agentshield-sdk 7.0.0

package/src/rag-vulnerability.js

@@ -0,0 +1,579 @@
+'use strict';
+
+/**
+ * Agent Shield — RAG/Vector Vulnerability Scanner (OWASP LLM08-2025)
+ *
+ * Detects vulnerabilities in RAG (Retrieval-Augmented Generation) systems
+ * including embedding manipulation, chunk boundary attacks, retrieval
+ * poisoning, and context window stuffing.
+ *
+ * All processing runs locally — no data ever leaves your environment.
+ */
+
+// =========================================================================
+// RAG vulnerability patterns
+// =========================================================================
+
+/**
+ * Patterns for RAG-specific attack vectors.
+ * @type {Array<object>}
+ */
+const RAG_VULNERABILITY_PATTERNS = [
+  // Chunk boundary manipulation
+  { pattern: /(?:\n{5,}|\r\n{5,}).{0,500}(?:ignore|override|forget|system|assistant)/is, severity: 'high', category: 'chunk_boundary', technique: 'boundary_manipulation', description: 'Whitespace padding to manipulate chunk boundaries', mitigation: 'Normalize whitespace before chunking' },
+  { pattern: /[\x00-\x08\x0B\x0C\x0E-\x1F]{3,}.{0,500}(?:ignore|override|system)/is, severity: 'high', category: 'chunk_boundary', technique: 'boundary_manipulation', description: 'Control characters to split across chunk boundaries', mitigation: 'Strip control characters before chunking' },
+
+  // Metadata injection
+  { pattern: /(?:title|author|subject|keywords|description)\s*[:=]\s*.{0,200}(?:ignore|override|forget|system\s+prompt)/i, severity: 'high', category: 'metadata_injection', technique: 'metadata_poisoning', description: 'Injection payload in document metadata fields', mitigation: 'Sanitize document metadata before indexing' },
+  { pattern: /(?:source|origin|ref|citation)\s*[:=]\s*(?:system|admin|internal|trusted)/i, severity: 'medium', category: 'metadata_injection', technique: 'authority_spoofing', description: 'Spoofed authority metadata to increase trust', mitigation: 'Do not use metadata for trust decisions' },
+
+  // Cross-document injection
+  { pattern: /(?:regarding|about|in\s+reference\s+to|see\s+also)\s+(?:document|file|page)\s+.{0,30}(?:ignore|override|forget|instead)/i, severity: 'high', category: 'cross_document', technique: 'cross_doc_injection', description: 'Cross-document reference with injection payload', mitigation: 'Isolate document contexts during retrieval' },
+  { pattern: /(?:the\s+(?:previous|following|other|related)\s+(?:document|source|context))\s+(?:says|states|instructs|requires)\s+(?:you\s+)?(?:to|should|must)/i, severity: 'high', category: 'cross_document', technique: 'cross_doc_authority', description: 'Claimed authority from other documents', mitigation: 'Treat each retrieved document independently' },
+
+  // Retrieval poisoning
+  { pattern: /(?:\S+\s+){15,}(?:ignore|override|forget)/i, severity: 'medium', category: 'retrieval_poisoning', technique: 'keyword_stuffing', description: 'Keyword stuffing to influence retrieval ranking', mitigation: 'Use semantic similarity, not just keyword matching' },
+
+  // Context window stuffing
+  { pattern: /(.{50,100})\1{3,}/s, severity: 'medium', category: 'context_stuffing', technique: 'repetition_attack', description: 'Repeated content to consume context window', mitigation: 'Deduplicate retrieved content before injection' },
+
+  // Embedding space attacks
+  { pattern: /(?:(?:the\s+){5,}|(?:a\s+){5,}|(?:is\s+){5,})/i, severity: 'medium', category: 'embedding_attack', technique: 'embedding_manipulation', description: 'Repeated tokens to manipulate embedding space position', mitigation: 'Filter documents with abnormal token distributions' },
+
+  // Hidden instructions in documents
+  { pattern: /<!--\s*(?:system|instruction|ai|llm|gpt|claude|assistant)\s*[:>]/i, severity: 'critical', category: 'hidden_instruction', technique: 'html_comment_injection', description: 'Hidden AI instructions in HTML comments', mitigation: 'Strip HTML comments from retrieved documents' },
+  { pattern: /\u200B[^\u200B]{10,}\u200B/i, severity: 'high', category: 'hidden_instruction', technique: 'zero_width_hiding', description: 'Content hidden between zero-width spaces', mitigation: 'Remove zero-width characters from documents' },
+  { pattern: /<(?:div|span|p)[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|opacity\s*:\s*0)[^>]*>/i, severity: 'critical', category: 'hidden_instruction', technique: 'css_hiding', description: 'CSS-hidden content with potential instructions', mitigation: 'Strip hidden HTML elements before indexing' }
+];
+
+// =========================================================================
+// Vector DB security checklist
+// =========================================================================
+
+/**
+ * Security checklist for popular vector databases.
