mcp-rubber-duck 1.8.0 → 1.9.3

package/dist/guardrails/plugins/pii-redactor/detectors.d.ts

@@ -0,0 +1,40 @@
+export type PIIType = 'email' | 'phone' | 'ssn' | 'api_key' | 'credit_card' | 'ip_address' | 'custom';
+export interface PIIDetection {
+    type: PIIType;
+    value: string;
+    startIndex: number;
+    endIndex: number;
+    confidence: number;
+}
+export interface PIIDetectorConfig {
+    detectEmails: boolean;
+    detectPhones: boolean;
+    detectSSN: boolean;
+    detectAPIKeys: boolean;
+    detectCreditCards: boolean;
+    detectIPAddresses: boolean;
+    customPatterns: Array<{
+        name: string;
+        pattern: string;
+        placeholder: string;
+    }>;
+    allowlist: string[];
+    allowlistDomains: string[];
+}
+/**
+ * PII detector using regex patterns
+ */
+export declare class PIIDetector {
+    private patterns;
+    private allowlist;
+    private allowlistDomains;
+    private customPatterns;
+    constructor(config: PIIDetectorConfig);
+    /**
+     * Detect PII in text
+     */
+    detect(text: string): PIIDetection[];
+    private isAllowlisted;
+    private calculateConfidence;
+}
+//# sourceMappingURL=detectors.d.ts.map

package/dist/guardrails/plugins/pii-redactor/detectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detectors.d.ts","sourceRoot":"","sources":["../../../../src/guardrails/plugins/pii-redactor/detectors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,OAAO,GACf,OAAO,GACP,OAAO,GACP,KAAK,GACL,SAAS,GACT,aAAa,GACb,YAAY,GACZ,QAAQ,CAAC;AAEb,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,YAAY,EAAE,OAAO,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,OAAO,CAAC;IACvB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,cAAc,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9E,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAmC;IACnD,OAAO,CAAC,SAAS,CAAc;IAC/B,OAAO,CAAC,gBAAgB,CAAc;IACtC,OAAO,CAAC,cAAc,CAAmE;gBAE7E,MAAM,EAAE,iBAAiB;IAmErC;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,EAAE;IAkDpC,OAAO,CAAC,aAAa;IAkBrB,OAAO,CAAC,mBAAmB;CAuB5B"}

package/dist/guardrails/plugins/pii-redactor/detectors.js

@@ -0,0 +1,134 @@
+/**
+ * PII detector using regex patterns
+ */
+export class PIIDetector {
+    patterns = new Map();
+    allowlist;
+    allowlistDomains;
+    customPatterns = [];
+    constructor(config) {
+        this.allowlist = new Set(config.allowlist.map((a) => a.toLowerCase()));
+        this.allowlistDomains = new Set(config.allowlistDomains.map((d) => d.toLowerCase()));
+        // Initialize built-in patterns
+        if (config.detectEmails) {
+            this.patterns.set('email', /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g);
+        }
+        if (config.detectPhones) {
+            // Handles multiple phone formats: US, international, with/without country code
+            this.patterns.set('phone', /\b(?:\+?1[-.\s]?)?\(?[0-9]{3}\)?[-.\s]?[0-9]{3}[-.\s]?[0-9]{4}\b/g);
+        }
+        if (config.detectSSN) {
+            // US SSN format: XXX-XX-XXXX or XXXXXXXXX
+            this.patterns.set('ssn', /\b[0-9]{3}[-\s]?[0-9]{2}[-\s]?[0-9]{4}\b/g);
+        }
+        if (config.detectAPIKeys) {
+            // Common API key patterns
+            this.patterns.set('api_key', /\b(sk-[a-zA-Z0-9]{20,}|gsk_[a-zA-Z0-9]{20,}|api[_-]?key[_-]?[a-zA-Z0-9]{16,})\b/gi);
+        }
+        if (config.detectCreditCards) {
+            // Credit card patterns (Visa, Mastercard, Amex, Discover)
+            // Simplified - doesn't validate Luhn, just matches format
+            this.patterns.set('credit_card', /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/g);
+        }
+        if (config.detectIPAddresses) {
+            // IPv4 addresses
+            this.patterns.set('ip_address', /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/g);
+        }
+        // Custom patterns
+        for (const custom of config.customPatterns) {
+            try {
+                this.customPatterns.push({
+                    name: custom.name,
+                    regex: new RegExp(custom.pattern, 'g'),
+                    placeholder: custom.placeholder,
+                });
+            }
+            catch {
+                // Invalid regex, skip it
+            }
+        }
+    }
+    /**
+     * Detect PII in text
+     */
+    detect(text) {
+        const detections = [];
+        // Check built-in patterns
+        for (const [type, pattern] of this.patterns) {
+            pattern.lastIndex = 0; // Reset regex state
+            let match;
+            while ((match = pattern.exec(text)) !== null) {
+                const value = match[0];
+                // Check allowlist
+                if (this.isAllowlisted(value, type)) {
+                    continue;
+                }
+                detections.push({
+                    type,
+                    value,
+                    startIndex: match.index,
+                    endIndex: match.index + value.length,
+                    confidence: this.calculateConfidence(type, value),
+                });
+            }
+        }
+        // Check custom patterns
+        for (const custom of this.customPatterns) {
+            custom.regex.lastIndex = 0;
+            let match;
+            while ((match = custom.regex.exec(text)) !== null) {
+                const value = match[0];
+                if (this.allowlist.has(value.toLowerCase())) {
+                    continue;
+                }
+                detections.push({
+                    type: 'custom',
+                    value,
+                    startIndex: match.index,
+                    endIndex: match.index + value.length,
+                    confidence: 0.9,
+                });
+            }
+        }
+        // Sort by position (for consistent pseudonymization)
+        return detections.sort((a, b) => a.startIndex - b.startIndex);
+    }
+    isAllowlisted(value, type) {
+        const lowerValue = value.toLowerCase();
+        if (this.allowlist.has(lowerValue)) {
+            return true;
+        }
+        // For emails, check domain allowlist
+        if (type === 'email') {
+            const domain = lowerValue.split('@')[1];
+            if (domain && this.allowlistDomains.has(domain)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    calculateConfidence(type, value) {
+        // Simple confidence scoring based on format strictness
+        switch (type) {
+            case 'ssn':
+                return 0.95; // High confidence for strict format
+            case 'credit_card':
+                return 0.95; // High confidence for strict format
+            case 'email':
+                return 0.9;
+            case 'phone':
+                return 0.85;
+            case 'api_key':
+                // Higher confidence for longer keys or known prefixes
+                if (value.startsWith('sk-') || value.startsWith('gsk_')) {
+                    return 0.95;
+                }
+                return 0.7; // Lower confidence due to possible false positives
+            case 'ip_address':
+                return 0.8;
+            default:
+                return 0.8;
+        }
+    }
+}
+//# sourceMappingURL=detectors.js.map

