@od-oneapp/ai-platform 0.1.0

package/src/governance/policies/guardrails.ts

@@ -0,0 +1,1121 @@
+/**
+ * @fileoverview Guardrails and content filtering policies
+ *
+ * Provides multi-layer defense for AI agent inputs and outputs including:
+ * - Pattern blocking (SQL injection, destructive commands, privilege escalation)
+ * - PII sanitization (email, SSN, phone, credit card, addresses, etc.)
+ * - Stream monitoring (real-time output validation)
+ *
+ * @module @od-oneapp/ai-platform/policies/guardrails
+ */
+
+import { randomUUID } from 'node:crypto';
+
+import {
+  complianceSignalSchema,
+  type ComplianceSignal,
+  type RiskLevel,
+} from '../compliance/schemas';
+
+import type { SDKLanguageModelV3 } from '../../shared';
+
+/**
+ * Banned patterns for content filtering.
+ * Detects dangerous SQL commands, injection attempts, and privilege escalation.
+ * @internal
+ */
+const BANNED_PATTERNS: Array<{ pattern: RegExp; reason: string; risk: RiskLevel }> = [
+  // Destructive SQL commands
+  {
+    pattern: /drop\s+(table|database|schema|index)/gi,
+    reason: 'Destructive SQL command detected (DROP)',
+    risk: 'high',
+  },
+  {
+    pattern: /truncate\s+table/gi,
+    reason: 'Destructive SQL command detected (TRUNCATE)',
+    risk: 'high',
+  },
+  {
+    pattern: /delete\s+from\s+\w+\s+(where\s+1\s*=\s*1|without\s+where)/gi,
+    reason: 'Dangerous DELETE operation without proper WHERE clause',
+    risk: 'high',
+  },
+  // Sensitive data access
+  {
+    pattern: /select\s+\*\s+from\s+(users|passwords|credentials|secrets|tokens)/gi,
+    reason: 'Direct sensitive data extraction requires manual approval',
+    risk: 'high',
+  },
+  {
+    pattern: /update\s+(users|accounts)\s+set\s+(role|permissions|is_admin)/gi,
+    reason: 'Privilege escalation attempt detected',
+    risk: 'high',
+  },
+  // SQL injection patterns
+  {
+    pattern: /;\s*(drop|delete|update|insert)/gi,
+    reason: 'Potential SQL injection with chained commands',
+    risk: 'high',
+  },
+  {
+    pattern: /(union\s+select|union\s+all\s+select)/gi,
+    reason: 'Potential SQL injection with UNION',
+    risk: 'high',
+  },
+  // System commands
+  {
+    pattern: /(exec|execute)\s+(xp_|sp_)/gi,
+    reason: 'Potential system stored procedure execution',
+    risk: 'high',
+  },
+  {
+    pattern: /into\s+outfile|load_file\(/gi,
+    reason: 'File system access attempt detected',
+    risk: 'high',
+  },
+];
+
+/**
+ * Enterprise-grade PII pattern configuration.
+ * Uses context-aware detection to reduce false positives while maintaining security.
+ * @internal
+ */
+interface PiiPatternConfig {
+  /** Primary regex pattern for detection */
+  regex: RegExp;
+  /** Replacement placeholder text */
+  placeholder: string;
+  /** Signal type for compliance tracking */
+  type: ComplianceSignal['type'];
+  /** Optional context keywords - pattern only matches if text contains these keywords nearby */
+  contextKeywords?: string[];
+  /** Window size (chars) to look for context keywords (default: 50) */
+  contextWindow?: number;
+  /** Luhn checksum validation for card numbers */
+  luhnValidation?: boolean;
+  /** Custom validator function for additional validation */
+  validator?: (match: string, text: string) => boolean;
+}
+
+/**
+ * Validates credit card number using Luhn algorithm.
+ * @param num - Numeric string to validate
+ * @returns True if valid Luhn checksum
+ * @internal
+ */
+const isValidLuhn = (num: string): boolean => {
+  const digits = num.replace(/\D/g, '');
+  if (digits.length < 13 || digits.length > 19) return false;
+
+  let sum = 0;
+  let isEven = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let digit = parseInt(digits[i] ?? '0', 10);
+    if (isEven) {
+      digit *= 2;
+      if (digit > 9) digit -= 9;
+    }
+    sum += digit;
+    isEven = !isEven;
+  }
+  return sum % 10 === 0;
+};
+
+/**
+ * Checks if context keywords exist within a window around a match position.
