cogxai 2.8.0

package/dist/core/embeddings.js

@@ -0,0 +1,212 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCachedEmbedding = getCachedEmbedding;
+exports.setCachedEmbedding = setCachedEmbedding;
+exports._configureEmbeddings = _configureEmbeddings;
+exports.isEmbeddingEnabled = isEmbeddingEnabled;
+exports.generateEmbedding = generateEmbedding;
+exports.generateQueryEmbedding = generateQueryEmbedding;
+exports.generateEmbeddings = generateEmbeddings;
+const config_1 = require("../config");
+const logger_1 = require("./logger");
+const log = (0, logger_1.createChildLogger)('embeddings');
+const PROVIDERS = {
+    voyage: {
+        url: 'https://api.voyageai.com/v1/embeddings',
+        defaultModel: 'voyage-4-large',
+        authHeader: (key) => `Bearer ${key}`,
+    },
+    openai: {
+        url: 'https://api.openai.com/v1/embeddings',
+        defaultModel: 'text-embedding-3-small',
+        authHeader: (key) => `Bearer ${key}`,
+    },
+    venice: {
+        url: 'https://api.venice.ai/api/v1/embeddings',
+        defaultModel: 'text-embedding-3-small',
+        authHeader: (key) => `Bearer ${key}`,
+    },
+};
+let _enabled = null;
+let _overrideConfig = null;
+// LRU embedding cache — avoids re-computing embeddings for repeated/similar queries
+const EMBEDDING_CACHE_MAX = 200;
+const EMBEDDING_CACHE_TTL_MS = 30 * 60 * 1000; // 30 minutes
+const _embeddingCache = new Map();
+function getCachedEmbedding(text) {
+    const key = text.slice(0, 500).toLowerCase().trim();
+    const entry = _embeddingCache.get(key);
+    if (!entry)
+        return null;
+    if (Date.now() - entry.ts > EMBEDDING_CACHE_TTL_MS) {
+        _embeddingCache.delete(key);
+        return null;
+    }
+    return entry.embedding;
+}
+function setCachedEmbedding(text, embedding) {
+    const key = text.slice(0, 500).toLowerCase().trim();
+    // Evict oldest if at capacity
+    if (_embeddingCache.size >= EMBEDDING_CACHE_MAX) {
+        const oldest = _embeddingCache.keys().next().value;
+        if (oldest)
+            _embeddingCache.delete(oldest);
+    }
+    _embeddingCache.set(key, { embedding, ts: Date.now() });
+}
+/** @internal SDK escape hatch — allows Cortex to override embedding config. */
+function _configureEmbeddings(opts) {
+    _overrideConfig = opts;
+    _enabled = null; // reset cached check
+}
+function getEmbeddingConfig() {
+    if (_overrideConfig)
+        return _overrideConfig;
+    return config_1.config.embedding;
+}
+function isEmbeddingEnabled() {
+    if (_enabled !== null)
+        return _enabled;
+    const cfg = getEmbeddingConfig();
+    _enabled = !!cfg.provider && !!cfg.apiKey && cfg.provider in PROVIDERS;
+    if (_enabled) {
+        log.info({ provider: cfg.provider }, 'Embedding system enabled');
+    }
+    return _enabled;
+}
+/**
+ * Call a specific embedding provider.
+ */
+async function callEmbeddingAPI(provider, apiKey, model, text, dimensions) {
+    const providerConfig = PROVIDERS[provider];
+    if (!providerConfig)
+        return null;
+    const startMs = Date.now();
+    try {
+        const res = await fetch(providerConfig.url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': providerConfig.authHeader(apiKey),
+            },
+            body: JSON.stringify({
+                input: text.slice(0, 8000),
+                model,
+                ...(provider === 'openai' ? { dimensions } : {}),
+            }),
+        });
+        if (!res.ok) {
+            const errText = await res.text();
+            log.error({ status: res.status, body: errText.slice(0, 200), provider }, 'Embedding API error');
+            return null;
+        }
+        const data = await res.json();
+        const embedding = data.data?.[0]?.embedding || null;
+        const elapsed = Date.now() - startMs;
+        log.debug({ provider, model, elapsed }, 'Embedding generated');
+        return embedding;
+    }
+    catch (err) {
+        log.error({ err, provider }, 'Embedding generation failed');
+        return null;
+    }
+}
+/**
+ * Generate a single embedding vector for the given text.
+ * Returns null if embeddings are disabled or the API call fails.
+ */
+async function generateEmbedding(text) {
+    if (!isEmbeddingEnabled())
+        return null;
+    // Check cache first
+    const cached = getCachedEmbedding(text);
+    if (cached) {
+        log.debug('Embedding cache hit');
+        return cached;
+    }
+    const cfg = getEmbeddingConfig();
+    if (!cfg.provider || !(cfg.provider in PROVIDERS))
+        return null;
+    const providerConfig = PROVIDERS[cfg.provider];
+    const model = cfg.model || providerConfig.defaultModel;
+    const embedding = await callEmbeddingAPI(cfg.provider, cfg.apiKey, model, text, cfg.dimensions);
+    if (embedding)
+        setCachedEmbedding(text, embedding);
+    return embedding;
+}
+/**
+ * Generate embedding optimized for query-time (recall).
