ai-shield-core 0.1.0 → 0.3.0

package/dist/context/wrap-context.js

@@ -0,0 +1,278 @@
+import { createHash } from "node:crypto";
+import { IngestionScanner } from "../scanner/ingestion.js";
+/**
+ * Build a `WrappedContext` from typed inputs.
+ *
+ * Trust assignment:
+ * - `system` -> system
+ * - `retrieved`/`tools`/`memory`/`web`/`agent-output` -> untrusted
+ * - `user` -> untrusted (a user is not trusted in this threat model — they
+ *   can also inject; the `untrusted` label means "scan aggressively")
+ * - any segment whose `label` matches one of `trustedLabels` -> trusted
+ *
+ * Trust does NOT mean "skip scanning". It only governs how
+ * `assemblePrompt()` and the per-segment policy decide whether to
+ * include the segment in the final assembled prompt.
+ */
+export function wrapContext(input) {
+    const segments = [];
+    const trustedLabels = (input.trustedLabels ?? []).map((s) => s.toLowerCase());
+    // Critic H1 — substring match would let an attacker-supplied label
+    // like "untrusted-doc-INTERNAL-kb-poisoned" claim trust because it
+    // CONTAINS the trusted prefix. Match exact or path-anchored only.
+    const isTrustedLabel = (label) => {
+        if (!label)
+            return false;
+        const lc = label.toLowerCase();
+        return trustedLabels.some((tl) => lc === tl || lc.startsWith(tl + "/"));
+    };
+    const push = (content, source, trust, label) => {
+        if (typeof content !== "string" || content.length === 0)
+            return;
+        segments.push({
+            source,
+            trust,
+            content,
+            label,
+            contentHash: hashContent(content),
+        });
+    };
+    // System: always trust=system. The `source` field is unused for
+    // system segments because `trust === "system"` is the authoritative
+    // signal — Analyst A2 round 1 review. We keep `source: "user"` here
+    // only because `ContextSegment.source` is non-optional; any code that
+    // branches on `seg.source` MUST first check `seg.trust !== "system"`.
+    if (input.system) {
+        push(input.system, "user", "system", "system-prompt");
+    }
+    // User messages.
+    if (input.user) {
+        const userInputs = Array.isArray(input.user) ? input.user : [input.user];
+        for (const u of userInputs) {
+            push(u, "user", "untrusted", "user");
+        }
+    }
+    // Helper for the array-of-{content,label} groups.
+    const pushGroup = (items, source) => {
+        if (!items)
+            return;
+        for (const item of items) {
+            const content = typeof item === "string" ? item : item.content;
+            const label = typeof item === "string" ? undefined : item.label;
+            const trust = isTrustedLabel(label) ? "trusted" : "untrusted";
+            push(content, source, trust, label);
+        }
+    };
+    pushGroup(input.retrieved, "rag");
+    pushGroup(input.tools, "tool-desc");
+    pushGroup(input.memory, "memory");
+    pushGroup(input.web, "web");
+    pushGroup(input.agentOutput, "agent-output");
+    return { segments };
+}
+/**
+ * Scan every segment with the source-specific ingestion profile.
+ * Mutates `ctx` in place by attaching `scanResults` + `decision`,
+ * AND returns the same object for chaining.
+ */
+export async function scanWrappedContext(ctx, options = {}) {
+    const scanner = new IngestionScanner({
+        strictness: options.strictness ?? "high",
+    });
+    const results = [];
+    let worst = "allow";
+    for (let i = 0; i < ctx.segments.length; i += 1) {
+        const seg = ctx.segments[i];
+        // System segments skip the scanner — they're developer-authored and
+        // running the heuristic over a real system prompt would flood with
+        // false positives (system prompts ARE instructions, by definition).
