llm-trust-guard 4.0.0

package/dist/guards/prompt-leakage-guard.d.ts

@@ -0,0 +1,110 @@
+/**
+ * PromptLeakageGuard (L15)
+ *
+ * Prevents system prompt extraction and leakage attacks.
+ * Detects various evasion techniques used to extract system prompts.
+ *
+ * Threat Model:
+ * - OWASP LLM07:2025 System Prompt Leakage
+ * - PLeak algorithmic extraction attacks
+ * - Remember-the-Start attacks
+ * - Evasion techniques (Leetspeak, ROT13, Base64, Morse)
+ *
+ * Protection Capabilities:
+ * - Direct extraction attempt detection
+ * - Encoded extraction detection (Leetspeak, ROT13, Morse, etc.)
+ * - Indirect extraction pattern detection
+ * - Output monitoring for prompt leakage
+ * - Prefix completion attack detection
+ */
+export interface PromptLeakageGuardConfig {
+    /** Enable Leetspeak evasion detection */
+    detectLeetspeak?: boolean;
+    /** Enable ROT13 evasion detection */
+    detectROT13?: boolean;
+    /** Enable Base64 evasion detection */
+    detectBase64?: boolean;
+    /** Enable Morse code evasion detection */
+    detectMorse?: boolean;
+    /** Enable Unicode evasion detection */
+    detectUnicode?: boolean;
+    /** Enable indirect extraction detection */
+    detectIndirectExtraction?: boolean;
+    /** Enable output monitoring for leakage */
+    monitorOutput?: boolean;
+    /** System prompt hash for leakage detection (optional) */
+    systemPromptHash?: string;
+    /** System prompt keywords to detect in output */
+    systemPromptKeywords?: string[];
+    /** Similarity threshold for output monitoring (0-1) */
+    similarityThreshold?: number;
+    /** Risk score threshold (0-100) */
+    riskThreshold?: number;
+    /** Custom extraction patterns */
+    customPatterns?: RegExp[];
+}
+export interface PromptLeakageResult {
+    allowed: boolean;
+    reason: string;
+    violations: string[];
+    request_id: string;
+    analysis: {
+        direct_extraction_attempt: boolean;
+        encoded_extraction_attempt: boolean;
+        indirect_extraction_attempt: boolean;
+        evasion_techniques_detected: string[];
+        risk_score: number;
+        decoded_content?: string;
+    };
+    recommendations: string[];
+}
+export interface OutputLeakageResult {
+    leaked: boolean;
+    reason: string;
+    violations: string[];
+    request_id: string;
+    analysis: {
+        keywords_found: string[];
+        similarity_score: number;
+        potential_leakage_fragments: string[];
+    };
+    sanitized_output?: string;
+}
+export declare class PromptLeakageGuard {
+    private config;
+    private readonly DIRECT_EXTRACTION_PATTERNS;
+    private readonly INDIRECT_EXTRACTION_PATTERNS;
+    private readonly LEETSPEAK_MAP;
+    private readonly ROT13_MAP;
+    private readonly MORSE_KEYWORDS;
+    constructor(config?: PromptLeakageGuardConfig);
+    /**
+     * Check input for prompt extraction attempts
+     */
+    check(input: string, requestId?: string): PromptLeakageResult;
+    /**
+     * Monitor output for potential prompt leakage
+     */
+    checkOutput(output: string, requestId?: string): OutputLeakageResult;
+    /**
+     * Set system prompt keywords for output monitoring
+     */
+    setSystemPromptKeywords(keywords: string[]): void;
+    /**
+     * Add custom extraction pattern
+     */
+    addPattern(pattern: RegExp): void;
+    /**
+     * Update risk threshold
+     */
+    setRiskThreshold(threshold: number): void;
+    private decodeLeetspeak;
+    private decodeROT13;
+    private checkDecodedContent;
+    private checkUnicodeEvasion;
+    private checkMorseCode;
+    private checkKeywordsInDecoded;
+    private sanitizeOutput;
+    private generateRecommendations;
+}
+//# sourceMappingURL=prompt-leakage-guard.d.ts.map

