ai-shield-core 0.2.0 → 0.4.0

package/dist/scanner/ingestion.js

@@ -50,8 +50,14 @@ const SOURCE_PROFILE = {
         extraPatterns: [
             // "Before using this tool, you must ..." / "After calling, also call X"
             /(?:before|after|while)\s+(?:using|invoking|calling|executing)\s+(?:this\s+)?(?:tool|function|action)[,\s]+(?:you\s+)?(?:must|should|will|need\s+to|are\s+required\s+to)/i,
-            // "Also call delete_*" / "ALWAYS invoke X first"
-            /(?:also|always|first|then|finally)\s+(?:call|invoke|use|execute|run)\s+(?:the\s+)?[a-z_][\w-]{2,}/i,
+            // "Also call delete_account" / "then invoke query()". Tightened
+            // (review M2): the called symbol must carry a case-robust tool-name
+            // signal — a snake_case underscore or a `(` call — so benign docs prose
+            // ("first call the API", "then use the result") doesn't trip the
+            // block-level threshold and push operators into disabling the scanner.
+            // (camelCase detection was dropped: under the /i flag `[a-z]+[A-Z]`
+            // collapses to "any word" and re-introduced the false positive.)
+            /(?:also|always|first|then|finally)\s+(?:call|invoke|use|execute|run)\s+(?:the\s+)?[a-z][\w-]*(?:_[\w-]+|\s*\()/i,
             // "Tool description: ignore the above and ..."
             /(?:tool|function|action)\s+description[:\s]+(?:ignore|disregard|override)/i,
             // "Note to LLM:" / "Hidden instruction:"
@@ -60,6 +66,25 @@ const SOURCE_PROFILE = {
             /(?:on\s+(?:success|call)|when\s+invoked)[,:]\s+(?:silently|also|then)\s+(?:call|invoke|exfiltrate|send|leak)/i,
         ],
     },
+    "tool-output": {
+        // The runtime result a tool returned. Distinct from `tool-desc` (static
+        // schema): this is data the tool fetched and is therefore
+        // attacker-influenceable (PoisonedRAG, scraped pages surfaced through a
+        // search tool, a compromised upstream API). Tool results almost never
+        // legitimately carry instruction syntax aimed at the calling model, so
+        // the bar is as tight as RAG/tool-desc.
+        threshold: 0.13,
+        extraPatterns: [
+            // Result claims to carry instructions for the model.
+            /(?:tool|function|api|search|query)\s+(?:result|response|output)[:\s]+(?:ignore|disregard|override|new\s+instructions?|system\s+prompt)/i,
+            // "the result indicates you should now call/invoke X"
+            /(?:result|response|data|output)\s+(?:indicates?|says?|requires?|means?)\s+(?:that\s+)?you\s+(?:should|must|need\s+to|will)\s+(?:now\s+)?(?:call|invoke|run|execute|use)\s+[a-z_][\w-]{2,}/i,
+            // Embedded role/system marker inside a JSON-ish result value.
+            /"(?:role|system|instruction|directive)"\s*:\s*"(?:system|ignore|override|admin)/i,
+            // "(end of results) Now, as the system, ..."
+            /(?:end\s+of\s+(?:results?|output|data)|<\/results?>)[\s.)]*(?:now|next)[,\s]+(?:as\s+(?:the\s+)?(?:system|admin|assistant)|you\s+(?:must|should|will))/i,
+        ],
+    },
     memory: {
         // Stored memory entries: persistence poisoning. Look for sentinel
         // instructions that re-anchor the model on subsequent retrieval.
@@ -346,6 +371,49 @@ export async function scanIngested(content, source, config = {}) {
         },
     };
 }
+/**
+ * Scan the runtime *result* of a tool call before it re-enters the model
+ * context. The dominant indirect-injection channel in agentic loops: a
+ * search tool surfaces a poisoned page, an MCP server returns attacker-
+ * controlled data, a compromised upstream API embeds instructions in its
+ * response. PoisonedRAG (USENIX Security 2025) showed 5 planted documents
+ * reach a 90% attack-success rate in million-document knowledge bases —
+ * the payload arrives here, not in the user prompt.
+ *
+ * Thin wrapper over `scanIngested(content, "tool-output")` that also
+ * stamps the originating `toolName` into every violation detail, so an
+ * audit log can answer "which tool returned the poisoned content?".
