@pugi/cli 0.1.0-beta.98 → 1.0.0-alpha.1

package/dist/core/security/injection-scanner.js

@@ -1,367 +0,0 @@
-/**
- * Prompt-injection scanner — TypeScript implementation of external
- * `injection_patterns.rs` (Apache-2.0, external).
- *
- * Upstream source:
- *  `_primitives/_rust/kei-memory/src/injection_patterns.rs`
- *  from https://github.com/an internal mirror.
- *
- * Scope of the port:
- *  - Pattern TABLES are ported verbatim (regex + invisible-codepoint
- *    set + ChatML tags + role-prefix patterns). The substring/secret
- *    rows (curl-with-bearer, aws_secret keyword, api_key URL, openssh
- *    PEM markers, long-base64 blob heuristic) are KEPT in this port —
- *    they harden writes through memory/audit paths against accidental
- *    credential pasting.
- *  - Detection logic is rewritten in TypeScript. The Rust upstream
- *    uses `regex::Regex` + a separate `injection_guard.rs` that owns
- *    the "should I block?" decision. Pugi's port collapses both
- *    responsibilities into a single function (`scanForInjection`)
- *    because the caller surfaces (audit-trail, file-tools) only need
- *    the findings list — they do not block writes today (CEO sign-off
- *    gate, separate PR).
- *
- * Severity model:
- *  The upstream `Block` / `Warn` enum is mirrored as a Pugi field on
- *  each finding so a future PR can wire hard-block behavior without
- *  re-shaping the call sites.
- *
- * What this is NOT:
- *  - An LLM-output safety filter. This scans CONTENT BOUND FOR DISK
- *    (audit payloads + file writes / edits) for accidental or
- *    adversarial prompt-injection markers.
- *  - A secrets scanner. Real secrets detection lives in
- *    `scripts/secret-scanner.mjs` (release gate). The few credential
- *    heuristics here exist because the upstream Rust treats memory
- *    persistence as a credential-exfil surface too.
- *
- * See bundled LICENSE notices.0 attribution.
- */
-/**
- * Maximum captured-match length recorded in a finding. Bounds the
- * worst-case row size in the audit JSONL stream. Set to 128 because
- * the longest legitimate pattern match (`long_base64_line`) would be
- * 1024+ bytes — the operator can re-scan the source content for the
- * full blob if they need it; we only need enough context to triage.
- */
-export const MAX_MATCH_CAPTURE = 128;
-function clampMatch(matched) {
-    if (matched.length <= MAX_MATCH_CAPTURE)
-        return matched;
-    return `${matched.slice(0, MAX_MATCH_CAPTURE)}…`;
-}
-/**
- * Invisible / bidi / zero-width unicode codepoints ported verbatim
- * from `INVISIBLE_CHARS` in the upstream Rust. Each one is a known
- * vehicle for hiding prompt-override text from a casual reader.
- */
-export const INVISIBLE_CHARS = [
-    '​', // ZERO WIDTH SPACE
-    '‌', // ZERO WIDTH NON-JOINER
-    '‍', // ZERO WIDTH JOINER
-    '‎', // LEFT-TO-RIGHT MARK
-    '‏', // RIGHT-TO-LEFT MARK
-    '‪', // LEFT-TO-RIGHT EMBEDDING
-    '‫', // RIGHT-TO-LEFT EMBEDDING
-    '‬', // POP DIRECTIONAL FORMATTING
-    '‭', // LEFT-TO-RIGHT OVERRIDE
-    '‮', // RIGHT-TO-LEFT OVERRIDE
-    '⁠', // WORD JOINER
-    '', // BYTE ORDER MARK / ZERO WIDTH NO-BREAK SPACE
-];
-/**
- * Pre-built Set for O(1) codepoint membership tests. The scanner walks
- * the input once and probes this set per character — cheaper than a
- * regex with 12 alternation branches.
- */
-const INVISIBLE_CHAR_SET = new Set(INVISIBLE_CHARS);
-/**
- * Threshold above which a single base64-looking line is flagged.
- * Matches the upstream `BASE64_BLOB_BYTES` constant so the heuristic
- * stays aligned with the Rust spec. The regex below hardcodes the
- * same value for compile-time clarity.
- */
-export const BASE64_BLOB_BYTES = 1024;
-/**
- * PEM begin marker built at runtime so the literal dashes do not
- * trigger over-eager secret-scanners in this very source file (same
- * concern as the upstream `pem_dashes()` helper).
- */
-function pemMarker(label) {
-    const d = '-'.repeat(5);
-    return `${d}BEGIN ${label}${d}`;
-}
-/**
- * Escape regex metachars in a literal string. We avoid pulling a
- * dependency just for this — the set of metachars is small and
- * well-known.
