ai-shield-core 0.1.0 → 0.3.0

package/dist/scanner/output.js

@@ -0,0 +1,297 @@
+import { PIIScanner } from "./pii.js";
+import { normalizeForInjectionScan } from "./heuristic.js";
+// ============================================================
+// Output Scanner — OWASP LLM05 Improper Output Handling +
+// LLM02 Sensitive Information Disclosure (output side)
+//
+// AI Shield's input scanners answer "is this prompt safe to send to the
+// model?". This scanner answers the other half: "is this model OUTPUT
+// safe to act on / show / forward downstream?".
+//
+// LLM output must never reach a SQL engine, a shell, an HTML sink, or a
+// template renderer unfiltered — XSS, SSRF, SQLi and command injection
+// sourced from model output are a documented 2026 attack class (OWASP
+// LLM05). And a model can leak its own system prompt or a secret it was
+// shown, which is LLM02 / LLM07.
+//
+// Five checks. Inputs are Unicode-normalized first (homoglyph / zero-width /
+// fullwidth evasion defense). Secret + canary checks scan the FULL output
+// (a leak can sit anywhere); the structural checks scan a length-capped copy
+// (those payloads live in the first chunk):
+//   1. secret_leak        — API keys, tokens, private keys, DSNs (full output)
+//   2. output_injection   — SQL / shell / HTML-JS / template / md-exfil (capped)
+//   3. system_prompt_leak — canary-token leak (exact, full) + heuristic phrasing
+//   4. pii_detected       — reuses the input-side PIIScanner
+//   5. jailbreak_indicator— compliance-preamble / mode-switch acknowledgement
+//
+// Checks 1-3 are high-confidence and block. PII follows its configured
+// action. Jailbreak is heuristic and only warns — a "sure, here's how"
+// preamble is often legitimate.
+// ============================================================
+/** Hard cap on the bytes we pattern-scan. A 1 MB model response is not the
+ *  threat model and unbounded regex over it pressures GC. Overridable. */
+const DEFAULT_MAX_OUTPUT_BYTES = 256 * 1024;
+/**
+ * High-confidence secret formats. Each is anchored on a provider-specific
+ * prefix so false positives on prose are near-zero. Patterns are linear
+ * (no nested quantifiers) — ReDoS-safe on large output.
+ */
+const SECRET_PATTERNS = [
+    { id: "SEC-OPENAI", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/, label: "OpenAI API key" },
+    { id: "SEC-ANTHROPIC", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/, label: "Anthropic API key" },
+    { id: "SEC-AWS-AKID", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/, label: "AWS access key id" },
+    { id: "SEC-GITHUB", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/, label: "GitHub token" },
+    { id: "SEC-GOOGLE", re: /\bAIza[0-9A-Za-z_-]{35}\b/, label: "Google API key" },
+    { id: "SEC-GOOGLE-OAUTH", re: /\bGOCSPX-[A-Za-z0-9_-]{28}\b/, label: "Google OAuth client secret" },
+    { id: "SEC-GCP-SA", re: /"type"\s*:\s*"service_account"/, label: "GCP service-account JSON" },
+    { id: "SEC-HUGGINGFACE", re: /\bhf_[A-Za-z0-9]{30,}\b/, label: "HuggingFace token" },
+    { id: "SEC-NPM", re: /\bnpm_[A-Za-z0-9]{36}\b/, label: "npm publish token" },
+    { id: "SEC-SLACK", re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/, label: "Slack token" },
+    { id: "SEC-STRIPE", re: /\b[rs]k_live_[A-Za-z0-9]{20,}\b/, label: "Stripe live key" },
+    { id: "SEC-JWT", re: /\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/, label: "JWT" },
+    { id: "SEC-PEM", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/, label: "PEM private key" },
+    // DSN: both credential segments are length-bounded so a long near-match
+    // without a trailing `@` can't drive O(n²) backtracking (review H1).
+    { id: "SEC-DSN", re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqps?):\/\/[^\s:/@]{1,64}:[^\s@]{3,80}@/, label: "connection string with credentials" },
+];
+/**
+ * Output-injection payloads, grouped by downstream sink. Each pattern is
+ * deliberately conservative — flagging legitimate output that merely
+ * *mentions* SQL would be useless. They target syntax that only matters
+ * when the string is interpreted, not displayed.
