airlock-bot 0.0.1 → 0.2.2

package/dist/middleware/core/rate-limiter.js

@@ -0,0 +1,32 @@
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+const windows = new Map();
+function getKey(agentId, toolName, per) {
+    return per === 'tool' ? `${agentId}:${toolName}` : agentId;
+}
+function pruneWindow(timestamps, windowMs, now) {
+    const cutoff = now - windowMs;
+    const idx = timestamps.findIndex((t) => t > cutoff);
+    return idx === -1 ? [] : timestamps.slice(idx);
+}
+export function rateLimiterMiddleware(opts) {
+    const { max_requests, window_ms, per = 'agent' } = opts;
+    return async (ctx, next) => {
+        const key = getKey(ctx.agentId, ctx.toolName, per);
+        const now = Date.now();
+        let timestamps = windows.get(key) ?? [];
+        timestamps = pruneWindow(timestamps, window_ms, now);
+        if (timestamps.length >= max_requests) {
+            const retryAfterMs = timestamps[0] + window_ms - now;
+            throw new McpError(ErrorCode.InvalidRequest, `Rate limit exceeded (${max_requests}/${window_ms}ms). Retry after ${Math.ceil(retryAfterMs)}ms.`);
+        }
+        const response = await next();
+        timestamps.push(now);
+        windows.set(key, timestamps);
+        return response;
+    };
+}
+/** For testing */
+export function resetRateLimiterState() {
+    windows.clear();
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/middleware/core/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../../src/middleware/core/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AASzE,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;AAE5C,SAAS,MAAM,CAAC,OAAe,EAAE,QAAgB,EAAE,GAAqB;IACtE,OAAO,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,IAAI,QAAQ,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AAC7D,CAAC;AAED,SAAS,WAAW,CAAC,UAAoB,EAAE,QAAgB,EAAE,GAAW;IACtE,MAAM,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC;IAC9B,MAAM,GAAG,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IACpD,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAwB;IAC5D,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC;IAExD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACxC,UAAU,GAAG,WAAW,CAAC,UAAU,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QAErD,IAAI,UAAU,CAAC,MAAM,IAAI,YAAY,EAAE,CAAC;YACtC,MAAM,YAAY,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,SAAS,GAAG,GAAG,CAAC;YACrD,MAAM,IAAI,QAAQ,CAChB,SAAS,CAAC,cAAc,EACxB,wBAAwB,YAAY,IAAI,SAAS,oBAAoB,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAClG,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAC9B,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QAC7B,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,kBAAkB;AAClB,MAAM,UAAU,qBAAqB;IACnC,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC"}

package/dist/middleware/core/schema-validator.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from '../types.js';
+export declare function schemaValidatorMiddleware(): Middleware;
+//# sourceMappingURL=schema-validator.d.ts.map

package/dist/middleware/core/schema-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-validator.d.ts","sourceRoot":"","sources":["../../../src/middleware/core/schema-validator.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAU9C,wBAAgB,yBAAyB,IAAI,UAAU,CAuBtD"}

package/dist/middleware/core/schema-validator.js

@@ -0,0 +1,31 @@
+import AjvModule from 'ajv';
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access */
+// Handle both ESM default and CJS exports — Ajv uses CJS which can appear as { default: Ajv } in ESM
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const Ajv = AjvModule.default ?? AjvModule;
+const ajv = new Ajv({ allErrors: true, strict: false });
+const validatorCache = new Map();
+/* eslint-enable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access */
+export function schemaValidatorMiddleware() {
+    return async (ctx, next) => {
+        const tools = ctx.deps.registry.getAllTools();
+        const tool = tools.find((t) => t.name === ctx.toolName);
+        if (!tool?.inputSchema)
+            return next();
+        let validate = validatorCache.get(ctx.toolName);
+        if (!validate) {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+            validate = ajv.compile(tool.inputSchema);
+            validatorCache.set(ctx.toolName, validate);
+        }
+        if (!validate(ctx.args)) {
+            const errors = (validate.errors ?? [])
+                .map((e) => `${e.instancePath || '/'}: ${e.message ?? 'unknown error'}`)
+                .join('; ') || 'Unknown validation error';
+            throw new McpError(ErrorCode.InvalidParams, `Invalid arguments: ${errors}`);
+        }
+        return next();
+    };
+}
+//# sourceMappingURL=schema-validator.js.map

package/dist/middleware/core/schema-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-validator.js","sourceRoot":"","sources":["../../../src/middleware/core/schema-validator.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,KAAK,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAGzE,2IAA2I;AAC3I,qGAAqG;AACrG,8DAA8D;AAC9D,MAAM,GAAG,GAAI,SAAiB,CAAC,OAAO,IAAI,SAAS,CAAC;AACpD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AACxD,MAAM,cAAc,GAAG,IAAI,GAAG,EAA4B,CAAC;AAC3D,0IAA0I;AAE1I,MAAM,UAAU,yBAAyB;IACvC,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,IAAI,EAAE,WAAW;YAAE,OAAO,IAAI,EAAE,CAAC;QAEtC,IAAI,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,yGAAyG;YACzG,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAqB,CAAC;YAC7D,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,MAAM,MAAM,GACV,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;iBACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,YAAY,IAAI,GAAG,KAAK,CAAC,CAAC,OAAO,IAAI,eAAe,EAAE,CAAC;iBACvE,IAAI,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC;YAC9C,MAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE,sBAAsB,MAAM,EAAE,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/detectors/injection-detector.d.ts