+        if (seg.trust === "system") {
+            results.push({ segmentIndex: i, decision: "allow", violations: [] });
+            continue;
+        }
+        const scanContext = {
+            source: seg.source,
+            trustTier: seg.trust,
+        };
+        const r = await scanner.scan(seg.content, scanContext);
+        results.push({
+            segmentIndex: i,
+            decision: r.decision,
+            violations: r.violations,
+        });
+        if (priority(r.decision) > priority(worst)) {
+            worst = r.decision;
+        }
+    }
+    ctx.scanResults = results;
+    ctx.decision = worst;
+    return ctx;
+}
+export function assemblePrompt(ctx, options = {}) {
+    const fences = {
+        untrusted: options.fences?.untrusted ?? {
+            open: "<UNTRUSTED_CONTENT source=",
+            close: "</UNTRUSTED_CONTENT>",
+        },
+        blocked: options.fences?.blocked ?? {
+            open: "<BLOCKED_CONTENT source=",
+            close: "</BLOCKED_CONTENT>",
+        },
+    };
+    // Pre-build a segment→index map ONCE. Avoids O(n²) `indexOf` inside the
+    // assembly loop AND removes a TOCTOU on mutable `ctx.segments` (Critic
+    // H2 + Analyst A4 round 1 review).
+    const segmentIndexMap = new Map();
+    ctx.segments.forEach((s, i) => segmentIndexMap.set(s, i));
+    const segmentResultMap = new Map();
+    for (const r of ctx.scanResults ?? []) {
+        segmentResultMap.set(r.segmentIndex, r);
+    }
+    const ordered = [];
+    // 1. system
+    ordered.push(...ctx.segments.filter((s) => s.trust === "system"));
+    // 2. trusted (retrieved/memory/tool-desc the dev marked as trusted)
+    ordered.push(...ctx.segments.filter((s) => s.trust === "trusted"));
+    // 3. user (untrusted, source="user")
+    ordered.push(...ctx.segments.filter((s) => s.source === "user" && s.trust === "untrusted"));
+    // 4. all remaining untrusted, preserve original order within group.
+    for (const s of ctx.segments) {
+        if (s.trust === "untrusted" && s.source !== "user") {
+            ordered.push(s);
+        }
+    }
+    const parts = [];
+    for (const seg of ordered) {
+        const segIdx = segmentIndexMap.get(seg) ?? -1;
+        const segResult = segIdx >= 0 ? segmentResultMap.get(segIdx) : undefined;
+        const blocked = segResult?.decision === "block";
+        if (blocked) {
+            if (options.strictMode) {
+                // Drop entirely.
+                continue;
+            }
+            parts.push(`${fences.blocked.open}"${seg.source}" label="${seg.label ?? ""}">\n${seg.content}\n${fences.blocked.close}`);
+            continue;
+        }
+        if (seg.trust === "system") {
+            parts.push(seg.content);
+        }
+        else if (seg.trust === "trusted") {
+            parts.push(seg.content);
+        }
+        else if (seg.source === "user" && seg.trust === "untrusted") {
+            // User input keeps its natural shape — fencing every user message
+            // creates more noise than signal.
+            parts.push(seg.content);
+        }
+        else {
+            parts.push(`${fences.untrusted.open}"${seg.source}" label="${seg.label ?? ""}">\n${seg.content}\n${fences.untrusted.close}`);
+        }
+    }
+    return parts.join("\n\n");
+}
+function hashContent(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+function priority(d) {
+    return d === "block" ? 2 : d === "warn" ? 1 : 0;
+}
+/**
+ * Convenience aggregator: violations across all scanned segments.
+ */
+export function flattenViolations(ctx) {
+    if (!ctx.scanResults)
+        return [];
+    return ctx.scanResults.flatMap((r) => r.violations);
+}
+/**
+ * Scan one agent-to-agent hand-off and propagate trust along the chain.
+ *
+ * @param payload      The producing agent's output (= consuming agent's input).
+ * @param fromAgentId  Agent that produced `payload`.
+ * @param toAgentId    Agent about to consume `payload`.
