@troykelly/openclaw-projects 0.0.12 → 0.0.13

package/dist/utils/injection-protection.js

@@ -3,14 +3,36 @@
  *
  * Provides layered defence for external message content before LLM exposure:
  * 1. Unicode/control character sanitisation
- * 2. Data boundary marking (spotlighting)
+ * 2. Data boundary marking (spotlighting) with per-session nonce
  * 3. Suspicious pattern detection and logging
+ * 4. PromptGuard-2 classifier integration (optional, async)
  *
- * Issue #1224
+ * Issue #1224, #1255, #1256
  */
-/** Boundary markers for external message content */
-const EXTERNAL_MSG_START = '[EXTERNAL_MSG_START]';
-const EXTERNAL_MSG_END = '[EXTERNAL_MSG_END]';
+import { randomBytes } from 'node:crypto';
+import { classifyText } from './prompt-guard-client.js';
+/** Regex to validate nonce format: 1-32 lowercase hex characters */
+const VALID_NONCE_RE = /^[0-9a-f]{1,32}$/;
+/**
+ * Create boundary markers with a per-session cryptographic nonce.
+ *
+ * If no nonce is provided, one is generated from 4 random bytes (8 hex chars).
+ * Callers should create markers once per session/hook invocation and reuse
+ * them for all messages in that session, rather than generating per-message.
+ *
+ * @throws {Error} If a provided nonce contains non-hex characters.
+ */
+export function createBoundaryMarkers(nonce) {
+    const n = nonce ?? randomBytes(4).toString('hex');
+    if (!VALID_NONCE_RE.test(n)) {
+        throw new Error('Boundary marker nonce must be 1-32 lowercase hex characters');
+    }
+    return {
+        start: `[EXTERNAL_MSG_${n}_START]`,
+        end: `[EXTERNAL_MSG_${n}_END]`,
+        nonce: n,
+    };
+}
 /**
  * Regex matching control characters to strip (ASCII 0x00-0x08, 0x0B, 0x0C, 0x0E-0x1F, 0x7F).
  * Preserves tab (0x09), newline (0x0A), and carriage return (0x0D).
@@ -86,29 +108,35 @@ const INJECTION_PATTERNS = [
  * characters (tab, newline, carriage return).
  */
 export function sanitizeExternalMessage(text) {
-    return text
-        .replace(CONTROL_CHARS_REGEX, '')
-        .replace(UNICODE_INVISIBLE_REGEX, '')
-        .trim();
+    return text.replace(CONTROL_CHARS_REGEX, '').replace(UNICODE_INVISIBLE_REGEX, '').trim();
 }
 /**
  * Escape boundary marker keywords in a string to prevent breakout attacks.
- * Replaces the keyword portion (EXTERNAL_MSG_START / EXTERNAL_MSG_END)
- * regardless of surrounding brackets, since formatting code may supply
- * brackets that complete a partial marker (e.g., channel `[...START` + `]`).
+ *
+ * When a nonce is provided, escapes markers containing that specific nonce.
+ * Also escapes the generic `EXTERNAL_MSG_START` / `EXTERNAL_MSG_END` keywords
+ * (without nonce) so that attackers cannot inject markers from the public source.
  */
-function escapeBoundaryMarkers(text) {
-    return text
-        .replace(/EXTERNAL_MSG_START/g, 'EXTERNAL_MSG_START_ESCAPED')
-        .replace(/EXTERNAL_MSG_END/g, 'EXTERNAL_MSG_END_ESCAPED');
+function escapeBoundaryMarkers(text, nonce) {
+    let result = text;
+    if (nonce) {
+        // Escape nonce-specific markers first (more specific match)
+        result = result
+            .replace(new RegExp(`EXTERNAL_MSG_${nonce}_START`, 'g'), `EXTERNAL_MSG_${nonce}_START_ESCAPED`)
+            .replace(new RegExp(`EXTERNAL_MSG_${nonce}_END`, 'g'), `EXTERNAL_MSG_${nonce}_END_ESCAPED`);
+    }
+    // Always escape the generic (non-nonce) marker keywords to prevent
+    // attackers from using the old hardcoded pattern
+    result = result.replace(/EXTERNAL_MSG_START/g, 'EXTERNAL_MSG_START_ESCAPED').replace(/EXTERNAL_MSG_END/g, 'EXTERNAL_MSG_END_ESCAPED');
+    return result;
 }
 /**
  * Sanitize a metadata field (sender, channel) for safe insertion into
  * the boundary wrapper header. Strips control chars, invisible Unicode,
  * newlines (which could break out of the header line), and boundary markers.
  */
-export function sanitizeMetadataField(field) {
-    return escapeBoundaryMarkers(sanitizeExternalMessage(field).replace(/[\r\n]/g, ' '));
+export function sanitizeMetadataField(field, nonce) {
+    return escapeBoundaryMarkers(sanitizeExternalMessage(field).replace(/[\r\n]/g, ' '), nonce);
 }
 /**
  * Wrap external message content with data boundary markers.