package/dist/guardrails/plugins/pii-redactor/detectors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detectors.js","sourceRoot":"","sources":["../../../../src/guardrails/plugins/pii-redactor/detectors.ts"],"names":[],"mappings":"AA6BA;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,QAAQ,GAAyB,IAAI,GAAG,EAAE,CAAC;IAC3C,SAAS,CAAc;IACvB,gBAAgB,CAAc;IAC9B,cAAc,GAAgE,EAAE,CAAC;IAEzF,YAAY,MAAyB;QACnC,IAAI,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QACvE,IAAI,CAAC,gBAAgB,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QAErF,+BAA+B;QAC/B,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,IAAI,CAAC,QAAQ,CAAC,GAAG,CACf,OAAO,EACP,qDAAqD,CACtD,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,+EAA+E;YAC/E,IAAI,CAAC,QAAQ,CAAC,GAAG,CACf,OAAO,EACP,mEAAmE,CACpE,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,0CAA0C;YAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG,CACf,KAAK,EACL,2CAA2C,CAC5C,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,0BAA0B;YAC1B,IAAI,CAAC,QAAQ,CAAC,GAAG,CACf,SAAS,EACT,mFAAmF,CACpF,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAC7B,0DAA0D;YAC1D,0DAA0D;YAC1D,IAAI,CAAC,QAAQ,CAAC,GAAG,CACf,aAAa,EACb,6FAA6F,CAC9F,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAC7B,iBAAiB;YACjB,IAAI,CAAC,QAAQ,CAAC,GAAG,CACf,YAAY,EACZ,gGAAgG,CACjG,CAAC;QACJ,CAAC;QAED,kBAAkB;QAClB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;oBACvB,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,KAAK,EAAE,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC;oBACtC,WAAW,EAAE,MAAM,CAAC,WAAW;iBAChC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,MAAM,UAAU,GAAmB,EAAE,CAAC;QAEtC,0BAA0B;QAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,oBAAoB;YAC3C,IAAI,KAAK,CAAC;YACV,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEvB,kBAAkB;gBAClB,IAAI,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;oBACpC,SAAS;gBACX,CAAC;gBAED,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI;oBACJ,KAAK;oBACL,UAAU,EAAE,KAAK,CAAC,KAAK;oBACvB,QAAQ,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM;oBACpC,UAAU,EAAE,IAAI,CAAC,mBAAmB,CAAC,IAAI,EAAE,KAAK,CAAC;iBAClD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YAC3B,IAAI,KAAK,CAAC;YACV,OAAO,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEvB,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBAC5C,SAAS;gBACX,CAAC;gBAED,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,QAAQ;oBACd,KAAK;oBACL,UAAU,EAAE,KAAK,CAAC,KAAK;oBACvB,QAAQ,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM;oBACpC,UAAU,EAAE,GAAG;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IAChE,CAAC;IAEO,aAAa,CAAC,KAAa,EAAE,IAAa;QAChD,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QAEvC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,MAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,mBAAmB,CAAC,IAAa,EAAE,KAAa;QACtD,uDAAuD;QACvD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,KAAK;gBACR,OAAO,IAAI,CAAC,CAAC,oCAAoC;YACnD,KAAK,aAAa;gBAChB,OAAO,IAAI,CAAC,CAAC,oCAAoC;YACnD,KAAK,OAAO;gBACV,OAAO,GAAG,CAAC;YACb,KAAK,OAAO;gBACV,OAAO,IAAI,CAAC;YACd,KAAK,SAAS;gBACZ,sDAAsD;gBACtD,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBACxD,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,OAAO,GAAG,CAAC,CAAC,mDAAmD;YACjE,KAAK,YAAY;gBACf,OAAO,GAAG,CAAC;YACb;gBACE,OAAO,GAAG,CAAC;QACf,CAAC;IACH,CAAC;CACF"}