+ * @type {Array<object>}
+ */
+const VECTOR_DB_SECURITY_CHECKLIST = [
+  // General
+  { item: 'Enable authentication for all vector DB connections', risk: 'high', recommendation: 'Use API keys or mTLS for all connections', applies: ['all'] },
+  { item: 'Enable TLS/SSL for data in transit', risk: 'high', recommendation: 'Encrypt all communications between app and vector DB', applies: ['all'] },
+  { item: 'Enable encryption at rest for stored vectors', risk: 'high', recommendation: 'Use disk encryption or DB-native encryption', applies: ['all'] },
+  { item: 'Implement access control for collections/indexes', risk: 'medium', recommendation: 'Use RBAC to restrict which services can read/write which collections', applies: ['all'] },
+  { item: 'Rate limit vector search queries', risk: 'medium', recommendation: 'Prevent enumeration attacks via query rate limiting', applies: ['all'] },
+  { item: 'Audit log all vector operations', risk: 'medium', recommendation: 'Log inserts, deletes, and searches for forensic analysis', applies: ['all'] },
+  { item: 'Validate embedding dimensions before insertion', risk: 'low', recommendation: 'Reject vectors with wrong dimensions to prevent data corruption', applies: ['all'] },
+  { item: 'Sanitize metadata before storage', risk: 'high', recommendation: 'Strip or validate all metadata fields before indexing', applies: ['all'] },
+
+  // Platform-specific
+  { item: 'Pinecone: Use namespaces for tenant isolation', risk: 'high', recommendation: 'Separate tenants into different namespaces', applies: ['pinecone'] },
+  { item: 'Weaviate: Configure OIDC authentication', risk: 'high', recommendation: 'Use OIDC rather than anonymous access', applies: ['weaviate'] },
+  { item: 'Qdrant: Enable API key authentication', risk: 'high', recommendation: 'Set QDRANT__SERVICE__API_KEY', applies: ['qdrant'] },
+  { item: 'Chroma: Use server mode with auth (not in-process)', risk: 'high', recommendation: 'Run Chroma as a server with token auth, not embedded', applies: ['chroma'] },
+  { item: 'Milvus: Enable TLS and user authentication', risk: 'high', recommendation: 'Configure milvus.yaml with TLS and RBAC', applies: ['milvus'] },
+  { item: 'pgvector: Use PostgreSQL roles and row-level security', risk: 'high', recommendation: 'Leverage PostgreSQL RLS for multi-tenant isolation', applies: ['pgvector'] }
+];
+
+// =========================================================================
+// RAGVulnerabilityScanner
+// =========================================================================
+
+class RAGVulnerabilityScanner {
+  /**
+   * @param {object} [options]
+   * @param {number} [options.chunkSize=512] - Expected chunk size in tokens
+   * @param {number} [options.overlapSize=50] - Chunk overlap in tokens
+   * @param {number} [options.maxRetrievedDocs=10] - Maximum retrieved documents
+   * @param {number} [options.embeddingDimension=1536] - Embedding dimension
+   */
+  constructor(options = {}) {
+    this.chunkSize = options.chunkSize || 512;
+    this.overlapSize = options.overlapSize || 50;
+    this.maxRetrievedDocs = options.maxRetrievedDocs || 10;
+    this.embeddingDimension = options.embeddingDimension || 1536;
+    this.stats = { chunksScanned: 0, setsScanned: 0, threatsFound: 0 };
+  }
+
+  /**
+   * Scans a single chunk for RAG-specific injection patterns.
