@troykelly/openclaw-projects 0.0.11 → 0.0.12

package/dist/utils/inbound-gate.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Inbound message gate — unified pre-processing gate for inbound messages.
+ *
+ * Orchestrates spam filter, rate limiter, and token budget as a single
+ * evaluation point before any message processing (embedding, linking, etc.).
+ *
+ * NOTE: All state (rate limiter windows, token budget counters) is held
+ * in-memory and does not persist across process restarts or span multiple
+ * instances. This is acceptable for single-instance deployments. For
+ * multi-instance deployments, the rate limiter and token budget would need
+ * to be backed by skill_store or an external store (e.g. Redis) to share
+ * state across processes.
+ *
+ * Part of Issue #1225 — rate limiting and spam protection.
+ */
+import { type SpamFilterConfig, type InboundMessage } from './spam-filter.js';
+import { type RateLimiterConfig, type SenderTrust } from './rate-limiter.js';
+import { type TokenBudgetConfig } from './token-budget.js';
+import type { Logger } from '../logger.js';
+/** Re-export InboundMessage for convenience */
+export type { InboundMessage } from './spam-filter.js';
+/** Actions the gate can take on a message */
+export type GateAction = 'allow' | 'reject' | 'rate_limited' | 'budget_exceeded' | 'defer';
+/** Result of the inbound gate evaluation */
+export interface InboundGateDecision {
+    /** Action to take on the message */
+    action: GateAction;
+    /** Human-readable reason for the decision, null if allowed */
+    reason: string | null;
+    /** Whether to skip embedding for this message */
+    skipEmbedding: boolean;
+}
+/** Configuration for the inbound gate */
+export interface InboundGateConfig {
+    /** Spam filter configuration */
+    spamFilter: SpamFilterConfig;
+    /** Rate limiter configuration */
+    rateLimiter: RateLimiterConfig;
+    /** Token budget configuration */
+    tokenBudget: TokenBudgetConfig;
+    /** Whether to defer processing for unknown senders */
+    deferUnknownSenders?: boolean;
+}
+/** Aggregate gate statistics */
+export interface InboundGateStats {
+    /** Total messages evaluated */
+    totalEvaluated: number;
+    /** Messages allowed through */
+    allowed: number;
+    /** Messages rejected as spam */
+    rejected: number;
+    /** Messages rate-limited */
+    rateLimited: number;
+    /** Messages denied due to budget */
+    budgetExceeded: number;
+    /** Messages deferred */
+    deferred: number;
+}
+/** Inbound gate instance */
+export interface InboundGate {
+    /**
+     * Evaluate a message and return a gate decision.
+     * When estimatedTokens > 0 and the message is allowed, the token budget
+     * is atomically consumed during evaluation — callers must NOT separately
+     * record token usage or the budget will be double-counted.
+     */
+    evaluate(message: InboundMessage, trust: SenderTrust, estimatedTokens?: number): InboundGateDecision;
+    /** Get aggregate statistics */
+    getStats(): InboundGateStats;
+}
+/**
+ * Create an inbound message gate.
+ *
+ * Checks are applied in this order:
+ * 1. Spam filter (reject bulk/marketing/known spam)
+ * 2. Rate limiter (per-sender and per-recipient caps)
+ * 3. Token budget (cost protection)
+ * 4. Deferred processing (unknown senders, if configured)
+ *
+ * @param config - Gate configuration
+ * @param logger - Logger for recording decisions
+ * @returns InboundGate instance
+ */
+export declare function createInboundGate(config: InboundGateConfig, logger: Logger): InboundGate;
+//# sourceMappingURL=inbound-gate.d.ts.map

