallDatasetThreshold: dpPolicy.dpSmallDatasetThreshold ?? 50
+      } : void 0;
+      const workerResponse = await this.workerPool.run({
+        ciphertext: new Uint8Array(0),
+        secretKeyObj: Array.from(new Uint8Array(0)),
+        kyberPublicKey: new Uint8Array(0),
+        wasmBinary: Buffer.from(rawPayload),
+        inputs: {},
+        records: this.sandboxRecords,
+        sessionToken: "local-dev-token",
+        isEncrypted: false,
+        // Use plaintext for local Logic-on-Origin injection
+        dpConfig
+        // Pass DP Config to apply inside worker before ZK-Receipt commitment
+      });
+      const dpOutput = workerResponse.output;
+      const sanitizedOutput = sanitizeOutput(dpOutput);
+      const textOutput = JSON.stringify({
+        computation_result: sanitizedOutput,
+        image_id: workerResponse.image_id,
+        zk_receipt: workerResponse.zk_receipt,
+        status: "Worker Pool Execution Success"
+      });
+      const content = [
+        {
+          type: "text",
+          text: textOutput
+        }
+      ];
+      const toolPolicy = toolName ? this.tools.get(toolName)?.policy : void 0;
+      const policyViolation = this.validateOutputPolicy(
+        toolName || "unknown_tool",
+        sanitizedOutput,
+        // Phase 109: Validate NOISY output to ensure invariants
+        toolPolicy
+      );
+      if (policyViolation) {
+        log.info(
+          `[LIOP-SDK] Output policy blocked for ${toolName || "unknown_tool"}: ${policyViolation}`
+        );
+        const isDev = process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test" || process.env.LIOP_SEC_VERBOSE === "1";
+        const errorMessage = isDev ? policyViolation : "[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.";
+        return {
+          content: [
+            {
+              type: "text",
+              text: errorMessage
+            }
+          ],
+          isError: true
+        };
+      }
+      const violation = await this.piiScanner.scan(sanitizedOutput);
+      const aggregationViolation = this.violatesAggregationFirstPolicy(
+        sanitizedOutput,
+        // Phase 109: Validate NOISY output
+        toolPolicy?.enforceAggregationFirst,
+        this.sandboxRecords?.length
+      );
+      if (violation || aggregationViolation) {
+        const internalReason = violation || "Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.";
+        log.info(
+          `[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`
+        );
+        const isDev = process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test" || process.env.LIOP_SEC_VERBOSE === "1";
+        const errorMessage = isDev ? `[LIOP] Egress Security Violation: ${internalReason}` : "[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.";
+        return {
+          content: [
+            {
+              type: "text",
+              text: errorMessage
+            }
+          ],
+          isError: true
+        };
+      }
+      return { content };
+    } catch (error) {
+      const e = error;
+      const isDev = process.env.NODE_ENV === "development" || process.env.NODE_ENV === "test" || process.env.LIOP_SEC_VERBOSE === "1";
+      const detail = e.message || String(error);
+      log.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);
+      const isOom = detail.includes("worker_thread_exited") || detail.includes("ERR_WORKER_OUT_OF_MEMORY") || detail.includes("terminated") || detail.includes("heap limit");
+      const errorMessage = isOom ? "[LIOP] Execution terminated: memory limit exceeded (64MB heap). Reduce data processing volume." : isDev ? `WorkerPoolError: ${detail}` : "[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.";
+      return {
+        content: [
+          {
+            type: "text",
+            text: errorMessage
+          }
+        ],
+        isError: true
+      };
+    }
+  }
+  /**
+   * Safely destroys the worker pool, gRPC server, and Mesh node.
+   * Recommended to be called during graceful shutdowns or test teardowns.