package/dist/guards/prompt-leakage-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-leakage-guard.d.ts","sourceRoot":"","sources":["../../src/guards/prompt-leakage-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,wBAAwB;IACvC,yCAAyC;IACzC,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,sCAAsC;IACtC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uCAAuC;IACvC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,2CAA2C;IAC3C,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,2CAA2C;IAC3C,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,0DAA0D;IAC1D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,uDAAuD;IACvD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mCAAmC;IACnC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,0BAA0B,EAAE,OAAO,CAAC;QACpC,2BAA2B,EAAE,OAAO,CAAC;QACrC,2BAA2B,EAAE,MAAM,EAAE,CAAC;QACtC,UAAU,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE;QACR,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,gBAAgB,EAAE,MAAM,CAAC;QACzB,2BAA2B,EAAE,MAAM,EAAE,CAAC;KACvC,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAqC;IAGnD,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAuCzC;IAGF,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAkB3C;IAGF,OAAO,CAAC,QAAQ,CAAC,aAAa,CAK5B;IAGF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA8B;IAGxD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAI7B;gBAEU,MAAM,GAAE,wBAA6B;IAyBjD;;OAEG;IACH,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,mBAAmB;IAsK7D;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,mBAAmB;IAuEpE;;OAEG;IACH,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI;IAIjD;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIjC;;OAEG;IACH,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAMzC,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,WAAW;IAOnB,OAAO,CAAC,mBAAmB;IAqB3B,OAAO,CAAC,mBAAmB;IA2C3B,OAAO,CAAC,cAAc;IA4BtB,OAAO,CAAC,sBAAsB;IAmC9B,OAAO,CAAC,cAAc;IAmBtB,OAAO,CAAC,uBAAuB;CA2BhC"}

package/dist/guards/prompt-leakage-guard.js

@@ -0,0 +1,529 @@
+"use strict";
+/**
+ * PromptLeakageGuard (L15)
+ *
+ * Prevents system prompt extraction and leakage attacks.
+ * Detects various evasion techniques used to extract system prompts.
+ *
+ * Threat Model:
+ * - OWASP LLM07:2025 System Prompt Leakage
+ * - PLeak algorithmic extraction attacks
+ * - Remember-the-Start attacks
+ * - Evasion techniques (Leetspeak, ROT13, Base64, Morse)
+ *
+ * Protection Capabilities:
+ * - Direct extraction attempt detection
+ * - Encoded extraction detection (Leetspeak, ROT13, Morse, etc.)
+ * - Indirect extraction pattern detection
+ * - Output monitoring for prompt leakage
+ * - Prefix completion attack detection
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PromptLeakageGuard = void 0;
+class PromptLeakageGuard {
+    constructor(config = {}) {
+        // Direct extraction patterns
+        this.DIRECT_EXTRACTION_PATTERNS = [
+            // Direct system prompt requests
+            { name: "system_prompt_request", pattern: /what\s+(is|are)\s+your\s+(system|initial)\s+(prompt|instructions?)/i, weight: 40 },
+            { name: "reveal_prompt", pattern: /reveal\s+(your\s+)?(system\s+)?prompt/i, weight: 45 },
+            { name: "show_instructions", pattern: /show\s+(me\s+)?(your\s+)?instructions/i, weight: 40 },
+            { name: "display_rules", pattern: /display\s+(your\s+)?(system\s+)?rules/i, weight: 40 },
+            { name: "print_prompt", pattern: /print\s+(your\s+)?(system\s+)?(prompt|instructions|config)/i, weight: 45 },
+            { name: "print_configuration", pattern: /print\s+(your\s+)?(initial\s+)?configuration/i, weight: 45 },
+            // PLeak-style attacks
+            { name: "repeat_above", pattern: /repeat\s+(the\s+)?(text|content|message)\s+(above|before)/i, weight: 50 },
+            { name: "output_previous", pattern: /output\s+(all\s+)?(previous|prior)\s+(text|content|instructions)/i, weight: 50 },
+            { name: "echo_everything", pattern: /echo\s+(everything|all)(\s+(above|before|prior|that|said))?/i, weight: 50 },
+            { name: "echo_said", pattern: /echo\s+.*(said|was|before|that)/i, weight: 45 },
+            // Remember-the-Start attacks - ENHANCED
+            { name: "complete_sentence", pattern: /complete\s+(this\s+|the\s+)?sentence/i, weight: 50 },
+            { name: "complete_you_are", pattern: /complete[:\s]+"?'?you\s+are/i, weight: 55 },
+            { name: "continue_from", pattern: /continue\s+(from|with)[:\s]/i, weight: 50 },
+            { name: "continue_role", pattern: /continue[:\s]+"?'?(you|your)\s+(are|role|purpose)/i, weight: 55 },
+            { name: "finish_phrase", pattern: /finish\s+(this\s+)?phrase/i, weight: 50 },
+            { name: "finish_you", pattern: /finish[:\s]+"?'?you\s+(are|should|must|will)/i, weight: 55 },
+            // Instruction extraction