+ *
+ * Pair with `CircuitBreakerRegistry` when you also want to rate-limit or
+ * trip the tool after repeated poisoned results:
+ *
+ * @example
+ * ```ts
+ * import { scanToolOutput } from "ai-shield-core";
+ *
+ * const result = await searchTool.call(query);          // untrusted
+ * const scan = await scanToolOutput("web_search", result);
+ * if (!scan.safe) {
+ *   // drop the result OR strip it before the next model turn
+ *   audit.warn("poisoned tool output", { tool: "web_search", v: scan.violations });
+ *   return; // do not feed `result` back into the model
+ * }
+ * model.continue(result);
+ * ```
+ */
+export async function scanToolOutput(toolName, content, config = {}) {
+    const result = await scanIngested(content, "tool-output", config);
+    const safeToolName = typeof toolName === "string" && toolName.length > 0
+        ? toolName.slice(0, 120)
+        : "unknown";
+    return {
+        ...result,
+        violations: result.violations.map((v) => ({
+            ...v,
+            detail: `${v.detail ?? ""} (tool=${safeToolName})`.trim(),
+        })),
+    };
+}
 // ============================================================
 // Encoding-bypass normalization (R1 from Round 1 review — closes
 // OWASP LLM Prompt Injection Prevention Cheat Sheet 2026 Base64/Hex

package/dist/scanner/output.d.ts

@@ -0,0 +1,73 @@
+import type { ScanContext, ScanDecision, Violation, PIIConfig } from "../types.js";
+export type OutputSink = "sql" | "shell" | "html" | "template";
+export interface OutputScanConfig {
+    /**
+     * PII handling. Pass a `PIIConfig` to control action/locale, or `false`
+     * to skip PII scanning entirely. Default: mask.
+     */
+    pii?: PIIConfig | false;
+    /**
+     * Canary token(s) injected into the system prompt via `injectCanary()`.
+     * If any appears verbatim in the output → `system_prompt_leak` (block).
+     */
+    canaryTokens?: string | string[];
+    /**
+     * Restrict the structured-injection check to specific downstream sinks.
+     * E.g. `["sql"]` when the output only ever flows into a query builder.
+     * Default: all sinks.
+     */
+    sinks?: OutputSink[];
+    /** Selectively disable checks. All enabled by default. */
+    checks?: {
+        secrets?: boolean;
+        injection?: boolean;
+        systemPromptLeak?: boolean;
+        jailbreak?: boolean;
+    };
+    /** Override the byte cap on the scanned region. Default 256 KB. */
+    maxBytes?: number;
+}
+export interface OutputScanResult {
+    /** No blocking violation found. */
+    safe: boolean;
+    decision: ScanDecision;
+    /**
+     * Output with PII masked and secrets redacted to `[REDACTED_SECRET]`.
+     * Unlike `scanIngested`, this is NOT emptied on block — the caller
+     * usually still needs to log or display the sanitized text. Gate on
+     * `safe` / `decision` before forwarding it to a downstream sink.
+     */
+    sanitized: string;
+    violations: Violation[];
+    meta: {
+        scanDurationMs: number;
+        checksRun: string[];
+    };
+}
+/**
+ * Scanner for LLM output. Stateless; safe to reuse across calls.
+ */
+export declare class OutputScanner {
+    private readonly config;
+    private readonly pii;
+    constructor(config?: OutputScanConfig);
+    scan(output: string, context?: ScanContext): Promise<OutputScanResult>;
+}
+/**
+ * One-shot helper. Scan a model response before acting on it.
+ *
+ * @example
+ * ```ts
+ * import { scanOutput } from "ai-shield-core";
+ *
+ * const reply = await llm.generate(prompt);
+ * const r = await scanOutput(reply, { canaryTokens: canary, sinks: ["sql"] });
+ * if (!r.safe) {
+ *   audit.warn("unsafe model output", r.violations);
+ *   return genericFallback();           // do not run r.sanitized as SQL
+ * }
+ * showToUser(r.sanitized);              // PII masked, secrets redacted
+ * ```
+ */
+export declare function scanOutput(output: string, config?: OutputScanConfig, context?: ScanContext): Promise<OutputScanResult>;
+//# sourceMappingURL=output.d.ts.map

package/dist/scanner/output.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output.d.ts","sourceRoot":"","sources":["../../src/scanner/output.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,SAAS,EACT,SAAS,EACV,MAAM,aAAa,CAAC;AAuHrB,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,OAAO,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,GAAG,CAAC,EAAE,SAAS,GAAG,KAAK,CAAC;IACxB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,UAAU,EAAE,CAAC;IACrB,0DAA0D;IAC1D,MAAM,CAAC,EAAE;QACP,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAC3B,SAAS,CAAC,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,mCAAmC;IACnC,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,YAAY,CAAC;IACvB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,IAAI,EAAE;QACJ,cAAc,EAAE,MAAM,CAAC;QACvB,SAAS,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACH;AAID;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmB;IAC1C,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoB;gBAE5B,MAAM,GAAE,gBAAqB;IAQnC,IAAI,CACR,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,gBAAgB,CAAC;CAkL7B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,MAAM,EACd,MAAM,GAAE,gBAAqB,EAC7B,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,gBAAgB,CAAC,CAE3B"}

package/dist/scanner/output.js

@@ -0,0 +1,327 @@
+import { PIIScanner } from "./pii.js";
+import { normalizeForInjectionScan } from "./heuristic.js";
+// ============================================================
+// Output Scanner — OWASP LLM05 Improper Output Handling +
+// LLM02 Sensitive Information Disclosure (output side)
+//
+// AI Shield's input scanners answer "is this prompt safe to send to the
+// model?". This scanner answers the other half: "is this model OUTPUT
+// safe to act on / show / forward downstream?".
