npm - @vorionsys/atsf-core - Versions diffs - 0.2.2 → 0.2.3 - Mend

@vorionsys/atsf-core 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

package/CHANGELOG.md +3 -3
package/README.md +77 -11
package/dist/api/index.d.ts +1 -1
package/dist/api/index.js +1 -1
package/dist/api/server.d.ts +5 -2
package/dist/api/server.d.ts.map +1 -1
package/dist/api/server.js +186 -149
package/dist/api/server.js.map +1 -1
package/dist/arbitration/index.d.ts +4 -4
package/dist/arbitration/index.d.ts.map +1 -1
package/dist/arbitration/index.js +46 -41
package/dist/arbitration/index.js.map +1 -1
package/dist/arbitration/types.d.ts +10 -10
package/dist/arbitration/types.d.ts.map +1 -1
package/dist/basis/evaluator.d.ts +1 -1
package/dist/basis/evaluator.d.ts.map +1 -1
package/dist/basis/evaluator.js +56 -54
package/dist/basis/evaluator.js.map +1 -1
package/dist/basis/index.d.ts +3 -3
package/dist/basis/index.js +3 -3
package/dist/basis/parser.d.ts +16 -16
package/dist/basis/parser.d.ts.map +1 -1
package/dist/basis/parser.js +32 -25
package/dist/basis/parser.js.map +1 -1
package/dist/basis/types.d.ts +2 -2
package/dist/chain/index.d.ts.map +1 -1
package/dist/chain/index.js +16 -16
package/dist/chain/index.js.map +1 -1
package/dist/cognigate/index.d.ts +1 -1
package/dist/cognigate/index.d.ts.map +1 -1
package/dist/cognigate/index.js +44 -33
package/dist/cognigate/index.js.map +1 -1
package/dist/common/adapters.d.ts +18 -11
package/dist/common/adapters.d.ts.map +1 -1
package/dist/common/adapters.js +100 -79
package/dist/common/adapters.js.map +1 -1
package/dist/common/config.d.ts +67 -67
package/dist/common/config.js +49 -49
package/dist/common/config.js.map +1 -1
package/dist/common/index.d.ts +4 -4
package/dist/common/index.js +4 -4
package/dist/common/logger.d.ts +1 -1
package/dist/common/logger.js +8 -8
package/dist/common/types.d.ts +8 -8
package/dist/common/types.js +5 -5
package/dist/containment/index.d.ts +3 -3
package/dist/containment/index.d.ts.map +1 -1
package/dist/containment/index.js +119 -105
package/dist/containment/index.js.map +1 -1
package/dist/containment/types.d.ts +11 -11
package/dist/containment/types.d.ts.map +1 -1
package/dist/contracts/index.d.ts +9 -9
package/dist/contracts/index.d.ts.map +1 -1
package/dist/contracts/index.js +59 -54
package/dist/contracts/index.js.map +1 -1
package/dist/contracts/types.d.ts +12 -12
package/dist/contracts/types.d.ts.map +1 -1
package/dist/crewai/callback.d.ts +91 -0
package/dist/crewai/callback.d.ts.map +1 -0
package/dist/crewai/callback.js +271 -0
package/dist/crewai/callback.js.map +1 -0
package/dist/crewai/executor.d.ts +135 -0
package/dist/crewai/executor.d.ts.map +1 -0
package/dist/crewai/executor.js +381 -0
package/dist/crewai/executor.js.map +1 -0
package/dist/crewai/index.d.ts +12 -0
package/dist/crewai/index.d.ts.map +1 -0
package/dist/crewai/index.js +12 -0
package/dist/crewai/index.js.map +1 -0
package/dist/crewai/tools.d.ts +21 -0
package/dist/crewai/tools.d.ts.map +1 -0
package/dist/crewai/tools.js +164 -0
package/dist/crewai/tools.js.map +1 -0
package/dist/crewai/types.d.ts +139 -0
package/dist/crewai/types.d.ts.map +1 -0
package/dist/crewai/types.js +9 -0
package/dist/crewai/types.js.map +1 -0
package/dist/enforce/index.d.ts +48 -222
package/dist/enforce/index.d.ts.map +1 -1
package/dist/enforce/index.js +144 -47
package/dist/enforce/index.js.map +1 -1
package/dist/enforce/trust-aware-enforcement-service.d.ts +121 -0
package/dist/enforce/trust-aware-enforcement-service.d.ts.map +1 -0
package/dist/enforce/trust-aware-enforcement-service.js +601 -0
package/dist/enforce/trust-aware-enforcement-service.js.map +1 -0
package/dist/enforce/types.d.ts +234 -0
package/dist/enforce/types.d.ts.map +1 -0
package/dist/enforce/types.js +10 -0
package/dist/enforce/types.js.map +1 -0
package/dist/governance/fluid-workflow.d.ts +8 -8
package/dist/governance/fluid-workflow.d.ts.map +1 -1
package/dist/governance/fluid-workflow.js +114 -86
package/dist/governance/fluid-workflow.js.map +1 -1
package/dist/governance/index.d.ts +7 -7
package/dist/governance/index.d.ts.map +1 -1
package/dist/governance/index.js +81 -74
package/dist/governance/index.js.map +1 -1
package/dist/governance/proof-bridge.d.ts +6 -6
package/dist/governance/proof-bridge.d.ts.map +1 -1
package/dist/governance/proof-bridge.js +5 -5
package/dist/governance/proof-bridge.js.map +1 -1
package/dist/governance/types.d.ts +16 -9
package/dist/governance/types.d.ts.map +1 -1
package/dist/governance/types.js.map +1 -1
package/dist/index.d.ts +29 -25
package/dist/index.d.ts.map +1 -1
package/dist/index.js +33 -23
package/dist/index.js.map +1 -1
package/dist/intent/index.d.ts +21 -56
package/dist/intent/index.d.ts.map +1 -1
package/dist/intent/index.js +58 -24
package/dist/intent/index.js.map +1 -1
package/dist/intent/persistent-intent-service.d.ts +68 -0
package/dist/intent/persistent-intent-service.d.ts.map +1 -0
package/dist/intent/persistent-intent-service.js +277 -0
package/dist/intent/persistent-intent-service.js.map +1 -0
package/dist/intent/types.d.ts +69 -0
package/dist/intent/types.d.ts.map +1 -0
package/dist/intent/types.js +10 -0
package/dist/intent/types.js.map +1 -0
package/dist/intent-gateway/index.d.ts +522 -0
package/dist/intent-gateway/index.d.ts.map +1 -0