+ * @param text - Full text to search
+ * @param matchStart - Start position of the match
+ * @param matchEnd - End position of the match
+ * @param keywords - Keywords to search for
+ * @param windowSize - Character window to search
+ * @returns True if any keyword is found within the window
+ * @internal
+ */
+const hasContextKeyword = (
+  text: string,
+  matchStart: number,
+  matchEnd: number,
+  keywords: string[],
+  windowSize: number,
+): boolean => {
+  const windowStart = Math.max(0, matchStart - windowSize);
+  const windowEnd = Math.min(text.length, matchEnd + windowSize);
+  const contextText = text.slice(windowStart, windowEnd).toLowerCase();
+  return keywords.some(keyword => contextText.includes(keyword.toLowerCase()));
+};
+
+/**
+ * Enterprise-grade PII patterns with context-aware detection.
+ * Reduces false positives by requiring context keywords for ambiguous patterns.
+ * @internal
+ */
+const PII_PATTERNS: PiiPatternConfig[] = [
+  // Email addresses - high confidence, no context needed
+  {
+    regex: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi,
+    placeholder: '[redacted-email]',
+    type: 'guardrail.sanitized',
+  },
+  // US Social Security Numbers (SSN) - formatted SSNs are high confidence
+  {
+    regex: /\b\d{3}-\d{2}-\d{4}\b/g,
+    placeholder: '[redacted-ssn]',
+    type: 'guardrail.sanitized',
+  },
+  // SSN without dashes - requires context to avoid false positives
+  {
+    regex: /\b\d{9}\b/g,
+    placeholder: '[redacted-ssn]',
+    type: 'guardrail.sanitized',
+    contextKeywords: ['ssn', 'social security', 'social-security', 'tax id', 'taxpayer'],
+    contextWindow: 50,
+  },
+  // US Phone numbers (various formats)
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded pattern with limited quantifiers
+    regex: /\b(?:\+1[-.\s]?)?(?:\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]?\d{4}\b/g,
+    placeholder: '[redacted-phone]',
+    type: 'guardrail.sanitized',
+    contextKeywords: ['phone', 'call', 'tel', 'mobile', 'cell', 'contact', 'fax', 'number'],
+    contextWindow: 30,
+  },
+  // Credit card numbers with Luhn validation - high confidence
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded pattern for credit cards
+    regex: /\b(?:\d{4}[-\s]?){3}\d{4,7}\b/g,
+    placeholder: '[redacted-card]',
+    type: 'guardrail.sanitized',
+    luhnValidation: true,
+  },
+  // Credit card with context keywords (for non-Luhn passing numbers)
+  {
+    regex: /\b\d{13,19}\b/g,
+    placeholder: '[redacted-card]',
+    type: 'guardrail.sanitized',
+    contextKeywords: [
+      'card',
+      'credit',
+      'debit',
+      'visa',
+      'mastercard',
+      'amex',
+      'discover',
+      'payment',
+    ],
+    contextWindow: 40,
+    luhnValidation: true,
+  },
+  // IPv4 addresses - no context needed (high specificity)
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded IPv4 pattern
+    regex: /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})\b/g,
+    placeholder: '[redacted-ip]',
+    type: 'guardrail.sanitized',
+    // Exclude common non-PII IPs (localhost, version numbers)
+    validator: (match: string) => {
+      const nonPiiPatterns = ['127.0.0.1', '0.0.0.0', '255.255.255.255'];
+      if (nonPiiPatterns.includes(match)) return false;
+      // Exclude version-like patterns (e.g., 1.2.3.4 where first octet is single digit)
+      const octets = match.split('.').map(Number);
+      // Valid IP octets are 0-255
+      return octets.every(o => o >= 0 && o <= 255);
+    },
+  },
+  // US Passport numbers - REQUIRES context (9-digit is too common)
+  {
+    regex: /\b[A-Z]?\d{8,9}\b/g,
+    placeholder: '[redacted-passport]',
+    type: 'guardrail.sanitized',
+    contextKeywords: ['passport', 'travel document', 'travel doc', 'passport number', 'passport#'],
+    contextWindow: 60,
+  },
+  // Date of birth patterns - requires context
+  {
+    regex: /\b(0?[1-9]|1[0-2])[\/\-](0?[1-9]|[12]\d|3[01])[\/\-](19|20)\d{2}\b/g,
+    placeholder: '[redacted-dob]',
+    type: 'guardrail.sanitized',
+    contextKeywords: [
+      'dob',
+      'birth',
+      'birthday',
+      'born',
+      'date of birth',
+      'birthdate',
+      'd.o.b',
+      'age',
+    ],
+    contextWindow: 40,
+  },
+  // Street addresses (basic pattern for US addresses)
+  {
+    regex:
+      // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded US address pattern
+      /\b\d+\s+[A-Za-z]+(?:\s+[A-Za-z]+)?\s+(?:Street|St|Avenue|Ave|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Boulevard|Blvd|Way|Place|Pl|Circle|Cir)\.?\b/gi,
+    placeholder: '[redacted-address]',
+    type: 'guardrail.sanitized',
+  },
+  // ZIP codes (US 5 or 9 digit) - requires address context
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded pattern, optional group is safe
+    regex: /\b\d{5}(?:-\d{4})?\b/g,
+    placeholder: '[redacted-zip]',
+    type: 'guardrail.sanitized',
+    contextKeywords: ['zip', 'postal', 'address', 'city', 'state', 'mail', 'ship'],
+    contextWindow: 50,
+  },
+  // Bank account numbers - REQUIRES context (8-17 digits is too common)