+   */
+  async close() {
+    if (this.workerPool) {
+      await this.workerPool.close({ force: true });
+    }
+    if (this.rpcServer) {
+      await this.rpcServer.stop();
+    }
+    if (this.meshNode) {
+      await this.meshNode.stop();
+    }
+  }
+  loadRevocationList() {
+    const rPath = this.config?.auth?.revocationPath;
+    if (!rPath) return;
+    try {
+      if (fs.existsSync(rPath)) {
+        const stats = fs.statSync(rPath);
+        if (stats.mtimeMs <= this.lastRevocationLoadTime) {
+          return;
+        }
+        const content = fs.readFileSync(rPath, "utf-8");
+        const list = JSON.parse(content);
+        if (Array.isArray(list)) {
+          this.revokedTokenHashes.clear();
+          for (const item of list) {
+            if (typeof item === "string") {
+              this.revokedTokenHashes.add(item.trim().toLowerCase());
+            }
+          }
+          this.lastRevocationLoadTime = stats.mtimeMs;
+          log.info(
+            `[LiopServer] Loaded ${this.revokedTokenHashes.size} revoked token hashes from ${rPath}`
+          );
+        }
+      } else {
+        const dir = path.dirname(rPath);
+        if (!fs.existsSync(dir)) {
+          fs.mkdirSync(dir, { recursive: true });
+        }
+        fs.writeFileSync(rPath, JSON.stringify([], null, 2), "utf-8");
+        this.lastRevocationLoadTime = Date.now();
+        log.info(
+          `[LiopServer] Created empty local revocation list at ${rPath}`
+        );
+      }
+    } catch (err) {
+      log.error(
+        `[LiopServer] Failed to load revocation list: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  revokeToken(token) {
+    if (!token) return;
+    const hash = crypto2.createHash("sha256").update(token).digest("hex").toLowerCase();
+    this.revokeTokenHash(hash);
+  }
+  revokeTokenHash(hash) {
+    if (!hash) return;
+    const normalizedHash = hash.toLowerCase();
+    this.loadRevocationList();
+    this.revokedTokenHashes.add(normalizedHash);
+    const rPath = this.config?.auth?.revocationPath;
+    if (rPath) {
+      try {
+        const dir = path.dirname(rPath);
+        if (!fs.existsSync(dir)) {
+          fs.mkdirSync(dir, { recursive: true });
+        }
+        const hashes = Array.from(this.revokedTokenHashes);
+        fs.writeFileSync(rPath, JSON.stringify(hashes, null, 2), "utf-8");
+        const stats = fs.statSync(rPath);
+        this.lastRevocationLoadTime = stats.mtimeMs;
+        log.info(
+          `[LiopServer] Persisted revocation for hash ${normalizedHash} to ${rPath}`
+        );
+      } catch (err) {
+        log.error(
+          `[LiopServer] Failed to persist revocation: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  }
+  /**
+   * Resets the query budget for a specific client identity.
+   * If toolName is provided, only that tool's budget is cleared.
+   * Otherwise, all tool budgets for the client are reset.
+   *
+   * Operates on both in-memory and persistent (disk) budget stores.
+   * Uses file-level locking for safe concurrent access.