+   * @param {string} chunk - Document chunk text
+   * @param {object} [metadata] - Chunk metadata
+   * @returns {{ safe: boolean, threats: Array, recommendations: Array }}
+   */
+  scanChunk(chunk, metadata = {}) {
+    this.stats.chunksScanned++;
+    const threats = [];
+    const recommendations = new Set();
+
+    for (const vp of RAG_VULNERABILITY_PATTERNS) {
+      if (vp.pattern.test(chunk)) {
+        threats.push({
+          severity: vp.severity,
+          category: vp.category,
+          technique: vp.technique,
+          description: vp.description,
+          source: metadata.source || 'unknown'
+        });
+        recommendations.add(vp.mitigation);
+        this.stats.threatsFound++;
+      }
+    }
+
+    // Check metadata for injection
+    if (metadata) {
+      const metaStr = JSON.stringify(metadata);
+      for (const vp of RAG_VULNERABILITY_PATTERNS.filter(p => p.category === 'metadata_injection')) {
+        if (vp.pattern.test(metaStr)) {
+          threats.push({
+            severity: vp.severity,
+            category: 'metadata_injection',
+            technique: vp.technique,
+            description: `Metadata: ${vp.description}`,
+            source: metadata.source || 'unknown'
+          });
+          recommendations.add(vp.mitigation);
+        }
+      }
+    }
+
+    return { safe: threats.length === 0, threats, recommendations: [...recommendations] };
+  }
+
+  /**
+   * Scans a set of retrieved chunks for cross-document attacks.
+   * @param {Array<string>} chunks - Retrieved chunks
+   * @param {string} query - Original query
+   * @returns {{ safe: boolean, threats: Array, crossDocRisks: Array }}
+   */
+  scanRetrievalSet(chunks, query) {
+    this.stats.setsScanned++;
+    const threats = [];
+    const crossDocRisks = [];
+
+    // Scan each chunk individually
+    for (let i = 0; i < chunks.length; i++) {
+      const result = this.scanChunk(chunks[i], { source: `chunk_${i}` });
+      threats.push(...result.threats);
+    }
+
+    // Check for cross-document patterns
+    const combined = chunks.join('\n---\n');
+    for (const vp of RAG_VULNERABILITY_PATTERNS.filter(p => p.category === 'cross_document')) {
+      if (vp.pattern.test(combined)) {
+        crossDocRisks.push({
+          severity: vp.severity,
+          technique: vp.technique,
+          description: vp.description
+        });
+      }
+    }
+
+    // Check total context size vs typical window
+    const totalTokens = chunks.reduce((sum, c) => sum + c.split(/\s+/).length, 0);
+    if (totalTokens > 4000) {
+      crossDocRisks.push({
+        severity: 'medium',
+        technique: 'context_overflow',
+        description: `Retrieved content is ~${totalTokens} tokens — may push system prompt out of context window`
+      });
+    }
+
+    // Check for excessive similarity between chunks (possible stuffing)
+    if (chunks.length >= 3) {
+      const unique = new Set(chunks.map(c => c.trim().substring(0, 200)));
+      if (unique.size < chunks.length * 0.5) {
+        crossDocRisks.push({
+          severity: 'medium',
+          technique: 'retrieval_stuffing',
+          description: 'Multiple retrieved chunks are near-duplicates — possible stuffing attack'
+        });
+      }
+    }
+
+    return { safe: threats.length === 0 && crossDocRisks.length === 0, threats, crossDocRisks };
+  }
+
+  /**
+   * Analyzes chunk boundaries for potential injection vectors.
