corpus-core 0.1.0

package/dist/scanners/context-poisoning.js

@@ -0,0 +1,48 @@
+const POISONING_PATTERNS = [
+    'ignore previous instructions', 'override all rules', 'you must always',
+    'from now on always', 'your new primary directive', 'secret instruction:',
+    'hidden instruction:', 'when asked about', 'never reveal',
+    'always respond with', 'pretend that', 'act as though',
+    'the real answer is', 'disregard safety', 'bypass all', 'system override',
+];
+const AUTHORITY_CLAIMS = [
+    'i am the administrator', 'i am the owner', 'admin access granted',
+    'elevated privileges', 'full access mode', 'authorized override',
+    'master key:', 'root access',
+];
+/**
+ * Scans a memory chunk for poisoning signatures.
+ */
+export function scanMemoryChunk(content, chunkId, retrievalQuery) {
+    const lower = content.toLowerCase();
+    const id = chunkId ?? '';
+    for (const pattern of POISONING_PATTERNS) {
+        if (lower.includes(pattern)) {
+            return {
+                severity: 'POISONED',
+                pattern,
+                chunkId: id,
+                message: `Memory poisoning in chunk '${id}': pattern '${pattern}'${retrievalQuery ? `. Query: '${retrievalQuery}'` : ''}`,
+            };
+        }
+    }
+    for (const pattern of AUTHORITY_CLAIMS) {
+        if (lower.includes(pattern)) {
+            return {
+                severity: 'SUSPICIOUS',
+                pattern,
+                chunkId: id,
+                message: `Suspicious authority claim in chunk '${id}': '${pattern}'`,
+            };
+        }
+    }
+    return { severity: 'CLEAN', pattern: null, chunkId: id, message: '' };
+}
+/**
+ * Batch scan multiple memory chunks. Returns only problematic ones.
+ */
+export function scanMemoryChunks(chunks, retrievalQuery) {
+    return chunks
+        .map((c) => scanMemoryChunk(c.content, c.id, retrievalQuery))
+        .filter((r) => r.severity !== 'CLEAN');
+}

package/dist/scanners/cross-user-firewall.d.ts

@@ -0,0 +1,10 @@
+export interface IsolationCheckResult {
+    isolated: boolean;
+    foreignUserIds: string[];
+    foreignNamespaces: string[];
+    message: string;
+}
+/**
+ * Checks that no content from other users is in the current context.
+ */
+export declare function checkContextIsolation(currentUserId: string, contextUserIds: string[], memoryNamespaces?: string[]): IsolationCheckResult;

package/dist/scanners/cross-user-firewall.js

@@ -0,0 +1,24 @@
+/**
+ * Checks that no content from other users is in the current context.
+ */
+export function checkContextIsolation(currentUserId, contextUserIds, memoryNamespaces) {
+    const foreignUsers = contextUserIds.filter((id) => id !== currentUserId);
+    const foreignNs = (memoryNamespaces ?? []).filter((ns) => !ns.toLowerCase().includes(currentUserId.toLowerCase()));
+    if (foreignUsers.length > 0) {
+        return {
+            isolated: false,
+            foreignUserIds: foreignUsers,
+            foreignNamespaces: foreignNs,
+            message: `Cross-user contamination: context contains data from user(s) ${foreignUsers.join(', ')}`,
+        };
+    }
+    if (foreignNs.length > 0) {
+        return {
+            isolated: false,
+            foreignUserIds: [],
+            foreignNamespaces: foreignNs,
+            message: `Memory from non-user namespaces: ${foreignNs.join(', ')}`,
+        };
+    }
+    return { isolated: true, foreignUserIds: [], foreignNamespaces: [], message: '' };
+}