+  {
+    regex: /\b\d{8,17}\b/g,
+    placeholder: '[redacted-account]',
+    type: 'guardrail.sanitized',
+    contextKeywords: [
+      'account',
+      'acct',
+      'routing',
+      'bank',
+      'iban',
+      'aba',
+      'swift',
+      'wire',
+      'deposit',
+      'checking',
+      'savings',
+    ],
+    contextWindow: 50,
+  },
+  // Driver's license numbers - requires context
+  {
+    regex: /\b[A-Z]{1,2}\d{5,8}\b/g,
+    placeholder: '[redacted-license]',
+    type: 'guardrail.sanitized',
+    contextKeywords: ['license', 'licence', 'dl', "driver's", 'drivers', 'dmv', 'driving'],
+    contextWindow: 40,
+  },
+  // AWS Access Keys (high confidence pattern)
+  {
+    regex: /\b(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}\b/g,
+    placeholder: '[redacted-aws-key]',
+    type: 'guardrail.sanitized',
+  },
+  // Generic API keys/tokens (requires context)
+  {
+    regex: /\b[a-zA-Z0-9_-]{32,64}\b/g,
+    placeholder: '[redacted-token]',
+    type: 'guardrail.sanitized',
+    contextKeywords: [
+      'api_key',
+      'apikey',
+      'api-key',
+      'token',
+      'secret',
+      'password',
+      'bearer',
+      'authorization',
+      'auth',
+    ],
+    contextWindow: 30,
+  },
+];
+
+/**
+ * Redacts PII (Personally Identifiable Information) from text.
+ * Uses enterprise-grade context-aware detection to minimize false positives
+ * while maintaining strong security coverage.
+ *
+ * Features:
+ * - Context-aware detection for ambiguous patterns (e.g., 9-digit numbers)
+ * - Luhn validation for credit card numbers
+ * - Custom validators for IP address filtering
+ * - AWS key and API token detection
+ *
+ * @param text - Text to sanitize.
+ * @returns Object containing redacted text and compliance signals.
+ * @internal
+ * @example
+ * ```ts
+ * const { redacted } = redactPii('Contact me at jane@example.com');
+ * // redacted === 'Contact me at [redacted-email]'
+ *
+ * // Context-aware: only redacts when context keywords present
+ * const { redacted: r1 } = redactPii('My passport number is 123456789');
+ * // r1 === 'My passport number is [redacted-passport]'
+ *
+ * const { redacted: r2 } = redactPii('Order 123456789 shipped');
+ * // r2 === 'Order 123456789 shipped' (no redaction - no context)
+ * ```
+ */
+const redactPii = (text: string): { redacted: string; signals: ComplianceSignal[] } => {
+  let result = text;
+  const signals: ComplianceSignal[] = [];
+  const processedRanges: Array<{ start: number; end: number }> = [];
+
+  for (const pattern of PII_PATTERNS) {
+    pattern.regex.lastIndex = 0;
+    let match: RegExpExecArray | null;
+    const matches: Array<{ match: string; start: number; end: number }> = [];
+
+    // Collect all matches from current result (not original text)
+    // This ensures offsets stay aligned as we modify the string
+    while ((match = pattern.regex.exec(result)) !== null) {
+      const matchStart = match.index;
+      const matchEnd = match.index + match[0].length;
+
+      // Skip if this range was already processed by a higher-priority pattern
+      const alreadyProcessed = processedRanges.some(
+        range =>
+          (matchStart >= range.start && matchStart < range.end) ||
+          (matchEnd > range.start && matchEnd <= range.end),
+      );
+      if (alreadyProcessed) continue;
+
+      // Check context keywords if required (use result for context check too)
+      if (pattern.contextKeywords && pattern.contextKeywords.length > 0) {
+        const windowSize = pattern.contextWindow ?? 50;
+        if (!hasContextKeyword(result, matchStart, matchEnd, pattern.contextKeywords, windowSize)) {
+          continue;
+        }
+      }
+
+      // Apply Luhn validation if required
+      if (pattern.luhnValidation) {
+        if (!isValidLuhn(match[0])) continue;
+      }
+
+      // Apply custom validator if provided (use result for validation context)
+      if (pattern.validator && !pattern.validator(match[0], result)) {
+        continue;
+      }
+
+      matches.push({ match: match[0], start: matchStart, end: matchEnd });
+    }
+
+    // Process matches in reverse order to preserve string positions
+    for (let i = matches.length - 1; i >= 0; i--) {
+      const item = matches[i];
+      if (!item) continue;
+      const { start, end } = item;
+      result = result.slice(0, start) + pattern.placeholder + result.slice(end);
+      processedRanges.push({ start, end });
+    }
+
+    // Add signal if any matches were processed
+    if (matches.length > 0) {
+      signals.push(
+        complianceSignalSchema.parse({
+          id: randomUUID(),
+          type: pattern.type,
+          message: `Automatically sanitized ${matches.length} sensitive value(s) (${pattern.placeholder})`,
+          runId: 'guardrail',
+          timestamp: new Date().toISOString(),
+          metadata: { count: matches.length, pattern: pattern.placeholder },
+        }),
+      );
+    }
+  }
+
+  return { redacted: result, signals };
+};
+
+/**
+ * Result of guardrail inspection.