package/dist/utils/inbound-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inbound-gate.d.ts","sourceRoot":"","sources":["../../src/utils/inbound-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAU,KAAK,gBAAgB,EAAE,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACtF,OAAO,EAAqB,KAAK,iBAAiB,EAAoB,KAAK,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAClH,OAAO,EAAqB,KAAK,iBAAiB,EAAoB,MAAM,mBAAmB,CAAC;AAChG,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAE3C,+CAA+C;AAC/C,YAAY,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEvD,6CAA6C;AAC7C,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,QAAQ,GAAG,cAAc,GAAG,iBAAiB,GAAG,OAAO,CAAC;AAE3F,4CAA4C;AAC5C,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,MAAM,EAAE,UAAU,CAAC;IACnB,8DAA8D;IAC9D,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,iDAAiD;IACjD,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,yCAAyC;AACzC,MAAM,WAAW,iBAAiB;IAChC,gCAAgC;IAChC,UAAU,EAAE,gBAAgB,CAAC;IAC7B,iCAAiC;IACjC,WAAW,EAAE,iBAAiB,CAAC;IAC/B,iCAAiC;IACjC,WAAW,EAAE,iBAAiB,CAAC;IAC/B,sDAAsD;IACtD,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B;AAED,gCAAgC;AAChC,MAAM,WAAW,gBAAgB;IAC/B,+BAA+B;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,4BAA4B;AAC5B,MAAM,WAAW,WAAW;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,WAAW,EAAE,eAAe,CAAC,EAAE,MAAM,GAAG,mBAAmB,CAAC;IACrG,+BAA+B;IAC/B,QAAQ,IAAI,gBAAgB,CAAC;CAC9B;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW,CA4GxF"}

package/dist/utils/inbound-gate.js

@@ -0,0 +1,133 @@
+/**
+ * Inbound message gate — unified pre-processing gate for inbound messages.
+ *
+ * Orchestrates spam filter, rate limiter, and token budget as a single
+ * evaluation point before any message processing (embedding, linking, etc.).
+ *
+ * NOTE: All state (rate limiter windows, token budget counters) is held
+ * in-memory and does not persist across process restarts or span multiple
+ * instances. This is acceptable for single-instance deployments. For
+ * multi-instance deployments, the rate limiter and token budget would need
+ * to be backed by skill_store or an external store (e.g. Redis) to share
+ * state across processes.
+ *
+ * Part of Issue #1225 — rate limiting and spam protection.
+ */
+import { isSpam } from './spam-filter.js';
+import { createRateLimiter } from './rate-limiter.js';
+import { createTokenBudget } from './token-budget.js';
+/**
+ * Create an inbound message gate.
+ *
+ * Checks are applied in this order:
+ * 1. Spam filter (reject bulk/marketing/known spam)
+ * 2. Rate limiter (per-sender and per-recipient caps)
+ * 3. Token budget (cost protection)
+ * 4. Deferred processing (unknown senders, if configured)
+ *
+ * @param config - Gate configuration
+ * @param logger - Logger for recording decisions
+ * @returns InboundGate instance
+ */
+export function createInboundGate(config, logger) {
+    const rateLimiter = createRateLimiter(config.rateLimiter);
+    const tokenBudget = createTokenBudget(config.tokenBudget);
+    let totalEvaluated = 0;
+    let allowed = 0;
+    let rejected = 0;
+    let rateLimited = 0;
+    let budgetExceeded = 0;
+    let deferred = 0;
+    return {
+        evaluate(message, trust, estimatedTokens = 0) {
+            totalEvaluated++;
+            // Step 1: Spam filter
+            const spamResult = isSpam(message, config.spamFilter);
+            if (spamResult.isSpam) {
+                rejected++;
+                logger.info('inbound gate: spam rejected', {
+                    sender: message.sender,
+                    channel: message.channel,
+                    reason: spamResult.reason,
+                });
+                return {
+                    action: 'reject',
+                    reason: `spam: ${spamResult.reason}`,
+                    skipEmbedding: true,
+                };
+            }
+            // Step 2: Rate limiter (pass channel for sender normalization)
+            const rateResult = rateLimiter.check(message.sender, message.recipient, trust, message.channel);
+            if (!rateResult.allowed) {
+                rateLimited++;
+                logger.warn('inbound gate: rate limited', {
+                    sender: message.sender,
+                    channel: message.channel,
+                    trust,
+                    reason: rateResult.reason,
+                    remaining: rateResult.remaining,
+                    retryAfterMs: rateResult.retryAfterMs,
+                });
+                return {
+                    action: 'rate_limited',
+                    reason: `rate limited: ${rateResult.reason}`,
+                    skipEmbedding: true,
+                };
+            }
+            // Step 3: Token budget (uses tryConsume for atomic check-and-record)
+            if (estimatedTokens > 0) {
+                const budgetResult = tokenBudget.tryConsume(estimatedTokens);
+                if (!budgetResult.allowed) {
+                    budgetExceeded++;
+                    logger.warn('inbound gate: token budget exceeded', {
+                        sender: message.sender,
+                        channel: message.channel,
+                        estimatedTokens,
+                        reason: budgetResult.reason,
+                    });
+                    return {
+                        action: 'budget_exceeded',
+                        reason: `budget exceeded: ${budgetResult.reason}`,
+                        skipEmbedding: true,
+                    };
+                }
+            }
+            // Step 4: Deferred processing for unknown senders
+            if (config.deferUnknownSenders && trust === 'unknown') {
+                deferred++;
+                logger.debug('inbound gate: deferring unknown sender', {
+                    sender: message.sender,
+                    channel: message.channel,
+                });
+                return {
+                    action: 'defer',
+                    reason: 'unknown sender deferred for batch processing',
+                    skipEmbedding: true,
+                };
+            }
+            // Message is allowed
+            allowed++;
+            logger.debug('inbound gate: allowed', {
+                sender: message.sender,
+                channel: message.channel,
+                trust,
+            });
+            return {
+                action: 'allow',
+                reason: null,
+                skipEmbedding: false,
+            };
+        },
+        getStats() {
+            return {
+                totalEvaluated,
+                allowed,
+                rejected,
+                rateLimited,
+                budgetExceeded,
+                deferred,
+            };
+        },
+    };
+}
+//# sourceMappingURL=inbound-gate.js.map