+   */
+  resetFieldBudget(clientId, toolName) {
+    if (toolName) {
+      const clientBudget = this.fieldQueryBudget.get(clientId);
+      if (clientBudget) {
+        clientBudget.delete(toolName);
+      }
+    } else {
+      this.fieldQueryBudget.delete(clientId);
+    }
+    const storePath = this.config?.budgetStorePath;
+    if (storePath) {
+      try {
+        this.executeWithBudgetLock(storePath, (budget) => {
+          if (toolName) {
+            if (budget[clientId]) {
+              delete budget[clientId][toolName];
+            }
+          } else {
+            delete budget[clientId];
+          }
+          return { result: void 0, updatedBudget: budget };
+        });
+        log.info(
+          `[LiopServer] Reset query budget for client ${clientId}${toolName ? ` / tool ${toolName}` : ""}`
+        );
+      } catch (err) {
+        log.error(
+          `[LiopServer] Failed to reset persistent budget: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  }
+  getPersistentBudget(storePath) {
+    try {
+      if (!fs.existsSync(storePath)) {
+        return {};
+      }
+      const content = fs.readFileSync(storePath, "utf-8");
+      return JSON.parse(content || "{}");
+    } catch {
+      return {};
+    }
+  }
+  savePersistentBudget(storePath, budget) {
+    const tempPath = `${storePath}.tmp`;
+    const dir = path.dirname(storePath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(tempPath, JSON.stringify(budget, null, 2), "utf-8");
+    fs.renameSync(tempPath, storePath);
+  }
+  executeWithBudgetLock(storePath, action) {
+    const lockPath = `${storePath}.lock`;
+    const maxRetries = 100;
+    let attempts = 0;
+    const dir = path.dirname(storePath);
+    if (!fs.existsSync(dir)) {
+      try {
+        fs.mkdirSync(dir, { recursive: true });
+      } catch {
+      }
+    }
+    while (attempts < maxRetries) {
+      try {
+        fs.writeFileSync(lockPath, process.pid.toString(), { flag: "wx" });
+        break;
+      } catch (e) {
+        if (e && typeof e === "object" && "code" in e && e.code === "EEXIST") {
+          attempts++;
+        } else {
+          throw e;
+        }
+      }
+    }
+    if (attempts >= maxRetries) {
+      throw new Error(
+        "Timeout acquiring lock for persistent query budget database"
+      );
+    }
+    try {
+      const currentBudget = this.getPersistentBudget(storePath);
+      const { result, updatedBudget } = action(currentBudget);
+      if (updatedBudget) {
+        this.savePersistentBudget(storePath, updatedBudget);
+      }
+      return result;
+    } finally {
+      try {
+        if (fs.existsSync(lockPath)) {
+          fs.unlinkSync(lockPath);
+        }
+      } catch {
+      }
+    }
+  }
+  applyInMemoryBudget(clientId, _toolName, extractedFields, policy) {
+    let clientBudget = this.fieldQueryBudget.get(clientId);
+    if (!clientBudget) {
+      clientBudget = /* @__PURE__ */ new Map();
+      this.fieldQueryBudget.set(clientId, clientBudget);
+    }
+    let toolBudget = clientBudget.get(_toolName);
+    if (!toolBudget) {
+      toolBudget = /* @__PURE__ */ new Map();
+      clientBudget.set(_toolName, toolBudget);
+    }
+    for (const field of extractedFields) {
+      const sensitivity = this.taintAnalyzer.classifyField(
+        field,
+        policy?.sensitiveKeys
+      );
+      let queryLimit = 25;
+      let sensLabel = "public";
+      if (policy?.queryBudgetPerField !== void 0) {
+        queryLimit = policy.queryBudgetPerField;
+        sensLabel = "override";
+      } else if (sensitivity === "forbidden") {
+        queryLimit = 3;
+        sensLabel = "forbidden";
+      } else if (sensitivity === "sensitive") {
+        queryLimit = 8;
+        sensLabel = "sensitive";
+      }
+      const count = toolBudget.get(field) ?? 0;
+      if (count >= queryLimit) {
+        return `Preflight policy rejected: Query budget exceeded for field '${field}' (max ${queryLimit} per session for ${sensLabel} fields). Rotate PQC session to reset budget.`;
+      }
+    }
+    for (const field of extractedFields) {
+      const count = toolBudget.get(field) ?? 0;
+      toolBudget.set(field, count + 1);
+    }
+    return null;
+  }
+};
+
+export { AUTH_DEFAULTS, JwtValidator, LiopRpcServer, LiopServer, NerScanner, PII_PATTERNS, PII_PRESETS, PiiScanner, createOAuthServer, sanitizeOutput };
+//# sourceMappingURL=chunk-2JLG4DET.js.map
+//# sourceMappingURL=chunk-2JLG4DET.js.map