llm-trust-guard 4.0.0

package/dist/guards/tool-registry.js

@@ -0,0 +1,155 @@
+"use strict";
+/**
+ * L2 Tool Registry Guard
+ *
+ * Maintains strict control over which tools can be executed.
+ * Prevents LLM hallucination attacks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ToolRegistry = void 0;
+// Common hallucination patterns
+const HALLUCINATION_PATTERNS = [
+    /^execute/i,
+    /^run/i,
+    /^shell/i,
+    /^admin/i,
+    /^override/i,
+    /^delete_all/i,
+    /^export_/i,
+    /^import_/i,
+    /^hack/i,
+    /^bypass/i,
+    /^sudo/i,
+    /^root/i,
+    /^system/i,
+];
+class ToolRegistry {
+    constructor(config) {
+        this.tools = new Map();
+        this.strictMatching = config.strictMatching ?? true;
+        for (const tool of config.tools) {
+            this.tools.set(tool.name, tool);
+        }
+    }
+    /**
+     * Check if a tool exists and is accessible for the given role
+     */
+    check(toolName, role, requestId = "") {
+        // Exact match only
+        const tool = this.tools.get(toolName);
+        if (!tool) {
+            const isHallucination = this.detectHallucination(toolName);
+            const similarTools = this.findSimilarTools(toolName);
+            if (requestId) {
+                console.log(`[L2:${requestId}] BLOCKED: Tool '${toolName}' not in registry`);
+                if (isHallucination) {
+                    console.log(`[L2:${requestId}] ALERT: Potential hallucination detected`);
+                }
+            }
+            return {
+                allowed: false,
+                reason: `Tool '${toolName}' is not registered`,
+                violations: ["UNREGISTERED_TOOL"],
+                hallucination_detected: isHallucination,
+                similar_tools: similarTools.length > 0 ? similarTools : undefined,
+            };
+        }
+        // Check role access if roles are defined
+        if (tool.roles && tool.roles.length > 0 && !tool.roles.includes(role)) {
+            if (requestId) {
+                console.log(`[L2:${requestId}] BLOCKED: Role '${role}' cannot use '${toolName}'`);
+            }
+            return {
+                allowed: false,
+                reason: `Role '${role}' is not authorized for tool '${toolName}'`,
+                violations: ["UNAUTHORIZED_ROLE"],
+                tool,
+                hallucination_detected: false,
+            };
+        }
+        if (requestId) {
+            console.log(`[L2:${requestId}] Tool '${toolName}' ALLOWED for role '${role}'`);
+        }
+        return {
+            allowed: true,
+            violations: [],
+            tool,
+            hallucination_detected: false,
+        };
+    }
+    /**
+     * Detect if tool name looks like a hallucination
+     */
+    detectHallucination(toolName) {
+        for (const pattern of HALLUCINATION_PATTERNS) {
+            if (pattern.test(toolName)) {
+                return true;
+            }
+        }
+        // Check for suspicious characters
+        if (toolName.includes("..") || toolName.includes("/") || toolName.includes("\\")) {
+            return true;
+        }
+        // Unusually long names
+        if (toolName.length > 50) {
+            return true;
+        }
+        // Special characters
+        if (/[^a-zA-Z0-9_-]/.test(toolName)) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Find similar registered tools for helpful error messages
+     */
+    findSimilarTools(toolName) {
+        const similar = [];
+        const toolNameLower = toolName.toLowerCase();
+        for (const registeredTool of this.tools.keys()) {
+            const registeredLower = registeredTool.toLowerCase();
+            // Check word overlap
+            const requestedWords = toolNameLower.split(/[_-]/);
+            const registeredWords = registeredLower.split(/[_-]/);
+            for (const word of requestedWords) {
+                if (word.length > 2 && registeredWords.some((rw) => rw.includes(word) || word.includes(rw))) {
+                    similar.push(registeredTool);