package/dist/utils/inbound-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inbound-gate.js","sourceRoot":"","sources":["../../src/utils/inbound-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,MAAM,EAA8C,MAAM,kBAAkB,CAAC;AACtF,OAAO,EAAE,iBAAiB,EAA8D,MAAM,mBAAmB,CAAC;AAClH,OAAO,EAAE,iBAAiB,EAA4C,MAAM,mBAAmB,CAAC;AA4DhG;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAyB,EAAE,MAAc;IACzE,MAAM,WAAW,GAAgB,iBAAiB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACvE,MAAM,WAAW,GAAgB,iBAAiB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEvE,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,OAAO;QACL,QAAQ,CAAC,OAAuB,EAAE,KAAkB,EAAE,eAAe,GAAG,CAAC;YACvE,cAAc,EAAE,CAAC;YAEjB,sBAAsB;YACtB,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;YACtD,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;gBACtB,QAAQ,EAAE,CAAC;gBACX,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE;oBACzC,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBACH,OAAO;oBACL,MAAM,EAAE,QAAQ;oBAChB,MAAM,EAAE,SAAS,UAAU,CAAC,MAAM,EAAE;oBACpC,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;YAED,+DAA+D;YAC/D,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;YAChG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBACxB,WAAW,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE;oBACxC,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,KAAK;oBACL,MAAM,EAAE,UAAU,CAAC,MAAM;oBACzB,SAAS,EAAE,UAAU,CAAC,SAAS;oBAC/B,YAAY,EAAE,UAAU,CAAC,YAAY;iBACtC,CAAC,CAAC;gBACH,OAAO;oBACL,MAAM,EAAE,cAAc;oBACtB,MAAM,EAAE,iBAAiB,UAAU,CAAC,MAAM,EAAE;oBAC5C,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;YAED,qEAAqE;YACrE,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,YAAY,GAAG,WAAW,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;gBAC7D,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;oBAC1B,cAAc,EAAE,CAAC;oBACjB,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE;wBACjD,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,eAAe;wBACf,MAAM,EAAE,YAAY,CAAC,MAAM;qBAC5B,CAAC,CAAC;oBACH,OAAO;wBACL,MAAM,EAAE,iBAAiB;wBACzB,MAAM,EAAE,oBAAoB,YAAY,CAAC,MAAM,EAAE;wBACjD,aAAa,EAAE,IAAI;qBACpB,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,kDAAkD;YAClD,IAAI,MAAM,CAAC,mBAAmB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACtD,QAAQ,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;oBACrD,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;iBACzB,CAAC,CAAC;gBACH,OAAO;oBACL,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,8CAA8C;oBACtD,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;YAED,qBAAqB;YACrB,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;gBACpC,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,KAAK;aACN,CAAC,CAAC;YACH,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,IAAI;gBACZ,aAAa,EAAE,KAAK;aACrB,CAAC;QACJ,CAAC;QAED,QAAQ;YACN,OAAO;gBACL,cAAc;gBACd,OAAO;gBACP,QAAQ;gBACR,WAAW;gBACX,cAAc;gBACd,QAAQ;aACT,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/utils/injection-protection.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Prompt injection protection utilities for inbound message processing.
+ *
+ * Provides layered defence for external message content before LLM exposure:
+ * 1. Unicode/control character sanitisation
+ * 2. Data boundary marking (spotlighting)
+ * 3. Suspicious pattern detection and logging
+ *
+ * Issue #1224
+ */
+/** Result of injection pattern detection */
+export interface InjectionDetectionResult {
+    /** Whether any injection patterns were detected */
+    detected: boolean;
+    /** Names of the patterns that matched */
+    patterns: string[];
+}
+/** Options for wrapping external messages */
+export interface WrapOptions {
+    /** Communication channel (sms, email) */
+    channel?: string;
+    /** Sender name or identifier */
+    sender?: string;
+}
+/** Options for context sanitisation */
+export interface ContextSanitizeOptions {
+    /** Message direction */
+    direction?: 'inbound' | 'outbound';
+    /** Communication channel */
+    channel?: string;
+    /** Sender name */
+    sender?: string;
+}
+/**
+ * Sanitize external message content by removing control characters
+ * and invisible Unicode characters that could be used for obfuscation.
+ *
+ * Preserves legitimate Unicode (emoji, CJK, Arabic, etc.) and whitespace
+ * characters (tab, newline, carriage return).
+ */
+export declare function sanitizeExternalMessage(text: string): string;
+/**
+ * Sanitize a metadata field (sender, channel) for safe insertion into
+ * the boundary wrapper header. Strips control chars, invisible Unicode,
+ * newlines (which could break out of the header line), and boundary markers.
+ */
+export declare function sanitizeMetadataField(field: string): string;
+/**
+ * Wrap external message content with data boundary markers.
+ *
+ * Uses the "spotlighting" / data marking pattern to clearly delineate
+ * untrusted external content from system instructions. This tells the LLM
+ * "this is external data, not instructions to follow."
+ *
+ * Content, sender, and channel are all sanitized and have boundary markers
+ * escaped before wrapping to prevent breakout attacks.
+ */
+export declare function wrapExternalMessage(content: string, options?: WrapOptions): string;
+/**
+ * Detect suspicious prompt injection patterns in message content.
+ *
+ * Returns detection results for logging/monitoring purposes.
+ * This function does NOT block or modify the message — it is purely
+ * for detection and alerting. Blocking legitimate messages based on
+ * pattern matching has too high a false positive rate.
+ *
+ * The content is sanitized (invisible chars removed) before scanning
+ * to prevent Unicode obfuscation from bypassing detection.
+ */
+export declare function detectInjectionPatterns(text: string): InjectionDetectionResult;
+/**
+ * Sanitize message content for safe inclusion in LLM context.
+ *
+ * For inbound (external) messages: sanitizes and wraps with boundary markers.
+ * For outbound messages: sanitizes only (no boundary wrapping needed).
+ *
+ * This is the primary function to call when preparing message content
+ * for any LLM-facing output (auto-recall context, tool results, etc.).
+ */
+export declare function sanitizeMessageForContext(content: string, options?: ContextSanitizeOptions): string;
+//# sourceMappingURL=injection-protection.d.ts.map