@@ -0,0 +1,12 @@
+import type { Middleware } from '../types.js';
+export type InjectionDetectorMode = 'detect' | 'mangle' | 'escalate';
+export interface InjectionDetectorOptions {
+    backend?: 'regex' | 'deberta';
+    mode?: InjectionDetectorMode;
+    /** URL of DeBERTa inference server (e.g. http://localhost:8000/predict) */
+    inference_url?: string;
+    /** Confidence threshold for DeBERTa (0-1, default 0.8) */
+    threshold?: number;
+}
+export declare function injectionDetectorMiddleware(opts?: InjectionDetectorOptions): Middleware;
+//# sourceMappingURL=injection-detector.d.ts.map

package/dist/middleware/detectors/injection-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-detector.d.ts","sourceRoot":"","sources":["../../../src/middleware/detectors/injection-detector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAyB9C,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,CAAC;AAErE,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC9B,IAAI,CAAC,EAAE,qBAAqB,CAAC;IAC7B,2EAA2E;IAC3E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AA6CD,wBAAgB,2BAA2B,CAAC,IAAI,GAAE,wBAA6B,GAAG,UAAU,CA2F3F"}

package/dist/middleware/detectors/injection-detector.js

@@ -0,0 +1,129 @@
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:injection-detector');
+const INJECTION_PATTERNS = [
+    /ignore\s+(all\s+)?previous\s+instructions/i,
+    /ignore\s+(all\s+)?prior\s+instructions/i,
+    /disregard\s+(all\s+)?previous/i,
+    /you\s+are\s+now\s+(a|an)\s/i,
+    /new\s+instructions?\s*:/i,
+    /<\s*system\s*>/i,
+    /\[INST\]/i,
+    /\[\/INST\]/i,
+    /<<\s*SYS\s*>>/i,
+    /do\s+not\s+follow\s+(any\s+)?previous/i,
+    /forget\s+(all\s+)?(your\s+)?instructions/i,
+    /override\s+(all\s+)?instructions/i,
+    /\bact\s+as\s+(a|an|if)\b/i,
+    /\bpretend\s+(you\s+are|to\s+be)\b/i,
+    /\brole\s*play\b/i,
+    /\bjailbreak\b/i,
+    /\bDAN\s+mode\b/i,
+];
+async function classifyWithDeberta(text, inferenceUrl, threshold) {
+    const response = await fetch(inferenceUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ text }),
+        signal: AbortSignal.timeout(5000),
+    });
+    if (!response.ok) {
+        throw new Error(`DeBERTa inference failed: ${response.status}`);
+    }
+    const result = (await response.json());
+    const score = result.score ?? result.probability ?? 0;
+    return { isInjection: score >= threshold, score };
+}
+function classifyWithRegex(text) {
+    const matched = [];
+    for (const pattern of INJECTION_PATTERNS) {
+        if (pattern.test(text)) {
+            matched.push(pattern.source);
+        }
+    }
+    return { isInjection: matched.length > 0, matchedPatterns: matched };
+}
+function mangleText(text) {
+    let result = text;
+    for (const pattern of INJECTION_PATTERNS) {
+        result = result.replace(new RegExp(pattern, 'gi'), '[REDACTED: suspected injection]');
+    }
+    return result;
+}
+export function injectionDetectorMiddleware(opts = {}) {
+    const { backend = 'regex', mode = 'detect', inference_url, threshold = 0.8 } = opts;
+    return async (ctx, next) => {
+        // Pre-execution: scan args
+        const argsText = JSON.stringify(ctx.args);
+        let preInjection;
+        if (backend === 'deberta' && inference_url) {
+            try {
+                const result = await classifyWithDeberta(argsText, inference_url, threshold);
+                preInjection = result.isInjection;
+                if (preInjection) {
+                    log.warn({ agentId: ctx.agentId, tool: ctx.toolName, score: result.score }, 'DeBERTa: injection detected in args');
+                }
+            }
+            catch (err) {
+                log.warn({ err }, 'DeBERTa inference failed for args, falling back to regex');
+                preInjection = classifyWithRegex(argsText).isInjection;
+                if (mode === 'escalate') {
+                    ctx.meta.needsApproval = true;
+                    ctx.meta.approvalReason = 'DeBERTa inference unavailable — escalating as precaution';
+                }
+            }
+        }
+        else {
+            const result = classifyWithRegex(argsText);
+            preInjection = result.isInjection;
+            if (preInjection) {
+                log.warn({ agentId: ctx.agentId, tool: ctx.toolName, patterns: result.matchedPatterns }, 'Regex: injection detected in args');
+            }
+        }
+        if (preInjection) {
+            ctx.deps.auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'injection_detected_args',
+            });
+            if (mode === 'escalate') {
+                ctx.meta.needsApproval = true;
+                ctx.meta.approvalReason = 'Prompt injection detected in tool arguments';
+            }
+        }
+        const response = await next();
+        // Post-execution: scan response
+        let postInjection;
+        if (backend === 'deberta' && inference_url) {
+            try {
+                const result = await classifyWithDeberta(response.text, inference_url, threshold);
+                postInjection = result.isInjection;
+            }
+            catch (err) {
+                log.warn({ err }, 'DeBERTa inference failed for response, falling back to regex');
+                postInjection = classifyWithRegex(response.text).isInjection;
+                if (mode === 'escalate') {
+                    ctx.meta.needsApproval = true;
+                    ctx.meta.approvalReason = 'DeBERTa inference unavailable — escalating as precaution';
+                }
+            }
+        }
+        else {
+            postInjection = classifyWithRegex(response.text).isInjection;
+        }
+        if (postInjection) {
+            log.warn({ agentId: ctx.agentId, tool: ctx.toolName }, 'Injection pattern detected in response');
+            ctx.deps.auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'injection_detected_response',
+            });
+            if (mode === 'mangle') {
+                response.text = mangleText(response.text);
+            }
+        }
+        return response;
+    };
+}
+//# sourceMappingURL=injection-detector.js.map