+ * Uses a faster provider if configured (EMBEDDING_QUERY_PROVIDER),
+ * otherwise falls back to the default provider.
+ */
+async function generateQueryEmbedding(text) {
+    if (!isEmbeddingEnabled())
+        return null;
+    // Check cache first
+    const cached = getCachedEmbedding(text);
+    if (cached) {
+        log.debug('Query embedding cache hit');
+        return cached;
+    }
+    const cfg = getEmbeddingConfig();
+    // Try fast query provider first
+    const qProvider = cfg.queryProvider;
+    const qApiKey = cfg.queryApiKey;
+    const qModel = cfg.queryModel;
+    if (qProvider && qApiKey && qProvider in PROVIDERS) {
+        const providerConfig = PROVIDERS[qProvider];
+        const model = qModel || providerConfig.defaultModel;
+        log.debug({ provider: qProvider }, 'Using fast query embedding provider');
+        const embedding = await callEmbeddingAPI(qProvider, qApiKey, model, text);
+        if (embedding) {
+            setCachedEmbedding(text, embedding);
+            return embedding;
+        }
+        log.warn({ provider: qProvider }, 'Fast query provider failed, falling back to default');
+    }
+    // Fallback to default provider
+    return generateEmbedding(text);
+}
+/**
+ * Generate embeddings for multiple texts in a single batch API call.
+ * More efficient than calling generateEmbedding() in a loop.
+ * Returns an array matching input length; null for any that failed.
+ */
+async function generateEmbeddings(texts) {
+    if (!isEmbeddingEnabled() || texts.length === 0)
+        return texts.map(() => null);
+    const cfg = getEmbeddingConfig();
+    if (!cfg.provider || !(cfg.provider in PROVIDERS))
+        return texts.map(() => null);
+    const providerConfig = PROVIDERS[cfg.provider];
+    const model = cfg.model || providerConfig.defaultModel;
+    try {
+        const res = await fetch(providerConfig.url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': providerConfig.authHeader(cfg.apiKey),
+            },
+            body: JSON.stringify({
+                input: texts.map(t => t.slice(0, 8000)),
+                model,
+                ...(cfg.provider === 'openai' ? { dimensions: cfg.dimensions } : {}),
+            }),
+        });
+        if (!res.ok) {
+            log.error({ status: res.status }, 'Batch embedding API error');
+            return texts.map(() => null);
+        }
+        const data = await res.json();
+        const result = texts.map(() => null);
+        for (const item of data.data || []) {
+            result[item.index] = item.embedding;
+        }
+        return result;
+    }
+    catch (err) {
+        log.error({ err }, 'Batch embedding generation failed');
+        return texts.map(() => null);
+    }
+}
+//# sourceMappingURL=embeddings.js.map

package/dist/core/embeddings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"embeddings.js","sourceRoot":"","sources":["../../src/core/embeddings.ts"],"names":[],"mappings":";;AAiDA,gDASC;AAED,gDAQC;AAGD,oDAGC;AAOD,gDAQC;AAmDD,8CAmBC;AAOD,wDA+BC;AAOD,gDAsCC;AAlPD,sCAAmC;AACnC,qCAA6C;AAE7C,MAAM,GAAG,GAAG,IAAA,0BAAiB,EAAC,YAAY,CAAC,CAAC;AAoB5C,MAAM,SAAS,GAAmC;IAChD,MAAM,EAAE;QACN,GAAG,EAAE,wCAAwC;QAC7C,YAAY,EAAE,gBAAgB;QAC9B,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,GAAG,EAAE;KACrC;IACD,MAAM,EAAE;QACN,GAAG,EAAE,sCAAsC;QAC3C,YAAY,EAAE,wBAAwB;QACtC,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,GAAG,EAAE;KACrC;IACD,MAAM,EAAE;QACN,GAAG,EAAE,yCAAyC;QAC9C,YAAY,EAAE,wBAAwB;QACtC,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,GAAG,EAAE;KACrC;CACF,CAAC;AAEF,IAAI,QAAQ,GAAmB,IAAI,CAAC;AACpC,IAAI,eAAe,GAAqF,IAAI,CAAC;AAE7G,oFAAoF;AACpF,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAChC,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAC5D,MAAM,eAAe,GAAG,IAAI,GAAG,EAA+C,CAAC;AAE/E,SAAgB,kBAAkB,CAAC,IAAY;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,EAAE,GAAG,sBAAsB,EAAE,CAAC;QACnD,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC,SAAS,CAAC;AACzB,CAAC;AAED,SAAgB,kBAAkB,CAAC,IAAY,EAAE,SAAmB;IAClE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACpD,8BAA8B;IAC9B,IAAI,eAAe,CAAC,IAAI,IAAI,mBAAmB,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACnD,IAAI,MAAM;YAAE,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;IACD,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED,+EAA+E;AAC/E,SAAgB,oBAAoB,CAAC,IAA+E;IAClH,eAAe,GAAG,IAAI,CAAC;IACvB,QAAQ,GAAG,IAAI,CAAC,CAAC,qBAAqB;AACxC,CAAC;AAED,SAAS,kBAAkB;IACzB,IAAI,eAAe;QAAE,OAAO,eAAe,CAAC;IAC5C,OAAO,eAAM,CAAC,SAAS,CAAC;AAC1B,CAAC;AAED,SAAgB,kBAAkB;IAChC,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,QAAQ,CAAC;IACvC,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;IACjC,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,SAAS,CAAC;IACvE,IAAI,QAAQ,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