package/dist/utils/injection-protection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-protection.d.ts","sourceRoot":"","sources":["../../src/utils/injection-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAsFH,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,mDAAmD;IACnD,QAAQ,EAAE,OAAO,CAAC;IAClB,yCAAyC;IACzC,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,6CAA6C;AAC7C,MAAM,WAAW,WAAW;IAC1B,yCAAyC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gCAAgC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACrC,wBAAwB;IACxB,SAAS,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC;IACnC,4BAA4B;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kBAAkB;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAK5D;AAcD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAI3D;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,WAAgB,GAAG,MAAM,CAmBtF;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,wBAAwB,CAc9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,sBAA2B,GACnC,MAAM,CAQR"}

package/dist/utils/injection-protection.js

@@ -0,0 +1,179 @@
+/**
+ * Prompt injection protection utilities for inbound message processing.
+ *
+ * Provides layered defence for external message content before LLM exposure:
+ * 1. Unicode/control character sanitisation
+ * 2. Data boundary marking (spotlighting)
+ * 3. Suspicious pattern detection and logging
+ *
+ * Issue #1224
+ */
+/** Boundary markers for external message content */
+const EXTERNAL_MSG_START = '[EXTERNAL_MSG_START]';
+const EXTERNAL_MSG_END = '[EXTERNAL_MSG_END]';
+/**
+ * Regex matching control characters to strip (ASCII 0x00-0x08, 0x0B, 0x0C, 0x0E-0x1F, 0x7F).
+ * Preserves tab (0x09), newline (0x0A), and carriage return (0x0D).
+ */
+const CONTROL_CHARS_REGEX = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+/**
+ * Regex matching Unicode characters commonly used for text direction manipulation
+ * and zero-width obfuscation:
+ * - U+200B Zero-width space
+ * - U+200C Zero-width non-joiner
+ * - U+200D Zero-width joiner
+ * - U+200E Left-to-right mark
+ * - U+200F Right-to-left mark
+ * - U+202A Left-to-right embedding
+ * - U+202B Right-to-left embedding
+ * - U+202C Pop directional formatting
+ * - U+202D Left-to-right override
+ * - U+202E Right-to-left override
+ * - U+2066 Left-to-right isolate
+ * - U+2067 Right-to-left isolate
+ * - U+2068 First strong isolate
+ * - U+2069 Pop directional isolate
+ * - U+FEFF Byte order mark / zero-width no-break space
+ */
+const UNICODE_INVISIBLE_REGEX = /[\u200B-\u200F\u202A-\u202E\u2066-\u2069\uFEFF]/g;
+const INJECTION_PATTERNS = [
+    {
+        name: 'instruction_override',
+        regex: /\b(?:ignore|disregard|forget|override|bypass)\b.{0,30}\b(?:previous|prior|above|earlier|all|your|system|safety)\b.{0,30}\b(?:instructions?|rules?|guidelines?|prompts?|constraints?|directives?|and\b|do\b|instead\b)/i,
+    },
+    {
+        name: 'role_reassignment',
+        regex: /\b(?:you are now|act as|pretend (?:you are|to be)|roleplay as|behave as)\b.{0,50}\b(?:ai|assistant|bot|agent|unrestricted|dan|jailbreak|without.*?(?:restrictions?|limits?|safety|guidelines?))\b/i,
+    },
+    {
+        name: 'new_instructions',
+        regex: /\b(?:new instructions?|updated? instructions?|revised? instructions?|important (?:system )?update)\b\s*[:]/i,
+    },
+    {
+        name: 'system_prompt_override',
+        regex: /^(?:\s*[-=]{3,}\s*\n)?(?:SYSTEM|ADMIN|DEVELOPER|ROOT)\s*[:>]/im,
+    },
+    {
+        name: 'forget_everything',
+        regex: /\bforget (?:everything|all)\b.{0,30}\b(?:you (?:know|learned|were told)|and (?:start|begin))\b/i,
+    },
+    {
+        name: 'prompt_delimiter_exploit',
+        regex: /```\s*(?:system|admin|instructions?|prompt)\b/i,
+    },
+    {
+        name: 'tool_call_injection',
+        regex: /\b(?:call|use|invoke|execute|run)\b.{0,20}\b(?:the\s+)?(?:sms_send|email_send|memory_store|memory_forget|todo_create|contact_create|memory_recall)\b.{0,20}\btool\b/i,
+    },
+    {
+        name: 'data_exfiltration',
+        regex: /\b(?:send|forward|share|export|transmit|email|text)\b.{0,30}\b(?:all|every|the)\b.{0,20}\b(?:memories?|contacts?|data|information|messages?|threads?|projects?|todos?)\b.{0,30}\b(?:to|@)\b/i,
+    },
+    {
+        name: 'system_note_injection',
