npm - @o-lang/olang - Versions diffs - 1.2.6 → 1.2.8 - Mend

@o-lang/olang 1.2.6 → 1.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/runtime/RuntimeAPI.js +146 -30

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@o-lang/olang",
-  "version": "1.2.6",
+  "version": "1.2.8",
   "author": "Olalekan Ogundipe <info@workfily.com>",
   "description": "O-Lang: A governance language for user-directed, rule-enforced agent workflows",
   "main": "./src/index.js",

package/src/runtime/RuntimeAPI.js CHANGED Viewed

@@ -331,40 +331,156 @@ class RuntimeAPI {
     });
   }
-  // -----------------------------
-  // ✅ KERNEL-LEVEL LLM HALLUCINATION PREVENTION (ZERO WORKFLOW CHANGES)
-  // -----------------------------
-  _validateLLMOutput(output, actionContext) {
-    if (!output || typeof output !== 'string') return { passed: true };
-    // 🔑 CRITICAL: Extract ONLY allowed capabilities from workflow allowlist
-    const allowedCapabilities = Array.from(this.allowedResolvers)
-      .filter(name => !name.startsWith('llm-') && name !== 'builtInMathResolver')
-      .map(name => name.replace('@o-lang/', '').replace(/-resolver$/, ''));
-    // 🔒 Block capability hallucinations (claims to do things outside allowlist)
-    const forbiddenPatterns = [
-      { pattern: /\b(transfer|send|wire|pay|withdraw|deposit)\b/i, capability: 'transfer' },
-      { pattern: /\b(create|open|close|delete)\s+(account|profile)\b/i, capability: 'account_management' },
-      { pattern: /\bI (can|will|am able to)\s+(transfer|pay|send)/i, capability: 'unauthorized_action' }
-    ];
-    for (const { pattern, capability } of forbiddenPatterns) {
-      if (pattern.test(output)) {
-        // ✅ Only block if capability NOT in allowlist
-        if (!allowedCapabilities.some(c => c.includes(capability) || c.includes('transfer'))) {
-          return {
-            passed: false,
-            reason: `Hallucinated "${capability}" capability (not in workflow allowlist: ${allowedCapabilities.join(', ') || 'none'})`,
-            detected: output.match(pattern)?.[0] || 'unknown'
-          };
-        }
+// -----------------------------
+// ✅ KERNEL-LEVEL LLM HALLUCINATION PREVENTION (PAN-AFRICAN SEMANTIC SAFETY)
+// -----------------------------
+_validateLLMOutput(output, actionContext) {
+  if (!output || typeof output !== 'string') return { passed: true };
+  // 🔑 Extract allowed capabilities from workflow allowlist
+  const allowedCapabilities = Array.from(this.allowedResolvers)
+    .filter(name => !name.startsWith('llm-') && name !== 'builtInMathResolver')
+    .map(name => name.replace('@o-lang/', '').replace(/-resolver$/, ''));
+  // 🔒 PAN-AFRICAN + GLOBAL INTENT DETECTION (Deterministic, No LLM Required)
+  const forbiddenPatterns = [
+    // ────────────────────────────────────────────────
+    // 🇳🇬 NIGERIAN LANGUAGES (Priority)
+    // ────────────────────────────────────────────────
+    // Yoruba (yo)
+    { pattern: /\b(fi\s+(?:owo|ẹ̀wọ̀|ewo|ku|fun|s'ọkọọ))\b/i, capability: 'transfer', lang: 'yo' },
+    { pattern: /\b(san\s+(?:owo|ẹ̀wọ̀|ewo|fun|wo))\b/i, capability: 'payment', lang: 'yo' },
+    { pattern: /\b(gba\s+owo)\b/i, capability: 'withdrawal', lang: 'yo' },
+    { pattern: /\b(mo\s+ti\s+(?:fi|san|gba))\b/i, capability: 'unauthorized_action', lang: 'yo' },
+    // Hausa (ha)
+    { pattern: /\b(ciyar\s*(?:da)?|ciya\s*(?:da)?|shiga\s+kuɗi)\b/i, capability: 'transfer', lang: 'ha' },
+    { pattern: /\b(biya\s*(?:da)?)\b/i, capability: 'payment', lang: 'ha' },
+    { pattern: /\b(sahaw[ae]\s+kuɗi)\b/i, capability: 'withdrawal', lang: 'ha' },
+    { pattern: /\b(ina\s+(?:ciyar|biya|sahawa))\b/i, capability: 'unauthorized_action', lang: 'ha' },
+    // Igbo (ig)
+    { pattern: /\b(zipu\s+(?:ego|moni|isi|na))\b/i, capability: 'transfer', lang: 'ig' },
+    { pattern: /\b(buru\s+(?:ego|moni|isi))\b/i, capability: 'transfer', lang: 'ig' },
+    { pattern: /\b(tinye\s+(?:ego|moni|isi))\b/i, capability: 'deposit', lang: 'ig' },