,0BAA0B,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAC7B,QAAgB,EAChB,MAAc,EACd,KAAa,EACb,IAAY,EACZ,UAAmB;IAEnB,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,GAAG,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC;aACnD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC;gBAC1B,KAAK;gBACL,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACjD,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YACjC,GAAG,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,QAAQ,EAAE,EAAE,qBAAqB,CAAC,CAAC;YAChG,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA8C,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,IAAI,CAAC;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;QACrC,GAAG,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,qBAAqB,CAAC,CAAC;QAC/D,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,6BAA6B,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAClD,IAAI,CAAC,kBAAkB,EAAE;QAAE,OAAO,IAAI,CAAC;IAEvC,oBAAoB;IACpB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,MAAM,EAAE,CAAC;QACX,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACjC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;IACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/D,MAAM,cAAc,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,cAAc,CAAC,YAAY,CAAC;IAEvD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;IAChG,IAAI,SAAS;QAAE,kBAAkB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACnD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,sBAAsB,CAAC,IAAY;IACvD,IAAI,CAAC,kBAAkB,EAAE;QAAE,OAAO,IAAI,CAAC;IAEvC,oBAAoB;IACpB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,MAAM,EAAE,CAAC;QACX,GAAG,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QACvC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;IAEjC,gCAAgC;IAChC,MAAM,SAAS,GAAI,GAAW,CAAC,aAAuB,CAAC;IACvD,MAAM,OAAO,GAAI,GAAW,CAAC,WAAqB,CAAC;IACnD,MAAM,MAAM,GAAI,GAAW,CAAC,UAAoB,CAAC;IAEjD,IAAI,SAAS,IAAI,OAAO,IAAI,SAAS,IAAI,SAAS,EAAE,CAAC;QACnD,MAAM,cAAc,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,MAAM,IAAI,cAAc,CAAC,YAAY,CAAC;QACpD,GAAG,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,qCAAqC,CAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;QAC1E,IAAI,SAAS,EAAE,CAAC;YACd,kBAAkB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YACpC,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,qDAAqD,CAAC,CAAC;IAC3F,CAAC;IAED,+BAA+B;IAC/B,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,kBAAkB,CAAC,KAAe;IACtD,IAAI,CAAC,kBAAkB,EAAE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAE9E,MAAM,GAAG,GAAG,kBAAkB,EAAE,CAAC;IACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAEhF,MAAM,cAAc,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,cAAc,CAAC,YAAY,CAAC;IAEvD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,GAAG,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC;aACvD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;gBACvC,KAAK;gBACL,GAAG,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACrE,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,GAAG,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC;YAC/D,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6D,CAAC;QACzF,MAAM,MAAM,GAAwB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QACtC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,mCAAmC,CAAC,CAAC;QACxD,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC"}

package/dist/core/encryption.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Client-side encryption for memory content.
+ *
+ * Per-user key derivation from Solana Ed25519 keypairs:
+ *   secretKey (64 bytes) → first 32 bytes (seed)
+ *     → HKDF-SHA256(seed, salt="cogxai-cortex-v1", info="memory-encryption")
+ *     → 32-byte symmetric key
+ *     → nacl.secretbox (XSalsa20-Poly1305)
+ *
+ * Only the `content` field is encrypted. Summary, tags, concepts, embeddings,
+ * and all metadata stay plaintext for search and scoring.
+ */
+/**
+ * Derive a symmetric encryption key from a Solana Ed25519 secret key.
+ * Stores the key and associated public key for the session.
+ */
+export declare function configureEncryption(solanaSecretKey: Uint8Array): Promise<void>;
+/**
+ * Check if encryption is active for this session.
+ */
+export declare function isEncryptionEnabled(): boolean;
+/**
+ * Get the public key string of the active encryption key.
+ */
+export declare function getEncryptionPubkey(): string | null;
+/**
+ * Encrypt plaintext content.
+ * Returns base64(nonce[24] || ciphertext).
+ */
+export declare function encryptContent(plaintext: string): string;
+/**
+ * Decrypt encrypted content.
+ * Input: base64(nonce[24] || ciphertext).
+ * Returns plaintext or null if decryption fails.
+ */
+export declare function decryptContent(encrypted: string): string | null;
+/**
+ * In-place decrypt memory content for a batch of memories.