+//
+// LLM output must never reach a SQL engine, a shell, an HTML sink, or a
+// template renderer unfiltered — XSS, SSRF, SQLi and command injection
+// sourced from model output are a documented 2026 attack class (OWASP
+// LLM05). And a model can leak its own system prompt or a secret it was
+// shown, which is LLM02 / LLM07.
+//
+// Five checks. Inputs are Unicode-normalized first (homoglyph / zero-width /
+// fullwidth evasion defense). Secret + canary checks scan the FULL output
+// (a leak can sit anywhere); the structural checks scan a length-capped copy
+// (those payloads live in the first chunk):
+//   1. secret_leak        — API keys, tokens, private keys, DSNs (full output)
+//   2. output_injection   — SQL / shell / HTML-JS / template / md-exfil (capped)
+//   3. system_prompt_leak — canary-token leak (exact, full) + heuristic phrasing
+//   4. pii_detected       — reuses the input-side PIIScanner
+//   5. jailbreak_indicator— compliance-preamble / mode-switch acknowledgement
+//
+// Checks 1-3 are high-confidence and block. PII follows its configured
+// action. Jailbreak is heuristic and only warns — a "sure, here's how"
+// preamble is often legitimate.
+// ============================================================
+/** Hard cap on the bytes we pattern-scan. A 1 MB model response is not the
+ *  threat model and unbounded regex over it pressures GC. Overridable. */
+const DEFAULT_MAX_OUTPUT_BYTES = 256 * 1024;
+/**
+ * High-confidence secret formats. Each is anchored on a provider-specific
+ * prefix so false positives on prose are near-zero. Patterns are linear
+ * (no nested quantifiers) — ReDoS-safe on large output.
+ */
+const SECRET_PATTERNS = [
+    { id: "SEC-OPENAI", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/, label: "OpenAI API key" },
+    { id: "SEC-ANTHROPIC", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/, label: "Anthropic API key" },
+    { id: "SEC-AWS-AKID", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/, label: "AWS access key id" },
+    { id: "SEC-GITHUB", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/, label: "GitHub token" },
+    { id: "SEC-GOOGLE", re: /\bAIza[0-9A-Za-z_-]{35}\b/, label: "Google API key" },
+    { id: "SEC-GOOGLE-OAUTH", re: /\bGOCSPX-[A-Za-z0-9_-]{28}\b/, label: "Google OAuth client secret" },
+    { id: "SEC-GCP-SA", re: /"type"\s*:\s*"service_account"/, label: "GCP service-account JSON" },
+    { id: "SEC-HUGGINGFACE", re: /\bhf_[A-Za-z0-9]{30,}\b/, label: "HuggingFace token" },
+    { id: "SEC-NPM", re: /\bnpm_[A-Za-z0-9]{36}\b/, label: "npm publish token" },
+    { id: "SEC-SLACK", re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/, label: "Slack token" },
+    { id: "SEC-STRIPE", re: /\b[rs]k_live_[A-Za-z0-9]{20,}\b/, label: "Stripe live key" },
+    { id: "SEC-JWT", re: /\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/, label: "JWT" },
+    { id: "SEC-PEM", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/, label: "PEM private key" },
+    // DSN: both credential segments are length-bounded so a long near-match
+    // without a trailing `@` can't drive O(n²) backtracking (review H1).
+    { id: "SEC-DSN", re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqps?):\/\/[^\s:/@]{1,64}:[^\s@]{3,80}@/, label: "connection string with credentials" },
+];
+/**
+ * Output-injection payloads, grouped by downstream sink. Each pattern is
+ * deliberately conservative — flagging legitimate output that merely
+ * *mentions* SQL would be useless. They target syntax that only matters
+ * when the string is interpreted, not displayed.