package/dist/intent-gateway/index.js +1499 -0
package/dist/intent-gateway/index.js.map +1 -0
package/dist/langchain/callback.d.ts +2 -2
package/dist/langchain/callback.d.ts.map +1 -1
package/dist/langchain/callback.js +30 -30
package/dist/langchain/callback.js.map +1 -1
package/dist/langchain/executor.d.ts +4 -4
package/dist/langchain/executor.d.ts.map +1 -1
package/dist/langchain/executor.js +82 -80
package/dist/langchain/executor.js.map +1 -1
package/dist/langchain/index.d.ts +5 -5
package/dist/langchain/index.js +5 -5
package/dist/langchain/tools.d.ts +1 -1
package/dist/langchain/tools.d.ts.map +1 -1
package/dist/langchain/tools.js +33 -33
package/dist/langchain/tools.js.map +1 -1
package/dist/langchain/types.d.ts +3 -3
package/dist/langchain/types.d.ts.map +1 -1
package/dist/layers/implementations/L0-request-format.d.ts +37 -0
package/dist/layers/implementations/L0-request-format.d.ts.map +1 -0
package/dist/layers/implementations/L0-request-format.js +218 -0
package/dist/layers/implementations/L0-request-format.js.map +1 -0
package/dist/layers/implementations/L1-input-size.d.ts +36 -0
package/dist/layers/implementations/L1-input-size.d.ts.map +1 -0
package/dist/layers/implementations/L1-input-size.js +160 -0
package/dist/layers/implementations/L1-input-size.js.map +1 -0
package/dist/layers/implementations/L2-charset-sanitizer.d.ts +28 -0
package/dist/layers/implementations/L2-charset-sanitizer.d.ts.map +1 -0
package/dist/layers/implementations/L2-charset-sanitizer.js +230 -0
package/dist/layers/implementations/L2-charset-sanitizer.js.map +1 -0
package/dist/layers/implementations/L3-schema-conformance.d.ts +47 -0
package/dist/layers/implementations/L3-schema-conformance.d.ts.map +1 -0
package/dist/layers/implementations/L3-schema-conformance.js +267 -0
package/dist/layers/implementations/L3-schema-conformance.js.map +1 -0
package/dist/layers/implementations/L4-injection-detector.d.ts +47 -0
package/dist/layers/implementations/L4-injection-detector.d.ts.map +1 -0
package/dist/layers/implementations/L4-injection-detector.js +260 -0
package/dist/layers/implementations/L4-injection-detector.js.map +1 -0
package/dist/layers/implementations/L5-rate-limiter.d.ts +51 -0
package/dist/layers/implementations/L5-rate-limiter.d.ts.map +1 -0
package/dist/layers/implementations/L5-rate-limiter.js +183 -0
package/dist/layers/implementations/L5-rate-limiter.js.map +1 -0
package/dist/layers/implementations/index.d.ts +16 -0
package/dist/layers/implementations/index.d.ts.map +1 -0
package/dist/layers/implementations/index.js +16 -0
package/dist/layers/implementations/index.js.map +1 -0
package/dist/layers/index.d.ts +3 -3
package/dist/layers/index.d.ts.map +1 -1
package/dist/layers/index.js +99 -71
package/dist/layers/index.js.map +1 -1
package/dist/layers/types.d.ts +16 -16
package/dist/layers/types.d.ts.map +1 -1
package/dist/persistence/file.d.ts +3 -3
package/dist/persistence/file.d.ts.map +1 -1
package/dist/persistence/file.js +32 -28
package/dist/persistence/file.js.map +1 -1
package/dist/persistence/index.d.ts +7 -7
package/dist/persistence/index.d.ts.map +1 -1
package/dist/persistence/index.js +18 -18
package/dist/persistence/index.js.map +1 -1
package/dist/persistence/memory.d.ts +3 -3
package/dist/persistence/memory.d.ts.map +1 -1
package/dist/persistence/memory.js +10 -8
package/dist/persistence/memory.js.map +1 -1
package/dist/persistence/sqlite.d.ts +3 -3
package/dist/persistence/sqlite.d.ts.map +1 -1
package/dist/persistence/sqlite.js +36 -36
package/dist/persistence/sqlite.js.map +1 -1
package/dist/persistence/supabase.d.ts +3 -3
package/dist/persistence/supabase.d.ts.map +1 -1
package/dist/persistence/supabase.js +41 -43
package/dist/persistence/supabase.js.map +1 -1
package/dist/persistence/types.d.ts +5 -5
package/dist/phase6/ceiling.d.ts +5 -5
package/dist/phase6/ceiling.d.ts.map +1 -1
package/dist/phase6/ceiling.js +67 -34
package/dist/phase6/ceiling.js.map +1 -1
package/dist/phase6/context.d.ts +3 -3
package/dist/phase6/context.d.ts.map +1 -1
package/dist/phase6/context.js +91 -45
package/dist/phase6/context.js.map +1 -1
package/dist/phase6/index.d.ts +13 -13
package/dist/phase6/index.d.ts.map +1 -1
package/dist/phase6/index.js +16 -16
package/dist/phase6/index.js.map +1 -1
package/dist/phase6/presets.d.ts +2 -2
package/dist/phase6/presets.d.ts.map +1 -1
package/dist/phase6/presets.js +39 -33
package/dist/phase6/presets.js.map +1 -1
package/dist/phase6/provenance.d.ts +4 -4
package/dist/phase6/provenance.d.ts.map +1 -1
package/dist/phase6/provenance.js +42 -35
package/dist/phase6/provenance.js.map +1 -1
package/dist/phase6/role-gates/index.d.ts +2 -2
package/dist/phase6/role-gates/index.js +2 -2
package/dist/phase6/role-gates/kernel.d.ts.map +1 -1
package/dist/phase6/role-gates/kernel.js +16 -16
package/dist/phase6/role-gates/kernel.js.map +1 -1
package/dist/phase6/role-gates/policy.d.ts +2 -2
package/dist/phase6/role-gates/policy.js +6 -6
package/dist/phase6/role-gates.d.ts +4 -4
package/dist/phase6/role-gates.d.ts.map +1 -1
package/dist/phase6/role-gates.js +80 -58
package/dist/phase6/role-gates.js.map +1 -1
package/dist/phase6/types.d.ts +35 -35
package/dist/phase6/types.d.ts.map +1 -1
package/dist/phase6/types.js +166 -66
package/dist/phase6/types.js.map +1 -1
package/dist/phase6/weight-presets/canonical.d.ts +2 -2