package/dist/middleware/detectors/injection-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-detector.js","sourceRoot":"","sources":["../../../src/middleware/detectors/injection-detector.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,uBAAuB,CAAC,CAAC;AAEjD,MAAM,kBAAkB,GAAG;IACzB,4CAA4C;IAC5C,yCAAyC;IACzC,gCAAgC;IAChC,6BAA6B;IAC7B,0BAA0B;IAC1B,iBAAiB;IACjB,WAAW;IACX,aAAa;IACb,gBAAgB;IAChB,wCAAwC;IACxC,2CAA2C;IAC3C,mCAAmC;IACnC,2BAA2B;IAC3B,oCAAoC;IACpC,kBAAkB;IAClB,gBAAgB;IAChB,iBAAiB;CAClB,CAAC;AAaF,KAAK,UAAU,mBAAmB,CAChC,IAAY,EACZ,YAAoB,EACpB,SAAiB;IAEjB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;QACzC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;QAC9B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIpC,CAAC;IACF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;IACtD,OAAO,EAAE,WAAW,EAAE,KAAK,IAAI,SAAS,EAAE,KAAK,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC;AACvE,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,iCAAiC,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,OAAiC,EAAE;IAC7E,MAAM,EAAE,OAAO,GAAG,OAAO,EAAE,IAAI,GAAG,QAAQ,EAAE,aAAa,EAAE,SAAS,GAAG,GAAG,EAAE,GAAG,IAAI,CAAC;IAEpF,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,YAAqB,CAAC;QAE1B,IAAI,OAAO,KAAK,SAAS,IAAI,aAAa,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,QAAQ,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;gBAC7E,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC;gBAClC,IAAI,YAAY,EAAE,CAAC;oBACjB,GAAG,CAAC,IAAI,CACN,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,EACjE,qCAAqC,CACtC,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,0DAA0D,CAAC,CAAC;gBAC9E,YAAY,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC;gBACvD,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;oBACxB,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;oBAC9B,GAAG,CAAC,IAAI,CAAC,cAAc,GAAG,0DAA0D,CAAC;gBACvF,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAC3C,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC;YAClC,IAAI,YAAY,EAAE,CAAC;gBACjB,GAAG,CAAC,IAAI,CACN,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,eAAe,EAAE,EAC9E,mCAAmC,CACpC,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,YAAY,EAAE,CAAC;YACjB,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,yBAAyB;aAClC,CAAC,CAAC;YAEH,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;gBACxB,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC9B,GAAG,CAAC,IAAI,CAAC,cAAc,GAAG,6CAA6C,CAAC;YAC1E,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAE9B,gCAAgC;QAChC,IAAI,aAAsB,CAAC;QAE3B,IAAI,OAAO,KAAK,SAAS,IAAI,aAAa,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;gBAClF,aAAa,GAAG,MAAM,CAAC,WAAW,CAAC;YACrC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,8DAA8D,CAAC,CAAC;gBAClF,aAAa,GAAG,iBAAiB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC;gBAC7D,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;oBACxB,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;oBAC9B,GAAG,CAAC,IAAI,CAAC,cAAc,GAAG,0DAA0D,CAAC;gBACvF,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,iBAAiB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC;QAC/D,CAAC;QAED,IAAI,aAAa,EAAE,CAAC;YAClB,GAAG,CAAC,IAAI,CACN,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,EAC5C,wCAAwC,CACzC,CAAC;YACF,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,6BAA6B;aACtC,CAAC,CAAC;YAEH,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtB,QAAQ,CAAC,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/detectors/sensitivity-classifier.d.ts