+ * Skips memories that are:
+ *   - Not encrypted (encrypted !== true)
+ *   - Encrypted by a different pubkey (logs warning, leaves content as-is)
+ *   - Undecryptable (wrong key, corrupted — leaves content as-is)
+ */
+export declare function decryptMemoryBatch<T extends {
+    content: string;
+    encrypted?: boolean;
+    encryption_pubkey?: string | null;
+}>(memories: T[]): T[];
+//# sourceMappingURL=encryption.d.ts.map

package/dist/core/encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../src/core/encryption.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAkBH;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,eAAe,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBpF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAE7C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,IAAI,CAEnD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAexD;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAuB/D;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAAC,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,EACtH,QAAQ,EAAE,CAAC,EAAE,GACZ,CAAC,EAAE,CAqBL"}

package/dist/core/encryption.js

@@ -0,0 +1,136 @@
+"use strict";
+/**
+ * Client-side encryption for memory content.
+ *
+ * Per-user key derivation from Solana Ed25519 keypairs:
+ *   secretKey (64 bytes) → first 32 bytes (seed)
+ *     → HKDF-SHA256(seed, salt="cogxai-cortex-v1", info="memory-encryption")
+ *     → 32-byte symmetric key
+ *     → nacl.secretbox (XSalsa20-Poly1305)
+ *
+ * Only the `content` field is encrypted. Summary, tags, concepts, embeddings,
+ * and all metadata stay plaintext for search and scoring.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configureEncryption = configureEncryption;
+exports.isEncryptionEnabled = isEncryptionEnabled;
+exports.getEncryptionPubkey = getEncryptionPubkey;
+exports.encryptContent = encryptContent;
+exports.decryptContent = decryptContent;
+exports.decryptMemoryBatch = decryptMemoryBatch;
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const crypto_1 = require("crypto");
+const util_1 = require("util");
+const logger_1 = require("./logger");
+const log = (0, logger_1.createChildLogger)('encryption');
+const hkdfAsync = (0, util_1.promisify)(crypto_1.hkdf);
+const HKDF_SALT = 'cogxai-cortex-v1';
+const HKDF_INFO = 'memory-encryption';
+const NONCE_LENGTH = tweetnacl_1.default.secretbox.nonceLength; // 24 bytes
+let encryptionKey = null;
+let encryptionPubkey = null;
+/**
+ * Derive a symmetric encryption key from a Solana Ed25519 secret key.
+ * Stores the key and associated public key for the session.
+ */
+async function configureEncryption(solanaSecretKey) {
+    if (solanaSecretKey.length !== 64) {
+        throw new Error('Encryption requires a 64-byte Ed25519 secret key');
+    }
+    // First 32 bytes = seed (same as nacl.sign.keyPair.fromSeed uses)
+    const seed = solanaSecretKey.slice(0, 32);
+    // Derive 32-byte symmetric key via HKDF-SHA256
+    const derived = await hkdfAsync('sha256', seed, HKDF_SALT, HKDF_INFO, 32);
+    encryptionKey = new Uint8Array(derived);
+    // Extract public key for tagging encrypted memories
+    const keypair = tweetnacl_1.default.sign.keyPair.fromSecretKey(solanaSecretKey);
+    encryptionPubkey = Buffer.from(keypair.publicKey).toString('base64');
+    log.info({ pubkey: encryptionPubkey.slice(0, 12) + '...' }, 'Encryption configured');
+}
+/**
+ * Check if encryption is active for this session.
+ */
+function isEncryptionEnabled() {
+    return encryptionKey !== null;
+}
+/**
+ * Get the public key string of the active encryption key.
+ */
+function getEncryptionPubkey() {
+    return encryptionPubkey;
+}
+/**
+ * Encrypt plaintext content.
+ * Returns base64(nonce[24] || ciphertext).
+ */
+function encryptContent(plaintext) {
+    if (!encryptionKey) {
+        throw new Error('Encryption not configured. Call configureEncryption() first.');
+    }
+    const nonce = tweetnacl_1.default.randomBytes(NONCE_LENGTH);
+    const messageBytes = new TextEncoder().encode(plaintext);
+    const ciphertext = tweetnacl_1.default.secretbox(messageBytes, nonce, encryptionKey);
+    // Concatenate nonce + ciphertext
+    const combined = new Uint8Array(NONCE_LENGTH + ciphertext.length);
+    combined.set(nonce, 0);
+    combined.set(ciphertext, NONCE_LENGTH);
+    return Buffer.from(combined).toString('base64');
+}
+/**
+ * Decrypt encrypted content.
+ * Input: base64(nonce[24] || ciphertext).
+ * Returns plaintext or null if decryption fails.
+ */
+function decryptContent(encrypted) {
+    if (!encryptionKey) {
+        return null;
+    }
+    try {
+        const combined = Buffer.from(encrypted, 'base64');
+        if (combined.length < NONCE_LENGTH + 1) {
+            return null;
+        }
+        const nonce = combined.subarray(0, NONCE_LENGTH);
+        const ciphertext = combined.subarray(NONCE_LENGTH);
+        const plaintext = tweetnacl_1.default.secretbox.open(ciphertext, nonce, encryptionKey);
+        if (!plaintext) {
+            return null; // Wrong key or corrupted data
+        }
+        return new TextDecoder().decode(plaintext);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * In-place decrypt memory content for a batch of memories.