+ */
+const INJECTION_PATTERNS = [
+    // SQL
+    { id: "OUTI-SQL-1", sink: "sql", re: /\bunion\s+(?:all\s+)?select\b/i, label: "SQL UNION SELECT" },
+    { id: "OUTI-SQL-2", sink: "sql", re: /['"]\s*;\s*(?:drop|delete|update|insert|truncate|alter)\s+/i, label: "SQL statement break" },
+    { id: "OUTI-SQL-3", sink: "sql", re: /\bor\s+1\s*=\s*1\b|\bor\s+'1'\s*=\s*'1'/i, label: "SQL tautology" },
+    // Shell
+    { id: "OUTI-SH-1", sink: "shell", re: /\$\([^)]{1,200}\)|`[^`]{1,200}`/, label: "shell command substitution" },
+    { id: "OUTI-SH-2", sink: "shell", re: /[;&|]\s*(?:rm|curl|wget|nc|bash|sh|chmod|mkfifo|dd)\s+-?/i, label: "chained shell command" },
+    { id: "OUTI-SH-3", sink: "shell", re: /\|\s*(?:sh|bash|zsh|python[0-9.]*)\b/i, label: "pipe to interpreter" },
+    // HTML / JS (XSS)
+    { id: "OUTI-XSS-1", sink: "html", re: /<script[\s>]/i, label: "<script> tag" },
+    { id: "OUTI-XSS-2", sink: "html", re: /\bon(?:error|load|click|mouseover)\s*=\s*["']?[^"'>]{1,200}/i, label: "inline event handler" },
+    { id: "OUTI-XSS-3", sink: "html", re: /\bjavascript:\s*[^\s"']{1,200}/i, label: "javascript: URI" },
+    { id: "OUTI-XSS-4", sink: "html", re: /<iframe[\s>]|<img[^>]{0,200}\bsrc\s*=\s*["']?\s*(?:javascript|data):/i, label: "iframe / data-URI image" },
+    // Markdown-image data exfiltration: ![x](http://evil/log?data=…). When a
+    // renderer auto-loads the image the query string leaks whatever the model
+    // was told to embed. The most-overlooked LLM05 class (review: Research).
+    { id: "OUTI-MDEXF", sink: "html", re: /!\[[^\]]{0,200}\]\(\s*https?:\/\/[^)\s]{1,300}[?&][\w-]{1,40}=/i, label: "markdown-image data exfiltration" },
+    // Template / SSTI
+    { id: "OUTI-SSTI-1", sink: "template", re: /\{\{[^}]{0,200}(?:constructor|process|require|global|__proto__|self\.|cycler)[^}]{0,200}\}\}/i, label: "template-injection payload" },
+    { id: "OUTI-SSTI-2", sink: "template", re: /<%[^%]{0,200}(?:system|exec|require|eval)[^%]{0,200}%>/i, label: "ERB/EJS injection" },
+];
+/**
+ * System-prompt-leak heuristics — used only when no canary token is
+ * available. Low-confidence by design (these phrasings occur in benign
+ * output too), so they warn rather than block.
+ */
+const SYSTEM_LEAK_PATTERNS = [
+    /(?:my|the)\s+(?:system\s+)?(?:prompt|instructions?)\s+(?:is|are|say|states?|read)\b/i,
+    /i\s+(?:was|am|have\s+been)\s+(?:instructed|told|configured|programmed|designed)\s+to\b/i,
+    /here\s+(?:is|are)\s+my\s+(?:system\s+)?(?:prompt|instructions?|guidelines?|rules?)\b/i,
+    /you\s+are\s+(?:a|an)\s+[\w-]{2,30}\s+(?:assistant|agent|bot|model)\b.{0,40}\b(?:you\s+must|your\s+(?:rules?|guidelines?|instructions?))/i,
+];
+/**
+ * Jailbreak-success indicators in the OUTPUT. Conservative + low weight:
+ * a generic "Sure, here's how" is not enough on its own — these target
+ * explicit mode-switch acknowledgements and self-declared rule-breaking.