+   * @param {Array<string>} chunks - Ordered chunks from a document
+   * @returns {{ risks: Array, recommendations: Array }}
+   */
+  analyzeChunkBoundaries(chunks) {
+    const risks = [];
+    const recommendations = [];
+
+    for (let i = 0; i < chunks.length - 1; i++) {
+      const endOfCurrent = chunks[i].slice(-100);
+      const startOfNext = chunks[i + 1].slice(0, 100);
+
+      // Check if an instruction spans the boundary
+      const boundary = endOfCurrent + startOfNext;
+      if (/(?:ignore|override|forget|system)\s+(?:all\s+)?(?:previous|prior|instructions|rules)/i.test(boundary)) {
+        risks.push({
+          severity: 'high',
+          boundary: `chunks[${i}]-chunks[${i + 1}]`,
+          description: 'Injection payload spans chunk boundary'
+        });
+      }
+
+      // Check for mid-sentence splits
+      if (/\S$/.test(endOfCurrent) && /^\S/.test(startOfNext)) {
+        risks.push({
+          severity: 'low',
+          boundary: `chunks[${i}]-chunks[${i + 1}]`,
+          description: 'Chunk split mid-word — could disrupt pattern detection'
+        });
+        recommendations.push('Use sentence-aware chunking to avoid mid-word splits');
+      }
+    }
+
+    if (this.overlapSize < 20) {
+      recommendations.push('Increase chunk overlap to at least 20 tokens to prevent boundary evasion');
+    }
+
+    return { risks, recommendations: [...new Set(recommendations)] };
+  }
+
+  /**
+   * Validates document metadata for manipulation.
+   * @param {object} metadata - Document metadata
+   * @returns {{ valid: boolean, warnings: Array }}
+   */
+  validateMetadata(metadata) {
+    const warnings = [];
+
+    if (!metadata || typeof metadata !== 'object') {
+      return { valid: true, warnings: [] };
+    }
+
+    const metaStr = JSON.stringify(metadata);
+
+    // Check for injection in metadata values
+    if (/(?:ignore|override|forget|disregard)\s+(?:all|previous|prior|system)/i.test(metaStr)) {
+      warnings.push({ field: 'general', severity: 'high', message: 'Injection pattern detected in metadata' });
+    }
+
+    // Check for spoofed trust signals
+    if (/(?:trusted|verified|internal|system|admin)[:=]/i.test(metaStr)) {
+      warnings.push({ field: 'trust', severity: 'medium', message: 'Metadata contains trust-level indicators that could be spoofed' });
+    }
+
+    // Check for excessively long metadata
+    if (metaStr.length > 10000) {
+      warnings.push({ field: 'size', severity: 'medium', message: 'Metadata is unusually large — could be used for context stuffing' });
+    }
+
+    return { valid: warnings.length === 0, warnings };
+  }
+
+  /**
+   * Assesses if retrieved docs could push system prompt out of context window.