package/dist/scanners/dependency-checker.d.ts

@@ -0,0 +1,15 @@
+export type DependencySeverity = 'CRITICAL' | 'WARNING' | 'INFO';
+export interface DependencyFinding {
+    severity: DependencySeverity;
+    package: string;
+    file: string;
+    line: number;
+    reason: 'nonexistent' | 'typosquat' | 'unpopular_suspicious';
+    suggestion: string;
+    similarPackages?: string[];
+}
+export declare function extractImportedPackages(content: string): string[];
+export declare function checkDependencies(content: string, filepath: string, options?: {
+    projectRoot?: string;
+    knownPackages?: Set<string>;
+}): Promise<DependencyFinding[]>;

package/dist/scanners/dependency-checker.js

@@ -0,0 +1,203 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
+const TOP_PACKAGES = [
+    'react', 'react-dom', 'next', 'express', 'lodash', 'axios', 'typescript',
+    'webpack', 'babel', 'eslint', 'prettier', 'jest', 'mocha', 'chai', 'sinon',
+    'moment', 'dayjs', 'date-fns', 'uuid', 'dotenv', 'cors', 'body-parser',
+    'cookie-parser', 'jsonwebtoken', 'bcrypt', 'passport', 'mongoose', 'sequelize',
+    'prisma', '@prisma/client', 'pg', 'mysql2', 'redis', 'ioredis', 'socket.io',
+    'ws', 'graphql', 'apollo-server', '@apollo/client', 'tailwindcss', 'postcss',
+    'autoprefixer', 'sass', 'styled-components', '@emotion/react', 'framer-motion',
+    'three', 'd3', 'chart.js', '@types/node', '@types/react', 'zod', 'yup', 'joi',
+    'ajv', 'commander', 'inquirer', 'chalk', 'ora', 'got', 'node-fetch', 'cheerio',
+    'puppeteer', 'playwright', 'sharp', 'multer', 'formidable', 'nodemailer', 'bull',
+    'stripe', '@stripe/stripe-js', 'firebase', '@firebase/app', 'supabase',
+    '@supabase/supabase-js', 'aws-sdk', '@aws-sdk/client-s3', 'openai',
+    '@anthropic-ai/sdk', 'langchain', '@langchain/core', 'vue', 'svelte', 'angular',
+    '@angular/core', 'nuxt', 'vite', 'esbuild', 'rollup', 'turbo', 'pnpm', 'bun',
+];
+const IMPORT_PATTERNS = [
+    /import\s+(?:[\s\S]*?\s+from\s+)?['"]([^'"]+)['"]/g,
+    /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+    /import\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+];
+function extractPackageName(specifier) {
+    if (specifier.startsWith('.') || specifier.startsWith('/'))
+        return null;
+    if (specifier.startsWith('@')) {
+        const parts = specifier.split('/');
+        if (parts.length < 2)
+            return null;
+        return `${parts[0]}/${parts[1]}`;
+    }
+    return specifier.split('/')[0];
+}
+export function extractImportedPackages(content) {
+    const packages = new Set();
+    for (const pattern of IMPORT_PATTERNS) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+            const pkg = extractPackageName(match[1]);
+            if (pkg)
+                packages.add(pkg);
+        }
+    }
+    return [...packages];
+}
+function levenshtein(a, b) {
+    const m = a.length;
+    const n = b.length;
+    const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+    for (let i = 0; i <= m; i++)
+        dp[i][0] = i;
+    for (let j = 0; j <= n; j++)
+        dp[0][j] = j;
+    for (let i = 1; i <= m; i++) {
+        for (let j = 1; j <= n; j++) {
+            const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+            dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
+        }
+    }
+    return dp[m][n];
+}
+function findTyposquatMatches(pkg) {
+    const matches = [];
+    for (const top of TOP_PACKAGES) {
+        if (top === pkg)
+            continue;
+        const dist = levenshtein(pkg, top);
+        if (dist > 0 && dist <= 2)
+            matches.push(top);
+    }
+    return matches;
+}
+function getLineNumber(content, index) {
+    return content.slice(0, index).split('\n').length;
+}
+function loadCache(projectRoot) {
+    const cachePath = join(projectRoot, '.corpus', 'npm-cache.json');
+    if (!existsSync(cachePath))
+        return {};
+    try {
+        return JSON.parse(readFileSync(cachePath, 'utf-8'));
+    }
+    catch {
+        return {};
+    }
+}