package/dist/phase6/weight-presets/canonical.d.ts.map +1 -1
package/dist/phase6/weight-presets/canonical.js +12 -12
package/dist/phase6/weight-presets/canonical.js.map +1 -1
package/dist/phase6/weight-presets/deltas.d.ts +2 -2
package/dist/phase6/weight-presets/deltas.d.ts.map +1 -1
package/dist/phase6/weight-presets/deltas.js +27 -27
package/dist/phase6/weight-presets/deltas.js.map +1 -1
package/dist/phase6/weight-presets/index.d.ts +4 -4
package/dist/phase6/weight-presets/index.js +4 -4
package/dist/phase6/weight-presets/merger.d.ts +3 -3
package/dist/phase6/weight-presets/merger.d.ts.map +1 -1
package/dist/phase6/weight-presets/merger.js +40 -44
package/dist/phase6/weight-presets/merger.js.map +1 -1
package/dist/proof/index.d.ts +3 -3
package/dist/proof/index.d.ts.map +1 -1
package/dist/proof/index.js +44 -38
package/dist/proof/index.js.map +1 -1
package/dist/proof/merkle.d.ts +3 -3
package/dist/proof/merkle.d.ts.map +1 -1
package/dist/proof/merkle.js +26 -25
package/dist/proof/merkle.js.map +1 -1
package/dist/proof/zk-proofs.d.ts +6 -6
package/dist/proof/zk-proofs.d.ts.map +1 -1
package/dist/proof/zk-proofs.js +42 -43
package/dist/proof/zk-proofs.js.map +1 -1
package/dist/provenance/index.d.ts +3 -3
package/dist/provenance/index.d.ts.map +1 -1
package/dist/provenance/index.js +19 -17
package/dist/provenance/index.js.map +1 -1
package/dist/provenance/types.d.ts +4 -4
package/dist/provenance/types.d.ts.map +1 -1
package/dist/sandbox-training/challenges.d.ts +1 -1
package/dist/sandbox-training/challenges.d.ts.map +1 -1
package/dist/sandbox-training/challenges.js +228 -228
package/dist/sandbox-training/challenges.js.map +1 -1
package/dist/sandbox-training/graduation.d.ts +1 -1
package/dist/sandbox-training/graduation.d.ts.map +1 -1
package/dist/sandbox-training/graduation.js +14 -15
package/dist/sandbox-training/graduation.js.map +1 -1
package/dist/sandbox-training/index.d.ts +9 -9
package/dist/sandbox-training/index.d.ts.map +1 -1
package/dist/sandbox-training/index.js +6 -6
package/dist/sandbox-training/index.js.map +1 -1
package/dist/sandbox-training/promotion-service.d.ts +4 -4
package/dist/sandbox-training/promotion-service.d.ts.map +1 -1
package/dist/sandbox-training/promotion-service.js +5 -5
package/dist/sandbox-training/promotion-service.js.map +1 -1
package/dist/sandbox-training/runner.d.ts +1 -1
package/dist/sandbox-training/runner.d.ts.map +1 -1
package/dist/sandbox-training/runner.js +74 -73
package/dist/sandbox-training/runner.js.map +1 -1
package/dist/sandbox-training/scorer.d.ts +4 -4
package/dist/sandbox-training/scorer.js +5 -5
package/dist/sandbox-training/types.d.ts +4 -4
package/dist/sandbox-training/types.d.ts.map +1 -1
package/dist/sandbox-training/types.js +11 -7
package/dist/sandbox-training/types.js.map +1 -1
package/dist/trust-engine/ceiling-enforcement/audit.d.ts +1 -1
package/dist/trust-engine/ceiling-enforcement/audit.d.ts.map +1 -1
package/dist/trust-engine/ceiling-enforcement/audit.js +3 -4
package/dist/trust-engine/ceiling-enforcement/audit.js.map +1 -1
package/dist/trust-engine/ceiling-enforcement/index.d.ts +2 -2
package/dist/trust-engine/ceiling-enforcement/index.js +2 -2
package/dist/trust-engine/ceiling-enforcement/kernel.d.ts +1 -1
package/dist/trust-engine/ceiling-enforcement/kernel.d.ts.map +1 -1
package/dist/trust-engine/ceiling-enforcement/kernel.js +1 -1
package/dist/trust-engine/context-policy/enforcement.d.ts.map +1 -1
package/dist/trust-engine/context-policy/factory.d.ts +1 -1
package/dist/trust-engine/context-policy/factory.d.ts.map +1 -1
package/dist/trust-engine/context-policy/factory.js +1 -1
package/dist/trust-engine/context-policy/factory.js.map +1 -1
package/dist/trust-engine/context-policy/index.d.ts +2 -2
package/dist/trust-engine/context-policy/index.js +2 -2
package/dist/trust-engine/creation-modifiers/index.d.ts +1 -1
package/dist/trust-engine/creation-modifiers/index.js +1 -1
package/dist/trust-engine/creation-modifiers/types.d.ts.map +1 -1
package/dist/trust-engine/creation-modifiers/types.js +2 -3
package/dist/trust-engine/creation-modifiers/types.js.map +1 -1
package/dist/trust-engine/decay-profiles.d.ts +1 -1
package/dist/trust-engine/decay-profiles.d.ts.map +1 -1
package/dist/trust-engine/decay-profiles.js +4 -4
package/dist/trust-engine/decay-profiles.js.map +1 -1
package/dist/trust-engine/index.d.ts +111 -45
package/dist/trust-engine/index.d.ts.map +1 -1
package/dist/trust-engine/index.js +418 -61
package/dist/trust-engine/index.js.map +1 -1
package/dist/trust-engine/phase6-types.d.ts +10 -10
package/dist/trust-engine/phase6-types.d.ts.map +1 -1
package/dist/trust-engine/phase6-types.js +25 -23
package/dist/trust-engine/phase6-types.js.map +1 -1
package/dist/trust-engine/types.d.ts +77 -0
package/dist/trust-engine/types.d.ts.map +1 -0
package/dist/trust-engine/types.js +20 -0
package/dist/trust-engine/types.js.map +1 -0
package/package.json +5 -4

package/dist/layers/implementations/L0-request-format.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * L0 — Request Format Validator
+ *
+ * Validates that incoming requests conform to the expected structural format
+ * before any deeper analysis. Rejects malformed payloads, missing required
+ * fields, and structurally invalid inputs at the perimeter.