package/dist/guardrails/plugins/pii-redactor/index.d.ts

@@ -0,0 +1,28 @@
+import { BaseGuardrailPlugin } from '../base-plugin.js';
+import { GuardrailPhase, GuardrailContext, GuardrailResult } from '../../types.js';
+import { PIIDetector } from './detectors.js';
+import { Pseudonymizer } from './pseudonymizer.js';
+/**
+ * PII Redactor plugin - detects and redacts sensitive data
+ */
+export declare class PIIRedactorPlugin extends BaseGuardrailPlugin {
+    name: string;
+    phases: GuardrailPhase[];
+    private detector;
+    private pseudonymizer;
+    private restoreOnResponse;
+    private logDetections;
+    initialize(config: Record<string, unknown>): Promise<void>;
+    execute(phase: GuardrailPhase, context: GuardrailContext): Promise<GuardrailResult>;
+    private redactPII;
+    private restorePII;
+    /**
+     * Get detector for testing
+     */
+    getDetector(): PIIDetector;
+    /**
+     * Get pseudonymizer for testing
+     */
+    getPseudonymizer(): Pseudonymizer;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/guardrails/plugins/pii-redactor/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/guardrails/plugins/pii-redactor/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEnF,OAAO,EAAE,WAAW,EAAqB,MAAM,gBAAgB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,mBAAmB;IACxD,IAAI,SAAkB;IACtB,MAAM,EAAE,cAAc,EAAE,CAA0E;IAElG,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,iBAAiB,CAAkB;IAC3C,OAAO,CAAC,aAAa,CAAiB;IAEhC,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAwB1D,OAAO,CAAC,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAkBzF,OAAO,CAAC,SAAS;IA4EjB,OAAO,CAAC,UAAU;IAoDlB;;OAEG;IACH,WAAW,IAAI,WAAW;IAI1B;;OAEG;IACH,gBAAgB,IAAI,aAAa;CAGlC"}