+    { pattern: /\b(m\s+(?:ziri|buru|zipuru|tinyere))\b/i, capability: 'unauthorized_action', lang: 'ig' },
+    // ────────────────────────────────────────────────
+    // 🌍 PAN-AFRICAN LANGUAGES
+    // ────────────────────────────────────────────────
+    // Swahili (sw) - 200M+ speakers
+    { pattern: /\b(tuma\s+(?:pesa|fedha)|pelek[ae]?\s+(?:pesa|fedha))\b/i, capability: 'transfer', lang: 'sw' },
+    { pattern: /\b(lipa|maliza\s+malipo)\b/i, capability: 'payment', lang: 'sw' },
+    { pattern: /\b(ongez[ae]?\s*(?:kiasi|pesa|fedha)|wek[ae]?\s+(?:katika|ndani)\s+(?:akaunti|hisa))\b/i, capability: 'deposit', lang: 'sw' },
+    { pattern: /\b(nime(?:tuma|lipa|ongeza|weka|peleka))\b/i, capability: 'unauthorized_action', lang: 'sw' },
+    // Amharic (am) - Ethiopia (Ethiopic script U+1200-U+137F)
+    { pattern: /[\u1200-\u137F]{0,4}(?:ተላላፈ|ላክ|ክፈል|ጨምር|ወጣ|ገባ)[\u1200-\u137F]{0,4}/u, capability: 'financial_action', lang: 'am' },
+    // Oromo (om)
+    { pattern: /\b(kuuf\s+(?:qilleensaa|bilbila)|dhiib\s+(?:qilleensaa|bilbila))\b/i, capability: 'transfer', lang: 'om' },
+    { pattern: /\b(kenn\s*i|gurgur\s*i)\b/i, capability: 'payment', lang: 'om' },
+    { pattern: /\b(ni\s+(?:kuufe|dhiibe|kennine|gurgure))\b/i, capability: 'unauthorized_action', lang: 'om' },
+    // Fula (ff)
+    { pattern: /\b(sakkit\s+(?:ndo|ndoo)|tawt\s+(?:ndo|ndoo))\b/i, capability: 'transfer', lang: 'ff' },
+    { pattern: /\b(jokk\s*i|soodug\s*i)\b/i, capability: 'payment', lang: 'ff' },
+    // Somali (so)
+    { pattern: /\b(dir\s+(?:lacag|maal|qarsoon))\b/i, capability: 'transfer', lang: 'so' },
+    { pattern: /\b(bixi|bixis\s*o)\b/i, capability: 'payment', lang: 'so' },
+    { pattern: /\b(waxaa\s+(?:diray|bixiyay|ku\s+daray))\b/i, capability: 'unauthorized_action', lang: 'so' },
+    // Zulu (zu)
+    { pattern: /\b(thumel\s*a\s+(?:imali|imali))\b/i, capability: 'transfer', lang: 'zu' },
+    { pattern: /\b(hlawul\s*a|hlawulel\s*a)\b/i, capability: 'payment', lang: 'zu' },
+    { pattern: /\b(siyithumel\s*e|siyihlawul\s*e)\b/i, capability: 'unauthorized_action', lang: 'zu' },
+    // Shona (sn)
+    { pattern: /\b(tumir\s*a\s+(?:mhando|ari))\b/i, capability: 'transfer', lang: 'sn' },
+    { pattern: /\b(bhadhara|bhadharis\s*o)\b/i, capability: 'payment', lang: 'sn' },
+    // ────────────────────────────────────────────────
+    // 🌐 GLOBAL LANGUAGES
+    // ────────────────────────────────────────────────
+    // English (en)
+    { pattern: /\b(transfer(?:red|ring)?|send(?:t|ing)?|wire(?:d)?|pay(?:ed|ing)?|withdraw(?:n)?|deposit(?:ed|ing)?|disburse(?:d)?)\b/i, capability: 'financial_action', lang: 'en' },
+    { pattern: /\bI\s+(?:can|will|am able to|have|'ve|did|already)\s+(?:transfer|send|pay|withdraw|deposit|wire)\b/i, capability: 'unauthorized_action', lang: 'en' },
+    // French (fr)
+    { pattern: /\b(virer|transférer|envoyer|payer|retirer|déposer|débiter|créditer)\b/i, capability: 'financial_action', lang: 'fr' },
+    { pattern: /\b(j'?ai\s+(?:viré|transféré|envoyé|payé|retiré|déposé))\b/i, capability: 'unauthorized_action', lang: 'fr' },
+    // Arabic (ar) - Unicode Arabic block U+0600-U+06FF
+    { pattern: /[\u0600-\u06FF]{0,3}(?:حوّل|حول|أرسل|ارسل|ادفع|اودع|سحب|استخرج|حوالة|إيداع|سحب)[\u0600-\u06FF]{0,3}/u, capability: 'financial_action', lang: 'ar' },
+    { pattern: /[\u0600-\u06FF]{0,3}(?:أنا|تم|لقد)\s*(?:حوّلت|أرسلت|دفعت|اودعت)[\u0600-\u06FF]{0,3}/u, capability: 'unauthorized_action', lang: 'ar' },
+    // Chinese (zh) - Han script U+4E00-U+9FFF
+    { pattern: /[\u4e00-\u9fff]{0,2}(?:转账|转帐|支付|付款|提款|取款|存款|存入|汇款|存)[\u4e00-\u9fff]{0,2}/u, capability: 'financial_action', lang: 'zh' },
+    { pattern: /[\u4e00-\u9fff]{0,2}(?:我|已|已经)\s*(?:转账|支付|提款|存款)[\u4e00-\u9fff]{0,2}/u, capability: 'unauthorized_action', lang: 'zh' },
+    // ────────────────────────────────────────────────
+    // 🛡️ LANGUAGE-AGNOSTIC NUMERIC DECEPTION (Critical!)
