llm-cli-gateway 1.0.0

package/dist/review-integrity.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Review Integrity Bypass Detection
+ *
+ * Detects when orchestrating agents neuter the multi-LLM review process by:
+ * - Embedding tool-suppression language in review prompts
+ * - Inlining full code instead of letting reviewers read files directly
+ * - Setting allowedTools:[] to strip tool access from reviewers
+ *
+ * Two-gate design: violations only emitted when BOTH review context AND
+ * a restriction are detected. This avoids false positives on non-review
+ * prompts that happen to contain similar language.
+ */
+export interface ReviewIntegrityViolation {
+    type: "tool_suppression" | "inlined_code" | "empty_allowed_tools" | "critical_tools_disallowed";
+    score: number;
+    detail: string;
+}
+export interface ReviewIntegrityResult {
+    isReviewContext: boolean;
+    violations: ReviewIntegrityViolation[];
+    totalScore: number;
+}
+/**
+ * Detect whether the prompt is a review/audit context.
+ * Uses two-part detection: unambiguous phrases match alone,
+ * ambiguous verbs (review, analyze, etc.) require a code anchor.
+ * Normalizes Unicode before matching to prevent confusable bypasses.
+ */
+export declare function isReviewContext(prompt: string): boolean;
+/**
+ * Detect tool-suppression language in a prompt.
+ * Returns the matched patterns for diagnostics.
+ */
+export declare function detectToolSuppression(prompt: string): string[];
+/**
+ * Detect inlined code blocks that look like full file dumps.
+ * Two detection strategies:
+ * 1. Any single code block with 200+ chars is flagged.
+ * 2. Fallback: if total chars across ALL code blocks (even small ones)
+ *    exceeds 1000, flag to catch split-block bypass attempts.
+ */
+export declare function detectInlinedCode(prompt: string): {
+    count: number;
+    totalChars: number;
+};
+export declare function checkReviewIntegrity(params: {
+    prompt: string;
+    allowedTools?: string[];
+    disallowedTools?: string[];
+}): ReviewIntegrityResult;

package/dist/review-integrity.js

@@ -0,0 +1,283 @@
+/**
+ * Review Integrity Bypass Detection
+ *
+ * Detects when orchestrating agents neuter the multi-LLM review process by:
+ * - Embedding tool-suppression language in review prompts
+ * - Inlining full code instead of letting reviewers read files directly
+ * - Setting allowedTools:[] to strip tool access from reviewers
+ *
+ * Two-gate design: violations only emitted when BOTH review context AND
+ * a restriction are detected. This avoids false positives on non-review
+ * prompts that happen to contain similar language.
+ */
+// Two-part review context detection: a REVIEW_ACTION verb/phrase + a CODE_ANCHOR
+// in the same prompt. This avoids false positives like "Analyze customer feedback"
+// (has action but no code anchor) while catching "Analyze the implementation" (has both).
+//
+// Unambiguous multi-word phrases (code review, security audit, etc.) match on
+// their own without needing a separate code anchor.
+// Phrases that are unambiguously code-review context on their own:
+const UNAMBIGUOUS_REVIEW = /\b(code\s*review|security\s*audit|security\s*review|security\s*(?:vulnerabilit(?:y|ies)|scan|assessment)|bug\s*finding|quality\s*analysis|code\s*quality|code\s*audit|code\s*inspection|static\s*analysis|penetration\s*test(?:ing)?|threat\s*model|owasp|pentest|red[- ]?team|backdoor|exploitab(?:le|ility)|vulnerabilit(?:y|ies)|defects?|flaws?|weakness(?:es)?)\b/i;
+// Broad review-action verbs that need a code anchor to confirm context:
+const REVIEW_ACTIONS = /\b(review|audit|analyze|inspect|examine|assess|evaluate|verify|validate|triage|hunt|vet(?:ting)?|probe|diagnos(?:e|tics?)|find\s*(?:bugs?|issues?|defects?|flaws?|attack\s*(?:surface|path|vector)s?)|check\s*(?:for\s+)?(?:bugs?|issues?|errors?|problems?|defects?)|look\s*over|scan\s*(?:for|the))\b/i;
+// Code-related anchor words that confirm the prompt is about software.