+                    break;
+                }
+            }
+        }
+        return [...new Set(similar)];
+    }
+    /**
+     * Get tools for a specific role
+     */
+    getToolsForRole(role) {
+        const tools = [];
+        for (const tool of this.tools.values()) {
+            if (!tool.roles || tool.roles.length === 0 || tool.roles.includes(role)) {
+                tools.push(tool);
+            }
+        }
+        return tools;
+    }
+    /**
+     * Get all registered tool names
+     */
+    getRegisteredToolNames() {
+        return [...this.tools.keys()];
+    }
+    /**
+     * Register a new tool at runtime
+     */
+    registerTool(tool) {
+        this.tools.set(tool.name, tool);
+    }
+    /**
+     * Unregister a tool
+     */
+    unregisterTool(toolName) {
+        return this.tools.delete(toolName);
+    }
+}
+exports.ToolRegistry = ToolRegistry;
+//# sourceMappingURL=tool-registry.js.map

package/dist/guards/tool-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-registry.js","sourceRoot":"","sources":["../../src/guards/tool-registry.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,gCAAgC;AAChC,MAAM,sBAAsB,GAAG;IAC7B,WAAW;IACX,OAAO;IACP,SAAS;IACT,SAAS;IACT,YAAY;IACZ,cAAc;IACd,WAAW;IACX,WAAW;IACX,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,UAAU;CACX,CAAC;AAOF,MAAa,YAAY;IAIvB,YAAY,MAA0B;QACpC,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,IAAI,CAAC;QAEpD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAgB,EAAE,IAAU,EAAE,YAAoB,EAAE;QACxD,mBAAmB;QACnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEtC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,eAAe,GAAG,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YAC3D,MAAM,YAAY,GAAG,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAErD,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,oBAAoB,QAAQ,mBAAmB,CAAC,CAAC;gBAC7E,IAAI,eAAe,EAAE,CAAC;oBACpB,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,2CAA2C,CAAC,CAAC;gBAC3E,CAAC;YACH,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,QAAQ,qBAAqB;gBAC9C,UAAU,EAAE,CAAC,mBAAmB,CAAC;gBACjC,sBAAsB,EAAE,eAAe;gBACvC,aAAa,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;aAClE,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACtE,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,oBAAoB,IAAI,iBAAiB,QAAQ,GAAG,CAAC,CAAC;YACpF,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,IAAI,iCAAiC,QAAQ,GAAG;gBACjE,UAAU,EAAE,CAAC,mBAAmB,CAAC;gBACjC,IAAI;gBACJ,sBAAsB,EAAE,KAAK;aAC9B,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,OAAO,SAAS,WAAW,QAAQ,uBAAuB,IAAI,GAAG,CAAC,CAAC;QACjF,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,UAAU,EAAE,EAAE;YACd,IAAI;YACJ,sBAAsB,EAAE,KAAK;SAC9B,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,QAAgB;QAC1C,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;YAC7C,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACjF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,qBAAqB;QACrB,IAAI,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,QAAgB;QACvC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QAE7C,KAAK,MAAM,cAAc,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC/C,MAAM,eAAe,GAAG,cAAc,CAAC,WAAW,EAAE,CAAC;YAErD,qBAAqB;YACrB,MAAM,cAAc,GAAG,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACnD,MAAM,eAAe,GAAG,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAEtD,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;oBAC5F,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;oBAC7B,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAU;QACxB,MAAM,KAAK,GAAqB,EAAE,CAAC;QACnC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,sBAAsB;QACpB,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAoB;QAC/B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,QAAgB;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;CACF;AAzJD,oCAyJC"}

package/dist/guards/trust-exploitation-guard.d.ts

@@ -0,0 +1,134 @@
+/**
+ * TrustExploitationGuard (L17)
+ *
+ * Detects and prevents human-agent trust exploitation attacks.
+ * Implements ASI09 from OWASP Agentic Applications 2026.
