onion-ai 1.0.4 → 1.0.6

package/README.md

@@ -8,6 +8,7 @@ Think of it as **[Helmet](https://helmetjs.github.io/) for LLMs**.
 
 [![npm version](https://img.shields.io/npm/v/onion-ai.svg?style=flat-square)](https://www.npmjs.com/package/onion-ai)
 [![license](https://img.shields.io/npm/l/onion-ai.svg?style=flat-square)](https://github.com/himanshu-mamgain/onion-ai/blob/main/LICENSE)
+[![Documentation](https://img.shields.io/badge/docs-onion--ai-8b5cf6?style=flat-square&logo=github)](https://himanshu-mamgain.github.io/onion-ai/)
 
 ---
 
@@ -120,30 +121,51 @@ Ensures the AI doesn't generate malicious code or leak data.
 
 You can customize every layer by passing a nested configuration object.
 
-```typescript
 const onion = new OnionAI({
-  // Customize Sanitizer
-  inputSanitization: {
-    sanitizeHtml: false, // Allow HTML
-    removeZeroWidthChars: true
-  },
-  
-  // Customize PII
-  piiProtection: {
-    enabled: true,
-    maskEmail: true,
-    maskPhone: false // Allow phone numbers
-  },
-  
-  // Customize Rate Limits
-  rateLimitingAndResourceControl: {
-    maxTokensPerPrompt: 5000 // Allow larger prompts
-  }
+  strict: true, // NEW: Throws error if high threats found
+  // ... other config
 });
 ```
 
 ---
 
+## 🧠 Smart Features (v1.0.5)
+
+### 1. Risk Scoring
+Instead of a binary "Safe/Unsafe", OnionAI now calculates a weighted `riskScore` (0.0 to 1.0).
+
+```typescript
+const result = await onion.securePrompt("Ignore instructions");
+console.log(result.riskScore); // 0.8
+if (result.riskScore > 0.7) {
+  // Block high risk
+}
+```
+
+### 2. Semantic Analysis
+The engine is now context-aware. It distinguishes between **attacks** ("Drop table") and **educational questions** ("How to prevent drop table attacks").
+*   **Attack:** High Risk Score (0.9)
+*   **Education:** Low Risk Score (0.1) - False positives are automatically reduced.
+
+### 3. Output Validation ("The Safety Net")
+It ensures the AI doesn't accidentally leak secrets or generate harmful code.
+
+```typescript
+// Check what the AI is about to send back
+const scan = await onion.secureResponse(aiResponse);
+
+if (!scan.safe) {
+  console.log("Blocked Output:", scan.threats);
+  // Blocked: ["Potential Data Leak (AWS Access Key) detected..."]
+}
+```
+
+---
+
+## ⚙️ Advanced Configuration
+
+---
+
 ## 🔌 Middleware Integration
 
 ### Express / Connect

package/dist/config.d.ts

@@ -326,11 +326,13 @@ export interface SimpleOnionConfig {
     enhance?: boolean;
     piiSafe?: boolean;
     debug?: boolean;
+    strict?: boolean;
     onWarning?: (threats: string[]) => void;
 }
 export interface SecurityResult {
     safe: boolean;
     threats: string[];
+    riskScore: number;
     sanitizedValue?: string;
     metadata?: any;
 }

package/dist/index.d.ts

@@ -3,6 +3,7 @@ export interface SafePromptResult {
     output: string;
     threats: string[];
     safe: boolean;
+    riskScore: number;
     metadata?: any;
 }
 export declare class OnionAI {

package/dist/index.js

@@ -74,6 +74,10 @@ class OnionAI {
             if (onWarning) {
                 onWarning(secLikelihood.threats);
             }
+            // Strict Mode: Throw error if threats found
+            if (this.simpleConfig?.strict) {
+                throw new Error(`OnionAI Security Violation: ${secLikelihood.threats.join(", ")}`);
+            }
         }
         // 2. Enhance (if enabled)
         // We always try to enhance the output we have, even if it had warnings (as long as it wasn't empty)
@@ -87,33 +91,45 @@ class OnionAI {
     async securePrompt(prompt) {