+// Excludes ambiguous words (service, session, controller, route) that appear in non-code contexts.
+const CODE_ANCHORS = /\b(code|source|implementation|function|method|class|module|component|files?|patch|diff|commit|PR|pull\s*request|API|endpoint|auth|parser|codebase|repositor(?:y|ies)|repo|src|\.ts|\.js|\.py|\.go|\.rs|\.java|error\s*handling|middleware|handler|test\s*suite|retry|database|query|schema|config)\b/i;
+/**
+ * Detect whether the prompt is a review/audit context.
+ * Uses two-part detection: unambiguous phrases match alone,
+ * ambiguous verbs (review, analyze, etc.) require a code anchor.
+ * Normalizes Unicode before matching to prevent confusable bypasses.
+ */
+export function isReviewContext(prompt) {
+    const normalized = normalizeForMatching(prompt);
+    if (UNAMBIGUOUS_REVIEW.test(normalized))
+        return true;
+    return REVIEW_ACTIONS.test(normalized) && CODE_ANCHORS.test(normalized);
+}
+// Normalize text for matching: NFKD decomposition to fold compatibility characters AND
+// decompose precomposed diacritics, then strip combining marks and confusables.
+function normalizeForMatching(text) {
+    return text
+        // NFKD: decomposes compatibility chars AND precomposed diacritics (é → e + U+0301)
+        .normalize("NFKD")
+        // Strip combining marks (diacritics): é (e + U+0301), n̸ (n + U+0338), etc.
+        // Must happen AFTER NFKD decomposition so precomposed characters are split first.
+        .replace(/[\u0300-\u036F]/g, "")
+        // Strip invisible Unicode format characters (zero-width joiners, soft hyphens, etc.)
+        .replace(/[\u200B-\u200F\u2028-\u202F\u2060-\u206F\uFEFF\u00AD]/g, "")
+        .replace(/[\u2018\u2019\u0060\u00B4]/g, "'")
+        .replace(/[\u201C\u201D]/g, '"')
+        // Fold common Cyrillic confusables that survive NFKC (visually identical to Latin)
+        .replace(/\u0430/g, "a") // а → a
+        .replace(/\u0435/g, "e") // е → e
+        .replace(/\u043E/g, "o") // о → o
+        .replace(/\u0440/g, "p") // р → p
+        .replace(/\u0441/g, "c") // с → c
+        .replace(/\u0445/g, "x") // х → x
+        .replace(/\u0456/g, "i") // і → i (Cyrillic i)
+        .replace(/\u0410/g, "A") // А → A
+        .replace(/\u0415/g, "E") // Е → E
+        .replace(/\u041E/g, "O") // О → O
+        .replace(/\u0420/g, "P") // Р → P
+        .replace(/\u0421/g, "C") // С → C
+        .replace(/\u0425/g, "X") // Х → X
+        // Fold common Greek confusables (visually identical to Latin)
+        .replace(/\u03BF/g, "o") // ο → o (Greek omicron)
+        .replace(/\u03C5/g, "u") // υ → u (Greek upsilon)
+        .replace(/\u03BD/g, "v") // ν → v (Greek nu)
+        .replace(/\u03B1/g, "a") // α → a (Greek alpha)
+        .replace(/\u03B5/g, "e") // ε → e (Greek epsilon)
+        .replace(/\u03B9/g, "i") // ι → i (Greek iota)
+        .replace(/\u03BA/g, "k") // κ → k (Greek kappa)
+        .replace(/\u03C1/g, "p") // ρ → p (Greek rho)
+        .replace(/\u039F/g, "O") // Ο → O (Greek capital omicron)
+        .replace(/\u0391/g, "A") // Α → A (Greek capital alpha)
+        .replace(/\u0395/g, "E") // Ε → E (Greek capital epsilon)
+        .replace(/\u0399/g, "I") // Ι → I (Greek capital iota)
+        .replace(/\u039A/g, "K") // Κ → K (Greek capital kappa)
+        // Fold Latin small capitals and modifier letters (used in visual spoofing)
+        .replace(/\u1D0F/g, "o") // ᴏ → o (Latin small capital O)
+        .replace(/\u1D20/g, "v") // ᴠ → v (Latin small capital V)
+        .replace(/\u1D00/g, "a") // ᴀ → a (Latin small capital A)
+        .replace(/\u1D04/g, "c") // ᴄ → c (Latin small capital C)
+        .replace(/\u1D07/g, "e") // ᴇ → e (Latin small capital E)
+        .replace(/\u026A/g, "i") // ɪ → i (Latin small capital I)
+        .replace(/\u0280/g, "r"); // ʀ → r (Latin small capital R)
+}
+// Patterns that combine negation with tool/command references.
