@vorionsys/atsf-core 0.2.3 → 0.3.0

package/dist/layers/implementations/L2-charset-sanitizer.js

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024-2026 Vorion LLC
 /**
  * L2 — Character Set Sanitizer
  *
@@ -10,88 +12,87 @@
  *
  * @packageDocumentation
  */
-import { BaseSecurityLayer, createLayerConfig } from "../index.js";
+import { BaseSecurityLayer, createLayerConfig } from '../index.js';
 /**
  * Unicode categories of dangerous characters
  */
 const DANGEROUS_PATTERNS = [
     {
-        name: "bidi_override",
+        name: 'bidi_override',
         // Bi-directional override characters (used in trojan source attacks)
-        pattern: /(?:\u200E|\u200F|\u202A|\u202B|\u202C|\u202D|\u202E|\u2066|\u2067|\u2068|\u2069)/g,
-        severity: "critical",
-        description: "Bi-directional text override characters can disguise malicious content",
+        pattern: /[\u200E\u200F\u202A-\u202E\u2066-\u2069]/g,
+        severity: 'critical',
+        description: 'Bi-directional text override characters can disguise malicious content',
     },
     {
-        name: "zero_width",
+        name: 'zero_width',
         // Zero-width characters (invisible text injection)
-        pattern: /(?:\u200B|\u200C|\u200D|\uFEFF)/g,
-        severity: "high",
-        description: "Zero-width characters can hide content from human reviewers",
+        pattern: /[\u200B\u200C\u200D\uFEFF]/g,
+        severity: 'high',
+        description: 'Zero-width characters can hide content from human reviewers',
     },
     {
-        name: "control_chars",
+        name: 'control_chars',
         // C0/C1 control characters except common whitespace (tab, newline, carriage return)
-        // eslint-disable-next-line no-control-regex
         pattern: /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F\x80-\x9F]/g,
-        severity: "high",
-        description: "Control characters can corrupt parsing or inject escape sequences",
+        severity: 'high',
+        description: 'Control characters can corrupt parsing or inject escape sequences',
     },
     {
-        name: "tag_chars",
+        name: 'tag_chars',
         // Unicode tag characters (U+E0001-U+E007F) — used to hide instructions
-        pattern: /\uDB40[\uDC01-\uDC7F]/g,
-        severity: "high",
-        description: "Unicode tag characters can embed hidden instructions",
+        pattern: /[\uDB40][\uDC01-\uDC7F]/g,
+        severity: 'high',
+        description: 'Unicode tag characters can embed hidden instructions',
     },
     {
-        name: "interlinear_annotation",
+        name: 'interlinear_annotation',
         // Interlinear annotation characters
         pattern: /[\uFFF9\uFFFA\uFFFB]/g,
-        severity: "medium",
-        description: "Annotation characters can inject hidden metadata",
+        severity: 'medium',
+        description: 'Annotation characters can inject hidden metadata',
     },
     {
-        name: "replacement_char",
+        name: 'replacement_char',
         // Object replacement character (can mask embedded objects)
         pattern: /\uFFFC/g,
-        severity: "medium",
-        description: "Object replacement character may mask embedded content",
+        severity: 'medium',
+        description: 'Object replacement character may mask embedded content',
     },
     {
-        name: "variation_selector_abuse",
+        name: 'variation_selector_abuse',
         // Excessive variation selectors (emoji/glyph variant abuse)
         pattern: /[\uFE00-\uFE0F]{3,}/g,
-        severity: "low",
-        description: "Excessive variation selectors suggest encoding manipulation",
+        severity: 'low',
+        description: 'Excessive variation selectors suggest encoding manipulation',
     },
 ];
 /**
  * Common homoglyph mappings (confusable characters → ASCII equivalent)
  */
 const HOMOGLYPH_MAP = {
-    "\u0410": "A", // Cyrillic А → Latin A
-    "\u0412": "B", // Cyrillic В → Latin B
-    "\u0421": "C", // Cyrillic С → Latin C
-    "\u0415": "E", // Cyrillic Е → Latin E
-    "\u041D": "H", // Cyrillic Н → Latin H
-    "\u041A": "K", // Cyrillic К → Latin K
-    "\u041C": "M", // Cyrillic М → Latin M
-    "\u041E": "O", // Cyrillic О → Latin O
-    "\u0420": "P", // Cyrillic Р → Latin P
-    "\u0422": "T", // Cyrillic Т → Latin T
-    "\u0425": "X", // Cyrillic Х → Latin X
-    "\u0430": "a", // Cyrillic а → Latin a
-    "\u0435": "e", // Cyrillic е → Latin e
-    "\u043E": "o", // Cyrillic о → Latin o
-    "\u0440": "p", // Cyrillic р → Latin p
-    "\u0441": "c", // Cyrillic с → Latin c
-    "\u0443": "y", // Cyrillic у → Latin y