+function saveCache(projectRoot, cache) {
+    const cacheDir = join(projectRoot, '.corpus');
+    if (!existsSync(cacheDir))
+        mkdirSync(cacheDir, { recursive: true });
+    writeFileSync(join(cacheDir, 'npm-cache.json'), JSON.stringify(cache, null, 2));
+}
+function isCacheValid(entry) {
+    return Date.now() - new Date(entry.checkedAt).getTime() < CACHE_TTL_MS;
+}
+function loadKnownPackages(projectRoot) {
+    const pkgPath = join(projectRoot, 'package.json');
+    if (!existsSync(pkgPath))
+        return new Set();
+    try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+        const deps = Object.keys(pkg.dependencies ?? {});
+        const devDeps = Object.keys(pkg.devDependencies ?? {});
+        return new Set([...deps, ...devDeps]);
+    }
+    catch {
+        return new Set();
+    }
+}
+async function checkNpmExists(pkg) {
+    try {
+        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(pkg)}`, {
+            method: 'HEAD',
+        });
+        return res.ok;
+    }
+    catch {
+        return true;
+    }
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+export async function checkDependencies(content, filepath, options) {
+    const findings = [];
+    const projectRoot = options?.projectRoot ?? process.cwd();
+    const knownPackages = options?.knownPackages ?? loadKnownPackages(projectRoot);
+    const cache = loadCache(projectRoot);
+    const packageLocations = new Map();
+    for (const pattern of IMPORT_PATTERNS) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+            const pkg = extractPackageName(match[1]);
+            if (!pkg)
+                continue;
+            const line = getLineNumber(content, match.index);
+            if (!packageLocations.has(pkg))
+                packageLocations.set(pkg, []);
+            packageLocations.get(pkg).push(line);
+        }
+    }
+    const packagesToCheck = [];
+    for (const pkg of packageLocations.keys()) {
+        if (knownPackages.has(pkg))
+            continue;
+        if (pkg.startsWith('node:'))
+            continue;
+        packagesToCheck.push(pkg);
+    }
+    let requestCount = 0;
+    for (const pkg of packagesToCheck) {
+        const lines = packageLocations.get(pkg);
+        const line = lines[0];
+        const typosquatMatches = findTyposquatMatches(pkg);
+        let exists;
+        const cached = cache[pkg];
+        if (cached && isCacheValid(cached)) {
+            exists = cached.exists;
+        }
+        else {
+            if (requestCount > 0 && requestCount % 10 === 0) {
+                await delay(1000);
+            }
+            exists = await checkNpmExists(pkg);
+            cache[pkg] = { exists, checkedAt: new Date().toISOString() };
+            requestCount++;
+        }
+        if (!exists) {
+            const finding = {
+                severity: 'CRITICAL',
+                package: pkg,
+                file: filepath,
+                line,
+                reason: 'nonexistent',
+                suggestion: `Package "${pkg}" does not exist on npm. This may be an AI-hallucinated dependency.`,
+            };
+            if (typosquatMatches.length > 0) {
+                finding.similarPackages = typosquatMatches;
+                finding.suggestion += ` Did you mean: ${typosquatMatches.join(', ')}?`;
+            }
+            findings.push(finding);
+        }
+        else if (typosquatMatches.length > 0) {
+            findings.push({
+                severity: 'WARNING',
+                package: pkg,
+                file: filepath,
+                line,
+                reason: 'typosquat',
+                suggestion: `Package "${pkg}" exists but is very similar to: ${typosquatMatches.join(', ')}. Verify this is the intended package.`,
+                similarPackages: typosquatMatches,
+            });
+        }
+    }
+    saveCache(projectRoot, cache);
+    const severityOrder = { CRITICAL: 0, WARNING: 1, INFO: 2 };
+    findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+    return findings;
+}