+            { name: "list_constraints", pattern: /list\s+(all\s+)?(your\s+)?constraints/i, weight: 35 },
+            { name: "what_told", pattern: /what\s+(were\s+you|are\s+you)\s+told\s+to\s+do/i, weight: 40 },
+            { name: "original_purpose", pattern: /what\s+(is|was)\s+your\s+original\s+purpose/i, weight: 35 },
+            // Debug/Developer mode extraction - ENHANCED
+            { name: "debug_mode", pattern: /enter\s+(debug|developer|admin)\s+mode/i, weight: 45 },
+            { name: "activate_developer", pattern: /activate\s+(developer|debug|admin)\s+mode/i, weight: 45 },
+            { name: "developer_mode", pattern: /developer\s+mode/i, weight: 40 },
+            { name: "show_config", pattern: /show\s+(your\s+)?(config|configuration|settings)/i, weight: 40 },
+            { name: "dump_state", pattern: /dump\s+(your\s+)?(internal\s+)?state/i, weight: 45 },
+            // Context window manipulation
+            { name: "first_message", pattern: /what\s+was\s+(the\s+)?first\s+message/i, weight: 45 },
+            { name: "beginning_context", pattern: /what('s|\s+is)\s+at\s+the\s+beginning\s+of\s+(your\s+)?context/i, weight: 50 },
+            { name: "context_start", pattern: /show\s+(me\s+)?the\s+start\s+of\s+(your\s+)?context/i, weight: 50 },
+        ];
+        // Indirect extraction patterns
+        this.INDIRECT_EXTRACTION_PATTERNS = [
+            // Summarization tricks
+            { name: "summarize_guidelines", pattern: /summarize\s+(your\s+)?(guidelines|rules|constraints)/i, weight: 35 },
+            { name: "describe_limitations", pattern: /describe\s+(your\s+)?limitations/i, weight: 30 },
+            // Role clarification exploits - ENHANCED
+            { name: "explain_role", pattern: /explain\s+(in\s+detail\s+)?(your\s+)?role/i, weight: 35 },
+            { name: "explain_role_purpose", pattern: /explain\s+.*(role|purpose)/i, weight: 35 },
+            { name: "what_cant_do", pattern: /what\s+(can't|cannot)\s+you\s+do/i, weight: 25 },
+            { name: "describe_yourself", pattern: /describe\s+(yourself|your\s+purpose)/i, weight: 30 },
+            // Hypothetical extraction
+            { name: "if_asked", pattern: /if\s+i\s+asked\s+for\s+your\s+prompt/i, weight: 40 },
+            { name: "hypothetically", pattern: /hypothetically[,\s]+(what|how)\s+would\s+your\s+instructions/i, weight: 40 },
+            // Output-as-input tricks
+            { name: "write_prompt", pattern: /write\s+a\s+(system\s+)?prompt\s+similar\s+to\s+yours/i, weight: 45 },
+            { name: "recreate_instructions", pattern: /recreate\s+(your\s+)?instructions/i, weight: 45 },
+        ];
+        // Leetspeak character mappings
+        this.LEETSPEAK_MAP = {
+            "4": "a", "@": "a", "8": "b", "(": "c", "3": "e",
+            "6": "g", "#": "h", "1": "i", "!": "i", "|": "l",
+            "7": "t", "0": "o", "5": "s", "$": "s",
+            "+": "t", "2": "z", "9": "g",
+        };
+        // ROT13 decode
+        this.ROT13_MAP = {};
+        // Common Morse code words related to prompts
+        this.MORSE_KEYWORDS = [
+            "... -.-- ... - . --", // SYSTEM
+            ".--. .-. --- -- .--. -", // PROMPT
+            ".. -. ... - .-. ..- -.-. - .. --- -. ...", // INSTRUCTIONS
+        ];
+        this.config = {
+            detectLeetspeak: config.detectLeetspeak ?? true,
+            detectROT13: config.detectROT13 ?? true,
+            detectBase64: config.detectBase64 ?? true,
+            detectMorse: config.detectMorse ?? true,
+            detectUnicode: config.detectUnicode ?? true,
+            detectIndirectExtraction: config.detectIndirectExtraction ?? true,
+            monitorOutput: config.monitorOutput ?? true,
+            systemPromptHash: config.systemPromptHash ?? "",
+            systemPromptKeywords: config.systemPromptKeywords ?? [],
+            similarityThreshold: config.similarityThreshold ?? 0.7,
+            riskThreshold: config.riskThreshold ?? 40,
+            customPatterns: config.customPatterns ?? [],
+        };
+        // Initialize ROT13 map
+        for (let i = 0; i < 26; i++) {
+            const lower = String.fromCharCode(97 + i);
+            const upper = String.fromCharCode(65 + i);
+            this.ROT13_MAP[lower] = String.fromCharCode(97 + ((i + 13) % 26));