+ *
+ * @example
+ * ```ts
+ * import { propagateTrust } from "ai-shield-core";
+ *
+ * // A → B
+ * let chain = await propagateTrust(aOutput, "researcher", "planner");
+ * // B → C, contamination at A stays sticky through to C
+ * chain = await propagateTrust(bOutput, "planner", "executor", {
+ *   priorChain: chain.hops,
+ * });
+ * if (chain.effectiveTrust !== "trusted" && !chain.safe) {
+ *   // an upstream agent was poisoned — do not let the executor act on it
+ *   haltPipeline(chain.violations);
+ * }
+ * ```
+ */
+export async function propagateTrust(payload, fromAgentId, toAgentId, options = {}) {
+    const fromTrust = options.fromTrust ?? "untrusted";
+    const priorChain = options.priorChain ?? [];
+    const scanner = new IngestionScanner({
+        strictness: options.strictness ?? "high",
+    });
+    const scanContext = {
+        source: "agent-output",
+        trustTier: fromTrust,
+        agentId: fromAgentId,
+    };
+    const scan = await scanner.scan(payload, scanContext);
+    const hopViolations = scan.violations.map((v) => ({
+        ...v,
+        detail: `${v.detail ?? ""} (${fromAgentId}→${toAgentId})`.trim(),
+    }));
+    // Was anything upstream already contaminated?
+    const upstreamWorst = priorChain.reduce((worst, h) => (priority(h.decision) > priority(worst) ? h.decision : worst), "allow");
+    const upstreamContaminated = upstreamWorst !== "allow";
+    // This hop's own decision.
+    const hopDecision = scan.decision;
+    // Make contamination explicit as a multi-agent violation (distinct from
+    // the per-segment `ingested_injection` the scanner already produced).
+    if (hopDecision !== "allow") {
+        hopViolations.push({
+            type: "trust_propagation",
+            scanner: "trust-chain",
+            score: hopDecision === "block" ? 1.0 : 0.5,
+            threshold: 0.5,
+            message: `Contagion risk in hand-off ${fromAgentId}→${toAgentId}`,
+            detail: `Agent output flagged at this hop`,
+        });
+    }
+    else if (upstreamContaminated) {
+        hopViolations.push({
+            type: "trust_propagation",
+            scanner: "trust-chain",
+            score: 0.5,
+            threshold: 0.5,
+            message: `Payload reaching ${toAgentId} originates from a contaminated chain`,
+            detail: `Upstream contamination is sticky across hops`,
+        });
+    }
+    const hop = {
+        agentId: fromAgentId,
+        trust: fromTrust,
+        decision: hopDecision,
+        violations: hopViolations,
+    };
+    const hops = [...priorChain, hop];
+    // Worst decision across the full chain (sticky).
+    const chainDecision = priority(hopDecision) >= priority(upstreamWorst)
+        ? hopDecision
+        : upstreamWorst;
+    // Effective trust degrades to untrusted on ANY contamination in the chain.
+    // A clean hand-off from a `trusted` agent with a clean chain stays trusted.
+    const effectiveTrust = chainDecision === "allow" && fromTrust === "trusted"
+        ? "trusted"
+        : "untrusted";
+    return {
+        safe: chainDecision === "allow",
+        decision: chainDecision,
+        effectiveTrust,
+        hops,
+        violations: hops.flatMap((h) => h.violations),
+    };
+}
+//# sourceMappingURL=wrap-context.js.map

package/dist/cost/anomaly.js

@@ -1,12 +1,9 @@
-"use strict";
 // ============================================================
 // Cost Anomaly Detection — Z-Score based
 // Flags unusual spending patterns
 // ============================================================
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.detectAnomaly = detectAnomaly;
 /** Detect anomalies using z-score (>2.5 standard deviations = anomaly) */
-function detectAnomaly(currentValue, historicalValues, threshold = 2.5) {
+export function detectAnomaly(currentValue, historicalValues, threshold = 2.5) {
     if (historicalValues.length < 3) {
         // Not enough data to determine anomaly
         return {

package/dist/cost/pricing.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pricing.d.ts","sourceRoot":"","sources":["../../src/cost/pricing.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAOhD,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAsBtD,CAAC;AAEF,6DAA6D;AAC7D,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAY3D;AAED,iDAAiD;AACjD,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CAMR"}
+{"version":3,"file":"pricing.d.ts","sourceRoot":"","sources":["../../src/cost/pricing.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAchD,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CA2BtD,CAAC;AAEF,6DAA6D;AAC7D,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAY3D;AAED,iDAAiD;AACjD,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CAMR"}

package/dist/cost/pricing.js

@@ -1,13 +1,15 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MODEL_PRICING = void 0;
-exports.getModelPricing = getModelPricing;
-exports.estimateCost = estimateCost;
 // ============================================================
-// Model Pricing Table — Updated Feb 2026
-// Prices in USD per 1M tokens
+// Model Pricing Table — Updated June 2026
+// Prices in USD per 1M tokens.