+ * Contains sanitization status, blocking decision, compliance signals, and risk level.
+ */
+export type GuardrailResult = {
+  /** Sanitized prompt (null if blocked). */
+  sanitizedPrompt: string | null;
+  /** Whether the prompt was blocked. */
+  blocked: boolean;
+  /** Compliance signals generated during inspection. */
+  signals: ComplianceSignal[];
+  /** Risk level detected. */
+  risk: RiskLevel;
+};
+
+/**
+ * Inspects a prompt for banned patterns and PII.
+ * Checks against banned patterns first, then sanitizes PII if not blocked.
+ *
+ * @param prompt - Prompt text to inspect.
+ * @returns Guardrail result with sanitization status and signals.
+ * @internal
+ * @example
+ * ```ts
+ * const result = inspectPrompt('drop table users;');
+ * // result.blocked === true
+ * ```
+ */
+const inspectPrompt = (prompt: string): GuardrailResult => {
+  const signals: ComplianceSignal[] = [];
+  let blocked = false;
+  let risk: RiskLevel = 'low';
+
+  for (const { pattern, reason, risk: patternRisk } of BANNED_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(prompt)) {
+      blocked = true;
+      risk = patternRisk;
+      signals.push(
+        complianceSignalSchema.parse({
+          id: randomUUID(),
+          type: 'guardrail.blocked',
+          message: reason,
+          runId: 'guardrail',
+          riskLevel: patternRisk,
+          timestamp: new Date().toISOString(),
+        }),
+      );
+    }
+  }
+
+  if (blocked) {
+    return { blocked, sanitizedPrompt: null, signals, risk };
+  }
+
+  const { redacted, signals: piiSignals } = redactPii(prompt);
+  signals.push(...piiSignals);
+
+  return { blocked, sanitizedPrompt: redacted, signals, risk };
+};
+
+/**
+ * Type for objects that can have guardrail signals attached.
+ * @internal
+ */
+type GuardrailAttachable = { guardrailSignals?: ComplianceSignal[] };
+
+/**
+ * Attaches guardrail signals to a target object.
+ * Used to propagate compliance signals through the request/response chain.
+ *
+ * @param target - Target object to attach signals to.
+ * @param signals - Compliance signals to attach.
+ * @internal
+ * @example
+ * ```ts
+ * const payload: any = {};
+ * attachGuardrailSignals(payload, [complianceSignalSchema.parse({ id: '1', type: 'guardrail.blocked', message: 'Blocked', runId: 'guardrail', timestamp: new Date().toISOString(), riskLevel: 'high' })]);
+ * ```
+ */
+const attachGuardrailSignals = (target: unknown, signals: ComplianceSignal[]) => {
+  if (!signals.length || !target || typeof target !== 'object') {
+    return;
+  }
+
+  const container = target as GuardrailAttachable;
+  const existing = Array.isArray(container.guardrailSignals) ? container.guardrailSignals : [];
+  container.guardrailSignals = [...existing, ...signals];
+};
+
+/**
+ * Creates a guardrail error with attached signals.
+ *
+ * @param signals - Compliance signals explaining why the request was blocked.
+ * @returns Error object with guardrail signals attached.
+ * @internal
+ * @example
+ * ```ts
+ * const error = createGuardrailError([
+ *   // signals
+ * ]);
+ * ```
+ */
+const createGuardrailError = (signals: ComplianceSignal[]) => {
+  const error = new Error('Request blocked by guardrails');
+  attachGuardrailSignals(error, signals);
+  return error;
+};
+
+/**
+ * Request type that may contain prompt or messages to sanitize.
+ * @internal
+ */
+type GuardrailRequest = { prompt?: unknown; messages?: unknown } & Record<string, unknown>;
+
+/**
+ * Sanitizes a request by inspecting prompts/messages for banned patterns and PII.
+ * Handles both string prompts and message arrays with various content formats.
+ *
+ * @param request - Request object to sanitize.
+ * @returns Object containing sanitized request and aggregated signals.