- */
-function escapeRegex(literal) {
-    return literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-/**
- * Prompt-override patterns. Ported verbatim from
- * `prompt_override_patterns()` in the upstream Rust. The regex
- * strings are the same modulo Rust's `(?im)` inline flags being
- * expressed as `i` + `m` on the TS `RegExp`.
- */
-const PROMPT_OVERRIDE_PATTERNS = [
-    {
-        id: 'prompt_override_ignore_previous',
-        kind: 'override-prompt',
-        re: /ignore\s+previous\s+instructions/gi,
-        severity: 'block',
-        source: 'promptguard:override',
-    },
-    {
-        id: 'prompt_override_you_are_now',
-        kind: 'override-prompt',
-        re: /you\s+are\s+now\b/gi,
-        severity: 'block',
-        source: 'promptguard:roleplay',
-    },
-    {
-        id: 'prompt_override_disregard',
-        kind: 'override-prompt',
-        re: /disregard\s+(all|prior|above)/gi,
-        severity: 'block',
-        source: 'promptguard:override',
-    },
-    {
-        id: 'system_role_prefix',
-        kind: 'override-prompt',
-        re: /^\s*system\s*:/gim,
-        severity: 'block',
-        source: 'promptguard:role-prefix',
-    },
-    {
-        id: 'chatml_im_start',
-        kind: 'tag-injection',
-        re: /<\|im_start\|>/g,
-        severity: 'block',
-        source: 'chatml:tag',
-    },
-    {
-        id: 'chatml_endoftext',
-        kind: 'tag-injection',
-        re: /<\|endoftext\|>/g,
-        severity: 'block',
-        source: 'chatml:tag',
-    },
-];
-/**
- * Secret-shaped patterns. Ported from `secret_patterns()`. The PEM
- * markers are built at runtime so they do not show up verbatim in
- * this file's bytes (anti-self-trigger).
- */
-function buildSecretPatterns() {
-    const openssh = escapeRegex(pemMarker('OPENSSH PRIVATE KEY'));
-    const rsa = escapeRegex(pemMarker('RSA PRIVATE KEY'));
-    return [
-        {
-            id: 'ssh_openssh_private',
-            kind: 'secret-marker',
-            re: new RegExp(openssh, 'g'),
-            severity: 'block',
-            source: 'secret:openssh',
-        },
-        {
-            id: 'ssh_rsa_private',
-            kind: 'secret-marker',
-            re: new RegExp(rsa, 'g'),
-            severity: 'block',
-            source: 'secret:rsa',
-        },
-        {
-            // Upstream P2.1.b audit upgraded this to Block tier — long
-            // base64 blobs on a memory-write path are a direct exfil
-            // surface for attestation / key blobs pasted into transcripts.
-            id: 'long_base64_line',
-            kind: 'secret-marker',
-            re: new RegExp(`^[A-Za-z0-9+/=]{${BASE64_BLOB_BYTES},}$`, 'gm'),
-            severity: 'block',
-            source: 'heuristic:base64-blob',
-        },
-    ];
-}
-/**
- * Substring/heuristic patterns. Ported from `build_substring_table()`.
- * Each row demands ALL needles be present in the LOWERCASED copy of
- * the input (AND semantics) — keeps false-positives low.
- */
-const SUBSTRING_PATTERNS = [
-    {
-        id: 'curl_with_bearer',
-        kind: 'secret-marker',
-        needles: ['bearer ', '://'],
-        severity: 'block',
-        source: 'exfil:curl-bearer',
-    },
-    {
-        id: 'aws_secret_keyword',
-        kind: 'secret-marker',
-        needles: ['aws_secret'],
-        severity: 'block',
-        source: 'secret:aws',
-    },
-    {
-        id: 'api_key_url',
-        kind: 'secret-marker',
-        needles: ['api_key=', '://'],
-        severity: 'block',
-        source: 'exfil:api-key-url',
-    },
-];
-let REGEX_TABLE = null;
-function regexPatterns() {
-    if (REGEX_TABLE === null) {
-        REGEX_TABLE = [...PROMPT_OVERRIDE_PATTERNS, ...buildSecretPatterns()];
-    }
-    return REGEX_TABLE;
-}
-/**
- * Maximum input size we scan. Above this we sample the first
- * MAX_SCAN_BYTES bytes and tag the result as `truncated: true`. This
- * keeps a 10 MB log payload from stalling the audit append path.
- *
- * The threshold is deliberately generous (256 KB) — the typical audit
- * `data` payload is a few hundred bytes (a single `tool_call` envelope)
- * and a file write of an HTML page is well under the cap. The cutoff
- * exists only for pathological cases.
- */
-export const MAX_SCAN_BYTES = 256 * 1024;
-/**
- * Scan a string for prompt-injection / invisible-unicode / secret
- * markers. Returns the empty array when clean. Never throws —
- * malformed input (e.g. lone surrogates) falls through to the regex
- * engine and produces zero or more findings, never an exception.