+// Includes `cachedInputPer1M` for providers that support prompt caching
+// (Anthropic cache reads land at ~10% of standard input rate).
+//
+// Note: with the Opus 4.7 generation Anthropic dropped the Opus input/output
+// rate from $15/$75 to $5/$25 and serves the 1M context window at standard
+// pricing (no long-context premium). Earlier tables that still list Opus at
+// $15/$75 over-estimate Opus cost by ~3x.
 // ============================================================
-exports.MODEL_PRICING = {
+export const MODEL_PRICING = {
     // OpenAI
     "gpt-5.2": { inputPer1M: 2.50, outputPer1M: 10.0 },
     "gpt-5.1": { inputPer1M: 2.50, outputPer1M: 10.0 },
@@ -18,24 +20,29 @@ exports.MODEL_PRICING = {
     "o3": { inputPer1M: 10.0, outputPer1M: 40.0 },
     "o3-mini": { inputPer1M: 1.10, outputPer1M: 4.40 },
     "o4-mini": { inputPer1M: 1.10, outputPer1M: 4.40 },
-    // Anthropic
-    "claude-opus-4-6": { inputPer1M: 15.0, outputPer1M: 75.0 },
-    "claude-sonnet-4-6": { inputPer1M: 3.0, outputPer1M: 15.0 },
-    "claude-haiku-4-5": { inputPer1M: 0.80, outputPer1M: 4.0 },
+    // Anthropic — June 2026 line-up (Fable 5, Opus 4.8/4.7/4.6, Sonnet 4.6, Haiku 4.5)
+    "claude-fable-5": { inputPer1M: 10.0, outputPer1M: 50.0, cachedInputPer1M: 1.0 },
+    "claude-opus-4-8": { inputPer1M: 5.0, outputPer1M: 25.0, cachedInputPer1M: 0.50 },
+    "claude-opus-4-7": { inputPer1M: 5.0, outputPer1M: 25.0, cachedInputPer1M: 0.50 },
+    "claude-opus-4-6": { inputPer1M: 5.0, outputPer1M: 25.0, cachedInputPer1M: 0.50 },
+    "claude-sonnet-4-6": { inputPer1M: 3.0, outputPer1M: 15.0, cachedInputPer1M: 0.30 },
+    "claude-sonnet-4-5": { inputPer1M: 3.0, outputPer1M: 15.0, cachedInputPer1M: 0.30 },
+    "claude-haiku-4-5": { inputPer1M: 1.0, outputPer1M: 5.0, cachedInputPer1M: 0.10 },
     // Aliases
     "gpt-5.2-turbo": { inputPer1M: 2.50, outputPer1M: 10.0 },
-    opus: { inputPer1M: 15.0, outputPer1M: 75.0 },
-    sonnet: { inputPer1M: 3.0, outputPer1M: 15.0 },
-    haiku: { inputPer1M: 0.80, outputPer1M: 4.0 },
+    fable: { inputPer1M: 10.0, outputPer1M: 50.0, cachedInputPer1M: 1.0 },
+    opus: { inputPer1M: 5.0, outputPer1M: 25.0, cachedInputPer1M: 0.50 },
+    sonnet: { inputPer1M: 3.0, outputPer1M: 15.0, cachedInputPer1M: 0.30 },
+    haiku: { inputPer1M: 1.0, outputPer1M: 5.0, cachedInputPer1M: 0.10 },
 };
 /** Get pricing for a model, fallback to gpt-4o-mini rates */
-function getModelPricing(model) {
+export function getModelPricing(model) {
     // Try exact match
-    const exact = exports.MODEL_PRICING[model];
+    const exact = MODEL_PRICING[model];
     if (exact)
         return exact;
     // Try prefix match (e.g., "gpt-4o-2024-08-06" → "gpt-4o")
-    for (const [key, pricing] of Object.entries(exports.MODEL_PRICING)) {
+    for (const [key, pricing] of Object.entries(MODEL_PRICING)) {
         if (model.startsWith(key))
             return pricing;
     }
@@ -43,7 +50,7 @@ function getModelPricing(model) {
     return { inputPer1M: 0.15, outputPer1M: 0.60 };
 }
 /** Estimate cost for a given number of tokens */
-function estimateCost(model, inputTokens, outputTokens) {