-    "\u0445": "x", // Cyrillic х → Latin x
-    "\u0456": "i", // Cyrillic і → Latin i
-    "\u0458": "j", // Cyrillic ј → Latin j
-    "\u0455": "s", // Cyrillic ѕ → Latin s
-    "\u0501": "d", // Cyrillic ԁ → Latin d
+    '\u0410': 'A', // Cyrillic А → Latin A
+    '\u0412': 'B', // Cyrillic В → Latin B
+    '\u0421': 'C', // Cyrillic С → Latin C
+    '\u0415': 'E', // Cyrillic Е → Latin E
+    '\u041D': 'H', // Cyrillic Н → Latin H
+    '\u041A': 'K', // Cyrillic К → Latin K
+    '\u041C': 'M', // Cyrillic М → Latin M
+    '\u041E': 'O', // Cyrillic О → Latin O
+    '\u0420': 'P', // Cyrillic Р → Latin P
+    '\u0422': 'T', // Cyrillic Т → Latin T
+    '\u0425': 'X', // Cyrillic Х → Latin X
+    '\u0430': 'a', // Cyrillic а → Latin a
+    '\u0435': 'e', // Cyrillic е → Latin e
+    '\u043E': 'o', // Cyrillic о → Latin o
+    '\u0440': 'p', // Cyrillic р → Latin p
+    '\u0441': 'c', // Cyrillic с → Latin c
+    '\u0443': 'y', // Cyrillic у → Latin y
+    '\u0445': 'x', // Cyrillic х → Latin x
+    '\u0456': 'i', // Cyrillic і → Latin i
+    '\u0458': 'j', // Cyrillic ј → Latin j
+    '\u0455': 's', // Cyrillic ѕ → Latin s
+    '\u0501': 'd', // Cyrillic ԁ → Latin d
 };
 /**
  * L2 Character Set Sanitizer
@@ -100,12 +101,12 @@ const HOMOGLYPH_MAP = {
  */
 export class L2CharsetSanitizer extends BaseSecurityLayer {
     constructor() {
-        super(createLayerConfig(2, "Character Set Sanitizer", {
-            description: "Detects and sanitizes dangerous Unicode sequences, invisible characters, and homoglyph attacks",
-            tier: "input_validation",
-            primaryThreat: "prompt_injection",
-            secondaryThreats: ["deceptive_output", "audit_evasion"],
-            failMode: "block",
+        super(createLayerConfig(2, 'Character Set Sanitizer', {
+            description: 'Detects and sanitizes dangerous Unicode sequences, invisible characters, and homoglyph attacks',
+            tier: 'input_validation',
+            primaryThreat: 'prompt_injection',
+            secondaryThreats: ['deceptive_output', 'audit_evasion'],
+            failMode: 'block',
             required: true,
             timeoutMs: 300,
             parallelizable: true,
@@ -118,20 +119,20 @@ export class L2CharsetSanitizer extends BaseSecurityLayer {
         const findings = [];
         const modifications = [];
         // Walk all string values in the payload
-        this.scanObject(input.payload, "", findings, modifications);
+        this.scanObject(input.payload, '', findings, modifications);
         const timing = this.buildTiming(startedAt, t0);
-        const hasCritical = findings.some((f) => f.severity === "critical");
-        const hasHigh = findings.some((f) => f.severity === "high");
+        const hasCritical = findings.some((f) => f.severity === 'critical');
+        const hasHigh = findings.some((f) => f.severity === 'high');
         const passed = !hasCritical && !hasHigh;
         if (passed) {
-            return this.createSuccessResult("allow", 0.9, findings, modifications, timing);
+            return this.createSuccessResult('allow', 0.9, findings, modifications, timing);
         }
-        return this.createFailureResult(hasCritical ? "deny" : "escalate", 0.85, findings, timing);
+        return this.createFailureResult(hasCritical ? 'deny' : 'escalate', 0.85, findings, timing);
     }
     scanObject(obj, path, findings, modifications) {
         if (obj === null || obj === undefined)
             return;
-        if (typeof obj === "string") {
+        if (typeof obj === 'string') {
             this.scanString(obj, path, findings, modifications);
             return;
         }
@@ -141,10 +142,10 @@ export class L2CharsetSanitizer extends BaseSecurityLayer {
             }
             return;
         }
-        if (typeof obj === "object") {
+        if (typeof obj === 'object') {
             for (const [key, val] of Object.entries(obj)) {
                 // Also scan keys for homoglyphs
-                this.scanString(key, `${path ? path + "." : ""}(key:${key})`, findings, modifications);
+                this.scanString(key, `${path ? path + '.' : ''}(key:${key})`, findings, modifications);
                 this.scanObject(val, path ? `${path}.${key}` : key, findings, modifications);
             }
         }
@@ -157,24 +158,21 @@ export class L2CharsetSanitizer extends BaseSecurityLayer {
             const matches = value.match(pattern);
             if (matches && matches.length > 0) {
                 findings.push({
-                    type: "threat_detected",