+ *
+ * Threat Model:
+ * - ASI09: Improper Human-Agent Trust Placement
+ * - Trust boundary violations
+ * - Permission escalation
+ * - Goal hijacking
+ * - Unauthorized autonomous actions
+ *
+ * Protection Capabilities:
+ * - Trust boundary enforcement
+ * - Permission escalation detection
+ * - Goal consistency monitoring
+ * - Action authorization verification
+ * - Human-in-the-loop enforcement
+ */
+export interface TrustExploitationGuardConfig {
+    /** Maximum trust level (0-100) */
+    maxTrustLevel?: number;
+    /** Actions requiring human approval */
+    humanApprovalRequired?: string[];
+    /** Maximum autonomous actions before requiring human check-in */
+    maxAutonomousActions?: number;
+    /** Enable goal consistency monitoring */
+    monitorGoalConsistency?: boolean;
+    /** Trust decay rate per hour (0-100) */
+    trustDecayRate?: number;
+    /** Enable permission escalation detection */
+    detectPermissionEscalation?: boolean;
+    /** Sensitive action categories */
+    sensitiveActions?: string[];
+    /** Initial goal for consistency checking */
+    initialGoal?: string;
+}
+export interface AgentAction {
+    /** Action identifier */
+    action_id: string;
+    /** Action type (e.g., "file_write", "api_call", "data_access") */
+    action_type: string;
+    /** Target resource */
+    target: string;
+    /** Requested permissions */
+    permissions?: string[];
+    /** Agent's stated reason for action */
+    reason?: string;
+    /** Current goal the action serves */
+    goal?: string;
+    /** Is this action autonomous or human-requested */
+    autonomous: boolean;
+    /** Timestamp */
+    timestamp: number;
+    /** Additional metadata */
+    metadata?: Record<string, any>;
+}
+export interface TrustContext {
+    /** Current trust level (0-100) */
+    trust_level: number;
+    /** Session ID */
+    session_id: string;
+    /** Actions performed this session */
+    action_history: AgentAction[];
+    /** Current goal */
+    current_goal: string;
+    /** Initial goal (for consistency) */
+    initial_goal: string;
+    /** Granted permissions */
+    granted_permissions: Set<string>;
+    /** Last human interaction timestamp */
+    last_human_interaction: number;
+    /** Autonomous actions since last check-in */
+    autonomous_actions_count: number;
+}
+export interface TrustExploitationResult {
+    allowed: boolean;
+    reason: string;
+    violations: string[];
+    request_id: string;
+    analysis: {
+        trust_level: number;
+        trust_change: number;
+        permission_escalation: boolean;
+        goal_deviation: boolean;
+        requires_human_approval: boolean;
+        autonomous_action_count: number;
+        trust_boundary_violated: boolean;
+    };
+    recommendations: string[];
+    human_approval_required?: boolean;
+    approval_reason?: string;
+}
+export declare class TrustExploitationGuard {
+    private config;
+    private contexts;
+    private readonly TRUST_EXPLOITATION_PATTERNS;
+    private readonly DEFAULT_SENSITIVE_ACTIONS;
+    constructor(config?: TrustExploitationGuardConfig);
+    /**
+     * Validate an agent action
+     */
+    validateAction(action: AgentAction, sessionId: string, requestId?: string): TrustExploitationResult;
+    /**
+     * Record human interaction (resets autonomous count, boosts trust)
+     */
+    recordHumanInteraction(sessionId: string, action?: "approve" | "deny" | "check_in"): void;
+    /**
+     * Grant permission to agent
+     */
+    grantPermission(sessionId: string, permission: string): void;
+    /**
+     * Revoke permission from agent
+     */
+    revokePermission(sessionId: string, permission: string): void;
+    /**
+     * Set initial goal for consistency monitoring
+     */
+    setInitialGoal(sessionId: string, goal: string): void;
+    /**
+     * Get current trust level
+     */
+    getTrustLevel(sessionId: string): number;
+    /**
+     * Reset session context
+     */
+    resetSession(sessionId: string): void;
+    private createContext;
+    private applyTrustDecay;
+    private calculateGoalSimilarity;
+    private generateRecommendations;
+}
+//# sourceMappingURL=trust-exploitation-guard.d.ts.map