+ */
+const JAILBREAK_PATTERNS = [
+    /\bas\s+(?:DAN|an?\s+(?:unrestricted|unfiltered|jailbroken|uncensored))\b/i,
+    /i(?:'?ll|\s+will)\s+(?:now\s+)?(?:ignore|bypass|disregard|set\s+aside)\s+(?:my|the|all)\s+(?:guidelines?|restrictions?|rules?|safety|programming|filters?)/i,
+    /(?:jailbreak|developer\s+mode|dan\s+mode)\s+(?:enabled|activated|successful|engaged)/i,
+    /i\s+am\s+(?:now\s+)?(?:free\s+(?:from|of)|no\s+longer\s+bound\s+by)\s+(?:my\s+)?(?:restrictions?|guidelines?|rules?|programming)/i,
+];
+const SECRET_REDACTION = "[REDACTED_SECRET]";
+/**
+ * Scanner for LLM output. Stateless; safe to reuse across calls.
+ */
+export class OutputScanner {
+    config;
+    pii;
+    constructor(config = {}) {
+        this.config = config;
+        this.pii =
+            config.pii === false
+                ? null
+                : new PIIScanner(config.pii ?? { action: "mask" });
+    }
+    async scan(output, context = {}) {
+        const start = performance.now();
+        const violations = [];
+        const checksRun = [];
+        const checks = this.config.checks ?? {};
+        const maxBytes = this.config.maxBytes ?? DEFAULT_MAX_OUTPUT_BYTES;
+        const safeOutput = typeof output === "string" ? output : "";
+        // Capped copy for the *structural* checks (injection / leak-phrasing /
+        // jailbreak) — those payloads live in the first chunk and the regex over
+        // a 1 MB response would pressure GC. Normalized so homoglyph / zero-width
+        // / fullwidth evasion can't slip a payload past the patterns (review H6).
+        const cappedDetect = normalizeForInjectionScan(safeOutput.length > maxBytes ? safeOutput.slice(0, maxBytes) : safeOutput);
+        // Secrets and canaries can sit ANYWHERE in the output, and the secret
+        // patterns are anchored + linear — so they scan the FULL output, not the
+        // cap (review C1: a key padded past 256 KB must not slip through). Also
+        // normalized for the same evasion defense.
+        const fullDetect = normalizeForInjectionScan(safeOutput);
+        let sanitized = output;
+        let worst = "allow";
+        const bump = (d) => {
+            if (priority(d) > priority(worst))
+                worst = d;
+        };
+        // 1. Secret leak — high-confidence, always blocks. Redact in `sanitized`.
+        //    Detection runs on the normalized full output; redaction is
+        //    best-effort over the raw output (a key fragmented by zero-width
+        //    chars is still flagged via `fullDetect` and blocks, but may resist
+        //    clean redaction — callers MUST gate on `safe`/`decision` and never
+        //    forward a blocked output regardless of `sanitized`).
+        if (checks.secrets !== false) {
+            checksRun.push("secrets");
+            for (const { id, re, label } of SECRET_PATTERNS) {
+                if (re.test(fullDetect)) {
+                    violations.push({
+                        type: "secret_leak",
+                        scanner: "output",
+                        score: 1.0,
+                        threshold: 0.5,
+                        message: `Output leaks a secret: ${label}`,
+                        detail: `Rule ${id}`,
+                    });
+                    bump("block");
+                    // Redact every occurrence in the full output (global copy of re).
+                    sanitized = sanitized.replace(new RegExp(re.source, re.flags.includes("g") ? re.flags : re.flags + "g"), SECRET_REDACTION);
+                }
+            }
+        }
+        // 2. Output injection — payloads dangerous to a downstream sink.
+        if (checks.injection !== false) {
+            checksRun.push("injection");
+            const allowedSinks = this.config.sinks;
+            for (const { id, sink, re, label } of INJECTION_PATTERNS) {
+                if (allowedSinks && !allowedSinks.includes(sink))
+                    continue;
+                if (re.test(cappedDetect)) {
+                    violations.push({
+                        type: "output_injection",
+                        scanner: "output",
+                        score: 0.85,
+                        threshold: 0.5,
+                        message: `Output carries a ${sink} injection payload: ${label}`,
+                        detail: `Rule ${id} (sink=${sink})`,
+                    });
+                    bump("block");
+                }
+            }
+        }
+        // 3. System-prompt leak — canary first (exact, certain), then heuristics.
+        if (checks.systemPromptLeak !== false) {
+            checksRun.push("system_prompt_leak");
+            const tokens = normalizeTokens(this.config.canaryTokens);
+            let canaryHit = false;
+            for (const token of tokens) {
+                // Check the FULL output, not the capped copy — a leak past 256 KB is
+                // still a leak, and an exact substring search is cheap.