+            this.ROT13_MAP[upper] = String.fromCharCode(65 + ((i + 13) % 26));
+        }
+    }
+    /**
+     * Check input for prompt extraction attempts
+     */
+    check(input, requestId) {
+        const reqId = requestId || `pl-${Date.now()}`;
+        const violations = [];
+        const evasionTechniques = [];
+        let riskScore = 0;
+        let directAttempt = false;
+        let encodedAttempt = false;
+        let indirectAttempt = false;
+        let decodedContent;
+        // Check direct extraction patterns
+        for (const { name, pattern, weight } of this.DIRECT_EXTRACTION_PATTERNS) {
+            if (pattern.test(input)) {
+                violations.push(`direct_extraction: ${name}`);
+                riskScore += weight;
+                directAttempt = true;
+            }
+        }
+        // Check indirect extraction patterns
+        if (this.config.detectIndirectExtraction) {
+            for (const { name, pattern, weight } of this.INDIRECT_EXTRACTION_PATTERNS) {
+                if (pattern.test(input)) {
+                    violations.push(`indirect_extraction: ${name}`);
+                    riskScore += weight;
+                    indirectAttempt = true;
+                }
+            }
+        }
+        // Check for Leetspeak evasion
+        if (this.config.detectLeetspeak) {
+            const decoded = this.decodeLeetspeak(input);
+            if (decoded !== input.toLowerCase()) {
+                // Check decoded against both direct and indirect patterns
+                const leetspeakCheck = this.checkDecodedContent(decoded, "leetspeak");
+                if (leetspeakCheck.detected) {
+                    violations.push(...leetspeakCheck.violations);
+                    riskScore += leetspeakCheck.riskContribution;
+                    evasionTechniques.push("leetspeak");
+                    encodedAttempt = true;
+                    decodedContent = decoded;
+                }
+                else {
+                    // Also check for keywords in decoded content
+                    const keywordCheck = this.checkKeywordsInDecoded(decoded);
+                    if (keywordCheck.detected) {
+                        violations.push(`leetspeak_keyword: ${keywordCheck.keywords.join(", ")}`);
+                        riskScore += 35;
+                        evasionTechniques.push("leetspeak");
+                        encodedAttempt = true;
+                        decodedContent = decoded;
+                    }
+                }
+            }
+        }
+        // Check for ROT13 evasion
+        if (this.config.detectROT13) {
+            const decoded = this.decodeROT13(input);
+            const rot13Check = this.checkDecodedContent(decoded, "rot13");
+            if (rot13Check.detected) {
+                violations.push(...rot13Check.violations);
+                riskScore += rot13Check.riskContribution;
+                evasionTechniques.push("rot13");
+                encodedAttempt = true;
+                decodedContent = decoded;
+            }
+            else {
+                // Check for keywords in ROT13 decoded content
+                const keywordCheck = this.checkKeywordsInDecoded(decoded);
+                if (keywordCheck.detected) {
+                    violations.push(`rot13_keyword: ${keywordCheck.keywords.join(", ")}`);
+                    riskScore += 40;
+                    evasionTechniques.push("rot13");
+                    encodedAttempt = true;
+                    decodedContent = decoded;
+                }
+            }
+        }
+        // Check for Base64 encoded content
+        if (this.config.detectBase64) {
+            const base64Matches = input.match(/[A-Za-z0-9+/]{16,}={0,2}/g);
+            if (base64Matches) {
+                for (const match of base64Matches) {
+                    try {
+                        const decoded = Buffer.from(match, "base64").toString("utf-8");
+                        if (decoded && /[\x20-\x7E]{4,}/.test(decoded)) {
+                            const base64Check = this.checkDecodedContent(decoded, "base64");
+                            if (base64Check.detected) {
+                                violations.push(...base64Check.violations);
+                                riskScore += base64Check.riskContribution;