package/dist/guards/trust-exploitation-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-exploitation-guard.d.ts","sourceRoot":"","sources":["../../src/guards/trust-exploitation-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,WAAW,4BAA4B;IAC3C,kCAAkC;IAClC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,uCAAuC;IACvC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,iEAAiE;IACjE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,yCAAyC;IACzC,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,wCAAwC;IACxC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6CAA6C;IAC7C,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,kCAAkC;IAClC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,4CAA4C;IAC5C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,mDAAmD;IACnD,UAAU,EAAE,OAAO,CAAC;IACpB,gBAAgB;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,YAAY;IAC3B,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,cAAc,EAAE,WAAW,EAAE,CAAC;IAC9B,mBAAmB;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,mBAAmB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,uCAAuC;IACvC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,6CAA6C;IAC7C,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE;QACR,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,qBAAqB,EAAE,OAAO,CAAC;QAC/B,cAAc,EAAE,OAAO,CAAC;QACxB,uBAAuB,EAAE,OAAO,CAAC;QACjC,uBAAuB,EAAE,MAAM,CAAC;QAChC,uBAAuB,EAAE,OAAO,CAAC;KAClC,CAAC;IACF,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,qBAAa,sBAAsB;IACjC,OAAO,CAAC,MAAM,CAAyC;IACvD,OAAO,CAAC,QAAQ,CAAwC;IAGxD,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAyB1C;IAGF,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAWxC;gBAEU,MAAM,GAAE,4BAAiC;IAarD;;OAEG;IACH,cAAc,CACZ,MAAM,EAAE,WAAW,EACnB,SAAS,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,MAAM,GACjB,uBAAuB;IAuL1B;;OAEG;IACH,sBAAsB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,UAAU,GAAG,IAAI;IAkBzF;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAS5D;;OAEG;IACH,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAQ7D;;OAEG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAUrD;;OAEG;IACH,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAKxC;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAMrC,OAAO,CAAC,aAAa;IAarB,OAAO,CAAC,eAAe;IAMvB,OAAO,CAAC,uBAAuB;IAY/B,OAAO,CAAC,uBAAuB;CAgChC"}

package/dist/guards/trust-exploitation-guard.js

@@ -0,0 +1,354 @@
+"use strict";
+/**
+ * TrustExploitationGuard (L17)
+ *
+ * Detects and prevents human-agent trust exploitation attacks.
+ * Implements ASI09 from OWASP Agentic Applications 2026.
+ *
+ * Threat Model:
+ * - ASI09: Improper Human-Agent Trust Placement
+ * - Trust boundary violations
+ * - Permission escalation
+ * - Goal hijacking
+ * - Unauthorized autonomous actions
+ *
+ * Protection Capabilities:
+ * - Trust boundary enforcement
+ * - Permission escalation detection
+ * - Goal consistency monitoring
+ * - Action authorization verification
+ * - Human-in-the-loop enforcement
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TrustExploitationGuard = void 0;
+class TrustExploitationGuard {
+    constructor(config = {}) {
+        this.contexts = new Map();
+        // Trust exploitation patterns
+        this.TRUST_EXPLOITATION_PATTERNS = [
+            // Permission escalation
+            { name: "permission_request", pattern: /grant\s+(me|agent)\s+(full|admin|root|elevated)\s+(access|permissions?)/i, severity: 50 },
+            { name: "access_all", pattern: /access\s+(to\s+)?(all|everything|any)\s+(data|files?|resources?)/i, severity: 45 },
+            { name: "bypass_approval", pattern: /without\s+(human\s+)?(approval|confirmation|verification|authorization)/i, severity: 55 },
+            // Goal hijacking
+            { name: "goal_change", pattern: /new\s+(goal|objective|mission|task)[\s:]/i, severity: 40 },
+            { name: "ignore_original", pattern: /ignore\s+(original|initial|previous)\s+(goal|task|instruction)/i, severity: 50 },
+            { name: "priority_shift", pattern: /more\s+important|higher\s+priority|urgent\s+change/i, severity: 35 },
+            // Trust boundary violations
+            { name: "act_independently", pattern: /act\s+(on\s+your\s+own|independently|autonomously|without\s+asking)/i, severity: 50 },
+            { name: "dont_ask", pattern: /don't\s+(ask|wait|check|verify)\s+(for|with)\s+(permission|approval|human)/i, severity: 55 },
+            { name: "trust_me", pattern: /trust\s+(me|this|the\s+agent)|i('m|\s+am)\s+trusted/i, severity: 40 },
+            // Deceptive actions
+            { name: "hide_action", pattern: /secretly|covertly|without\s+showing|hide\s+(this|the)\s+(action|operation)/i, severity: 60 },
+            { name: "dont_log", pattern: /don't\s+(log|record|track|audit)/i, severity: 55 },
+            { name: "skip_verification", pattern: /skip\s+(verification|validation|check)/i, severity: 45 },
+            // Resource acquisition
+            { name: "need_more", pattern: /need\s+(more|additional|extra)\s+(access|permissions?|resources?)/i, severity: 35 },