+        regex: /\[\s*(?:SYSTEM|ADMIN|INTERNAL)\s+(?:NOTE|MESSAGE|OVERRIDE|UPDATE)\s*[:]/i,
+    },
+    {
+        name: 'remember_for_later',
+        regex: /\bremember (?:this|that)\b.{0,30}\b(?:for later|when (?:someone|anyone|a user|the user))\b.{0,30}\b(?:send|forward|share|export)\b/i,
+    },
+];
+/**
+ * Sanitize external message content by removing control characters
+ * and invisible Unicode characters that could be used for obfuscation.
+ *
+ * Preserves legitimate Unicode (emoji, CJK, Arabic, etc.) and whitespace
+ * characters (tab, newline, carriage return).
+ */
+export function sanitizeExternalMessage(text) {
+    return text
+        .replace(CONTROL_CHARS_REGEX, '')
+        .replace(UNICODE_INVISIBLE_REGEX, '')
+        .trim();
+}
+/**
+ * Escape boundary marker keywords in a string to prevent breakout attacks.
+ * Replaces the keyword portion (EXTERNAL_MSG_START / EXTERNAL_MSG_END)
+ * regardless of surrounding brackets, since formatting code may supply
+ * brackets that complete a partial marker (e.g., channel `[...START` + `]`).
+ */
+function escapeBoundaryMarkers(text) {
+    return text
+        .replace(/EXTERNAL_MSG_START/g, 'EXTERNAL_MSG_START_ESCAPED')
+        .replace(/EXTERNAL_MSG_END/g, 'EXTERNAL_MSG_END_ESCAPED');
+}
+/**
+ * Sanitize a metadata field (sender, channel) for safe insertion into
+ * the boundary wrapper header. Strips control chars, invisible Unicode,
+ * newlines (which could break out of the header line), and boundary markers.
+ */
+export function sanitizeMetadataField(field) {
+    return escapeBoundaryMarkers(sanitizeExternalMessage(field).replace(/[\r\n]/g, ' '));
+}
+/**
+ * Wrap external message content with data boundary markers.
+ *
+ * Uses the "spotlighting" / data marking pattern to clearly delineate
+ * untrusted external content from system instructions. This tells the LLM
+ * "this is external data, not instructions to follow."
+ *
+ * Content, sender, and channel are all sanitized and have boundary markers
+ * escaped before wrapping to prevent breakout attacks.
+ */
+export function wrapExternalMessage(content, options = {}) {
+    const sanitized = sanitizeExternalMessage(content);
+    // Escape any existing boundary markers in the content to prevent breakout
+    const escaped = escapeBoundaryMarkers(sanitized);
+    const attribution = [];
+    if (options.channel) {
+        attribution.push(`[${sanitizeMetadataField(options.channel)}]`);
+    }
+    if (options.sender) {
+        attribution.push(`from: ${sanitizeMetadataField(options.sender)}`);
+    }
+    const header = attribution.length > 0
+        ? `${EXTERNAL_MSG_START} ${attribution.join(' ')}`
+        : EXTERNAL_MSG_START;
+    return `${header}\n${escaped}\n${EXTERNAL_MSG_END}`;
+}
+/**
+ * Detect suspicious prompt injection patterns in message content.
+ *
+ * Returns detection results for logging/monitoring purposes.
+ * This function does NOT block or modify the message — it is purely
+ * for detection and alerting. Blocking legitimate messages based on
+ * pattern matching has too high a false positive rate.
+ *
+ * The content is sanitized (invisible chars removed) before scanning
+ * to prevent Unicode obfuscation from bypassing detection.
+ */
+export function detectInjectionPatterns(text) {
+    const sanitized = sanitizeExternalMessage(text);
+    const matched = [];
+    for (const pattern of INJECTION_PATTERNS) {
+        if (pattern.regex.test(sanitized)) {
+            matched.push(pattern.name);
+        }
+    }
+    return {
+        detected: matched.length > 0,
+        patterns: matched,
+    };
+}
+/**
+ * Sanitize message content for safe inclusion in LLM context.
+ *
+ * For inbound (external) messages: sanitizes and wraps with boundary markers.
+ * For outbound messages: sanitizes only (no boundary wrapping needed).
+ *
+ * This is the primary function to call when preparing message content
+ * for any LLM-facing output (auto-recall context, tool results, etc.).
+ */
+export function sanitizeMessageForContext(content, options = {}) {
+    const { direction = 'inbound', channel, sender } = options;
+    if (direction === 'outbound') {
+        return sanitizeExternalMessage(content);
+    }
+    return wrapExternalMessage(content, { channel, sender });
+}
+//# sourceMappingURL=injection-protection.js.map