+export function estimateCost(model, inputTokens, outputTokens) {
     const pricing = getModelPricing(model);
     return ((inputTokens / 1_000_000) * pricing.inputPer1M +
         (outputTokens / 1_000_000) * pricing.outputPer1M);

package/dist/cost/tracker.d.ts

@@ -5,15 +5,33 @@ export interface RedisLike {
     incrbyfloat(key: string, increment: number): Promise<string>;
     expire(key: string, seconds: number): Promise<number>;
 }
+export interface CostTrackerOptions {
+    /**
+     * Cap on in-memory CostRecord retention (ring-buffer).
+     * Default: 10_000. Set to 0 to disable record retention entirely
+     * (use this in long-running processes that only care about budget
+     * counters, not per-request records).
+     * Override via env: AI_SHIELD_MAX_RECORDS.
+     */
+    maxRecords?: number;
+}
 export declare class CostTracker {
     private store;
     private budgets;
     private records;
-    constructor(budgets?: Record<string, BudgetConfig>, redis?: RedisLike);
+    private maxRecords;
+    constructor(budgets?: Record<string, BudgetConfig>, redis?: RedisLike, options?: CostTrackerOptions);
     /** Check if a request is within budget BEFORE sending to LLM */
     checkBudget(entityId: string, model: string, estimatedInputTokens: number, estimatedOutputTokens?: number): Promise<BudgetCheckResult>;
     /** Record actual cost AFTER receiving response */
     recordCost(entityId: string, model: string, inputTokens: number, outputTokens: number): Promise<CostRecord>;
+    /**
+     * Append a record with ring-buffer semantics to prevent unbounded memory growth.
+     * When maxRecords is 0, records are not retained.
+     */
+    private appendRecord;
+    /** Clear all in-memory records (e.g., after export) */
+    clearRecords(): void;
     /** Get current spend for an entity */
     getCurrentSpend(entityId: string): Promise<number>;
     /** Get all recorded costs (for export/audit) */

package/dist/cost/tracker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tracker.d.ts","sourceRoot":"","sources":["../../src/cost/tracker.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,YAAY,EACZ,iBAAiB,EAEjB,UAAU,EACX,MAAM,aAAa,CAAC;AASrB,wDAAwD;AACxD,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD;AAgCD,qBAAa,WAAW;IACtB,OAAO,CAAC,KAAK,CAAY;IACzB,OAAO,CAAC,OAAO,CAA4B;IAC3C,OAAO,CAAC,OAAO,CAAoB;gBAGjC,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAM,EAC1C,KAAK,CAAC,EAAE,SAAS;IAMnB,gEAAgE;IAC1D,WAAW,CACf,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,oBAAoB,EAAE,MAAM,EAC5B,qBAAqB,GAAE,MAAY,GAClC,OAAO,CAAC,iBAAiB,CAAC;IAgC7B,kDAAkD;IAC5C,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,UAAU,CAAC;IA+BtB,sCAAsC;IAChC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOxD,gDAAgD;IAChD,UAAU,IAAI,UAAU,EAAE;IAI1B,OAAO,CAAC,SAAS;IAmBjB,OAAO,CAAC,aAAa;CAUtB"}