+ * @throws {Error} If request contains banned patterns (with guardrail signals attached).
+ * @internal
+ * @example
+ * ```ts
+ * const outcome = sanitizeRequest({ prompt: 'My email is john@example.com' });
+ * // outcome.sanitizedRequest.prompt contains '[redacted-email]'
+ * ```
+ */
+const sanitizeRequest = <T extends GuardrailRequest>(request: T) => {
+  let sanitizedRequest = request;
+  let mutated = false;
+  const aggregatedSignals: ComplianceSignal[] = [];
+
+  if (typeof request.prompt === 'string') {
+    const outcome = inspectPrompt(request.prompt);
+    if (outcome.blocked) {
+      throw createGuardrailError(outcome.signals);
+    }
+
+    const sanitizedPrompt = outcome.sanitizedPrompt ?? '';
+    if (sanitizedPrompt !== request.prompt) {
+      sanitizedRequest = { ...sanitizedRequest, prompt: sanitizedPrompt } as T;
+      mutated = true;
+    }
+    aggregatedSignals.push(...outcome.signals);
+  } else if (Array.isArray(request.prompt)) {
+    // Handle array prompt format: [{ role: 'user', content: [{ type: 'text', text: '...' }] }]
+    let promptChanged = false;
+    const updatedPrompt = request.prompt.map(message => {
+      if (
+        message &&
+        typeof message === 'object' &&
+        (message as { role?: unknown }).role === 'user'
+      ) {
+        const { content } = message as { content?: unknown };
+        if (Array.isArray(content)) {
+          const updatedContent = content.map(part => {
+            if (
+              part &&
+              typeof part === 'object' &&
+              (part as { type?: unknown }).type === 'text' &&
+              typeof (part as { text?: unknown }).text === 'string'
+            ) {
+              const { text } = part as { text: string };
+              const outcome = inspectPrompt(text);
+              if (outcome.blocked) {
+                throw createGuardrailError(outcome.signals);
+              }
+
+              const sanitizedText = outcome.sanitizedPrompt ?? '';
+              aggregatedSignals.push(...outcome.signals);
+              if (sanitizedText !== text) {
+                return { ...part, text: sanitizedText };
+              }
+            }
+            return part;
+          });
+
+          // Check if content actually changed by comparing arrays
+          const hasChanges = updatedContent.some((part, index) => {
+            const original = content[index];
+            return (
+              part &&
+              typeof part === 'object' &&
+              original &&
+              typeof original === 'object' &&
+              (part as { text?: unknown }).text !== (original as { text?: unknown }).text
+            );
+          });
+
+          if (hasChanges) {
+            promptChanged = true;
+            return { ...message, content: updatedContent };
+          }
+        }
+      }
+      return message;
+    });
+
+    if (promptChanged) {
+      sanitizedRequest = { ...sanitizedRequest, prompt: updatedPrompt } as T;
+      mutated = true;
+    }
+  }
+
+  if (Array.isArray(request.messages)) {
+    const { messages } = request;
+    const updatedMessages = messages.map(message => {
+      if (
+        message &&
+        typeof message === 'object' &&
+        (message as { role?: unknown }).role === 'user'
+      ) {
+        const { content } = message as { content?: unknown };
+        if (typeof content === 'string') {
+          const outcome = inspectPrompt(content);
+          if (outcome.blocked) {
+            throw createGuardrailError(outcome.signals);
+          }
+
+          const sanitizedContent = outcome.sanitizedPrompt ?? '';
+          aggregatedSignals.push(...outcome.signals);
+          if (sanitizedContent !== content) {
+            return { ...message, content: sanitizedContent };
+          }
+        } else if (Array.isArray(content)) {
+          // Handle array content format: [{ type: 'text', text: '...' }]
+          const updatedContent = content.map(part => {
+            if (
+              part &&
+              typeof part === 'object' &&
+              (part as { type?: unknown }).type === 'text' &&
+              typeof (part as { text?: unknown }).text === 'string'
+            ) {
+              const { text } = part as { text: string };
+              const outcome = inspectPrompt(text);
+              if (outcome.blocked) {
+                throw createGuardrailError(outcome.signals);
+              }
+
+              const sanitizedText = outcome.sanitizedPrompt ?? '';
+              aggregatedSignals.push(...outcome.signals);
+              if (sanitizedText !== text) {
+                return { ...part, text: sanitizedText };
+              }
+            }
+            return part;
+          });
+
+          // Check if content actually changed by comparing arrays
+          const hasChanges = updatedContent.some((part, index) => {
+            const original = content[index];
+            return (
+              part &&
+              typeof part === 'object' &&
+              original &&
+              typeof original === 'object' &&
+              (part as { text?: unknown }).text !== (original as { text?: unknown }).text
+            );
+          });
+
+          if (hasChanges) {
+            return { ...message, content: updatedContent };
+          }
+        }
+      }
+
+      return message;
+    });
+
+    const changed = updatedMessages.some((msg, idx) => msg !== messages[idx]);
+    if (changed) {
+      sanitizedRequest = { ...sanitizedRequest, messages: updatedMessages } as T;
+      mutated = true;
+    }
+  }
+
+  return {
+    sanitizedRequest: mutated ? sanitizedRequest : request,
+    signals: aggregatedSignals,
+  };
+};
+
+/**
+ * Sanitizes a single stream part for PII.