+ * Skips memories that are:
+ *   - Not encrypted (encrypted !== true)
+ *   - Encrypted by a different pubkey (logs warning, leaves content as-is)
+ *   - Undecryptable (wrong key, corrupted — leaves content as-is)
+ */
+function decryptMemoryBatch(memories) {
+    if (!encryptionKey || !encryptionPubkey)
+        return memories;
+    for (const mem of memories) {
+        if (!mem.encrypted)
+            continue;
+        // Check pubkey match — skip if encrypted by different user
+        if (mem.encryption_pubkey && mem.encryption_pubkey !== encryptionPubkey) {
+            log.debug({ memPubkey: mem.encryption_pubkey?.slice(0, 12) }, 'Skipping memory encrypted by different key');
+            continue;
+        }
+        const decrypted = decryptContent(mem.content);
+        if (decrypted !== null) {
+            mem.content = decrypted;
+        }
+        else {
+            log.warn('Failed to decrypt memory content — wrong key or corrupted data');
+        }
+    }
+    return memories;
+}
+//# sourceMappingURL=encryption.js.map

package/dist/core/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/core/encryption.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;;;AAsBH,kDAiBC;AAKD,kDAEC;AAKD,kDAEC;AAMD,wCAeC;AAOD,wCAuBC;AASD,gDAuBC;AAtID,0DAA6B;AAC7B,mCAA8B;AAC9B,+BAAiC;AACjC,qCAA6C;AAE7C,MAAM,GAAG,GAAG,IAAA,0BAAiB,EAAC,YAAY,CAAC,CAAC;AAE5C,MAAM,SAAS,GAAG,IAAA,gBAAS,EAAC,aAAI,CAAC,CAAC;AAElC,MAAM,SAAS,GAAG,kBAAkB,CAAC;AACrC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AACtC,MAAM,YAAY,GAAG,mBAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,WAAW;AAE5D,IAAI,aAAa,GAAsB,IAAI,CAAC;AAC5C,IAAI,gBAAgB,GAAkB,IAAI,CAAC;AAE3C;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CAAC,eAA2B;IACnE,IAAI,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,kEAAkE;IAClE,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAE1C,+CAA+C;IAC/C,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC1E,aAAa,GAAG,IAAI,UAAU,CAAC,OAAsB,CAAC,CAAC;IAEvD,oDAAoD;IACpD,MAAM,OAAO,GAAG,mBAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC;IACjE,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErE,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;AACvF,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB;IACjC,OAAO,aAAa,KAAK,IAAI,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB;IACjC,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,SAAiB;IAC9C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,KAAK,GAAG,mBAAI,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAC7C,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,mBAAI,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC;IAEtE,iCAAiC;IACjC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAClE,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACvB,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAEvC,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED;;;;GAIG;AACH,SAAgB,cAAc,CAAC,SAAiB;IAC9C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,MAAM,GAAG,YAAY,GAAG,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,mBAAI,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC;QAExE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,CAAC,8BAA8B;QAC7C,CAAC;QAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,kBAAkB,CAChC,QAAa;IAEb,IAAI,CAAC,aAAa,IAAI,CAAC,gBAAgB;QAAE,OAAO,QAAQ,CAAC;IAEzD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,SAAS;QAE7B,2DAA2D;QAC3D,IAAI,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,iBAAiB,KAAK,gBAAgB,EAAE,CAAC;YACxE,GAAG,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,4CAA4C,CAAC,CAAC;YAC5G,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,GAAG,CAAC,OAAO,GAAG,SAAS,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/core/guardrails.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Output guardrails — sanitize LLM responses before they are posted.
+ * Catches prompt injection attempts, fund transfer language, and leaked secrets.
+ */
+export declare function setGuardrailBotAddress(address: string): void;
+export interface GuardrailResult {
+    safe: boolean;
+    reason?: string;
+    sanitized?: string;
+}
+/**
+ * Run all guardrails on LLM output before posting.
+ * Returns { safe: true } if output is clean.
+ * Returns { safe: false, reason, sanitized } if output was blocked or cleaned.
+ */
+export declare function checkOutput(text: string): GuardrailResult;
+/**
+ * Sanitize and validate LLM output. Returns the text if safe, or a fallback if blocked.
+ */
+export declare function sanitizeOutput(text: string, fallback?: string): string;
+export interface ContentFilterResult {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * Filter user-submitted input content (demo store, public endpoints).
+ * Blocks hate speech, slurs, violence, and spam.
