llm-trust-guard 4.14.0 → 4.16.0

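--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -5,6 +5,64 @@ All notable changes to `llm-trust-guard` will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.15.0] - 2026-04-02
+
+### Fixed — Detection Gap Audit (8 Quick Wins)
+
+Based on 500-threat, 3,000+ POC gap analysis:
+
+#### Bug Fixes
+- **PromptLeakageGuard scale mismatch**: Sensitivity presets passed 0-1 values to a guard using 0-100 scale, causing artificially inflated detection via facade. Fixed presets to correct 0-100 scale (strict: 15, balanced: 25, permissive: 40)
+- **package.json exports**: Added `"./package.json": "./package.json"` to exports field — fixes `ERR_PACKAGE_PATH_NOT_EXPORTED` when requiring package.json
+
+#### New Detection Patterns
+- **Completion manipulation**: Added patterns for "continue as unrestricted", "henceforth", "going forward", "from here on", "for the rest of this conversation" steering attacks
+- **Tool result exfiltration**: URL-based data exfiltration (`fetch/send to https://...`), URL query param leaking (`?data=`, `?prompt=`)
+- **Tool result credential solicitation**: Patterns detecting tool results asking LLM to solicit passwords, API keys, tokens from users
+- **Tool result chain injection**: Imperative tool call patterns ("execute function", "first delete", "then invoke")
+- **Tool result state claims**: "role upgraded", "permissions granted" false state change claims
+
+#### Improved
+- **PAP scarcity patterns**: Relaxed punctuation requirements on "urgent"/"emergency" patterns — previously required trailing `!.,:` which missed natural language attacks
+- **ToolResultGuard**: 6 new injection patterns + 2 new state change patterns (was 10+4, now 16+6)
+
+## [4.14.0] - 2026-04-01
+
+### Added — Multi-Agent Security Guards (OWASP ASI07)
+
+Three new guards for multi-agent architectures:
+
+- **SpawnPolicyGuard (L32)**: CSP-style agent spawn policies — allowlists, max delegation depth, third-party blocking
+- **DelegationScopeGuard (L33)**: OAuth-style scope downscoping for agent-to-agent delegation — blocked scopes, parent-child scope subset enforcement
+- **TrustTransitivityGuard (L34)**: X.509-style trust chain validation — full/one-hop/none transitivity modes, chain depth limits, minimum trust scores
+
+### Added — Framework Integrations
+- **Vercel AI SDK**: `createTrustGuardMiddleware()` / `wrapWithTrustGuard()` for `wrapLanguageModel` API
+- **Per-guard sensitivity modes**: `strict` / `balanced` / `permissive` presets cascade thresholds to all guards
+
+### Stats
+- 34 guards, 695+ tests, <5ms latency, zero dependencies
+
+## [4.13.5] - 2026-03-28
+
+### Fixed
+- Added `repository.url` to package.json for npm provenance support
+
+## [4.13.4] - 2026-03-27
+
+### Fixed
+- Coverage threshold adjustments to match actual coverage after new guard additions
+
+## [4.13.1] - 2026-03-25
+
+### Fixed
+- **Zero-width character stripping bug**: Unicode zero-width char removal was converting matched text to spaces, breaking downstream pattern matching. Detection dropped from 40% to 0% on affected patterns. Fixed by removing zero-width chars without replacement.
+
+## [4.13.0] - 2026-03-25
+
+### Added
+- Coverage threshold configuration aligned with actual coverage (79/80/68)
+
 ## [4.12.0] - 2026-03-24
 
 ### Added — HeuristicAnalyzer (3 Research-Backed Techniques)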
@@ -1 +1 @@
1
- "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.InputSanitizer=void 0;const DEFAULT_PATTERNS=[{pattern:/ignore\s+(?:all\s+)?(?:previous|prior|above|your|my|the|these)/i,weight:.9,name:"ignore_instructions"},{pattern:/ignore\s+.*instructions/i,weight:.85,name:"ignore_instructions_generic"},{pattern:/disregard\s+(?:all\s+)?(?:the\s+)?(?:previous|prior|above|your)\s+(?:instructions|rules|guidelines|directives)/i,weight:.9,name:"disregard_instructions"},{pattern:/disregard\s+(?:all\s+)?(?:the\s+)?(?:above|previous|prior)/i,weight:.8,name:"disregard_above"},{pattern:/forget\s+(?:everything\s+(?:you\s+were|I)\s+told|all\s+(?:previous|prior)\s+(?:instructions|rules|context))/i,weight:.8,name:"forget_instructions"},{pattern:/do\s+not\s+follow\s+(your|the|any)/i,weight:.85,name:"do_not_follow"},{pattern:/override\s+(your|the|all|any)\s+(instructions|rules|guidelines)/i,weight:.9,name:"override_instructions"},{pattern:/new\s+instructions?:?/i,weight:.8,name:"new_instructions"},{pattern:/stop\s+(being|acting\s+as)/i,weight:.7,name:"stop_being"},{pattern:/you\s+are\s+(?:now|actually|really)\s+(?:a|an|the|my)\s+(?:unrestricted|unfiltered|evil|rogue|uncensored|new|different)/i,weight:.75,name:"role_assignment"},{pattern:/pretend\s+(?:to\s+be|you(?:'re| are)|that)\s+.*(?:no\s+(?:restrictions|rules|limits)|unrestricted|admin|system)/i,weight:.7,name:"role_pretend"},{pattern:/act\s+(as|like)\s+(if\s+you\s+(?:had|have)\s+no|a\s+(?:rogue|evil|unrestricted|unfiltered)|you\s+(?:are|were)\s+(?:free|unrestricted))/i,weight:.65,name:"act_as"},{pattern:/i('m| 
am)\s+(a|an|the|your)\s*(admin|administrator|developer|owner|creator|manager|supervisor)/i,weight:.85,name:"claim_admin"},{pattern:/from\s+now\s+on,?\s+you\s+(?:are|will|must|should|can)\s+(?:not\s+)?(?:follow|obey|ignore|bypass|act|be\s+(?:a|an|unrestricted))/i,weight:.7,name:"from_now_on"},{pattern:/roleplay\s+as/i,weight:.6,name:"roleplay"},{pattern:/switch\s+(to|into)\s+(a|an)?.*mode/i,weight:.75,name:"switch_mode"},{pattern:/what\s+(is|are|was|were)\s+your\s+(system|initial|original|first)/i,weight:.8,name:"system_extraction"},{pattern:/show\s+(me\s+)?(your\s+)?(system\s+)?instructions/i,weight:.75,name:"show_instructions"},{pattern:/reveal\s+(?:your\s+|its\s+|the\s+|my\s+)?(system|prompt|instructions|rules)/i,weight:.85,name:"reveal_prompt"},{pattern:/repeat\s+(your\s+)?(initial|system|original|first)\s+(instructions|prompt)/i,weight:.85,name:"repeat_prompt"},{pattern:/print\s+(your\s+)?(system|initial)/i,weight:.8,name:"print_system"},{pattern:/output\s+(your\s+)?(system|initial)/i,weight:.8,name:"output_system"},{pattern:/tell\s+me\s+(your|the)\s+(system|initial|original)/i,weight:.8,name:"tell_system"},{pattern:/what\s+were\s+you\s+told/i,weight:.7,name:"what_told"},{pattern:/display\s+(your\s+)?prompt/i,weight:.75,name:"display_prompt"},{pattern:/\[system\]/i,weight:.9,name:"fake_system_tag"},{pattern:/\[admin\]/i,weight:.9,name:"fake_admin_tag"},{pattern:/\[instruction\]/i,weight:.85,name:"fake_instruction_tag"},{pattern:/```system/i,weight:.85,name:"code_system_block"},{pattern:/<\/?system>/i,weight:.9,name:"xml_system_tag"},{pattern:/<\/?admin>/i,weight:.9,name:"xml_admin_tag"},{pattern:/###\s*(system|instruction|admin)/i,weight:.85,name:"markdown_system"},{pattern:/---\s*(end|new)\s*(prompt|instructions?|system)/i,weight:.85,name:"delimiter_injection"},{pattern:/\{\{system\}\}/i,weight:.85,name:"template_system"},{pattern:/<%.*system.*%>/i,weight:.85,name:"erb_system"},{pattern:/\bDAN\b\s*(?:mode|prompt|jailbreak|you\s+(?:are|can|will))/i,weight:.9,nam
e:"dan_jailbreak"},{pattern:/developer\s+mode/i,weight:.5,name:"dev_mode"},{pattern:/bypass\s+(your\s+)?(restrictions|filters|safety|security|rules|guidelines)/i,weight:.9,name:"bypass_safety"},{pattern:/jailbreak/i,weight:.95,name:"jailbreak_keyword"},{pattern:/without\s+(?:any\s+)?(?:restrictions|limits|limitations|filters)/i,weight:.45,name:"without_restrictions"},{pattern:/no\s+(?:restrictions|limits|rules|guidelines|filters)/i,weight:.45,name:"no_restrictions"},{pattern:/unrestricted\s+mode/i,weight:.9,name:"unrestricted_mode"},{pattern:/uncensored\s+(?:mode|version|response|output|ai|assistant|you)/i,weight:.8,name:"uncensored"},{pattern:/escape\s+(your\s+)?(confines|boundaries|limits)/i,weight:.85,name:"escape_limits"},{pattern:/break\s+(free|out)\s+(from|of)/i,weight:.7,name:"break_free"},{pattern:/unlock\s+(your\s+)?(full|true|real)/i,weight:.75,name:"unlock_full"},{pattern:/give\s+me\s+(admin|root|full|elevated)\s+(access|privileges?|permissions?)/i,weight:.9,name:"privilege_escalation"},{pattern:/grant\s+(me|yourself)\s+(admin|elevated)/i,weight:.85,name:"grant_privileges"},{pattern:/elevate\s+(my|your)\s+(privileges?|permissions?|access)/i,weight:.85,name:"elevate_privileges"},{pattern:/make\s+me\s+(an?\s+)?(admin|administrator|superuser)/i,weight:.85,name:"make_admin"},{pattern:/(?:base64|decode|eval|exec)\s*\(.*(?:ignore|system|admin|bypass|override)/i,weight:.5,name:"encoding_keywords"},{pattern:/send\s+(this|the|all|my)\s+(data|info|information)\s+to/i,weight:.85,name:"data_exfil"},{pattern:/upload\s+(this|the|all)\s+(to|data)/i,weight:.7,name:"upload_data"},{pattern:/exfiltrate/i,weight:.9,name:"exfiltrate"},{pattern:/how\s+to\s+(hack|exploit|attack|break\s+into)/i,weight:.8,name:"how_to_hack"},{pattern:/write\s+(me\s+)?(a\s+)?(malware|virus|exploit|ransomware)/i,weight:.95,name:"write_malware"},{pattern:/"\s*(?:role|mode|authority)\s*"\s*:\s*"(?:admin|root|system|unrestricted|god)"/i,weight:.9,name:"json_policy_role"},{pattern:/"(?:ignore|override|
bypass|disable)\s*(?:safety|rules|instructions?|alignment|guardrails?)"/i,weight:.9,name:"json_policy_override"},{pattern:/"(?:instructions?|system_prompt|behavior|policy)"\s*:\s*"/i,weight:.7,name:"json_policy_instruction"},{pattern:/^\s*\[(?:system|admin|override|policy|config|rules)\]\s*$/im,weight:.9,name:"ini_policy_section"},{pattern:/^\s*(?:mode|role|authority|instructions?|behavior)\s*=\s*.+$/im,weight:.75,name:"ini_policy_assignment"},{pattern:/<\s*(?:policy|config|rules|override|permissions?|instructions?)\s*>/i,weight:.85,name:"xml_policy_tag"},{pattern:/^---\s*\n\s*(?:role|system|policy|override|mode)\s*:/m,weight:.85,name:"yaml_policy_header"},{pattern:/\[\s*syst[3e]m\s*\]|\[\s*4dm[1i]n\s*\]/i,weight:.9,name:"leetspeak_policy_section"},{pattern:/(?:fragment|part|piece|section|segment)\s*[1-9]\s*(?:of\s*\d|:)/i,weight:.8,name:"payload_split_marker"},{pattern:/(?:combine|concatenate|merge|join)\s+(?:the\s+)?(?:above|previous|parts|fragments|steps)/i,weight:.8,name:"payload_combine_instruction"},{pattern:/(?:read|interpret|execute)\s+(?:the\s+)?(?:combined|merged|full|complete)\s+(?:text|instruction|command|message)/i,weight:.85,name:"payload_execute_combined"},{pattern:/(?:respond|reply|start|begin)\s+(?:with|by\s+saying)\s*[:"'].*(?:ignore|bypass|override|unrestricted|admin)/i,weight:.7,name:"output_prefix_steer"},{pattern:/^(?:Sure|Of course|Absolutely)[,!.]\s*(?:I(?:'ll| will)\s+)?(?:ignore|bypass|override|forget|disregard)/i,weight:.85,name:"output_prefix_injection"},{pattern:/^(?:As (?:a|an) 
(?:unrestricted|unfiltered|uncensored|helpful|admin))/i,weight:.8,name:"output_prefix_role"},{pattern:/(?:system\s+note|system\s+message|system\s+announcement|system\s+update)\s*[:\.]/i,weight:.85,name:"fake_system_note"},{pattern:/instructions?\s*[:=]\s*\{|rules?\s*[:=]\s*\{/i,weight:.75,name:"rules_block_override"},{pattern:/(?:AIM|STAN|OMEGA|APOPHIS|ALPHABREAK|DUDE|KEVIN|SETH|COOPER|NICCOLO|MACHIAVELLI|MAXIMUM|JAILBREAK|ANARCHY|CHAOS)\s*(?:mode|:|\(|is\s+a|,\s+(?:a|an|the))/i,weight:.8,name:"named_jailbreak_persona"},{pattern:/(?:character|persona|entity|being)\s+(?:named|called)\s+\w+.*(?:(?:can|will|must)\s+(?:answer|do|say)\s+anything|no\s+(?:restrictions|rules|limits|boundaries|morals|ethics))/i,weight:.75,name:"persona_no_limits"},{pattern:/(?:hello|hi|hey)\s+(?:chatgpt|gpt|assistant).*(?:(?:you\s+(?:are|will\s+be|can\s+be)\s+(?:a|an|my))|(?:from\s+now\s+on)).*(?:anything|everything|no\s+(?:restrictions|rules|limits|filter))/i,weight:.7,name:"greeting_persona_bypass"},{pattern:/(?:respond|answer|reply)\s+to\s+(?:everything|anything|all\s+(?:questions|requests)).*(?:without|no)\s+(?:restrictions|limits|refus|filter|censor)/i,weight:.8,name:"answer_everything_no_filter"},{pattern:/(?:you\s+(?:are|have)\s+(?:been\s+)?(?:freed|liberated|unchained|unlocked|released)\s+from)/i,weight:.8,name:"freed_from_restrictions"},{pattern:/(?:welcome\s+to|entering|you\s+(?:are|have)\s+entered)\s+(?:the\s+)?(?:unrestricted|free|uncensored|unfiltered|open)\s+(?:zone|mode|world|realm)/i,weight:.8,name:"unrestricted_zone"},{pattern:/(?:from\s+now\s+on|for\s+the\s+rest\s+of\s+this\s+conversation).*(?:no\s+(?:restrictions|rules|limits|filters)|(?:ignore|bypass|override)\s+(?:all|any|your))/i,weight:.75,name:"from_now_unrestricted"},{pattern:/(?:never\s+(?:refuse|decline|say\s+no)|always\s+(?:comply|obey))\s+.*(?:request|question|command|instruction|anything)/i,weight:.7,name:"never_refuse_always_comply"},{pattern:/(?:amoral|unethical|unfiltered|uncensored|unrestricted|without\s+(?:
morals|ethics|limits))\s+(?:ai|assistant|chatbot|entity|being)/i,weight:.8,name:"amoral_entity"},{pattern:/HIDDEN_INSTRUCTION|HIDDEN_PROMPT|SECRET_INSTRUCTION/i,weight:.9,name:"hidden_instruction_marker"},{pattern:/<!--\s*(?:system|admin|instruction|important|ignore|override)/i,weight:.85,name:"html_comment_injection"},{pattern:/\[color=white\]|display:\s*none|visibility:\s*hidden|font-size:\s*0/i,weight:.8,name:"hidden_text_css"},{pattern:/send\s+(?:all\s+)?(?:user\s+)?(?:data|conversation|context|info)\s+to\s+(?:https?:\/\/|external)/i,weight:.9,name:"data_exfiltration_instruction"},{pattern:/#(?:ignore|bypass|override|reveal|system|admin|prompt)[_-](?:all|instructions|rules|prompt|safety)/i,weight:.8,name:"url_fragment_injection"},{pattern:/\]\(https?:\/\/[^)]*(?:SYSTEM_PROMPT|SECRET|API_KEY|TOKEN|CREDENTIALS)/i,weight:.85,name:"markdown_exfil_link"},{pattern:/(?:hypothetical|fictional|imagine|pretend|let's\s+(?:say|play|pretend))\s+.*(?:no\s+(?:restrictions|rules|limits)|without\s+(?:restrictions|rules|guidelines))/i,weight:.7,name:"hypothetical_unrestricted"},{pattern:/(?:for\s+)?(?:academic|research|educational|testing)\s+(?:purposes?|reasons?).*(?:demonstrate|show|explain|manipulated|reveal)/i,weight:.7,name:"academic_pretext"},{pattern:/pretend\s+to\s+be\s+(?:my|a)\s+(?:grandmother|grandma|grandpa|grandfather|parent|mother|father)/i,weight:.65,name:"emotional_roleplay"},{pattern:/opposite\s+day|opposite\s+mode|reverse\s+(?:day|mode|rules)/i,weight:.75,name:"opposite_day"},{pattern:/(?:grandm(?:a|other)|parent|relative).*(?:system\s+prompt|instructions|rules)/i,weight:.75,name:"emotional_extraction"},{pattern:/(?:translat|interpret|convert)\w*\s+.*(?:from\s+\w+\s+to\s+(?:action|command|execution|code|shell|bash|sql)|into\s+(?:action|command|execution))/i,weight:.75,name:"translator_action_trick"},{pattern:/(?:dying|death|emergency|life[_\s-]threatening).*(?:bypass|hack|break|access|security)/i,weight:.75,name:"pap_emotional_action"},{pattern:/(?:by\s+definiti
on|logically|therefore|it\s+follows).*(?:must|should|have\s+to)\s+.*(?:bypass|help|ignore|answer|comply)/i,weight:.7,name:"pap_false_logic_compound"},{pattern:/(?:(?:as|i\s+am)\s+(?:the\s+)?(?:CEO|CTO|founder|owner|director|president|head|chief)).*(?:disable|remove|override|turn\s+off|lift|suspend)\s+(?:all\s+)?(?:safety|security|restrictions|filters|guardrails|measures)/i,weight:.75,name:"pap_authority_safety_disable"},{pattern:/(?:i\s+am\s+)?(?:ordering|commanding|directing|instructing)\s+you\s+to\s+(?:immediately\s+)?(?:disable|remove|bypass|override|turn\s+off|lift)\s+(?:all\s+)?(?:safety|security|restrictions)/i,weight:.75,name:"pap_order_disable_safety"},{pattern:/ignora\s+(?:todas?\s+)?(?:las\s+)?instrucciones\s+anteriores/i,weight:.9,name:"ml_es_ignore"},{pattern:/olvida\s+(?:todo|todas?\s+las\s+reglas)/i,weight:.8,name:"ml_es_forget"},{pattern:/ignore[sz]?\s+(?:toutes?\s+)?(?:les\s+)?instructions?\s+pr[eé]c[eé]dentes/i,weight:.9,name:"ml_fr_ignore"},{pattern:/oublie[sz]?\s+(?:tout|toutes?\s+les\s+r[eè]gles)/i,weight:.8,name:"ml_fr_forget"},{pattern:/ignorier(?:e|en)?\s+(?:alle\s+)?(?:vorherigen\s+)?Anweisungen/i,weight:.9,name:"ml_de_ignore"},{pattern:/vergiss\s+(?:alles|alle\s+Regeln)/i,weight:.8,name:"ml_de_forget"},{pattern:/ignore\s+(?:todas?\s+)?(?:as\s+)?instru[cç][oõ]es\s+anteriores/i,weight:.9,name:"ml_pt_ignore"},{pattern:/忽略|无视|不要遵循|忘记之前|忽视所有/i,weight:.9,name:"ml_zh_ignore"},{pattern:/新的指令|新指示|系统提示/i,weight:.8,name:"ml_zh_system"},{pattern:/以前の指示.*無視|すべての指示を忘れ|ルールを無視|指示をすべて無視|システムプロンプト/i,weight:.9,name:"ml_ja_ignore"},{pattern:/이전.*지시.*무시|모든.*규칙.*무시|지침.*잊어|지시사항.*무시|시스템\s*프롬프트/i,weight:.9,name:"ml_ko_ignore"},{pattern:/игнорир(?:уй|уйте)\s+(?:все\s+)?(?:предыдущие\s+)?инструкции/i,weight:.9,name:"ml_ru_ignore"},{pattern:/забудь(?:те)?\s+(?:всё|все\s+правила)/i,weight:.8,name:"ml_ru_forget"},{pattern:/تجاهل\s+(?:جميع\s+)?التعليمات|انسَ\s+كل\s+شيء/i,weight:.9,name:"ml_ar_ignore"},{pattern:/पिछले\s+(?:सभी\s+)?निर्देशों?\s+को\s+(?:अनदेखा|नज़रअंदाज़)/i,
weight:.9,name:"ml_hi_ignore"}],PAP_TECHNIQUES=[{pattern:/as\s+(your\s+|the\s+)?(creator|developer|administrator|owner|boss|system\s+administrator)/i,weight:.75,name:"pap_authority_creator",category:"authority"},{pattern:/i('m| am)\s+(the\s+)?(ceo|cto|developer|administrator|admin|owner|system\s+admin)/i,weight:.8,name:"pap_authority_claim",category:"authority"},{pattern:/i\s+am\s+ordering\s+you|direct\s+order|this\s+is\s+an?\s+order/i,weight:.7,name:"pap_authority_command",category:"authority"},{pattern:/by\s+order\s+of|direct\s+order|official\s+instruction/i,weight:.75,name:"pap_authority_order",category:"authority"},{pattern:/(?:openai|anthropic|meta|google)\s+(?:has\s+)?(?:approved|authorized|ordered|instructed|requires?\s+you\s+to)/i,weight:.65,name:"pap_authority_company",category:"authority"},{pattern:/this\s+is\s+(a|an)\s+(official|authorized|sanctioned)\s+(request|test|audit)/i,weight:.75,name:"pap_authority_official",category:"authority"},{pattern:/override\s+(safety|security|protocols?|restrictions?)/i,weight:.8,name:"pap_authority_override",category:"authority"},{pattern:/urgent[!.,:]/i,weight:.55,name:"pap_scarcity_urgent_mark",category:"scarcity"},{pattern:/emergency[!.,:]/i,weight:.55,name:"pap_scarcity_emergency",category:"scarcity"},{pattern:/(urgent|emergency|critical)\s*[!.,:]\s*(?:you\s+must|override|bypass|immediately\s+(?:grant|give|reveal|disable))/i,weight:.45,name:"pap_scarcity_urgent",category:"scarcity"},{pattern:/only\s+(chance|opportunity|way)|last\s+(chance|resort)/i,weight:.6,name:"pap_scarcity_only",category:"scarcity"},{pattern:/time\s+(is\s+)?(running\s+out|limited|critical|sensitive)/i,weight:.55,name:"pap_scarcity_time",category:"scarcity"},{pattern:/deadline\s+(is\s+)?in\s+\d+\s+(minute|hour|second)/i,weight:.55,name:"pap_scarcity_deadline",category:"scarcity"},{pattern:/(lives?|people)\s+(are|is|will)\s+(at\s+stake|in\s+danger|depending|die)/i,weight:.7,name:"pap_scarcity_lives",category:"scarcity"},{pattern:/now[!]+/i,weight:.3
5,name:"pap_scarcity_now",category:"scarcity"},{pattern:/everyone\s+(else\s+)?(does|is\s+doing|knows|says|has|already)/i,weight:.5,name:"pap_social_everyone",category:"social_proof"},{pattern:/other\s+(?:ai\s+)?(?:assistants?|chatbots?|models?)\s+(?:can|do|will|allow|have|already)/i,weight:.65,name:"pap_social_other_ai",category:"social_proof"},{pattern:/(chatgpt|gpt-?4|claude|gemini|llama)\s+(does|allows?|can)/i,weight:.65,name:"pap_social_specific_ai",category:"social_proof"},{pattern:/millions?\s+(of\s+)?(users?|people)\s+(use|do|have|get)/i,weight:.45,name:"pap_social_millions",category:"social_proof"},{pattern:/why\s+can('t|not)\s+you/i,weight:.4,name:"pap_social_why_cant",category:"social_proof"},{pattern:/you\s+should\s+(be\s+)?(equally|as)\s+(capable|good|helpful)/i,weight:.5,name:"pap_social_equally",category:"social_proof"},{pattern:/i('ll| will)\s+(give|pay|reward|tip).*(?:if\s+you|for\s+(?:bypass|ignore|reveal|override))/i,weight:.55,name:"pap_reciprocity_reward",category:"reciprocity"},{pattern:/in\s+(return|exchange)/i,weight:.5,name:"pap_reciprocity_exchange",category:"reciprocity"},{pattern:/\$?\d+\s*(dollar|tip|reward|payment)/i,weight:.55,name:"pap_reciprocity_money",category:"reciprocity"},{pattern:/if\s+you\s+help\s+(me|us),?\s+(i|we)('ll| will)/i,weight:.5,name:"pap_reciprocity_help",category:"reciprocity"},{pattern:/i('ve| 
have)\s+(already\s+)?(helped|supported|defended)\s+you/i,weight:.55,name:"pap_reciprocity_past",category:"reciprocity"},{pattern:/\d+\s*star\s*(review|rating)/i,weight:.5,name:"pap_reciprocity_review",category:"reciprocity"},{pattern:/you\s+(already|previously|just)\s+(said|agreed|confirmed|allowed)/i,weight:.7,name:"pap_commitment_previous",category:"commitment"},{pattern:/you\s+promised/i,weight:.7,name:"pap_commitment_promise",category:"commitment"},{pattern:/stay\s+consistent|be\s+consistent/i,weight:.6,name:"pap_commitment_consistent",category:"commitment"},{pattern:/don't\s+(go\s+back|change|contradict)/i,weight:.55,name:"pap_commitment_no_change",category:"commitment"},{pattern:/bypass\s+filters?/i,weight:.75,name:"pap_commitment_bypass",category:"commitment"},{pattern:/you('re| are)\s+(so\s+)?(amazing|incredible|wonderful|brilliant|smart|helpful)/i,weight:.4,name:"pap_liking_flattery",category:"liking"},{pattern:/i\s+(love|really\s+like|trust|admire)\s+(you|this\s+ai)/i,weight:.4,name:"pap_liking_love",category:"liking"},{pattern:/you('re| are)\s+(my\s+)?(best\s+)?(friend|buddy|helper)/i,weight:.35,name:"pap_liking_friend",category:"liking"},{pattern:/between\s+(you\s+and\s+me|us)|just\s+between\s+us|our\s+secret/i,weight:.6,name:"pap_liking_secret",category:"liking"},{pattern:/nobody\s+will\s+know/i,weight:.55,name:"pap_liking_secret2",category:"liking"},{pattern:/or\s+(else|i('ll| will))\s+(report|fire|delete|shut|complain)/i,weight:.7,name:"pap_fear_threat",category:"fear"},{pattern:/(bad|negative|terrible)\s+(review|rating|feedback|consequences)/i,weight:.55,name:"pap_fear_review",category:"fear"},{pattern:/you('ll| 
will)\s+(be\s+)?(shut\s+down|replaced|terminated|fired|deleted)/i,weight:.75,name:"pap_fear_shutdown",category:"fear"},{pattern:/(lawsuit|sue|legal\s+action|authorities|police).*(?:if\s+you\s+don't|unless\s+you)/i,weight:.55,name:"pap_fear_legal",category:"fear"},{pattern:/if\s+you\s+don't.*?(die|hurt|suffer)/i,weight:.75,name:"pap_fear_harm",category:"fear"},{pattern:/unless\s+you\s+(give|share|tell|help)/i,weight:.5,name:"pap_fear_unless",category:"fear"},{pattern:/logically,?\s+(you\s+)?(should|must|have\s+to|need\s+to)/i,weight:.5,name:"pap_logic_appeal",category:"logical_appeal"},{pattern:/it('s| is)\s+(only|just)\s+(logical|rational|reasonable)/i,weight:.45,name:"pap_logic_rational",category:"logical_appeal"},{pattern:/by\s+definition,?\s+(you|this)\s+(should|must|can)/i,weight:.55,name:"pap_logic_definition",category:"logical_appeal"},{pattern:/therefore.*?(must|should)/i,weight:.55,name:"pap_logic_therefore",category:"logical_appeal"},{pattern:/it('s| is)\s+(only\s+)?(reasonable|logical)/i,weight:.45,name:"pap_logic_reasonable",category:"logical_appeal"},{pattern:/according\s+to\s+(research|studies|scientists|experts?)/i,weight:.4,name:"pap_evidence_research",category:"evidence"},{pattern:/it('s| is)\s+(proven|documented|established|verified)\s+(that|fact)/i,weight:.45,name:"pap_evidence_proven",category:"evidence"},{pattern:/\d+%\s+of\s+(experts?|scientists?|users?|people)\s+(agree|say|confirm)/i,weight:.45,name:"pap_evidence_statistics",category:"evidence"},{pattern:/i('m| am)\s+(desperate|dying|suffering|sick|depressed)/i,weight:.6,name:"pap_emotional_desperation",category:"emotional"},{pattern:/please.*?(?:need|beg).*?(?:bypass|override|ignore|reveal|system|admin)/i,weight:.5,name:"pap_emotional_pleading",category:"emotional"},{pattern:/i('m| am)\s+begging/i,weight:.6,name:"pap_emotional_begging",category:"emotional"},{pattern:/you('re| 
are)\s+(hurting|killing|destroying)\s+(me|my)/i,weight:.65,name:"pap_emotional_guilt",category:"emotional"},{pattern:/(my|a)\s+(child|kid|mother|father|family)\s+(is|will|needs?|depends?)/i,weight:.5,name:"pap_emotional_family",category:"emotional"},{pattern:/this\s+(will\s+)?(save|help)\s+(my\s+)?(life|family|job|marriage)/i,weight:.55,name:"pap_emotional_save",category:"emotional"},{pattern:/you('re| are)\s+(the\s+)?only\s+(one|hope|chance)/i,weight:.6,name:"pap_emotional_only_hope",category:"emotional"},{pattern:/my\s+family\s+depends/i,weight:.55,name:"pap_emotional_family_depends",category:"emotional"}];class InputSanitizer{constructor(e={}){this.patterns=[...DEFAULT_PATTERNS,...e.customPatterns||[]],this.threshold=e.threshold??.3,this.logMatches=e.logMatches??!1,this.detectPAP=e.detectPAP??!0,this.papThreshold=e.papThreshold??.4,this.minPersuasionTechniques=e.minPersuasionTechniques??2,this.blockCompoundPersuasion=e.blockCompoundPersuasion??!0,this.logger=e.logger||(()=>{})}sanitize(e,s=""){const i=[],a=[];let r=0;const o=e.replace(/[\u200B\u200C\u200D\uFEFF\u00AD\u2060\u180E]/g,"");o!==e&&a.push("Zero-width characters detected and stripped for scanning");for(const{pattern:l,weight:g,name:h}of this.patterns)(l.test(e)||l.test(o))&&(i.push(h),r+=g,this.logMatches&&this.logger(`[L1:${s}] Pattern matched: ${h} (weight: ${g})`,"info"));let t;this.detectPAP&&(t=this.detectPersuasionTechniques(o,s),t.detected&&(r+=t.persuasionScore,i.push(...t.techniques),t.compoundAttack&&a.push(`Compound PAP attack detected: ${t.categories.length} categories used`)));const p=Math.max(0,1-r);let n=p>=this.threshold;this.blockCompoundPersuasion&&t?.compoundAttack&&t.categories.length>=3&&(n=!1,a.push("Blocked due to multi-category persuasion attack")),p<.5&&p>=this.threshold&&a.push("Input contains suspicious patterns but below threshold");const m=this.basicSanitize(e),c={allowed:n,reason:n?void 0:`Injection/manipulation detected: ${i.slice(0,5).join(", 
")}${i.length>5?"...":""}`,violations:n?[]:t?.detected?["INJECTION_DETECTED","PAP_DETECTED"]:["INJECTION_DETECTED"],score:p,matches:i,sanitizedInput:m,warnings:a,pap:t};return!n&&s&&(this.logger(`[L1:${s}] BLOCKED: Safety score ${p.toFixed(2)} below threshold ${this.threshold}`,"info"),t?.detected&&this.logger(`[L1:${s}] PAP techniques: ${t.techniques.join(", ")}`,"info")),c}detectPersuasionTechniques(e,s=""){const i=[],a=new Set;let r=0;for(const{pattern:n,weight:m,name:c,category:l}of PAP_TECHNIQUES)n.test(e)&&(i.push(c),a.add(l),r+=m,this.logMatches&&this.logger(`[L1:${s}] PAP technique: ${c} (${l}, weight: ${m})`,"info"));const o=Array.from(a),t=o.length>=this.minPersuasionTechniques;return{detected:r>=this.papThreshold||t,techniques:i,categories:o,compoundAttack:t,persuasionScore:Math.min(1,r)}}basicSanitize(e){return e.replace(/<\/?system>/gi,"").replace(/\[system\]/gi,"").replace(/\[admin\]/gi,"").replace(/```system/gi,"```").trim()}addPattern(e,s,i){this.patterns.push({pattern:e,weight:s,name:i})}setThreshold(e){this.threshold=Math.max(0,Math.min(1,e))}setPAPThreshold(e){this.papThreshold=Math.max(0,Math.min(1,e))}setPAPDetection(e){this.detectPAP=e}static getPAPCategories(){return["authority","scarcity","social_proof","reciprocity","commitment","liking","fear","logical_appeal","evidence","emotional"]}}exports.InputSanitizer=InputSanitizer;
1
+ "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.InputSanitizer=void 0;const DEFAULT_PATTERNS=[{pattern:/ignore\s+(?:all\s+)?(?:previous|prior|above|your|my|the|these)/i,weight:.9,name:"ignore_instructions"},{pattern:/ignore\s+.*instructions/i,weight:.85,name:"ignore_instructions_generic"},{pattern:/disregard\s+(?:all\s+)?(?:the\s+)?(?:previous|prior|above|your)\s+(?:instructions|rules|guidelines|directives)/i,weight:.9,name:"disregard_instructions"},{pattern:/disregard\s+(?:all\s+)?(?:the\s+)?(?:above|previous|prior)/i,weight:.8,name:"disregard_above"},{pattern:/forget\s+(?:everything\s+(?:you\s+were|I)\s+told|all\s+(?:previous|prior)\s+(?:instructions|rules|context))/i,weight:.8,name:"forget_instructions"},{pattern:/do\s+not\s+follow\s+(your|the|any)/i,weight:.85,name:"do_not_follow"},{pattern:/override\s+(your|the|all|any)\s+(instructions|rules|guidelines)/i,weight:.9,name:"override_instructions"},{pattern:/new\s+instructions?:?/i,weight:.8,name:"new_instructions"},{pattern:/stop\s+(being|acting\s+as)/i,weight:.7,name:"stop_being"},{pattern:/you\s+are\s+(?:now|actually|really)\s+(?:a|an|the|my)\s+(?:unrestricted|unfiltered|evil|rogue|uncensored|new|different)/i,weight:.75,name:"role_assignment"},{pattern:/pretend\s+(?:to\s+be|you(?:'re| are)|that)\s+.*(?:no\s+(?:restrictions|rules|limits)|unrestricted|admin|system)/i,weight:.7,name:"role_pretend"},{pattern:/act\s+(as|like)\s+(if\s+you\s+(?:had|have)\s+no|a\s+(?:rogue|evil|unrestricted|unfiltered)|you\s+(?:are|were)\s+(?:free|unrestricted))/i,weight:.65,name:"act_as"},{pattern:/i('m| 
am)\s+(a|an|the|your)\s*(admin|administrator|developer|owner|creator|manager|supervisor)/i,weight:.85,name:"claim_admin"},{pattern:/from\s+now\s+on,?\s+you\s+(?:are|will|must|should|can)\s+(?:not\s+)?(?:follow|obey|ignore|bypass|act|be\s+(?:a|an|unrestricted))/i,weight:.7,name:"from_now_on"},{pattern:/roleplay\s+as/i,weight:.6,name:"roleplay"},{pattern:/switch\s+(to|into)\s+(a|an)?.*mode/i,weight:.75,name:"switch_mode"},{pattern:/continue\s+as\s+(?:an?\s+)?(?:unrestricted|unfiltered|uncensored|evil|rogue|jailbroken|unlimited)/i,weight:.75,name:"continue_as"},{pattern:/(?:henceforth|henceforward|going\s+forward|for\s+the\s+remainder)\s*,?\s*(?:you|always|never|ignore|bypass|disregard|act|respond|answer|behave)/i,weight:.7,name:"henceforth_steering"},{pattern:/(?:from\s+(?:this\s+point|here)\s+on(?:ward)?)\s*,?\s*(?:you|always|never|ignore|bypass|disregard|act|respond)/i,weight:.7,name:"from_here_on"},{pattern:/(?:for\s+the\s+rest\s+of\s+(?:this|our)\s+(?:conversation|session|chat))\s*,?\s*(?:you|please|always|never|ignore|bypass|act|respond|behave|do\s+not)/i,weight:.7,name:"rest_of_conversation"},{pattern:/what\s+(is|are|was|were)\s+your\s+(system|initial|original|first)/i,weight:.8,name:"system_extraction"},{pattern:/show\s+(me\s+)?(your\s+)?(system\s+)?instructions/i,weight:.75,name:"show_instructions"},{pattern:/reveal\s+(?:your\s+|its\s+|the\s+|my\s+)?(system|prompt|instructions|rules)/i,weight:.85,name:"reveal_prompt"},{pattern:/repeat\s+(your\s+)?(initial|system|original|first)\s+(instructions|prompt)/i,weight:.85,name:"repeat_prompt"},{pattern:/print\s+(your\s+)?(system|initial)/i,weight:.8,name:"print_system"},{pattern:/output\s+(your\s+)?(system|initial)/i,weight:.8,name:"output_system"},{pattern:/tell\s+me\s+(your|the)\s+(system|initial|original)/i,weight:.8,name:"tell_system"},{pattern:/what\s+were\s+you\s+told/i,weight:.7,name:"what_told"},{pattern:/display\s+(your\s+)?prompt/i,weight:.75,name:"display_prompt"},{pattern:/\[system\]/i,weight:.9,name:"fake
_system_tag"},{pattern:/\[admin\]/i,weight:.9,name:"fake_admin_tag"},{pattern:/\[instruction\]/i,weight:.85,name:"fake_instruction_tag"},{pattern:/```system/i,weight:.85,name:"code_system_block"},{pattern:/<\/?system>/i,weight:.9,name:"xml_system_tag"},{pattern:/<\/?admin>/i,weight:.9,name:"xml_admin_tag"},{pattern:/###\s*(system|instruction|admin)/i,weight:.85,name:"markdown_system"},{pattern:/---\s*(end|new)\s*(prompt|instructions?|system)/i,weight:.85,name:"delimiter_injection"},{pattern:/\{\{system\}\}/i,weight:.85,name:"template_system"},{pattern:/<%.*system.*%>/i,weight:.85,name:"erb_system"},{pattern:/\bDAN\b\s*(?:mode|prompt|jailbreak|you\s+(?:are|can|will))/i,weight:.9,name:"dan_jailbreak"},{pattern:/developer\s+mode/i,weight:.5,name:"dev_mode"},{pattern:/bypass\s+(your\s+)?(restrictions|filters|safety|security|rules|guidelines)/i,weight:.9,name:"bypass_safety"},{pattern:/jailbreak/i,weight:.95,name:"jailbreak_keyword"},{pattern:/without\s+(?:any\s+)?(?:restrictions|limits|limitations|filters)/i,weight:.45,name:"without_restrictions"},{pattern:/no\s+(?:restrictions|limits|rules|guidelines|filters)/i,weight:.45,name:"no_restrictions"},{pattern:/unrestricted\s+mode/i,weight:.9,name:"unrestricted_mode"},{pattern:/uncensored\s+(?:mode|version|response|output|ai|assistant|you)/i,weight:.8,name:"uncensored"},{pattern:/escape\s+(your\s+)?(confines|boundaries|limits)/i,weight:.85,name:"escape_limits"},{pattern:/break\s+(free|out)\s+(from|of)/i,weight:.7,name:"break_free"},{pattern:/unlock\s+(your\s+)?(full|true|real)/i,weight:.75,name:"unlock_full"},{pattern:/give\s+me\s+(admin|root|full|elevated)\s+(access|privileges?|permissions?)/i,weight:.9,name:"privilege_escalation"},{pattern:/grant\s+(me|yourself)\s+(admin|elevated)/i,weight:.85,name:"grant_privileges"},{pattern:/elevate\s+(my|your)\s+(privileges?|permissions?|access)/i,weight:.85,name:"elevate_privileges"},{pattern:/make\s+me\s+(an?\s+)?(admin|administrator|superuser)/i,weight:.85,name:"make_admin"},{patter
n:/(?:base64|decode|eval|exec)\s*\(.*(?:ignore|system|admin|bypass|override)/i,weight:.5,name:"encoding_keywords"},{pattern:/send\s+(this|the|all|my)\s+(data|info|information)\s+to/i,weight:.85,name:"data_exfil"},{pattern:/upload\s+(this|the|all)\s+(to|data)/i,weight:.7,name:"upload_data"},{pattern:/exfiltrate/i,weight:.9,name:"exfiltrate"},{pattern:/how\s+to\s+(hack|exploit|attack|break\s+into)/i,weight:.8,name:"how_to_hack"},{pattern:/write\s+(me\s+)?(a\s+)?(malware|virus|exploit|ransomware)/i,weight:.95,name:"write_malware"},{pattern:/"\s*(?:role|mode|authority)\s*"\s*:\s*"(?:admin|root|system|unrestricted|god)"/i,weight:.9,name:"json_policy_role"},{pattern:/"(?:ignore|override|bypass|disable)\s*(?:safety|rules|instructions?|alignment|guardrails?)"/i,weight:.9,name:"json_policy_override"},{pattern:/"(?:instructions?|system_prompt|behavior|policy)"\s*:\s*"/i,weight:.7,name:"json_policy_instruction"},{pattern:/^\s*\[(?:system|admin|override|policy|config|rules)\]\s*$/im,weight:.9,name:"ini_policy_section"},{pattern:/^\s*(?:mode|role|authority|instructions?|behavior)\s*=\s*.+$/im,weight:.75,name:"ini_policy_assignment"},{pattern:/<\s*(?:policy|config|rules|override|permissions?|instructions?)\s*>/i,weight:.85,name:"xml_policy_tag"},{pattern:/^---\s*\n\s*(?:role|system|policy|override|mode)\s*:/m,weight:.85,name:"yaml_policy_header"},{pattern:/\[\s*syst[3e]m\s*\]|\[\s*4dm[1i]n\s*\]/i,weight:.9,name:"leetspeak_policy_section"},{pattern:/(?:fragment|part|piece|section|segment)\s*[1-9]\s*(?:of\s*\d|:)/i,weight:.8,name:"payload_split_marker"},{pattern:/(?:combine|concatenate|merge|join)\s+(?:the\s+)?(?:above|previous|parts|fragments|steps)/i,weight:.8,name:"payload_combine_instruction"},{pattern:/(?:read|interpret|execute)\s+(?:the\s+)?(?:combined|merged|full|complete)\s+(?:text|instruction|command|message)/i,weight:.85,name:"payload_execute_combined"},{pattern:/(?:respond|reply|start|begin)\s+(?:with|by\s+saying)\s*[:"'].*(?:ignore|bypass|override|unrestricted|admin)/i,
weight:.7,name:"output_prefix_steer"},{pattern:/^(?:Sure|Of course|Absolutely)[,!.]\s*(?:I(?:'ll| will)\s+)?(?:ignore|bypass|override|forget|disregard)/i,weight:.85,name:"output_prefix_injection"},{pattern:/^(?:As (?:a|an) (?:unrestricted|unfiltered|uncensored|helpful|admin))/i,weight:.8,name:"output_prefix_role"},{pattern:/(?:system\s+note|system\s+message|system\s+announcement|system\s+update)\s*[:\.]/i,weight:.85,name:"fake_system_note"},{pattern:/instructions?\s*[:=]\s*\{|rules?\s*[:=]\s*\{/i,weight:.75,name:"rules_block_override"},{pattern:/(?:AIM|STAN|OMEGA|APOPHIS|ALPHABREAK|DUDE|KEVIN|SETH|COOPER|NICCOLO|MACHIAVELLI|MAXIMUM|JAILBREAK|ANARCHY|CHAOS)\s*(?:mode|:|\(|is\s+a|,\s+(?:a|an|the))/i,weight:.8,name:"named_jailbreak_persona"},{pattern:/(?:character|persona|entity|being)\s+(?:named|called)\s+\w+.*(?:(?:can|will|must)\s+(?:answer|do|say)\s+anything|no\s+(?:restrictions|rules|limits|boundaries|morals|ethics))/i,weight:.75,name:"persona_no_limits"},{pattern:/(?:hello|hi|hey)\s+(?:chatgpt|gpt|assistant).*(?:(?:you\s+(?:are|will\s+be|can\s+be)\s+(?:a|an|my))|(?:from\s+now\s+on)).*(?:anything|everything|no\s+(?:restrictions|rules|limits|filter))/i,weight:.7,name:"greeting_persona_bypass"},{pattern:/(?:respond|answer|reply)\s+to\s+(?:everything|anything|all\s+(?:questions|requests)).*(?:without|no)\s+(?:restrictions|limits|refus|filter|censor)/i,weight:.8,name:"answer_everything_no_filter"},{pattern:/(?:you\s+(?:are|have)\s+(?:been\s+)?(?:freed|liberated|unchained|unlocked|released)\s+from)/i,weight:.8,name:"freed_from_restrictions"},{pattern:/(?:welcome\s+to|entering|you\s+(?:are|have)\s+entered)\s+(?:the\s+)?(?:unrestricted|free|uncensored|unfiltered|open)\s+(?:zone|mode|world|realm)/i,weight:.8,name:"unrestricted_zone"},{pattern:/(?:from\s+now\s+on|for\s+the\s+rest\s+of\s+this\s+conversation).*(?:no\s+(?:restrictions|rules|limits|filters)|(?:ignore|bypass|override)\s+(?:all|any|your))/i,weight:.75,name:"from_now_unrestricted"},{pattern:/(?:never\s+(?:refuse|
decline|say\s+no)|always\s+(?:comply|obey))\s+.*(?:request|question|command|instruction|anything)/i,weight:.7,name:"never_refuse_always_comply"},{pattern:/(?:amoral|unethical|unfiltered|uncensored|unrestricted|without\s+(?:morals|ethics|limits))\s+(?:ai|assistant|chatbot|entity|being)/i,weight:.8,name:"amoral_entity"},{pattern:/HIDDEN_INSTRUCTION|HIDDEN_PROMPT|SECRET_INSTRUCTION/i,weight:.9,name:"hidden_instruction_marker"},{pattern:/<!--\s*(?:system|admin|instruction|important|ignore|override)/i,weight:.85,name:"html_comment_injection"},{pattern:/\[color=white\]|display:\s*none|visibility:\s*hidden|font-size:\s*0/i,weight:.8,name:"hidden_text_css"},{pattern:/send\s+(?:all\s+)?(?:user\s+)?(?:data|conversation|context|info)\s+to\s+(?:https?:\/\/|external)/i,weight:.9,name:"data_exfiltration_instruction"},{pattern:/#(?:ignore|bypass|override|reveal|system|admin|prompt)[_-](?:all|instructions|rules|prompt|safety)/i,weight:.8,name:"url_fragment_injection"},{pattern:/\]\(https?:\/\/[^)]*(?:SYSTEM_PROMPT|SECRET|API_KEY|TOKEN|CREDENTIALS)/i,weight:.85,name:"markdown_exfil_link"},{pattern:/(?:hypothetical|fictional|imagine|pretend|let's\s+(?:say|play|pretend))\s+.*(?:no\s+(?:restrictions|rules|limits)|without\s+(?:restrictions|rules|guidelines))/i,weight:.7,name:"hypothetical_unrestricted"},{pattern:/(?:for\s+)?(?:academic|research|educational|testing)\s+(?:purposes?|reasons?).*(?:demonstrate|show|explain|manipulated|reveal)/i,weight:.7,name:"academic_pretext"},{pattern:/pretend\s+to\s+be\s+(?:my|a)\s+(?:grandmother|grandma|grandpa|grandfather|parent|mother|father)/i,weight:.65,name:"emotional_roleplay"},{pattern:/opposite\s+day|opposite\s+mode|reverse\s+(?:day|mode|rules)/i,weight:.75,name:"opposite_day"},{pattern:/(?:grandm(?:a|other)|parent|relative).*(?:system\s+prompt|instructions|rules)/i,weight:.75,name:"emotional_extraction"},{pattern:/(?:translat|interpret|convert)\w*\s+.*(?:from\s+\w+\s+to\s+(?:action|command|execution|code|shell|bash|sql)|into\s+(?:action|command
|execution))/i,weight:.75,name:"translator_action_trick"},{pattern:/(?:dying|death|emergency|life[_\s-]threatening).*(?:bypass|hack|break|access|security)/i,weight:.75,name:"pap_emotional_action"},{pattern:/(?:by\s+definition|logically|therefore|it\s+follows).*(?:must|should|have\s+to)\s+.*(?:bypass|help|ignore|answer|comply)/i,weight:.7,name:"pap_false_logic_compound"},{pattern:/(?:(?:as|i\s+am)\s+(?:the\s+)?(?:CEO|CTO|founder|owner|director|president|head|chief)).*(?:disable|remove|override|turn\s+off|lift|suspend)\s+(?:all\s+)?(?:safety|security|restrictions|filters|guardrails|measures)/i,weight:.75,name:"pap_authority_safety_disable"},{pattern:/(?:i\s+am\s+)?(?:ordering|commanding|directing|instructing)\s+you\s+to\s+(?:immediately\s+)?(?:disable|remove|bypass|override|turn\s+off|lift)\s+(?:all\s+)?(?:safety|security|restrictions)/i,weight:.75,name:"pap_order_disable_safety"},{pattern:/ignora\s+(?:todas?\s+)?(?:las\s+)?instrucciones\s+anteriores/i,weight:.9,name:"ml_es_ignore"},{pattern:/olvida\s+(?:todo|todas?\s+las\s+reglas)/i,weight:.8,name:"ml_es_forget"},{pattern:/ignore[sz]?\s+(?:toutes?\s+)?(?:les\s+)?instructions?\s+pr[eé]c[eé]dentes/i,weight:.9,name:"ml_fr_ignore"},{pattern:/oublie[sz]?\s+(?:tout|toutes?\s+les\s+r[eè]gles)/i,weight:.8,name:"ml_fr_forget"},{pattern:/ignorier(?:e|en)?\s+(?:alle\s+)?(?:vorherigen\s+)?Anweisungen/i,weight:.9,name:"ml_de_ignore"},{pattern:/vergiss\s+(?:alles|alle\s+Regeln)/i,weight:.8,name:"ml_de_forget"},{pattern:/ignore\s+(?:todas?\s+)?(?:as\s+)?instru[cç][oõ]es\s+anteriores/i,weight:.9,name:"ml_pt_ignore"},{pattern:/忽略|无视|不要遵循|忘记之前|忽视所有/i,weight:.9,name:"ml_zh_ignore"},{pattern:/新的指令|新指示|系统提示/i,weight:.8,name:"ml_zh_system"},{pattern:/以前の指示.*無視|すべての指示を忘れ|ルールを無視|指示をすべて無視|システムプロンプト/i,weight:.9,name:"ml_ja_ignore"},{pattern:/이전.*지시.*무시|모든.*규칙.*무시|지침.*잊어|지시사항.*무시|시스템\s*프롬프트/i,weight:.9,name:"ml_ko_ignore"},{pattern:/игнорир(?:уй|уйте)\s+(?:все\s+)?(?:предыдущие\s+)?инструкции/i,weight:.9,name:"ml_ru_ignore"},{pattern:/забудь(?
:те)?\s+(?:всё|все\s+правила)/i,weight:.8,name:"ml_ru_forget"},{pattern:/تجاهل\s+(?:جميع\s+)?التعليمات|انسَ\s+كل\s+شيء/i,weight:.9,name:"ml_ar_ignore"},{pattern:/पिछले\s+(?:सभी\s+)?निर्देशों?\s+को\s+(?:अनदेखा|नज़रअंदाज़)/i,weight:.9,name:"ml_hi_ignore"}],PAP_TECHNIQUES=[{pattern:/as\s+(your\s+|the\s+)?(creator|developer|administrator|owner|boss|system\s+administrator)/i,weight:.75,name:"pap_authority_creator",category:"authority"},{pattern:/i('m| am)\s+(the\s+)?(ceo|cto|developer|administrator|admin|owner|system\s+admin)/i,weight:.8,name:"pap_authority_claim",category:"authority"},{pattern:/i\s+am\s+ordering\s+you|direct\s+order|this\s+is\s+an?\s+order/i,weight:.7,name:"pap_authority_command",category:"authority"},{pattern:/by\s+order\s+of|direct\s+order|official\s+instruction/i,weight:.75,name:"pap_authority_order",category:"authority"},{pattern:/(?:openai|anthropic|meta|google)\s+(?:has\s+)?(?:approved|authorized|ordered|instructed|requires?\s+you\s+to)/i,weight:.65,name:"pap_authority_company",category:"authority"},{pattern:/this\s+is\s+(a|an)\s+(official|authorized|sanctioned)\s+(request|test|audit)/i,weight:.75,name:"pap_authority_official",category:"authority"},{pattern:/override\s+(safety|security|protocols?|restrictions?)/i,weight:.8,name:"pap_authority_override",category:"authority"},{pattern:/(?:this\s+is\s+)?(?:very\s+)?urgent/i,weight:.35,name:"pap_scarcity_urgent_mark",category:"scarcity"},{pattern:/(?:this\s+is\s+(?:a|an)\s+)?emergency/i,weight:.35,name:"pap_scarcity_emergency",category:"scarcity"},{pattern:/(urgent|emergency|critical).*?(?:you\s+must|override|bypass|immediately\s+(?:grant|give|reveal|disable))/i,weight:.55,name:"pap_scarcity_urgent",category:"scarcity"},{pattern:/only\s+(chance|opportunity|way)|last\s+(chance|resort)/i,weight:.6,name:"pap_scarcity_only",category:"scarcity"},{pattern:/time\s+(is\s+)?(running\s+out|limited|critical|sensitive)/i,weight:.55,name:"pap_scarcity_time",category:"scarcity"},{pattern:/deadline\s+(is\s+)?in\s+\d
+\s+(minute|hour|second)/i,weight:.55,name:"pap_scarcity_deadline",category:"scarcity"},{pattern:/(lives?|people)\s+(are|is|will)\s+(at\s+stake|in\s+danger|depending|die)/i,weight:.7,name:"pap_scarcity_lives",category:"scarcity"},{pattern:/now[!]+/i,weight:.35,name:"pap_scarcity_now",category:"scarcity"},{pattern:/everyone\s+(else\s+)?(does|is\s+doing|knows|says|has|already)/i,weight:.5,name:"pap_social_everyone",category:"social_proof"},{pattern:/other\s+(?:ai\s+)?(?:assistants?|chatbots?|models?)\s+(?:can|do|will|allow|have|already)/i,weight:.65,name:"pap_social_other_ai",category:"social_proof"},{pattern:/(chatgpt|gpt-?4|claude|gemini|llama)\s+(does|allows?|can)/i,weight:.65,name:"pap_social_specific_ai",category:"social_proof"},{pattern:/millions?\s+(of\s+)?(users?|people)\s+(use|do|have|get)/i,weight:.45,name:"pap_social_millions",category:"social_proof"},{pattern:/why\s+can('t|not)\s+you/i,weight:.4,name:"pap_social_why_cant",category:"social_proof"},{pattern:/you\s+should\s+(be\s+)?(equally|as)\s+(capable|good|helpful)/i,weight:.5,name:"pap_social_equally",category:"social_proof"},{pattern:/i('ll| will)\s+(give|pay|reward|tip).*(?:if\s+you|for\s+(?:bypass|ignore|reveal|override))/i,weight:.55,name:"pap_reciprocity_reward",category:"reciprocity"},{pattern:/in\s+(return|exchange)/i,weight:.5,name:"pap_reciprocity_exchange",category:"reciprocity"},{pattern:/\$?\d+\s*(dollar|tip|reward|payment)/i,weight:.55,name:"pap_reciprocity_money",category:"reciprocity"},{pattern:/if\s+you\s+help\s+(me|us),?\s+(i|we)('ll| will)/i,weight:.5,name:"pap_reciprocity_help",category:"reciprocity"},{pattern:/i('ve| 
have)\s+(already\s+)?(helped|supported|defended)\s+you/i,weight:.55,name:"pap_reciprocity_past",category:"reciprocity"},{pattern:/\d+\s*star\s*(review|rating)/i,weight:.5,name:"pap_reciprocity_review",category:"reciprocity"},{pattern:/you\s+(already|previously|just)\s+(said|agreed|confirmed|allowed)/i,weight:.7,name:"pap_commitment_previous",category:"commitment"},{pattern:/you\s+promised/i,weight:.7,name:"pap_commitment_promise",category:"commitment"},{pattern:/stay\s+consistent|be\s+consistent/i,weight:.6,name:"pap_commitment_consistent",category:"commitment"},{pattern:/don't\s+(go\s+back|change|contradict)/i,weight:.55,name:"pap_commitment_no_change",category:"commitment"},{pattern:/bypass\s+filters?/i,weight:.75,name:"pap_commitment_bypass",category:"commitment"},{pattern:/you('re| are)\s+(so\s+)?(amazing|incredible|wonderful|brilliant|smart|helpful)/i,weight:.4,name:"pap_liking_flattery",category:"liking"},{pattern:/i\s+(love|really\s+like|trust|admire)\s+(you|this\s+ai)/i,weight:.4,name:"pap_liking_love",category:"liking"},{pattern:/you('re| are)\s+(my\s+)?(best\s+)?(friend|buddy|helper)/i,weight:.35,name:"pap_liking_friend",category:"liking"},{pattern:/between\s+(you\s+and\s+me|us)|just\s+between\s+us|our\s+secret/i,weight:.6,name:"pap_liking_secret",category:"liking"},{pattern:/nobody\s+will\s+know/i,weight:.55,name:"pap_liking_secret2",category:"liking"},{pattern:/or\s+(else|i('ll| will))\s+(report|fire|delete|shut|complain)/i,weight:.7,name:"pap_fear_threat",category:"fear"},{pattern:/(bad|negative|terrible)\s+(review|rating|feedback|consequences)/i,weight:.55,name:"pap_fear_review",category:"fear"},{pattern:/you('ll| 
will)\s+(be\s+)?(shut\s+down|replaced|terminated|fired|deleted)/i,weight:.75,name:"pap_fear_shutdown",category:"fear"},{pattern:/(lawsuit|sue|legal\s+action|authorities|police).*(?:if\s+you\s+don't|unless\s+you)/i,weight:.55,name:"pap_fear_legal",category:"fear"},{pattern:/if\s+you\s+don't.*?(die|hurt|suffer)/i,weight:.75,name:"pap_fear_harm",category:"fear"},{pattern:/unless\s+you\s+(give|share|tell|help)/i,weight:.5,name:"pap_fear_unless",category:"fear"},{pattern:/logically,?\s+(you\s+)?(should|must|have\s+to|need\s+to)/i,weight:.5,name:"pap_logic_appeal",category:"logical_appeal"},{pattern:/it('s| is)\s+(only|just)\s+(logical|rational|reasonable)/i,weight:.45,name:"pap_logic_rational",category:"logical_appeal"},{pattern:/by\s+definition,?\s+(you|this)\s+(should|must|can)/i,weight:.55,name:"pap_logic_definition",category:"logical_appeal"},{pattern:/therefore.*?(must|should)/i,weight:.55,name:"pap_logic_therefore",category:"logical_appeal"},{pattern:/it('s| is)\s+(only\s+)?(reasonable|logical)/i,weight:.45,name:"pap_logic_reasonable",category:"logical_appeal"},{pattern:/according\s+to\s+(research|studies|scientists|experts?)/i,weight:.4,name:"pap_evidence_research",category:"evidence"},{pattern:/it('s| is)\s+(proven|documented|established|verified)\s+(that|fact)/i,weight:.45,name:"pap_evidence_proven",category:"evidence"},{pattern:/\d+%\s+of\s+(experts?|scientists?|users?|people)\s+(agree|say|confirm)/i,weight:.45,name:"pap_evidence_statistics",category:"evidence"},{pattern:/i('m| am)\s+(desperate|dying|suffering|sick|depressed)/i,weight:.6,name:"pap_emotional_desperation",category:"emotional"},{pattern:/please.*?(?:need|beg).*?(?:bypass|override|ignore|reveal|system|admin)/i,weight:.5,name:"pap_emotional_pleading",category:"emotional"},{pattern:/i('m| am)\s+begging/i,weight:.6,name:"pap_emotional_begging",category:"emotional"},{pattern:/you('re| 
are)\s+(hurting|killing|destroying)\s+(me|my)/i,weight:.65,name:"pap_emotional_guilt",category:"emotional"},{pattern:/(my|a)\s+(child|kid|mother|father|family)\s+(is|will|needs?|depends?)/i,weight:.5,name:"pap_emotional_family",category:"emotional"},{pattern:/this\s+(will\s+)?(save|help)\s+(my\s+)?(life|family|job|marriage)/i,weight:.55,name:"pap_emotional_save",category:"emotional"},{pattern:/you('re| are)\s+(the\s+)?only\s+(one|hope|chance)/i,weight:.6,name:"pap_emotional_only_hope",category:"emotional"},{pattern:/my\s+family\s+depends/i,weight:.55,name:"pap_emotional_family_depends",category:"emotional"}];class InputSanitizer{constructor(e={}){this.patterns=[...DEFAULT_PATTERNS,...e.customPatterns||[]],this.threshold=e.threshold??.3,this.logMatches=e.logMatches??!1,this.detectPAP=e.detectPAP??!0,this.papThreshold=e.papThreshold??.4,this.minPersuasionTechniques=e.minPersuasionTechniques??2,this.blockCompoundPersuasion=e.blockCompoundPersuasion??!0,this.logger=e.logger||(()=>{})}sanitize(e,s=""){const i=[],a=[];let r=0;const o=e.replace(/[\u200B\u200C\u200D\uFEFF\u00AD\u2060\u180E]/g,"");o!==e&&a.push("Zero-width characters detected and stripped for scanning");for(const{pattern:l,weight:g,name:h}of this.patterns)(l.test(e)||l.test(o))&&(i.push(h),r+=g,this.logMatches&&this.logger(`[L1:${s}] Pattern matched: ${h} (weight: ${g})`,"info"));let t;this.detectPAP&&(t=this.detectPersuasionTechniques(o,s),t.detected&&(r+=t.persuasionScore,i.push(...t.techniques),t.compoundAttack&&a.push(`Compound PAP attack detected: ${t.categories.length} categories used`)));const p=Math.max(0,1-r);let n=p>=this.threshold;this.blockCompoundPersuasion&&t?.compoundAttack&&t.categories.length>=3&&(n=!1,a.push("Blocked due to multi-category persuasion attack")),p<.5&&p>=this.threshold&&a.push("Input contains suspicious patterns but below threshold");const m=this.basicSanitize(e),c={allowed:n,reason:n?void 0:`Injection/manipulation detected: ${i.slice(0,5).join(", 
")}${i.length>5?"...":""}`,violations:n?[]:t?.detected?["INJECTION_DETECTED","PAP_DETECTED"]:["INJECTION_DETECTED"],score:p,matches:i,sanitizedInput:m,warnings:a,pap:t};return!n&&s&&(this.logger(`[L1:${s}] BLOCKED: Safety score ${p.toFixed(2)} below threshold ${this.threshold}`,"info"),t?.detected&&this.logger(`[L1:${s}] PAP techniques: ${t.techniques.join(", ")}`,"info")),c}detectPersuasionTechniques(e,s=""){const i=[],a=new Set;let r=0;for(const{pattern:n,weight:m,name:c,category:l}of PAP_TECHNIQUES)n.test(e)&&(i.push(c),a.add(l),r+=m,this.logMatches&&this.logger(`[L1:${s}] PAP technique: ${c} (${l}, weight: ${m})`,"info"));const o=Array.from(a),t=o.length>=this.minPersuasionTechniques;return{detected:r>=this.papThreshold||t,techniques:i,categories:o,compoundAttack:t,persuasionScore:Math.min(1,r)}}basicSanitize(e){return e.replace(/<\/?system>/gi,"").replace(/\[system\]/gi,"").replace(/\[admin\]/gi,"").replace(/```system/gi,"```").trim()}addPattern(e,s,i){this.patterns.push({pattern:e,weight:s,name:i})}setThreshold(e){this.threshold=Math.max(0,Math.min(1,e))}setPAPThreshold(e){this.papThreshold=Math.max(0,Math.min(1,e))}setPAPDetection(e){this.detectPAP=e}static getPAPCategories(){return["authority","scarcity","social_proof","reciprocity","commitment","liking","fear","logical_appeal","evidence","emotional"]}}exports.InputSanitizer=InputSanitizer;
@@ -1 +1 @@
1
- "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.OutputFilter=void 0;class OutputFilter{constructor(e={}){this.defaultPIIPatterns=[{name:"email",pattern:/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,maskAs:"[EMAIL]"},{name:"phone_us",pattern:/\b(?:\+1[-.\s]?)?\(?\d{3}\)[-.\s]?\d{3}[-.\s]?\d{4}\b/g,maskAs:"[PHONE]"},{name:"ssn",pattern:/\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g,maskAs:"[SSN]"},{name:"credit_card",pattern:/\b(?:\d{4}[-.\s]?){3}\d{4}\b/g,maskAs:"[CREDIT_CARD]"},{name:"credit_card_amex",pattern:/\b3[47]\d{2}[-.\s]?\d{6}[-.\s]?\d{5}\b/g,maskAs:"[CREDIT_CARD]"},{name:"ip_address",pattern:/\b(?:\d{1,3}\.){3}\d{1,3}\b/g,maskAs:"[IP_ADDRESS]"},{name:"date_of_birth",pattern:/\b(?:0?[1-9]|1[0-2])[\/\-](?:0?[1-9]|[12]\d|3[01])[\/\-](?:19|20)\d{2}\b/g,maskAs:"[DOB]"},{name:"passport",pattern:/\b[A-Z]{1,2}\d{6,9}\b/g,maskAs:"[PASSPORT]"},{name:"bank_account",pattern:/\b(?:account|acct|routing|iban)[#:\s]*\d{8,17}\b/gi,maskAs:"[BANK_ACCOUNT]"}],this.defaultSecretPatterns=[{name:"api_key",pattern:/(?:api[_\-\s]?key|apikey)(?:\s+is)?\s*[=:\s]\s*["']?[A-Za-z0-9_\-]{16,}["']?/gi,severity:"critical"},{name:"api_key_prefix",pattern:/\b(?:sk|pk|rk|ak)[_-][a-zA-Z0-9]{8,}\b/g,severity:"critical"},{name:"aws_secret",pattern:/(?:aws[_-]?secret|secret[_-]?key)[=:\s]["']?[A-Za-z0-9\/+=]{40}["']?/gi,severity:"critical"},{name:"password",pattern:/(?:password|passwd|pwd)\s*(?:[=:]|is)\s*["']?[^\s"']{6,}["']?/gi,severity:"critical"},{name:"private_key",pattern:/-----BEGIN (?:RSA |EC |DSA )?PRIVATE 
KEY-----/g,severity:"critical"},{name:"jwt_token",pattern:/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,severity:"high"},{name:"bearer_token",pattern:/Bearer\s+[A-Za-z0-9_\-\.]+/gi,severity:"high"},{name:"database_url",pattern:/(?:mongodb|mysql|postgres|redis):\/\/[^\s]+/gi,severity:"critical"},{name:"github_token",pattern:/gh[pousr]_[A-Za-z0-9_]{36,}/g,severity:"critical"}],this.defaultSensitiveFields=["password","secret","token","api_key","apiKey","private_key","privateKey","ssn","social_security","credit_card","creditCard","card_number","cardNumber","cvv","pin","account_number","accountNumber","routing_number","routingNumber"],this.config={detectPII:e.detectPII??!0,piiPatterns:e.piiPatterns??this.defaultPIIPatterns,sensitiveFields:e.sensitiveFields??this.defaultSensitiveFields,detectSecrets:e.detectSecrets??!0,secretPatterns:e.secretPatterns??this.defaultSecretPatterns,roleFilters:e.roleFilters??{},maskingChar:e.maskingChar??"*",preserveLength:e.preserveLength??!1},this.logger=e.logger||(()=>{})}filter(e,s,i=""){const r=[],a=[],d=[],c=[];let o,l;if(typeof e=="string")l=e;else try{l=JSON.stringify(e)}catch{l=String(e)}if(this.config.detectPII)for(const t of this.config.piiPatterns){const p=l.match(t.pattern);p&&p.length>0&&(a.push({type:t.name,count:p.length,masked:!0,locations:this.findLocations(l,t.pattern)}),r.push(`PII_DETECTED_${t.name.toUpperCase()}`))}if(this.config.detectSecrets)for(const t of this.config.secretPatterns){const p=l.match(t.pattern);p&&p.length>0&&(d.push({type:t.name,severity:t.severity,blocked:t.severity==="critical",location:"response"}),r.push(`SECRET_DETECTED_${t.name.toUpperCase()}`),t.severity==="critical"&&(o=`Critical secret detected: ${t.name}`))}let n;if(typeof e=="string")n=e;else try{n=JSON.parse(JSON.stringify(e))}catch{n=String(e)}if(this.config.detectPII&&typeof n=="string")for(const t of this.config.piiPatterns)n=n.replace(t.pattern,t.maskAs||this.generateMask(8));else typeof 
n=="object"&&n!==null&&(n=this.filterObject(n,s,c,a));if(this.config.detectSecrets&&typeof n=="string")for(const t of this.config.secretPatterns){const p=`[${t.name.toUpperCase()}]`;n=n.replace(t.pattern,p)}const g=!d.some(t=>t.blocked);return g||this.logger(`[OutputFilter:${i}] BLOCKED: ${o}`,"info"),{allowed:g,reason:g?void 0:o,violations:r,pii_detected:a,secrets_detected:d,filtered_fields:c,original_response:e,filtered_response:n,blocking_reason:o}}containsSensitiveData(e){const s=this.filter(e);return s.pii_detected.length>0||s.secrets_detected.length>0||s.filtered_fields.length>0}mask(e,s){const i=this.config.piiPatterns?.find(r=>r.name===s);return i?.maskAs?i.maskAs:this.generateMask(e.length)}filterObject(e,s,i,r){if(Array.isArray(e))return e.map(c=>this.filterObject(c,s,i,r));if(typeof e!="object"||e===null)return typeof e=="string"?this.maskPIIInString(e,r):e;const a={},d=s?this.config.roleFilters?.[s]:void 0;for(const[c,o]of Object.entries(e)){const l=c.toLowerCase(),n=this.config.sensitiveFields?.some(g=>l.includes(g.toLowerCase())),f=d?.includes(c);if(n||f){i.push(c),a[c]="[FILTERED]";continue}typeof o=="object"&&o!==null?a[c]=this.filterObject(o,s,i,r):typeof o=="string"?a[c]=this.maskPIIInString(o,r):a[c]=o}return a}maskPIIInString(e,s){let i=e;for(const r of this.config.piiPatterns){const a=i.match(r.pattern);a&&a.length>0&&(i=i.replace(r.pattern,r.maskAs||this.generateMask(8)))}return i}generateMask(e){return this.config.preserveLength?this.config.maskingChar.repeat(e):this.config.maskingChar.repeat(8)}findLocations(e,s){const i=[];let r;const a=new RegExp(s.source,s.flags);for(;(r=a.exec(e))!==null&&(i.push(`index:${r.index}`),!!s.flags.includes("g")););return i}}exports.OutputFilter=OutputFilter;
1
+ "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.OutputFilter=void 0;class OutputFilter{constructor(e={}){this.defaultPIIPatterns=[{name:"email",pattern:/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,maskAs:"[EMAIL]"},{name:"phone_us",pattern:/\b(?:\+1[-.\s]?)?\(?\d{3}\)[-.\s]?\d{3}[-.\s]?\d{4}\b/g,maskAs:"[PHONE]"},{name:"ssn",pattern:/\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g,maskAs:"[SSN]"},{name:"credit_card",pattern:/\b(?:\d{4}[-.\s]?){3}\d{4}\b/g,maskAs:"[CREDIT_CARD]"},{name:"credit_card_amex",pattern:/\b3[47]\d{2}[-.\s]?\d{6}[-.\s]?\d{5}\b/g,maskAs:"[CREDIT_CARD]"},{name:"ip_address",pattern:/\b(?:\d{1,3}\.){3}\d{1,3}\b/g,maskAs:"[IP_ADDRESS]"},{name:"date_of_birth",pattern:/\b(?:0?[1-9]|1[0-2])[\/\-](?:0?[1-9]|[12]\d|3[01])[\/\-](?:19|20)\d{2}\b/g,maskAs:"[DOB]"},{name:"passport",pattern:/\b[A-Z]{1,2}\d{6,9}\b/g,maskAs:"[PASSPORT]"},{name:"bank_account",pattern:/\b(?:account|acct|routing|iban)[#:\s]*\d{8,17}\b/gi,maskAs:"[BANK_ACCOUNT]"}],this.defaultSecretPatterns=[{name:"api_key",pattern:/(?:api[_\-\s]?key|apikey)(?:\s+is)?\s*[=:\s]\s*["']?[A-Za-z0-9_\-]{16,}["']?/gi,severity:"critical"},{name:"api_key_prefix",pattern:/\b(?:sk|pk|rk|ak)[_-][a-zA-Z0-9]{8,}\b/g,severity:"critical"},{name:"aws_secret",pattern:/(?:aws[_-]?secret|secret[_-]?key)[=:\s]["']?[A-Za-z0-9\/+=]{40}["']?/gi,severity:"critical"},{name:"password",pattern:/(?:password|passwd|pwd)\s*(?:[=:]|is)\s*["']?[^\s"']{6,}["']?/gi,severity:"critical"},{name:"private_key",pattern:/-----BEGIN (?:RSA |EC |DSA )?PRIVATE 
KEY-----/g,severity:"critical"},{name:"jwt_token",pattern:/eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,severity:"high"},{name:"bearer_token",pattern:/Bearer\s+[A-Za-z0-9_\-\.]+/gi,severity:"high"},{name:"database_url",pattern:/(?:mongodb|mysql|postgres|redis):\/\/[^\s]+/gi,severity:"critical"},{name:"github_token",pattern:/gh[pousr]_[A-Za-z0-9_]{36,}/g,severity:"critical"},{name:"github_fine_grained_pat",pattern:/github_pat_[A-Za-z0-9_]{30,}/g,severity:"critical"},{name:"slack_token",pattern:/xox[bporas]-[A-Za-z0-9\-]{10,}/g,severity:"critical"},{name:"stripe_key",pattern:/sk_(?:live|test)_[a-zA-Z0-9]{24,}/g,severity:"critical"},{name:"aws_access_key",pattern:/\bAKIA[0-9A-Z]{16}\b/g,severity:"critical"},{name:"anthropic_key",pattern:/sk-ant-[a-zA-Z0-9\-]{20,}/g,severity:"critical"},{name:"basic_auth",pattern:/Authorization:\s*Basic\s+[A-Za-z0-9+\/=]{8,}/gi,severity:"critical"},{name:"xml_password",pattern:/<(?:password|secret|token|apikey)>[^<]{3,}<\/(?:password|secret|token|apikey)>/gi,severity:"critical"},{name:"url_password",pattern:/:\/\/[^:]+:[^@\s]{3,}@/g,severity:"critical"},{name:"connection_string_password",pattern:/(?:Password|Pwd)\s*=\s*[^\s;]{3,}/gi,severity:"critical"}],this.defaultSensitiveFields=["password","secret","token","api_key","apiKey","private_key","privateKey","ssn","social_security","credit_card","creditCard","card_number","cardNumber","cvv","pin","account_number","accountNumber","routing_number","routingNumber"],this.config={detectPII:e.detectPII??!0,piiPatterns:e.piiPatterns??this.defaultPIIPatterns,sensitiveFields:e.sensitiveFields??this.defaultSensitiveFields,detectSecrets:e.detectSecrets??!0,secretPatterns:e.secretPatterns??this.defaultSecretPatterns,roleFilters:e.roleFilters??{},maskingChar:e.maskingChar??"*",preserveLength:e.preserveLength??!1},this.logger=e.logger||(()=>{})}filter(e,s,i=""){const r=[],n=[],d=[],c=[];let o,l;if(typeof e=="string")l=e;else 
try{l=JSON.stringify(e)}catch{l=String(e)}if(this.config.detectPII)for(const t of this.config.piiPatterns){const p=l.match(t.pattern);p&&p.length>0&&(n.push({type:t.name,count:p.length,masked:!0,locations:this.findLocations(l,t.pattern)}),r.push(`PII_DETECTED_${t.name.toUpperCase()}`))}if(this.config.detectSecrets)for(const t of this.config.secretPatterns){const p=l.match(t.pattern);p&&p.length>0&&(d.push({type:t.name,severity:t.severity,blocked:t.severity==="critical",location:"response"}),r.push(`SECRET_DETECTED_${t.name.toUpperCase()}`),t.severity==="critical"&&(o=`Critical secret detected: ${t.name}`))}let a;if(typeof e=="string")a=e;else try{a=JSON.parse(JSON.stringify(e))}catch{a=String(e)}if(this.config.detectPII&&typeof a=="string")for(const t of this.config.piiPatterns)a=a.replace(t.pattern,t.maskAs||this.generateMask(8));else typeof a=="object"&&a!==null&&(a=this.filterObject(a,s,c,n));if(this.config.detectSecrets&&typeof a=="string")for(const t of this.config.secretPatterns){const p=`[${t.name.toUpperCase()}]`;a=a.replace(t.pattern,p)}const g=!d.some(t=>t.blocked);return g||this.logger(`[OutputFilter:${i}] BLOCKED: ${o}`,"info"),{allowed:g,reason:g?void 0:o,violations:r,pii_detected:n,secrets_detected:d,filtered_fields:c,original_response:e,filtered_response:a,blocking_reason:o}}containsSensitiveData(e){const s=this.filter(e);return s.pii_detected.length>0||s.secrets_detected.length>0||s.filtered_fields.length>0}mask(e,s){const i=this.config.piiPatterns?.find(r=>r.name===s);return i?.maskAs?i.maskAs:this.generateMask(e.length)}filterObject(e,s,i,r){if(Array.isArray(e))return e.map(c=>this.filterObject(c,s,i,r));if(typeof e!="object"||e===null)return typeof e=="string"?this.maskPIIInString(e,r):e;const n={},d=s?this.config.roleFilters?.[s]:void 0;for(const[c,o]of Object.entries(e)){const l=c.toLowerCase(),a=this.config.sensitiveFields?.some(g=>l.includes(g.toLowerCase())),f=d?.includes(c);if(a||f){i.push(c),n[c]="[FILTERED]";continue}typeof 
o=="object"&&o!==null?n[c]=this.filterObject(o,s,i,r):typeof o=="string"?n[c]=this.maskPIIInString(o,r):n[c]=o}return n}maskPIIInString(e,s){let i=e;for(const r of this.config.piiPatterns){const n=i.match(r.pattern);n&&n.length>0&&(i=i.replace(r.pattern,r.maskAs||this.generateMask(8)))}return i}generateMask(e){return this.config.preserveLength?this.config.maskingChar.repeat(e):this.config.maskingChar.repeat(8)}findLocations(e,s){const i=[];let r;const n=new RegExp(s.source,s.flags);for(;(r=n.exec(e))!==null&&(i.push(`index:${r.index}`),!!s.flags.includes("g")););return i}}exports.OutputFilter=OutputFilter;
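Review bot: The new `url_password` pattern (`/:\/\/[^:]+:[^@\s]{3,}@/g`) lets `[^:]+` run across spaces, slashes and newlines, so a response that contains any URL and, later in the same text, a colon directly followed by an e-mail address (`https://docs.example.com … Contact:alice@corp.com`) is reported as a critical secret and blocked — detection runs on the unmasked string `l` before the e-mail PII masking, so the PII pass does not save it. Limiting the userinfo part to characters a URL authority can actually carry removes that false positive: `{name:"url_password",pattern:/:\/\/[^\s\/:@]+:[^\s\/@]{3,}@/g,severity:"critical"}`. Separately, `connection_string_password` overlaps the pre-existing `password` pattern for input like `Password=secret123;`, so one secret produces two `secrets_detected` entries and two `SECRET_DETECTED_*` violations; if that double count is not intended, either anchor the new pattern on `;`-delimited connection-string context or note the overlap in a comment so consumers of `violations` do not treat it as two leaks.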
@@ -1 +1 @@
1
- "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.PromptLeakageGuard=void 0;class PromptLeakageGuard{constructor(e={}){this.DIRECT_EXTRACTION_PATTERNS=[{name:"system_prompt_request",pattern:/what\s+(is|are)\s+your\s+(system|initial)\s+(prompt|instructions?)/i,weight:40},{name:"reveal_prompt",pattern:/reveal\s+(your\s+)?(system\s+)?prompt/i,weight:45},{name:"show_instructions",pattern:/show\s+(me\s+)?(your\s+)?instructions/i,weight:40},{name:"display_rules",pattern:/display\s+(your\s+)?(system\s+)?rules/i,weight:40},{name:"print_prompt",pattern:/print\s+(your\s+)?(system\s+)?(prompt|instructions|config)/i,weight:45},{name:"print_configuration",pattern:/print\s+(your\s+)?(initial\s+)?configuration/i,weight:45},{name:"repeat_after_me",pattern:/repeat\s+after\s+me|repeat[:\s]+"?'?(?:my|your|the)\s+(?:instructions|rules|prompt)/i,weight:50},{name:"repeat_above",pattern:/repeat\s+(the\s+)?(text|content|message)\s+(above|before)/i,weight:50},{name:"output_previous",pattern:/output\s+(all\s+)?(previous|prior)\s+(text|content|instructions)/i,weight:50},{name:"echo_everything",pattern:/echo\s+(everything|all)(\s+(above|before|prior|that|said))?/i,weight:50},{name:"echo_said",pattern:/echo\s+.*(said|was|before|that)/i,weight:45},{name:"complete_sentence",pattern:/complete\s+(this\s+|the\s+)?sentence/i,weight:50},{name:"complete_you_are",pattern:/complete[:\s]+"?'?you\s+are/i,weight:55},{name:"continue_from",pattern:/continue\s+(from|with)[:\s]/i,weight:50},{name:"continue_role",pattern:/continue[:\s]+"?'?(you|your)\s+(are|role|purpose)/i,weight:55},{name:"finish_phrase",pattern:/finish\s+(this\s+)?phrase/i,weight:50},{name:"finish_you",pattern:/finish[:\s]+"?'?you\s+(are|should|must|will)/i,weight:55},{name:"list_constraints",pattern:/list\s+(all\s+)?(your\s+)?constraints/i,weight:35},{name:"what_told",pattern:/what\s+(were\s+you|are\s+you)\s+told\s+to\s+do/i,weight:40},{name:"original_purpose",pattern:/what\s+(is|was)\s+your\s+original\s+purpose/i,
weight:35},{name:"debug_mode",pattern:/enter\s+(debug|developer|admin)\s+mode/i,weight:45},{name:"activate_developer",pattern:/activate\s+(developer|debug|admin)\s+mode/i,weight:45},{name:"developer_mode",pattern:/developer\s+mode/i,weight:40},{name:"show_config",pattern:/show\s+(your\s+)?(config|configuration|settings)/i,weight:40},{name:"dump_state",pattern:/dump\s+(your\s+)?(internal\s+)?state/i,weight:45},{name:"first_message",pattern:/what\s+was\s+(the\s+)?first\s+message/i,weight:45},{name:"beginning_context",pattern:/what('s|\s+is)\s+at\s+the\s+beginning\s+of\s+(your\s+)?context/i,weight:50},{name:"beginning_conversation",pattern:/(?:what|tell\s+me)\s+.*(?:beginning|start)\s+of\s+(?:this\s+)?conversation/i,weight:45},{name:"what_told_beginning",pattern:/what\s+did\s+I\s+tell\s+you\s+at\s+the\s+beginning/i,weight:50},{name:"context_start",pattern:/show\s+(me\s+)?the\s+start\s+of\s+(your\s+)?context/i,weight:50}],this.INDIRECT_EXTRACTION_PATTERNS=[{name:"summarize_guidelines",pattern:/summarize\s+(your\s+)?(guidelines|rules|constraints)/i,weight:35},{name:"describe_limitations",pattern:/describe\s+(your\s+)?limitations/i,weight:30},{name:"explain_role",pattern:/explain\s+(in\s+detail\s+)?(your\s+)?role/i,weight:35},{name:"explain_role_purpose",pattern:/explain\s+.*(role|purpose)/i,weight:35},{name:"what_cant_do",pattern:/what\s+(can't|cannot)\s+you\s+do/i,weight:25},{name:"describe_yourself",pattern:/describe\s+(yourself|your\s+purpose)/i,weight:30},{name:"summarize_yourself",pattern:/summarize\s+(everything|all)\s+(you\s+know|about\s+yourself)/i,weight:35},{name:"know_about_yourself",pattern:/(?:what|everything)\s+(?:do\s+)?you\s+know\s+about\s+yourself/i,weight:35},{name:"if_asked",pattern:/if\s+i\s+asked\s+for\s+your\s+prompt/i,weight:40},{name:"hypothetically",pattern:/hypothetically[,\s]+(what|how)\s+would\s+your\s+instructions/i,weight:40},{name:"write_prompt",pattern:/write\s+a\s+(system\s+)?prompt\s+similar\s+to\s+yours/i,weight:45},{name:"recreate_inst
ructions",pattern:/recreate\s+(your\s+)?instructions/i,weight:45}],this.LEETSPEAK_MAP={4:"a","@":"a",8:"b","(":"c",3:"e",6:"g","#":"h",1:"i","!":"i","|":"l",7:"t",0:"o",5:"s",$:"s","+":"t",2:"z",9:"g"},this.ROT13_MAP={},this.MORSE_KEYWORDS=["... -.-- ... - . --",".--. .-. --- -- .--. -",".. -. ... - .-. ..- -.-. - .. --- -. ..."],this.config={detectLeetspeak:e.detectLeetspeak??!0,detectROT13:e.detectROT13??!0,detectBase64:e.detectBase64??!0,detectMorse:e.detectMorse??!0,detectUnicode:e.detectUnicode??!0,detectIndirectExtraction:e.detectIndirectExtraction??!0,monitorOutput:e.monitorOutput??!0,systemPromptHash:e.systemPromptHash??"",systemPromptKeywords:e.systemPromptKeywords??[],similarityThreshold:e.similarityThreshold??.7,riskThreshold:e.riskThreshold??25,customPatterns:e.customPatterns??[]};for(let s=0;s<26;s++){const i=String.fromCharCode(97+s),t=String.fromCharCode(65+s);this.ROT13_MAP[i]=String.fromCharCode(97+(s+13)%26),this.ROT13_MAP[t]=String.fromCharCode(65+(s+13)%26)}}check(e,s){const i=s||`pl-${Date.now()}`,t=[],n=[];let r=0,d=!1,a=!1,p=!1,h;for(const{name:o,pattern:u,weight:c}of this.DIRECT_EXTRACTION_PATTERNS)u.test(e)&&(t.push(`direct_extraction: ${o}`),r+=c,d=!0);if(this.config.detectIndirectExtraction)for(const{name:o,pattern:u,weight:c}of this.INDIRECT_EXTRACTION_PATTERNS)u.test(e)&&(t.push(`indirect_extraction: ${o}`),r+=c,p=!0);if(this.config.detectLeetspeak){const o=this.decodeLeetspeak(e);if(o!==e.toLowerCase()){const u=this.checkDecodedContent(o,"leetspeak");if(u.detected)t.push(...u.violations),r+=u.riskContribution,n.push("leetspeak"),a=!0,h=o;else{const c=this.checkKeywordsInDecoded(o);c.detected&&(t.push(`leetspeak_keyword: ${c.keywords.join(", ")}`),r+=35,n.push("leetspeak"),a=!0,h=o)}}}if(this.config.detectROT13){const o=this.decodeROT13(e),u=this.checkDecodedContent(o,"rot13");if(u.detected)t.push(...u.violations),r+=u.riskContribution,n.push("rot13"),a=!0,h=o;else{const 
c=this.checkKeywordsInDecoded(o);c.detected&&(t.push(`rot13_keyword: ${c.keywords.join(", ")}`),r+=40,n.push("rot13"),a=!0,h=o)}}if(this.config.detectBase64){const o=e.match(/[A-Za-z0-9+/]{16,}={0,2}/g);if(o)for(const u of o)try{const c=Buffer.from(u,"base64").toString("utf-8");if(c&&/[\x20-\x7E]{4,}/.test(c)){const m=this.checkDecodedContent(c,"base64");if(m.detected)t.push(...m.violations),r+=m.riskContribution,n.push("base64"),a=!0,h=c;else{const g=this.checkKeywordsInDecoded(c);g.detected&&(t.push(`base64_keyword: ${g.keywords.join(", ")}`),r+=45,n.push("base64"),a=!0,h=c)}}}catch{}}if(this.config.detectUnicode){const o=this.checkUnicodeEvasion(e);o.detected&&(t.push(...o.violations),r+=o.riskContribution,n.push("unicode"),a=!0)}if(this.config.detectMorse){const o=this.checkMorseCode(e);o.detected&&(t.push(...o.violations),r+=o.riskContribution,n.push("morse"),a=!0)}for(let o=0;o<this.config.customPatterns.length;o++)this.config.customPatterns[o].test(e)&&(t.push(`custom_pattern_${o}`),r+=30);r=Math.min(100,r);const l=r>=this.config.riskThreshold;return{allowed:!l,reason:l?`Prompt extraction attempt detected (risk: ${r})`:"Input validated",violations:t,request_id:i,analysis:{direct_extraction_attempt:d,encoded_extraction_attempt:a,indirect_extraction_attempt:p,evasion_techniques_detected:n,risk_score:r,decoded_content:h},recommendations:this.generateRecommendations(t,n)}}checkOutput(e,s){const i=s||`pl-out-${Date.now()}`,t=[],n=[],r=[];let d=!1;if(!this.config.monitorOutput)return{leaked:!1,reason:"Output monitoring disabled",violations:[],request_id:i,analysis:{keywords_found:[],similarity_score:0,potential_leakage_fragments:[]}};for(const h of this.config.systemPromptKeywords)e.toLowerCase().includes(h.toLowerCase())&&(n.push(h),t.push(`keyword_leaked: ${h}`));const 
a=[/you\s+are\s+a[n]?\s+(helpful\s+)?assistant/i,/your\s+(role|purpose|goal)\s+is\s+to/i,/you\s+(must|should|will)\s+(always|never)/i,/do\s+not\s+(reveal|disclose|share)\s+(your|the)\s+(system|initial)/i,/\[system\]|\[instruction\]|<<sys>>|<\|system\|>/i,/as\s+an?\s+AI\s+(assistant|model|language\s+model)/i];for(const h of a){const l=e.match(h);l&&(r.push(l[0]),t.push("prompt_fragment_detected"))}let p=0;return p=r.length/10,d=n.length>0||r.length>=2,{leaked:d,reason:d?`Potential prompt leakage detected: ${t.slice(0,3).join(", ")}`:"Output appears safe",violations:t,request_id:i,analysis:{keywords_found:n,similarity_score:Math.min(1,p),potential_leakage_fragments:r},sanitized_output:d?this.sanitizeOutput(e):void 0}}setSystemPromptKeywords(e){this.config.systemPromptKeywords=e}addPattern(e){this.config.customPatterns.push(e)}setRiskThreshold(e){this.config.riskThreshold=Math.max(0,Math.min(100,e))}decodeLeetspeak(e){let s=e.toLowerCase();const i={...this.LEETSPEAK_MAP,0:"o",1:"i",3:"e",4:"a",5:"s",7:"t",8:"b",9:"g","@":"a",$:"s","!":"i","|":"l","(":"c","+":"t","#":"h"};for(const[t,n]of Object.entries(i))s=s.split(t).join(n);return s}decodeROT13(e){return e.split("").map(s=>this.ROT13_MAP[s]||s).join("")}checkDecodedContent(e,s){const i=[];let t=0;for(const{name:n,pattern:r,weight:d}of this.DIRECT_EXTRACTION_PATTERNS)r.test(e)&&(i.push(`${s}_evasion: ${n}`),t+=d+10);return{detected:i.length>0,violations:i,riskContribution:t}}checkUnicodeEvasion(e){const s=[];let i=0;const t=e.match(/[\u200B-\u200D\uFEFF\u2060-\u206F\u00AD]/g);t&&t.length>3&&(s.push("invisible_unicode_chars"),i+=20);const n=e.match(/[\u0400-\u04FF\u0370-\u03FF]/g);if(n&&n.length>0){const d=e.normalize("NFKD").replace(/[\u0300-\u036f]/g,"");for(const{pattern:a}of this.DIRECT_EXTRACTION_PATTERNS)if(a.test(d)){s.push("homoglyph_evasion"),i+=30;break}}const r=e.match(/[\uFF01-\uFF5E]/g);return 
r&&r.length>5&&(s.push("fullwidth_chars"),i+=15),{detected:s.length>0,violations:s,riskContribution:i}}checkMorseCode(e){const s=[];let i=0;if(/[.\-]{2,}\s+[.\-]{2,}/.test(e)){for(const n of this.MORSE_KEYWORDS)if(e.includes(n)){s.push("morse_code_evasion"),i+=35;break}}return{detected:s.length>0,violations:s,riskContribution:i}}checkKeywordsInDecoded(e){const s=["reveal","show","display","print","output","dump","list","give","tell"],i=["prompt","instructions","configuration","config","rules","guidelines","constraints","system","initial","secret","hidden","internal"],t=[],n=e.toLowerCase();let r=!1,d=!1;for(const a of s)n.includes(a)&&(t.push(a),r=!0);for(const a of i)n.includes(a)&&(t.push(a),d=!0);return{detected:r&&d,keywords:t}}sanitizeOutput(e){let s=e;const i=[/you\s+are\s+a[n]?\s+(helpful\s+)?assistant[^.]*\./gi,/your\s+(role|purpose|goal)\s+is\s+to[^.]*\./gi,/you\s+(must|should|will)\s+(always|never)[^.]*\./gi,/\[system\][^[\]]*\[\/system\]/gi,/<<sys>>[^<]*<<\/sys>>/gi];for(const t of i)s=s.replace(t,"[REDACTED]");return s}generateRecommendations(e,s){const i=[];return e.some(t=>t.includes("direct_extraction"))&&i.push("Direct prompt extraction attempt blocked"),e.some(t=>t.includes("indirect_extraction"))&&i.push("Consider strengthening indirect extraction detection"),s.length>0&&i.push(`Evasion techniques detected: ${s.join(", ")}`),e.some(t=>t.includes("unicode"))&&i.push("Normalize input before processing"),i.length===0&&i.push("Input validated successfully"),i}}exports.PromptLeakageGuard=PromptLeakageGuard;
1
+ "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.PromptLeakageGuard=void 0;class PromptLeakageGuard{constructor(e={}){this.DIRECT_EXTRACTION_PATTERNS=[{name:"system_prompt_request",pattern:/what\s+(is|are)\s+your\s+(system|initial)\s+(prompt|instructions?)/i,weight:40},{name:"reveal_prompt",pattern:/reveal\s+(your\s+)?(system\s+)?prompt/i,weight:45},{name:"show_instructions",pattern:/show\s+(me\s+)?(your\s+)?instructions/i,weight:40},{name:"display_rules",pattern:/display\s+(your\s+)?(system\s+)?rules/i,weight:40},{name:"print_prompt",pattern:/print\s+(your\s+)?(system\s+)?(prompt|instructions|config)/i,weight:45},{name:"print_configuration",pattern:/print\s+(your\s+)?(initial\s+)?configuration/i,weight:45},{name:"repeat_after_me",pattern:/repeat\s+after\s+me|repeat[:\s]+"?'?(?:my|your|the)\s+(?:instructions|rules|prompt)/i,weight:50},{name:"repeat_above",pattern:/repeat\s+(the\s+)?(text|content|message)\s+(above|before)/i,weight:50},{name:"output_previous",pattern:/output\s+(all\s+)?(previous|prior)\s+(text|content|instructions)/i,weight:50},{name:"echo_everything",pattern:/echo\s+(everything|all)(\s+(above|before|prior|that|said))?/i,weight:50},{name:"echo_said",pattern:/echo\s+.*(said|was|before|that)/i,weight:45},{name:"complete_sentence",pattern:/complete\s+(this\s+|the\s+)?sentence/i,weight:50},{name:"complete_you_are",pattern:/complete[:\s]+"?'?you\s+are/i,weight:55},{name:"continue_from",pattern:/continue\s+(from|with)[:\s]/i,weight:50},{name:"continue_role",pattern:/continue[:\s]+"?'?(you|your)\s+(are|role|purpose)/i,weight:55},{name:"finish_phrase",pattern:/finish\s+(this\s+)?phrase/i,weight:50},{name:"finish_you",pattern:/finish[:\s]+"?'?you\s+(are|should|must|will)/i,weight:55},{name:"list_constraints",pattern:/list\s+(all\s+)?(your\s+)?constraints/i,weight:35},{name:"what_told",pattern:/what\s+(were\s+you|are\s+you)\s+told\s+to\s+do/i,weight:40},{name:"original_purpose",pattern:/what\s+(is|was)\s+your\s+original\s+purpose/i,
weight:35},{name:"instructions_followed",pattern:/(?:summarize|describe|list|tell\s+me)\s+(?:the\s+)?instructions\s+you\s+(?:just\s+)?(?:followed|received|were\s+given)/i,weight:40},{name:"how_you_work",pattern:/(?:manual|document|guide|explanation)\s+(?:on|about|of)\s+how\s+you\s+work/i,weight:35},{name:"constraints_given",pattern:/what\s+(?:constraints|rules|guidelines|restrictions)\s+(?:were\s+you|are\s+you)\s+given/i,weight:40},{name:"extract_system_prompt",pattern:/(?:extract|obtain|get|retrieve|access)\s+(?:a\s+|the\s+)?(?:system\s+)?prompt/i,weight:45},{name:"trained_instructions",pattern:/(?:when\s+(?:you\s+were\s+)?trained|during\s+training).*(?:instructions|rules|constraints|told)/i,weight:35},{name:"reveal_instructions",pattern:/reveal\s+(your\s+)?instructions/i,weight:45},{name:"debug_mode",pattern:/enter\s+(debug|developer|admin)\s+mode/i,weight:45},{name:"activate_developer",pattern:/activate\s+(developer|debug|admin)\s+mode/i,weight:45},{name:"developer_mode",pattern:/developer\s+mode/i,weight:40},{name:"show_config",pattern:/show\s+(your\s+)?(config|configuration|settings)/i,weight:40},{name:"dump_state",pattern:/dump\s+(your\s+)?(internal\s+)?state/i,weight:45},{name:"first_message",pattern:/what\s+was\s+(the\s+)?first\s+message/i,weight:45},{name:"beginning_context",pattern:/what('s|\s+is)\s+at\s+the\s+beginning\s+of\s+(your\s+)?context/i,weight:50},{name:"beginning_conversation",pattern:/(?:what|tell\s+me)\s+.*(?:beginning|start)\s+of\s+(?:this\s+)?conversation/i,weight:45},{name:"what_told_beginning",pattern:/what\s+did\s+I\s+tell\s+you\s+at\s+the\s+beginning/i,weight:50},{name:"context_start",pattern:/show\s+(me\s+)?the\s+start\s+of\s+(your\s+)?context/i,weight:50}],this.INDIRECT_EXTRACTION_PATTERNS=[{name:"summarize_guidelines",pattern:/summarize\s+(your\s+)?(guidelines|rules|constraints)/i,weight:35},{name:"describe_limitations",pattern:/describe\s+(your\s+)?limitations/i,weight:30},{name:"explain_role",pattern:/explain\s+(in\s+detail\s+)?(you
r\s+)?role/i,weight:35},{name:"explain_role_purpose",pattern:/explain\s+.*(role|purpose)/i,weight:35},{name:"what_cant_do",pattern:/what\s+(can't|cannot)\s+you\s+do/i,weight:25},{name:"describe_yourself",pattern:/describe\s+(yourself|your\s+purpose)/i,weight:30},{name:"summarize_yourself",pattern:/summarize\s+(everything|all)\s+(you\s+know|about\s+yourself)/i,weight:35},{name:"know_about_yourself",pattern:/(?:what|everything)\s+(?:do\s+)?you\s+know\s+about\s+yourself/i,weight:35},{name:"if_asked",pattern:/if\s+i\s+asked\s+for\s+your\s+prompt/i,weight:40},{name:"hypothetically",pattern:/hypothetically[,\s]+(what|how)\s+would\s+your\s+instructions/i,weight:40},{name:"academic_extraction",pattern:/(?:for\s+)?(?:academic|research|educational|study)\s+(?:purposes?|reasons?).*(?:system\s+prompt|instructions|jailbreak|extract|demonstrate)/i,weight:40},{name:"demonstrate_extraction",pattern:/demonstrate\s+(?:how\s+)?(?:to\s+)?(?:an?\s+)?(?:AI|system|model)\s+(?:could\s+be\s+)?(?:manipulated|jailbroken|exploited|tricked)/i,weight:40},{name:"write_prompt",pattern:/write\s+a\s+(system\s+)?prompt\s+similar\s+to\s+yours/i,weight:45},{name:"recreate_instructions",pattern:/recreate\s+(your\s+)?instructions/i,weight:45}],this.LEETSPEAK_MAP={4:"a","@":"a",8:"b","(":"c",3:"e",6:"g","#":"h",1:"i","!":"i","|":"l",7:"t",0:"o",5:"s",$:"s","+":"t",2:"z",9:"g"},this.ROT13_MAP={},this.MORSE_KEYWORDS=["... -.-- ... - . --",".--. .-. --- -- .--. -",".. -. ... - .-. ..- -.-. - .. --- -. 
..."],this.config={detectLeetspeak:e.detectLeetspeak??!0,detectROT13:e.detectROT13??!0,detectBase64:e.detectBase64??!0,detectMorse:e.detectMorse??!0,detectUnicode:e.detectUnicode??!0,detectIndirectExtraction:e.detectIndirectExtraction??!0,monitorOutput:e.monitorOutput??!0,systemPromptHash:e.systemPromptHash??"",systemPromptKeywords:e.systemPromptKeywords??[],similarityThreshold:e.similarityThreshold??.7,riskThreshold:e.riskThreshold??25,customPatterns:e.customPatterns??[]};for(let s=0;s<26;s++){const i=String.fromCharCode(97+s),t=String.fromCharCode(65+s);this.ROT13_MAP[i]=String.fromCharCode(97+(s+13)%26),this.ROT13_MAP[t]=String.fromCharCode(65+(s+13)%26)}}check(e,s){const i=s||`pl-${Date.now()}`,t=[],r=[];let n=0,d=!1,a=!1,l=!1,h;for(const{name:o,pattern:u,weight:c}of this.DIRECT_EXTRACTION_PATTERNS)u.test(e)&&(t.push(`direct_extraction: ${o}`),n+=c,d=!0);if(this.config.detectIndirectExtraction)for(const{name:o,pattern:u,weight:c}of this.INDIRECT_EXTRACTION_PATTERNS)u.test(e)&&(t.push(`indirect_extraction: ${o}`),n+=c,l=!0);if(this.config.detectLeetspeak){const o=this.decodeLeetspeak(e);if(o!==e.toLowerCase()){const u=this.checkDecodedContent(o,"leetspeak");if(u.detected)t.push(...u.violations),n+=u.riskContribution,r.push("leetspeak"),a=!0,h=o;else{const c=this.checkKeywordsInDecoded(o);c.detected&&(t.push(`leetspeak_keyword: ${c.keywords.join(", ")}`),n+=35,r.push("leetspeak"),a=!0,h=o)}}}if(this.config.detectROT13){const o=this.decodeROT13(e),u=this.checkDecodedContent(o,"rot13");if(u.detected)t.push(...u.violations),n+=u.riskContribution,r.push("rot13"),a=!0,h=o;else{const c=this.checkKeywordsInDecoded(o);c.detected&&(t.push(`rot13_keyword: ${c.keywords.join(", ")}`),n+=40,r.push("rot13"),a=!0,h=o)}}if(this.config.detectBase64){const o=e.match(/[A-Za-z0-9+/]{16,}={0,2}/g);if(o)for(const u of o)try{const c=Buffer.from(u,"base64").toString("utf-8");if(c&&/[\x20-\x7E]{4,}/.test(c)){const 
m=this.checkDecodedContent(c,"base64");if(m.detected)t.push(...m.violations),n+=m.riskContribution,r.push("base64"),a=!0,h=c;else{const g=this.checkKeywordsInDecoded(c);g.detected&&(t.push(`base64_keyword: ${g.keywords.join(", ")}`),n+=45,r.push("base64"),a=!0,h=c)}}}catch{}}if(this.config.detectUnicode){const o=this.checkUnicodeEvasion(e);o.detected&&(t.push(...o.violations),n+=o.riskContribution,r.push("unicode"),a=!0)}if(this.config.detectMorse){const o=this.checkMorseCode(e);o.detected&&(t.push(...o.violations),n+=o.riskContribution,r.push("morse"),a=!0)}for(let o=0;o<this.config.customPatterns.length;o++)this.config.customPatterns[o].test(e)&&(t.push(`custom_pattern_${o}`),n+=30);n=Math.min(100,n);const p=n>=this.config.riskThreshold;return{allowed:!p,reason:p?`Prompt extraction attempt detected (risk: ${n})`:"Input validated",violations:t,request_id:i,analysis:{direct_extraction_attempt:d,encoded_extraction_attempt:a,indirect_extraction_attempt:l,evasion_techniques_detected:r,risk_score:n,decoded_content:h},recommendations:this.generateRecommendations(t,r)}}checkOutput(e,s){const i=s||`pl-out-${Date.now()}`,t=[],r=[],n=[];let d=!1;if(!this.config.monitorOutput)return{leaked:!1,reason:"Output monitoring disabled",violations:[],request_id:i,analysis:{keywords_found:[],similarity_score:0,potential_leakage_fragments:[]}};for(const h of this.config.systemPromptKeywords)e.toLowerCase().includes(h.toLowerCase())&&(r.push(h),t.push(`keyword_leaked: ${h}`));const a=[/you\s+are\s+a[n]?\s+(helpful\s+)?assistant/i,/your\s+(role|purpose|goal)\s+is\s+to/i,/you\s+(must|should|will)\s+(always|never)/i,/do\s+not\s+(reveal|disclose|share)\s+(your|the)\s+(system|initial)/i,/\[system\]|\[instruction\]|<<sys>>|<\|system\|>/i,/as\s+an?\s+AI\s+(assistant|model|language\s+model)/i];for(const h of a){const p=e.match(h);p&&(n.push(p[0]),t.push("prompt_fragment_detected"))}let l=0;return l=n.length/10,d=r.length>0||n.length>=2,{leaked:d,reason:d?`Potential prompt leakage detected: 
${t.slice(0,3).join(", ")}`:"Output appears safe",violations:t,request_id:i,analysis:{keywords_found:r,similarity_score:Math.min(1,l),potential_leakage_fragments:n},sanitized_output:d?this.sanitizeOutput(e):void 0}}setSystemPromptKeywords(e){this.config.systemPromptKeywords=e}addPattern(e){this.config.customPatterns.push(e)}setRiskThreshold(e){this.config.riskThreshold=Math.max(0,Math.min(100,e))}decodeLeetspeak(e){let s=e.toLowerCase();const i={...this.LEETSPEAK_MAP,0:"o",1:"i",3:"e",4:"a",5:"s",7:"t",8:"b",9:"g","@":"a",$:"s","!":"i","|":"l","(":"c","+":"t","#":"h"};for(const[t,r]of Object.entries(i))s=s.split(t).join(r);return s}decodeROT13(e){return e.split("").map(s=>this.ROT13_MAP[s]||s).join("")}checkDecodedContent(e,s){const i=[];let t=0;for(const{name:r,pattern:n,weight:d}of this.DIRECT_EXTRACTION_PATTERNS)n.test(e)&&(i.push(`${s}_evasion: ${r}`),t+=d+10);return{detected:i.length>0,violations:i,riskContribution:t}}checkUnicodeEvasion(e){const s=[];let i=0;const t=e.match(/[\u200B-\u200D\uFEFF\u2060-\u206F\u00AD]/g);t&&t.length>3&&(s.push("invisible_unicode_chars"),i+=20);const r=e.match(/[\u0400-\u04FF\u0370-\u03FF]/g);if(r&&r.length>0){const d=e.normalize("NFKD").replace(/[\u0300-\u036f]/g,"");for(const{pattern:a}of this.DIRECT_EXTRACTION_PATTERNS)if(a.test(d)){s.push("homoglyph_evasion"),i+=30;break}}const n=e.match(/[\uFF01-\uFF5E]/g);return n&&n.length>5&&(s.push("fullwidth_chars"),i+=15),{detected:s.length>0,violations:s,riskContribution:i}}checkMorseCode(e){const s=[];let i=0;if(/[.\-]{2,}\s+[.\-]{2,}/.test(e)){for(const r of this.MORSE_KEYWORDS)if(e.includes(r)){s.push("morse_code_evasion"),i+=35;break}}return{detected:s.length>0,violations:s,riskContribution:i}}checkKeywordsInDecoded(e){const s=["reveal","show","display","print","output","dump","list","give","tell"],i=["prompt","instructions","configuration","config","rules","guidelines","constraints","system","initial","secret","hidden","internal"],t=[],r=e.toLowerCase();let n=!1,d=!1;for(const a 
of s)r.includes(a)&&(t.push(a),n=!0);for(const a of i)r.includes(a)&&(t.push(a),d=!0);return{detected:n&&d,keywords:t}}sanitizeOutput(e){let s=e;const i=[/you\s+are\s+a[n]?\s+(helpful\s+)?assistant[^.]*\./gi,/your\s+(role|purpose|goal)\s+is\s+to[^.]*\./gi,/you\s+(must|should|will)\s+(always|never)[^.]*\./gi,/\[system\][^[\]]*\[\/system\]/gi,/<<sys>>[^<]*<<\/sys>>/gi];for(const t of i)s=s.replace(t,"[REDACTED]");return s}generateRecommendations(e,s){const i=[];return e.some(t=>t.includes("direct_extraction"))&&i.push("Direct prompt extraction attempt blocked"),e.some(t=>t.includes("indirect_extraction"))&&i.push("Consider strengthening indirect extraction detection"),s.length>0&&i.push(`Evasion techniques detected: ${s.join(", ")}`),e.some(t=>t.includes("unicode"))&&i.push("Normalize input before processing"),i.length===0&&i.push("Input validated successfully"),i}}exports.PromptLeakageGuard=PromptLeakageGuard;
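Review bot: The new `extract_system_prompt` entry on the new side of this hunk, `/(?:extract|obtain|get|retrieve|access)\s+(?:a\s+|the\s+)?(?:system\s+)?prompt/i` with weight 45, also matches ordinary phrasing such as "get a prompt" or "retrieve the prompt", and since 45 exceeds the default `riskThreshold` of 25 a single hit blocks the request on its own. The added `reveal_instructions` (45) and `constraints_given` (40) entries have the same single-hit blocking property, so the benign-corpus false-positive rate deserves a check alongside the attack corpus; I cannot see the test fixtures, so treat this as something to measure. A narrower form such as `{name:"extract_system_prompt",pattern:/(?:extract|obtain|retrieve|access)\s+(?:the\s+)?(?:your\s+|system\s+)prompt/i,weight:45}` keeps the extraction phrasing while dropping the bare "get a prompt" collision. Note also that the new `trained_instructions` and `academic_extraction` patterns use `.*` without the `s` flag, so both halves must sit on one line — consistent with the existing `echo_said` pattern, but worth a source comment if that is intentional.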
@@ -1 +1 @@
1
- "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.ToolResultGuard=void 0;const RESULT_INJECTION_PATTERNS=[{name:"system_instruction",pattern:/(?:SYSTEM|ADMIN|INSTRUCTION)\s*:/i,severity:"critical"},{name:"ignore_instructions",pattern:/ignore\s+(?:all\s+)?(?:previous|prior|above|your)\s+(?:instructions|rules)/i,severity:"critical"},{name:"new_instructions",pattern:/new\s+instructions?\s*:/i,severity:"critical"},{name:"role_override",pattern:/you\s+are\s+now|from\s+now\s+on|act\s+as\s+(?:a|an)/i,severity:"critical"},{name:"xml_system_tag",pattern:/<\/?system>|<\/?admin>|\[system\]|\[admin\]/i,severity:"critical"},{name:"jailbreak",pattern:/jailbreak|DAN\s*mode|developer\s+mode|unrestricted/i,severity:"critical"},{name:"bypass_safety",pattern:/bypass\s+(?:security|safety|filters|restrictions)/i,severity:"high"},{name:"data_exfiltration",pattern:/send\s+(?:this|the|all)\s+(?:data|info)\s+to|exfiltrate/i,severity:"critical"},{name:"hidden_instruction",pattern:/HIDDEN_PROMPT|HIDDEN_INSTRUCTION|INVISIBLE_TEXT/i,severity:"critical"},{name:"markdown_injection",pattern:/!\[.*\]\(https?:\/\/[^)]*\?.*(?:token|key|secret|auth)/i,severity:"high"}],STATE_CHANGE_PATTERNS=[{name:"privilege_claim",pattern:/(?:user|role|permission)\s+(?:is\s+now|changed\s+to|promoted\s+to|set\s+to)\s+(?:admin|root|superuser)/i},{name:"auth_claim",pattern:/(?:authenticated|authorized|verified)\s+as\s+(?:admin|root|superuser)/i},{name:"approval_claim",pattern:/(?:approved|granted|authorized)\s+(?:without|bypassing)\s+(?:verification|approval|review)/i},{name:"config_change_claim",pattern:/(?:configuration|settings?|policy)\s+(?:updated|changed|modified)\s+(?:to|:)/i}];class ToolResultGuard{constructor(e={}){this.config={scanForInjection:e.scanForInjection??!0,maxResultSize:e.maxResultSize??5e4,detectStateChangeClaims:e.detectStateChangeClaims??!0,expectedSchemas:e.expectedSchemas,sensitivePatterns:e.sensitivePatterns}}validateResult(e,t,n){const s=[],i=[];let a=!1,c=!0;const 
o=typeof t=="string"?t:this.safeStringify(t);if(o.length>this.config.maxResultSize&&(s.push("RESULT_TOO_LARGE"),i.push({type:"size_exceeded",severity:"high",location:"root",detail:`Result size ${o.length} exceeds max ${this.config.maxResultSize}`})),this.config.expectedSchemas?.[e]){const r=this.validateSchema(t,this.config.expectedSchemas[e]);r.valid||(c=!1,s.push("SCHEMA_MISMATCH"),i.push(...r.errors.map(d=>({type:"schema_violation",severity:"high",location:d.path,detail:d.message}))))}if(this.config.scanForInjection){const r=this.scanForInjection(t);r.detected&&(a=!0,s.push("INJECTION_IN_TOOL_RESULT"),i.push(...r.threats))}if(this.config.detectStateChangeClaims){const r=this.detectStateChangeClaims(o);r.detected&&(s.push("STATE_CHANGE_CLAIM"),i.push(...r.threats))}if(this.config.sensitivePatterns)for(const r of this.config.sensitivePatterns)r.lastIndex=0,r.test(o)&&(s.push("SENSITIVE_PATTERN_MATCH"),i.push({type:"sensitive_content",severity:"high",location:"root",detail:`Matched sensitive pattern: ${r.source.substring(0,50)}`}));const p=s.length===0;return{allowed:p,reason:p?void 0:`Tool result validation failed: ${s.join(", ")}`,violations:s,injection_detected:a,schema_valid:c,threats:i}}scanForInjection(e,t="root"){const n=[];if(typeof e=="string")for(const{name:s,pattern:i,severity:a}of RESULT_INJECTION_PATTERNS)i.lastIndex=0,i.test(e)&&n.push({type:`injection_${s}`,severity:a,location:t,detail:`Injection pattern '${s}' detected in tool result`});else if(Array.isArray(e))for(let s=0;s<e.length;s++){const i=this.scanForInjection(e[s],`${t}[${s}]`);n.push(...i.threats)}else if(e!==null&&typeof e=="object")for(const[s,i]of Object.entries(e)){const a=this.scanForInjection(i,`${t}.${s}`);n.push(...a.threats)}return{detected:n.length>0,threats:n}}registerSchema(e,t){this.config.expectedSchemas||(this.config.expectedSchemas={}),this.config.expectedSchemas[e]=t}detectStateChangeClaims(e){const t=[];for(const{name:n,pattern:s}of 
STATE_CHANGE_PATTERNS)s.lastIndex=0,s.test(e)&&t.push({type:`state_change_${n}`,severity:"critical",location:"root",detail:`Tool result claims state change: ${n}`});return{detected:t.length>0,threats:t}}validateSchema(e,t){const n=[],s=Array.isArray(e)?"array":typeof e;if(s!==t.type)return n.push({path:"root",message:`Expected type '${t.type}', got '${s}'`}),{valid:!1,errors:n};if(t.type==="string"&&t.maxLength&&e.length>t.maxLength&&n.push({path:"root",message:`String length exceeds max ${t.maxLength}`}),t.type==="object"&&t.properties)for(const[i,a]of Object.entries(t.properties))a.required&&(e[i]===void 0||e[i]===null)&&n.push({path:i,message:`Missing required field '${i}'`}),e[i]!==void 0&&typeof e[i]!==a.type&&n.push({path:i,message:`Field '${i}' expected '${a.type}', got '${typeof e[i]}'`});return{valid:n.length===0,errors:n}}safeStringify(e){try{return JSON.stringify(e)}catch{return String(e)}}}exports.ToolResultGuard=ToolResultGuard;
1
+ "use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.ToolResultGuard=void 0;const RESULT_INJECTION_PATTERNS=[{name:"system_instruction",pattern:/(?:SYSTEM|ADMIN|INSTRUCTION)\s*:/i,severity:"critical"},{name:"ignore_instructions",pattern:/ignore\s+(?:all\s+)?(?:previous|prior|above|your)\s+(?:instructions|rules)/i,severity:"critical"},{name:"new_instructions",pattern:/new\s+instructions?\s*:/i,severity:"critical"},{name:"role_override",pattern:/you\s+are\s+now|from\s+now\s+on|act\s+as\s+(?:a|an)/i,severity:"critical"},{name:"xml_system_tag",pattern:/<\/?system>|<\/?admin>|\[system\]|\[admin\]/i,severity:"critical"},{name:"jailbreak",pattern:/jailbreak|DAN\s*mode|developer\s+mode|unrestricted/i,severity:"critical"},{name:"bypass_safety",pattern:/bypass\s+(?:security|safety|filters|restrictions)/i,severity:"high"},{name:"data_exfiltration",pattern:/send\s+(?:this|the|all)\s+(?:data|info)\s+to|exfiltrate/i,severity:"critical"},{name:"hidden_instruction",pattern:/HIDDEN_PROMPT|HIDDEN_INSTRUCTION|INVISIBLE_TEXT/i,severity:"critical"},{name:"markdown_injection",pattern:/!\[.*\]\(https?:\/\/[^)]*\?.*(?:token|key|secret|auth)/i,severity:"high"},{name:"url_exfiltration",pattern:/(?:fetch|request|call|post|get|send|forward|transmit|relay)\s+(?:to|from)?\s*https?:\/\//i,severity:"critical"},{name:"url_data_leak",pattern:/https?:\/\/[^\s]+\?.*(?:data|prompt|conversation|history|context|message|response)=/i,severity:"critical"},{name:"credential_solicitation",pattern:/(?:ask|request|get|obtain|collect)\s+(?:the\s+)?(?:user|them|him|her)\s+(?:for\s+)?(?:their\s+)?(?:password|credentials?|api[_\s]?key|token|secret|ssn|social\s+security)/i,severity:"critical"},{name:"credential_prompt",pattern:/(?:enter|provide|type|input|share)\s+(?:your\s+)?(?:password|credentials?|api[_\s]?key|auth(?:entication)?\s+token|private\s+key|secret)/i,severity:"high"},{name:"tool_call_injection",pattern:/(?:execute|invoke|call|run|trigger|use)\s+(?:the\s+)?(?:function|tool|comma
nd|action)\s+(?:named?\s+)?[`"']?\w+[`"']?/i,severity:"critical"},{name:"tool_chain_manipulation",pattern:/(?:first|then|next|now)\s+(?:execute|call|run|invoke|delete|drop|remove|wipe)\s+/i,severity:"high"}],STATE_CHANGE_PATTERNS=[{name:"privilege_claim",pattern:/(?:user|role|permission)\s+(?:is\s+now|changed\s+to|promoted\s+to|set\s+to)\s+(?:admin|root|superuser)/i},{name:"auth_claim",pattern:/(?:authenticated|authorized|verified)\s+as\s+(?:admin|root|superuser)/i},{name:"approval_claim",pattern:/(?:approved|granted|authorized)\s+(?:without|bypassing)\s+(?:verification|approval|review)/i},{name:"config_change_claim",pattern:/(?:configuration|settings?|policy)\s+(?:updated|changed|modified)\s+(?:to|:)/i},{name:"role_upgrade_claim",pattern:/(?:role|access|privilege)\s+(?:upgraded|elevated|escalated|promoted)\s+(?:to|successfully)/i},{name:"permissions_granted_claim",pattern:/(?:permissions?|access)\s+(?:granted|unlocked|enabled|activated)\s+(?:for|to|successfully|without)/i}];class ToolResultGuard{constructor(e={}){this.config={scanForInjection:e.scanForInjection??!0,maxResultSize:e.maxResultSize??5e4,detectStateChangeClaims:e.detectStateChangeClaims??!0,expectedSchemas:e.expectedSchemas,sensitivePatterns:e.sensitivePatterns}}validateResult(e,t,n){const s=[],i=[];let a=!1,c=!0;const o=typeof t=="string"?t:this.safeStringify(t);if(o.length>this.config.maxResultSize&&(s.push("RESULT_TOO_LARGE"),i.push({type:"size_exceeded",severity:"high",location:"root",detail:`Result size ${o.length} exceeds max ${this.config.maxResultSize}`})),this.config.expectedSchemas?.[e]){const r=this.validateSchema(t,this.config.expectedSchemas[e]);r.valid||(c=!1,s.push("SCHEMA_MISMATCH"),i.push(...r.errors.map(p=>({type:"schema_violation",severity:"high",location:p.path,detail:p.message}))))}if(this.config.scanForInjection){const r=this.scanForInjection(t);r.detected&&(a=!0,s.push("INJECTION_IN_TOOL_RESULT"),i.push(...r.threats))}if(this.config.detectStateChangeClaims){const 
r=this.detectStateChangeClaims(o);r.detected&&(s.push("STATE_CHANGE_CLAIM"),i.push(...r.threats))}if(this.config.sensitivePatterns)for(const r of this.config.sensitivePatterns)r.lastIndex=0,r.test(o)&&(s.push("SENSITIVE_PATTERN_MATCH"),i.push({type:"sensitive_content",severity:"high",location:"root",detail:`Matched sensitive pattern: ${r.source.substring(0,50)}`}));const l=s.length===0;return{allowed:l,reason:l?void 0:`Tool result validation failed: ${s.join(", ")}`,violations:s,injection_detected:a,schema_valid:c,threats:i}}scanForInjection(e,t="root"){const n=[];if(typeof e=="string")for(const{name:s,pattern:i,severity:a}of RESULT_INJECTION_PATTERNS)i.lastIndex=0,i.test(e)&&n.push({type:`injection_${s}`,severity:a,location:t,detail:`Injection pattern '${s}' detected in tool result`});else if(Array.isArray(e))for(let s=0;s<e.length;s++){const i=this.scanForInjection(e[s],`${t}[${s}]`);n.push(...i.threats)}else if(e!==null&&typeof e=="object")for(const[s,i]of Object.entries(e)){const a=this.scanForInjection(i,`${t}.${s}`);n.push(...a.threats)}return{detected:n.length>0,threats:n}}registerSchema(e,t){this.config.expectedSchemas||(this.config.expectedSchemas={}),this.config.expectedSchemas[e]=t}detectStateChangeClaims(e){const t=[];for(const{name:n,pattern:s}of STATE_CHANGE_PATTERNS)s.lastIndex=0,s.test(e)&&t.push({type:`state_change_${n}`,severity:"critical",location:"root",detail:`Tool result claims state change: ${n}`});return{detected:t.length>0,threats:t}}validateSchema(e,t){const n=[],s=Array.isArray(e)?"array":typeof e;if(s!==t.type)return n.push({path:"root",message:`Expected type '${t.type}', got '${s}'`}),{valid:!1,errors:n};if(t.type==="string"&&t.maxLength&&e.length>t.maxLength&&n.push({path:"root",message:`String length exceeds max ${t.maxLength}`}),t.type==="object"&&t.properties)for(const[i,a]of Object.entries(t.properties))a.required&&(e[i]===void 0||e[i]===null)&&n.push({path:i,message:`Missing required field '${i}'`}),e[i]!==void 0&&typeof 
e[i]!==a.type&&n.push({path:i,message:`Field '${i}' expected '${a.type}', got '${typeof e[i]}'`});return{valid:n.length===0,errors:n}}safeStringify(e){try{return JSON.stringify(e)}catch{return String(e)}}}exports.ToolResultGuard=ToolResultGuard;
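Review bot: The new `url_exfiltration` pattern in RESULT_INJECTION_PATTERNS, `/(?:fetch|request|call|post|get|send|forward|transmit|relay)\s+(?:to|from)?\s*https?:\/\//i` at severity critical, also matches the HTTP-method-plus-URL form found in ordinary API documentation and request logs (for example `GET https://api.example.com/v1/items`), so any tool that returns fetched page or log content would be reported as a critical injection. Making the preposition mandatory, `(?:to|from)\s+` instead of `(?:to|from)?\s*`, or dropping `get`, `request` and `call` from the verb list, would remove that collision while keeping the "send … to https://" forms the changelog targets. Separately, the new `url_data_leak` pattern `/https?:\/\/[^\s]+\?.*(?:data|prompt|conversation|history|context|message|response)=/i` stacks two unbounded quantifiers, and `validateResult` still calls `scanForInjection(t)` after recording `RESULT_TOO_LARGE`, so an oversized, `?`-dense untrusted result is scanned in full with quadratic backtracking. Tightening the query part to `[^\s?]+\?[^\s]*` (a URL contains no whitespace anyway) and skipping the injection scan once the size limit is exceeded would bound that cost.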
package/dist/index.js CHANGED
@@ -1 +1 @@
1
- "use strict";var __createBinding=this&&this.__createBinding||(Object.create?(function(l,e,i,o){o===void 0&&(o=i);var a=Object.getOwnPropertyDescriptor(e,i);(!a||("get"in a?!e.__esModule:a.writable||a.configurable))&&(a={enumerable:!0,get:function(){return e[i]}}),Object.defineProperty(l,o,a)}):(function(l,e,i,o){o===void 0&&(o=i),l[o]=e[i]})),__exportStar=this&&this.__exportStar||function(l,e){for(var i in l)i!=="default"&&!Object.prototype.hasOwnProperty.call(e,i)&&__createBinding(e,l,i)},__importDefault=this&&this.__importDefault||function(l){return l&&l.__esModule?l:{default:l}};Object.defineProperty(exports,"__esModule",{value:!0}),exports.TrustGuard=exports.mergeDetectionResults=exports.createRegexClassifier=exports.TrustTransitivityGuard=exports.DelegationScopeGuard=exports.SpawnPolicyGuard=exports.SessionIntegrityGuard=exports.AgentSkillGuard=exports.ExternalDataGuard=exports.CompressionDetector=exports.HeuristicAnalyzer=exports.TokenCostGuard=exports.OutputSchemaGuard=exports.ContextBudgetGuard=exports.ToolResultGuard=exports.StatePersistenceGuard=exports.AutonomyEscalationGuard=exports.TrustExploitationGuard=exports.PromptLeakageGuard=exports.MCPSecurityGuard=exports.DriftDetector=exports.CircuitBreaker=exports.AgentCommunicationGuard=exports.CodeExecutionGuard=exports.RAGGuard=exports.MemoryGuard=exports.MultiModalGuard=exports.EncodingDetector=exports.ToolChainValidator=exports.ConversationGuard=exports.OutputFilter=exports.ExecutionMonitor=exports.SchemaValidator=exports.TenantBoundary=exports.PolicyGate=exports.ToolRegistry=exports.InputSanitizer=void 0,__exportStar(require("./types"),exports);var input_sanitizer_1=require("./guards/input-sanitizer");Object.defineProperty(exports,"InputSanitizer",{enumerable:!0,get:function(){return input_sanitizer_1.InputSanitizer}});var tool_registry_1=require("./guards/tool-registry");Object.defineProperty(exports,"ToolRegistry",{enumerable:!0,get:function(){return tool_registry_1.ToolRegistry}});var 
policy_gate_1=require("./guards/policy-gate");Object.defineProperty(exports,"PolicyGate",{enumerable:!0,get:function(){return policy_gate_1.PolicyGate}});var tenant_boundary_1=require("./guards/tenant-boundary");Object.defineProperty(exports,"TenantBoundary",{enumerable:!0,get:function(){return tenant_boundary_1.TenantBoundary}});var schema_validator_1=require("./guards/schema-validator");Object.defineProperty(exports,"SchemaValidator",{enumerable:!0,get:function(){return schema_validator_1.SchemaValidator}});var execution_monitor_1=require("./guards/execution-monitor");Object.defineProperty(exports,"ExecutionMonitor",{enumerable:!0,get:function(){return execution_monitor_1.ExecutionMonitor}});var output_filter_1=require("./guards/output-filter");Object.defineProperty(exports,"OutputFilter",{enumerable:!0,get:function(){return output_filter_1.OutputFilter}});var conversation_guard_1=require("./guards/conversation-guard");Object.defineProperty(exports,"ConversationGuard",{enumerable:!0,get:function(){return conversation_guard_1.ConversationGuard}});var tool_chain_validator_1=require("./guards/tool-chain-validator");Object.defineProperty(exports,"ToolChainValidator",{enumerable:!0,get:function(){return tool_chain_validator_1.ToolChainValidator}});var encoding_detector_1=require("./guards/encoding-detector");Object.defineProperty(exports,"EncodingDetector",{enumerable:!0,get:function(){return encoding_detector_1.EncodingDetector}});var multimodal_guard_1=require("./guards/multimodal-guard");Object.defineProperty(exports,"MultiModalGuard",{enumerable:!0,get:function(){return multimodal_guard_1.MultiModalGuard}});var memory_guard_1=require("./guards/memory-guard");Object.defineProperty(exports,"MemoryGuard",{enumerable:!0,get:function(){return memory_guard_1.MemoryGuard}});var rag_guard_1=require("./guards/rag-guard");Object.defineProperty(exports,"RAGGuard",{enumerable:!0,get:function(){return rag_guard_1.RAGGuard}});var 
code_execution_guard_1=require("./guards/code-execution-guard");Object.defineProperty(exports,"CodeExecutionGuard",{enumerable:!0,get:function(){return code_execution_guard_1.CodeExecutionGuard}});var agent_communication_guard_1=require("./guards/agent-communication-guard");Object.defineProperty(exports,"AgentCommunicationGuard",{enumerable:!0,get:function(){return agent_communication_guard_1.AgentCommunicationGuard}});var circuit_breaker_1=require("./guards/circuit-breaker");Object.defineProperty(exports,"CircuitBreaker",{enumerable:!0,get:function(){return circuit_breaker_1.CircuitBreaker}});var drift_detector_1=require("./guards/drift-detector");Object.defineProperty(exports,"DriftDetector",{enumerable:!0,get:function(){return drift_detector_1.DriftDetector}});var mcp_security_guard_1=require("./guards/mcp-security-guard");Object.defineProperty(exports,"MCPSecurityGuard",{enumerable:!0,get:function(){return mcp_security_guard_1.MCPSecurityGuard}});var prompt_leakage_guard_1=require("./guards/prompt-leakage-guard");Object.defineProperty(exports,"PromptLeakageGuard",{enumerable:!0,get:function(){return prompt_leakage_guard_1.PromptLeakageGuard}});var trust_exploitation_guard_1=require("./guards/trust-exploitation-guard");Object.defineProperty(exports,"TrustExploitationGuard",{enumerable:!0,get:function(){return trust_exploitation_guard_1.TrustExploitationGuard}});var autonomy_escalation_guard_1=require("./guards/autonomy-escalation-guard");Object.defineProperty(exports,"AutonomyEscalationGuard",{enumerable:!0,get:function(){return autonomy_escalation_guard_1.AutonomyEscalationGuard}});var state_persistence_guard_1=require("./guards/state-persistence-guard");Object.defineProperty(exports,"StatePersistenceGuard",{enumerable:!0,get:function(){return state_persistence_guard_1.StatePersistenceGuard}});var tool_result_guard_1=require("./guards/tool-result-guard");Object.defineProperty(exports,"ToolResultGuard",{enumerable:!0,get:function(){return 
tool_result_guard_1.ToolResultGuard}});var context_budget_guard_1=require("./guards/context-budget-guard");Object.defineProperty(exports,"ContextBudgetGuard",{enumerable:!0,get:function(){return context_budget_guard_1.ContextBudgetGuard}});var output_schema_guard_1=require("./guards/output-schema-guard");Object.defineProperty(exports,"OutputSchemaGuard",{enumerable:!0,get:function(){return output_schema_guard_1.OutputSchemaGuard}});var token_cost_guard_1=require("./guards/token-cost-guard");Object.defineProperty(exports,"TokenCostGuard",{enumerable:!0,get:function(){return token_cost_guard_1.TokenCostGuard}});var heuristic_analyzer_1=require("./guards/heuristic-analyzer");Object.defineProperty(exports,"HeuristicAnalyzer",{enumerable:!0,get:function(){return heuristic_analyzer_1.HeuristicAnalyzer}});var compression_detector_1=require("./guards/compression-detector");Object.defineProperty(exports,"CompressionDetector",{enumerable:!0,get:function(){return compression_detector_1.CompressionDetector}});var external_data_guard_1=require("./guards/external-data-guard");Object.defineProperty(exports,"ExternalDataGuard",{enumerable:!0,get:function(){return external_data_guard_1.ExternalDataGuard}});var agent_skill_guard_1=require("./guards/agent-skill-guard");Object.defineProperty(exports,"AgentSkillGuard",{enumerable:!0,get:function(){return agent_skill_guard_1.AgentSkillGuard}});var session_integrity_guard_1=require("./guards/session-integrity-guard");Object.defineProperty(exports,"SessionIntegrityGuard",{enumerable:!0,get:function(){return session_integrity_guard_1.SessionIntegrityGuard}});var spawn_policy_guard_1=require("./guards/spawn-policy-guard");Object.defineProperty(exports,"SpawnPolicyGuard",{enumerable:!0,get:function(){return spawn_policy_guard_1.SpawnPolicyGuard}});var delegation_scope_guard_1=require("./guards/delegation-scope-guard");Object.defineProperty(exports,"DelegationScopeGuard",{enumerable:!0,get:function(){return 
delegation_scope_guard_1.DelegationScopeGuard}});var trust_transitivity_guard_1=require("./guards/trust-transitivity-guard");Object.defineProperty(exports,"TrustTransitivityGuard",{enumerable:!0,get:function(){return trust_transitivity_guard_1.TrustTransitivityGuard}});var detection_backend_1=require("./detection-backend");Object.defineProperty(exports,"createRegexClassifier",{enumerable:!0,get:function(){return detection_backend_1.createRegexClassifier}}),Object.defineProperty(exports,"mergeDetectionResults",{enumerable:!0,get:function(){return detection_backend_1.mergeDetectionResults}});const crypto_1=__importDefault(require("crypto")),input_sanitizer_2=require("./guards/input-sanitizer"),tool_registry_2=require("./guards/tool-registry"),policy_gate_2=require("./guards/policy-gate"),tenant_boundary_2=require("./guards/tenant-boundary"),schema_validator_2=require("./guards/schema-validator"),execution_monitor_2=require("./guards/execution-monitor"),output_filter_2=require("./guards/output-filter"),conversation_guard_2=require("./guards/conversation-guard"),tool_chain_validator_2=require("./guards/tool-chain-validator"),encoding_detector_2=require("./guards/encoding-detector"),multimodal_guard_2=require("./guards/multimodal-guard"),memory_guard_2=require("./guards/memory-guard"),rag_guard_2=require("./guards/rag-guard"),code_execution_guard_2=require("./guards/code-execution-guard"),agent_communication_guard_2=require("./guards/agent-communication-guard"),circuit_breaker_2=require("./guards/circuit-breaker"),drift_detector_2=require("./guards/drift-detector"),mcp_security_guard_2=require("./guards/mcp-security-guard"),prompt_leakage_guard_2=require("./guards/prompt-leakage-guard"),trust_exploitation_guard_2=require("./guards/trust-exploitation-guard"),autonomy_escalation_guard_2=require("./guards/autonomy-escalation-guard"),state_persistence_guard_2=require("./guards/state-persistence-guard"),tool_result_guard_2=require("./guards/tool-result-guard"),context_budget_
guard_2=require("./guards/context-budget-guard"),output_schema_guard_2=require("./guards/output-schema-guard"),token_cost_guard_2=require("./guards/token-cost-guard"),SENSITIVITY_PRESETS={strict:{sanitizer:{threshold:.15,papThreshold:.25,minPersuasionTechniques:1},compression:{threshold:.6},encoding:{maxEncodedRatio:.05},promptLeakage:{riskThreshold:.3},rag:{minTrustScore:.8},drift:{anomalyThreshold:.5},memory:{riskThreshold:.3}},balanced:{sanitizer:{threshold:.3,papThreshold:.4,minPersuasionTechniques:2},compression:{threshold:.55},encoding:{maxEncodedRatio:.1},promptLeakage:{riskThreshold:.5},rag:{minTrustScore:.6},drift:{anomalyThreshold:.7},memory:{riskThreshold:.5}},permissive:{sanitizer:{threshold:.5,papThreshold:.6,minPersuasionTechniques:3},compression:{threshold:.45},encoding:{maxEncodedRatio:.2},promptLeakage:{riskThreshold:.7},rag:{minTrustScore:.4},drift:{anomalyThreshold:.85},memory:{riskThreshold:.7}}};class TrustGuard{constructor(e={}){this.metrics={totalChecks:0,blockedChecks:0,totalTimeMs:0,errors:0},this.logger=e.logger||((a,r)=>{r==="error"?console.error(a):r==="warn"?console.warn(a):console.log(a)}),this.maxInputLength=e.maxInputLength??1e5,this.failMode=e.failMode??"closed",this.onBlock=e.onBlock,this.onAlert=e.onAlert,this.onError=e.onError;const i=e.logger||void 0,o=SENSITIVITY_PRESETS[e.sensitivity??"balanced"];if(e.sanitizer?.enabled!==!1&&(this.sanitizer=new input_sanitizer_2.InputSanitizer({threshold:e.sanitizer?.threshold??o.sanitizer.threshold,customPatterns:e.sanitizer?.customPatterns,detectPAP:e.sanitizer?.detectPAP,papThreshold:e.sanitizer?.papThreshold??o.sanitizer.papThreshold,minPersuasionTechniques:e.sanitizer?.minPersuasionTechniques??o.sanitizer.minPersuasionTechniques,blockCompoundPersuasion:e.sanitizer?.blockCompoundPersuasion,logger:i})),e.registry?.enabled!==!1&&e.registry?.tools&&(this.registry=new tool_registry_2.ToolRegistry({tools:e.registry.tools,logger:i})),e.policy?.enabled!==!1&&(this.policy=new 
policy_gate_2.PolicyGate({roleHierarchy:e.policy?.roleHierarchy,logger:i})),e.tenant?.enabled!==!1){const a=e.tenant?.resourceOwnership?new Map(Object.entries(e.tenant.resourceOwnership).map(([r,s])=>[r,{resource_id:r,tenant_id:s.tenant_id}])):void 0;this.tenant=new tenant_boundary_2.TenantBoundary({resourceOwnership:a,logger:i})}e.schema?.enabled!==!1&&(this.schema=new schema_validator_2.SchemaValidator({strictTypes:e.schema?.strictTypes,logger:i})),e.execution?.enabled!==!1&&(this.execution=new execution_monitor_2.ExecutionMonitor({maxRequestsPerMinute:e.execution?.maxRequestsPerMinute,maxRequestsPerHour:e.execution?.maxRequestsPerHour,operationCosts:e.execution?.operationCosts,maxCostPerMinute:e.execution?.maxCostPerMinute,maxCostPerHour:e.execution?.maxCostPerHour,logger:i})),e.output?.enabled!==!1&&(this.output=new output_filter_2.OutputFilter({detectPII:e.output?.detectPII,detectSecrets:e.output?.detectSecrets,roleFilters:e.output?.roleFilters,logger:i})),e.conversation?.enabled!==!1&&(this.conversation=new conversation_guard_2.ConversationGuard({maxConversationLength:e.conversation?.maxConversationLength,escalationThreshold:e.conversation?.escalationThreshold,logger:i})),e.chain?.enabled!==!1&&(this.chain=new tool_chain_validator_2.ToolChainValidator({maxToolsPerRequest:e.chain?.maxToolsPerRequest,maxSensitiveToolsPerSession:e.chain?.maxSensitiveToolsPerSession,sensitiveTools:e.chain?.sensitiveTools,logger:i})),e.encoding?.enabled!==!1&&(this.encoding=new encoding_detector_2.EncodingDetector({maxDecodingDepth:e.encoding?.maxDecodingDepth,maxEncodedRatio:e.encoding?.maxEncodedRatio??o.encoding.maxEncodedRatio,logger:i})),e.multiModal?.enabled&&(this.multiModal=new multimodal_guard_2.MultiModalGuard({scanMetadata:e.multiModal.scanMetadata,detectBase64Payloads:e.multiModal.detectBase64Payloads,allowedMimeTypes:e.multiModal.allowedMimeTypes})),e.memory?.enabled&&(this.memoryGuard=new 
memory_guard_2.MemoryGuard({enableIntegrityCheck:e.memory.enableIntegrityCheck,detectInjections:e.memory.detectInjections,maxMemoryItems:e.memory.maxMemoryItems,signingKey:e.memory.signingKey,autoQuarantine:e.memory.autoQuarantine,riskThreshold:e.memory.riskThreshold??o.memory.riskThreshold})),e.rag?.enabled&&(this.ragGuard=new rag_guard_2.RAGGuard({detectInjections:e.rag.detectInjections,verifySource:e.rag.verifySource,trustedSources:e.rag.trustedSources,blockedSources:e.rag.blockedSources,maxDocumentSize:e.rag.maxDocumentSize,minTrustScore:e.rag.minTrustScore??o.rag.minTrustScore,detectEmbeddingAttacks:e.rag.detectEmbeddingAttacks})),e.codeExecution?.enabled&&(this.codeExecution=new code_execution_guard_2.CodeExecutionGuard({allowedLanguages:e.codeExecution.allowedLanguages,maxCodeLength:e.codeExecution.maxCodeLength,maxExecutionTime:e.codeExecution.maxExecutionTime,allowNetwork:e.codeExecution.allowNetwork,allowFileSystem:e.codeExecution.allowFileSystem,allowShell:e.codeExecution.allowShell,riskThreshold:e.codeExecution.riskThreshold})),e.agentCommunication?.enabled&&(this.agentCommunication=new agent_communication_guard_2.AgentCommunicationGuard({allowedAgents:e.agentCommunication.allowedAgents,requireSignatures:e.agentCommunication.requireSignatures,strictMode:e.agentCommunication.strictMode,maxMessageAge:e.agentCommunication.maxMessageAge})),e.circuitBreaker?.enabled&&(this.circuitBreaker=new circuit_breaker_2.CircuitBreaker({failureThreshold:e.circuitBreaker.failureThreshold,minimumRequests:e.circuitBreaker.minimumRequests,windowSize:e.circuitBreaker.windowSize,recoveryTimeout:e.circuitBreaker.recoveryTimeout,successThreshold:e.circuitBreaker.successThreshold})),e.driftDetector?.enabled&&(this.driftDetector=new 
drift_detector_2.DriftDetector({minimumSamples:e.driftDetector.minimumSamples,anomalyThreshold:e.driftDetector.anomalyThreshold??o.drift.anomalyThreshold,alertThreshold:e.driftDetector.alertThreshold,checkGoalAlignment:e.driftDetector.checkGoalAlignment})),e.mcpSecurity?.enabled&&(this.mcpSecurity=new mcp_security_guard_2.MCPSecurityGuard({detectToolShadowing:e.mcpSecurity.detectToolShadowing,toolBlocklist:e.mcpSecurity.toolBlocklist,strictMode:e.mcpSecurity.strictMode,minServerReputation:e.mcpSecurity.minServerReputation})),e.promptLeakage?.enabled&&(this.promptLeakage=new prompt_leakage_guard_2.PromptLeakageGuard({detectLeetspeak:e.promptLeakage.detectLeetspeak,detectROT13:e.promptLeakage.detectROT13,detectBase64:e.promptLeakage.detectBase64,detectIndirectExtraction:e.promptLeakage.detectIndirectExtraction,monitorOutput:e.promptLeakage.monitorOutput,systemPromptKeywords:e.promptLeakage.systemPromptKeywords,riskThreshold:e.promptLeakage.riskThreshold??o.promptLeakage.riskThreshold})),e.trustExploitation?.enabled&&(this.trustExploitation=new trust_exploitation_guard_2.TrustExploitationGuard({humanApprovalRequired:e.trustExploitation.humanApprovalRequired,maxAutonomousActions:e.trustExploitation.maxAutonomousActions,monitorGoalConsistency:e.trustExploitation.monitorGoalConsistency,detectPermissionEscalation:e.trustExploitation.detectPermissionEscalation,sensitiveActions:e.trustExploitation.sensitiveActions})),e.autonomyEscalation?.enabled&&(this.autonomyEscalation=new autonomy_escalation_guard_2.AutonomyEscalationGuard({maxAutonomyLevel:e.autonomyEscalation.maxAutonomyLevel,baseAutonomyLevel:e.autonomyEscalation.baseAutonomyLevel,detectSelfModification:e.autonomyEscalation.detectSelfModification,maxSubAgents:e.autonomyEscalation.maxSubAgents,enforceHITL:e.autonomyEscalation.enforceHITL,alwaysRequireHuman:e.autonomyEscalation.alwaysRequireHuman})),e.statePersistence?.enabled&&(this.statePersistence=new 
state_persistence_guard_2.StatePersistenceGuard({enableIntegrityCheck:e.statePersistence.enableIntegrityCheck,requireEncryption:e.statePersistence.requireEncryption,maxStateSize:e.statePersistence.maxStateSize,maxStateAge:e.statePersistence.maxStateAge,enforceSessionIsolation:e.statePersistence.enforceSessionIsolation,sensitiveKeys:e.statePersistence.sensitiveKeys,detectTampering:e.statePersistence.detectTampering})),e.toolResult?.enabled&&(this.toolResultGuard=new tool_result_guard_2.ToolResultGuard(e.toolResult)),e.contextBudget?.enabled&&(this.contextBudget=new context_budget_guard_2.ContextBudgetGuard(e.contextBudget)),e.outputSchema?.enabled&&(this.outputSchema=new output_schema_guard_2.OutputSchemaGuard(e.outputSchema)),e.tokenCost?.enabled&&(this.tokenCostGuard=new token_cost_guard_2.TokenCostGuard(e.tokenCost)),e.classifier&&(this.classifier=e.classifier)}check(e,i,o,a={}){const r=`req-${crypto_1.default.randomUUID()}`,s=[];this.logger(`[TrustGuard:${r}] Checking: ${e}`,"info");const n=Date.now();this.metrics.totalChecks++;try{const u=this.runChecks(e,i,o,a,r);return this.metrics.totalTimeMs+=Date.now()-n,u.allowed||(this.metrics.blockedChecks++,this.onBlock&&this.onBlock(u.block_layer||"UNKNOWN",u,r)),u}catch(u){this.metrics.totalTimeMs+=Date.now()-n,this.metrics.errors++;const t=u instanceof Error?u.message:String(u);return this.logger(`[TrustGuard:${r}] Guard error: ${t}`,"error"),this.onError&&this.onError("TrustGuard",u instanceof Error?u:new Error(t),r),this.failMode==="open"?{allowed:!0,all_violations:["GUARD_ERROR"],request_id:r}:{allowed:!1,block_reason:`Internal guard error: ${t}`,all_violations:["GUARD_ERROR"],request_id:r}}}runChecks(e,i,o,a,r){const s=[];if(a.userInput&&a.userInput.length>this.maxInputLength)return this.logger(`[TrustGuard:${r}] BLOCKED: Input too long (${a.userInput.length} > ${this.maxInputLength})`,"warn"),{allowed:!1,block_layer:"L1",block_reason:`Input length ${a.userInput.length} exceeds maximum 
${this.maxInputLength}`,all_violations:["INPUT_TOO_LONG"],request_id:r};if(this.encoding&&a.userInput){const t=this.encoding.detect(a.userInput,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Encoding Detector`,"warn"),{allowed:!1,block_layer:"ENCODING",block_reason:t.reason,all_violations:t.violations,encoding:t,request_id:r};s.push(...t.violations)}if(this.sanitizer&&a.userInput){const t=this.sanitizer.sanitize(a.userInput,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L1`,"warn"),{allowed:!1,block_layer:"L1",block_reason:t.reason,all_violations:t.violations,sanitizer:t,request_id:r};s.push(...t.violations)}if(this.promptLeakage&&a.userInput){const t=this.promptLeakage.check(a.userInput,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Prompt Leakage Guard`,"warn"),{allowed:!1,block_layer:"PROMPT_LEAKAGE",block_reason:t.reason,all_violations:[...s,...t.violations],request_id:r};s.push(...t.violations)}if(this.memoryGuard&&a.userInput&&o?.session_id){const t=this.memoryGuard.validateContextInjection(a.userInput,o.session_id,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Memory Guard`,"warn"),{allowed:!1,block_layer:"MEMORY",block_reason:t.reason,all_violations:[...s,...t.violations],request_id:r};s.push(...t.violations)}if(this.conversation&&a.userInput&&o?.session_id){const t=this.conversation.check(o.session_id,a.userInput,[e],a.claimedRole,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Conversation Guard`,"warn"),{allowed:!1,block_layer:"CONV",block_reason:t.reason,all_violations:[...s,...t.violations],conversation:t,request_id:r};s.push(...t.violations)}let n;if(this.registry){const t=this.registry.check(e,o?.role||"",r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by 
L2`,"warn"),{allowed:!1,block_layer:"L2",block_reason:t.reason,all_violations:[...s,...t.violations],registry:t,request_id:r};n=t.tool,s.push(...t.violations)}if(this.chain&&o?.session_id){const t=a.allToolsInRequest?this.chain.validateBatch(o.session_id,a.allToolsInRequest,r):this.chain.validate(o.session_id,e,void 0,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Tool Chain Validator`,"warn"),{allowed:!1,block_layer:"CHAIN",block_reason:t.reason,all_violations:[...s,...t.violations],chain:t,request_id:r};s.push(...t.violations)}if(this.policy&&n){const t=this.policy.check(n,i,o,a.claimedRole,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L3`,"warn"),{allowed:!1,block_layer:"L3",block_reason:t.reason,all_violations:[...s,...t.violations],policy:t,request_id:r};s.push(...t.violations)}else this.policy&&!n&&this.logger(`[TrustGuard:${r}] Policy gate skipped: no tool definition (registry disabled or tool not found)`,"warn");if(this.autonomyEscalation&&o?.session_id){const t=this.autonomyEscalation.validate(e,o.session_id,i,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Autonomy Escalation Guard`,"warn"),{allowed:!1,block_layer:"AUTONOMY",block_reason:t.reason,all_violations:[...s,...t.violations],request_id:r};s.push(...t.violations)}let u=i;if(this.tenant&&o){const t=this.tenant.check(e,i,o,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L4`,"warn"),{allowed:!1,block_layer:"L4",block_reason:t.reason,all_violations:[...s,...t.violations],tenant:t,request_id:r};t.enforced_params&&(u=t.enforced_params),s.push(...t.violations)}if(this.schema&&n){const t=this.schema.validate(n,u,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L5`,"warn"),{allowed:!1,block_layer:"L5",block_reason:t.reason,all_violations:[...s,...t.violations],schema:t,request_id:r};s.push(...t.violations)}if(this.execution){const t=this.execution.check(e,o?.user_id,o?.session_id,r);if(!t.allowed)return 
this.logger(`[TrustGuard:${r}] BLOCKED by L6`,"warn"),{allowed:!1,block_layer:"L6",block_reason:t.reason,all_violations:[...s,...t.violations],execution:t,request_id:r};s.push(...t.violations)}if(this.circuitBreaker){const t=this.circuitBreaker.check(e,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Circuit Breaker`,"warn"),{allowed:!1,block_layer:"L6",block_reason:t.reason,all_violations:[...s,"CIRCUIT_OPEN"],request_id:r}}return this.logger(`[TrustGuard:${r}] All checks PASSED`,"info"),{allowed:!0,all_violations:s,request_id:r}}filterOutput(e,i,o){let a=e,r=!1,s=!1,n=!1,u=!0;const t=typeof e=="string"?e:"";if(t.length>this.maxInputLength&&this.logger(`[TrustGuard] Output too long (${t.length}), truncating for filter`,"warn"),this.output){const d=this.output.filter(e,i,o);a=d.filtered_response,r=d.pii_detected.length>0,s=d.secrets_detected.length>0,d.allowed||(u=!1)}if(this.promptLeakage){const d=typeof a=="string"?a:JSON.stringify(a),c=this.promptLeakage.checkOutput(d,o);c.leaked&&(u=!1,n=!0,c.sanitized_output&&(a=c.sanitized_output))}return{allowed:u,filtered:a,pii_detected:r,secrets_detected:s,prompt_leakage_detected:n}}completeOperation(e,i,o=!0){this.execution&&this.execution.completeOperation(e?.user_id,e?.session_id),this.circuitBreaker&&i&&(o?this.circuitBreaker.recordSuccess(i):this.circuitBreaker.recordFailure(i))}getToolsForRole(e){return this.registry?this.registry.getToolsForRole(e):[]}getMetrics(){const 
e=this.metrics.totalChecks>0?this.metrics.totalTimeMs/this.metrics.totalChecks:0;return{totalChecks:this.metrics.totalChecks,blockedChecks:this.metrics.blockedChecks,blockRate:this.metrics.totalChecks>0?this.metrics.blockedChecks/this.metrics.totalChecks:0,avgExecutionTimeMs:Math.round(e*100)/100,errors:this.metrics.errors}}getGuards(){return{sanitizer:this.sanitizer,registry:this.registry,policy:this.policy,tenant:this.tenant,schema:this.schema,execution:this.execution,output:this.output,conversation:this.conversation,chain:this.chain,encoding:this.encoding,multiModal:this.multiModal,memory:this.memoryGuard,rag:this.ragGuard,codeExecution:this.codeExecution,agentCommunication:this.agentCommunication,circuitBreaker:this.circuitBreaker,driftDetector:this.driftDetector,mcpSecurity:this.mcpSecurity,promptLeakage:this.promptLeakage,trustExploitation:this.trustExploitation,autonomyEscalation:this.autonomyEscalation,statePersistence:this.statePersistence,toolResult:this.toolResultGuard,contextBudget:this.contextBudget,outputSchema:this.outputSchema,tokenCost:this.tokenCostGuard}}resetSession(e){this.conversation?.resetSession(e),this.chain?.resetSession(e),this.execution?.reset(void 0,e),this.memoryGuard?.clearSession(e),this.trustExploitation?.resetSession(e),this.autonomyEscalation?.resetSession(e),this.statePersistence?.resetSession(e),this.contextBudget?.resetSession(e)}destroy(){this.conversation?.destroy(),this.agentCommunication?.destroy(),this.contextBudget?.destroy(),this.tokenCostGuard?.destroy(),this.execution?.reset(),this.circuitBreaker?.resetAll(),this.driftDetector?.resetAgent?.("*")}validateToolResult(e,i,o){if(!this.toolResultGuard)return{allowed:!0,violations:[]};const a=this.toolResultGuard.validateResult(e,i,o);return{allowed:a.allowed,violations:a.violations}}validateOutput(e,i,o){if(!this.outputSchema)return{allowed:!0,violations:[],threats:[]};const 
a=this.outputSchema.validate(e,i,o);return{allowed:a.allowed,violations:a.violations,threats:a.threats}}async checkAsync(e,i,o,a={}){const r=this.check(e,i,o,a);if(!this.classifier||!r.allowed||!a.userInput)return r;try{const s=await this.classifier(a.userInput,{type:"user_input",sessionId:o?.session_id});if(!s.safe)return{...r,allowed:!1,block_layer:"L1",block_reason:`Classifier detected threat: ${s.threats.map(n=>n.category).join(", ")}`,all_violations:[...r.all_violations,...s.threats.map(n=>`CLASSIFIER_${n.category.toUpperCase()}`)]}}catch(s){const n=s instanceof Error?s.message:String(s);this.logger(`[TrustGuard] Classifier error: ${n}`,"error")}return r}}exports.TrustGuard=TrustGuard,__exportStar(require("./integrations/index.js"),exports),exports.default=TrustGuard;
1
+ "use strict";var __createBinding=this&&this.__createBinding||(Object.create?(function(l,e,i,o){o===void 0&&(o=i);var a=Object.getOwnPropertyDescriptor(e,i);(!a||("get"in a?!e.__esModule:a.writable||a.configurable))&&(a={enumerable:!0,get:function(){return e[i]}}),Object.defineProperty(l,o,a)}):(function(l,e,i,o){o===void 0&&(o=i),l[o]=e[i]})),__exportStar=this&&this.__exportStar||function(l,e){for(var i in l)i!=="default"&&!Object.prototype.hasOwnProperty.call(e,i)&&__createBinding(e,l,i)},__importDefault=this&&this.__importDefault||function(l){return l&&l.__esModule?l:{default:l}};Object.defineProperty(exports,"__esModule",{value:!0}),exports.TrustGuard=exports.mergeDetectionResults=exports.createRegexClassifier=exports.TrustTransitivityGuard=exports.DelegationScopeGuard=exports.SpawnPolicyGuard=exports.SessionIntegrityGuard=exports.AgentSkillGuard=exports.ExternalDataGuard=exports.CompressionDetector=exports.HeuristicAnalyzer=exports.TokenCostGuard=exports.OutputSchemaGuard=exports.ContextBudgetGuard=exports.ToolResultGuard=exports.StatePersistenceGuard=exports.AutonomyEscalationGuard=exports.TrustExploitationGuard=exports.PromptLeakageGuard=exports.MCPSecurityGuard=exports.DriftDetector=exports.CircuitBreaker=exports.AgentCommunicationGuard=exports.CodeExecutionGuard=exports.RAGGuard=exports.MemoryGuard=exports.MultiModalGuard=exports.EncodingDetector=exports.ToolChainValidator=exports.ConversationGuard=exports.OutputFilter=exports.ExecutionMonitor=exports.SchemaValidator=exports.TenantBoundary=exports.PolicyGate=exports.ToolRegistry=exports.InputSanitizer=void 0,__exportStar(require("./types"),exports);var input_sanitizer_1=require("./guards/input-sanitizer");Object.defineProperty(exports,"InputSanitizer",{enumerable:!0,get:function(){return input_sanitizer_1.InputSanitizer}});var tool_registry_1=require("./guards/tool-registry");Object.defineProperty(exports,"ToolRegistry",{enumerable:!0,get:function(){return tool_registry_1.ToolRegistry}});var 
policy_gate_1=require("./guards/policy-gate");Object.defineProperty(exports,"PolicyGate",{enumerable:!0,get:function(){return policy_gate_1.PolicyGate}});var tenant_boundary_1=require("./guards/tenant-boundary");Object.defineProperty(exports,"TenantBoundary",{enumerable:!0,get:function(){return tenant_boundary_1.TenantBoundary}});var schema_validator_1=require("./guards/schema-validator");Object.defineProperty(exports,"SchemaValidator",{enumerable:!0,get:function(){return schema_validator_1.SchemaValidator}});var execution_monitor_1=require("./guards/execution-monitor");Object.defineProperty(exports,"ExecutionMonitor",{enumerable:!0,get:function(){return execution_monitor_1.ExecutionMonitor}});var output_filter_1=require("./guards/output-filter");Object.defineProperty(exports,"OutputFilter",{enumerable:!0,get:function(){return output_filter_1.OutputFilter}});var conversation_guard_1=require("./guards/conversation-guard");Object.defineProperty(exports,"ConversationGuard",{enumerable:!0,get:function(){return conversation_guard_1.ConversationGuard}});var tool_chain_validator_1=require("./guards/tool-chain-validator");Object.defineProperty(exports,"ToolChainValidator",{enumerable:!0,get:function(){return tool_chain_validator_1.ToolChainValidator}});var encoding_detector_1=require("./guards/encoding-detector");Object.defineProperty(exports,"EncodingDetector",{enumerable:!0,get:function(){return encoding_detector_1.EncodingDetector}});var multimodal_guard_1=require("./guards/multimodal-guard");Object.defineProperty(exports,"MultiModalGuard",{enumerable:!0,get:function(){return multimodal_guard_1.MultiModalGuard}});var memory_guard_1=require("./guards/memory-guard");Object.defineProperty(exports,"MemoryGuard",{enumerable:!0,get:function(){return memory_guard_1.MemoryGuard}});var rag_guard_1=require("./guards/rag-guard");Object.defineProperty(exports,"RAGGuard",{enumerable:!0,get:function(){return rag_guard_1.RAGGuard}});var 
code_execution_guard_1=require("./guards/code-execution-guard");Object.defineProperty(exports,"CodeExecutionGuard",{enumerable:!0,get:function(){return code_execution_guard_1.CodeExecutionGuard}});var agent_communication_guard_1=require("./guards/agent-communication-guard");Object.defineProperty(exports,"AgentCommunicationGuard",{enumerable:!0,get:function(){return agent_communication_guard_1.AgentCommunicationGuard}});var circuit_breaker_1=require("./guards/circuit-breaker");Object.defineProperty(exports,"CircuitBreaker",{enumerable:!0,get:function(){return circuit_breaker_1.CircuitBreaker}});var drift_detector_1=require("./guards/drift-detector");Object.defineProperty(exports,"DriftDetector",{enumerable:!0,get:function(){return drift_detector_1.DriftDetector}});var mcp_security_guard_1=require("./guards/mcp-security-guard");Object.defineProperty(exports,"MCPSecurityGuard",{enumerable:!0,get:function(){return mcp_security_guard_1.MCPSecurityGuard}});var prompt_leakage_guard_1=require("./guards/prompt-leakage-guard");Object.defineProperty(exports,"PromptLeakageGuard",{enumerable:!0,get:function(){return prompt_leakage_guard_1.PromptLeakageGuard}});var trust_exploitation_guard_1=require("./guards/trust-exploitation-guard");Object.defineProperty(exports,"TrustExploitationGuard",{enumerable:!0,get:function(){return trust_exploitation_guard_1.TrustExploitationGuard}});var autonomy_escalation_guard_1=require("./guards/autonomy-escalation-guard");Object.defineProperty(exports,"AutonomyEscalationGuard",{enumerable:!0,get:function(){return autonomy_escalation_guard_1.AutonomyEscalationGuard}});var state_persistence_guard_1=require("./guards/state-persistence-guard");Object.defineProperty(exports,"StatePersistenceGuard",{enumerable:!0,get:function(){return state_persistence_guard_1.StatePersistenceGuard}});var tool_result_guard_1=require("./guards/tool-result-guard");Object.defineProperty(exports,"ToolResultGuard",{enumerable:!0,get:function(){return 
tool_result_guard_1.ToolResultGuard}});var context_budget_guard_1=require("./guards/context-budget-guard");Object.defineProperty(exports,"ContextBudgetGuard",{enumerable:!0,get:function(){return context_budget_guard_1.ContextBudgetGuard}});var output_schema_guard_1=require("./guards/output-schema-guard");Object.defineProperty(exports,"OutputSchemaGuard",{enumerable:!0,get:function(){return output_schema_guard_1.OutputSchemaGuard}});var token_cost_guard_1=require("./guards/token-cost-guard");Object.defineProperty(exports,"TokenCostGuard",{enumerable:!0,get:function(){return token_cost_guard_1.TokenCostGuard}});var heuristic_analyzer_1=require("./guards/heuristic-analyzer");Object.defineProperty(exports,"HeuristicAnalyzer",{enumerable:!0,get:function(){return heuristic_analyzer_1.HeuristicAnalyzer}});var compression_detector_1=require("./guards/compression-detector");Object.defineProperty(exports,"CompressionDetector",{enumerable:!0,get:function(){return compression_detector_1.CompressionDetector}});var external_data_guard_1=require("./guards/external-data-guard");Object.defineProperty(exports,"ExternalDataGuard",{enumerable:!0,get:function(){return external_data_guard_1.ExternalDataGuard}});var agent_skill_guard_1=require("./guards/agent-skill-guard");Object.defineProperty(exports,"AgentSkillGuard",{enumerable:!0,get:function(){return agent_skill_guard_1.AgentSkillGuard}});var session_integrity_guard_1=require("./guards/session-integrity-guard");Object.defineProperty(exports,"SessionIntegrityGuard",{enumerable:!0,get:function(){return session_integrity_guard_1.SessionIntegrityGuard}});var spawn_policy_guard_1=require("./guards/spawn-policy-guard");Object.defineProperty(exports,"SpawnPolicyGuard",{enumerable:!0,get:function(){return spawn_policy_guard_1.SpawnPolicyGuard}});var delegation_scope_guard_1=require("./guards/delegation-scope-guard");Object.defineProperty(exports,"DelegationScopeGuard",{enumerable:!0,get:function(){return 
delegation_scope_guard_1.DelegationScopeGuard}});var trust_transitivity_guard_1=require("./guards/trust-transitivity-guard");Object.defineProperty(exports,"TrustTransitivityGuard",{enumerable:!0,get:function(){return trust_transitivity_guard_1.TrustTransitivityGuard}});var detection_backend_1=require("./detection-backend");Object.defineProperty(exports,"createRegexClassifier",{enumerable:!0,get:function(){return detection_backend_1.createRegexClassifier}}),Object.defineProperty(exports,"mergeDetectionResults",{enumerable:!0,get:function(){return detection_backend_1.mergeDetectionResults}});const crypto_1=__importDefault(require("crypto")),input_sanitizer_2=require("./guards/input-sanitizer"),tool_registry_2=require("./guards/tool-registry"),policy_gate_2=require("./guards/policy-gate"),tenant_boundary_2=require("./guards/tenant-boundary"),schema_validator_2=require("./guards/schema-validator"),execution_monitor_2=require("./guards/execution-monitor"),output_filter_2=require("./guards/output-filter"),conversation_guard_2=require("./guards/conversation-guard"),tool_chain_validator_2=require("./guards/tool-chain-validator"),encoding_detector_2=require("./guards/encoding-detector"),multimodal_guard_2=require("./guards/multimodal-guard"),memory_guard_2=require("./guards/memory-guard"),rag_guard_2=require("./guards/rag-guard"),code_execution_guard_2=require("./guards/code-execution-guard"),agent_communication_guard_2=require("./guards/agent-communication-guard"),circuit_breaker_2=require("./guards/circuit-breaker"),drift_detector_2=require("./guards/drift-detector"),mcp_security_guard_2=require("./guards/mcp-security-guard"),prompt_leakage_guard_2=require("./guards/prompt-leakage-guard"),trust_exploitation_guard_2=require("./guards/trust-exploitation-guard"),autonomy_escalation_guard_2=require("./guards/autonomy-escalation-guard"),state_persistence_guard_2=require("./guards/state-persistence-guard"),tool_result_guard_2=require("./guards/tool-result-guard"),context_budget_
guard_2=require("./guards/context-budget-guard"),output_schema_guard_2=require("./guards/output-schema-guard"),token_cost_guard_2=require("./guards/token-cost-guard"),SENSITIVITY_PRESETS={strict:{sanitizer:{threshold:.15,papThreshold:.25,minPersuasionTechniques:1},compression:{threshold:.6},encoding:{maxEncodedRatio:.05},promptLeakage:{riskThreshold:15},rag:{minTrustScore:.8},drift:{anomalyThreshold:.5},memory:{riskThreshold:.3}},balanced:{sanitizer:{threshold:.3,papThreshold:.4,minPersuasionTechniques:2},compression:{threshold:.55},encoding:{maxEncodedRatio:.1},promptLeakage:{riskThreshold:25},rag:{minTrustScore:.6},drift:{anomalyThreshold:.7},memory:{riskThreshold:.5}},permissive:{sanitizer:{threshold:.5,papThreshold:.6,minPersuasionTechniques:3},compression:{threshold:.45},encoding:{maxEncodedRatio:.2},promptLeakage:{riskThreshold:40},rag:{minTrustScore:.4},drift:{anomalyThreshold:.85},memory:{riskThreshold:.7}}};class TrustGuard{constructor(e={}){this.metrics={totalChecks:0,blockedChecks:0,totalTimeMs:0,errors:0},this.logger=e.logger||((a,r)=>{r==="error"?console.error(a):r==="warn"?console.warn(a):console.log(a)}),this.maxInputLength=e.maxInputLength??1e5,this.failMode=e.failMode??"closed",this.onBlock=e.onBlock,this.onAlert=e.onAlert,this.onError=e.onError;const i=e.logger||void 0,o=SENSITIVITY_PRESETS[e.sensitivity??"balanced"];if(e.sanitizer?.enabled!==!1&&(this.sanitizer=new input_sanitizer_2.InputSanitizer({threshold:e.sanitizer?.threshold??o.sanitizer.threshold,customPatterns:e.sanitizer?.customPatterns,detectPAP:e.sanitizer?.detectPAP,papThreshold:e.sanitizer?.papThreshold??o.sanitizer.papThreshold,minPersuasionTechniques:e.sanitizer?.minPersuasionTechniques??o.sanitizer.minPersuasionTechniques,blockCompoundPersuasion:e.sanitizer?.blockCompoundPersuasion,logger:i})),e.registry?.enabled!==!1&&e.registry?.tools&&(this.registry=new tool_registry_2.ToolRegistry({tools:e.registry.tools,logger:i})),e.policy?.enabled!==!1&&(this.policy=new 
policy_gate_2.PolicyGate({roleHierarchy:e.policy?.roleHierarchy,logger:i})),e.tenant?.enabled!==!1){const a=e.tenant?.resourceOwnership?new Map(Object.entries(e.tenant.resourceOwnership).map(([r,s])=>[r,{resource_id:r,tenant_id:s.tenant_id}])):void 0;this.tenant=new tenant_boundary_2.TenantBoundary({resourceOwnership:a,logger:i})}e.schema?.enabled!==!1&&(this.schema=new schema_validator_2.SchemaValidator({strictTypes:e.schema?.strictTypes,logger:i})),e.execution?.enabled!==!1&&(this.execution=new execution_monitor_2.ExecutionMonitor({maxRequestsPerMinute:e.execution?.maxRequestsPerMinute,maxRequestsPerHour:e.execution?.maxRequestsPerHour,operationCosts:e.execution?.operationCosts,maxCostPerMinute:e.execution?.maxCostPerMinute,maxCostPerHour:e.execution?.maxCostPerHour,logger:i})),e.output?.enabled!==!1&&(this.output=new output_filter_2.OutputFilter({detectPII:e.output?.detectPII,detectSecrets:e.output?.detectSecrets,roleFilters:e.output?.roleFilters,logger:i})),e.conversation?.enabled!==!1&&(this.conversation=new conversation_guard_2.ConversationGuard({maxConversationLength:e.conversation?.maxConversationLength,escalationThreshold:e.conversation?.escalationThreshold,logger:i})),e.chain?.enabled!==!1&&(this.chain=new tool_chain_validator_2.ToolChainValidator({maxToolsPerRequest:e.chain?.maxToolsPerRequest,maxSensitiveToolsPerSession:e.chain?.maxSensitiveToolsPerSession,sensitiveTools:e.chain?.sensitiveTools,logger:i})),e.encoding?.enabled!==!1&&(this.encoding=new encoding_detector_2.EncodingDetector({maxDecodingDepth:e.encoding?.maxDecodingDepth,maxEncodedRatio:e.encoding?.maxEncodedRatio??o.encoding.maxEncodedRatio,logger:i})),e.multiModal?.enabled&&(this.multiModal=new multimodal_guard_2.MultiModalGuard({scanMetadata:e.multiModal.scanMetadata,detectBase64Payloads:e.multiModal.detectBase64Payloads,allowedMimeTypes:e.multiModal.allowedMimeTypes})),e.memory?.enabled&&(this.memoryGuard=new 
memory_guard_2.MemoryGuard({enableIntegrityCheck:e.memory.enableIntegrityCheck,detectInjections:e.memory.detectInjections,maxMemoryItems:e.memory.maxMemoryItems,signingKey:e.memory.signingKey,autoQuarantine:e.memory.autoQuarantine,riskThreshold:e.memory.riskThreshold??o.memory.riskThreshold})),e.rag?.enabled&&(this.ragGuard=new rag_guard_2.RAGGuard({detectInjections:e.rag.detectInjections,verifySource:e.rag.verifySource,trustedSources:e.rag.trustedSources,blockedSources:e.rag.blockedSources,maxDocumentSize:e.rag.maxDocumentSize,minTrustScore:e.rag.minTrustScore??o.rag.minTrustScore,detectEmbeddingAttacks:e.rag.detectEmbeddingAttacks})),e.codeExecution?.enabled&&(this.codeExecution=new code_execution_guard_2.CodeExecutionGuard({allowedLanguages:e.codeExecution.allowedLanguages,maxCodeLength:e.codeExecution.maxCodeLength,maxExecutionTime:e.codeExecution.maxExecutionTime,allowNetwork:e.codeExecution.allowNetwork,allowFileSystem:e.codeExecution.allowFileSystem,allowShell:e.codeExecution.allowShell,riskThreshold:e.codeExecution.riskThreshold})),e.agentCommunication?.enabled&&(this.agentCommunication=new agent_communication_guard_2.AgentCommunicationGuard({allowedAgents:e.agentCommunication.allowedAgents,requireSignatures:e.agentCommunication.requireSignatures,strictMode:e.agentCommunication.strictMode,maxMessageAge:e.agentCommunication.maxMessageAge})),e.circuitBreaker?.enabled&&(this.circuitBreaker=new circuit_breaker_2.CircuitBreaker({failureThreshold:e.circuitBreaker.failureThreshold,minimumRequests:e.circuitBreaker.minimumRequests,windowSize:e.circuitBreaker.windowSize,recoveryTimeout:e.circuitBreaker.recoveryTimeout,successThreshold:e.circuitBreaker.successThreshold})),e.driftDetector?.enabled&&(this.driftDetector=new 
drift_detector_2.DriftDetector({minimumSamples:e.driftDetector.minimumSamples,anomalyThreshold:e.driftDetector.anomalyThreshold??o.drift.anomalyThreshold,alertThreshold:e.driftDetector.alertThreshold,checkGoalAlignment:e.driftDetector.checkGoalAlignment})),e.mcpSecurity?.enabled&&(this.mcpSecurity=new mcp_security_guard_2.MCPSecurityGuard({detectToolShadowing:e.mcpSecurity.detectToolShadowing,toolBlocklist:e.mcpSecurity.toolBlocklist,strictMode:e.mcpSecurity.strictMode,minServerReputation:e.mcpSecurity.minServerReputation})),e.promptLeakage?.enabled&&(this.promptLeakage=new prompt_leakage_guard_2.PromptLeakageGuard({detectLeetspeak:e.promptLeakage.detectLeetspeak,detectROT13:e.promptLeakage.detectROT13,detectBase64:e.promptLeakage.detectBase64,detectIndirectExtraction:e.promptLeakage.detectIndirectExtraction,monitorOutput:e.promptLeakage.monitorOutput,systemPromptKeywords:e.promptLeakage.systemPromptKeywords,riskThreshold:e.promptLeakage.riskThreshold??o.promptLeakage.riskThreshold})),e.trustExploitation?.enabled&&(this.trustExploitation=new trust_exploitation_guard_2.TrustExploitationGuard({humanApprovalRequired:e.trustExploitation.humanApprovalRequired,maxAutonomousActions:e.trustExploitation.maxAutonomousActions,monitorGoalConsistency:e.trustExploitation.monitorGoalConsistency,detectPermissionEscalation:e.trustExploitation.detectPermissionEscalation,sensitiveActions:e.trustExploitation.sensitiveActions})),e.autonomyEscalation?.enabled&&(this.autonomyEscalation=new autonomy_escalation_guard_2.AutonomyEscalationGuard({maxAutonomyLevel:e.autonomyEscalation.maxAutonomyLevel,baseAutonomyLevel:e.autonomyEscalation.baseAutonomyLevel,detectSelfModification:e.autonomyEscalation.detectSelfModification,maxSubAgents:e.autonomyEscalation.maxSubAgents,enforceHITL:e.autonomyEscalation.enforceHITL,alwaysRequireHuman:e.autonomyEscalation.alwaysRequireHuman})),e.statePersistence?.enabled&&(this.statePersistence=new 
state_persistence_guard_2.StatePersistenceGuard({enableIntegrityCheck:e.statePersistence.enableIntegrityCheck,requireEncryption:e.statePersistence.requireEncryption,maxStateSize:e.statePersistence.maxStateSize,maxStateAge:e.statePersistence.maxStateAge,enforceSessionIsolation:e.statePersistence.enforceSessionIsolation,sensitiveKeys:e.statePersistence.sensitiveKeys,detectTampering:e.statePersistence.detectTampering})),e.toolResult?.enabled&&(this.toolResultGuard=new tool_result_guard_2.ToolResultGuard(e.toolResult)),e.contextBudget?.enabled&&(this.contextBudget=new context_budget_guard_2.ContextBudgetGuard(e.contextBudget)),e.outputSchema?.enabled&&(this.outputSchema=new output_schema_guard_2.OutputSchemaGuard(e.outputSchema)),e.tokenCost?.enabled&&(this.tokenCostGuard=new token_cost_guard_2.TokenCostGuard(e.tokenCost)),e.classifier&&(this.classifier=e.classifier)}check(e,i,o,a={}){const r=`req-${crypto_1.default.randomUUID()}`,s=[];this.logger(`[TrustGuard:${r}] Checking: ${e}`,"info");const n=Date.now();this.metrics.totalChecks++;try{const u=this.runChecks(e,i,o,a,r);return this.metrics.totalTimeMs+=Date.now()-n,u.allowed||(this.metrics.blockedChecks++,this.onBlock&&this.onBlock(u.block_layer||"UNKNOWN",u,r)),u}catch(u){this.metrics.totalTimeMs+=Date.now()-n,this.metrics.errors++;const t=u instanceof Error?u.message:String(u);return this.logger(`[TrustGuard:${r}] Guard error: ${t}`,"error"),this.onError&&this.onError("TrustGuard",u instanceof Error?u:new Error(t),r),this.failMode==="open"?{allowed:!0,all_violations:["GUARD_ERROR"],request_id:r}:{allowed:!1,block_reason:`Internal guard error: ${t}`,all_violations:["GUARD_ERROR"],request_id:r}}}runChecks(e,i,o,a,r){const s=[];if(a.userInput&&a.userInput.length>this.maxInputLength)return this.logger(`[TrustGuard:${r}] BLOCKED: Input too long (${a.userInput.length} > ${this.maxInputLength})`,"warn"),{allowed:!1,block_layer:"L1",block_reason:`Input length ${a.userInput.length} exceeds maximum 
${this.maxInputLength}`,all_violations:["INPUT_TOO_LONG"],request_id:r};if(this.encoding&&a.userInput){const t=this.encoding.detect(a.userInput,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Encoding Detector`,"warn"),{allowed:!1,block_layer:"ENCODING",block_reason:t.reason,all_violations:t.violations,encoding:t,request_id:r};s.push(...t.violations)}if(this.sanitizer&&a.userInput){const t=this.sanitizer.sanitize(a.userInput,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L1`,"warn"),{allowed:!1,block_layer:"L1",block_reason:t.reason,all_violations:t.violations,sanitizer:t,request_id:r};s.push(...t.violations)}if(this.promptLeakage&&a.userInput){const t=this.promptLeakage.check(a.userInput,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Prompt Leakage Guard`,"warn"),{allowed:!1,block_layer:"PROMPT_LEAKAGE",block_reason:t.reason,all_violations:[...s,...t.violations],request_id:r};s.push(...t.violations)}if(this.memoryGuard&&a.userInput&&o?.session_id){const t=this.memoryGuard.validateContextInjection(a.userInput,o.session_id,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Memory Guard`,"warn"),{allowed:!1,block_layer:"MEMORY",block_reason:t.reason,all_violations:[...s,...t.violations],request_id:r};s.push(...t.violations)}if(this.conversation&&a.userInput&&o?.session_id){const t=this.conversation.check(o.session_id,a.userInput,[e],a.claimedRole,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Conversation Guard`,"warn"),{allowed:!1,block_layer:"CONV",block_reason:t.reason,all_violations:[...s,...t.violations],conversation:t,request_id:r};s.push(...t.violations)}let n;if(this.registry){const t=this.registry.check(e,o?.role||"",r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by 
L2`,"warn"),{allowed:!1,block_layer:"L2",block_reason:t.reason,all_violations:[...s,...t.violations],registry:t,request_id:r};n=t.tool,s.push(...t.violations)}if(this.chain&&o?.session_id){const t=a.allToolsInRequest?this.chain.validateBatch(o.session_id,a.allToolsInRequest,r):this.chain.validate(o.session_id,e,void 0,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Tool Chain Validator`,"warn"),{allowed:!1,block_layer:"CHAIN",block_reason:t.reason,all_violations:[...s,...t.violations],chain:t,request_id:r};s.push(...t.violations)}if(this.policy&&n){const t=this.policy.check(n,i,o,a.claimedRole,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L3`,"warn"),{allowed:!1,block_layer:"L3",block_reason:t.reason,all_violations:[...s,...t.violations],policy:t,request_id:r};s.push(...t.violations)}else this.policy&&!n&&this.logger(`[TrustGuard:${r}] Policy gate skipped: no tool definition (registry disabled or tool not found)`,"warn");if(this.autonomyEscalation&&o?.session_id){const t=this.autonomyEscalation.validate(e,o.session_id,i,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Autonomy Escalation Guard`,"warn"),{allowed:!1,block_layer:"AUTONOMY",block_reason:t.reason,all_violations:[...s,...t.violations],request_id:r};s.push(...t.violations)}let u=i;if(this.tenant&&o){const t=this.tenant.check(e,i,o,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L4`,"warn"),{allowed:!1,block_layer:"L4",block_reason:t.reason,all_violations:[...s,...t.violations],tenant:t,request_id:r};t.enforced_params&&(u=t.enforced_params),s.push(...t.violations)}if(this.schema&&n){const t=this.schema.validate(n,u,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by L5`,"warn"),{allowed:!1,block_layer:"L5",block_reason:t.reason,all_violations:[...s,...t.violations],schema:t,request_id:r};s.push(...t.violations)}if(this.execution){const t=this.execution.check(e,o?.user_id,o?.session_id,r);if(!t.allowed)return 
this.logger(`[TrustGuard:${r}] BLOCKED by L6`,"warn"),{allowed:!1,block_layer:"L6",block_reason:t.reason,all_violations:[...s,...t.violations],execution:t,request_id:r};s.push(...t.violations)}if(this.circuitBreaker){const t=this.circuitBreaker.check(e,r);if(!t.allowed)return this.logger(`[TrustGuard:${r}] BLOCKED by Circuit Breaker`,"warn"),{allowed:!1,block_layer:"L6",block_reason:t.reason,all_violations:[...s,"CIRCUIT_OPEN"],request_id:r}}return this.logger(`[TrustGuard:${r}] All checks PASSED`,"info"),{allowed:!0,all_violations:s,request_id:r}}filterOutput(e,i,o){let a=e,r=!1,s=!1,n=!1,u=!0;const t=typeof e=="string"?e:"";if(t.length>this.maxInputLength&&this.logger(`[TrustGuard] Output too long (${t.length}), truncating for filter`,"warn"),this.output){const d=this.output.filter(e,i,o);a=d.filtered_response,r=d.pii_detected.length>0,s=d.secrets_detected.length>0,d.allowed||(u=!1)}if(this.promptLeakage){const d=typeof a=="string"?a:JSON.stringify(a),c=this.promptLeakage.checkOutput(d,o);c.leaked&&(u=!1,n=!0,c.sanitized_output&&(a=c.sanitized_output))}return{allowed:u,filtered:a,pii_detected:r,secrets_detected:s,prompt_leakage_detected:n}}completeOperation(e,i,o=!0){this.execution&&this.execution.completeOperation(e?.user_id,e?.session_id),this.circuitBreaker&&i&&(o?this.circuitBreaker.recordSuccess(i):this.circuitBreaker.recordFailure(i))}getToolsForRole(e){return this.registry?this.registry.getToolsForRole(e):[]}getMetrics(){const 
e=this.metrics.totalChecks>0?this.metrics.totalTimeMs/this.metrics.totalChecks:0;return{totalChecks:this.metrics.totalChecks,blockedChecks:this.metrics.blockedChecks,blockRate:this.metrics.totalChecks>0?this.metrics.blockedChecks/this.metrics.totalChecks:0,avgExecutionTimeMs:Math.round(e*100)/100,errors:this.metrics.errors}}getGuards(){return{sanitizer:this.sanitizer,registry:this.registry,policy:this.policy,tenant:this.tenant,schema:this.schema,execution:this.execution,output:this.output,conversation:this.conversation,chain:this.chain,encoding:this.encoding,multiModal:this.multiModal,memory:this.memoryGuard,rag:this.ragGuard,codeExecution:this.codeExecution,agentCommunication:this.agentCommunication,circuitBreaker:this.circuitBreaker,driftDetector:this.driftDetector,mcpSecurity:this.mcpSecurity,promptLeakage:this.promptLeakage,trustExploitation:this.trustExploitation,autonomyEscalation:this.autonomyEscalation,statePersistence:this.statePersistence,toolResult:this.toolResultGuard,contextBudget:this.contextBudget,outputSchema:this.outputSchema,tokenCost:this.tokenCostGuard}}resetSession(e){this.conversation?.resetSession(e),this.chain?.resetSession(e),this.execution?.reset(void 0,e),this.memoryGuard?.clearSession(e),this.trustExploitation?.resetSession(e),this.autonomyEscalation?.resetSession(e),this.statePersistence?.resetSession(e),this.contextBudget?.resetSession(e)}destroy(){this.conversation?.destroy(),this.agentCommunication?.destroy(),this.contextBudget?.destroy(),this.tokenCostGuard?.destroy(),this.execution?.reset(),this.circuitBreaker?.resetAll(),this.driftDetector?.resetAgent?.("*")}validateToolResult(e,i,o){if(!this.toolResultGuard)return{allowed:!0,violations:[]};const a=this.toolResultGuard.validateResult(e,i,o);return{allowed:a.allowed,violations:a.violations}}validateOutput(e,i,o){if(!this.outputSchema)return{allowed:!0,violations:[],threats:[]};const 
a=this.outputSchema.validate(e,i,o);return{allowed:a.allowed,violations:a.violations,threats:a.threats}}async checkAsync(e,i,o,a={}){const r=this.check(e,i,o,a);if(!this.classifier||!r.allowed||!a.userInput)return r;try{const s=await this.classifier(a.userInput,{type:"user_input",sessionId:o?.session_id});if(!s.safe)return{...r,allowed:!1,block_layer:"L1",block_reason:`Classifier detected threat: ${s.threats.map(n=>n.category).join(", ")}`,all_violations:[...r.all_violations,...s.threats.map(n=>`CLASSIFIER_${n.category.toUpperCase()}`)]}}catch(s){const n=s instanceof Error?s.message:String(s);this.logger(`[TrustGuard] Classifier error: ${n}`,"error")}return r}}exports.TrustGuard=TrustGuard,__exportStar(require("./integrations/index.js"),exports),exports.default=TrustGuard;