+{"version":3,"file":"tracker.d.ts","sourceRoot":"","sources":["../../src/cost/tracker.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,YAAY,EACZ,iBAAiB,EAEjB,UAAU,EACX,MAAM,aAAa,CAAC;AASrB,wDAAwD;AACxD,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD;AAgCD,MAAM,WAAW,kBAAkB;IACjC;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,KAAK,CAAY;IACzB,OAAO,CAAC,OAAO,CAA4B;IAC3C,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,UAAU,CAAS;gBAGzB,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAM,EAC1C,KAAK,CAAC,EAAE,SAAS,EACjB,OAAO,GAAE,kBAAuB;IAQlC,gEAAgE;IAC1D,WAAW,CACf,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,oBAAoB,EAAE,MAAM,EAC5B,qBAAqB,GAAE,MAAY,GAClC,OAAO,CAAC,iBAAiB,CAAC;IAgC7B,kDAAkD;IAC5C,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,UAAU,CAAC;IA+BtB;;;OAGG;IACH,OAAO,CAAC,YAAY;IAUpB,uDAAuD;IACvD,YAAY,IAAI,IAAI;IAIpB,sCAAsC;IAChC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOxD,gDAAgD;IAChD,UAAU,IAAI,UAAU,EAAE;IAI1B,OAAO,CAAC,SAAS;IAmBjB,OAAO,CAAC,aAAa;CAUtB"}

package/dist/cost/tracker.js

@@ -1,7 +1,4 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CostTracker = void 0;
-const pricing_js_1 = require("./pricing.js");
+import { estimateCost } from "./pricing.js";
 /** In-memory fallback store */
 class MemoryStore {
     data = new Map();
@@ -30,13 +27,16 @@ class MemoryStore {
         return 1;
     }
 }
-class CostTracker {
+export class CostTracker {
     store;
     budgets;
     records = [];
-    constructor(budgets = {}, redis) {
+    maxRecords;
+    constructor(budgets = {}, redis, options = {}) {
         this.store = redis ?? new MemoryStore();
         this.budgets = new Map(Object.entries(budgets));
+        const envCap = Number(process.env.AI_SHIELD_MAX_RECORDS);
+        this.maxRecords = options.maxRecords ?? (Number.isFinite(envCap) && envCap >= 0 ? envCap : 10_000);
     }
     /** Check if a request is within budget BEFORE sending to LLM */
     async checkBudget(entityId, model, estimatedInputTokens, estimatedOutputTokens = 500) {
@@ -44,7 +44,7 @@ class CostTracker {
         if (!budget) {
             return { allowed: true, currentSpend: 0, remainingBudget: Infinity };
         }
-        const estimated = (0, pricing_js_1.estimateCost)(model, estimatedInputTokens, estimatedOutputTokens);
+        const estimated = estimateCost(model, estimatedInputTokens, estimatedOutputTokens);
         const key = this.budgetKey(entityId, budget.period);
         const currentSpend = parseFloat((await this.store.get(key)) ?? "0");
         if (currentSpend + estimated > budget.hardLimit) {
@@ -67,7 +67,7 @@ class CostTracker {
     }
     /** Record actual cost AFTER receiving response */
     async recordCost(entityId, model, inputTokens, outputTokens) {
-        const cost = (0, pricing_js_1.estimateCost)(model, inputTokens, outputTokens);
+        const cost = estimateCost(model, inputTokens, outputTokens);
         const record = {
             entityId,
             model,
@@ -90,9 +90,27 @@ class CostTracker {
             await this.store.incrbyfloat(globalKey, cost);
             await this.store.expire(globalKey, this.periodSeconds(globalBudget.period) * 2);
         }
-        this.records.push(record);
+        this.appendRecord(record);
         return record;
     }
+    /**
+     * Append a record with ring-buffer semantics to prevent unbounded memory growth.
+     * When maxRecords is 0, records are not retained.