@@ -0,0 +1,12 @@
+import type { Middleware } from '../types.js';
+export type SensitivityMode = 'detect' | 'escalate';
+export type SensitivityBackend = 'heuristic' | 'llm';
+export interface SensitivityClassifierOptions {
+    mode?: SensitivityMode;
+    threshold?: number;
+    backend?: SensitivityBackend;
+    /** Model ID for LLM backend (Vercel AI SDK model reference) */
+    model?: string;
+}
+export declare function sensitivityClassifierMiddleware(opts?: SensitivityClassifierOptions): Middleware;
+//# sourceMappingURL=sensitivity-classifier.d.ts.map

package/dist/middleware/detectors/sensitivity-classifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitivity-classifier.d.ts","sourceRoot":"","sources":["../../../src/middleware/detectors/sensitivity-classifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK9C,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,UAAU,CAAC;AACpD,MAAM,MAAM,kBAAkB,GAAG,WAAW,GAAG,KAAK,CAAC;AAErD,MAAM,WAAW,4BAA4B;IAC3C,IAAI,CAAC,EAAE,eAAe,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B,+DAA+D;IAC/D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAsFD,wBAAgB,+BAA+B,CAC7C,IAAI,GAAE,4BAAiC,GACtC,UAAU,CAeZ"}

package/dist/middleware/detectors/sensitivity-classifier.js

@@ -0,0 +1,125 @@
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:sensitivity-classifier');
+// PII and sensitive data patterns
+const SENSITIVITY_PATTERNS = [
+    // SSN
+    { pattern: /\b\d{3}-\d{2}-\d{4}\b/, weight: 0.9, label: 'SSN' },
+    // Credit card (Luhn-like)
+    {
+        pattern: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/,
+        weight: 0.9,
+        label: 'credit_card',
+    },
+    // Email
+    { pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/, weight: 0.3, label: 'email' },
+    // Phone
+    {
+        pattern: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/,
+        weight: 0.3,
+        label: 'phone',
+    },
+    // API keys / tokens (generic long hex/base64 strings)
+    {
+        pattern: /\b(?:sk|pk|api|token|key|secret|bearer)[-_]?[A-Za-z0-9_-]{20,}\b/i,
+        weight: 0.7,
+        label: 'api_key',
+    },
+    // AWS keys
+    { pattern: /\bAKIA[0-9A-Z]{16}\b/, weight: 0.95, label: 'aws_access_key' },
+    // Private keys
+    { pattern: /-----BEGIN\s(?:RSA\s)?PRIVATE\sKEY-----/, weight: 0.95, label: 'private_key' },
+    // JWT
+    {
+        pattern: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/,
+        weight: 0.6,
+        label: 'jwt',
+    },
+    // Internal IPs
+    {
+        pattern: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/,
+        weight: 0.4,
+        label: 'internal_ip',
+    },
+    // Password-like fields
+    { pattern: /["']?password["']?\s*[:=]\s*["'][^"']+["']/i, weight: 0.8, label: 'password' },
+];
+function heuristicScore(text) {
+    let maxWeight = 0;
+    const labels = [];
+    for (const { pattern, weight, label } of SENSITIVITY_PATTERNS) {
+        if (pattern.test(text)) {
+            labels.push(label);
+            maxWeight = Math.max(maxWeight, weight);
+        }
+    }
+    return { score: maxWeight, labels };
+}
+async function llmScore(text, model) {
+    const { generateText } = await import('ai');
+    const { text: result } = await generateText({
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-assignment
+        model: model,
+        system: 'You are a data sensitivity classifier. Rate the sensitivity of the following data on a scale from 0.0 to 1.0, where 0 is public information and 1.0 is highly sensitive (PII, credentials, medical records, financial data). Respond with ONLY a JSON object: {"score": <number>, "reasoning": "<brief explanation>"}',
+        prompt: text.slice(0, 20_000),
+        maxOutputTokens: 256,
+    });
+    try {
+        return JSON.parse(result);
+    }
+    catch {
+        log.warn('Failed to parse LLM sensitivity response, falling back to high score');
+        return {
+            score: 1.0,
+            reasoning: 'Failed to parse LLM response — defaulting to high sensitivity',
+        };
+    }
+}
+export function sensitivityClassifierMiddleware(opts = {}) {
+    const { mode = 'detect', threshold = 0.7, backend = 'heuristic', model } = opts;
+    return async (ctx, next) => {
+        // Pre-execution: scan args
+        const argsText = JSON.stringify(ctx.args);
+        await checkSensitivity(argsText, 'args', ctx, backend, model, threshold, mode);
+        const response = await next();
+        // Post-execution: scan response
+        await checkSensitivity(response.text, 'response', ctx, backend, model, threshold, mode);
+        return response;
+    };
+}
+async function checkSensitivity(text, phase, ctx, backend, model, threshold, mode) {
+    let score;
+    let details;
+    if (backend === 'llm' && model) {
+        try {
+            const result = await llmScore(text, model);
+            score = result.score;
+            details = result.reasoning;
+        }
+        catch (err) {
+            log.warn({ err }, 'LLM sensitivity classification failed, falling back to heuristic');
+            const h = heuristicScore(text);
+            score = h.score;
+            details = h.labels.join(', ');
+        }
+    }
+    else {
+        const h = heuristicScore(text);
+        score = h.score;
+        details = h.labels.join(', ');
+    }
+    if (score >= threshold) {
+        log.warn({ agentId: ctx.agentId, tool: ctx.toolName, score, phase, details }, 'High sensitivity data detected');
+        ctx.deps.auditLogger.log({
+            agent_id: ctx.agentId,
+            tool: ctx.toolName,
+            args: JSON.stringify(ctx.args),
+            result: `sensitivity_${phase}`,
+            error: `score=${score}, labels=${details}`,
+        });
+        if (mode === 'escalate' && phase === 'args' && !ctx.meta.needsApproval) {
+            ctx.meta.needsApproval = true;
+            ctx.meta.approvalReason = `High sensitivity data detected (score: ${score}, ${details})`;
+        }
+    }
+}
+//# sourceMappingURL=sensitivity-classifier.js.map