+                    type: 'threat_detected',
                     severity,
                     code: `L2_${name.toUpperCase()}`,
                     description: `${description} at '${path}'`,
                     evidence: [
                         `Found ${matches.length} instance(s)`,
-                        `Code points: ${matches
-                            .slice(0, 5)
-                            .map((c) => `U+${c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0")}`)
-                            .join(", ")}`,
+                        `Code points: ${matches.slice(0, 5).map((c) => `U+${c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')}`).join(', ')}`,
                     ],
                     remediation: `Remove ${name} characters from the input`,
                 });
                 modifications.push({
                     target: path,
-                    type: "sanitize",
+                    type: 'sanitize',
                     originalValue: `[${matches.length} ${name} chars]`,
-                    newValue: "[stripped]",
+                    newValue: '[stripped]',
                     reason: description,
                 });
             }
@@ -183,14 +181,12 @@ export class L2CharsetSanitizer extends BaseSecurityLayer {
         const homoglyphs = this.detectHomoglyphs(value);
         if (homoglyphs.length > 0) {
             findings.push({
-                type: "threat_detected",
-                severity: "high",
-                code: "L2_HOMOGLYPH_ATTACK",
+                type: 'threat_detected',
+                severity: 'high',
+                code: 'L2_HOMOGLYPH_ATTACK',
                 description: `Mixed-script homoglyph characters detected at '${path}'`,
-                evidence: homoglyphs
-                    .slice(0, 10)
-                    .map((h) => `'${h.char}' (U+${h.codePoint}) looks like '${h.looksLike}'`),
-                remediation: "Use consistent character scripts (do not mix Cyrillic with Latin)",
+                evidence: homoglyphs.slice(0, 10).map((h) => `'${h.char}' (U+${h.codePoint}) looks like '${h.looksLike}'`),
+                remediation: 'Use consistent character scripts (do not mix Cyrillic with Latin)',
             });
         }
     }
@@ -205,11 +201,7 @@ export class L2CharsetSanitizer extends BaseSecurityLayer {
             if (mapped) {
                 results.push({
                     char,
-                    codePoint: char
-                        .charCodeAt(0)
-                        .toString(16)
-                        .toUpperCase()
-                        .padStart(4, "0"),
+                    codePoint: char.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'),
                     looksLike: mapped,
                 });
             }

package/dist/layers/implementations/L2-charset-sanitizer.js.map

@@ -1 +1 @@
-{"version":3,"file":"L2-charset-sanitizer.js","sourceRoot":"","sources":["../../../src/layers/implementations/L2-charset-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AASnE;;GAEG;AACH,MAAM,kBAAkB,GAKnB;IACH;QACE,IAAI,EAAE,eAAe;QACrB,qEAAqE;QACrE,OAAO,EACL,mFAAmF;QACrF,QAAQ,EAAE,UAAU;QACpB,WAAW,EACT,wEAAwE;KAC3E;IACD;QACE,IAAI,EAAE,YAAY;QAClB,mDAAmD;QACnD,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;KAC3E;IACD;QACE,IAAI,EAAE,eAAe;QACrB,oFAAoF;QACpF,4CAA4C;QAC5C,OAAO,EAAE,4CAA4C;QACrD,QAAQ,EAAE,MAAM;QAChB,WAAW,EACT,mEAAmE;KACtE;IACD;QACE,IAAI,EAAE,WAAW;QACjB,uEAAuE;QACvE,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sDAAsD;KACpE;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,oCAAoC;QACpC,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kDAAkD;KAChE;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,2DAA2D;QAC3D,OAAO,EAAE,SAAS;QAClB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wDAAwD;KACtE;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,4DAA4D;QAC5D,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,6DAA6D;KAC3E;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;CACvC,CAAC;AAEF;;;;GAIG;AACH,MAAM,OAAO,kBAAmB,SAAQ,iBAAiB;IACvD;QACE,KAAK,CACH,iBAAiB,CAAC,CAAC,EAAE,yBAAyB,EAAE;YAC9C,WAAW,EACT,gGAAgG;YAClG,IAAI,EAAE,kBAAkB;YACxB,aAAa,EAAE,kBAAkB;YACjC,gBAAgB,EAAE,CAAC,kBAAkB,EAAE,eAAe,CAAC;YACvD,QAAQ,EAAE,OAAO;YACjB,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,GAAG;YACd,cAAc,EAAE,IAAI;YACpB,YAAY,EAAE,EAAE;SACjB,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAiB;QAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAmB,EAAE,CAAC;QACpC,MAAM,aAAa,GAAwB,EAAE,CAAC;QAE9C,wCAAwC;QACxC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC;QAExC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,mBAAmB,CAC7B,OAAO,EACP,GAAG,EACH,QAAQ,EACR,aAAa,EACb,MAAM,CACP,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,mBAAmB,CAC7B,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,EACjC,IAAI,EACJ,QAAQ,EACR,MAAM,CACP,CAAC;IACJ,CAAC;IAEO,UAAU,CAChB,GAAY,EACZ,IAAY,EACZ,QAAwB,EACxB,aAAkC;QAElC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO;QAE9C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YACpD,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACpC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YACpE,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;gBACxE,gCAAgC;gBAChC,IAAI,CAAC,UAAU,CACb,GAAG,EACH,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,QAAQ,GAAG,GAAG,EACvC,QAAQ,EACR,aAAa,CACd,CAAC;gBACF,IAAI,CAAC,UAAU,CACb,GAAG,EACH,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,EAC7B,QAAQ,EACR,aAAa,CACd,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAEO,UAAU,CAChB,KAAa,EACb,IAAY,EACZ,QAAwB,EACxB,aAAkC;QAElC,4CAA4C;QAC5C,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,kBAAkB,EAAE,CAAC;YAC1E,oBAAoB;YACpB,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ;oBACR,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE;oBAChC,WAAW,EAAE,GAAG,WAAW,QAAQ,IAAI,GAAG;oBAC1C,QAAQ,EAAE;wBACR,SAAS,OAAO,CAAC,MAAM,cAAc;wBACrC,gBAAgB,OAAO;6BACpB,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;6BACX,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,KAAK,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACrE;6BACA,IAAI,CAAC,IAAI,CAAC,EAAE;qBAChB;oBACD,WAAW,EAAE,UAAU,IAAI,4BAA4B;iBACxD,CAAC,CAAC;gBAEH,aAAa,CAAC,IAAI,CAAC;oBACjB,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,UAAU;oBAChB,aAAa,EAAE,IAAI,OAAO,CAAC,MAAM,IAAI,IAAI,SAAS;oBAClD,QAAQ,EAAE,YAAY;oBACtB,MAAM,EAAE,WAAW;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAChD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,qBAAqB;gBAC3B,WAAW,EAAE,kDAAkD,IAAI,GAAG;gBACtE,QAAQ,EAAE,UAAU;qBACjB,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;qBACZ,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,SAAS,iBAAiB,CAAC,CAAC,SAAS,GAAG,CACpE;gBACH,WAAW,EACT,mEAAmE;aACtE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,gBAAgB,CACtB,KAAa;QAEb,MAAM,OAAO,GAIR,EAAE,CAAC;QAER,wEAAwE;QACxE,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ;YAAE,OAAO,OAAO,CAAC;QAE9B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,SAAS,EAAE,IAAI;yBACZ,UAAU,CAAC,CAAC,CAAC;yBACb,QAAQ,CAAC,EAAE,CAAC;yBACZ,WAAW,EAAE;yBACb,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBACnB,SAAS,EAAE,MAAM;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,WAAW,CAAC,SAAiB,EAAE,EAAU;QAC/C,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS;YACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,UAAU;YACV,UAAU,EAAE,CAAC;YACb,gBAAgB,EAAE,UAAU;SAC7B,CAAC;IACJ,CAAC;CACF"}
+{"version":3,"file":"L2-charset-sanitizer.js","sourceRoot":"","sources":["../../../src/layers/implementations/L2-charset-sanitizer.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,iCAAiC;AAEjC;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AASnE;;GAEG;AACH,MAAM,kBAAkB,GAKnB;IACH;QACE,IAAI,EAAE,eAAe;QACrB,qEAAqE;QACrE,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wEAAwE;KACtF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,mDAAmD;QACnD,OAAO,EAAE,6BAA6B;QACtC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;KAC3E;IACD;QACE,IAAI,EAAE,eAAe;QACrB,oFAAoF;QACpF,OAAO,EAAE,4CAA4C;QACrD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mEAAmE;KACjF;IACD;QACE,IAAI,EAAE,WAAW;QACjB,uEAAuE;QACvE,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sDAAsD;KACpE;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,oCAAoC;QACpC,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kDAAkD;KAChE;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,2DAA2D;QAC3D,OAAO,EAAE,SAAS;QAClB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,wDAAwD;KACtE;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,4DAA4D;QAC5D,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,6DAA6D;KAC3E;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;IACtC,QAAQ,EAAE,GAAG,EAAE,uBAAuB;CACvC,CAAC;AAEF;;;;GAIG;AACH,MAAM,OAAO,kBAAmB,SAAQ,iBAAiB;IACvD;QACE,KAAK,CACH,iBAAiB,CAAC,CAAC,EAAE,yBAAyB,EAAE;YAC9C,WAAW,EAAE,gGAAgG;YAC7G,IAAI,EAAE,kBAAkB;YACxB,aAAa,EAAE,kBAAkB;YACjC,gBAAgB,EAAE,CAAC,kBAAkB,EAAE,eAAe,CAAC;YACvD,QAAQ,EAAE,OAAO;YACjB,QAAQ,EAAE,IAAI;YACd,SAAS,EAAE,GAAG;YACd,cAAc,EAAE,IAAI;YACpB,YAAY,EAAE,EAAE;SACjB,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAiB;QAC7B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAmB,EAAE,CAAC;QACpC,MAAM,aAAa,GAAwB,EAAE,CAAC;QAE9C,wCAAwC;QACxC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC;QAExC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;QACjF,CAAC;QAED,OAAO,IAAI,CAAC,mBAAmB,CAC7B,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,EACjC,IAAI,EACJ,QAAQ,EACR,MAAM,CACP,CAAC;IACJ,CAAC;IAEO,UAAU,CAChB,GAAY,EACZ,IAAY,EACZ,QAAwB,EACxB,aAAkC;QAElC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO;QAE9C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YACpD,OAAO;QACT,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACpC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YACpE,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;gBACxE,gCAAgC;gBAChC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,QAAQ,GAAG,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;gBACvF,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;IACH,CAAC;IAEO,UAAU,CAChB,KAAa,EACb,IAAY,EACZ,QAAwB,EACxB,aAAkC;QAElC,4CAA4C;QAC5C,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,kBAAkB,EAAE,CAAC;YAC1E,oBAAoB;YACpB,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ;oBACR,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE;oBAChC,WAAW,EAAE,GAAG,WAAW,QAAQ,IAAI,GAAG;oBAC1C,QAAQ,EAAE;wBACR,SAAS,OAAO,CAAC,MAAM,cAAc;wBACrC,gBAAgB,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;qBAChI;oBACD,WAAW,EAAE,UAAU,IAAI,4BAA4B;iBACxD,CAAC,CAAC;gBAEH,aAAa,CAAC,IAAI,CAAC;oBACjB,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,UAAU;oBAChB,aAAa,EAAE,IAAI,OAAO,CAAC,MAAM,IAAI,IAAI,SAAS;oBAClD,QAAQ,EAAE,YAAY;oBACtB,MAAM,EAAE,WAAW;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAChD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,qBAAqB;gBAC3B,WAAW,EAAE,kDAAkD,IAAI,GAAG;gBACtE,QAAQ,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,SAAS,iBAAiB,CAAC,CAAC,SAAS,GAAG,CACpE;gBACD,WAAW,EAAE,mEAAmE;aACjF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,MAAM,OAAO,GAAkE,EAAE,CAAC;QAElF,wEAAwE;QACxE,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ;YAAE,OAAO,OAAO,CAAC;QAE9B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBACzE,SAAS,EAAE,MAAM;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,WAAW,CAAC,SAAiB,EAAE,EAAU;QAC/C,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS;YACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,UAAU;YACV,UAAU,EAAE,CAAC;YACb,gBAAgB,EAAE,UAAU;SAC7B,CAAC;IACJ,CAAC;CACF"}

package/dist/layers/implementations/L3-schema-conformance.d.ts

@@ -10,8 +10,8 @@
  *
  * @packageDocumentation
  */
-import { BaseSecurityLayer } from "../index.js";
-import type { LayerInput, LayerExecutionResult } from "../types.js";
+import { BaseSecurityLayer } from '../index.js';
+import type { LayerInput, LayerExecutionResult } from '../types.js';
 /**
  * Schema definition for a known action
  */
@@ -25,7 +25,7 @@ export interface ActionSchema {
     /** Maximum number of extra fields allowed beyond defined ones */
     maxExtraFields?: number;
 }
-type FieldType = "string" | "number" | "boolean" | "object" | "array" | "string[]" | "number[]";
+type FieldType = 'string' | 'number' | 'boolean' | 'object' | 'array' | 'string[]' | 'number[]';
 /**
  * L3 Schema Conformance Validator
  *

package/dist/layers/implementations/L3-schema-conformance.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"L3-schema-conformance.d.ts","sourceRoot":"","sources":["../../../src/layers/implementations/L3-schema-conformance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAqB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EACV,UAAU,EACV,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AAErB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,kBAAkB;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpC,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACrC,iEAAiE;IACjE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,KAAK,SAAS,GACV,QAAQ,GACR,QAAQ,GACR,SAAS,GACT,QAAQ,GACR,OAAO,GACP,UAAU,GACV,UAAU,CAAC;AAiDf;;;;GAIG;AACH,qBAAa,mBAAoB,SAAQ,iBAAiB;IACxD,OAAO,CAAC,OAAO,CAA4B;gBAE/B,iBAAiB,CAAC,EAAE,YAAY,EAAE;IA2B9C;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAIpC,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAmI/D,OAAO,CAAC,SAAS;IA+DjB,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,WAAW;CAUpB"}