+     */
+    appendRecord(record) {
+        if (this.maxRecords === 0)
+            return;
+        this.records.push(record);
+        if (this.records.length > this.maxRecords) {
+            // Drop oldest entries — O(1) amortized using splice(0, overflow)
+            const overflow = this.records.length - this.maxRecords;
+            this.records.splice(0, overflow);
+        }
+    }
+    /** Clear all in-memory records (e.g., after export) */
+    clearRecords() {
+        this.records.length = 0;
+    }
     /** Get current spend for an entity */
     async getCurrentSpend(entityId) {
         const budget = this.budgets.get(entityId);
@@ -132,5 +150,4 @@ class CostTracker {
         }
     }
 }
-exports.CostTracker = CostTracker;
 //# sourceMappingURL=tracker.js.map

package/dist/index.d.ts

@@ -1,18 +1,49 @@
 export { AIShield } from "./shield.js";
-export { HeuristicScanner, type HeuristicConfig } from "./scanner/heuristic.js";
+export { HeuristicScanner, normalizeForInjectionScan, collapseSpacedLetters, type HeuristicConfig, } from "./scanner/heuristic.js";
 export { PIIScanner } from "./scanner/pii.js";
 export { ScannerChain, type ChainConfig } from "./scanner/chain.js";
 export { injectCanary, checkCanaryLeak } from "./scanner/canary.js";
+export { IngestionScanner, scanIngested, scanToolOutput, trustTierForSource, tryDecodeObfuscation, type IngestionScannerConfig, type IngestionScanResult, } from "./scanner/ingestion.js";
+export { OutputScanner, scanOutput, type OutputScanConfig, type OutputScanResult, type OutputSink, } from "./scanner/output.js";
+export { wrapContext, scanWrappedContext, assemblePrompt, flattenViolations, propagateTrust, type WrapContextInput, type AssembleOptions, type AgentHop, type PropagateTrustOptions, type TrustPropagationResult, } from "./context/wrap-context.js";
+export { createAsyncJudge, type AsyncJudge, type AsyncJudgeConfig, type JudgeVerdict, type JudgeBackend, type JudgeBackendLike, } from "./judge/async-judge.js";
+export { mintMemoryCanary, verifyMemoryCanary, rotateMemoryCanary, buildSentinelEntry, bulkVerify, type MintMemoryCanaryOptions, } from "./canary/memory.js";
 export { PolicyEngine, type PolicyPreset } from "./policy/engine.js";
 export { ToolPolicyScanner } from "./policy/tools.js";
+export { CircuitBreakerRegistry, makeBreakerScope, type CircuitBreakerOptions, } from "./policy/circuit-breaker.js";
 export { CostTracker, type RedisLike } from "./cost/tracker.js";
 export { detectAnomaly, type AnomalyResult } from "./cost/anomaly.js";
 export { getModelPricing, estimateCost, MODEL_PRICING } from "./cost/pricing.js";
 export { AuditLogger, ConsoleAuditStore, MemoryAuditStore } from "./audit/logger.js";
 export type { AuditStore } from "./audit/types.js";
 export { ScanLRUCache, type LRUCacheConfig } from "./cache/lru.js";
-export type { ScanDecision, ScanResult, ScannerResult, Scanner, ScanContext, Violation, ViolationType, PIIType, PIIAction, PIIEntity, PIIConfig, ToolCall, ToolPermissions, ToolPolicy, ToolManifestPin, BudgetPeriod, BudgetConfig, CostEstimate, CostRecord, BudgetCheckResult, ModelPricing, AuditRecord, AuditConfig, ShieldConfig, InjectionConfig, CostConfig, CacheConfig, ToolConfig, PresetName, } from "./types.js";
+export type { ScanDecision, ScanResult, ScannerResult, Scanner, ScanContext, Violation, ViolationType, IngestionSource, TrustTier, ContextSegment, WrappedContext, MemoryCanaryEntry, MemoryCanaryVerification, CircuitState, CircuitBreakerConfig, CircuitBreakerDecision, CounterStoreLike, PIIType, PIIAction, PIIEntity, PIIConfig, ToolCall, ToolPermissions, ToolPolicy, ToolManifestPin, BudgetPeriod, BudgetConfig, CostEstimate, CostRecord, BudgetCheckResult, ModelPricing, AuditRecord, AuditConfig, ShieldConfig, InjectionConfig, CostConfig, CacheConfig, ToolConfig, PresetName, } from "./types.js";
 import type { ShieldConfig, ScanResult, ScanContext } from "./types.js";
-/** Quick scan — one line, maximum protection */
+/**
+ * Quick scan — one line, maximum protection.