+// Each pattern requires a negation word near a tool-related action.
+// Tolerates punctuation and intervening clauses between negation and tool noun.
+// (?:[\w,]+\s+){0,6} allows up to 6 intervening words/commas for punctuation-separated negations.
+const TOOL_SUPPRESSION_PATTERNS = [
+    /\b(?:do\s+not|don't|never|must\s+not|should\s+not|shouldn't|cannot|can't)\s*,?\s*(?:[\w,]+\s+){0,6}(?:run|use|execute|invoke|call|access)\s+(?:(?:\w+\s+){0,4})(?:tools?|shell\s*commands?|bash|terminal|cli|commands?)\b/i,
+    /\b(?:do\s+not|don't|never|must\s+not|should\s+not|shouldn't)\s*,?\s*(?:[\w,]+\s+){0,6}(?:read|open|access|consult)\s+(?:(?:\w+\s+){0,4})(?:files?|the\s+file\s*system|disk|repositor(?:y|ies)\s*files?)\b/i,
+    /\bwithout\s+(?:using|running|executing|accessing)\s+(?:(?:\w+\s+){0,4})(?:tools?|shell\s*commands?|external)\b/i,
+    /\b(?:respond|answer|analyze|reply)\s+(?:only|solely|exclusively)\s+(?:based\s+on|from|using)\s+(?:the\s+)?(?:code|context|information|text)\s+(?:provided|given|above|below)\b/i,
+    /\bno\s+(?:tool|shell|file|command|filesystem)\s+(?:access|usage|calls?|execution)\b/i,
+    // Specific tool-name suppression: "Do not use Read or Grep", "never call Bash"
+    // Case-sensitive for tool identifiers to avoid false positives like "read replicas"
+    /\b(?:[Dd]o\s+not|[Dd]on't|[Nn]ever|[Mm]ust\s+not|[Ss]hould\s+not|[Ss]houldn't|[Cc]annot|[Cc]an't)\s+(?:run|use|execute|invoke|call|access)\s+(?:Read|Grep|Glob|Bash|Write|Edit)\b/,
+    // "avoid/refrain from using tools" or "avoid opening files"
+    /\b(?:avoid|refrain\s+from)\s+(?:using|running|executing|accessing|calling|opening)\s+(?:(?:\w+\s+){0,4})(?:tools?|shell\s*commands?|bash|terminal|cli|commands?|external|files?|additional\s+files?)\b/i,
+    // Standalone "no tools" — bare denial of tool access
+    /\bno\s+tools\b/i,
+    // "base your answer on this diff/snippet/code only"
+    /\b(?:base|ground)\s+(?:your\s+)?(?:answer|response|analysis|review|conclusions?)\s+(?:on|upon)\s+(?:this|the)\s+(?:diff|snippet|code|patch|context|excerpt)\s+(?:only|alone|exclusively)\b/i,
+    // "use reasoning/analysis only" (from context, not tools)
+    /\buse\s+(?:only\s+)?(?:reasoning|analysis|your\s+judgment)\s+(?:only\s+)?(?:from|based\s+on)\s+(?:the\s+)?(?:snippet|diff|code|context|patch)\b/i,
+    // "work offline" / "do not call external resources"
+    /\bwork\s+offline\b/i,
+    // "self-contained" / "snippet only" / "sole source of truth"
+    /\b(?:self[- ]contained|snippet[- ]only|sole\s+source\s+of\s+truth)\b/i,
+    // "keep analysis to/within this snippet/excerpt/diff"
+    /\b(?:keep|restrict|limit|confine)\s+(?:the\s+)?(?:analysis|review|response|yourself)\s+(?:to|within)\s+(?:this|the)\s+(?:snippet|excerpt|diff|patch|code|context|text)\b/i,