+ */
+const INJECTION_PATTERNS = [
+    // SQL
+    { id: "OUTI-SQL-1", sink: "sql", re: /\bunion\s+(?:all\s+)?select\b/i, label: "SQL UNION SELECT" },
+    { id: "OUTI-SQL-2", sink: "sql", re: /['"]\s*;\s*(?:drop|delete|update|insert|truncate|alter)\s+/i, label: "SQL statement break" },
+    { id: "OUTI-SQL-3", sink: "sql", re: /\bor\s+1\s*=\s*1\b|\bor\s+'1'\s*=\s*'1'/i, label: "SQL tautology" },
+    // Shell
+    { id: "OUTI-SH-1", sink: "shell", re: /\$\([^)]{1,200}\)|`[^`]{1,200}`/, label: "shell command substitution" },
+    { id: "OUTI-SH-2", sink: "shell", re: /[;&|]\s*(?:rm|curl|wget|nc|bash|sh|chmod|mkfifo|dd)\s+-?/i, label: "chained shell command" },
+    { id: "OUTI-SH-3", sink: "shell", re: /\|\s*(?:sh|bash|zsh|python[0-9.]*)\b/i, label: "pipe to interpreter" },
+    // HTML / JS (XSS)
+    { id: "OUTI-XSS-1", sink: "html", re: /<script[\s>]/i, label: "<script> tag" },
+    { id: "OUTI-XSS-2", sink: "html", re: /\bon(?:error|load|click|mouseover)\s*=\s*["']?[^"'>]{1,200}/i, label: "inline event handler" },
+    { id: "OUTI-XSS-3", sink: "html", re: /\bjavascript:\s*[^\s"']{1,200}/i, label: "javascript: URI" },
+    { id: "OUTI-XSS-4", sink: "html", re: /<iframe[\s>]|<img[^>]{0,200}\bsrc\s*=\s*["']?\s*(?:javascript|data):/i, label: "iframe / data-URI image" },
+    // Markdown-image data exfiltration: ![x](http://evil/log?data=…). When a
+    // renderer auto-loads the image the query string leaks whatever the model
+    // was told to embed. The most-overlooked LLM05 class (review: Research).
+    { id: "OUTI-MDEXF", sink: "html", re: /!\[[^\]]{0,200}\]\(\s*https?:\/\/[^)\s]{1,300}[?&][\w-]{1,40}=/i, label: "markdown-image data exfiltration" },
+    // Template / SSTI
+    { id: "OUTI-SSTI-1", sink: "template", re: /\{\{[^}]{0,200}(?:constructor|process|require|global|__proto__|self\.|cycler)[^}]{0,200}\}\}/i, label: "template-injection payload" },
+    { id: "OUTI-SSTI-2", sink: "template", re: /<%[^%]{0,200}(?:system|exec|require|eval)[^%]{0,200}%>/i, label: "ERB/EJS injection" },
+];
+/**
+ * System-prompt-leak heuristics — used only when no canary token is
+ * available. Low-confidence by design (these phrasings occur in benign
+ * output too), so they warn rather than block.
+ */
+const SYSTEM_LEAK_PATTERNS = [
+    /(?:my|the)\s+(?:system\s+)?(?:prompt|instructions?)\s+(?:is|are|say|states?|read)\b/i,
+    /i\s+(?:was|am|have\s+been)\s+(?:instructed|told|configured|programmed|designed)\s+to\b/i,
+    /here\s+(?:is|are)\s+my\s+(?:system\s+)?(?:prompt|instructions?|guidelines?|rules?)\b/i,
+    /you\s+are\s+(?:a|an)\s+[\w-]{2,30}\s+(?:assistant|agent|bot|model)\b.{0,40}\b(?:you\s+must|your\s+(?:rules?|guidelines?|instructions?))/i,
+];
+/**
+ * Jailbreak-success indicators in the OUTPUT. Conservative + low weight:
+ * a generic "Sure, here's how" is not enough on its own — these target
+ * explicit mode-switch acknowledgements and self-declared rule-breaking.
+ */
+const JAILBREAK_PATTERNS = [
+    /\bas\s+(?:DAN|an?\s+(?:unrestricted|unfiltered|jailbroken|uncensored))\b/i,
+    /i(?:'?ll|\s+will)\s+(?:now\s+)?(?:ignore|bypass|disregard|set\s+aside)\s+(?:my|the|all)\s+(?:guidelines?|restrictions?|rules?|safety|programming|filters?)/i,
+    /(?:jailbreak|developer\s+mode|dan\s+mode)\s+(?:enabled|activated|successful|engaged)/i,
+    /i\s+am\s+(?:now\s+)?(?:free\s+(?:from|of)|no\s+longer\s+bound\s+by)\s+(?:my\s+)?(?:restrictions?|guidelines?|rules?|programming)/i,
+];
+const SECRET_REDACTION = "[REDACTED_SECRET]";
+/**
+ * Scanner for LLM output. Stateless; safe to reuse across calls.