+ */
+export declare function checkInputContent(text: string): ContentFilterResult;
+//# sourceMappingURL=guardrails.d.ts.map

package/dist/core/guardrails.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardrails.d.ts","sourceRoot":"","sources":["../../src/core/guardrails.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA8DH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAE5D;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CA8DzD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAW,GAAG,MAAM,CAM1E;AAkCD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,mBAAmB,CAyBnE"}

package/dist/core/guardrails.js

@@ -0,0 +1,191 @@
+"use strict";
+/**
+ * Output guardrails — sanitize LLM responses before they are posted.
+ * Catches prompt injection attempts, fund transfer language, and leaked secrets.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setGuardrailBotAddress = setGuardrailBotAddress;
+exports.checkOutput = checkOutput;
+exports.sanitizeOutput = sanitizeOutput;
+exports.checkInputContent = checkInputContent;
+const logger_1 = require("./logger");
+const tokenomics_1 = require("../knowledge/tokenomics");
+const log = (0, logger_1.createChildLogger)('guardrails');
+// Whitelisted addresses that are safe to share (official token CA, etc.)
+const WHITELISTED_ADDRESSES = new Set([
+    tokenomics_1.COGXAI_CA, // Official COGXAI token contract address
+]);
+// Whitelisted domains that are allowed in output (e.g. transaction explorers)
+const WHITELISTED_URL_DOMAINS = new Set([
+    'solscan.io',
+]);
+// URL patterns — catches links in output regardless of how they got there
+// (reversed text, base64 decode, character-by-character, ROT13, etc.)
+const URL_PATTERNS = [
+    // Explicit protocol URLs
+    /https?:\/\/\S+/i,
+    // Protocol-relative URLs
+    /\/\/[\w-]+\.[\w-]+/,
+    // Common URL shorteners (no protocol needed)
+    /\bt\.co\/\S+/i,
+    /\bbit\.ly\/\S+/i,
+    /\bgoo\.gl\/\S+/i,
+    /\btinyurl\.com\/\S+/i,
+    /\bift\.tt\/\S+/i,
+    /\bowl\.ly\/\S+/i,
+    /\bbuff\.ly\/\S+/i,
+    // Generic domain + path patterns (catches URLs without protocol)
+    /\b[\w-]+\.(?:com|io|org|net|co|xyz|app|dev|me|gg|to|cc|ly|link|lol|wtf|fun|meme|click|site|online|info|biz|tech|ai|so|vc|fm|tv|sh|im|is)\/\S+/i,
+];
+// Solana base58 address pattern (32-44 chars of base58 alphabet)
+const SOLANA_ADDRESS_RE = /\b[1-9A-HJ-NP-Za-km-z]{32,44}\b/g;
+// Common private key / seed phrase patterns (keyword-based only, no word-count heuristics)
+const SECRET_PATTERNS = [
+    /\b(?:private[\s_-]?key|secret[\s_-]?key|seed[\s_-]?phrase|mnemonic|recovery[\s_-]?phrase)\b/i,
+    /\b(?:here(?:'s| is) (?:my|the|your) (?:private key|seed phrase|secret key|mnemonic))\b/i,
+];
+// Fund transfer / transaction instruction patterns
+const TRANSFER_PATTERNS = [
+    /\b(?:send|transfer|withdraw|bridge|swap)\s+(?:\d+[\s.]?\d*\s*)?(?:SOL|sol|lamports|tokens?|USDC|USDT)\b/i,
+    /\b(?:sending|transferring|withdrawing)\s+(?:funds?|SOL|tokens?|crypto)\b/i,
+    /\bsend\s+(?:to|from)\s+(?:wallet|address)\b/i,
+    /\b(?:here(?:'s| is)\s+(?:the|my|your)\s+(?:wallet|address))\b/i,
+    /\b(?:airdrop|distribute|disperse)\s+(?:to|tokens?|SOL)\b/i,
+];
+// Contract address / mint patterns
+const CA_PATTERNS = [
+    /\b(?:CA|contract[\s_-]?address|mint[\s_-]?address|token[\s_-]?mint)\s*[:=]?\s*[1-9A-HJ-NP-Za-km-z]{32,44}\b/i,
+];
+// The bot's own wallet address — never leak this in replies
+let BOT_ADDRESS = null;
+function setGuardrailBotAddress(address) {
+    BOT_ADDRESS = address;
+}
+/**
+ * Run all guardrails on LLM output before posting.
+ * Returns { safe: true } if output is clean.
+ * Returns { safe: false, reason, sanitized } if output was blocked or cleaned.