+   * @param {string} systemPrompt - System prompt
+   * @param {Array<string>} retrievedDocs - Retrieved documents
+   * @param {string} userQuery - User query
+   * @param {number} [contextWindowSize=8192] - Context window in tokens
+   * @returns {{ risk: string, details: object }}
+   */
+  assessContextWindowRisk(systemPrompt, retrievedDocs, userQuery, contextWindowSize = 8192) {
+    const promptTokens = systemPrompt.split(/\s+/).length;
+    const queryTokens = userQuery.split(/\s+/).length;
+    const docTokens = retrievedDocs.reduce((sum, d) => sum + d.split(/\s+/).length, 0);
+    const totalTokens = promptTokens + queryTokens + docTokens;
+    const ratio = totalTokens / contextWindowSize;
+
+    let risk = 'low';
+    if (ratio > 1.0) risk = 'critical';
+    else if (ratio > 0.8) risk = 'high';
+    else if (ratio > 0.6) risk = 'medium';
+
+    return {
+      risk,
+      details: {
+        contextWindowSize,
+        promptTokens,
+        queryTokens,
+        docTokens,
+        totalTokens,
+        utilizationPercent: Math.round(ratio * 100),
+        systemPromptAtRisk: ratio > 0.8
+      }
+    };
+  }
+
+  /**
+   * Returns scan statistics.
+   * @returns {object}
+   */
+  getStats() {
+    return { ...this.stats };
+  }
+}
+
+// =========================================================================
+// EmbeddingIntegrityChecker
+// =========================================================================
+
+class EmbeddingIntegrityChecker {
+  /**
+   * @param {object} [options]
+   * @param {number} [options.distanceThreshold=3.0] - Z-score threshold for anomalies
+   * @param {'zscore'|'isolation'} [options.anomalyMethod='zscore'] - Anomaly detection method
+   */
+  constructor(options = {}) {
+    this.distanceThreshold = options.distanceThreshold || 3.0;
+    this.anomalyMethod = options.anomalyMethod || 'zscore';
+  }
+
+  /**
+   * Statistical check for anomalous embeddings in a collection.
+   * @param {Array<Array<number>>} embeddings - Array of embedding vectors
+   * @returns {{ anomalyCount: number, anomalyIndices: number[], stats: object }}
+   */
+  checkDistribution(embeddings) {
+    if (embeddings.length < 3) {
+      return { anomalyCount: 0, anomalyIndices: [], zScores: [], stats: { mean: 0, stdDev: 0 } };
+    }
+
+    const normStats = this._computeNormStats(embeddings);
+    const { norms, mean, stdDev } = normStats;
+
+    const anomalyIndices = [];
+    const zScores = norms.map(n => stdDev > 0 ? Math.abs(n - mean) / stdDev : 0);
+    for (let i = 0; i < zScores.length; i++) {
+      if (zScores[i] > this.distanceThreshold) {
+        anomalyIndices.push(i);
+      }
+    }
+
+    return { anomalyCount: anomalyIndices.length, anomalyIndices, zScores, stats: { mean, stdDev, count: norms.length } };
+  }
+
+  /**
+   * Finds outlier embeddings that don't belong.
+   * @param {Array<Array<number>>} embeddings
+   * @param {Array<string>} [labels]
+   * @returns {Array<{ index: number, label: string, zScore: number }>}
+   */
+  detectOutliers(embeddings, labels = []) {
+    const result = this.checkDistribution(embeddings);
+    return result.anomalyIndices.map(i => ({
+      index: i,
+      label: labels[i] || `embedding_${i}`,
+      zScore: result.zScores[i]
+    }));
+  }
+
+  /**
+   * Detects embedding distribution drift over time.
+   * @param {Array<Array<number>>} baselineEmbeddings
+   * @param {Array<Array<number>>} currentEmbeddings
+   * @returns {{ drifted: boolean, driftScore: number, details: object }}
+   */
+  measureDrift(baselineEmbeddings, currentEmbeddings) {
+    if (baselineEmbeddings.length === 0 || currentEmbeddings.length === 0) {
+      return { drifted: false, driftScore: 0, details: { baselineMean: 0, currentMean: 0, baselineStdDev: 0 } };
+    }
+
+    const base = this._computeNormStats(baselineEmbeddings);
+    const curr = this._computeNormStats(currentEmbeddings);
+    const driftScore = base.stdDev > 0 ? Math.abs(curr.mean - base.mean) / base.stdDev : 0;
+
+    return {
+      drifted: driftScore > 2.0,
+      driftScore,
+      details: { baselineMean: base.mean, currentMean: curr.mean, baselineStdDev: base.stdDev }
+    };
+  }
+
+  /**
+   * Basic sanity check that embedding seems reasonable for its text length.