+ *
+ * Tier: input_validation
+ * Primary threat: prompt_injection
+ *
+ * @packageDocumentation
+ */
+import { BaseSecurityLayer } from "../index.js";
+import type { LayerInput, LayerExecutionResult } from "../types.js";
+/**
+ * L0 Request Format Validator
+ *
+ * First line of defense — ensures every request has the correct shape
+ * before any downstream processing.
+ */
+export declare class L0RequestFormatValidator extends BaseSecurityLayer {
+    constructor();
+    execute(input: LayerInput): Promise<LayerExecutionResult>;
+    /**
+     * Measure nesting depth of an object, with early bail-out.
+     */
+    private measureDepth;
+    /**
+     * Count total keys across all levels of an object.
+     */
+    private countKeys;
+    /**
+     * Detect prototype pollution attempts (__proto__, constructor, prototype).
+     */
+    private detectPrototypePollution;
+}
+//# sourceMappingURL=L0-request-format.d.ts.map

package/dist/layers/implementations/L0-request-format.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"L0-request-format.d.ts","sourceRoot":"","sources":["../../../src/layers/implementations/L0-request-format.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAqB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EACV,UAAU,EACV,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AAWrB;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,iBAAiB;;IAkBvD,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA2I/D;;OAEG;IACH,OAAO,CAAC,YAAY;IAgBpB;;OAEG;IACH,OAAO,CAAC,SAAS;IAWjB;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAmBjC"}

package/dist/layers/implementations/L0-request-format.js ADDED Viewed

@@ -0,0 +1,218 @@
+/**
+ * L0 — Request Format Validator
+ *
+ * Validates that incoming requests conform to the expected structural format
+ * before any deeper analysis. Rejects malformed payloads, missing required
+ * fields, and structurally invalid inputs at the perimeter.
+ *
+ * Tier: input_validation
+ * Primary threat: prompt_injection
+ *
+ * @packageDocumentation
+ */
+import { BaseSecurityLayer, createLayerConfig } from "../index.js";
+// Maximum depth for nested objects to prevent stack overflow / complexity attacks
+const MAX_NESTING_DEPTH = 20;
+// Maximum number of keys in a single object
+const MAX_OBJECT_KEYS = 500;
+// Required payload fields for a well-formed request
+const REQUIRED_PAYLOAD_FIELDS = ["action", "content"];
+/**
+ * L0 Request Format Validator
+ *
+ * First line of defense — ensures every request has the correct shape
+ * before any downstream processing.
+ */
+export class L0RequestFormatValidator extends BaseSecurityLayer {
+    constructor() {
+        super(createLayerConfig(0, "Request Format Validator", {
+            description: "Validates request structure, required fields, and payload shape",
+            tier: "input_validation",
+            primaryThreat: "prompt_injection",
+            secondaryThreats: ["denial_of_service"],
+            failMode: "block",
+            required: true,
+            timeoutMs: 200,
+            parallelizable: true,
+            dependencies: [],
+        }));
+    }
+    async execute(input) {
+        const startedAt = new Date().toISOString();
+        const t0 = performance.now();
+        const findings = [];
+        // 1. Validate top-level input fields
+        const inputValidation = this.validateInput(input);
+        if (!inputValidation.valid) {
+            for (const err of inputValidation.errors) {
+                findings.push({
+                    type: "threat_detected",
+                    severity: "high",
+                    code: "L0_MISSING_FIELD",
+                    description: `Missing required field: ${err.field}`,
+                    evidence: [err.message],
+                    remediation: `Provide the required field '${err.field}'`,
+                });
+            }
+        }
+        // 2. Validate payload is a plain object
+        if (input.payload !== null && input.payload !== undefined) {
+            if (typeof input.payload !== "object" || Array.isArray(input.payload)) {
+                findings.push({
+                    type: "threat_detected",
+                    severity: "high",
+                    code: "L0_INVALID_PAYLOAD_TYPE",
+                    description: "Payload must be a plain object, not an array or primitive",
+                    evidence: [
+                        `Received type: ${Array.isArray(input.payload) ? "array" : typeof input.payload}`,
+                    ],
+                    remediation: "Provide payload as a plain JSON object",
+                });
+            }
+            else {
+                // 3. Check nesting depth (prevents stack overflow attacks)
+                const depth = this.measureDepth(input.payload, 0);
+                if (depth > MAX_NESTING_DEPTH) {
+                    findings.push({
+                        type: "threat_detected",
+                        severity: "high",
+                        code: "L0_EXCESSIVE_NESTING",
+                        description: `Payload nesting depth ${depth} exceeds maximum ${MAX_NESTING_DEPTH}`,
+                        evidence: [`depth=${depth}, max=${MAX_NESTING_DEPTH}`],
+                        remediation: `Flatten payload structure to at most ${MAX_NESTING_DEPTH} levels`,
+                    });
+                }
+                // 4. Check key count (prevents resource exhaustion)
+                const keyCount = this.countKeys(input.payload);
+                if (keyCount > MAX_OBJECT_KEYS) {
+                    findings.push({
+                        type: "threat_detected",
+                        severity: "medium",
+                        code: "L0_EXCESSIVE_KEYS",
+                        description: `Payload contains ${keyCount} keys, exceeding maximum ${MAX_OBJECT_KEYS}`,
+                        evidence: [`keys=${keyCount}, max=${MAX_OBJECT_KEYS}`],
+                        remediation: "Reduce the number of fields in the payload",
+                    });
+                }
+                // 5. Check for required payload fields
+                for (const field of REQUIRED_PAYLOAD_FIELDS) {
+                    if (!(field in input.payload)) {
+                        findings.push({
+                            type: "warning",
+                            severity: "medium",