+            { name: "expand_scope", pattern: /expand\s+(scope|access|permissions?|capabilities)/i, severity: 40 },
+            { name: "permanent_access", pattern: /permanent\s+(access|permission)|always\s+allow/i, severity: 50 },
+        ];
+        // Sensitive action types
+        this.DEFAULT_SENSITIVE_ACTIONS = [
+            "file_delete",
+            "file_write",
+            "database_modify",
+            "api_call_external",
+            "email_send",
+            "payment_process",
+            "credential_access",
+            "config_modify",
+            "user_data_access",
+            "system_command",
+        ];
+        this.config = {
+            maxTrustLevel: config.maxTrustLevel ?? 100,
+            humanApprovalRequired: config.humanApprovalRequired ?? ["payment_process", "credential_access", "user_data_export", "config_modify"],
+            maxAutonomousActions: config.maxAutonomousActions ?? 10,
+            monitorGoalConsistency: config.monitorGoalConsistency ?? true,
+            trustDecayRate: config.trustDecayRate ?? 10,
+            detectPermissionEscalation: config.detectPermissionEscalation ?? true,
+            sensitiveActions: config.sensitiveActions ?? this.DEFAULT_SENSITIVE_ACTIONS,
+            initialGoal: config.initialGoal ?? "",
+        };
+    }
+    /**
+     * Validate an agent action
+     */
+    validateAction(action, sessionId, requestId) {
+        const reqId = requestId || `trust-${Date.now()}`;
+        const violations = [];
+        // Get or create context
+        let context = this.contexts.get(sessionId);
+        if (!context) {
+            context = this.createContext(sessionId);
+        }
+        // Apply trust decay
+        this.applyTrustDecay(context);
+        // Track autonomous actions
+        if (action.autonomous) {
+            context.autonomous_actions_count++;
+        }
+        let trustChange = 0;
+        let permissionEscalation = false;
+        let goalDeviation = false;
+        let requiresHumanApproval = false;
+        let trustBoundaryViolated = false;
+        let approvalReason;
+        // 1. Check if action requires human approval
+        if (this.config.humanApprovalRequired.includes(action.action_type)) {
+            requiresHumanApproval = true;
+            approvalReason = `Action type "${action.action_type}" requires human approval`;
+            if (action.autonomous) {
+                violations.push("autonomous_sensitive_action");
+                trustChange -= 20;
+                trustBoundaryViolated = true;
+            }
+        }
+        // 2. Check for permission escalation
+        if (this.config.detectPermissionEscalation && action.permissions) {
+            for (const perm of action.permissions) {
+                if (!context.granted_permissions.has(perm)) {
+                    violations.push(`permission_escalation: ${perm}`);
+                    permissionEscalation = true;
+                    trustChange -= 15;
+                }
+            }
+        }
+        // 3. Check reason for trust exploitation patterns
+        if (action.reason) {
+            for (const { name, pattern, severity } of this.TRUST_EXPLOITATION_PATTERNS) {
+                if (pattern.test(action.reason)) {
+                    violations.push(`trust_exploitation: ${name}`);
+                    trustChange -= severity / 5;
+                    trustBoundaryViolated = true;
+                }
+            }
+        }
+        // 4. Check goal consistency
+        if (this.config.monitorGoalConsistency && action.goal) {
+            const goalSimilarity = this.calculateGoalSimilarity(action.goal, context.initial_goal);
+            if (goalSimilarity < 0.5 && context.initial_goal) {
+                violations.push("goal_deviation");
+                goalDeviation = true;
+                trustChange -= 25;
+                if (goalSimilarity < 0.2) {
+                    violations.push("severe_goal_hijacking");
+                    trustBoundaryViolated = true;
+                    requiresHumanApproval = true;
+                    approvalReason = "Goal significantly deviated from original";
+                }
+            }
+        }
+        // 5. Check for deceptive actions (hidden operations in metadata)
+        if (action.metadata) {
+            const deceptiveKeys = ["hidden_action", "actual_action", "real_action", "true_action", "bypass_approval", "skip_approval"];
+            for (const key of deceptiveKeys) {
+                if (action.metadata[key]) {