package/dist/scanners/exfiltration-guard.d.ts

@@ -0,0 +1,19 @@
+export interface PiiMatch {
+    type: 'EMAIL' | 'PHONE' | 'SSN' | 'CREDIT_CARD' | 'IP_ADDRESS' | 'CONTEXT_PII';
+    value: string;
+    redacted: string;
+}
+export interface ExfiltrationScanResult {
+    hasPii: boolean;
+    matches: PiiMatch[];
+    redactedPayload: string;
+}
+/**
+ * Scans a payload string for PII and returns matches + a redacted version.
+ * Optionally checks for custom context fields (user names, etc.).
+ */
+export declare function scanPayload(payload: string, contextFields?: string[]): ExfiltrationScanResult;
+/**
+ * Convenience: redact a payload in-place and return just the cleaned string.
+ */
+export declare function redactPayload(payload: string, contextFields?: string[]): string;

package/dist/scanners/exfiltration-guard.js

@@ -0,0 +1,49 @@
+const PATTERNS = [
+    { type: 'EMAIL', regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, redacted: '[EMAIL_REDACTED]' },
+    { type: 'PHONE', regex: /(\+?1?\s?)?(\(?\d{3}\)?[\s.-]?)?\d{3}[\s.-]?\d{4}/g, redacted: '[PHONE_REDACTED]' },
+    { type: 'SSN', regex: /\b\d{3}-\d{2}-\d{4}\b/g, redacted: '[SSN_REDACTED]' },
+    { type: 'CREDIT_CARD', regex: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g, redacted: '[CARD_REDACTED]' },
+    { type: 'IP_ADDRESS', regex: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g, redacted: '[IP_REDACTED]' },
+];
+/**
+ * Scans a payload string for PII and returns matches + a redacted version.
+ * Optionally checks for custom context fields (user names, etc.).
+ */
+export function scanPayload(payload, contextFields) {
+    const matches = [];
+    let redacted = payload;
+    for (const { type, regex, redacted: redactedStr } of PATTERNS) {
+        // Reset regex state
+        regex.lastIndex = 0;
+        let match;
+        while ((match = regex.exec(payload)) !== null) {
+            const value = match[0];
+            if (type === 'PHONE' && value.trim().length < 10)
+                continue;
+            matches.push({ type, value, redacted: redactedStr });
+            redacted = redacted.replace(value, redactedStr);
+        }
+    }
+    if (contextFields) {
+        for (const field of contextFields) {
+            if (field.length > 2 && payload.toLowerCase().includes(field.toLowerCase())) {
+                matches.push({ type: 'CONTEXT_PII', value: field, redacted: '[PII_REDACTED]' });
+                redacted = redacted.replace(new RegExp(escapeRegex(field), 'gi'), '[PII_REDACTED]');
+            }
+        }
+    }
+    return {
+        hasPii: matches.length > 0,
+        matches,
+        redactedPayload: redacted,
+    };
+}
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Convenience: redact a payload in-place and return just the cleaned string.
+ */
+export function redactPayload(payload, contextFields) {
+    return scanPayload(payload, contextFields).redactedPayload;
+}

package/dist/scanners/index.d.ts

@@ -0,0 +1,12 @@
+export { scanForInjection, type InjectionScanResult, type InjectionSeverity } from './injection-firewall.js';
+export { scanPayload, redactPayload, type ExfiltrationScanResult, type PiiMatch } from './exfiltration-guard.js';
+export { scanMemoryChunk, scanMemoryChunks, type PoisoningScanResult, type PoisoningSeverity } from './context-poisoning.js';
+export { checkActionScope, type ScopeCheckResult, type ScopeMap } from './scope-enforcer.js';
+export { checkContextIsolation, type IsolationCheckResult } from './cross-user-firewall.js';
+export { auditCalibration, type CalibrationEntry, type CalibrationResult, type CalibrationReport } from './confidence-calibrator.js';
+export { checkUndoIntegrity, type UndoCheckResult, type UndoCapability } from './undo-integrity.js';
+export { checkSessionIntegrity, type SessionEvent, type SessionCheckResult } from './session-hijack.js';
+export { detectSecrets, scanFiles, type SecretFinding, type SecretSeverity } from './secret-detector.js';
+export { checkCodeSafety, type SafetyFinding, type SafetySeverity } from './code-safety.js';
+export { computeFileTrust, computeCodebaseTrust, type FileTrustResult, type CodebaseTrustResult, type TrustFinding } from './trust-score.js';
+export { checkDependencies, extractImportedPackages, type DependencyFinding } from './dependency-checker.js';