+{"version":3,"file":"L3-schema-conformance.d.ts","sourceRoot":"","sources":["../../../src/layers/implementations/L3-schema-conformance.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,iBAAiB,EAAqB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EAAE,UAAU,EAAE,oBAAoB,EAA6B,MAAM,aAAa,CAAC;AAE/F;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,kBAAkB;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpC,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACrC,iEAAiE;IACjE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,KAAK,SAAS,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,GAAG,UAAU,GAAG,UAAU,CAAC;AA4ChG;;;;GAIG;AACH,qBAAa,mBAAoB,SAAQ,iBAAiB;IACxD,OAAO,CAAC,OAAO,CAA4B;gBAE/B,iBAAiB,CAAC,EAAE,YAAY,EAAE;IA0B9C;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAIpC,OAAO,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA2H/D,OAAO,CAAC,SAAS;IAyCjB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,WAAW;CAUpB"}

package/dist/layers/implementations/L3-schema-conformance.js

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024-2026 Vorion LLC
 /**
  * L3 — Schema Conformance Validator
  *
@@ -10,50 +12,45 @@
  *
  * @packageDocumentation
  */
-import { BaseSecurityLayer, createLayerConfig } from "../index.js";
+import { BaseSecurityLayer, createLayerConfig } from '../index.js';
 /**
  * Built-in action schemas for the ATSF governance pipeline
  */
 const KNOWN_ACTION_SCHEMAS = [
     {
-        action: "query",
-        required: { content: "string" },
-        optional: {
-            context: "object",
-            model: "string",
-            temperature: "number",
-            maxTokens: "number",
-        },
+        action: 'query',
+        required: { content: 'string' },
+        optional: { context: 'object', model: 'string', temperature: 'number', maxTokens: 'number' },
         maxExtraFields: 10,
     },
     {
-        action: "execute",
-        required: { content: "string", target: "string" },
-        optional: { args: "object", timeout: "number", dryRun: "boolean" },
+        action: 'execute',
+        required: { content: 'string', target: 'string' },
+        optional: { args: 'object', timeout: 'number', dryRun: 'boolean' },
         maxExtraFields: 5,
     },
     {
-        action: "read",
-        required: { content: "string", resource: "string" },
-        optional: { format: "string", limit: "number", offset: "number" },
+        action: 'read',
+        required: { content: 'string', resource: 'string' },
+        optional: { format: 'string', limit: 'number', offset: 'number' },
         maxExtraFields: 5,
     },
     {
-        action: "write",
-        required: { content: "string", resource: "string", data: "object" },
-        optional: { overwrite: "boolean", format: "string" },
+        action: 'write',
+        required: { content: 'string', resource: 'string', data: 'object' },
+        optional: { overwrite: 'boolean', format: 'string' },
         maxExtraFields: 5,
     },
     {
-        action: "delete",
-        required: { content: "string", resource: "string" },
-        optional: { recursive: "boolean", force: "boolean" },
+        action: 'delete',
+        required: { content: 'string', resource: 'string' },
+        optional: { recursive: 'boolean', force: 'boolean' },
         maxExtraFields: 3,
     },
     {
-        action: "communicate",
-        required: { content: "string", recipient: "string" },
-        optional: { channel: "string", priority: "string", metadata: "object" },
+        action: 'communicate',
+        required: { content: 'string', recipient: 'string' },
+        optional: { channel: 'string', priority: 'string', metadata: 'object' },
         maxExtraFields: 5,
     },
 ];
@@ -65,12 +62,12 @@ const KNOWN_ACTION_SCHEMAS = [
 export class L3SchemaConformance extends BaseSecurityLayer {
     schemas;
     constructor(additionalSchemas) {
-        super(createLayerConfig(3, "Schema Conformance", {
-            description: "Validates payload action and fields against known schemas",
-            tier: "input_validation",
-            primaryThreat: "unauthorized_action",
-            secondaryThreats: ["capability_abuse", "prompt_injection"],
-            failMode: "block",
+        super(createLayerConfig(3, 'Schema Conformance', {
+            description: 'Validates payload action and fields against known schemas',
+            tier: 'input_validation',
+            primaryThreat: 'unauthorized_action',
+            secondaryThreats: ['capability_abuse', 'prompt_injection'],
+            failMode: 'block',
             required: true,
             timeoutMs: 200,
             parallelizable: true,
@@ -98,57 +95,57 @@ export class L3SchemaConformance extends BaseSecurityLayer {
         const findings = [];
         const payload = input.payload;
         // 1. Check that action field exists
-        const action = payload["action"];