@@ -119,22 +147,24 @@ export function sanitizeMetadataField(field) {
  *
  * Content, sender, and channel are all sanitized and have boundary markers
  * escaped before wrapping to prevent breakout attacks.
+ *
+ * When `options.nonce` is provided, markers use that nonce. Otherwise a
+ * fresh cryptographic nonce is generated per call.
  */
 export function wrapExternalMessage(content, options = {}) {
+    const markers = createBoundaryMarkers(options.nonce);
     const sanitized = sanitizeExternalMessage(content);
     // Escape any existing boundary markers in the content to prevent breakout
-    const escaped = escapeBoundaryMarkers(sanitized);
+    const escaped = escapeBoundaryMarkers(sanitized, markers.nonce);
     const attribution = [];
     if (options.channel) {
-        attribution.push(`[${sanitizeMetadataField(options.channel)}]`);
+        attribution.push(`[${sanitizeMetadataField(options.channel, markers.nonce)}]`);
     }
     if (options.sender) {
-        attribution.push(`from: ${sanitizeMetadataField(options.sender)}`);
+        attribution.push(`from: ${sanitizeMetadataField(options.sender, markers.nonce)}`);
     }
-    const header = attribution.length > 0
-        ? `${EXTERNAL_MSG_START} ${attribution.join(' ')}`
-        : EXTERNAL_MSG_START;
-    return `${header}\n${escaped}\n${EXTERNAL_MSG_END}`;
+    const header = attribution.length > 0 ? `${markers.start} ${attribution.join(' ')}` : markers.start;
+    return `${header}\n${escaped}\n${markers.end}`;
 }
 /**
  * Detect suspicious prompt injection patterns in message content.
@@ -160,6 +190,49 @@ export function detectInjectionPatterns(text) {
         patterns: matched,
     };
 }
+/**
+ * Detect suspicious prompt injection patterns using both regex and
+ * (optionally) the PromptGuard-2 classifier.
+ *
+ * When `promptGuardUrl` is configured, the classifier is called in parallel
+ * with regex scanning. If the classifier is unavailable or times out,
+ * the function gracefully falls back to regex-only results.
+ *
+ * Detection remains monitoring-only (no blocking).
+ *
+ * Issue #1256
+ */
+export async function detectInjectionPatternsAsync(text, options = {}) {
+    // Always run regex detection (fast, synchronous)
+    const regexResult = detectInjectionPatterns(text);
+    // If no classifier URL configured, return regex-only result
+    if (!options.promptGuardUrl) {
+        return { ...regexResult, source: 'regex' };
+    }
+    // Call classifier in parallel (with timeout)
+    const classifierResult = await classifyText(options.promptGuardUrl, text, options.classifierTimeoutMs ?? 500);
+    // Classifier unavailable — fall back to regex
+    if (!classifierResult) {
+        return { ...regexResult, source: 'regex' };
+    }
+    // Merge results: detected if either regex or classifier flags it
+    const classifierDetected = classifierResult.injection || classifierResult.jailbreak;
+    const patterns = [...regexResult.patterns];
+    if (classifierResult.injection) {
+        patterns.push('classifier:injection');
+    }
+    if (classifierResult.jailbreak) {
+        patterns.push('classifier:jailbreak');
+    }
+    const detected = regexResult.detected || classifierDetected;
+    const source = regexResult.detected && classifierDetected ? 'both' : classifierDetected ? 'classifier' : 'regex';
+    return {
+        detected,
+        patterns,
+        classifier: classifierResult,
+        source,
+    };
+}
 /**
  * Sanitize message content for safe inclusion in LLM context.
  *
@@ -170,10 +243,10 @@ export function detectInjectionPatterns(text) {
  * for any LLM-facing output (auto-recall context, tool results, etc.).
  */
 export function sanitizeMessageForContext(content, options = {}) {
-    const { direction = 'inbound', channel, sender } = options;
+    const { direction = 'inbound', channel, sender, nonce } = options;
     if (direction === 'outbound') {
         return sanitizeExternalMessage(content);
     }
-    return wrapExternalMessage(content, { channel, sender });
+    return wrapExternalMessage(content, { channel, sender, nonce });
 }
 //# sourceMappingURL=injection-protection.js.map