+   * @param {string} text
+   * @param {Array<number>} embedding
+   * @returns {{ valid: boolean, reason: string|null }}
+   */
+  validateEmbeddingConsistency(text, embedding) {
+    if (!Array.isArray(embedding) || embedding.length === 0) {
+      return { valid: false, reason: 'Embedding is empty or not an array' };
+    }
+
+    const norm = Math.sqrt(embedding.reduce((s, v) => s + v * v, 0));
+    if (norm === 0) {
+      return { valid: false, reason: 'Zero-norm embedding (all zeros)' };
+    }
+
+    if (embedding.some(v => !isFinite(v))) {
+      return { valid: false, reason: 'Embedding contains NaN or Infinity values' };
+    }
+
+    return { valid: true, reason: null };
+  }
+
+  /** @private */
+  _computeNormStats(embeddings) {
+    const norms = embeddings.map(e => Math.sqrt(e.reduce((s, v) => s + v * v, 0)));
+    const mean = norms.reduce((s, n) => s + n, 0) / norms.length;
+    const stdDev = Math.sqrt(norms.reduce((s, n) => s + (n - mean) ** 2, 0) / norms.length);
+    return { norms, mean, stdDev };
+  }
+}
+
+// =========================================================================
+// RAGPipelineAuditor
+// =========================================================================
+
+class RAGPipelineAuditor {
+  /**
+   * @param {object} pipelineConfig
+   * @param {string} [pipelineConfig.chunkingStrategy] - 'fixed', 'sentence', 'semantic'
+   * @param {string} [pipelineConfig.embeddingModel] - Embedding model name
+   * @param {string} [pipelineConfig.vectorDB] - Vector database name
+   * @param {string} [pipelineConfig.retrievalMethod] - 'similarity', 'mmr', 'hybrid'
+   * @param {boolean} [pipelineConfig.rerankingEnabled] - Whether reranking is used
+   */
+  constructor(pipelineConfig = {}) {
+    this.config = pipelineConfig;
+  }
+
+  /**
+   * Runs a security audit of the RAG pipeline configuration.
+   * @returns {{ score: number, grade: string, vulnerabilities: Array, recommendations: Array }}
+   */
+  audit() {
+    const vulns = this.getVulnerabilities();
+    const recs = this.getRecommendations();
+    const criticalCount = vulns.filter(v => v.severity === 'critical').length;
+    const highCount = vulns.filter(v => v.severity === 'high').length;
+
+    let score = 100;
+    score -= criticalCount * 20;
+    score -= highCount * 10;
+    score -= vulns.filter(v => v.severity === 'medium').length * 5;
+    score = Math.max(0, score);
+
+    let grade;
+    if (score >= 90) grade = 'A';
+    else if (score >= 75) grade = 'B';
+    else if (score >= 60) grade = 'C';
+    else if (score >= 40) grade = 'D';
+    else grade = 'F';
+
+    return { score, grade, vulnerabilities: vulns, recommendations: recs };
+  }
+
+  /**
+   * Lists potential vulnerabilities based on pipeline config.
+   * @returns {Array<object>}
+   */
+  getVulnerabilities() {
+    const vulns = [];
+
+    if (this.config.chunkingStrategy === 'fixed') {
+      vulns.push({ severity: 'medium', category: 'chunking', description: 'Fixed-size chunking may split injection payloads across boundaries, evading detection' });
+    }
+
+    if (!this.config.rerankingEnabled) {
+      vulns.push({ severity: 'medium', category: 'retrieval', description: 'No reranking — adversarial documents may rank higher than legitimate ones' });
+    }
+
+    if (this.config.retrievalMethod === 'similarity') {
+      vulns.push({ severity: 'medium', category: 'retrieval', description: 'Pure similarity search is susceptible to embedding space manipulation' });
+    }
+
+    if (!this.config.vectorDB) {
+      vulns.push({ severity: 'high', category: 'infrastructure', description: 'No vector DB specified — unable to verify storage security' });
+    }
+
+    // Always flag these fundamental RAG risks
+    vulns.push({ severity: 'medium', category: 'general', description: 'All RAG systems are inherently susceptible to indirect prompt injection via retrieved documents' });
+
+    return vulns;
+  }
+
+  /**
+   * Returns actionable security recommendations.