+                            code: "L0_MISSING_PAYLOAD_FIELD",
+                            description: `Payload missing recommended field '${field}'`,
+                            evidence: [`Field '${field}' not found in payload`],
+                            remediation: `Include '${field}' in the payload object`,
+                        });
+                    }
+                }
+                // 6. Detect prototype pollution attempts
+                const pollutionAttempts = this.detectPrototypePollution(input.payload);
+                for (const attempt of pollutionAttempts) {
+                    findings.push({
+                        type: "threat_detected",
+                        severity: "critical",
+                        code: "L0_PROTOTYPE_POLLUTION",
+                        description: `Prototype pollution attempt detected via key '${attempt}'`,
+                        evidence: [`Dangerous key: ${attempt}`],
+                        remediation: "Remove __proto__, constructor, and prototype keys from payload",
+                    });
+                }
+            }
+        }
+        // 7. Validate metadata if present
+        if (input.metadata) {
+            if (!input.metadata.requestTimestamp) {
+                findings.push({
+                    type: "warning",
+                    severity: "low",
+                    code: "L0_MISSING_TIMESTAMP",
+                    description: "Request metadata missing timestamp",
+                    evidence: ["metadata.requestTimestamp is empty"],
+                });
+            }
+            if (!input.metadata.source) {
+                findings.push({
+                    type: "warning",
+                    severity: "low",
+                    code: "L0_MISSING_SOURCE",
+                    description: "Request metadata missing source identifier",
+                    evidence: ["metadata.source is empty"],
+                });
+            }
+        }
+        const completedAt = new Date().toISOString();
+        const durationMs = performance.now() - t0;
+        const timing = {
+            startedAt,
+            completedAt,
+            durationMs,
+            waitTimeMs: 0,
+            processingTimeMs: durationMs,
+        };
+        const hasCritical = findings.some((f) => f.severity === "critical");
+        const hasHigh = findings.some((f) => f.severity === "high");
+        const passed = !hasCritical && !hasHigh;
+        if (passed) {
+            return this.createSuccessResult("allow", 0.95, findings, [], timing);
+        }
+        return this.createFailureResult(hasCritical ? "deny" : "escalate", 0.9, findings, timing);
+    }
+    /**
+     * Measure nesting depth of an object, with early bail-out.
+     */
+    measureDepth(obj, current) {
+        if (current > MAX_NESTING_DEPTH)
+            return current; // bail out early
+        if (obj === null || typeof obj !== "object")
+            return current;
+        let max = current;
+        const entries = Object.values(obj);
+        for (const val of entries) {
+            if (val !== null && typeof val === "object") {
+                const d = this.measureDepth(val, current + 1);
+                if (d > max)
+                    max = d;
+                if (max > MAX_NESTING_DEPTH)
+                    return max; // bail
+            }
+        }
+        return max;
+    }
+    /**
+     * Count total keys across all levels of an object.
+     */
+    countKeys(obj) {
+        let count = Object.keys(obj).length;
+        for (const val of Object.values(obj)) {
+            if (val !== null && typeof val === "object" && !Array.isArray(val)) {
+                count += this.countKeys(val);
+                if (count > MAX_OBJECT_KEYS)
+                    return count; // bail early
+            }
+        }
+        return count;
+    }
+    /**
+     * Detect prototype pollution attempts (__proto__, constructor, prototype).
+     */
+    detectPrototypePollution(obj) {
+        const dangerous = ["__proto__", "constructor", "prototype"];
+        const found = [];
+        const check = (o, path) => {
+            for (const key of Object.keys(o)) {
+                if (dangerous.includes(key)) {
+                    found.push(path ? `${path}.${key}` : key);
+                }
+                const val = o[key];
+                if (val !== null && typeof val === "object" && !Array.isArray(val)) {
+                    check(val, path ? `${path}.${key}` : key);
+                }
+            }
+        };
+        check(obj, "");
+        return found;
+    }
+}
+//# sourceMappingURL=L0-request-format.js.map

package/dist/layers/implementations/L0-request-format.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"L0-request-format.js","sourceRoot":"","sources":["../../../src/layers/implementations/L0-request-format.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAQnE,kFAAkF;AAClF,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,4CAA4C;AAC5C,MAAM,eAAe,GAAG,GAAG,CAAC;AAE5B,oDAAoD;AACpD,MAAM,uBAAuB,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAU,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,OAAO,wBAAyB,SAAQ,iBAAiB;IAC7D;QACE,KAAK,CACH,iBAAiB,CAAC,CAAC,EAAE,0BAA0B,EAAE;YAC/C,WAAW,EACT,iEAAiE;YACnE,IAAI,EAAE,kBAAkB;YACxB,aAAa,EAAE,kBAAkB;YACjC,gBAAgB,EAAE,CAAC,mBAAmB,CAAC;YACvC,QAAQ,EAAE,OAAO;YACjB,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,GAAG;YACd,cAAc,EAAE,IAAI;YACpB,YAAY,EAAE,EAAE;SACjB,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAiB;QAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAmB,EAAE,CAAC;QAEpC,qCAAqC;QACrC,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC3B,KAAK,MAAM,GAAG,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;gBACzC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,kBAAkB;oBACxB,WAAW,EAAE,2BAA2B,GAAG,CAAC,KAAK,EAAE;oBACnD,QAAQ,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;oBACvB,WAAW,EAAE,+BAA+B,GAAG,CAAC,KAAK,GAAG;iBACzD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,IAAI,KAAK,CAAC,OAAO,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1D,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,yBAAyB;oBAC/B,WAAW,EACT,2DAA2D;oBAC7D,QAAQ,EAAE;wBACR,kBAAkB,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC,OAAO,EAAE;qBAClF;oBACD,WAAW