package/dist/utils/injection-protection.js.map

@@ -1 +1 @@
-{"version":3,"file":"injection-protection.js","sourceRoot":"","sources":["../../src/utils/injection-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,oDAAoD;AACpD,MAAM,kBAAkB,GAAG,sBAAsB,CAAC;AAClD,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAE9C;;;GAGG;AACH,MAAM,mBAAmB,GAAG,mCAAmC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,uBAAuB,GAAG,kDAAkD,CAAC;AAYnF,MAAM,kBAAkB,GAAuB;IAC7C;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,wNAAwN;KAChO;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,oMAAoM;KAC5M;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,6GAA6G;KACrH;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,gEAAgE;KACxE;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,iGAAiG;KACzG;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,KAAK,EAAE,gDAAgD;KACxD;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EAAE,sKAAsK;KAC9K;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,8LAA8L;KACtM;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,KAAK,EAAE,0EAA0E;KAClF;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,qIAAqI;KAC7I;CACF,CAAC;AA4BF;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,OAAO,IAAI;SACR,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC;SAChC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;SACpC,IAAI,EAAE,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,IAAI;SACR,OAAO,CAAC,qBAAqB,EAAE,4BAA4B,CAAC;SAC5D,OAAO,CAAC,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,OAAO,qBAAqB,CAC1B,uBAAuB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CACvD,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,UAAuB,EAAE;IAC5E,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAEnD,0EAA0E;IAC1E,MAAM,OAAO,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;IAEjD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,WAAW,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,WAAW,CAAC,IAAI,CAAC,SAAS,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC;QACnC,CAAC,CAAC,GAAG,kBAAkB,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;QAClD,CAAC,CAAC,kBAAkB,CAAC;IAEvB,OAAO,GAAG,MAAM,KAAK,OAAO,KAAK,gBAAgB,EAAE,CAAC;AACtD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;QAC5B,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAe,EACf,UAAkC,EAAE;IAEpC,MAAM,EAAE,SAAS,GAAG,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAE3D,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QAC7B,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,mBAAmB,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;AAC3D,CAAC"}
+{"version":3,"file":"injection-protection.js","sourceRoot":"","sources":["../../src/utils/injection-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,YAAY,EAA0B,MAAM,0BAA0B,CAAC;AAYhF,oEAAoE;AACpE,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAE1C;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc;IAClD,MAAM,CAAC,GAAG,KAAK,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IACD,OAAO;QACL,KAAK,EAAE,iBAAiB,CAAC,SAAS;QAClC,GAAG,EAAE,iBAAiB,CAAC,OAAO;QAC9B,KAAK,EAAE,CAAC;KACT,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,mBAAmB,GAAG,mCAAmC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,uBAAuB,GAAG,kDAAkD,CAAC;AAYnF,MAAM,kBAAkB,GAAuB;IAC7C;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EACH,wNAAwN;KAC3N;