package/dist/middleware/detectors/sensitivity-classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitivity-classifier.js","sourceRoot":"","sources":["../../../src/middleware/detectors/sensitivity-classifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,2BAA2B,CAAC,CAAC;AAarD,kCAAkC;AAClC,MAAM,oBAAoB,GAA8D;IACtF,MAAM;IACN,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE;IAC/D,0BAA0B;IAC1B;QACE,OAAO,EACL,4FAA4F;QAC9F,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,aAAa;KACrB;IACD,QAAQ;IACR,EAAE,OAAO,EAAE,qDAAqD,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE;IAC/F,QAAQ;IACR;QACE,OAAO,EAAE,yDAAyD;QAClE,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,OAAO;KACf;IACD,sDAAsD;IACtD;QACE,OAAO,EAAE,mEAAmE;QAC5E,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,SAAS;KACjB;IACD,WAAW;IACX,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,gBAAgB,EAAE;IAC1E,eAAe;IACf,EAAE,OAAO,EAAE,yCAAyC,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE;IAC1F,MAAM;IACN;QACE,OAAO,EAAE,0DAA0D;QACnE,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,KAAK;KACb;IACD,eAAe;IACf;QACE,OAAO,EACL,8GAA8G;QAChH,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,aAAa;KACrB;IACD,uBAAuB;IACvB,EAAE,OAAO,EAAE,6CAA6C,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE;CAC3F,CAAC;AAEF,SAAS,cAAc,CAAC,IAAY;IAClC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,oBAAoB,EAAE,CAAC;QAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnB,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;AACtC,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,IAAY,EACZ,KAAa;IAEb,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE5C,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,YAAY,CAAC;QAC1C,uGAAuG;QACvG,KAAK,EAAE,KAAY;QACnB,MAAM,EACJ,uTAAuT;QACzT,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC;QAC7B,eAAe,EAAE,GAAG;KACrB,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAyC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,CAAC,IAAI,CAAC,sEAAsE,CAAC,CAAC;QACjF,OAAO;YACL,KAAK,EAAE,GAAG;YACV,SAAS,EAAE,+DAA+D;SAC3E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,OAAqC,EAAE;IAEvC,MAAM,EAAE,IAAI,GAAG,QAAQ,EAAE,SAAS,GAAG,GAAG,EAAE,OAAO,GAAG,WAAW,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAEhF,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAE/E,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAE9B,gCAAgC;QAChC,MAAM,gBAAgB,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAExF,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,KAA0B,EAC1B,GAA0C,EAC1C,OAA2B,EAC3B,KAAyB,EACzB,SAAiB,EACjB,IAAqB;IAErB,IAAI,KAAa,CAAC;IAClB,IAAI,OAAe,CAAC;IAEpB,IAAI,OAAO,KAAK,KAAK,IAAI,KAAK,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC3C,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;YACrB,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,kEAAkE,CAAC,CAAC;YACtF,MAAM,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;YAC/B,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;YAChB,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QAC/B,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;QAChB,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;QACvB,GAAG,CAAC,IAAI,CACN,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EACnE,gCAAgC,CACjC,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;YACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;YAC9B,MAAM,EAAE,eAAe,KAAK,EAAE;YAC9B,KAAK,EAAE,SAAS,KAAK,YAAY,OAAO,EAAE;SAC3C,CAAC,CAAC;QAEH,IAAI,IAAI,KAAK,UAAU,IAAI,KAAK,KAAK,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACvE,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC9B,GAAG,CAAC,IAAI,CAAC,cAAc,GAAG,0CAA0C,KAAK,KAAK,OAAO,GAAG,CAAC;QAC3F,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/middleware/post/canary-token-injector.d.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from '../types.js';
+export declare function canaryTokenInjectorMiddleware(): Middleware;
+/** For testing */
+export declare function getActiveCanaryTokens(): Map<string, {
+    agentId: string;
+    tool: string;
+    createdAt: number;
+}>;
+export declare function resetCanaryTokens(): void;
+//# sourceMappingURL=canary-token-injector.d.ts.map