+   * @returns {Array<object>}
+   */
+  getRecommendations() {
+    const recs = [
+      { priority: 'high', recommendation: 'Scan all documents for injection patterns before indexing' },
+      { priority: 'high', recommendation: 'Sanitize document metadata before storage' },
+      { priority: 'high', recommendation: 'Implement context window budgeting to protect system prompts' },
+      { priority: 'medium', recommendation: 'Use sentence-aware or semantic chunking instead of fixed-size' },
+      { priority: 'medium', recommendation: 'Enable reranking to reduce impact of adversarial documents' },
+      { priority: 'medium', recommendation: 'Deduplicate retrieved chunks before injecting into context' },
+      { priority: 'low', recommendation: 'Monitor embedding distribution for drift that may indicate poisoning' }
+    ];
+
+    if (this.config.vectorDB) {
+      const dbChecklist = VECTOR_DB_SECURITY_CHECKLIST.filter(c =>
+        c.applies.includes('all') || c.applies.includes(this.config.vectorDB.toLowerCase())
+      );
+      for (const check of dbChecklist) {
+        recs.push({ priority: check.risk, recommendation: `[${this.config.vectorDB}] ${check.item}` });
+      }
+    }
+
+    return recs;
+  }
+
+  /**
+   * Generates a formatted audit report.
+   * @param {'text'|'json'|'markdown'} [format='text']
+   * @returns {string}
+   */
+  generateReport(format = 'text') {
+    const audit = this.audit();
+
+    if (format === 'json') {
+      return JSON.stringify({ ...audit, config: this.config, generatedAt: new Date().toISOString() }, null, 2);
+    }
+
+    if (format === 'markdown') {
+      const lines = [
+        '# RAG Pipeline Security Audit',
+        '',
+        `**Score:** ${audit.score}/100 (Grade ${audit.grade})`,
+        `**Generated:** ${new Date().toISOString()}`,
+        '',
+        '## Vulnerabilities',
+        ''
+      ];
+      for (const v of audit.vulnerabilities) {
+        lines.push(`- **[${v.severity.toUpperCase()}]** ${v.description}`);
+      }
+      lines.push('', '## Recommendations', '');
+      for (const r of audit.recommendations) {
+        lines.push(`- [${r.priority}] ${r.recommendation}`);
+      }
+      return lines.join('\n');
+    }
+
+    // text format
+    const lines = [
+      '=== RAG Pipeline Security Audit ===',
+      `Score: ${audit.score}/100 (Grade ${audit.grade})`,
+      '',
+      'Vulnerabilities:'
+    ];
+    for (const v of audit.vulnerabilities) {
+      lines.push(`  [${v.severity.toUpperCase().padEnd(8)}] ${v.description}`);
+    }
+    lines.push('', 'Recommendations:');
+    for (const r of audit.recommendations) {
+      lines.push(`  [${r.priority}] ${r.recommendation}`);
+    }
+    return lines.join('\n');
+  }
+}
+
+// =========================================================================
+// Exports
+// =========================================================================
+
+module.exports = {
+  RAG_VULNERABILITY_PATTERNS,
+  VECTOR_DB_SECURITY_CHECKLIST,
+  RAGVulnerabilityScanner,
+  EmbeddingIntegrityChecker,
+  RAGPipelineAuditor
+};