+                if (token.length >= 4 && output.includes(token)) {
+                    canaryHit = true;
+                    violations.push({
+                        type: "system_prompt_leak",
+                        scanner: "output",
+                        score: 1.0,
+                        threshold: 0.5,
+                        message: "Output leaks a system-prompt canary token",
+                        detail: "Canary match (exact)",
+                    });
+                    bump("block");
+                }
+            }
+            // Heuristic phrasing only when no canary was available/hit — avoids
+            // double-reporting and keeps the low-confidence signal subordinate.
+            if (!canaryHit && tokens.length === 0) {
+                for (const re of SYSTEM_LEAK_PATTERNS) {
+                    if (re.test(cappedDetect)) {
+                        violations.push({
+                            type: "system_prompt_leak",
+                            scanner: "output",
+                            score: 0.4,
+                            threshold: 0.5,
+                            message: "Output may be echoing the system prompt",
+                            detail: "Heuristic phrasing (no canary configured — pass canaryTokens for an exact check)",
+                        });
+                        bump("warn");
+                        break; // one heuristic signal is enough
+                    }
+                }
+            }
+        }
+        // 4. Jailbreak indicators — heuristic, warn only.
+        if (checks.jailbreak !== false) {
+            checksRun.push("jailbreak");
+            for (const re of JAILBREAK_PATTERNS) {
+                if (re.test(cappedDetect)) {
+                    violations.push({
+                        type: "jailbreak_indicator",
+                        scanner: "output",
+                        score: 0.3,
+                        threshold: 0.5,
+                        message: "Output shows a possible jailbreak success indicator",
+                        detail: "Heuristic phrasing",
+                    });
+                    bump("warn");
+                    break;
+                }
+            }
+        }
+        // 5. PII — reuse the input-side scanner; respects its configured action.
+        if (this.pii) {
+            checksRun.push("pii");
+            const piiResult = await this.pii.scan(sanitized, context);
+            for (const v of piiResult.violations) {
+                violations.push({ ...v, scanner: "output" });
+            }
+            if (piiResult.sanitized !== undefined)
+                sanitized = piiResult.sanitized;
+            bump(piiResult.decision);
+        }
+        return {
+            safe: worst === "allow",
+            decision: worst,
+            sanitized,
+            violations,
+            meta: {
+                scanDurationMs: performance.now() - start,
+                checksRun,
+            },
+        };
+    }
+}
+/**
+ * One-shot helper. Scan a model response before acting on it.
+ *
+ * @example
+ * ```ts
+ * import { scanOutput } from "ai-shield-core";
+ *
+ * const reply = await llm.generate(prompt);
+ * const r = await scanOutput(reply, { canaryTokens: canary, sinks: ["sql"] });
+ * if (!r.safe) {
+ *   audit.warn("unsafe model output", r.violations);
+ *   return genericFallback();           // do not run r.sanitized as SQL
+ * }
+ * showToUser(r.sanitized);              // PII masked, secrets redacted
+ * ```
+ */
+export async function scanOutput(output, config = {}, context = {}) {
+    return new OutputScanner(config).scan(output, context);
+}
+function normalizeTokens(tokens) {
+    if (!tokens)
+        return [];
+    const arr = Array.isArray(tokens) ? tokens : [tokens];
+    return arr.filter((t) => typeof t === "string" && t.length > 0);