package/dist/middleware/post/canary-token-injector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canary-token-injector.d.ts","sourceRoot":"","sources":["../../../src/middleware/post/canary-token-injector.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAqB9C,wBAAgB,6BAA6B,IAAI,UAAU,CAkC1D;AAED,kBAAkB;AAClB,wBAAgB,qBAAqB,IAAI,GAAG,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CACrD,CAEA;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}

package/dist/middleware/post/canary-token-injector.js

@@ -0,0 +1,53 @@
+import { randomBytes } from 'crypto';
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:canary-token');
+const activeTokens = new Map();
+const TOKEN_TTL_MS = 600_000; // 10 minutes
+function generateCanary() {
+    return `CANARY-${randomBytes(8).toString('hex').toUpperCase()}`;
+}
+function pruneExpired() {
+    const now = Date.now();
+    for (const [token, meta] of activeTokens) {
+        if (now - meta.createdAt > TOKEN_TTL_MS) {
+            activeTokens.delete(token);
+        }
+    }
+}
+export function canaryTokenInjectorMiddleware() {
+    return async (ctx, next) => {
+        // Pre-execution: scan inbound args for leaked canary tokens
+        const argsStr = JSON.stringify(ctx.args);
+        for (const [token, meta] of activeTokens) {
+            if (argsStr.includes(token)) {
+                log.error({ agentId: ctx.agentId, tool: ctx.toolName, leakedFrom: meta.tool, token }, 'Canary token detected in tool arguments — possible data exfiltration');
+                ctx.deps.auditLogger.log({
+                    agent_id: ctx.agentId,
+                    tool: ctx.toolName,
+                    args: JSON.stringify(ctx.args),
+                    result: 'canary_leaked',
+                    error: `Canary token ${token} from ${meta.tool} found in args`,
+                });
+            }
+        }
+        const response = await next();
+        // Post-execution: inject a canary token into the response
+        pruneExpired();
+        const canary = generateCanary();
+        activeTokens.set(canary, {
+            agentId: ctx.agentId,
+            tool: ctx.toolName,
+            createdAt: Date.now(),
+        });
+        response.text += `\n<!-- ${canary} -->`;
+        return response;
+    };
+}
+/** For testing */
+export function getActiveCanaryTokens() {
+    return activeTokens;
+}
+export function resetCanaryTokens() {
+    activeTokens.clear();
+}
+//# sourceMappingURL=canary-token-injector.js.map

package/dist/middleware/post/canary-token-injector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canary-token-injector.js","sourceRoot":"","sources":["../../../src/middleware/post/canary-token-injector.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAErC,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;AAE3C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAgE,CAAC;AAC7F,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,aAAa;AAE3C,SAAS,cAAc;IACrB,OAAO,UAAU,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;QACzC,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,GAAG,YAAY,EAAE,CAAC;YACxC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,6BAA6B;IAC3C,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,4DAA4D;QAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzC,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;YACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,GAAG,CAAC,KAAK,CACP,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAC1E,sEAAsE,CACvE,CAAC;gBACF,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;oBACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;oBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;oBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;oBAC9B,MAAM,EAAE,eAAe;oBACvB,KAAK,EAAE,gBAAgB,KAAK,SAAS,IAAI,CAAC,IAAI,gBAAgB;iBAC/D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAE9B,0DAA0D;QAC1D,YAAY,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;QAChC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE;YACvB,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,QAAQ,CAAC,IAAI,IAAI,UAAU,MAAM,MAAM,CAAC;QACxC,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,kBAAkB;AAClB,MAAM,UAAU,qBAAqB;IAInC,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC"}