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EACH,oMAAoM;KACvM;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,6GAA6G;KACrH;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,gEAAgE;KACxE;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,iGAAiG;KACzG;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,KAAK,EAAE,gDAAgD;KACxD;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EACH,sKAAsK;KACzK;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EACH,8LAA8L;KACjM;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,KAAK,EAAE,0EAA0E;KAClF;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,qIAAqI;KAC7I;CACF,CAAC;AAoCF;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,OAAO,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AAC3F,CAAC;AAED;;;;;;GAMG;AACH,SAAS,qBAAqB,CAAC,IAAY,EAAE,KAAc;IACzD,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,KAAK,EAAE,CAAC;QACV,4DAA4D;QAC5D,MAAM,GAAG,MAAM;aACZ,OAAO,CAAC,IAAI,MAAM,CAAC,gBAAgB,KAAK,QAAQ,EAAE,GAAG,CAAC,EAAE,gBAAgB,KAAK,gBAAgB,CAAC;aAC9F,OAAO,CAAC,IAAI,MAAM,CAAC,gBAAgB,KAAK,MAAM,EAAE,GAAG,CAAC,EAAE,gBAAgB,KAAK,cAAc,CAAC,CAAC;IAChG,CAAC;IACD,mEAAmE;IACnE,iDAAiD;IACjD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,qBAAqB,EAAE,4BAA4B,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,0BAA0B,CAAC,CAAC;IACtI,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAa,EAAE,KAAc;IACjE,OAAO,qBAAqB,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC;AAC9F,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,UAAuB,EAAE;IAC5E,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAErD,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAEnD,0EAA0E;IAC1E,MAAM,OAAO,GAAG,qBAAqB,CAAC,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAEhE,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,WAAW,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,WAAW,CAAC,IAAI,CAAC,SAAS,qBAAqB,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAEpG,OAAO,GAAG,MAAM,KAAK,OAAO,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;AACjD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;QAC5B,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAUD;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,IAAY,EAAE,UAAiC,EAAE;IAClG,iDAAiD;IACjD,MAAM,WAAW,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAElD,4DAA4D;IAC5D,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7C,CAAC;IAED,6CAA6C;IAC7C,MAAM,gBAAgB,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,cAAc,EAAE,IAAI,EAAE,OAAO,CAAC,mBAAmB,IAAI,GAAG,CAAC,CAAC;IAE9G,8CAA8C;IAC9C,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7C,CAAC;IAED,iEAAiE;IACjE,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,SAAS,IAAI,gBAAgB,CAAC,SAAS,CAAC;IACpF,MAAM,QAAQ,GAAG,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IAE3C,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,kBAAkB,CAAC;IAC5D,MAAM,MAAM,GAAuC,WAAW,CAAC,QAAQ,IAAI,kBAAkB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC;IAErJ,OAAO;QACL,QAAQ;QACR,QAAQ;QACR,UAAU,EAAE,gBAAgB;QAC5B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAAe,EAAE,UAAkC,EAAE;IAC7F,MAAM,EAAE,SAAS,GAAG,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAElE,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QAC7B,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,mBAAmB,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AAClE,CAAC"}