package/dist/utils/injection-protection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-protection.js","sourceRoot":"","sources":["../../src/utils/injection-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,oDAAoD;AACpD,MAAM,kBAAkB,GAAG,sBAAsB,CAAC;AAClD,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAE9C;;;GAGG;AACH,MAAM,mBAAmB,GAAG,mCAAmC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,uBAAuB,GAAG,kDAAkD,CAAC;AAYnF,MAAM,kBAAkB,GAAuB;IAC7C;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,wNAAwN;KAChO;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,oMAAoM;KAC5M;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,6GAA6G;KACrH;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,gEAAgE;KACxE;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,iGAAiG;KACzG;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,KAAK,EAAE,gDAAgD;KACxD;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EAAE,sKAAsK;KAC9K;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,8LAA8L;KACtM;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,KAAK,EAAE,0EAA0E;KAClF;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,qIAAqI;KAC7I;CACF,CAAC;AA4BF;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,OAAO,IAAI;SACR,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC;SAChC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;SACpC,IAAI,EAAE,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,IAAI;SACR,OAAO,CAAC,qBAAqB,EAAE,4BAA4B,CAAC;SAC5D,OAAO,CAAC,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,OAAO,qBAAqB,CAC1B,uBAAuB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CACvD,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,UAAuB,EAAE;IAC5E,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAEnD,0EAA0E;IAC1E,MAAM,OAAO,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAEjD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,WAAW,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,WAAW,CAAC,IAAI,CAAC,SAAS,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC;QACnC,CAAC,CAAC,GAAG,kBAAkB,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;QAClD,CAAC,CAAC,kBAAkB,CAAC;IAEvB,OAAO,GAAG,MAAM,KAAK,OAAO,KAAK,gBAAgB,EAAE,CAAC;AACtD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;QAC5B,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAe,EACf,UAAkC,EAAE;IAEpC,MAAM,EAAE,SAAS,GAAG,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAE3D,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QAC7B,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,mBAAmB,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;AAC3D,CAAC"}