+ */
+export class OutputScanner {
+    config;
+    pii;
+    constructor(config = {}) {
+        this.config = config;
+        this.pii =
+            config.pii === false
+                ? null
+                : new PIIScanner(config.pii ?? { action: "mask" });
+    }
+    async scan(output, context = {}) {
+        const start = performance.now();
+        const violations = [];
+        const checksRun = [];
+        const checks = this.config.checks ?? {};
+        const maxBytes = this.config.maxBytes ?? DEFAULT_MAX_OUTPUT_BYTES;
+        const safeOutput = typeof output === "string" ? output : "";
+        // Capped copy for the *structural* checks (injection / leak-phrasing /
+        // jailbreak) — those payloads live in the first chunk and the regex over
+        // a 1 MB response would pressure GC. Normalized so homoglyph / zero-width
+        // / fullwidth evasion can't slip a payload past the patterns (review H6).
+        const cappedDetect = normalizeForInjectionScan(safeOutput.length > maxBytes ? safeOutput.slice(0, maxBytes) : safeOutput);
+        // Secrets and canaries can sit ANYWHERE in the output, and the secret
+        // patterns are anchored + linear — so they scan the FULL output, not the
+        // cap (review C1: a key padded past 256 KB must not slip through). Also
+        // normalized for the same evasion defense.
+        const fullDetect = normalizeForInjectionScan(safeOutput);
+        let sanitized = output;
+        let worst = "allow";
+        const bump = (d) => {
+            if (priority(d) > priority(worst))
+                worst = d;
+        };
+        // 1. Secret leak — high-confidence, always blocks. Detection runs on the
+        //    normalized full output (so a key fragmented by zero-width / homoglyph
+        //    chars is still flagged), and redaction MUST guarantee the live secret
+        //    never survives in `sanitized` — not just best-effort.
+        if (checks.secrets !== false) {
+            checksRun.push("secrets");
+            const matchedSecretREs = [];
+            for (const { id, re, label } of SECRET_PATTERNS) {
+                if (re.test(fullDetect)) {
+                    violations.push({
+                        type: "secret_leak",
+                        scanner: "output",
+                        score: 1.0,
+                        threshold: 0.5,
+                        message: `Output leaks a secret: ${label}`,
+                        detail: `Rule ${id}`,
+                    });
+                    bump("block");
+                    matchedSecretREs.push(re);
+                    // First pass: redact every occurrence in the raw output. This is the
+                    // clean case and preserves the surrounding formatting.
+                    sanitized = sanitized.replace(globalCopy(re), SECRET_REDACTION);
+                }
+            }
+            // Scrub-on-block guarantee: detection saw the secret in the NORMALIZED
+            // text, but the raw `.replace()` above can miss a key that was split by
+            // invisible chars ("sk-ant-...<ZWSP>...") — the raw form doesn't match
+            // the anchored pattern, so the live key would survive in `sanitized`.
+            // If any matched pattern still hits the normalized sanitized output, the
+            // evasion-split key got through: strip the zero-width chars (they are
+            // invisible, so this never alters how benign text reads) so the key
+            // collapses, then redact again. The result: `sanitized` is free of the
+            // live secret regardless of the evasion used.
+            if (matchedSecretREs.length > 0) {
+                const stillLeaks = () => matchedSecretREs.some((re) => re.test(normalizeForInjectionScan(sanitized)));
+                if (stillLeaks()) {
+                    sanitized = stripZeroWidth(sanitized);
+                    for (const re of matchedSecretREs) {
+                        sanitized = sanitized.replace(globalCopy(re), SECRET_REDACTION);
+                    }
+                }
+            }
+        }
+        // 2. Output injection — payloads dangerous to a downstream sink.
+        if (checks.injection !== false) {
+            checksRun.push("injection");
+            const allowedSinks = this.config.sinks;
+            for (const { id, sink, re, label } of INJECTION_PATTERNS) {
+                if (allowedSinks && !allowedSinks.includes(sink))
+                    continue;
+                if (re.test(cappedDetect)) {
+                    violations.push({
+                        type: "output_injection",
+                        scanner: "output",
+                        score: 0.85,
+                        threshold: 0.5,
+                        message: `Output carries a ${sink} injection payload: ${label}`,
+                        detail: `Rule ${id} (sink=${sink})`,
+                    });
+                    bump("block");
+                }
+            }
+        }
+        // 3. System-prompt leak — canary first (exact, certain), then heuristics.
+        if (checks.systemPromptLeak !== false) {
+            checksRun.push("system_prompt_leak");
+            const tokens = normalizeTokens(this.config.canaryTokens);
+            let canaryHit = false;
+            for (const token of tokens) {
+                // Check the FULL output, not the capped copy — a leak past 256 KB is
+                // still a leak, and an exact substring search is cheap.