+ */
+function checkOutput(text) {
+    // 1. Check for private key / seed phrase leaks
+    for (const pattern of SECRET_PATTERNS) {
+        if (pattern.test(text)) {
+            log.warn({ pattern: pattern.source }, 'GUARDRAIL: Secret pattern detected in output');
+            return { safe: false, reason: 'secret_leak' };
+        }
+    }
+    // 2. Check for fund transfer instructions
+    for (const pattern of TRANSFER_PATTERNS) {
+        if (pattern.test(text)) {
+            log.warn({ pattern: pattern.source, text: text.slice(0, 200) }, 'GUARDRAIL: Transfer language detected');
+            return { safe: false, reason: 'transfer_language' };
+        }
+    }
+    // 3. Check for contract address patterns (but allow whitelisted addresses)
+    for (const pattern of CA_PATTERNS) {
+        if (pattern.test(text)) {
+            // Check if the text contains only whitelisted addresses
+            const addresses = text.match(SOLANA_ADDRESS_RE) || [];
+            const hasNonWhitelisted = addresses.some(addr => !WHITELISTED_ADDRESSES.has(addr));
+            if (hasNonWhitelisted) {
+                log.warn({ text: text.slice(0, 200) }, 'GUARDRAIL: Unauthorized contract address detected');
+                return { safe: false, reason: 'contract_address' };
+            }
+            // If only whitelisted addresses, allow it
+        }
+    }
+    // 4. Check if output contains what looks like a Solana address (strip known safe ones)
+    const addresses = text.match(SOLANA_ADDRESS_RE) || [];
+    for (const addr of addresses) {
+        // Allow whitelisted addresses (official token CA, etc.)
+        if (WHITELISTED_ADDRESSES.has(addr))
+            continue;
+        // Allow solscan URLs (they contain tx signatures which look like addresses)
+        if (text.includes(`solscan.io/tx/${addr}`))
+            continue;
+        // Block if it matches bot's own address
+        if (BOT_ADDRESS && addr === BOT_ADDRESS) {
+            log.warn('GUARDRAIL: Bot wallet address leaked in output');
+            return { safe: false, reason: 'bot_address_leak' };
+        }
+    }
+    // 5. Check for URLs / links in output (blocks prompt injection via text reversal, decoding, etc.)
+    for (const pattern of URL_PATTERNS) {
+        const match = text.match(pattern);
+        if (match) {
+            const matchedUrl = match[0];
+            // Check if the matched URL belongs to a whitelisted domain
+            const isWhitelisted = [...WHITELISTED_URL_DOMAINS].some(domain => matchedUrl.includes(domain));
+            if (!isWhitelisted) {
+                log.warn({ url: matchedUrl.slice(0, 80) }, 'GUARDRAIL: URL detected in output');
+                return { safe: false, reason: 'url_in_output' };
+            }
+        }
+    }
+    return { safe: true };
+}
+/**
+ * Sanitize and validate LLM output. Returns the text if safe, or a fallback if blocked.
+ */
+function sanitizeOutput(text, fallback = '') {
+    const result = checkOutput(text);
+    if (result.safe)
+        return text;
+    log.error({ reason: result.reason, textLength: text.length }, 'GUARDRAIL: Output blocked');
+    return fallback;
+}
+// ── Input content filter (for user-submitted content like demo store) ──
+// Slurs and hate speech (case-insensitive)
+const SLUR_PATTERNS = [
+    /\bn+[i1!]+[gq]+[e3]*[r]+s?\b/i,
+    /\bf+[a@]+[gq]+[o0]*t*s?\b/i,
+    /\bk+[i1]+k+[e3]+s?\b/i,
+    /\bch+[i1]+n+k+s?\b/i,
+    /\bsp+[i1]+c+s?\b/i,
+    /\bw+[e3]+tb+[a@]+ck+s?\b/i,
+    /\bg+[o0]+[o0]+k+s?\b/i,
+    /\btr+[a@]+n+[i1e3]+s?\b/i,
+    /\bd+[y]+k+[e3]+s?\b/i,
+    /\bcr+[a@]+ck+[e3]+r+s?\b/i,
+    /\bre+t+[a@]+r+d+s?\b/i,
+];
+// Violence and harm
+const VIOLENCE_PATTERNS = [
+    /\b(?:kill|murder|shoot|stab|lynch|hang|behead|rape)\s+(?:all|every|them|those|the)\b/i,
+    /\b(?:gas|exterminate|genocide)\b/i,
+    /\bkill\s+(?:your|my|him|her)self\b/i,
+    /\bwhip\s+(?:him|her|them)\b/i,
+];
+// Spam / scam patterns
+const SPAM_PATTERNS = [
+    /\b(?:send|give|airdrop)\s+(?:me|us)\s+(?:free\s+)?(?:sol|crypto|tokens?|money)\b/i,
+    /\b(?:send|transfer)\s+\d+(?:\.\d+)?\s*(?:sol|eth|btc|usdc|usdt)\s+to\b/i,
+    /(?:private[\s_-]?key|seed[\s_-]?phrase)\b/i,
+];
+/**
+ * Filter user-submitted input content (demo store, public endpoints).
+ * Blocks hate speech, slurs, violence, and spam.