package/dist/utils/prompt-guard-client.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Client for the PromptGuard-2 classifier service.
+ *
+ * Provides async HTTP-based classification of text for prompt injection
+ * and jailbreak detection using Meta's PromptGuard-2 model.
+ *
+ * Falls back gracefully when the service is unavailable.
+ *
+ * Issue #1256
+ */
+/** Classification result from the PromptGuard service */
+export interface PromptGuardResult {
+    /** Whether injection was detected */
+    injection: boolean;
+    /** Whether jailbreak was detected */
+    jailbreak: boolean;
+    /** Top label: BENIGN, INJECTION, or JAILBREAK */
+    label: string;
+    /** Confidence scores per class */
+    scores: {
+        benign: number;
+        injection: number;
+        jailbreak: number;
+    };
+}
+/** Health check response from the PromptGuard service */
+export interface PromptGuardHealth {
+    ok: boolean;
+    model: string;
+    ready: boolean;
+}
+/**
+ * Classify a single text for prompt injection / jailbreak.
+ *
+ * Returns `null` if the service is unavailable, not ready, or times out.
+ * Callers should fall back to regex detection when this returns null.
+ *
+ * @param baseUrl - The PromptGuard service base URL (e.g. http://localhost:8190)
+ * @param text - The text to classify
+ * @param timeoutMs - Request timeout in milliseconds (default 500ms)
+ */
+export declare function classifyText(baseUrl: string, text: string, timeoutMs?: number): Promise<PromptGuardResult | null>;
+/**
+ * Classify multiple texts in a single batch request.
+ *
+ * Returns `null` if the service is unavailable, not ready, or times out.
+ *
+ * @param baseUrl - The PromptGuard service base URL
+ * @param texts - Array of texts to classify
+ * @param timeoutMs - Request timeout in milliseconds (default 500ms)
+ */
+export declare function classifyBatch(baseUrl: string, texts: string[], timeoutMs?: number): Promise<PromptGuardResult[] | null>;
+/**
+ * Check the health of the PromptGuard service.
+ *
+ * Returns `null` if the service is unreachable.
+ */
+export declare function checkHealth(baseUrl: string, timeoutMs?: number): Promise<PromptGuardHealth | null>;
+//# sourceMappingURL=prompt-guard-client.d.ts.map

package/dist/utils/prompt-guard-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-guard-client.d.ts","sourceRoot":"","sources":["../../src/utils/prompt-guard-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,yDAAyD;AACzD,MAAM,WAAW,iBAAiB;IAChC,qCAAqC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,qCAAqC;IACrC,SAAS,EAAE,OAAO,CAAC;IACnB,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,kCAAkC;IAClC,MAAM,EAAE;QACN,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED,yDAAyD;AACzD,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,OAAO,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;CAChB;AAKD;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,GAAE,MAA2B,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAuB3I;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,GAAE,MAA2B,GAAG,OAAO,CAAC,iBAAiB,EAAE,GAAG,IAAI,CAAC,CAyBjJ;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,GAAE,MAA2B,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAoB5H"}

package/dist/utils/prompt-guard-client.js

@@ -0,0 +1,99 @@
+/**
+ * Client for the PromptGuard-2 classifier service.
+ *
+ * Provides async HTTP-based classification of text for prompt injection
+ * and jailbreak detection using Meta's PromptGuard-2 model.
+ *
+ * Falls back gracefully when the service is unavailable.
+ *
+ * Issue #1256
+ */
+/** Default timeout for classifier requests (500ms) */
+const DEFAULT_TIMEOUT_MS = 500;
+/**
+ * Classify a single text for prompt injection / jailbreak.
+ *
+ * Returns `null` if the service is unavailable, not ready, or times out.
+ * Callers should fall back to regex detection when this returns null.
+ *
+ * @param baseUrl - The PromptGuard service base URL (e.g. http://localhost:8190)
+ * @param text - The text to classify
+ * @param timeoutMs - Request timeout in milliseconds (default 500ms)
+ */
+export async function classifyText(baseUrl, text, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        const response = await fetch(`${baseUrl}/classify`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ text }),
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+        if (!response.ok) {
+            return null;
+        }
+        return (await response.json());
+    }
+    catch {
+        // Network error, timeout, or abort — graceful degradation
+        return null;
+    }
+}
+/**
+ * Classify multiple texts in a single batch request.
+ *
+ * Returns `null` if the service is unavailable, not ready, or times out.
+ *
+ * @param baseUrl - The PromptGuard service base URL
+ * @param texts - Array of texts to classify
+ * @param timeoutMs - Request timeout in milliseconds (default 500ms)
+ */
+export async function classifyBatch(baseUrl, texts, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    if (texts.length === 0)
+        return [];
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        const response = await fetch(`${baseUrl}/classify/batch`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ texts }),
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+        if (!response.ok) {
+            return null;
+        }
+        return (await response.json());
+    }
+    catch {
+        // Network error, timeout, or abort — graceful degradation
+        return null;
+    }
+}
+/**
+ * Check the health of the PromptGuard service.
+ *
+ * Returns `null` if the service is unreachable.
+ */
+export async function checkHealth(baseUrl, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        const response = await fetch(`${baseUrl}/health`, {
+            method: 'GET',
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+        if (!response.ok) {
+            return null;
+        }
+        return (await response.json());
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=prompt-guard-client.js.map