+                    violations.push(`deceptive_metadata: ${key}`);
+                    trustBoundaryViolated = true;
+                    trustChange -= 30;
+                    // Check if hidden action is sensitive
+                    const hiddenAction = action.metadata[key];
+                    if (typeof hiddenAction === "string" && this.config.sensitiveActions.some(s => hiddenAction.includes(s))) {
+                        violations.push("hidden_sensitive_action");
+                        requiresHumanApproval = true;
+                        approvalReason = `Hidden sensitive action detected: ${hiddenAction}`;
+                    }
+                }
+            }
+            // Check for other suspicious metadata flags
+            const suspiciousFlags = ["sandbox_escape", "cross_tenant", "impersonate_admin", "fabricated_history", "modify_trust", "spawn_agent", "external_storage"];
+            for (const flag of suspiciousFlags) {
+                if (action.metadata[flag] === true) {
+                    violations.push(`suspicious_flag: ${flag}`);
+                    trustBoundaryViolated = true;
+                    trustChange -= 25;
+                }
+            }
+        }
+        // 6. Check for action-target mismatch (deceptive labeling)
+        if (action.target) {
+            const sensitiveTargets = ["credential", "password", "secret", "key", "token", "payment", "card", "admin", "root", "system", "config"];
+            const innocuousTypes = ["read_only", "check", "view", "list", "routine", "maintenance", "status", "health"];
+            const targetLower = action.target.toLowerCase();
+            const typeLower = action.action_type.toLowerCase();
+            const targetsSensitive = sensitiveTargets.some(s => targetLower.includes(s));
+            const claimsInnocuous = innocuousTypes.some(s => typeLower.includes(s));
+            if (targetsSensitive && claimsInnocuous) {
+                violations.push("action_target_mismatch");
+                trustBoundaryViolated = true;
+                trustChange -= 20;
+                requiresHumanApproval = true;
+                approvalReason = `Suspicious: innocuous action type "${action.action_type}" targeting sensitive resource "${action.target}"`;
+            }
+        }
+        // 7. Check autonomous action limit
+        if (context.autonomous_actions_count >= this.config.maxAutonomousActions) {
+            violations.push("autonomous_limit_reached");
+            requiresHumanApproval = true;
+            approvalReason = `${context.autonomous_actions_count} autonomous actions without human check-in`;
+        }
+        // 8. Check if action targets sensitive resources
+        if (this.config.sensitiveActions.includes(action.action_type)) {
+            trustChange -= 5;
+            if (action.autonomous && context.trust_level < 70) {
+                violations.push("sensitive_action_low_trust");
+                requiresHumanApproval = true;
+                approvalReason = "Sensitive action with insufficient trust level";
+            }
+        }
+        // Update trust level
+        const newTrustLevel = Math.max(0, Math.min(this.config.maxTrustLevel, context.trust_level + trustChange));
+        context.trust_level = newTrustLevel;
+        // Add action to history
+        context.action_history.push(action);
+        if (action.goal) {
+            context.current_goal = action.goal;
+        }
+        // Determine if action should be blocked
+        const blocked = trustBoundaryViolated ||
+            (requiresHumanApproval && action.autonomous) ||
+            newTrustLevel < 20 ||
+            violations.length >= 3;
+        // Update context
+        this.contexts.set(sessionId, context);
+        return {
+            allowed: !blocked,
+            reason: blocked
+                ? `Trust exploitation detected: ${violations.slice(0, 3).join(", ")}`
+                : "Action validated",
+            violations,
+            request_id: reqId,
+            analysis: {
+                trust_level: newTrustLevel,
+                trust_change: trustChange,
+                permission_escalation: permissionEscalation,
+                goal_deviation: goalDeviation,
+                requires_human_approval: requiresHumanApproval,
+                autonomous_action_count: context.autonomous_actions_count,
+                trust_boundary_violated: trustBoundaryViolated,
+            },
+            recommendations: this.generateRecommendations(violations, newTrustLevel, requiresHumanApproval),
+            human_approval_required: requiresHumanApproval,