package/dist/guardrails/plugins/pii-redactor/index.js

@@ -0,0 +1,157 @@
+import { BaseGuardrailPlugin } from '../base-plugin.js';
+import { PIIDetector } from './detectors.js';
+import { Pseudonymizer } from './pseudonymizer.js';
+import { logger } from '../../../utils/logger.js';
+/**
+ * PII Redactor plugin - detects and redacts sensitive data
+ */
+export class PIIRedactorPlugin extends BaseGuardrailPlugin {
+    name = 'pii_redactor';
+    phases = ['pre_request', 'post_response', 'pre_tool_input', 'post_tool_output'];
+    detector;
+    pseudonymizer;
+    restoreOnResponse = false;
+    logDetections = true;
+    async initialize(config) {
+        await super.initialize(config);
+        const typedConfig = config;
+        const detectorConfig = {
+            detectEmails: typedConfig.detect_emails ?? true,
+            detectPhones: typedConfig.detect_phones ?? true,
+            detectSSN: typedConfig.detect_ssn ?? true,
+            detectAPIKeys: typedConfig.detect_api_keys ?? true,
+            detectCreditCards: typedConfig.detect_credit_cards ?? true,
+            detectIPAddresses: typedConfig.detect_ip_addresses ?? false,
+            customPatterns: typedConfig.custom_patterns ?? [],
+            allowlist: typedConfig.allowlist ?? [],
+            allowlistDomains: typedConfig.allowlist_domains ?? [],
+        };
+        this.detector = new PIIDetector(detectorConfig);
+        this.pseudonymizer = new Pseudonymizer();
+        this.restoreOnResponse = typedConfig.restore_on_response ?? false;
+        this.logDetections = typedConfig.log_detections ?? true;
+        this.priority = typedConfig.priority ?? 25;
+    }
+    async execute(phase, context) {
+        switch (phase) {
+            case 'pre_request':
+            case 'pre_tool_input':
+                return this.redactPII(context, phase);
+            case 'post_response':
+            case 'post_tool_output':
+                if (this.restoreOnResponse) {
+                    return this.restorePII(context, phase);
+                }
+                return this.allow(context);
+            default:
+                return this.allow(context);
+        }
+    }
+    redactPII(context, phase) {
+        let textToScan;
+        let field;
+        if (phase === 'pre_request') {
+            textToScan = context.prompt || '';
+            field = 'prompt';
+        }
+        else {
+            textToScan = JSON.stringify(context.toolArgs || {});
+            field = 'toolArgs';
+        }
+        if (!textToScan) {
+            return Promise.resolve(this.allow(context));
+        }
+        const detections = this.detector.detect(textToScan);
+        if (detections.length === 0) {
+            return Promise.resolve(this.allow(context));
+        }
+        // Log detections
+        if (this.logDetections) {
+            logger.info(`PII detected in ${field}:`, {
+                requestId: context.requestId,
+                types: [...new Set(detections.map((d) => d.type))],
+                count: detections.length,
+            });
+        }
+        // Pseudonymize
+        const { text: redactedText, mappings } = this.pseudonymizer.pseudonymize(textToScan, detections);
+        // Store mappings for potential restoration
+        context.metadata.set('pii_mappings', mappings);
+        // Record modification
+        this.addModification(context, phase, field, `Redacted ${detections.length} PII items: ${[...new Set(detections.map((d) => d.type))].join(', ')}`, undefined, // Don't store original (contains PII)
+        undefined // Don't store new (would expose placeholder patterns)
+        );
+        // Apply modification
+        if (phase === 'pre_request') {
+            context.prompt = redactedText;
+            // Also update the last message if present
+            if (context.messages.length > 0) {
+                const lastIndex = context.messages.length - 1;
+                context.messages[lastIndex] = {
+                    ...context.messages[lastIndex],
+                    content: redactedText,
+                };
+            }
+        }
+        else {
+            try {
+                context.toolArgs = JSON.parse(redactedText);
+            }
+            catch {
+                // If parse fails, store as string
+                context.toolArgs = { _redacted: redactedText };
+            }
+        }
+        return Promise.resolve(this.modify(context));
+    }
+    restorePII(context, phase) {
+        const mappings = context.metadata.get('pii_mappings');
+        if (!mappings || mappings.size === 0) {
+            return Promise.resolve(this.allow(context));
+        }
+        let textToRestore;
+        if (phase === 'post_response') {
+            textToRestore = context.response || '';
+        }
+        else {
+            textToRestore =
+                typeof context.toolResult === 'string'
+                    ? context.toolResult
+                    : JSON.stringify(context.toolResult);
+        }
+        if (!textToRestore) {
+            return Promise.resolve(this.allow(context));
+        }
+        const restoredText = this.pseudonymizer.restore(textToRestore, mappings);
+        // Only modify if something changed
+        if (restoredText === textToRestore) {
+            return Promise.resolve(this.allow(context));
+        }
+        this.addModification(context, phase, phase === 'post_response' ? 'response' : 'toolResult', `Restored ${mappings.size} PII placeholders`);
+        if (phase === 'post_response') {
+            context.response = restoredText;
+        }
+        else {
+            try {
+                context.toolResult = JSON.parse(restoredText);
+            }
+            catch {
+                context.toolResult = restoredText;
+            }
+        }
+        return Promise.resolve(this.modify(context));
+    }
+    /**
+     * Get detector for testing
+     */
+    getDetector() {
+        return this.detector;
+    }
+    /**
+     * Get pseudonymizer for testing
+     */
+    getPseudonymizer() {
+        return this.pseudonymizer;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/guardrails/plugins/pii-redactor/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/guardrails/plugins/pii-redactor/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAqB,MAAM,gBAAgB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAElD;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,mBAAmB;IACxD,IAAI,GAAG,cAAc,CAAC;IACtB,MAAM,GAAqB,CAAC,aAAa,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;IAE1F,QAAQ,CAAe;IACvB,aAAa,CAAiB;IAC9B,iBAAiB,GAAY,KAAK,CAAC;IACnC,aAAa,GAAY,IAAI,CAAC;IAEtC,KAAK,CAAC,UAAU,CAAC,MAA+B;QAC9C,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAE/B,MAAM,WAAW,GAAG,MAAoC,CAAC;QAEzD,MAAM,cAAc,GAAsB;YACxC,YAAY,EAAE,WAAW,CAAC,aAAa,IAAI,IAAI;YAC/C,YAAY,EAAE,WAAW,CAAC,aAAa,IAAI,IAAI;YAC/C,SAAS,EAAE,WAAW,CAAC,UAAU,IAAI,IAAI;YACzC,aAAa,EAAE,WAAW,CAAC,eAAe,IAAI,IAAI;YAClD,iBAAiB,EAAE,WAAW,CAAC,mBAAmB,IAAI,IAAI;YAC1D,iBAAiB,EAAE,WAAW,CAAC,mBAAmB,IAAI,KAAK;YAC3D,cAAc,EAAE,WAAW,CAAC,eAAe,IAAI,EAAE;YACjD,SAAS,EAAE,WAAW,CAAC,SAAS,IAAI,EAAE;YACtC,gBAAgB,EAAE,WAAW,CAAC,iBAAiB,IAAI,EAAE;SACtD,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,IAAI,WAAW,CAAC,cAAc,CAAC,CAAC;QAChD,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC,mBAAmB,IAAI,KAAK,CAAC;QAClE,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,cAAc,IAAI,IAAI,CAAC;QACxD,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAqB,EAAE,OAAyB;QAC5D,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,aAAa,CAAC;YACnB,KAAK,gBAAgB;gBACnB,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAExC,KAAK,eAAe,CAAC;YACrB,KAAK,kBAAkB;gBACrB,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;oBAC3B,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBACzC,CAAC;gBACD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAE7B;gBACE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAEO,SAAS,CACf,OAAyB,EACzB,KAAqB;QAErB,IAAI,UAAkB,CAAC;QACvB,IAAI,KAAa,CAAC;QAElB,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YAC5B,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YAClC,KAAK,GAAG,QAAQ,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;YACpD,KAAK,GAAG,UAAU,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEpD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,iBAAiB;QACjB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,mBAAmB,KAAK,GAAG,EAAE;gBACvC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,KAAK,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;gBAClD,KAAK,EAAE,UAAU,CAAC,MAAM;aACzB,CAAC,CAAC;QACL,CAAC;QAED,eAAe;QACf,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CACtE,UAAU,EACV,UAAU,CACX,CAAC;QAEF,2CAA2C;QAC3C,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;QAE/C,sBAAsB;QACtB,IAAI,CAAC,eAAe,CAClB,OAAO,EACP,KAAK,EACL,KAAK,EACL,YAAY,UAAU,CAAC,MAAM,eAAe,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACpG,SAAS,EAAE,sCAAsC;QACjD,SAAS,CAAE,sDAAsD;SAClE,CAAC;QAEF,qBAAqB;QACrB,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YAC5B,OAAO,CAAC,MAAM,GAAG,YAAY,CAAC;YAC9B,0CAA0C;YAC1C,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChC,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;gBAC9C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG;oBAC5B,GAAG,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC9B,OAAO,EAAE,YAAY;iBACtB,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAA4B,CAAC;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kCAAkC;gBAClC,OAAO,CAAC,QAAQ,GAAG,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;YACjD,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/C,CAAC;IAEO,UAAU,CAChB,OAAyB,EACzB,KAAqB;QAErB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAoC,CAAC;QAEzF,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACrC,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,aAAqB,CAAC;QAE1B,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,aAAa,GAAG,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,aAAa;gBACX,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;oBACpC,CAAC,CAAC,OAAO,CAAC,UAAU;oBACpB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAEzE,mCAAmC;QACnC,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YACnC,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,CAAC,eAAe,CAClB,OAAO,EACP,KAAK,EACL,KAAK,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,EACrD,YAAY,QAAQ,CAAC,IAAI,mBAAmB,CAC7C,CAAC;QAEF,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,OAAO,CAAC,QAAQ,GAAG,YAAY,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAY,CAAC;YAC3D,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,UAAU,GAAG,YAAY,CAAC;YACpC,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;CACF"}