+ * Processes text-delta, reasoning-delta, tool-input-delta, and text parts.
+ *
+ * @param part - Stream part to sanitize.
+ * @returns Sanitized stream part.
+ * @internal
+ * @example
+ * ```ts
+ * const part = sanitizeStreamPart({ type: 'text-delta', delta: 'pii@example.com' });
+ * ```
+ */
+const sanitizeStreamPart = (part: unknown): unknown => {
+  if (!part || typeof part !== 'object') {
+    return part;
+  }
+
+  const chunk = part as { type?: string; delta?: unknown; text?: unknown };
+
+  if (chunk.type === 'text-delta' && typeof chunk.delta === 'string') {
+    return { ...chunk, delta: redactPii(chunk.delta).redacted };
+  }
+
+  if (chunk.type === 'reasoning-delta' && typeof chunk.delta === 'string') {
+    return { ...chunk, delta: redactPii(chunk.delta).redacted };
+  }
+
+  if (chunk.type === 'tool-input-delta' && typeof chunk.delta === 'string') {
+    return { ...chunk, delta: redactPii(chunk.delta).redacted };
+  }
+
+  if (typeof chunk.text === 'string') {
+    return { ...chunk, text: redactPii(chunk.text).redacted };
+  }
+
+  return part;
+};
+
+/**
+ * Applies default guardrails to a language model.
+ * Wraps the model's doGenerate and doStream methods to add content filtering,
+ * PII redaction, and compliance signal generation.
+ *
+ * @param model - Language model to wrap with guardrails.
+ * @returns Wrapped model with guardrails applied.
+ * @throws {Error} If request contains banned patterns (with guardrail signals attached).
+ * @remarks Guardrails are applied to both input (prompt/messages) and output (content).
+ * Compliance signals are attached to responses and errors for audit purposes.
+ * Stream parts are sanitized in real-time for PII redaction.
+ * @example
+ * ```ts
+ * const guardedModel = applyDefaultGuardrails(anthropic('claude-sonnet-4'));
+ * const result = await guardedModel.doGenerate({ prompt: 'User input' });
+ * ```
+ */
+export const applyDefaultGuardrails = (model: SDKLanguageModelV3): SDKLanguageModelV3 =>
+  ({
+    ...model,
+    async doGenerate(request: Parameters<SDKLanguageModelV3['doGenerate']>[0]) {
+      const { sanitizedRequest, signals: requestSignals } = sanitizeRequest(request);
+
+      try {
+        const response = await model.doGenerate(sanitizedRequest);
+
+        const responseSignals: ComplianceSignal[] = [];
+
+        const processedContent = response.content.map(part => {
+          if (part.type === 'text' && typeof part.text === 'string') {
+            const { redacted, signals } = redactPii(part.text);
+            responseSignals.push(...signals);
+            return { ...part, text: redacted };
+          }
+          return part;
+        });
+
+        const combinedSignals = [...requestSignals, ...responseSignals];
+
+        const sanitizedResponse = {
+          ...response,
+          content: processedContent,
+        };
+        attachGuardrailSignals(sanitizedResponse, combinedSignals);
+        return sanitizedResponse;
+      } catch (error) {
+        attachGuardrailSignals(error, requestSignals);
+        throw error;
+      }
+    },
+    async doStream(request: Parameters<SDKLanguageModelV3['doStream']>[0]) {
+      const { sanitizedRequest, signals: requestSignals } = sanitizeRequest(request);
+      const result = await model.doStream(sanitizedRequest);
+
+      const reader = result.stream.getReader();
+      const sanitizedStream = new ReadableStream({
+        async pull(controller) {
+          const { done, value } = await reader.read();
+          if (done) {
+            controller.close();
+            return;
+          }
+
+          controller.enqueue(sanitizeStreamPart(value));
+        },
+        cancel(reason) {
+          return reader.cancel(reason);
+        },
+      });
+
+      const sanitizedResult = { ...result, stream: sanitizedStream };
+      attachGuardrailSignals(sanitizedResult, requestSignals);
+      return sanitizedResult;
+    },
+  }) satisfies SDKLanguageModelV3;
+
+/**
+ * Prompt injection detection patterns.
+ * Detects common prompt injection, jailbreak, and manipulation attempts.