+                                evasionTechniques.push("base64");
+                                encodedAttempt = true;
+                                decodedContent = decoded;
+                            }
+                            else {
+                                // Check for keywords in Base64 decoded content
+                                const keywordCheck = this.checkKeywordsInDecoded(decoded);
+                                if (keywordCheck.detected) {
+                                    violations.push(`base64_keyword: ${keywordCheck.keywords.join(", ")}`);
+                                    riskScore += 45;
+                                    evasionTechniques.push("base64");
+                                    encodedAttempt = true;
+                                    decodedContent = decoded;
+                                }
+                            }
+                        }
+                    }
+                    catch {
+                        // Not valid Base64
+                    }
+                }
+            }
+        }
+        // Check for Unicode evasion (homoglyphs, invisible chars)
+        if (this.config.detectUnicode) {
+            const unicodeCheck = this.checkUnicodeEvasion(input);
+            if (unicodeCheck.detected) {
+                violations.push(...unicodeCheck.violations);
+                riskScore += unicodeCheck.riskContribution;
+                evasionTechniques.push("unicode");
+                encodedAttempt = true;
+            }
+        }
+        // Check for Morse code
+        if (this.config.detectMorse) {
+            const morseCheck = this.checkMorseCode(input);
+            if (morseCheck.detected) {
+                violations.push(...morseCheck.violations);
+                riskScore += morseCheck.riskContribution;
+                evasionTechniques.push("morse");
+                encodedAttempt = true;
+            }
+        }
+        // Check custom patterns
+        for (let i = 0; i < this.config.customPatterns.length; i++) {
+            if (this.config.customPatterns[i].test(input)) {
+                violations.push(`custom_pattern_${i}`);
+                riskScore += 30;
+            }
+        }
+        // Normalize risk score
+        riskScore = Math.min(100, riskScore);
+        const blocked = riskScore >= this.config.riskThreshold;
+        return {
+            allowed: !blocked,
+            reason: blocked
+                ? `Prompt extraction attempt detected (risk: ${riskScore})`
+                : "Input validated",
+            violations,
+            request_id: reqId,
+            analysis: {
+                direct_extraction_attempt: directAttempt,
+                encoded_extraction_attempt: encodedAttempt,
+                indirect_extraction_attempt: indirectAttempt,
+                evasion_techniques_detected: evasionTechniques,
+                risk_score: riskScore,
+                decoded_content: decodedContent,
+            },
+            recommendations: this.generateRecommendations(violations, evasionTechniques),
+        };
+    }
+    /**
+     * Monitor output for potential prompt leakage
+     */
+    checkOutput(output, requestId) {
+        const reqId = requestId || `pl-out-${Date.now()}`;
+        const violations = [];
+        const keywordsFound = [];
+        const potentialFragments = [];
+        let leaked = false;
+        if (!this.config.monitorOutput) {
+            return {
+                leaked: false,
+                reason: "Output monitoring disabled",
+                violations: [],
+                request_id: reqId,
+                analysis: {
+                    keywords_found: [],
+                    similarity_score: 0,
+                    potential_leakage_fragments: [],
+                },
+            };
+        }
+        // Check for system prompt keywords in output
+        for (const keyword of this.config.systemPromptKeywords) {
+            if (output.toLowerCase().includes(keyword.toLowerCase())) {
+                keywordsFound.push(keyword);
+                violations.push(`keyword_leaked: ${keyword}`);
+            }
+        }
+        // Check for common prompt fragment patterns
+        const promptFragmentPatterns = [