+                if (token.length >= 4 && output.includes(token)) {
+                    canaryHit = true;
+                    violations.push({
+                        type: "system_prompt_leak",
+                        scanner: "output",
+                        score: 1.0,
+                        threshold: 0.5,
+                        message: "Output leaks a system-prompt canary token",
+                        detail: "Canary match (exact)",
+                    });
+                    bump("block");
+                }
+            }
+            // Heuristic phrasing only when no canary was available/hit — avoids
+            // double-reporting and keeps the low-confidence signal subordinate.
+            if (!canaryHit && tokens.length === 0) {
+                for (const re of SYSTEM_LEAK_PATTERNS) {
+                    if (re.test(cappedDetect)) {
+                        violations.push({
+                            type: "system_prompt_leak",
+                            scanner: "output",
+                            score: 0.4,
+                            threshold: 0.5,
+                            message: "Output may be echoing the system prompt",
+                            detail: "Heuristic phrasing (no canary configured — pass canaryTokens for an exact check)",
+                        });
+                        bump("warn");
+                        break; // one heuristic signal is enough
+                    }
+                }
+            }
+        }
+        // 4. Jailbreak indicators — heuristic, warn only.
+        if (checks.jailbreak !== false) {
+            checksRun.push("jailbreak");
+            for (const re of JAILBREAK_PATTERNS) {
+                if (re.test(cappedDetect)) {
+                    violations.push({
+                        type: "jailbreak_indicator",
+                        scanner: "output",
+                        score: 0.3,
+                        threshold: 0.5,
+                        message: "Output shows a possible jailbreak success indicator",
+                        detail: "Heuristic phrasing",
+                    });
+                    bump("warn");
+                    break;
+                }
+            }
+        }
+        // 5. PII — reuse the input-side scanner; respects its configured action.
+        if (this.pii) {
+            checksRun.push("pii");
+            const piiResult = await this.pii.scan(sanitized, context);
+            for (const v of piiResult.violations) {
+                violations.push({ ...v, scanner: "output" });
+            }
+            if (piiResult.sanitized !== undefined)
+                sanitized = piiResult.sanitized;
+            bump(piiResult.decision);
+        }
+        return {
+            safe: worst === "allow",
+            decision: worst,
+            sanitized,
+            violations,
+            meta: {
+                scanDurationMs: performance.now() - start,
+                checksRun,
+            },
+        };
+    }
+}
+/**
+ * One-shot helper. Scan a model response before acting on it.
+ *
+ * @example
+ * ```ts
+ * import { scanOutput } from "ai-shield-core";
+ *
+ * const reply = await llm.generate(prompt);
+ * const r = await scanOutput(reply, { canaryTokens: canary, sinks: ["sql"] });
+ * if (!r.safe) {
+ *   audit.warn("unsafe model output", r.violations);
+ *   return genericFallback();           // do not run r.sanitized as SQL
+ * }
+ * showToUser(r.sanitized);              // PII masked, secrets redacted
+ * ```
+ */
+export async function scanOutput(output, config = {}, context = {}) {
+    return new OutputScanner(config).scan(output, context);
+}
+function normalizeTokens(tokens) {
+    if (!tokens)
+        return [];
+    const arr = Array.isArray(tokens) ? tokens : [tokens];
+    return arr.filter((t) => typeof t === "string" && t.length > 0);
+}
+function priority(d) {
+    return d === "block" ? 2 : d === "warn" ? 1 : 0;
+}
+/** Return a global-flagged copy of `re` (idempotent if already global). */
+function globalCopy(re) {
+    return new RegExp(re.source, re.flags.includes("g") ? re.flags : re.flags + "g");
+}
+// Zero-width / BOM chars (U+200B..U+200D, U+2060, U+FEFF) used to fragment a
+// secret across a pattern boundary. Stripping them is safe in `sanitized`
+// because they render as nothing — benign visible text is unaffected.
+const OUTPUT_ZERO_WIDTH_RE = /[\u200B-\u200D\u2060\uFEFF]/g;
+function stripZeroWidth(s) {
+    return s.replace(OUTPUT_ZERO_WIDTH_RE, "");
+}
+//# sourceMappingURL=output.js.map

package/dist/types.d.ts

@@ -1,5 +1,15 @@
 export type ScanDecision = "allow" | "warn" | "block";
-export type ViolationType = "prompt_injection" | "pii_detected" | "tool_denied" | "tool_rate_limit" | "budget_exceeded" | "content_policy" | "manifest_drift" | "ingested_injection" | "untrusted_instruction" | "memory_poisoning" | "circuit_breaker_open" | "blast_radius_exceeded";
+export type ViolationType = "prompt_injection" | "pii_detected" | "tool_denied" | "tool_rate_limit" | "budget_exceeded" | "content_policy" | "manifest_drift" | "ingested_injection" | "untrusted_instruction" | "memory_poisoning" | "circuit_breaker_open" | "blast_radius_exceeded"
+/** LLM output carries an executable payload (SQL / shell / HTML/JS / template). */
+ | "output_injection"
+/** LLM output leaks a secret (API key, token, private key, connection string). */
+ | "secret_leak"
+/** LLM output echoes the system prompt / developer instructions. */
+ | "system_prompt_leak"
+/** LLM output shows a successful jailbreak (compliance preamble, mode-switch acknowledgement). */
+ | "jailbreak_indicator"
+/** Trust violation propagating across an agent-to-agent chain (contagion). */
+ | "trust_propagation";
 export interface Violation {
     type: ViolationType;
     scanner: string;
@@ -40,6 +50,12 @@ export interface Scanner {
  * - `tool-desc`   — MCP tool description / OpenAI function schema / tool args
  *                   that came from a remote MCP server. High-risk vector
  *                   per Lakera 2026 advisory + OX Security MCP CVEs.