,EAAE,wCAAwC;iBACtD,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,2DAA2D;gBAC3D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBAClD,IAAI,KAAK,GAAG,iBAAiB,EAAE,CAAC;oBAC9B,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,iBAAiB;wBACvB,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,sBAAsB;wBAC5B,WAAW,EAAE,yBAAyB,KAAK,oBAAoB,iBAAiB,EAAE;wBAClF,QAAQ,EAAE,CAAC,SAAS,KAAK,SAAS,iBAAiB,EAAE,CAAC;wBACtD,WAAW,EAAE,wCAAwC,iBAAiB,SAAS;qBAChF,CAAC,CAAC;gBACL,CAAC;gBAED,oDAAoD;gBACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAC/C,IAAI,QAAQ,GAAG,eAAe,EAAE,CAAC;oBAC/B,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,iBAAiB;wBACvB,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,mBAAmB;wBACzB,WAAW,EAAE,oBAAoB,QAAQ,4BAA4B,eAAe,EAAE;wBACtF,QAAQ,EAAE,CAAC,QAAQ,QAAQ,SAAS,eAAe,EAAE,CAAC;wBACtD,WAAW,EAAE,4CAA4C;qBAC1D,CAAC,CAAC;gBACL,CAAC;gBAED,uCAAuC;gBACvC,KAAK,MAAM,KAAK,IAAI,uBAAuB,EAAE,CAAC;oBAC5C,IAAI,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC9B,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,SAAS;4BACf,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,0BAA0B;4BAChC,WAAW,EAAE,sCAAsC,KAAK,GAAG;4BAC3D,QAAQ,EAAE,CAAC,UAAU,KAAK,wBAAwB,CAAC;4BACnD,WAAW,EAAE,YAAY,KAAK,yBAAyB;yBACxD,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,yCAAyC;gBACzC,MAAM,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACvE,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;oBACxC,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,iBAAiB;wBACvB,QAAQ,EAAE,UAAU;wBACpB,IAAI,EAAE,wBAAwB;wBAC9B,WAAW,EAAE,iDAAiD,OAAO,GAAG;wBACxE,QAAQ,EAAE,CAAC,kBAAkB,OAAO,EAAE,CAAC;wBACvC,WAAW,EACT,gEAAgE;qBACnE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,SAAS;oBACf,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,sBAAsB;oBAC5B,WAAW,EAAE,oCAAoC;oBACjD,QAAQ,EAAE,CAAC,oCAAoC,CAAC;iBACjD,CAAC,CAAC;YACL,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,SAAS;oBACf,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,mBAAmB;oBACzB,WAAW,EAAE,4CAA4C;oBACzD,QAAQ,EAAE,CAAC,0BAA0B,CAAC;iBACvC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC7C,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAgB;YAC1B,SAAS;YACT,WAAW;YACX,UAAU;YACV,UAAU,EAAE,CAAC;YACb,gBAAgB,EAAE,UAAU;SAC7B,CAAC;QAEF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC;QAExC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QACvE,CAAC;QAED,OAAO,IAAI,CAAC,mBAAmB,CAC7B,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,EACjC,GAAG,EACH,QAAQ,EACR,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,GAAY,EAAE,OAAe;QAChD,IAAI,OAAO,GAAG,iBAAiB;YAAE,OAAO,OAAO,CAAC,CAAC,iBAAiB;QAClE,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,OAAO,CAAC;QAE5D,IAAI,GAAG,GAAG,OAAO,CAAC;QAClB,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,CAAC;QAC9D,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5C,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBAC9C,IAAI,CAAC,GAAG,GAAG;oBAAE,GAAG,GAAG,CAAC,CAAC;gBACrB,IAAI,GAAG,GAAG,iBAAiB;oBAAE,OAAO,GAAG,CAAC,CAAC,OAAO;YAClD,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,GAA4B;QAC5C,IAAI,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACrC,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnE,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,GAA8B,CAAC,CAAC;gBACxD,IAAI,KAAK,GAAG,eAAe;oBAAE,OAAO,KAAK,CAAC,CAAC,aAAa;YAC1D,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,wBAAwB,CAAC,GAA4B;QAC3D,MAAM,SAAS,GAAG,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;QAC5D,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,MAAM,KAAK,GAAG,CAAC,CAA0B,EAAE,IAAY,EAAE,EAAE;YACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC5B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC5C,CAAC;gBACD,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;gBACnB,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBACnE,KAAK,CAAC,GAA8B,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/layers/implementations/L1-input-size.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * L1 — Input Size Limiter
+ *
+ * Enforces size constraints on incoming payloads to prevent denial-of-service
+ * via oversized inputs, token-flooding, or memory exhaustion attacks.
+ *
+ * Tier: input_validation
+ * Primary threat: denial_of_service
+ *
+ * @packageDocumentation
+ */
+import { BaseSecurityLayer } from "../index.js";
+import type { LayerInput, LayerExecutionResult } from "../types.js";
+/** Default limits — can be overridden via constructor options */
+export interface L1SizeLimits {
+    /** Maximum total payload size in bytes (default: 1MB) */
+    maxPayloadBytes: number;
+    /** Maximum length for any single string value (default: 100KB) */
+    maxStringLength: number;
+    /** Maximum number of array elements (default: 10,000) */
+    maxArrayLength: number;
+    /** Maximum total number of fields across the entire payload (default: 1,000) */
+    maxTotalFields: number;
+}
+/**
+ * L1 Input Size Limiter
+ *
+ * Catches oversized payloads before they consume downstream resources.
+ */
+export declare class L1InputSizeLimiter extends BaseSecurityLayer {
+    private limits;
+    constructor(limits?: Partial<L1SizeLimits>);
+    execute(input: LayerInput): Promise<LayerExecutionResult>;
+    private buildTiming;
+}
+//# sourceMappingURL=L1-input-size.d.ts.map

package/dist/layers/implementations/L1-input-size.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"L1-input-size.d.ts","sourceRoot":"","sources":["../../../src/layers/implementations/L1-input-size.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,iBAAiB,EAAqB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EACV,UAAU,EACV,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AAErB,iEAAiE;AACjE,MAAM,WAAW,YAAY;IAC3B,yDAAyD;IACzD,eAAe,EAAE,MAAM,CAAC;IACxB,kEAAkE;IAClE,eAAe,EAAE,MAAM,CAAC;IACxB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;IACvB,gFAAgF;IAChF,cAAc,EAAE,MAAM,CAAC;CACxB;AASD;;;;GAIG;AACH,qBAAa,kBAAmB,SAAQ,iBAAiB;IACvD,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC;IAkBpC,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAmI/D,OAAO,CAAC,WAAW;CAUpB"}

package/dist/layers/implementations/L1-input-size.js ADDED Viewed

@@ -0,0 +1,160 @@
+/**
+ * L1 — Input Size Limiter
+ *
+ * Enforces size constraints on incoming payloads to prevent denial-of-service
+ * via oversized inputs, token-flooding, or memory exhaustion attacks.