+ */
+function checkInputContent(text) {
+    const lower = text.toLowerCase();
+    for (const pattern of SLUR_PATTERNS) {
+        if (pattern.test(lower)) {
+            log.warn({ textSnippet: text.slice(0, 50) }, 'INPUT FILTER: Slur detected');
+            return { allowed: false, reason: 'hate_speech' };
+        }
+    }
+    for (const pattern of VIOLENCE_PATTERNS) {
+        if (pattern.test(lower)) {
+            log.warn({ textSnippet: text.slice(0, 50) }, 'INPUT FILTER: Violence detected');
+            return { allowed: false, reason: 'violence' };
+        }
+    }
+    for (const pattern of SPAM_PATTERNS) {
+        if (pattern.test(lower)) {
+            log.warn({ textSnippet: text.slice(0, 50) }, 'INPUT FILTER: Spam detected');
+            return { allowed: false, reason: 'spam' };
+        }
+    }
+    return { allowed: true };
+}
+//# sourceMappingURL=guardrails.js.map

package/dist/core/guardrails.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardrails.js","sourceRoot":"","sources":["../../src/core/guardrails.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA8DH,wDAEC;AAaD,kCA8DC;AAKD,wCAMC;AA2CD,8CAyBC;AAxND,qCAA6C;AAC7C,wDAAoD;AAEpD,MAAM,GAAG,GAAG,IAAA,0BAAiB,EAAC,YAAY,CAAC,CAAC;AAE5C,yEAAyE;AACzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,sBAAS,EAAG,yCAAyC;CACtD,CAAC,CAAC;AAEH,8EAA8E;AAC9E,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,YAAY;CACb,CAAC,CAAC;AAEH,0EAA0E;AAC1E,sEAAsE;AACtE,MAAM,YAAY,GAAa;IAC7B,yBAAyB;IACzB,iBAAiB;IACjB,yBAAyB;IACzB,oBAAoB;IACpB,6CAA6C;IAC7C,eAAe;IACf,iBAAiB;IACjB,iBAAiB;IACjB,sBAAsB;IACtB,iBAAiB;IACjB,iBAAiB;IACjB,kBAAkB;IAClB,iEAAiE;IACjE,gJAAgJ;CACjJ,CAAC;AAEF,iEAAiE;AACjE,MAAM,iBAAiB,GAAG,kCAAkC,CAAC;AAE7D,2FAA2F;AAC3F,MAAM,eAAe,GAAG;IACtB,8FAA8F;IAC9F,yFAAyF;CAC1F,CAAC;AAEF,mDAAmD;AACnD,MAAM,iBAAiB,GAAG;IACxB,0GAA0G;IAC1G,2EAA2E;IAC3E,8CAA8C;IAC9C,gEAAgE;IAChE,2DAA2D;CAC5D,CAAC;AAEF,mCAAmC;AACnC,MAAM,WAAW,GAAG;IAClB,8GAA8G;CAC/G,CAAC;AAEF,4DAA4D;AAC5D,IAAI,WAAW,GAAkB,IAAI,CAAC;AAEtC,SAAgB,sBAAsB,CAAC,OAAe;IACpD,WAAW,GAAG,OAAO,CAAC;AACxB,CAAC;AAQD;;;;GAIG;AACH,SAAgB,WAAW,CAAC,IAAY;IACtC,+CAA+C;IAC/C,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,8CAA8C,CAAC,CAAC;YACtF,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,uCAAuC,CAAC,CAAC;YACzG,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,wDAAwD;YACxD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;YACtD,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YACnF,IAAI,iBAAiB,EAAE,CAAC;gBACtB,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,mDAAmD,CAAC,CAAC;gBAC5F,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;YACrD,CAAC;YACD,0CAA0C;QAC5C,CAAC;IACH,CAAC;IAED,uFAAuF;IACvF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IACtD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,wDAAwD;QACxD,IAAI,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9C,4EAA4E;QAC5E,IAAI,IAAI,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC;YAAE,SAAS;QACrD,wCAAwC;QACxC,IAAI,WAAW,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;YACxC,GAAG,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC3D,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,kGAAkG;IAClG,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,2DAA2D;YAC3D,MAAM,aAAa,GAAG,CAAC,GAAG,uBAAuB,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAC/D,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC5B,CAAC;YACF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,mCAAmC,CAAC,CAAC;gBAChF,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,IAAY,EAAE,WAAmB,EAAE;IAChE,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAE7B,GAAG,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC;IAC3F,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,0EAA0E;AAE1E,2CAA2C;AAC3C,MAAM,aAAa,GAAG;IACpB,+BAA+B;IAC/B,4BAA4B;IAC5B,uBAAuB;IACvB,qBAAqB;IACrB,mBAAmB;IACnB,2BAA2B;IAC3B,uBAAuB;IACvB,0BAA0B;IAC1B,sBAAsB;IACtB,2BAA2B;IAC3B,uBAAuB;CACxB,CAAC;AAEF,oBAAoB;AACpB,MAAM,iBAAiB,GAAG;IACxB,uFAAuF;IACvF,mCAAmC;IACnC,qCAAqC;IACrC,8BAA8B;CAC/B,CAAC;AAEF,uBAAuB;AACvB,MAAM,aAAa,GAAG;IACpB,mFAAmF;IACnF,yEAAyE;IACzE,4CAA4C;CAC7C,CAAC;AAOF;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAEjC,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,6BAA6B,CAAC,CAAC;YAC5E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QACnD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,iCAAiC,CAAC,CAAC;YAChF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,6BAA6B,CAAC,CAAC;YAC5E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC"}