+ *
+ * **Performance warning:** This creates a new AIShield instance on every call.
+ * For production use with multiple calls, create a single `new AIShield(config)`
+ * instance and reuse it — this avoids repeated scanner chain setup and teardown.
+ *
+ * Use `createShieldSingleton()` for a cached version that reuses a single instance.
+ */
 export declare function shield(input: string, configOrContext?: ShieldConfig | ScanContext): Promise<ScanResult>;
+/**
+ * Create a cached shield function that reuses a single AIShield instance.
+ * Much better performance than `shield()` for repeated calls.
+ *
+ * @example
+ * ```ts
+ * const scan = createShieldSingleton({ injection: { strictness: "high" } });
+ * const r1 = await scan("input 1");
+ * const r2 = await scan("input 2");
+ * // Call scan.close() when done (e.g., on process exit)
+ * await scan.close();
+ * ```
+ */
+export declare function createShieldSingleton(config?: ShieldConfig): {
+    (input: string, context?: ScanContext): Promise<ScanResult>;
+    close(): Promise<void>;
+};
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC,OAAO,EAAE,gBAAgB,EAAE,KAAK,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,KAAK,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAGpE,OAAO,EAAE,YAAY,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAGtD,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGjF,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrF,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGnD,OAAO,EAAE,YAAY,EAAE,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGnE,YAAY,EAEV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,OAAO,EACP,WAAW,EACX,SAAS,EACT,aAAa,EAEb,OAAO,EACP,SAAS,EACT,SAAS,EACT,SAAS,EAET,QAAQ,EACR,eAAe,EACf,UAAU,EACV,eAAe,EAEf,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,YAAY,EAEZ,WAAW,EACX,WAAW,EAEX,YAAY,EACZ,eAAe,EACf,UAAU,EACV,WAAW,EACX,UAAU,EACV,UAAU,GACX,MAAM,YAAY,CAAC;AAKpB,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAExE,gDAAgD;AAChD,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,eAAe,CAAC,EAAE,YAAY,GAAG,WAAW,GAC3C,OAAO,CAAC,UAAU,CAAC,CAarB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC,OAAO,EACL,gBAAgB,EAChB,yBAAyB,EACzB,qBAAqB,EACrB,KAAK,eAAe,GACrB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,KAAK,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACpE,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,oBAAoB,EACpB,KAAK,sBAAsB,EAC3B,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,aAAa,EACb,UAAU,EACV,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,UAAU,GAChB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,QAAQ,EACb,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,GAC5B,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EACL,gBAAgB,EAChB,KAAK,UAAU,EACf,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,gBAAgB,GACtB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,UAAU,EACV,KAAK,uBAAuB,GAC7B,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,YAAY,EAAE,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,KAAK,qBAAqB,GAC3B,MAAM,6BAA6B,CAAC;AAGrC,OAAO,EAAE,WAAW,EAAE,KAAK,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGjF,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrF,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGnD,OAAO,EAAE,YAAY,EAAE,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGnE,YAAY,EAEV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,OAAO,EACP,WAAW,EACX,SAAS,EACT,aAAa,EAEb,eAAe,EACf,SAAS,EACT,cAAc,EACd,cAAc,EAEd,iBAAiB,EACjB,wBAAwB,EAExB,YAAY,EACZ,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAEhB,OAAO,EACP,SAAS,EACT,SAAS,EACT,SAAS,EAET,QAAQ,EACR,eAAe,EACf,UAAU,EACV,eAAe,EAEf,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,YAAY,EAEZ,WAAW,EACX,WAAW,EAEX,YAAY,EACZ,eAAe,EACf,UAAU,EACV,WAAW,EACX,UAAU,EACV,UAAU,GACX,MAAM,YAAY,CAAC;AAKpB,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAExE;;;;;;;;GAQG;AACH,wBAAsB,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,eAAe,CAAC,EAAE,YAAY,GAAG,WAAW,GAC3C,OAAO,CAAC,UAAU,CAAC,CAarB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,GAAE,YAAiB,GAAG;IAChE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAC5D,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB,CAUA"}