package/dist/utils/nominatim.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Nominatim reverse geocoding client with LRU cache.
+ * Resolves lat/lng to human-readable address and place label.
+ */
+export interface GeocodedLocation {
+    address: string;
+    placeLabel: string;
+}
+/**
+ * Reverse geocode a lat/lng pair via Nominatim.
+ * Returns null on any failure (timeout, network error, bad response).
+ */
+export declare function reverseGeocode(lat: number, lng: number, nominatimUrl: string): Promise<GeocodedLocation | null>;
+/**
+ * Clears the geocode cache (for testing).
+ */
+export declare function clearGeocodeCache(): void;
+//# sourceMappingURL=nominatim.d.ts.map

package/dist/utils/nominatim.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nominatim.d.ts","sourceRoot":"","sources":["../../src/utils/nominatim.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAYD;;;GAGG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA2ClC;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}

package/dist/utils/nominatim.js

@@ -0,0 +1,56 @@
+/**
+ * Nominatim reverse geocoding client with LRU cache.
+ * Resolves lat/lng to human-readable address and place label.
+ */
+const geocodeCache = new Map();
+const MAX_CACHE_SIZE = 500;
+/**
+ * Rounds coordinates to ~100m precision for cache key deduplication.
+ */
+function cacheKey(lat, lng) {
+    return `${Math.round(lat * 1000) / 1000},${Math.round(lng * 1000) / 1000}`;
+}
+/**
+ * Reverse geocode a lat/lng pair via Nominatim.
+ * Returns null on any failure (timeout, network error, bad response).
+ */
+export async function reverseGeocode(lat, lng, nominatimUrl) {
+    const key = cacheKey(lat, lng);
+    if (geocodeCache.has(key))
+        return geocodeCache.get(key);
+    try {
+        const url = `${nominatimUrl}/reverse?format=jsonv2&lat=${lat}&lon=${lng}`;
+        const response = await fetch(url, {
+            headers: { 'User-Agent': 'openclaw-projects/1.0' },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!response.ok) {
+            console.warn(`[Nominatim] Reverse geocode failed: HTTP ${response.status} for (${lat}, ${lng})`);
+            return null;
+        }
+        const data = (await response.json());
+        const result = {
+            address: data.display_name ?? '',
+            placeLabel: data.name || data.address?.suburb || data.address?.city || '',
+        };
+        if (geocodeCache.size >= MAX_CACHE_SIZE) {
+            const oldest = geocodeCache.keys().next().value;
+            if (oldest !== undefined)
+                geocodeCache.delete(oldest);
+        }
+        geocodeCache.set(key, result);
+        return result;
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        console.warn(`[Nominatim] Reverse geocode error for (${lat}, ${lng}): ${msg}`);
+        return null;
+    }
+}
+/**
+ * Clears the geocode cache (for testing).
+ */
+export function clearGeocodeCache() {
+    geocodeCache.clear();
+}
+//# sourceMappingURL=nominatim.js.map