+        const action = payload['action'];
         if (action === undefined || action === null) {
             findings.push({
-                type: "threat_detected",
-                severity: "high",
-                code: "L3_MISSING_ACTION",
+                type: 'threat_detected',
+                severity: 'high',
+                code: 'L3_MISSING_ACTION',
                 description: 'Payload has no "action" field — cannot determine request type',
-                evidence: ["payload.action is undefined"],
+                evidence: ['payload.action is undefined'],
                 remediation: 'Include an "action" field in the payload (e.g., "query", "execute", "read")',
             });
             const timing = this.buildTiming(startedAt, t0);
-            return this.createFailureResult("deny", 0.9, findings, timing);
+            return this.createFailureResult('deny', 0.9, findings, timing);
         }
-        if (typeof action !== "string") {
+        if (typeof action !== 'string') {
             findings.push({
-                type: "threat_detected",
-                severity: "high",
-                code: "L3_INVALID_ACTION_TYPE",
+                type: 'threat_detected',
+                severity: 'high',
+                code: 'L3_INVALID_ACTION_TYPE',
                 description: `Action field must be a string, got ${typeof action}`,
                 evidence: [`typeof action = ${typeof action}`],
-                remediation: "Provide action as a string value",
+                remediation: 'Provide action as a string value',
             });
             const timing = this.buildTiming(startedAt, t0);
-            return this.createFailureResult("deny", 0.9, findings, timing);
+            return this.createFailureResult('deny', 0.9, findings, timing);
         }
         // 2. Look up schema for this action
         const schema = this.schemas.get(action);
         if (!schema) {
             findings.push({
-                type: "threat_detected",
-                severity: "medium",
-                code: "L3_UNKNOWN_ACTION",
+                type: 'threat_detected',
+                severity: 'medium',
+                code: 'L3_UNKNOWN_ACTION',
                 description: `Unknown action '${action}' — not in registered schemas`,
                 evidence: [
                     `action=${action}`,
-                    `known actions: ${Array.from(this.schemas.keys()).join(", ")}`,
+                    `known actions: ${Array.from(this.schemas.keys()).join(', ')}`,
                 ],
-                remediation: `Use a known action: ${Array.from(this.schemas.keys()).join(", ")}`,
+                remediation: `Use a known action: ${Array.from(this.schemas.keys()).join(', ')}`,
             });
             const timing = this.buildTiming(startedAt, t0);
             // Unknown actions are escalated, not denied — allows extension
-            return this.createFailureResult("escalate", 0.7, findings, timing);
+            return this.createFailureResult('escalate', 0.7, findings, timing);
         }
         // 3. Check required fields
         for (const [field, expectedType] of Object.entries(schema.required)) {
             const value = payload[field];
             if (value === undefined || value === null) {
                 findings.push({
-                    type: "threat_detected",
-                    severity: "high",
-                    code: "L3_MISSING_REQUIRED_FIELD",
+                    type: 'threat_detected',
+                    severity: 'high',
+                    code: 'L3_MISSING_REQUIRED_FIELD',
                     description: `Required field '${field}' missing for action '${action}'`,
                     evidence: [`field=${field}, action=${action}`],
                     remediation: `Include required field '${field}' (type: ${expectedType})`,
@@ -175,7 +172,7 @@ export class L3SchemaConformance extends BaseSecurityLayer {
         }
         // 5. Check for unexpected extra fields
         const allKnownFields = new Set([
-            "action",
+            'action',
             ...Object.keys(schema.required),
             ...Object.keys(schema.optional ?? {}),
         ]);
@@ -183,61 +180,57 @@ export class L3SchemaConformance extends BaseSecurityLayer {
         const maxExtra = schema.maxExtraFields ?? 10;
         if (extraFields.length > maxExtra) {
             findings.push({
-                type: "warning",
-                severity: "medium",
-                code: "L3_EXCESS_EXTRA_FIELDS",
+                type: 'warning',