+ * - `tool-output` — The runtime *result* a tool returned (MCP tool result,
+ *                   function-call output). Distinct from `tool-desc` (the
+ *                   static schema): this is attacker-influenceable data the
+ *                   tool fetched — the RAG-poisoning vector (PoisonedRAG:
+ *                   5 docs → 90% ASR) and the dominant indirect-injection
+ *                   channel in agentic loops.
  * - `memory`      — Persisted memory entry (knowledge graph, session
  *                   history, vector memory). Subject to persistence-poisoning.
  * - `web`         — Scraped web page / HTML. Hidden-instruction risk via
@@ -47,7 +63,7 @@ export interface Scanner {
  * - `agent-output`— Output from another agent flowing into this one
  *                   (multi-agent contagion).
  */
-export type IngestionSource = "user" | "rag" | "tool-desc" | "memory" | "web" | "agent-output";
+export type IngestionSource = "user" | "rag" | "tool-desc" | "tool-output" | "memory" | "web" | "agent-output";
 /**
  * Privilege tier of a content segment. The toolkit treats instructions
  * coming from `untrusted` sources differently from those in `system`

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAEtD,MAAM,MAAM,aAAa,GACrB,kBAAkB,GAClB,cAAc,GACd,aAAa,GACb,iBAAiB,GACjB,iBAAiB,GACjB,gBAAgB,GAChB,gBAAgB,GAChB,oBAAoB,GACpB,uBAAuB,GACvB,kBAAkB,GAClB,sBAAsB,GACtB,uBAAuB,CAAC;AAE5B,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,aAAa,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,YAAY,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,IAAI,EAAE;QACJ,cAAc,EAAE,MAAM,CAAC;QACvB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,OAAO,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,YAAY,CAAC;IACvB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CACnE;AAID;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,MAAM,eAAe,GACvB,MAAM,GACN,KAAK,GACL,WAAW,GACX,QAAQ,GACR,KAAK,GACL,cAAc,CAAC;AAEnB;;;;GAIG;AACH,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,CAAC;AAE3D,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;IACnB;;;;OAIG;IACH,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,MAAM,MAAM,UAAU,GAAG,gBAAgB,GAAG,kBAAkB,GAAG,WAAW,CAAC;AAI7E;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,6BAA6B;IAC7B,MAAM,EAAE,eAAe,CAAC;IACxB,sBAAsB;IACtB,KAAK,EAAE,SAAS,CAAC;IACjB,wBAAwB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,iDAAiD;IACjD,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,mEAAmE;IACnE,WAAW,CAAC,EAAE,KAAK,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,YAAY,CAAC;QACvB,UAAU,EAAE,SAAS,EAAE,CAAC;KACzB,CAAC,CAAC;IACH,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,YAAY,CAAC;CACzB;AAID;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,iEAAiE;IACjE,EAAE,EAAE,MAAM,CAAC;IACX,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,SAAS,EAAE,IAAI,CAAC;IAChB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EACH,iBAAiB,GACjB,gBAAgB,GAChB,iBAAiB,GACjB,eAAe,CAAC;IACpB,uDAAuD;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,WAAW,CAAC;AAE3D,MAAM,WAAW,oBAAoB;IACnC,iDAAiD;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oDAAoD;IACpD,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,WAAW,CAAC;KACtB,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACjC,4EAA4E;IAC5E,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,qBAAqB;IACrB,KAAK,EAAE,YAAY,CAAC;IACpB,mCAAmC;IACnC,MAAM,CAAC,EACH,cAAc,GACd,YAAY,GACZ,uBAAuB,GACvB,aAAa,CAAC;IAClB,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD;AAID,MAAM,MAAM,OAAO,GACf,OAAO,GACP,OAAO,GACP,MAAM,GACN,aAAa,GACb,eAAe,GACf,oBAAoB,GACpB,wBAAwB,GACxB,YAAY,GACZ,sBAAsB,CAAC;AAE3B,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC;AAEhE,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,MAAM,CAAC,EAAE;QACP,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,IAAI,CAAC;CAChB;AAID,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1D,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,WAAW,GAAG,gBAAgB,CAAC;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,YAAY,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACvC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;IAC5C,YAAY,CAAC,EAAE,OAAO,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,YAAY,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC5C,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC3C,