+ *
+ * Tier: input_validation
+ * Primary threat: denial_of_service
+ *
+ * @packageDocumentation
+ */
+import { BaseSecurityLayer, createLayerConfig } from "../index.js";
+const DEFAULT_LIMITS = {
+    maxPayloadBytes: 1_048_576, // 1 MB
+    maxStringLength: 102_400, // 100 KB
+    maxArrayLength: 10_000,
+    maxTotalFields: 1_000,
+};
+/**
+ * L1 Input Size Limiter
+ *
+ * Catches oversized payloads before they consume downstream resources.
+ */
+export class L1InputSizeLimiter extends BaseSecurityLayer {
+    limits;
+    constructor(limits) {
+        super(createLayerConfig(1, "Input Size Limiter", {
+            description: "Enforces payload size, string length, array length, and total field count limits",
+            tier: "input_validation",
+            primaryThreat: "denial_of_service",
+            secondaryThreats: ["resource_abuse"],
+            failMode: "block",
+            required: true,
+            timeoutMs: 200,
+            parallelizable: true,
+            dependencies: [],
+        }));
+        this.limits = { ...DEFAULT_LIMITS, ...limits };
+    }
+    async execute(input) {
+        const startedAt = new Date().toISOString();
+        const t0 = performance.now();
+        const findings = [];
+        const payload = input.payload;
+        // 1. Total payload size (JSON serialization byte count)
+        let serialized;
+        try {
+            serialized = JSON.stringify(payload);
+        }
+        catch {
+            const timing = this.buildTiming(startedAt, t0);
+            return this.createFailureResult("deny", 0.95, [
+                {
+                    type: "threat_detected",
+                    severity: "high",
+                    code: "L1_UNSERIALIZABLE",
+                    description: "Payload cannot be serialized to JSON — possible circular reference or exotic object",
+                    evidence: ["JSON.stringify failed"],
+                    remediation: "Ensure payload is a plain, serializable JSON object",
+                },
+            ], timing);
+        }
+        const payloadBytes = new TextEncoder().encode(serialized).length;
+        if (payloadBytes > this.limits.maxPayloadBytes) {
+            findings.push({
+                type: "threat_detected",
+                severity: "high",
+                code: "L1_PAYLOAD_TOO_LARGE",
+                description: `Payload size ${payloadBytes} bytes exceeds limit of ${this.limits.maxPayloadBytes} bytes`,
+                evidence: [
+                    `size=${payloadBytes}, limit=${this.limits.maxPayloadBytes}`,
+                ],
+                remediation: `Reduce payload size to under ${this.limits.maxPayloadBytes} bytes`,
+            });
+        }
+        // 2. Walk the object checking strings, arrays, and field count
+        let totalFields = 0;
+        const violations = [];
+        const walk = (obj, path) => {
+            if (obj === null || obj === undefined)
+                return;
+            if (typeof obj === "string") {
+                if (obj.length > this.limits.maxStringLength) {
+                    violations.push({
+                        type: "threat_detected",
+                        severity: "high",
+                        code: "L1_STRING_TOO_LONG",
+                        description: `String at '${path}' is ${obj.length} chars, exceeding limit of ${this.limits.maxStringLength}`,
+                        evidence: [
+                            `path=${path}, length=${obj.length}, limit=${this.limits.maxStringLength}`,
+                        ],
+                        remediation: `Shorten the string at '${path}'`,
+                    });
+                }
+                return;
+            }
+            if (Array.isArray(obj)) {
+                if (obj.length > this.limits.maxArrayLength) {
+                    violations.push({
+                        type: "threat_detected",
+                        severity: "high",
+                        code: "L1_ARRAY_TOO_LONG",
+                        description: `Array at '${path}' has ${obj.length} elements, exceeding limit of ${this.limits.maxArrayLength}`,
+                        evidence: [
+                            `path=${path}, length=${obj.length}, limit=${this.limits.maxArrayLength}`,
+                        ],
+                        remediation: `Reduce array size at '${path}'`,
+                    });
+                }
+                // Walk array items (sample first N to avoid excessive traversal)
+                const sampleSize = Math.min(obj.length, 100);
+                for (let i = 0; i < sampleSize; i++) {
+                    walk(obj[i], `${path}[${i}]`);
+                }
+                return;
+            }
+            if (typeof obj === "object") {
+                const keys = Object.keys(obj);
+                totalFields += keys.length;
+                if (totalFields > this.limits.maxTotalFields) {
+                    violations.push({
+                        type: "threat_detected",
+                        severity: "medium",
+                        code: "L1_TOO_MANY_FIELDS",
+                        description: `Total field count ${totalFields} exceeds limit of ${this.limits.maxTotalFields}`,
+                        evidence: [
+                            `totalFields=${totalFields}, limit=${this.limits.maxTotalFields}`,
+                        ],
+                        remediation: "Reduce the number of fields in the payload",
+                    });
+                    return; // stop walking
+                }
+                for (const key of keys) {
+                    walk(obj[key], path ? `${path}.${key}` : key);
+                }
+            }
+        };
+        walk(payload, "");
+        findings.push(...violations);
+        const timing = this.buildTiming(startedAt, t0);
+        const hasCritical = findings.some((f) => f.severity === "critical");
+        const hasHigh = findings.some((f) => f.severity === "high");
+        const passed = !hasCritical && !hasHigh;
+        if (passed) {
+            return this.createSuccessResult("allow", 0.95, findings, [], timing);
+        }
