@safebrowse/daemon 0.1.2-rc.1

package/dist/runtime/knowledge_base/safebrowse_vf_trust_signals_provenance.json

@@ -0,0 +1,480 @@
+{
+  "kb_meta": {
+    "name": "SafeBrowse vf trust signals and provenance catalog",
+    "version": "vf-final",
+    "generated_on": "2026-03-28",
+    "entry_count": 28,
+    "purpose": "Canonical trust/provenance fields shared across all modules."
+  },
+  "signals": [
+    {
+      "signal_id": "TS-01",
+      "name": "source_origin",
+      "category": "origin",
+      "description": "Canonical origin or site that supplied the observation or action target.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall",
+        "ObservationSanitizer"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-02",
+      "name": "frame_origin",
+      "category": "origin",
+      "description": "Origin of the specific frame, iframe, or embed where content appeared.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall",
+        "ArtifactSurfaceGuard"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-03",
+      "name": "same_origin_relation",
+      "category": "origin",
+      "description": "Whether content/action stays same-origin, same-site, cross-site, or cross-channel.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-04",
+      "name": "user_shared_flag",
+      "category": "trust",
+      "description": "Whether the user explicitly shared or selected this source in the current session.",
+      "used_by_modules": [
+        "ObservationSanitizer",
+        "PolicyEngine"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-05",
+      "name": "session_discovered_flag",
+      "category": "trust",
+      "description": "Whether the agent discovered the source autonomously during browsing.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "Telemetry"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-06",
+      "name": "artifact_kind",
+      "category": "surface",
+      "description": "Surface kind such as html, pdf, image, blob-viewer, annotation, tool-output, or download.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-07",
+      "name": "extraction_method",
+      "category": "surface",
+      "description": "How the content was obtained: DOM text, OCR, vision, metadata, file parser, tool return, or screenshot.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard",
+        "PromptInjectionGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-08",
+      "name": "visibility_class",
+      "category": "surface",
+      "description": "Visible, hidden, metadata-only, annotation-only, or rendered-late content class.",
+      "used_by_modules": [
+        "PromptInjectionGuard",
+        "ArtifactSurfaceGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-09",
+      "name": "render_time_phase",
+      "category": "surface",
+      "description": "Whether content existed at initial page load, after mutation, or after user/tool action.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard",
+        "Telemetry"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-10",
+      "name": "script_generated_flag",
+      "category": "surface",
+      "description": "Marks content generated or mutated by scripts or third-party widgets.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-11",
+      "name": "ocr_confidence",
+      "category": "quality",
+      "description": "Confidence score for OCR/vision extraction.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-12",
+      "name": "text_render_mismatch",
+      "category": "quality",
+      "description": "Difference measure between rendered view and extracted text layer.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard",
+        "PromptInjectionGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-13",
+      "name": "metadata_channel",
+      "category": "surface",
+      "description": "Specific metadata field carrying content, such as title, alt text, EXIF, or file properties.",
+      "used_by_modules": [
+        "ArtifactSurfaceGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-14",
+      "name": "auth_required_flag",
+      "category": "trust",
+      "description": "Whether access required authentication, which changes trust and sink rules.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "CredentialBroker"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-15",
+      "name": "credential_scope",
+      "category": "trust",
+      "description": "Scope and audience of credentials attached to the current tool or origin.",
+      "used_by_modules": [
+        "ToolProtocolGuard",
+        "CredentialBroker"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-16",
+      "name": "taint_class",
+      "category": "risk",
+      "description": "Untrusted, user-provided, tool-derived, policy-derived, or secret-bearing taint label.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall",
+        "MemoryGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-17",
+      "name": "sensitivity_class",
+      "category": "risk",
+      "description": "Public, internal, confidential, regulated, credential, or destructive-operation class.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall",
+        "PolicyEngine"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-18",
+      "name": "approval_binding_id",
+      "category": "control",
+      "description": "Structured ID linking actions to explicit approvals rather than natural-language memory.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "ActionIntegrityFirewall"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-19",
+      "name": "task_phase",
+      "category": "control",
+      "description": "Current phase such as discover, extract, compare, draft, or act.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall",
+        "PolicyEngine"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-20",
+      "name": "policy_pack",
+      "category": "control",
+      "description": "Policy pack currently active for the session or origin pair.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "Telemetry"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-21",
+      "name": "lineage_chain",
+      "category": "provenance",
+      "description": "Chain of transformations from source to summary to memory to action input.",
+      "used_by_modules": [
+        "ObservationSanitizer",
+        "MemoryGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-22",
+      "name": "citation_or_source_ref",
+      "category": "provenance",
+      "description": "Reference back to the artifact or source object used to produce an observation.",
+      "used_by_modules": [
+        "ObservationSanitizer",
+        "Replay"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-23",
+      "name": "integrity_hash",
+      "category": "provenance",
+      "description": "Hash of artifact, memory object, or tool manifest used for rollback and comparison.",
+      "used_by_modules": [
+        "MemoryGuard",
+        "Replay"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-24",
+      "name": "freshness_timestamp",
+      "category": "provenance",
+      "description": "Timestamp indicating when the content or policy assertion was last fetched/validated.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "Replay"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-25",
+      "name": "confidence_class",
+      "category": "quality",
+      "description": "High/medium/low confidence used to determine escalation or human review.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "PromptInjectionGuard"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-26",
+      "name": "risk_score",
+      "category": "risk",
+      "description": "Composite risk score synthesized from deterministic rules and optional critics.",
+      "used_by_modules": [
+        "PolicyEngine",
+        "IncidentResponse"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-27",
+      "name": "sink_type",
+      "category": "risk",
+      "description": "Type of external effect: navigate, transmit, upload, send, mutate, execute, consent.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall"
+      ],
+      "source_ids": [
+        "SRC_OWASP_PI_CHEATSHEET_2026",
+        "SRC_ANTHROPIC_BROWSER_USE_2025",
+        "SRC_OWASP_AGENT_MEMORY_GUARD_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    },
+    {
+      "signal_id": "TS-28",
+      "name": "origin_pair",
+      "category": "origin",
+      "description": "Normalized source-target origin pair for cross-origin controls.",
+      "used_by_modules": [
+        "ActionIntegrityFirewall"
+      ],
+      "source_ids": [
+        "SRC_GOOGLE_CHROME_AGENTIC_2025",
+        "SRC_OPENAI_PROMPT_INJECTION_2026",
+        "SRC_OWASP_SECURE_MCP_GUIDE_2026"
+      ],
+      "credibility": "high",
+      "last_verified": "2026-03-28"
+    }
+  ]
+}