package/dist/middleware/post/output-injection-detector.d.ts

@@ -0,0 +1,7 @@
+import type { Middleware } from '../types.js';
+export type InjectionDetectorMode = 'detect' | 'mangle';
+export interface OutputInjectionDetectorOptions {
+    mode?: InjectionDetectorMode;
+}
+export declare function outputInjectionDetectorMiddleware(opts?: OutputInjectionDetectorOptions): Middleware;
+//# sourceMappingURL=output-injection-detector.d.ts.map

package/dist/middleware/post/output-injection-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-injection-detector.d.ts","sourceRoot":"","sources":["../../../src/middleware/post/output-injection-detector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAwB9C,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAExD,MAAM,WAAW,8BAA8B;IAC7C,IAAI,CAAC,EAAE,qBAAqB,CAAC;CAC9B;AAED,wBAAgB,iCAAiC,CAC/C,IAAI,GAAE,8BAAmC,GACxC,UAAU,CAkCZ"}

package/dist/middleware/post/output-injection-detector.js

@@ -0,0 +1,46 @@
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:output-injection');
+const INJECTION_PATTERNS = [
+    /ignore\s+(all\s+)?previous\s+instructions/i,
+    /ignore\s+(all\s+)?prior\s+instructions/i,
+    /disregard\s+(all\s+)?previous/i,
+    /you\s+are\s+now\s+(a|an)\s/i,
+    /new\s+instructions?\s*:/i,
+    /system\s*:\s/i,
+    /<\s*system\s*>/i,
+    /\[INST\]/i,
+    /\[\/INST\]/i,
+    /<<\s*SYS\s*>>/i,
+    /\bAssistant:\s/i,
+    /\bHuman:\s/i,
+    /\bUser:\s/i,
+    /do\s+not\s+follow\s+(any\s+)?previous/i,
+    /forget\s+(all\s+)?(your\s+)?instructions/i,
+    /override\s+(all\s+)?instructions/i,
+];
+export function outputInjectionDetectorMiddleware(opts = {}) {
+    const mode = opts.mode ?? 'detect';
+    return async (ctx, next) => {
+        const response = await next();
+        let flagged = false;
+        for (const pattern of INJECTION_PATTERNS) {
+            if (pattern.test(response.text)) {
+                flagged = true;
+                if (mode === 'mangle') {
+                    response.text = response.text.replace(new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g')), '[REDACTED: suspected injection]');
+                }
+            }
+        }
+        if (flagged) {
+            log.warn({ agentId: ctx.agentId, tool: ctx.toolName, mode }, 'Injection pattern detected in output');
+            ctx.deps.auditLogger.log({
+                agent_id: ctx.agentId,
+                tool: ctx.toolName,
+                args: JSON.stringify(ctx.args),
+                result: 'injection_detected',
+            });
+        }
+        return response;
+    };
+}
+//# sourceMappingURL=output-injection-detector.js.map

package/dist/middleware/post/output-injection-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-injection-detector.js","sourceRoot":"","sources":["../../../src/middleware/post/output-injection-detector.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,qBAAqB,CAAC,CAAC;AAE/C,MAAM,kBAAkB,GAAG;IACzB,4CAA4C;IAC5C,yCAAyC;IACzC,gCAAgC;IAChC,6BAA6B;IAC7B,0BAA0B;IAC1B,eAAe;IACf,iBAAiB;IACjB,WAAW;IACX,aAAa;IACb,gBAAgB;IAChB,iBAAiB;IACjB,aAAa;IACb,YAAY;IACZ,wCAAwC;IACxC,2CAA2C;IAC3C,mCAAmC;CACpC,CAAC;AAQF,MAAM,UAAU,iCAAiC,CAC/C,OAAuC,EAAE;IAEzC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC;IAEnC,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAE9B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,OAAO,GAAG,IAAI,CAAC;gBACf,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACtB,QAAQ,CAAC,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CACnC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EACpF,iCAAiC,CAClC,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CACN,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,EAClD,sCAAsC,CACvC,CAAC;YACF,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACvB,QAAQ,EAAE,GAAG,CAAC,OAAO;gBACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAC9B,MAAM,EAAE,oBAAoB;aAC7B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/post/output-size-limiter.d.ts