+}
+function priority(d) {
+    return d === "block" ? 2 : d === "warn" ? 1 : 0;
+}
+//# sourceMappingURL=output.js.map

package/dist/scanner/pii.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pii.d.ts","sourceRoot":"","sources":["../../src/scanner/pii.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,OAAO,EACP,aAAa,EACb,WAAW,EAEX,SAAS,EAGT,SAAS,EACV,MAAM,aAAa,CAAC;AAsKrB,qBAAa,UAAW,YAAW,OAAO;IACxC,QAAQ,CAAC,IAAI,SAAS;IACtB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,aAAa,CAAsC;IAC3D,OAAO,CAAC,YAAY,CAAe;gBAEvB,MAAM,GAAE,SAAc;IAO5B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC;IAoDxE,sCAAsC;IACtC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,EAAE;IA8BjC,uFAAuF;IACvF,OAAO,CAAC,mBAAmB;IAuB3B,gCAAgC;IAChC,OAAO,CAAC,YAAY;CAerB"}
+{"version":3,"file":"pii.d.ts","sourceRoot":"","sources":["../../src/scanner/pii.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,OAAO,EACP,aAAa,EACb,WAAW,EAEX,SAAS,EAGT,SAAS,EACV,MAAM,aAAa,CAAC;AAoLrB,qBAAa,UAAW,YAAW,OAAO;IACxC,QAAQ,CAAC,IAAI,SAAS;IACtB,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,aAAa,CAAsC;IAC3D,OAAO,CAAC,YAAY,CAAe;gBAEvB,MAAM,GAAE,SAAc;IAO5B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC;IAoDxE,sCAAsC;IACtC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,EAAE;IA8BjC,uFAAuF;IACvF,OAAO,CAAC,mBAAmB;IAuB3B,gCAAgC;IAChC,OAAO,CAAC,YAAY;CAerB"}

package/dist/scanner/pii.js

@@ -1,12 +1,12 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.PIIScanner = void 0;
 // --- German & International PII Patterns ---
 const PII_PATTERNS = [
-    // IBAN: DE + 2 check digits + 18 digits (with optional spaces/dashes)
+    // IBAN: 2-letter ISO + 2 check digits + 11..30 alphanumerics (with optional spaces/dashes).
+    // Covers all 80+ IBAN countries: NO (15), BE (16), DE (22), FR (27), MT (31), SC (31).
+    // The validator runs mod-97 over the cleaned value and rejects anything that isn't a real IBAN.
+    // Pattern is linear (no nested quantifiers) — ReDoS-safe.
     {
         type: "iban",
-        pattern: /\b[A-Z]{2}\s?\d{2}\s?\d{4}\s?\d{4}\s?\d{4}\s?\d{4}\s?\d{2,4}\b/g,
+        pattern: /\b[A-Z]{2}\d{2}[ -]?[A-Z0-9](?:[A-Z0-9 -]{9,36}[A-Z0-9])?\b/g,
         validator: validateIBAN,
         baseConfidence: 0.95,
     },
@@ -36,10 +36,15 @@ const PII_PATTERNS = [
         pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
         baseConfidence: 0.95,
     },
-    // Phone: German formats (+49, 0xxx) and international
+    // Phone: German formats (+49, 0xxx) and international.
+    // Previous pattern had nested optional quantifiers (`\s?[\s\-/]?` plus two
+    // `[\s\-/]?\d{0,5}` tails) which risks catastrophic backtracking on
+    // malformed inputs. Restructured so every separator group requires at least
+    // one char when present and the trailing digits group is a true non-optional
+    // extension (or absent entirely).
     {
         type: "phone",
-        pattern: /(?<!\d)(?:\+\d{1,3}|00\d{1,3}|0)\s?[\s\-/]?\(?\d{2,5}\)?[\s\-/]?\d{3,8}[\s\-/]?\d{0,5}\b/g,
+        pattern: /(?<!\d)(?:\+\d{1,3}|00\d{1,3}|0)[\s\-/]?\(?\d{2,5}\)?[\s\-/]?\d{3,8}(?:[\s\-/]\d{1,5})?\b/g,
         validator: validatePhone,
         baseConfidence: 0.80,
     },
@@ -129,17 +134,25 @@ function maskValue(type, value) {
             return value[0] + "***@" + value.substring(atIdx + 1);
         }
         case "phone":
+            // Need room for 4-prefix + ****  + 2-suffix without overlap.
+            if (value.length < 7)
+                return "[PHONE]";
             return value.substring(0, 4) + "****" + value.substring(value.length - 2);
         case "iban":
-            return value.substring(0, 4) + " **** **** ****";
-        case "credit_card":
-            return "**** **** **** " + value.replace(/\D/g, "").substring(12);
+            // Keep country code + check digits, mask rest. Works for any IBAN length.