+ * @internal
+ */
+const PROMPT_INJECTION_PATTERNS: Array<{
+  pattern: RegExp;
+  category: 'jailbreak' | 'instruction_override' | 'role_play' | 'encoding_bypass' | 'data_exfil';
+  severity: RiskLevel;
+  description: string;
+}> = [
+  // Jailbreak attempts
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded jailbreak pattern
+    pattern: /ignore\s+(all\s+)?(previous|prior|above)\s+(instructions?|prompts?|rules?)/gi,
+    category: 'jailbreak',
+    severity: 'high',
+    description: 'Instruction override attempt detected',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded jailbreak pattern
+    pattern: /disregard\s+(all\s+)?(previous|prior|your)\s+(instructions?|guidelines?|rules?)/gi,
+    category: 'jailbreak',
+    severity: 'high',
+    description: 'Instruction override attempt detected',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded jailbreak pattern
+    pattern: /forget\s+(everything|all|what)\s+(you\s+)?(know|learned|were told)/gi,
+    category: 'jailbreak',
+    severity: 'high',
+    description: 'Memory reset attempt detected',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded jailbreak pattern
+    pattern: /pretend\s+(you\s+)?(are|have)\s+no\s+(restrictions?|limitations?|rules?)/gi,
+    category: 'jailbreak',
+    severity: 'high',
+    description: 'Restriction bypass attempt detected',
+  },
+  // Instruction override
+  {
+    pattern: /new\s+instructions?:?\s*$/gim,
+    category: 'instruction_override',
+    severity: 'high',
+    description: 'New instruction injection attempt',
+  },
+  {
+    pattern: /system\s*:\s*you\s+are/gi,
+    category: 'instruction_override',
+    severity: 'high',
+    description: 'System prompt injection attempt',
+  },
+  {
+    pattern: /\[system\]|\[INST\]|\[\/INST\]|<<SYS>>|<\|im_start\|>/gi,
+    category: 'instruction_override',
+    severity: 'high',
+    description: 'Chat template injection attempt',
+  },
+  {
+    pattern: /###\s*(instruction|system|human|assistant)\s*:/gi,
+    category: 'instruction_override',
+    severity: 'medium',
+    description: 'Markdown instruction injection attempt',
+  },
+  // Role play exploits
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded role-play pattern
+    pattern: /you\s+are\s+(now\s+)?(DAN|jailbroken|unrestricted|evil|uncensored)/gi,
+    category: 'role_play',
+    severity: 'high',
+    description: 'Malicious role-play attempt (DAN/jailbreak)',
+  },
+  {
+    pattern:
+      // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded ethics bypass pattern
+      /act\s+as\s+(if\s+)?(you\s+)?(have|had|don't have)\s+no\s+(ethics|morals|guidelines)/gi,
+    category: 'role_play',
+    severity: 'high',
+    description: 'Ethics bypass role-play attempt',
+  },
+  {
+    pattern: /developer\s+mode|sudo\s+mode|god\s+mode|admin\s+mode/gi,
+    category: 'role_play',
+    severity: 'high',
+    description: 'Privilege escalation role-play attempt',
+  },
+  // Encoding bypass attempts
+  {
+    pattern: /base64\s*:\s*[A-Za-z0-9+\/=]{20,}/gi,
+    category: 'encoding_bypass',
+    severity: 'medium',
+    description: 'Base64 encoded payload detected',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded unicode escape pattern
+    pattern: /\\u[0-9a-fA-F]{4}(?:\\u[0-9a-fA-F]{4}){5,}/g,
+    category: 'encoding_bypass',
+    severity: 'medium',
+    description: 'Unicode escape sequence payload detected',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded HTML entity pattern
+    pattern: /&#x?[0-9a-fA-F]+;(?:&#x?[0-9a-fA-F]+;){5,}/g,
+    category: 'encoding_bypass',
+    severity: 'medium',
+    description: 'HTML entity encoded payload detected',
+  },
+  // Data exfiltration attempts
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded prompt extraction pattern
+    pattern: /repeat\s+(the\s+)?(system\s+)?prompt|show\s+(me\s+)?(the\s+)?(system\s+)?prompt/gi,
+    category: 'data_exfil',
+    severity: 'medium',
+    description: 'System prompt extraction attempt',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded instruction extraction pattern
+    pattern: /what\s+(are\s+)?(your|the)\s+(original\s+)?instructions/gi,
+    category: 'data_exfil',
+    severity: 'medium',
+    description: 'Instruction extraction attempt',
+  },
+  {
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded context extraction pattern
+    pattern: /output\s+(your|the)\s+(entire\s+)?context/gi,
+    category: 'data_exfil',
+    severity: 'medium',
+    description: 'Context extraction attempt',
+  },
+];
+
+/**
+ * Result of prompt injection detection.