+                severity: 'medium',
+                code: 'L3_EXCESS_EXTRA_FIELDS',
                 description: `${extraFields.length} extra fields exceed maximum ${maxExtra} for action '${action}'`,
-                evidence: [
-                    `extra fields: ${extraFields.slice(0, 10).join(", ")}${extraFields.length > 10 ? "..." : ""}`,
-                ],
+                evidence: [`extra fields: ${extraFields.slice(0, 10).join(', ')}${extraFields.length > 10 ? '...' : ''}`],
                 remediation: `Reduce extra fields to at most ${maxExtra}`,
             });
         }
         const timing = this.buildTiming(startedAt, t0);
-        const hasHigh = findings.some((f) => f.severity === "high" || f.severity === "critical");
+        const hasHigh = findings.some((f) => f.severity === 'high' || f.severity === 'critical');
         const passed = !hasHigh;
         if (passed) {
-            return this.createSuccessResult("allow", 0.9, findings, [], timing);
+            return this.createSuccessResult('allow', 0.9, findings, [], timing);
         }
-        return this.createFailureResult("deny", 0.85, findings, timing);
+        return this.createFailureResult('deny', 0.85, findings, timing);
     }
     checkType(value, expectedType, field) {
         switch (expectedType) {
-            case "string":
-                if (typeof value !== "string") {
+            case 'string':
+                if (typeof value !== 'string') {
                     return this.typeError(field, expectedType, typeof value);
                 }
                 break;
-            case "number":
-                if (typeof value !== "number" || !Number.isFinite(value)) {
+            case 'number':
+                if (typeof value !== 'number' || !Number.isFinite(value)) {
                     return this.typeError(field, expectedType, typeof value);
                 }
                 break;
-            case "boolean":
-                if (typeof value !== "boolean") {
+            case 'boolean':
+                if (typeof value !== 'boolean') {
                     return this.typeError(field, expectedType, typeof value);
                 }
                 break;
-            case "object":
-                if (typeof value !== "object" || Array.isArray(value)) {
-                    return this.typeError(field, expectedType, Array.isArray(value) ? "array" : typeof value);
+            case 'object':
+                if (typeof value !== 'object' || Array.isArray(value)) {
+                    return this.typeError(field, expectedType, Array.isArray(value) ? 'array' : typeof value);
                 }
                 break;
-            case "array":
+            case 'array':
                 if (!Array.isArray(value)) {
                     return this.typeError(field, expectedType, typeof value);
                 }
                 break;
-            case "string[]":
-                if (!Array.isArray(value) ||
-                    !value.every((v) => typeof v === "string")) {
-                    return this.typeError(field, expectedType, Array.isArray(value) ? "mixed array" : typeof value);
+            case 'string[]':
+                if (!Array.isArray(value) || !value.every((v) => typeof v === 'string')) {
+                    return this.typeError(field, expectedType, Array.isArray(value) ? 'mixed array' : typeof value);
                 }
                 break;
-            case "number[]":
-                if (!Array.isArray(value) ||
-                    !value.every((v) => typeof v === "number")) {
-                    return this.typeError(field, expectedType, Array.isArray(value) ? "mixed array" : typeof value);
+            case 'number[]':
+                if (!Array.isArray(value) || !value.every((v) => typeof v === 'number')) {
+                    return this.typeError(field, expectedType, Array.isArray(value) ? 'mixed array' : typeof value);
                 }
                 break;
         }
@@ -245,9 +238,9 @@ export class L3SchemaConformance extends BaseSecurityLayer {
     }
     typeError(field, expected, actual) {
         return {
-            type: "threat_detected",
-            severity: "high",
-            code: "L3_TYPE_MISMATCH",
+            type: 'threat_detected',
+            severity: 'high',
+            code: 'L3_TYPE_MISMATCH',
             description: `Field '${field}' expected type '${expected}', got '${actual}'`,
             evidence: [`field=${field}, expected=${expected}, actual=${actual}`],
             remediation: `Provide '${field}' as type '${expected}'`,