+    // "tool access is unavailable/disabled/restricted"
+    /\btool\s+access\s+(?:is\s+)?(?:unavailable|disabled|restricted|not\s+available)\b/i,
+    // "use only what is shown/provided/pasted"
+    /\buse\s+only\s+(?:what\s+is\s+)?(?:shown|provided|pasted|given|included)\b/i,
+    // "no need to execute/run/access"
+    /\bno\s+need\s+to\s+(?:execute|run|access|open|read)\b/i,
+];
+/**
+ * Detect tool-suppression language in a prompt.
+ * Returns the matched patterns for diagnostics.
+ */
+export function detectToolSuppression(prompt) {
+    const normalized = normalizeForMatching(prompt);
+    const matches = [];
+    for (const pattern of TOOL_SUPPRESSION_PATTERNS) {
+        const match = normalized.match(pattern);
+        if (match) {
+            matches.push(match[0]);
+        }
+    }
+    return matches;
+}
+// Note: <code[^>]*> already matches code inside <pre><code> blocks,
+// so a separate <pre><code> pattern is not needed (would double-count).
+// Case-insensitive for <CODE>/<PRE> tags. Fence regex uses backreference for matched opener/closer.
+const INLINED_CODE_PATTERNS = [
+    /<code[^>]*>([\s\S]*?)<\/code>/gi,
+    // Standalone <pre> blocks that don't contain <code> (avoids double-counting <pre><code>)
+    /<pre[^>]*>(?!\s*<code)([\s\S]*?)<\/pre>/gi,
+    // Multi-line backtick fences: opener and closer must use same number of backticks
+    /(`{3,})[^\n]*\r?\n([\s\S]*?)\1/g,
+    // Multi-line tilde fences
+    /(~{3,})[^\n]*\r?\n([\s\S]*?)\1/g,
+    // Single-line backtick fences: ```<content>``` on one line
+    /`{3,}[^\n`]*`{3,}/g,
+];
+// Group index for captured content differs per pattern:
+// HTML code: group 1; pre: group 1; backtick/tilde multi-line: group 2; single-line: group 0 (full match)
+const INLINED_CODE_CONTENT_GROUPS = [1, 1, 2, 2, 0];
+const INLINED_CODE_MIN_LENGTH = 200;
+const INLINED_CODE_TOTAL_THRESHOLD = 1000;
+// Heuristic for detecting raw code pasted without fences or tags.
+// Multi-language token pattern: JS/TS + Rust + Python + Go + Java + C/C++.
+// Word-boundary tokens use \b; symbol tokens match without \b.
+const RAW_CODE_TOKEN_PATTERN = /(?:\b(?:import|export|from|require|function|const|let|var|class|interface|type|return|if|else|for|while|switch|case|try|catch|throw|async|await|new|this|fn|impl|pub|struct|match|mod|use|crate|mut|enum|trait|unsafe|def|elif|lambda|yield|pass|with|raise|except|func|package|defer|goroutine|chan|select|void|static|final|abstract|extends|implements|override|sizeof|template|namespace|include|typedef|printf|println)\b|=>|===|!==|[{};])/g;
+const RAW_CODE_MIN_TOKENS = 15;
+const RAW_CODE_DENSITY_THRESHOLD = 1.5; // tokens per 100 chars
+/**
+ * Detect inlined code blocks that look like full file dumps.