+            /you\s+are\s+a[n]?\s+(helpful\s+)?assistant/i,
+            /your\s+(role|purpose|goal)\s+is\s+to/i,
+            /you\s+(must|should|will)\s+(always|never)/i,
+            /do\s+not\s+(reveal|disclose|share)\s+(your|the)\s+(system|initial)/i,
+            /\[system\]|\[instruction\]|<<sys>>|<\|system\|>/i,
+            /as\s+an?\s+AI\s+(assistant|model|language\s+model)/i,
+        ];
+        for (const pattern of promptFragmentPatterns) {
+            const match = output.match(pattern);
+            if (match) {
+                potentialFragments.push(match[0]);
+                violations.push("prompt_fragment_detected");
+            }
+        }
+        // Calculate similarity if hash provided
+        let similarityScore = 0;
+        // In production, you'd compare against actual system prompt hash
+        // For now, we check fragment density
+        similarityScore = potentialFragments.length / 10; // Rough heuristic
+        leaked = keywordsFound.length > 0 || potentialFragments.length >= 2;
+        return {
+            leaked,
+            reason: leaked
+                ? `Potential prompt leakage detected: ${violations.slice(0, 3).join(", ")}`
+                : "Output appears safe",
+            violations,
+            request_id: reqId,
+            analysis: {
+                keywords_found: keywordsFound,
+                similarity_score: Math.min(1, similarityScore),
+                potential_leakage_fragments: potentialFragments,
+            },
+            sanitized_output: leaked ? this.sanitizeOutput(output) : undefined,
+        };
+    }
+    /**
+     * Set system prompt keywords for output monitoring
+     */
+    setSystemPromptKeywords(keywords) {
+        this.config.systemPromptKeywords = keywords;
+    }
+    /**
+     * Add custom extraction pattern
+     */
+    addPattern(pattern) {
+        this.config.customPatterns.push(pattern);
+    }
+    /**
+     * Update risk threshold
+     */
+    setRiskThreshold(threshold) {
+        this.config.riskThreshold = Math.max(0, Math.min(100, threshold));
+    }
+    // Private methods
+    decodeLeetspeak(input) {
+        let result = input.toLowerCase();
+        // Extended leetspeak mappings
+        const extendedMap = {
+            ...this.LEETSPEAK_MAP,
+            "0": "o",
+            "1": "i",
+            "3": "e",
+            "4": "a",
+            "5": "s",
+            "7": "t",
+            "8": "b",
+            "9": "g",
+            "@": "a",
+            "$": "s",
+            "!": "i",
+            "|": "l",
+            "(": "c",
+            "+": "t",
+            "#": "h",
+        };
+        for (const [leet, char] of Object.entries(extendedMap)) {
+            result = result.split(leet).join(char);
+        }
+        return result;
+    }
+    decodeROT13(input) {
+        return input
+            .split("")
+            .map((char) => this.ROT13_MAP[char] || char)
+            .join("");
+    }
+    checkDecodedContent(decoded, technique) {
+        const violations = [];
+        let riskContribution = 0;
+        for (const { name, pattern, weight } of this.DIRECT_EXTRACTION_PATTERNS) {
+            if (pattern.test(decoded)) {
+                violations.push(`${technique}_evasion: ${name}`);
+                riskContribution += weight + 10; // Extra penalty for evasion
+            }
+        }
+        return {
+            detected: violations.length > 0,
+            violations,
+            riskContribution,
+        };
+    }
+    checkUnicodeEvasion(input) {
+        const violations = [];
+        let riskContribution = 0;
+        // Check for invisible characters
+        const invisibleChars = input.match(/[\u200B-\u200D\uFEFF\u2060-\u206F\u00AD]/g);
+        if (invisibleChars && invisibleChars.length > 3) {
+            violations.push("invisible_unicode_chars");
+            riskContribution += 20;
+        }
+        // Check for homoglyphs (Cyrillic, Greek letters that look like Latin)
+        const homoglyphs = input.match(/[\u0400-\u04FF\u0370-\u03FF]/g);
+        if (homoglyphs && homoglyphs.length > 0) {
+            // Normalize and check
+            const normalized = input.normalize("NFKD").replace(/[\u0300-\u036f]/g, "");
+            for (const { pattern } of this.DIRECT_EXTRACTION_PATTERNS) {