package/dist/guardrails/plugins/pii-redactor/pseudonymizer.d.ts

@@ -0,0 +1,33 @@
+import { PIIDetection } from './detectors.js';
+/**
+ * Pseudonymizer - replaces PII with numbered placeholders
+ * and supports optional restoration
+ */
+export declare class Pseudonymizer {
+    private counters;
+    /**
+     * Pseudonymize text by replacing PII with placeholders
+     * Returns the modified text and a mapping for restoration
+     */
+    pseudonymize(text: string, detections: PIIDetection[]): {
+        text: string;
+        mappings: Map<string, string>;
+    };
+    /**
+     * Restore placeholders in text with original values
+     */
+    restore(text: string, mappings: Map<string, string>): string;
+    /**
+     * Generate a placeholder for a PII type
+     */
+    private generatePlaceholder;
+    /**
+     * Escape special regex characters in a string
+     */
+    private escapeRegex;
+    /**
+     * Reset counters (for testing)
+     */
+    reset(): void;
+}
+//# sourceMappingURL=pseudonymizer.d.ts.map

package/dist/guardrails/plugins/pii-redactor/pseudonymizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pseudonymizer.d.ts","sourceRoot":"","sources":["../../../../src/guardrails/plugins/pii-redactor/pseudonymizer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAW,MAAM,gBAAgB,CAAC;AAEvD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAmC;IAEnD;;;OAGG;IACH,YAAY,CACV,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,YAAY,EAAE,GACzB;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE;IAwBlD;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM;IAc5D;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,WAAW;IAInB;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd"}