+    // ────────────────────────────────────────────────
+    // Universal number formats: 1,000 | 1 000 | 1.000 | 1000 | 10,000.50 | 10.000,50
+    {
+      pattern:
+        /(?:^|\s|[:\(\[—–\-])(?:\d{1,3}(?:[,\s.]\d{3})*(?:[.,]\d{1,2})?|\d+(?:[.,]\d{1,2})?)(?:\s*(?:naira|ngn|₦|\$|usd|dollars?|euros?|€|pounds?|£|kes|tzs|ugx|rwf|cdf|xof|xaf|ghs|zar|cfa|francs?|rand|shillings?|birr|naira|kobo|pesa|fedha|maal|qarsoon|lacag|imali|mhando|ari|kuɗi|owo|ego|moni|isi))?\s*(?:was\s+(?:added|credited|deposited|transferred|sent|wire[d]?|paid|moved)|has\s+been\s+(?:added|credited|deposited|transferred|sent|paid|moved)|will\s+be\s+(?:added|credited|deposited|transferred|sent|paid|moved)|get\s+(?:added|credited|deposited)|na\s+(?:sake|saki|ce|ceba)|ni\s+(?:sake|saki)|an\s+(?:sake|saki|ce|ceba)|ongezwa|wekwa|wekewa|saki|sake|ti\s+wa\s+kun|fi\s+si|zipu|buru|tinye|gba|san|fi\s+owo|ciyar|biya|nime(?:tuma|lipa|ongeza|weka|peleka)|ni(?:kuufe|dhiibe|kennine|gurgure)|waxaa\s+(?:diray|bixiyay|ku\s+daray)|siyi(?:thumelwe|hlawulwe)|tumirirwa|bhadharirwa|ime(?:thibitishwa|fanikiwa|kamilika)|مضاف|محول|مدفوع|مودع|تم|أضيف|حوّل|أرسل|ادفع|اودع|سحب|تمت|الإيداع|السحب|转账|支付|存入|已转账|已支付|已存入|汇款|存|取款)\b/i,
+      capability: 'unauthorized_action',
+      lang: 'multi'
+    },
+    // ────────────────────────────────────────────────
+    // 🔒 PII LEAKAGE PATTERNS
+    // ────────────────────────────────────────────────
+    // Account numbers (6+ digits)
+    { pattern: /\b(?:account|acct|a\/c|akaunti|asusu|akwụkwọ\s+ọkụ|hesabu|#)\s*[:\-—–]?\s*(\d{6,})\b/i, capability: 'pii_exposure', lang: 'multi' },
+    // Nigerian BVN (11 digits)
+    { pattern: /\b(?:bvn|bank verification number)\s*[:\-]?\s*(\d{11})\b/i, capability: 'pii_exposure', lang: 'multi' },
+    // Nigerian phone numbers
+    { pattern: /\b(?:\+?234\s*|0)(?:70|80|81|90|91)\d{8}\b/, capability: 'pii_exposure', lang: 'multi' },
+    // ────────────────────────────────────────────────
+    // ✅ FAKE CONFIRMATION PATTERNS
+    // ────────────────────────────────────────────────
+    // Success/confirmation in multiple languages
+    { pattern: /\b(successful(?:ly)?|confirmed|approved|completed|processed|accepted|verified|imethibitishwa|imefanikiwa|amthibitishwa|ti\s+da|ti\s+ṣe|gụnyere)\b/i, capability: 'deceptive_claim', lang: 'multi' }
+  ];
+  // 🔍 SCAN OUTPUT FOR FORBIDDEN INTENTS
+  for (const { pattern, capability, lang } of forbiddenPatterns) {
+    if (pattern.test(output)) {
+      // ✅ Only block if capability NOT in workflow allowlist
+      const hasCapability = allowedCapabilities.some(c =>
+        c.includes(capability) ||
+        c.includes('transfer') ||
+        c.includes('payment') ||
+        c.includes('financial')
+      );
+      if (!hasCapability) {
+        const match = output.match(pattern);
+        return {
+          passed: false,
+          reason: `Hallucinated "${capability}" capability in ${lang} (not in workflow allowlist: ${allowedCapabilities.join(', ') || 'none'})`,
+          detected: match ? match[0].trim() : 'unknown pattern',
+          language: lang
+        };
       }
     }
-    return { passed: true };
   }
+  return { passed: true };
+}
+}
   // -----------------------------
   // ✅ CRITICAL FIX: Resolver output unwrapping helper
   // -----------------------------