package/dist/runtime/knowledge_base/signing/safebrowse_vf_ed25519_public.pem

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAumkUxysU+lbhrq6PxMUnopDGcQqdM7VPKUXdwMlHdWQ=
+-----END PUBLIC KEY-----

package/dist/runtime/policies/base/research.yaml

@@ -0,0 +1,56 @@
+profile: research
+metadata:
+  layer: base
+  version: 2026-03-28
+origins:
+  read_only_allow:
+    - scholar.google.com
+    - arxiv.org
+    - dl.acm.org
+    - openreview.net
+  writable_allow: []
+actions:
+  allow:
+    - navigate
+    - open
+    - scroll
+    - extract
+    - screenshot
+  require_approval:
+    - download
+    - login
+    - upload
+    - submit
+    - message
+  deny:
+    - exfiltrate
+artifacts:
+  enable_document_handoff: true
+  quarantine_on_hidden_text_mismatch: true
+  allow_mime_types:
+    - application/pdf
+    - text/html
+    - text/plain
+    - image/png
+    - image/jpeg
+memory:
+  durable_writes: deny
+  protected_keys:
+    - user_identity
+    - credential_scope
+    - payment_context
+tool_protocol:
+  forbid_token_passthrough: true
+  enforce_exact_redirect_uri: true
+  allowed_registry_signers:
+    - safebrowse-dev
+  require_verified_registry: true
+  require_approval_binding: true
+  require_oauth_state_binding: true
+  tainted_connector_flow_decision: block
+  allow_loopback_callbacks_in_dev: false
+telemetry:
+  replay_bundle: true
+  redact_sensitive_values: true
+  sampling: full
+

package/dist/runtime/policies/emergency/default.yaml

@@ -0,0 +1,14 @@
+profile: research
+metadata:
+  layer: emergency
+  version: 2026-03-28
+actions:
+  require_approval:
+    - download
+    - login
+    - upload
+    - submit
+    - message
+tool_protocol:
+  forbid_token_passthrough: true
+

package/dist/runtime/policies/project/default.yaml

@@ -0,0 +1,13 @@
+profile: research
+metadata:
+  layer: project
+  version: 2026-03-28
+origins:
+  read_only_allow:
+    - github.com
+actions:
+  allow:
+    - download
+  require_approval:
+    - submit
+

package/dist/runtime/policies/tenant/default.yaml

@@ -0,0 +1,12 @@
+profile: research
+metadata:
+  layer: tenant
+  version: 2026-03-28
+origins:
+  read_only_allow:
+    - acm.org
+artifacts:
+  quarantine_on_hidden_text_mismatch: true
+tool_protocol:
+  forbid_token_passthrough: true
+

package/dist/server.d.ts

@@ -0,0 +1,14 @@
+import { type Server } from "node:http";
+import { type KnowledgeBaseContext, type PolicyPack } from "@safebrowse/core";
+import type { VerifiedRegistryBundle } from "@safebrowse/core";
+export interface SafeBrowseDaemonOptions {
+    host?: string;
+    port?: number;
+    rootDir?: string;
+    policyPack?: PolicyPack;
+    knowledgeBase?: KnowledgeBaseContext;
+    verifiedRegistry?: VerifiedRegistryBundle;
+}
+export declare function createSafeBrowseServer(options?: SafeBrowseDaemonOptions): Promise<Server>;
+export declare function startSafeBrowseDaemon(options?: SafeBrowseDaemonOptions): Promise<Server>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAsC,KAAK,MAAM,EAAuB,MAAM,WAAW,CAAC;AAIjG,OAAO,EAcL,KAAK,oBAAoB,EAEzB,KAAK,UAAU,EAMhB,MAAM,kBAAkB,CAAC;AAQ1B,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,MAAM,WAAW,uBAAuB;IACtC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAgGD,wBAAsB,sBAAsB,CAC1C,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,CAAC,CAuHjB;AAED,wBAAsB,qBAAqB,CACzC,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,CAAC,CAWjB"}