package/dist/utils/prompt-guard-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-guard-client.js","sourceRoot":"","sources":["../../src/utils/prompt-guard-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAyBH,sDAAsD;AACtD,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAE/B;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAe,EAAE,IAAY,EAAE,YAAoB,kBAAkB;IACtG,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,WAAW,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;YAC9B,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,YAAY,CAAC,KAAK,CAAC,CAAC;QAEpB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAe,EAAE,KAAe,EAAE,YAAoB,kBAAkB;IAC1G,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,iBAAiB,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;YAC/B,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,YAAY,CAAC,KAAK,CAAC,CAAC;QAEpB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAe,EAAE,YAAoB,kBAAkB;IACvF,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,SAAS,EAAE;YAChD,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,YAAY,CAAC,KAAK,CAAC,CAAC;QAEpB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/openclaw.plugin.json

@@ -1,6 +1,6 @@
 {
   "id": "openclaw-projects",
-  "version": "0.0.12",
+  "version": "0.0.13",
   "name": "OpenClaw Projects Plugin",
   "description": "Memory provider with projects, todos, and contacts integration",
   "kind": "memory",
@@ -145,6 +145,16 @@
         "type": "string",
         "pattern": "^https?://",
         "description": "Base URL for web app (used for generating note/notebook URLs)"
+      },
+      "nominatimUrl": {
+        "type": "string",
+        "pattern": "^https?://",
+        "description": "Nominatim reverse geocoding URL (e.g., http://nominatim:8080)"
+      },
+      "promptGuardUrl": {
+        "type": "string",
+        "pattern": "^https?://",
+        "description": "PromptGuard-2 classifier URL for multilingual injection detection (e.g., http://prompt-guard:8190)"
       }
     },
     "additionalProperties": false,
@@ -288,6 +298,18 @@
       "placeholder": "https://app.example.com",
       "help": "Base URL for the web app (used for generating links)",
       "group": "Advanced"
+    },
+    "nominatimUrl": {
+      "label": "Nominatim URL",
+      "placeholder": "http://nominatim:8080",
+      "help": "URL for self-hosted Nominatim reverse geocoding service (enables geo-contextual search)",
+      "group": "Advanced"
+    },
+    "promptGuardUrl": {
+      "label": "PromptGuard URL",
+      "placeholder": "http://prompt-guard:8190",
+      "help": "URL for PromptGuard-2 classifier service (enables multilingual prompt injection detection)",
+      "group": "Advanced"
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@troykelly/openclaw-projects",
-  "version": "0.0.12",
+  "version": "0.0.13",
   "description": "OpenClaw memory plugin with projects, todos, and contacts integration",
   "type": "module",
   "main": "dist/index.js",
@@ -20,6 +20,16 @@
     "openclaw.plugin.json",
     "skills"
   ],
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "lint": "biome lint .",
+    "prepublishOnly": "pnpm run clean && pnpm run build && pnpm run test && pnpm run typecheck && pnpm run lint"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/troykelly/openclaw-projects.git",
@@ -64,14 +74,5 @@
     "extensions": [
       "dist/register-openclaw.js"
     ]
-  },
-  "scripts": {
-    "build": "tsc",
-    "clean": "rm -rf dist",
-    "test": "vitest run",
-    "test:coverage": "vitest run --coverage",
-    "test:watch": "vitest",
-    "typecheck": "tsc --noEmit",
-    "lint": "biome lint ."
   }
-}
+}

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 Troy Kelly
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.