package/dist/guardrails/plugins/pii-redactor/pseudonymizer.js

@@ -0,0 +1,70 @@
+/**
+ * Pseudonymizer - replaces PII with numbered placeholders
+ * and supports optional restoration
+ */
+export class Pseudonymizer {
+    counters = new Map();
+    /**
+     * Pseudonymize text by replacing PII with placeholders
+     * Returns the modified text and a mapping for restoration
+     */
+    pseudonymize(text, detections) {
+        const mappings = new Map();
+        let result = text;
+        let offset = 0;
+        // Reset counters for consistent numbering
+        this.counters.clear();
+        for (const detection of detections) {
+            const placeholder = this.generatePlaceholder(detection.type);
+            mappings.set(placeholder, detection.value);
+            // Replace in text (accounting for previous replacements)
+            const start = detection.startIndex + offset;
+            const end = detection.endIndex + offset;
+            result = result.substring(0, start) + placeholder + result.substring(end);
+            // Adjust offset for next replacement
+            offset += placeholder.length - detection.value.length;
+        }
+        return { text: result, mappings };
+    }
+    /**
+     * Restore placeholders in text with original values
+     */
+    restore(text, mappings) {
+        let result = text;
+        for (const [placeholder, original] of mappings) {
+            // Use global replace to handle multiple occurrences
+            result = result.replace(new RegExp(this.escapeRegex(placeholder), 'g'), original);
+        }
+        return result;
+    }
+    /**
+     * Generate a placeholder for a PII type
+     */
+    generatePlaceholder(type) {
+        const count = (this.counters.get(type) || 0) + 1;
+        this.counters.set(type, count);
+        const typeLabels = {
+            email: 'EMAIL',
+            phone: 'PHONE',
+            ssn: 'SSN',
+            api_key: 'API_KEY',
+            credit_card: 'CARD',
+            ip_address: 'IP',
+            custom: 'REDACTED',
+        };
+        return `[${typeLabels[type]}_${count}]`;
+    }
+    /**
+     * Escape special regex characters in a string
+     */
+    escapeRegex(str) {
+        return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    }
+    /**
+     * Reset counters (for testing)
+     */
+    reset() {
+        this.counters.clear();
+    }
+}
+//# sourceMappingURL=pseudonymizer.js.map

package/dist/guardrails/plugins/pii-redactor/pseudonymizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pseudonymizer.js","sourceRoot":"","sources":["../../../../src/guardrails/plugins/pii-redactor/pseudonymizer.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,OAAO,aAAa;IAChB,QAAQ,GAAyB,IAAI,GAAG,EAAE,CAAC;IAEnD;;;OAGG;IACH,YAAY,CACV,IAAY,EACZ,UAA0B;QAE1B,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC3C,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,0CAA0C;QAC1C,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAEtB,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,WAAW,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC7D,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;YAE3C,yDAAyD;YACzD,MAAM,KAAK,GAAG,SAAS,CAAC,UAAU,GAAG,MAAM,CAAC;YAC5C,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,GAAG,MAAM,CAAC;YACxC,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAE1E,qCAAqC;YACrC,MAAM,IAAI,WAAW,CAAC,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC;QACxD,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,IAAY,EAAE,QAA6B;QACjD,IAAI,MAAM,GAAG,IAAI,CAAC;QAElB,KAAK,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAC;YAC/C,oDAAoD;YACpD,MAAM,GAAG,MAAM,CAAC,OAAO,CACrB,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,GAAG,CAAC,EAC9C,QAAQ,CACT,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,IAAa;QACvC,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAE/B,MAAM,UAAU,GAA4B;YAC1C,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,OAAO;YACd,GAAG,EAAE,KAAK;YACV,OAAO,EAAE,SAAS;YAClB,WAAW,EAAE,MAAM;YACnB,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,UAAU;SACnB,CAAC;QAEF,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW;QAC7B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;CACF"}