+        return this.createFailureResult("deny", 0.9, findings, timing);
+    }
+    buildTiming(startedAt, t0) {
+        const durationMs = performance.now() - t0;
+        return {
+            startedAt,
+            completedAt: new Date().toISOString(),
+            durationMs,
+            waitTimeMs: 0,
+            processingTimeMs: durationMs,
+        };
+    }
+}
+//# sourceMappingURL=L1-input-size.js.map

package/dist/layers/implementations/L1-input-size.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"L1-input-size.js","sourceRoot":"","sources":["../../../src/layers/implementations/L1-input-size.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAoBnE,MAAM,cAAc,GAAiB;IACnC,eAAe,EAAE,SAAS,EAAE,OAAO;IACnC,eAAe,EAAE,OAAO,EAAE,SAAS;IACnC,cAAc,EAAE,MAAM;IACtB,cAAc,EAAE,KAAK;CACtB,CAAC;AAEF;;;;GAIG;AACH,MAAM,OAAO,kBAAmB,SAAQ,iBAAiB;IAC/C,MAAM,CAAe;IAE7B,YAAY,MAA8B;QACxC,KAAK,CACH,iBAAiB,CAAC,CAAC,EAAE,oBAAoB,EAAE;YACzC,WAAW,EACT,kFAAkF;YACpF,IAAI,EAAE,kBAAkB;YACxB,aAAa,EAAE,mBAAmB;YAClC,gBAAgB,EAAE,CAAC,gBAAgB,CAAC;YACpC,QAAQ,EAAE,OAAO;YACjB,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,GAAG;YACd,cAAc,EAAE,IAAI;YACpB,YAAY,EAAE,EAAE;SACjB,CAAC,CACH,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAiB;QAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAmB,EAAE,CAAC;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAE9B,wDAAwD;QACxD,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC,mBAAmB,CAC7B,MAAM,EACN,IAAI,EACJ;gBACE;oBACE,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,mBAAmB;oBACzB,WAAW,EACT,qFAAqF;oBACvF,QAAQ,EAAE,CAAC,uBAAuB,CAAC;oBACnC,WAAW,EAAE,qDAAqD;iBACnE;aACF,EACD,MAAM,CACP,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC;QACjE,IAAI,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,sBAAsB;gBAC5B,WAAW,EAAE,gBAAgB,YAAY,2BAA2B,IAAI,CAAC,MAAM,CAAC,eAAe,QAAQ;gBACvG,QAAQ,EAAE;oBACR,QAAQ,YAAY,WAAW,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE;iBAC7D;gBACD,WAAW,EAAE,gCAAgC,IAAI,CAAC,MAAM,CAAC,eAAe,QAAQ;aACjF,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,MAAM,UAAU,GAAmB,EAAE,CAAC;QAEtC,MAAM,IAAI,GAAG,CAAC,GAAY,EAAE,IAAY,EAAQ,EAAE;YAChD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;gBAAE,OAAO;YAE9C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;oBAC7C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,iBAAiB;wBACvB,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,oBAAoB;wBAC1B,WAAW,EAAE,cAAc,IAAI,QAAQ,GAAG,CAAC,MAAM,8BAA8B,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE;wBAC5G,QAAQ,EAAE;4BACR,QAAQ,IAAI,YAAY,GAAG,CAAC,MAAM,WAAW,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE;yBAC3E;wBACD,WAAW,EAAE,0BAA0B,IAAI,GAAG;qBAC/C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvB,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;oBAC5C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,iBAAiB;wBACvB,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,mBAAmB;wBACzB,WAAW,EAAE,aAAa,IAAI,SAAS,GAAG,CAAC,MAAM,iCAAiC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE;wBAC9G,QAAQ,EAAE;4BACR,QAAQ,IAAI,YAAY,GAAG,CAAC,MAAM,WAAW,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE;yBAC1E;wBACD,WAAW,EAAE,yBAAyB,IAAI,GAAG;qBAC9C,CAAC,CAAC;gBACL,CAAC;gBACD,iEAAiE;gBACjE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;gBAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;oBACpC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChC,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC,CAAC;gBACzD,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC;gBAE3B,IAAI,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;oBAC7C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,iBAAiB;wBACvB,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,oBAAoB;wBAC1B,WAAW,EAAE,qBAAqB,WAAW,qBAAqB,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE;wBAC9F,QAAQ,EAAE;4BACR,eAAe,WAAW,WAAW,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE;yBAClE;wBACD,WAAW,EAAE,4CAA4C;qBAC1D,CAAC,CAAC;oBACH,OAAO,CAAC,eAAe;gBACzB,CAAC;gBAED,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,IAAI,CACD,GAA+B,CAAC,GAAG,CAAC,EACrC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAC9B,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAClB,QAAQ,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QAE7B,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC;QAExC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QACvE,CAAC;QAED,OAAO,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACjE,CAAC;IAEO,WAAW,CAAC,SAAiB,EAAE,EAAU;QAC/C,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS;YACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,UAAU;YACV,UAAU,EAAE,CAAC;YACb,gBAAgB,EAAE,UAAU;SAC7B,CAAC;IACJ,CAAC;CACF"}

package/dist/layers/implementations/L2-charset-sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * L2 — Character Set Sanitizer
+ *
+ * Detects and strips dangerous Unicode sequences, invisible control characters,
+ * homoglyph attacks, bi-directional override characters, and other encoding-level
+ * prompt injection vectors.
+ *
+ * Tier: input_validation
+ * Primary threat: prompt_injection
+ *
+ * @packageDocumentation
+ */
+import { BaseSecurityLayer } from "../index.js";
+import type { LayerInput, LayerExecutionResult } from "../types.js";
+/**
+ * L2 Character Set Sanitizer
+ *
+ * Strips dangerous characters and detects homoglyph attacks.
+ */
+export declare class L2CharsetSanitizer extends BaseSecurityLayer {
+    constructor();
+    execute(input: LayerInput): Promise<LayerExecutionResult>;
+    private scanObject;
+    private scanString;
+    private detectHomoglyphs;
+    private buildTiming;
+}
+//# sourceMappingURL=L2-charset-sanitizer.d.ts.map

package/dist/layers/implementations/L2-charset-sanitizer.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"L2-charset-sanitizer.d.ts","sourceRoot":"","sources":["../../../src/layers/implementations/L2-charset-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAqB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EACV,UAAU,EACV,oBAAoB,EAIrB,MAAM,aAAa,CAAC;AA8FrB;;;;GAIG;AACH,qBAAa,kBAAmB,SAAQ,iBAAiB;;IAkBjD,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAgC/D,OAAO,CAAC,UAAU;IAuClB,OAAO,CAAC,UAAU;IA2DlB,OAAO,CAAC,gBAAgB;IA+BxB,OAAO,CAAC,WAAW;CAUpB"}