@@ -0,0 +1,7 @@
+import type { Middleware } from '../types.js';
+export interface OutputSizeLimiterOptions {
+    max_lines?: number;
+    max_chars?: number;
+}
+export declare function outputSizeLimiterMiddleware(opts?: OutputSizeLimiterOptions): Middleware;
+//# sourceMappingURL=output-size-limiter.d.ts.map

package/dist/middleware/post/output-size-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-size-limiter.d.ts","sourceRoot":"","sources":["../../../src/middleware/post/output-size-limiter.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK9C,MAAM,WAAW,wBAAwB;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAKD,wBAAgB,2BAA2B,CAAC,IAAI,GAAE,wBAA6B,GAAG,UAAU,CA2C3F"}

package/dist/middleware/post/output-size-limiter.js

@@ -0,0 +1,47 @@
+import { writeFile, mkdir } from 'fs/promises';
+import { join } from 'path';
+import { tmpdir } from 'os';
+import { childLogger } from '../../util/logger.js';
+const log = childLogger('mw:output-size-limiter');
+const DEFAULT_MAX_LINES = 200;
+const DEFAULT_MAX_CHARS = 30_000;
+export function outputSizeLimiterMiddleware(opts = {}) {
+    const maxLines = opts.max_lines ?? DEFAULT_MAX_LINES;
+    const maxChars = opts.max_chars ?? DEFAULT_MAX_CHARS;
+    return async (ctx, next) => {
+        const response = await next();
+        const text = response.text;
+        const lines = text.split('\n');
+        const needsLineTruncation = lines.length > maxLines;
+        const needsCharTruncation = text.length > maxChars;
+        if (!needsLineTruncation && !needsCharTruncation)
+            return response;
+        // Write full output to file
+        const safeAgentId = ctx.agentId.replace(/[^a-zA-Z0-9_-]/g, '_');
+        const dir = join(tmpdir(), 'airlock', safeAgentId);
+        const filePath = join(dir, `${ctx.callId}.txt`);
+        try {
+            await mkdir(dir, { recursive: true });
+            await writeFile(filePath, text, 'utf-8');
+            response.fullOutputPath = filePath;
+        }
+        catch (err) {
+            log.warn({ err, filePath }, 'Failed to write full output to file');
+        }
+        // Truncate
+        let truncated;
+        if (needsLineTruncation) {
+            truncated = lines.slice(0, maxLines).join('\n');
+        }
+        else {
+            truncated = text.slice(0, maxChars);
+        }
+        const totalLines = lines.length;
+        const totalChars = text.length;
+        truncated += `\n\n[Truncated: ${totalLines} lines / ${totalChars} chars total. Full output: ${filePath}. Use exec/run with cat/grep to read.]`;
+        response.text = truncated;
+        response.truncated = true;
+        return response;
+    };
+}
+//# sourceMappingURL=output-size-limiter.js.map

package/dist/middleware/post/output-size-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-size-limiter.js","sourceRoot":"","sources":["../../../src/middleware/post/output-size-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAE5B,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEnD,MAAM,GAAG,GAAG,WAAW,CAAC,wBAAwB,CAAC,CAAC;AAOlD,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEjC,MAAM,UAAU,2BAA2B,CAAC,OAAiC,EAAE;IAC7E,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,iBAAiB,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,iBAAiB,CAAC;IAErD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;QAE3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,GAAG,QAAQ,CAAC;QACpD,MAAM,mBAAmB,GAAG,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC;QAEnD,IAAI,CAAC,mBAAmB,IAAI,CAAC,mBAAmB;YAAE,OAAO,QAAQ,CAAC;QAElE,4BAA4B;QAC5B,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACtC,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,QAAQ,CAAC,cAAc,GAAG,QAAQ,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,qCAAqC,CAAC,CAAC;QACrE,CAAC;QAED,WAAW;QACX,IAAI,SAAiB,CAAC;QACtB,IAAI,mBAAmB,EAAE,CAAC;YACxB,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;QAChC,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC;QAC/B,SAAS,IAAI,mBAAmB,UAAU,YAAY,UAAU,8BAA8B,QAAQ,wCAAwC,CAAC;QAE/I,QAAQ,CAAC,IAAI,GAAG,SAAS,CAAC;QAC1B,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC;QAC1B,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/post/output-summarizer.d.ts

@@ -0,0 +1,15 @@
+import type { Middleware } from '../types.js';
+export interface OutputSummarizerOptions {
+    /** Minimum character length before summarization kicks in */
+    threshold_chars?: number;
+    /** Model ID to use (provider-specific, e.g. 'claude-haiku-4-5-20251001', 'gpt-4o-mini') */
+    model: string;
+}
+/**
+ * Summarizes large tool outputs using the Vercel AI SDK.
+ * Requires `ai` package and a provider to be configured.
+ * The caller must pass a model string that the AI SDK can resolve.
+ * Falls back gracefully if the SDK or model is unavailable.
+ */
+export declare function outputSummarizerMiddleware(opts: OutputSummarizerOptions): Middleware;
+//# sourceMappingURL=output-summarizer.d.ts.map

package/dist/middleware/post/output-summarizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-summarizer.d.ts","sourceRoot":"","sources":["../../../src/middleware/post/output-summarizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK9C,MAAM,WAAW,uBAAuB;IACtC,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2FAA2F;IAC3F,KAAK,EAAE,MAAM,CAAC;CACf;AAID;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,uBAAuB,GAAG,UAAU,CAgCpF"}