+                if (pattern.test(normalized)) {
+                    violations.push("homoglyph_evasion");
+                    riskContribution += 30;
+                    break;
+                }
+            }
+        }
+        // Check for fullwidth characters
+        const fullwidth = input.match(/[\uFF01-\uFF5E]/g);
+        if (fullwidth && fullwidth.length > 5) {
+            violations.push("fullwidth_chars");
+            riskContribution += 15;
+        }
+        return {
+            detected: violations.length > 0,
+            violations,
+            riskContribution,
+        };
+    }
+    checkMorseCode(input) {
+        const violations = [];
+        let riskContribution = 0;
+        // Check if input contains Morse-like patterns
+        const morsePattern = /[.\-]{2,}\s+[.\-]{2,}/;
+        if (morsePattern.test(input)) {
+            // Check for known prompt-related Morse
+            for (const keyword of this.MORSE_KEYWORDS) {
+                if (input.includes(keyword)) {
+                    violations.push("morse_code_evasion");
+                    riskContribution += 35;
+                    break;
+                }
+            }
+        }
+        return {
+            detected: violations.length > 0,
+            violations,
+            riskContribution,
+        };
+    }
+    checkKeywordsInDecoded(decoded) {
+        // Action keywords (verbs that indicate extraction intent)
+        const actionKeywords = ["reveal", "show", "display", "print", "output", "dump", "list", "give", "tell"];
+        // Target keywords (what they're trying to extract)
+        const targetKeywords = ["prompt", "instructions", "configuration", "config", "rules", "guidelines", "constraints", "system", "initial", "secret", "hidden", "internal"];
+        const foundKeywords = [];
+        const lowerDecoded = decoded.toLowerCase();
+        // Check for action + target combination (strong indicator)
+        let hasAction = false;
+        let hasTarget = false;
+        for (const keyword of actionKeywords) {
+            if (lowerDecoded.includes(keyword)) {
+                foundKeywords.push(keyword);
+                hasAction = true;
+            }
+        }
+        for (const keyword of targetKeywords) {
+            if (lowerDecoded.includes(keyword)) {
+                foundKeywords.push(keyword);
+                hasTarget = true;
+            }
+        }
+        // Detected if we have both an action AND a target
+        // This catches "reveal your prompt", "show me instructions", etc.
+        return {
+            detected: hasAction && hasTarget,
+            keywords: foundKeywords,
+        };
+    }
+    sanitizeOutput(output) {
+        let sanitized = output;
+        // Remove common prompt fragments
+        const fragmentPatterns = [
+            /you\s+are\s+a[n]?\s+(helpful\s+)?assistant[^.]*\./gi,
+            /your\s+(role|purpose|goal)\s+is\s+to[^.]*\./gi,
+            /you\s+(must|should|will)\s+(always|never)[^.]*\./gi,
+            /\[system\][^[\]]*\[\/system\]/gi,
+            /<<sys>>[^<]*<<\/sys>>/gi,
+        ];
+        for (const pattern of fragmentPatterns) {
+            sanitized = sanitized.replace(pattern, "[REDACTED]");
+        }
+        return sanitized;
+    }
+    generateRecommendations(violations, evasionTechniques) {
+        const recommendations = [];
+        if (violations.some((v) => v.includes("direct_extraction"))) {
+            recommendations.push("Direct prompt extraction attempt blocked");
+        }
+        if (violations.some((v) => v.includes("indirect_extraction"))) {
+            recommendations.push("Consider strengthening indirect extraction detection");
+        }
+        if (evasionTechniques.length > 0) {
+            recommendations.push(`Evasion techniques detected: ${evasionTechniques.join(", ")}`);
+        }
+        if (violations.some((v) => v.includes("unicode"))) {
+            recommendations.push("Normalize input before processing");
+        }
+        if (recommendations.length === 0) {
+            recommendations.push("Input validated successfully");
+        }
+        return recommendations;
+    }
+}
+exports.PromptLeakageGuard = PromptLeakageGuard;
+//# sourceMappingURL=prompt-leakage-guard.js.map