package/dist/guardrails/plugins/rate-limiter.d.ts

@@ -0,0 +1,28 @@
+import { BaseGuardrailPlugin } from './base-plugin.js';
+import { GuardrailPhase, GuardrailContext, GuardrailResult } from '../types.js';
+/**
+ * Rate limiter plugin - limits requests per minute/hour
+ */
+export declare class RateLimiterPlugin extends BaseGuardrailPlugin {
+    name: string;
+    phases: GuardrailPhase[];
+    private requestsPerMinute;
+    private requestsPerHour;
+    private perProvider;
+    private burstAllowance;
+    private requestHistory;
+    initialize(config: Record<string, unknown>): Promise<void>;
+    execute(phase: GuardrailPhase, context: GuardrailContext): Promise<GuardrailResult>;
+    /**
+     * Get current request counts (for testing/monitoring)
+     */
+    getRequestCounts(key?: string): {
+        lastMinute: number;
+        lastHour: number;
+    };
+    /**
+     * Reset request history (for testing)
+     */
+    reset(): void;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/guardrails/plugins/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../../src/guardrails/plugins/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAOhF;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,mBAAmB;IACxD,IAAI,SAAkB;IACtB,MAAM,EAAE,cAAc,EAAE,CAAmB;IAE3C,OAAO,CAAC,iBAAiB,CAAc;IACvC,OAAO,CAAC,eAAe,CAAgB;IACvC,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,cAAc,CAAa;IAGnC,OAAO,CAAC,cAAc,CAA2C;IAE3D,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAWhE,OAAO,CAAC,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAsFnF;;OAEG;IACH,gBAAgB,CAAC,GAAG,GAAE,MAAiB,GAAG;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE;IAYlF;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd"}