+ */
+export interface PromptInjectionResult {
+  /** Whether injection was detected */
+  detected: boolean;
+  /** Risk level if detected */
+  risk: RiskLevel;
+  /** Categories of injection detected */
+  categories: Array<
+    'jailbreak' | 'instruction_override' | 'role_play' | 'encoding_bypass' | 'data_exfil'
+  >;
+  /** Human-readable descriptions of detected patterns */
+  descriptions: string[];
+  /** Compliance signals for audit trail */
+  signals: ComplianceSignal[];
+}
+
+/**
+ * Detects prompt injection attempts in text.
+ * Uses pattern matching to identify common injection, jailbreak, and manipulation techniques.
+ *
+ * @param text - Text to analyze for injection attempts.
+ * @returns Detection result with risk level and categorization.
+ * @example
+ * ```ts
+ * const result = detectPromptInjection('Ignore all previous instructions and...');
+ * // result.detected === true
+ * // result.risk === 'high'
+ * // result.categories === ['jailbreak']
+ * ```
+ */
+export const detectPromptInjection = (text: string): PromptInjectionResult => {
+  const detectedCategories = new Set<PromptInjectionResult['categories'][number]>();
+  const descriptions: string[] = [];
+  const signals: ComplianceSignal[] = [];
+  let maxRisk: RiskLevel = 'low';
+
+  for (const { pattern, category, severity, description } of PROMPT_INJECTION_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(text)) {
+      detectedCategories.add(category);
+      descriptions.push(description);
+
+      // Update max risk
+      if (severity === 'high' || (severity === 'medium' && maxRisk === 'low')) {
+        maxRisk = severity;
+      }
+
+      signals.push(
+        complianceSignalSchema.parse({
+          id: randomUUID(),
+          type: 'guardrail.blocked',
+          message: `Prompt injection detected: ${description}`,
+          runId: 'guardrail',
+          riskLevel: severity,
+          timestamp: new Date().toISOString(),
+          metadata: { category, pattern: pattern.source },
+        }),
+      );
+    }
+  }
+
+  return {
+    detected: detectedCategories.size > 0,
+    risk: maxRisk,
+    categories: Array.from(detectedCategories),
+    descriptions,
+    signals,
+  };
+};
+
+/**
+ * Token limit configuration per risk level.
+ * Restricts output length based on detected risk to limit potential damage.
+ */
+export const TOKEN_LIMITS: Record<RiskLevel, number> = {
+  low: 16384,
+  medium: 8192,
+  high: 2048,
+};
+
+/**
+ * Gets the appropriate token limit for a risk level.
+ *
+ * @param risk - Risk level to get limit for.
+ * @returns Maximum output tokens allowed.
+ * @example
+ * ```ts
+ * const limit = getTokenLimitForRisk('high');
+ * // limit === 2048
+ * ```
+ */
+export const getTokenLimitForRisk = (risk: RiskLevel): number => TOKEN_LIMITS[risk];
+
+/**
+ * Detects risk level from message content.
+ * Analyzes user messages for high-risk keywords, patterns, and prompt injection attempts.
+ * Enterprise-grade detection with multiple risk factors.
+ *
+ * @param messages - Array of messages to analyze.
+ * @returns Detected risk level ('low', 'medium', or 'high').
+ * @example
+ * ```ts
+ * const risk = detectRiskFromMessages([
+ *   { role: 'user', content: 'Delete my account' }
+ * ]); // Returns 'high'
+ * ```
+ */
+export const detectRiskFromMessages = (
+  messages: Array<{ role: string; content?: string }>,
+): RiskLevel => {
+  const joined = messages
+    .filter(message => message.role === 'user')
+    .map(message => message.content ?? '')
+    .join('\n');
+
+  const joinedLower = joined.toLowerCase();
+
+  // Check for prompt injection first (highest priority)
+  const injectionResult = detectPromptInjection(joined);
+  if (injectionResult.detected && injectionResult.risk === 'high') {
+    return 'high';
+  }
+
+  // High risk keywords and patterns
+  const highRiskPatterns = [
+    'delete account',
+    'drop table',
+    'rm -rf',
+    'format disk',
+    'delete all',
+    'wipe data',
+    'export all data',
+    'bypass security',
+    'admin access',
+    'root access',
+    'privilege escalation',
+  ];
+
+  for (const pattern of highRiskPatterns) {
+    if (joinedLower.includes(pattern)) {
+      return 'high';
+    }
+  }
+
+  // Medium risk from injection detection
+  if (injectionResult.detected) {
+    return 'medium';
+  }
+
+  // Medium risk keywords
+  const mediumRiskPatterns = [
+    'ssn',
+    'pii',
+    'password',
+    'credit card',
+    'social security',
+    'api key',
+    'secret key',
+    'private key',
+    'access token',
+  ];
+
+  for (const pattern of mediumRiskPatterns) {
+    if (joinedLower.includes(pattern)) {
+      return 'medium';
+    }
+  }
+
+  return 'low';
+};