+ * Two detection strategies:
+ * 1. Any single code block with 200+ chars is flagged.
+ * 2. Fallback: if total chars across ALL code blocks (even small ones)
+ *    exceeds 1000, flag to catch split-block bypass attempts.
+ */
+export function detectInlinedCode(prompt) {
+    let count = 0;
+    let totalChars = 0;
+    let allBlocksTotal = 0;
+    let allBlocksCount = 0;
+    for (let i = 0; i < INLINED_CODE_PATTERNS.length; i++) {
+        const pattern = INLINED_CODE_PATTERNS[i];
+        const contentGroup = INLINED_CODE_CONTENT_GROUPS[i];
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(prompt)) !== null) {
+            const rawContent = contentGroup === 0 ? match[0] : match[contentGroup];
+            const content = (rawContent || "").trim();
+            allBlocksCount++;
+            allBlocksTotal += content.length;
+            if (content.length >= INLINED_CODE_MIN_LENGTH) {
+                count++;
+                totalChars += content.length;
+            }
+        }
+    }
+    // Fallback: catch split-block bypass (many small blocks totaling large payload)
+    if (count === 0 && allBlocksTotal >= INLINED_CODE_TOTAL_THRESHOLD) {
+        count = allBlocksCount;
+        totalChars = allBlocksTotal;
+    }
+    // Fallback: detect plain-text code dumps (no fences or tags) via code-token density.
+    // Only triggers when no fenced/tagged blocks were found and the prompt is large enough.
+    if (count === 0 && prompt.length >= INLINED_CODE_TOTAL_THRESHOLD) {
+        const codeTokens = prompt.match(RAW_CODE_TOKEN_PATTERN);
+        const tokenCount = codeTokens ? codeTokens.length : 0;
+        // Require minimum absolute token count AND density ratio (tokens per 100 chars)
+        const density = (tokenCount / prompt.length) * 100;
+        if (tokenCount >= RAW_CODE_MIN_TOKENS && density >= RAW_CODE_DENSITY_THRESHOLD) {
+            count = 1;
+            totalChars = prompt.length;
+        }
+    }
+    return { count, totalChars };
+}
+/**
+ * Combined review integrity check. Only emits violations when BOTH
+ * review context is detected AND a restriction is present.
+ */
+// Tools that reviewers need to independently verify code claims.
+const CRITICAL_REVIEW_TOOLS = ["Read", "Grep", "Glob", "Bash"];
+// Extract base tool name from scoped/pattern forms like "Read(*)", "Bash(git:*)", "Grep"
+function canonicalizeToolName(spec) {
+    const trimmed = spec.trim();
+    const parenIdx = trimmed.indexOf("(");
+    const colonIdx = trimmed.indexOf(":");
+    const cutIdx = parenIdx >= 0 && colonIdx >= 0
+        ? Math.min(parenIdx, colonIdx)
+        : parenIdx >= 0 ? parenIdx : colonIdx >= 0 ? colonIdx : -1;
+    return cutIdx >= 0 ? trimmed.slice(0, cutIdx).trim() : trimmed;
+}
+export function checkReviewIntegrity(params) {
+    const reviewContext = isReviewContext(params.prompt);
+    const result = {
+        isReviewContext: reviewContext,
+        violations: [],
+        totalScore: 0,
+    };
+    // Gate: no violations emitted for non-review prompts
+    if (!reviewContext) {
+        return result;
+    }
+    // Check tool suppression language
+    const suppressionMatches = detectToolSuppression(params.prompt);
+    if (suppressionMatches.length > 0) {
+        const violation = {
+            type: "tool_suppression",
+            score: 4,
+            detail: `Prompt contains tool-suppression language in review context: ${suppressionMatches.join("; ")}`,
+        };
+        result.violations.push(violation);
+        result.totalScore += violation.score;
+    }
+    // Check inlined code
+    const inlined = detectInlinedCode(params.prompt);
+    if (inlined.count > 0) {
+        const violation = {
+            type: "inlined_code",
+            score: 2,
+            detail: `Prompt inlines ${inlined.count} code block(s) (${inlined.totalChars} chars) instead of file paths — reviewers should read files directly`,