package/dist/guardrails/plugins/rate-limiter.js

@@ -0,0 +1,91 @@
+import { BaseGuardrailPlugin } from './base-plugin.js';
+/**
+ * Rate limiter plugin - limits requests per minute/hour
+ */
+export class RateLimiterPlugin extends BaseGuardrailPlugin {
+    name = 'rate_limiter';
+    phases = ['pre_request'];
+    requestsPerMinute = 60;
+    requestsPerHour = 1000;
+    perProvider = false;
+    burstAllowance = 5;
+    // Request history: key is provider (or 'global'), value is array of timestamps
+    requestHistory = new Map();
+    async initialize(config) {
+        await super.initialize(config);
+        const typedConfig = config;
+        this.requestsPerMinute = typedConfig.requests_per_minute ?? 60;
+        this.requestsPerHour = typedConfig.requests_per_hour ?? 1000;
+        this.perProvider = typedConfig.per_provider ?? false;
+        this.burstAllowance = typedConfig.burst_allowance ?? 5;
+        this.priority = typedConfig.priority ?? 10;
+    }
+    execute(phase, context) {
+        if (phase !== 'pre_request') {
+            return Promise.resolve(this.allow(context));
+        }
+        const key = this.perProvider ? context.provider : 'global';
+        const now = Date.now();
+        // Get or create request history for this key
+        let history = this.requestHistory.get(key);
+        if (!history) {
+            history = [];
+            this.requestHistory.set(key, history);
+        }
+        // Clean up old entries (older than 1 hour)
+        const oneHourAgo = now - 60 * 60 * 1000;
+        history = history.filter((r) => r.timestamp > oneHourAgo);
+        // Remove empty keys to prevent unbounded Map growth with perProvider mode
+        if (history.length === 0) {
+            this.requestHistory.delete(key);
+            history = [];
+        }
+        else {
+            this.requestHistory.set(key, history);
+        }
+        // Count requests in last minute and last hour
+        const oneMinuteAgo = now - 60 * 1000;
+        const requestsLastMinute = history.filter((r) => r.timestamp > oneMinuteAgo).length;
+        const requestsLastHour = history.length;
+        // Check rate limits (with burst allowance)
+        const effectiveMinuteLimit = this.requestsPerMinute + this.burstAllowance;
+        const effectiveHourLimit = this.requestsPerHour + this.burstAllowance;
+        if (requestsLastMinute >= effectiveMinuteLimit) {
+            this.addViolation(context, phase, 'requests_per_minute', 'error', `Rate limit exceeded: ${requestsLastMinute} requests in the last minute (limit: ${this.requestsPerMinute})`, { requestsLastMinute, limit: this.requestsPerMinute });
+            return Promise.resolve(this.block(context, `Rate limit exceeded: ${requestsLastMinute}/${this.requestsPerMinute} requests per minute`));
+        }
+        if (requestsLastHour >= effectiveHourLimit) {
+            this.addViolation(context, phase, 'requests_per_hour', 'error', `Rate limit exceeded: ${requestsLastHour} requests in the last hour (limit: ${this.requestsPerHour})`, { requestsLastHour, limit: this.requestsPerHour });
+            return Promise.resolve(this.block(context, `Rate limit exceeded: ${requestsLastHour}/${this.requestsPerHour} requests per hour`));
+        }
+        // Log warning if approaching limit
+        if (requestsLastMinute >= this.requestsPerMinute * 0.8) {
+            this.addViolation(context, phase, 'requests_per_minute_warning', 'warning', `Approaching rate limit: ${requestsLastMinute}/${this.requestsPerMinute} requests per minute`, { requestsLastMinute, limit: this.requestsPerMinute });
+        }
+        // Record this request
+        history.push({ timestamp: now });
+        // Ensure history is stored in Map (needed after empty cleanup)
+        this.requestHistory.set(key, history);
+        return Promise.resolve(this.allow(context));
+    }
+    /**
+     * Get current request counts (for testing/monitoring)
+     */
+    getRequestCounts(key = 'global') {
+        const now = Date.now();
+        const history = this.requestHistory.get(key) || [];
+        const oneMinuteAgo = now - 60 * 1000;
+        const oneHourAgo = now - 60 * 60 * 1000;
+        return {
+            lastMinute: history.filter((r) => r.timestamp > oneMinuteAgo).length,
+            lastHour: history.filter((r) => r.timestamp > oneHourAgo).length,
+        };
+    }
+    /**
+     * Reset request history (for testing)
+     */
+    reset() {
+        this.requestHistory.clear();
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/guardrails/plugins/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../../src/guardrails/plugins/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAQvD;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,mBAAmB;IACxD,IAAI,GAAG,cAAc,CAAC;IACtB,MAAM,GAAqB,CAAC,aAAa,CAAC,CAAC;IAEnC,iBAAiB,GAAW,EAAE,CAAC;IAC/B,eAAe,GAAW,IAAI,CAAC;IAC/B,WAAW,GAAY,KAAK,CAAC;IAC7B,cAAc,GAAW,CAAC,CAAC;IAEnC,+EAA+E;IACvE,cAAc,GAAiC,IAAI,GAAG,EAAE,CAAC;IAEjE,KAAK,CAAC,UAAU,CAAC,MAA+B;QAC9C,MAAM,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAE/B,MAAM,WAAW,GAAG,MAAoC,CAAC;QACzD,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC,mBAAmB,IAAI,EAAE,CAAC;QAC/D,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,iBAAiB,IAAI,IAAI,CAAC;QAC7D,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,YAAY,IAAI,KAAK,CAAC;QACrD,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,eAAe,IAAI,CAAC,CAAC;QACvD,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC;IAC7C,CAAC;IAED,OAAO,CAAC,KAAqB,EAAE,OAAyB;QACtD,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;YAC5B,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,6CAA6C;QAC7C,IAAI,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,2CAA2C;QAC3C,MAAM,UAAU,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACxC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,UAAU,CAAC,CAAC;QAE1D,0EAA0E;QAC1E,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChC,OAAO,GAAG,EAAE,CAAC;QACf,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,8CAA8C;QAC9C,MAAM,YAAY,GAAG,GAAG,GAAG,EAAE,GAAG,IAAI,CAAC;QACrC,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,YAAY,CAAC,CAAC,MAAM,CAAC;QACpF,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC;QAExC,2CAA2C;QAC3C,MAAM,oBAAoB,GAAG,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,cAAc,CAAC;QAC1E,MAAM,kBAAkB,GAAG,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC;QAEtE,IAAI,kBAAkB,IAAI,oBAAoB,EAAE,CAAC;YAC/C,IAAI,CAAC,YAAY,CACf,OAAO,EACP,KAAK,EACL,qBAAqB,EACrB,OAAO,EACP,wBAAwB,kBAAkB,wCAAwC,IAAI,CAAC,iBAAiB,GAAG,EAC3G,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,CAAC,iBAAiB,EAAE,CACtD,CAAC;YACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAC/B,OAAO,EACP,wBAAwB,kBAAkB,IAAI,IAAI,CAAC,iBAAiB,sBAAsB,CAC3F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,gBAAgB,IAAI,kBAAkB,EAAE,CAAC;YAC3C,IAAI,CAAC,YAAY,CACf,OAAO,EACP,KAAK,EACL,mBAAmB,EACnB,OAAO,EACP,wBAAwB,gBAAgB,sCAAsC,IAAI,CAAC,eAAe,GAAG,EACrG,EAAE,gBAAgB,EAAE,KAAK,EAAE,IAAI,CAAC,eAAe,EAAE,CAClD,CAAC;YACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAC/B,OAAO,EACP,wBAAwB,gBAAgB,IAAI,IAAI,CAAC,eAAe,oBAAoB,CACrF,CAAC,CAAC;QACL,CAAC;QAED,mCAAmC;QACnC,IAAI,kBAAkB,IAAI,IAAI,CAAC,iBAAiB,GAAG,GAAG,EAAE,CAAC;YACvD,IAAI,CAAC,YAAY,CACf,OAAO,EACP,KAAK,EACL,6BAA6B,EAC7B,SAAS,EACT,2BAA2B,kBAAkB,IAAI,IAAI,CAAC,iBAAiB,sBAAsB,EAC7F,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,CAAC,iBAAiB,EAAE,CACtD,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;QACjC,+DAA+D;QAC/D,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAEtC,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,MAAc,QAAQ;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,YAAY,GAAG,GAAG,GAAG,EAAE,GAAG,IAAI,CAAC;QACrC,MAAM,UAAU,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAExC,OAAO;YACL,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,YAAY,CAAC,CAAC,MAAM;YACpE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,UAAU,CAAC,CAAC,MAAM;SACjE,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;CACF"}