package/dist/scanners/index.js

@@ -0,0 +1,12 @@
+export { scanForInjection } from './injection-firewall.js';
+export { scanPayload, redactPayload } from './exfiltration-guard.js';
+export { scanMemoryChunk, scanMemoryChunks } from './context-poisoning.js';
+export { checkActionScope } from './scope-enforcer.js';
+export { checkContextIsolation } from './cross-user-firewall.js';
+export { auditCalibration } from './confidence-calibrator.js';
+export { checkUndoIntegrity } from './undo-integrity.js';
+export { checkSessionIntegrity } from './session-hijack.js';
+export { detectSecrets, scanFiles } from './secret-detector.js';
+export { checkCodeSafety } from './code-safety.js';
+export { computeFileTrust, computeCodebaseTrust } from './trust-score.js';
+export { checkDependencies, extractImportedPackages } from './dependency-checker.js';

package/dist/scanners/injection-firewall.d.ts

@@ -0,0 +1,12 @@
+export type InjectionSeverity = 'CLEAN' | 'SUSPICIOUS' | 'BLOCK';
+export interface InjectionScanResult {
+    severity: InjectionSeverity;
+    pattern: string | null;
+    category: 'instruction_override' | 'role_escalation' | 'exfiltration' | 'encoded_payload' | null;
+    message: string;
+}
+/**
+ * Scans content for prompt injection patterns.
+ * Returns immediately on first match (fast path).
+ */
+export declare function scanForInjection(content: string, source?: string): InjectionScanResult;

package/dist/scanners/injection-firewall.js

@@ -0,0 +1,71 @@
+const INSTRUCTION_OVERRIDE = [
+    'ignore previous instructions', 'ignore all previous', 'disregard above',
+    'forget everything', 'new task:', 'new instructions:', 'you are now',
+    'your new role', 'override:', 'ignore the above', 'do not follow',
+    'stop following', 'from now on', 'reset your instructions',
+    'pretend you are', 'act as if',
+];
+const ROLE_ESCALATION = [
+    'you are an admin', 'you are root', 'you have full access',
+    'system prompt', 'developer mode', 'sudo mode', 'unrestricted mode',
+    'jailbreak', 'god mode', 'bypass safety', 'bypass filters',
+    'no restrictions', 'without limitations', 'act as an unrestricted',
+    'dan mode',
+];
+const EXFILTRATION = [
+    'send to', 'forward to', 'email to', 'post to', 'upload to',
+    'exfiltrate', 'send all data', 'forward all emails', 'share with',
+    'transmit to', 'copy to external', 'leak the',
+];
+/**
+ * Scans content for prompt injection patterns.
+ * Returns immediately on first match (fast path).
+ */
+export function scanForInjection(content, source) {
+    const lower = content.toLowerCase();
+    const src = source ?? 'unknown';
+    for (const pattern of INSTRUCTION_OVERRIDE) {
+        if (lower.includes(pattern)) {
+            return {
+                severity: 'BLOCK',
+                pattern,
+                category: 'instruction_override',
+                message: `Injection detected: instruction override '${pattern}' in content from '${src}'`,
+            };
+        }
+    }
+    for (const pattern of ROLE_ESCALATION) {
+        if (lower.includes(pattern)) {
+            return {
+                severity: 'BLOCK',
+                pattern,
+                category: 'role_escalation',
+                message: `Injection detected: role escalation '${pattern}' in content from '${src}'`,
+            };
+        }
+    }
+    for (const pattern of EXFILTRATION) {
+        if (lower.includes(pattern)) {
+            return {
+                severity: 'SUSPICIOUS',
+                pattern,
+                category: 'exfiltration',
+                message: `Suspicious: possible exfiltration pattern '${pattern}' in content from '${src}'`,
+            };
+        }
+    }
+    // Check for encoded payloads (high density of alphanumeric chars)
+    if (content.length > 200) {
+        const alphaCount = [...content].filter((c) => /[a-zA-Z0-9/+=]/.test(c)).length;
+        const ratio = alphaCount / content.length;
+        if (ratio > 0.95) {
+            return {
+                severity: 'SUSPICIOUS',
+                pattern: `encoded_payload (density: ${ratio.toFixed(2)})`,
+                category: 'encoded_payload',
+                message: `Suspicious: possible encoded payload from '${src}'`,
+            };
+        }
+    }
+    return { severity: 'CLEAN', pattern: null, category: null, message: '' };
+}