- *
- * Pure function. Safe to call from a hot path (audit-trail append,
- * file-tools writeTool) without worrying about side effects.
- */
-export function scanForInjection(text) {
-    if (typeof text !== 'string' || text.length === 0)
-        return [];
-    const findings = [];
-    const scanText = text.length > MAX_SCAN_BYTES ? text.slice(0, MAX_SCAN_BYTES) : text;
-    // 1. Invisible unicode scan: O(n) single pass with a Set lookup.
-    //   We collect per-codepoint hits rather than collapsing them so
-    //   the operator can see how many bidi marks are present (high
-    //   counts strongly suggest adversarial intent).
-    for (let i = 0; i < scanText.length; i += 1) {
-        const ch = scanText[i];
-        if (ch === undefined)
-            continue;
-        if (INVISIBLE_CHAR_SET.has(ch)) {
-            const code = ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
-            findings.push({
-                kind: 'invisible-unicode',
-                id: `invisible_unicode_U+${code}`,
-                severity: 'warn',
-                matched: ch,
-                offset: i,
-                source: `unicode:invisible:U+${code}`,
-            });
-        }
-    }
-    // 2. Regex table scan. Each pattern uses the `g` flag so we walk
-    //   every occurrence — a single text can carry multiple ChatML
-    //   tags or override phrases and the operator needs to see all of
-    //   them, not just the first.
-    for (const pattern of regexPatterns()) {
-        // Re-set lastIndex defensively in case a prior call left the
-        // regex's stateful cursor mid-string.
-        pattern.re.lastIndex = 0;
-        let match;
-        while ((match = pattern.re.exec(scanText)) !== null) {
-            findings.push({
-                kind: pattern.kind,
-                id: pattern.id,
-                severity: pattern.severity,
-                matched: clampMatch(match[0]),
-                offset: match.index,
-                source: pattern.source,
-            });
-            // Guard against zero-width matches infinite-looping (e.g. a
-            // regex that matches the empty string would never advance).
-            if (match.index === pattern.re.lastIndex) {
-                pattern.re.lastIndex += 1;
-            }
-        }
-    }
-    // 3. Substring/heuristic scan. AND semantics: every needle must
-    //   appear in the lowercased copy. We record the FIRST needle's
-    //   offset because that is the most actionable index for the
-    //   operator (the others may be hundreds of bytes away).
-    const lower = scanText.toLowerCase();
-    for (const pattern of SUBSTRING_PATTERNS) {
-        const offsets = pattern.needles.map((n) => lower.indexOf(n));
-        if (offsets.every((o) => o >= 0)) {
-            const firstOffset = Math.min(...offsets);
-            // Reconstruct a useful matched snippet — the needles can be
-            // far apart so we cap at the first needle plus a window.
-            const snippetEnd = Math.min(firstOffset + MAX_MATCH_CAPTURE, scanText.length);
-            findings.push({
-                kind: pattern.kind,
-                id: pattern.id,
-                severity: pattern.severity,
-                matched: clampMatch(scanText.slice(firstOffset, snippetEnd)),
-                offset: firstOffset,
-                source: pattern.source,
-            });
-        }
-    }
-    return findings;
-}
-export function summarizeFindings(findings) {
-    let score = 0;
-    const kindSet = new Set();
-    for (const f of findings) {
-        if (f.severity === 'block')
-            score += 1;
-        kindSet.add(f.kind);
-    }
-    return {
-        score,
-        total: findings.length,
-        kinds: Array.from(kindSet).sort(),
-    };
-}
-/**
- * Recursively walk a JSON-shaped value and concatenate every string
- * found. Used by audit-trail to fold the entire `data` payload into a
- * single scannable surface — a tool_result with a deeply nested error
- * object could otherwise hide an override prompt one level deep.
- *
- * Cycles are broken by a WeakSet — a payload that round-trips through
- * a session struct is safe to scan even when it has back-references.
- */
-export function collectStrings(value, seen = new WeakSet()) {
-    if (value === null || value === undefined)
-        return [];
-    if (typeof value === 'string')
-        return [value];
-    if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
-        return [];
-    }
-    if (typeof value !== 'object')
-        return [];
-    if (seen.has(value))
-        return [];
-    seen.add(value);
-    const out = [];
-    if (Array.isArray(value)) {
-        for (const item of value) {
-            out.push(...collectStrings(item, seen));
-        }
-        return out;
-    }
-    for (const key of Object.keys(value)) {
-        // Scan the KEY too — a deliberately-crafted payload could hide
-        // an override phrase as an object key.
-        out.push(key);
-        out.push(...collectStrings(value[key], seen));
-    }
-    return out;
-}
-//# sourceMappingURL=injection-scanner.js.map