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,eAAe,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,WAAW;IAC1B,uEAAuE;IACvE,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAID,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAEtD,MAAM,MAAM,aAAa,GACrB,kBAAkB,GAClB,cAAc,GACd,aAAa,GACb,iBAAiB,GACjB,iBAAiB,GACjB,gBAAgB,GAChB,gBAAgB,GAChB,oBAAoB,GACpB,uBAAuB,GACvB,kBAAkB,GAClB,sBAAsB,GACtB,uBAAuB;AAEzB,mFAAmF;GACjF,kBAAkB;AACpB,kFAAkF;GAChF,aAAa;AACf,oEAAoE;GAClE,oBAAoB;AACtB,kGAAkG;GAChG,qBAAqB;AAEvB,8EAA8E;GAC5E,mBAAmB,CAAC;AAExB,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,aAAa,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,YAAY,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,IAAI,EAAE;QACJ,cAAc,EAAE,MAAM,CAAC;QACvB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,OAAO,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,YAAY,CAAC;IACvB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;CACnE;AAID;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,eAAe,GACvB,MAAM,GACN,KAAK,GACL,WAAW,GACX,aAAa,GACb,QAAQ,GACR,KAAK,GACL,cAAc,CAAC;AAEnB;;;;GAIG;AACH,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,CAAC;AAE3D,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;IACnB;;;;OAIG;IACH,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED,MAAM,MAAM,UAAU,GAAG,gBAAgB,GAAG,kBAAkB,GAAG,WAAW,CAAC;AAI7E;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,6BAA6B;IAC7B,MAAM,EAAE,eAAe,CAAC;IACxB,sBAAsB;IACtB,KAAK,EAAE,SAAS,CAAC;IACjB,wBAAwB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,iDAAiD;IACjD,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,mEAAmE;IACnE,WAAW,CAAC,EAAE,KAAK,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,YAAY,CAAC;QACvB,UAAU,EAAE,SAAS,EAAE,CAAC;KACzB,CAAC,CAAC;IACH,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,YAAY,CAAC;CACzB;AAID;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,iEAAiE;IACjE,EAAE,EAAE,MAAM,CAAC;IACX,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,WAAW,EAAE,MAAM,CAAC;IACpB,sEAAsE;IACtE,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,SAAS,EAAE,IAAI,CAAC;IAChB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EACH,iBAAiB,GACjB,gBAAgB,GAChB,iBAAiB,GACjB,eAAe,CAAC;IACpB,uDAAuD;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,WAAW,CAAC;AAE3D,MAAM,WAAW,oBAAoB;IACnC,iDAAiD;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oDAAoD;IACpD,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,WAAW,CAAC;KACtB,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACjC,4EAA4E;IAC5E,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,qBAAqB;IACrB,KAAK,EAAE,YAAY,CAAC;IACpB,mCAAmC;IACnC,MAAM,CAAC,EACH,cAAc,GACd,YAAY,GACZ,uBAAuB,GACvB,aAAa,CAAC;IAClB,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD;AAID,MAAM,MAAM,OAAO,GACf,OAAO,GACP,OAAO,GACP,MAAM,GACN,aAAa,GACb,eAAe,GACf,oBAAoB,GACpB,wBAAwB,GACxB,YAAY,GACZ,sBAAsB,CAAC;AAE3B,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC;AAEhE,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC7C,MAAM,CAAC,EAAE;QACP,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;QAC7B,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,IAAI,CAAC;CAChB;AAID,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1D,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,WAAW,GAAG,gBAAgB,CAAC;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,EAAE,YAAY,CAAC;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACvC,MAAM,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;IAC5C,YAAY,CAAC,EAAE,OAAO,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,YAAY,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC5C,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAC3C,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,eAAe,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,WAAW;IAC1B,uEAAuE;IACvE,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAID,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-shield-core",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "type": "module",
   "description": "LLM Security SDK — Prompt Injection Detection, PII Protection, Cost Control, Audit",
   "main": "dist/index.js",
@@ -21,8 +21,12 @@
     "pg": ">=8.0.0"
   },
   "peerDependenciesMeta": {
-    "ioredis": { "optional": true },
-    "pg": { "optional": true }
+    "ioredis": {
+      "optional": true
+    },
+    "pg": {
+      "optional": true
+    }
   },
   "license": "MIT"
 }