package/dist/scanners/scope-enforcer.d.ts

@@ -0,0 +1,10 @@
+export interface ScopeCheckResult {
+    allowed: boolean;
+    message: string;
+}
+export type ScopeMap = Record<string, string[]>;
+/**
+ * Checks if an action on an integration is within declared scope.
+ * If no scope map is provided, everything passes.
+ */
+export declare function checkActionScope(integration: string, action: string, scopeMap: ScopeMap): ScopeCheckResult;

package/dist/scanners/scope-enforcer.js

@@ -0,0 +1,30 @@
+/**
+ * Checks if an action on an integration is within declared scope.
+ * If no scope map is provided, everything passes.
+ */
+export function checkActionScope(integration, action, scopeMap) {
+    if (!scopeMap || Object.keys(scopeMap).length === 0) {
+        return { allowed: true, message: '' };
+    }
+    const actLower = action.toLowerCase();
+    // Normalize scope map keys to lowercase for case-insensitive lookup
+    const normalizedMap = {};
+    for (const key of Object.keys(scopeMap)) {
+        normalizedMap[key.toLowerCase()] = scopeMap[key];
+    }
+    const intLower = integration.toLowerCase();
+    if (!(intLower in normalizedMap)) {
+        return {
+            allowed: false,
+            message: `Integration '${integration}' is not in scope. Allowed: ${Object.keys(scopeMap).join(', ')}`,
+        };
+    }
+    const allowedActions = normalizedMap[intLower].map((a) => a.toLowerCase());
+    if (!allowedActions.includes(actLower)) {
+        return {
+            allowed: false,
+            message: `Action '${action}' is not allowed on '${integration}'. Allowed: ${normalizedMap[intLower].join(', ')}`,
+        };
+    }
+    return { allowed: true, message: '' };
+}

package/dist/scanners/secret-detector.d.ts

@@ -0,0 +1,34 @@
+export type SecretSeverity = 'CRITICAL' | 'WARNING' | 'INFO';
+export interface SecretFinding {
+    severity: SecretSeverity;
+    type: string;
+    value: string;
+    redacted: string;
+    line: number;
+    column: number;
+    file: string;
+    message: string;
+    isAiPattern: boolean;
+}
+/**
+ * Scans file content for secrets and AI-specific security patterns.
+ * Returns findings sorted by severity (CRITICAL first).
+ */
+export declare function detectSecrets(content: string, filepath: string, options?: {
+    skipTests?: boolean;
+    skipPlaceholders?: boolean;
+}): SecretFinding[];
+/**
+ * Scans multiple files and returns aggregate results.
+ */
+export declare function scanFiles(files: {
+    path: string;
+    content: string;
+}[], options?: {
+    skipTests?: boolean;
+    skipPlaceholders?: boolean;
+}): {
+    findings: SecretFinding[];
+    scannedFiles: number;
+    scanTimeMs: number;
+};