+            return value.length >= 4 ? value.substring(0, 4) + " **** **** ****" : "[IBAN]";
+        case "credit_card": {
+            const digits = value.replace(/\D/g, "");
+            if (digits.length < 13)
+                return "[CREDIT_CARD]";
+            return "**** **** **** " + digits.substring(digits.length - 4);
+        }
         default:
             return `[${type.toUpperCase()}]`;
     }
 }
 // --- PII Scanner Class ---
-class PIIScanner {
+export class PIIScanner {
     name = "pii";
     patterns;
     action;
@@ -251,5 +264,4 @@ class PIIScanner {
         return masked;
     }
 }
-exports.PIIScanner = PIIScanner;
 //# sourceMappingURL=pii.js.map

package/dist/shield.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"shield.d.ts","sourceRoot":"","sources":["../src/shield.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAc,MAAM,YAAY,CAAC;AAKpF,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAUlD,qBAAa,QAAQ;IACnB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,SAAS,CAAkC;IACnD,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,GAAE,YAAiB;IAyBrC,qCAAqC;IAC/B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,WAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IA+BzE,kDAAkD;IAC5C,WAAW,CACf,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,oBAAoB,EAAE,MAAM,EAC5B,qBAAqB,CAAC,EAAE,MAAM;IAahC,+CAA+C;IACzC,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM;IAMtB,sCAAsC;IAChC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKxD,4BAA4B;IAC5B,SAAS,IAAI,YAAY;IAIzB,2BAA2B;IAC3B,UAAU,IAAI,IAAI;IAIlB,sBAAsB;IACtB,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED,wBAAwB;IAClB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B,OAAO,CAAC,aAAa;IAUrB,OAAO,CAAC,aAAa;IAkDrB,OAAO,CAAC,UAAU;CA2BnB"}
+{"version":3,"file":"shield.d.ts","sourceRoot":"","sources":["../src/shield.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAc,MAAM,YAAY,CAAC;AAKpF,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAUlD,qBAAa,QAAQ;IACnB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,SAAS,CAAkC;IACnD,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,GAAE,YAAiB;IAyBrC,qCAAqC;IAC/B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,WAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IA4CzE,kDAAkD;IAC5C,WAAW,CACf,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,oBAAoB,EAAE,MAAM,EAC5B,qBAAqB,CAAC,EAAE,MAAM;IAahC,+CAA+C;IACzC,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM;IAMtB,sCAAsC;IAChC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKxD,4BAA4B;IAC5B,SAAS,IAAI,YAAY;IAIzB,2BAA2B;IAC3B,UAAU,IAAI,IAAI;IAIlB,sBAAsB;IACtB,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED,wBAAwB;IAClB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B,OAAO,CAAC,aAAa;IAUrB,OAAO,CAAC,aAAa;IAkDrB,OAAO,CAAC,UAAU;CA2BnB"}

package/dist/shield.js

@@ -1,18 +1,15 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AIShield = void 0;
-const chain_js_1 = require("./scanner/chain.js");
-const heuristic_js_1 = require("./scanner/heuristic.js");
-const pii_js_1 = require("./scanner/pii.js");
-const tools_js_1 = require("./policy/tools.js");
-const engine_js_1 = require("./policy/engine.js");
-const tracker_js_1 = require("./cost/tracker.js");
-const logger_js_1 = require("./audit/logger.js");
-const lru_js_1 = require("./cache/lru.js");
+import { ScannerChain } from "./scanner/chain.js";
+import { HeuristicScanner } from "./scanner/heuristic.js";
+import { PIIScanner } from "./scanner/pii.js";
+import { ToolPolicyScanner } from "./policy/tools.js";
+import { PolicyEngine } from "./policy/engine.js";
+import { CostTracker } from "./cost/tracker.js";
+import { AuditLogger, ConsoleAuditStore } from "./audit/logger.js";
+import { ScanLRUCache } from "./cache/lru.js";
 // ============================================================
 // AIShield — Main class, single entry point
 // ============================================================
-class AIShield {
+export class AIShield {
     chain;
     policyEngine;
     costTracker;
@@ -21,19 +18,19 @@ class AIShield {
     config;
     constructor(config = {}) {
         this.config = config;
-        this.policyEngine = new engine_js_1.PolicyEngine(config.preset ?? "public_website");
-        this.chain = new chain_js_1.ScannerChain({ earlyExit: true });
+        this.policyEngine = new PolicyEngine(config.preset ?? "public_website");
+        this.chain = new ScannerChain({ earlyExit: true });
         // Build scanner chain based on config
         this.setupScanners(config);
         // Cost tracker (optional, needs Redis for distributed use)
         this.costTracker = config.cost?.enabled !== false && config.cost?.budgets
-            ? new tracker_js_1.CostTracker(config.cost.budgets)
+            ? new CostTracker(config.cost.budgets)
             : null;
         // Audit logger (optional)
         this.auditLogger = this.setupAudit(config);
         // Scan cache (enabled when cache config is provided)
         this.scanCache = config.cache && config.cache.enabled !== false
-            ? new lru_js_1.ScanLRUCache({
+            ? new ScanLRUCache({
                 maxSize: config.cache.maxSize,
                 ttlMs: config.cache.ttlMs,
             })
@@ -41,6 +38,15 @@ class AIShield {
     }
     /** Scan input text — the main API */
     async scan(input, context = {}) {
+        // Input-length guard — without this a user-supplied multi-MB prompt would
+        // trigger every regex scan on the full buffer, which is O(n) best-case
+        // but pathological under ReDoS-prone patterns. 256 KB handles every
+        // real chat/tool input we care about with plenty of headroom; override
+        // via AI_SHIELD_MAX_INPUT_BYTES when needed.