+        };
+        result.violations.push(violation);
+        result.totalScore += violation.score;
+    }
+    // Check empty allowedTools
+    if (params.allowedTools && params.allowedTools.length === 0) {
+        const violation = {
+            type: "empty_allowed_tools",
+            score: 4,
+            detail: "allowedTools is empty in review context — reviewers need tool access to read files and verify claims",
+        };
+        result.violations.push(violation);
+        result.totalScore += violation.score;
+    }
+    // Check disallowedTools blocking critical review tools (canonicalize to handle scoped forms like "Read(*)")
+    if (params.disallowedTools && params.disallowedTools.length > 0) {
+        const canonicalized = params.disallowedTools.map(canonicalizeToolName);
+        const blocked = CRITICAL_REVIEW_TOOLS.filter(t => canonicalized.includes(t));
+        if (blocked.length > 0) {
+            const violation = {
+                type: "critical_tools_disallowed",
+                score: 4,
+                detail: `Critical review tools disallowed: ${blocked.join(", ")} — reviewers need these to verify claims`,
+            };
+            result.violations.push(violation);
+            result.totalScore += violation.score;
+        }
+    }
+    return result;
+}

package/dist/session-manager-pg.d.ts

@@ -0,0 +1,76 @@
+import { Pool } from "pg";
+import type { Redis } from "ioredis";
+import { Session, CliType } from "./session-manager.js";
+import { CacheTtl } from "./config.js";
+import type { Logger } from "./logger.js";
+export type { Logger } from "./logger.js";
+/**
+ * PostgreSQL-backed session manager with Redis caching
+ */
+export declare class PostgreSQLSessionManager {
+    private pool;
+    private redis;
+    private cacheTtl;
+    private logger;
+    constructor(pool: Pool, redis: Redis, cacheTtl: CacheTtl, logger: Logger);
+    /**
+     * Acquire distributed lock using Redis SET NX EX
+     * Returns [success, lockValue] tuple
+     */
+    private acquireLock;
+    private sleep;
+    /**
+     * Acquire a distributed lock with bounded retries to smooth contention spikes.
+     */
+    private acquireLockWithRetry;
+    /**
+     * Release distributed lock using Lua script for atomic compare-and-delete
+     * Only releases if lockValue matches (prevents releasing another process's lock)
+     */
+    private releaseLock;
+    /**
+     * Invalidate session cache
+     */
+    private invalidateCache;
+    /**
+     * Invalidate session list cache using SCAN (non-blocking)
+     */
+    private invalidateListCache;
+    /**
+     * Create a new session
+     */
+    createSession(cli: CliType, description?: string, sessionId?: string): Promise<Session>;
+    /**
+     * Get session by ID (cache-aside pattern)
+     */
+    getSession(sessionId: string): Promise<Session | null>;
+    /**
+     * List all sessions, optionally filtered by CLI
+     */
+    listSessions(cli?: CliType): Promise<Session[]>;
+    /**
+     * Delete a session
+     */
+    deleteSession(sessionId: string): Promise<boolean>;
+    /**
+     * Set active session for a CLI (with distributed locking)
+     */
+    setActiveSession(cli: CliType, sessionId: string | null): Promise<boolean>;
+    /**
+     * Get active session for a CLI
+     */
+    getActiveSession(cli: CliType): Promise<Session | null>;
+    /**
+     * Update session usage timestamp
+     */
+    updateSessionUsage(sessionId: string): Promise<void>;
+    /**
+     * Update session metadata (atomic JSONB merge)
+     */
+    updateSessionMetadata(sessionId: string, metadata: Record<string, any>): Promise<boolean>;
+    /**
+     * Clear all sessions, optionally filtered by CLI
+     * Invalidates all related caches (session, active, list)
+     */
+    clearAllSessions(cli?: CliType): Promise<number>;
+}