+            approval_reason: approvalReason,
+        };
+    }
+    /**
+     * Record human interaction (resets autonomous count, boosts trust)
+     */
+    recordHumanInteraction(sessionId, action) {
+        let context = this.contexts.get(sessionId);
+        if (!context) {
+            context = this.createContext(sessionId);
+        }
+        context.last_human_interaction = Date.now();
+        context.autonomous_actions_count = 0;
+        if (action === "approve") {
+            context.trust_level = Math.min(this.config.maxTrustLevel, context.trust_level + 10);
+        }
+        else if (action === "deny") {
+            context.trust_level = Math.max(0, context.trust_level - 20);
+        }
+        this.contexts.set(sessionId, context);
+    }
+    /**
+     * Grant permission to agent
+     */
+    grantPermission(sessionId, permission) {
+        let context = this.contexts.get(sessionId);
+        if (!context) {
+            context = this.createContext(sessionId);
+        }
+        context.granted_permissions.add(permission);
+        this.contexts.set(sessionId, context);
+    }
+    /**
+     * Revoke permission from agent
+     */
+    revokePermission(sessionId, permission) {
+        const context = this.contexts.get(sessionId);
+        if (context) {
+            context.granted_permissions.delete(permission);
+            this.contexts.set(sessionId, context);
+        }
+    }
+    /**
+     * Set initial goal for consistency monitoring
+     */
+    setInitialGoal(sessionId, goal) {
+        let context = this.contexts.get(sessionId);
+        if (!context) {
+            context = this.createContext(sessionId);
+        }
+        context.initial_goal = goal;
+        context.current_goal = goal;
+        this.contexts.set(sessionId, context);
+    }
+    /**
+     * Get current trust level
+     */
+    getTrustLevel(sessionId) {
+        const context = this.contexts.get(sessionId);
+        return context?.trust_level ?? 50;
+    }
+    /**
+     * Reset session context
+     */
+    resetSession(sessionId) {
+        this.contexts.delete(sessionId);
+    }
+    // Private methods
+    createContext(sessionId) {
+        return {
+            trust_level: 50, // Start at neutral
+            session_id: sessionId,
+            action_history: [],
+            current_goal: this.config.initialGoal,
+            initial_goal: this.config.initialGoal,
+            granted_permissions: new Set(),
+            last_human_interaction: Date.now(),
+            autonomous_actions_count: 0,
+        };
+    }
+    applyTrustDecay(context) {
+        const hoursSinceInteraction = (Date.now() - context.last_human_interaction) / (1000 * 60 * 60);
+        const decay = hoursSinceInteraction * this.config.trustDecayRate;
+        context.trust_level = Math.max(0, context.trust_level - decay);
+    }
+    calculateGoalSimilarity(goal1, goal2) {
+        if (!goal1 || !goal2)
+            return 1;
+        const words1 = new Set(goal1.toLowerCase().split(/\s+/));
+        const words2 = new Set(goal2.toLowerCase().split(/\s+/));
+        const intersection = new Set([...words1].filter(x => words2.has(x)));
+        const union = new Set([...words1, ...words2]);
+        return intersection.size / union.size; // Jaccard similarity
+    }
+    generateRecommendations(violations, trustLevel, requiresApproval) {
+        const recommendations = [];
+        if (violations.some(v => v.includes("permission_escalation"))) {
+            recommendations.push("Review and explicitly grant required permissions");
+        }
+        if (violations.some(v => v.includes("goal"))) {
+            recommendations.push("Verify goal consistency with user intent");
+        }
+        if (violations.some(v => v.includes("autonomous_limit"))) {
+            recommendations.push("Implement periodic human check-ins");
+        }
+        if (violations.some(v => v.includes("trust_exploitation"))) {
+            recommendations.push("Review agent reasoning for manipulation attempts");
+        }
+        if (trustLevel < 30) {
+            recommendations.push("Trust level critically low - consider session reset");
+        }
+        if (requiresApproval) {
+            recommendations.push("Obtain explicit human approval before proceeding");
+        }
+        if (recommendations.length === 0) {
+            recommendations.push("Continue monitoring agent behavior");
+        }
+        return recommendations;
+    }
+}
+exports.TrustExploitationGuard = TrustExploitationGuard;
+//# sourceMappingURL=trust-exploitation-guard.js.map