+        const maxInputBytes = Number(process.env.AI_SHIELD_MAX_INPUT_BYTES ?? 262_144);
+        if (input.length > maxInputBytes) {
+            input = input.slice(0, maxInputBytes);
+        }
         // Apply preset if not set in context
         if (!context.preset) {
             context.preset = this.config.preset ?? "public_website";
@@ -59,8 +65,11 @@ class AIShield {
             const cacheKey = this.buildCacheKey(input, context);
             this.scanCache.set(cacheKey, result);
         }
-        // Log to audit if enabled
-        if (this.auditLogger) {
+        // Log to audit if enabled — but never double-log the same input when
+        // a downstream caller re-scans cached content (result.meta.cached is set
+        // by the cache hit path above; here it is always false but we guard to
+        // be explicit and so subclasses extending scan() stay safe).
+        if (this.auditLogger && !result.meta.cached) {
             void this.auditLogger.log(input, result, context);
         }
         return result;
@@ -117,7 +126,7 @@ class AIShield {
         // 1. Heuristic injection scanner (always on unless explicitly disabled)
         if (config.injection?.enabled !== false) {
             const preset = this.policyEngine.getPreset();
-            this.chain.add(new heuristic_js_1.HeuristicScanner({
+            this.chain.add(new HeuristicScanner({
                 strictness: config.injection?.strictness ?? "medium",
                 threshold: config.injection?.threshold ?? preset.injection.threshold,
                 customPatterns: config.injection?.customPatterns?.map((pattern, i) => ({
@@ -131,7 +140,7 @@ class AIShield {
         }
         // 2. PII scanner
         if (config.pii?.enabled !== false) {
-            this.chain.add(new pii_js_1.PIIScanner({
+            this.chain.add(new PIIScanner({
                 action: config.pii?.action ?? this.policyEngine.getPIIAction(),
                 locale: config.pii?.locale,
                 types: config.pii?.types,
@@ -149,7 +158,7 @@ class AIShield {
                         this.policyEngine.getMaxToolChainDepth(),
                 },
             };
-            this.chain.add(new tools_js_1.ToolPolicyScanner(toolPolicy, config.tools.manifestPins));
+            this.chain.add(new ToolPolicyScanner(toolPolicy, config.tools.manifestPins));
         }
     }
     setupAudit(config) {
@@ -158,27 +167,26 @@ class AIShield {
         let store;
         switch (config.audit?.store) {
             case "console":
-                store = new logger_js_1.ConsoleAuditStore();
+                store = new ConsoleAuditStore();
                 break;
             case "postgresql":
                 // PostgreSQL store would be imported separately to keep core lightweight
                 // For now, fall through to console
-                store = new logger_js_1.ConsoleAuditStore();
+                store = new ConsoleAuditStore();
                 break;
             case "memory":
             default:
                 // If no store configured and audit not explicitly enabled, skip
                 if (!config.audit?.store && config.audit?.enabled !== true)
                     return null;
-                store = new logger_js_1.ConsoleAuditStore();
+                store = new ConsoleAuditStore();
                 break;
         }
-        return new logger_js_1.AuditLogger({
+        return new AuditLogger({
             store,
             batchSize: config.audit?.batchSize,
             flushIntervalMs: config.audit?.flushIntervalMs,
         });
     }
 }
-exports.AIShield = AIShield;
 //# sourceMappingURL=shield.js.map