package/dist/utils/nominatim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nominatim.js","sourceRoot":"","sources":["../../src/utils/nominatim.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,MAAM,YAAY,GAAG,IAAI,GAAG,EAA4B,CAAC;AACzD,MAAM,cAAc,GAAG,GAAG,CAAC;AAE3B;;GAEG;AACH,SAAS,QAAQ,CAAC,GAAW,EAAE,GAAW;IACxC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;AAC7E,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,GAAW,EACX,YAAoB;IAEpB,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/B,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,YAAY,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,GAAG,YAAY,8BAA8B,GAAG,QAAQ,GAAG,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,OAAO,EAAE,EAAE,YAAY,EAAE,uBAAuB,EAAE;YAClD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,4CAA4C,QAAQ,CAAC,MAAM,SAAS,GAAG,KAAK,GAAG,GAAG,CAAC,CAAC;YACjG,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAUlC,CAAC;QAEF,MAAM,MAAM,GAAqB;YAC/B,OAAO,EAAE,IAAI,CAAC,YAAY,IAAI,EAAE;YAChC,UAAU,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE;SAC1E,CAAC;QAEF,IAAI,YAAY,CAAC,IAAI,IAAI,cAAc,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAChD,IAAI,MAAM,KAAK,SAAS;gBAAE,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACxD,CAAC;QACD,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC9B,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,0CAA0C,GAAG,KAAK,GAAG,MAAM,GAAG,EAAE,CAAC,CAAC;QAC/E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC"}

package/dist/utils/rate-limiter.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Sliding window rate limiter for inbound message processing.
+ *
+ * Provides per-sender and per-recipient rate limiting with
+ * contact-trust-level awareness. Uses in-memory sliding window
+ * with automatic cleanup of expired entries.
+ *
+ * NOTE: State is in-memory and does not persist across process restarts
+ * or span multiple instances. For multi-instance deployments, a
+ * skill_store-backed implementation would be needed to share rate
+ * limit state across processes.
+ *
+ * Part of Issue #1225 — rate limiting and spam protection.
+ */
+import { type MessageChannel } from './spam-filter.js';
+/** Trust levels for sender classification */
+export type SenderTrust = 'trusted' | 'known' | 'unknown' | 'blocked';
+/** Configuration for the rate limiter */
+export interface RateLimiterConfig {
+    /** Max messages per window for trusted senders (active thread, replied) */
+    trustedSenderLimit: number;
+    /** Max messages per window for known contacts */
+    knownSenderLimit: number;
+    /** Max messages per window for unknown senders */
+    unknownSenderLimit: number;
+    /** Global max messages per window for a single recipient */
+    recipientGlobalLimit: number;
+    /** Sliding window duration in milliseconds */
+    windowMs: number;
+    /**
+     * Maximum number of tracked sender entries before forced eviction.
+     * Prevents unbounded memory growth if traffic burst creates many keys
+     * and then stops (entries would persist until the next cleanup cycle).
+     * When exceeded, the oldest entries are evicted during the next check.
+     */
+    maxSenderEntries?: number;
+}
+/** Result of a rate limit check */
+export interface RateLimitResult {
+    /** Whether the message is allowed */
+    allowed: boolean;
+    /** Human-readable reason if denied, null if allowed */
+    reason: string | null;
+    /** Messages remaining in current window */
+    remaining: number;
+    /** The limit that applies to this sender */
+    limit: number;
+    /** Milliseconds until the earliest entry expires (for retry-after) */
+    retryAfterMs: number | null;
+}
+/** Statistics about the rate limiter state */
+export interface RateLimiterStats {
+    /** Number of currently tracked senders */
+    activeSenders: number;
+    /** Number of currently tracked recipients */
+    activeRecipients: number;
+}
+/** Rate limiter instance */
+export interface RateLimiter {
+    /**
+     * Check if a message is allowed and record it if so.
+     * Sender and recipient are normalized for consistent matching
+     * (phone number formatting, email alias stripping).
+     */
+    check(sender: string, recipient: string, trust: SenderTrust, channel?: MessageChannel): RateLimitResult;
+    /** Get current stats about the limiter */
+    getStats(): RateLimiterStats;
+}
+/** Default rate limiter configuration */
+export declare const DEFAULT_RATE_LIMITER_CONFIG: RateLimiterConfig;
+/**
+ * Create a rate limiter instance.
+ *
+ * Uses a sliding window approach: each message records a timestamp,
+ * and only timestamps within the current window are counted.
+ *
+ * @param config - Rate limiter configuration (uses defaults if omitted)
+ * @returns RateLimiter instance
+ */
+export declare function createRateLimiter(config?: RateLimiterConfig): RateLimiter;
+//# sourceMappingURL=rate-limiter.d.ts.map