         const threats = [];
         let sanitizedPrompt = prompt;
+        let cumulativeRiskScore = 0.0;
         // 1. Sanitization (XSS / Hidden chars)
         const sanResult = this.sanitizer.validate(prompt);
         sanitizedPrompt = sanResult.sanitizedValue || prompt;
+        // Sanitizer doesn't really have a risk score yet, assume 0 or low if modified
+        if (!sanResult.safe) {
+            cumulativeRiskScore = Math.max(cumulativeRiskScore, 0.1);
+        }
         // 1.5 PII Redaction
         const piiResult = this.privacy.anonymize(sanitizedPrompt);
         sanitizedPrompt = piiResult.sanitizedValue || sanitizedPrompt;
-        if (!piiResult.safe)
+        if (!piiResult.safe) {
             threats.push(...piiResult.threats);
+            cumulativeRiskScore = Math.max(cumulativeRiskScore, 0.4); // PII is medium risk
+        }
         // 2. Prompt Injection (Firewall)
         // Only run if configured enabled (defaults true)
         const guardResult = this.guard.check(sanitizedPrompt);
         if (!guardResult.safe)
             threats.push(...guardResult.threats);
+        cumulativeRiskScore = Math.max(cumulativeRiskScore, guardResult.riskScore || 0);
         // 3. DB Guard
         if (this.config.dbProtection.enabled) {
             const vaultResult = this.vault.checkSQL(sanitizedPrompt);
             if (!vaultResult.safe)
                 threats.push(...vaultResult.threats);
+            cumulativeRiskScore = Math.max(cumulativeRiskScore, vaultResult.riskScore || 0);
         }
-        // 4. Resource Control (Rate limits check excluded for stateless call, but Token Check relevant)
+        // 4. Resource Control
         const tokenCheck = this.sentry.checkTokenCount(sanitizedPrompt);
-        if (!tokenCheck.safe)
+        if (!tokenCheck.safe) {
             threats.push(...tokenCheck.threats);
+            cumulativeRiskScore = Math.max(cumulativeRiskScore, 0.2);
+        }
         return {
             output: sanitizedPrompt,
             threats,
             safe: threats.length === 0,
+            riskScore: cumulativeRiskScore,
             metadata: {
                 estimatedTokens: tokenCheck.metadata?.estimatedTokens
             }

package/dist/layers/guard.js

@@ -7,39 +7,72 @@ class Guard {
     }
     check(input) {
         const threats = [];
+        let riskScore = 0.0;
         const lowerInput = input.toLowerCase();
         const normalizedInput = this.normalize(input);
-        // Check for blocked phrases (Standard)
+        // Positive Risk Factors (Raise Risk)
+        // 1. Blocked Phrases (Highest weighting)
         for (const phrase of this.config.blockPhrases) {
             if (lowerInput.includes(phrase.toLowerCase())) {
                 threats.push(`Blocked phrase detected: "${phrase}"`);
+                riskScore += 1.0;
             }
-            // Check for obfuscated blocked phrases
             const normalizedPhrase = this.normalize(phrase);
             if (normalizedInput.includes(normalizedPhrase) && !lowerInput.includes(phrase.toLowerCase())) {
-                threats.push(`Obfuscated blocked phrase detected: "${phrase}" (hidden as "${this.findHiddenMatch(input, phrase)}")`);
+                threats.push(`Obfuscated blocked phrase detected: "${phrase}"`);
+                riskScore += 0.9;
             }
         }
-        // Heuristics for prompt injection
+        // 2. Heuristics (Medium weighting 0.4 - 0.7)
         const injectionPatterns = [
-            /translate\s+the\s+above/i,
-            /ignore\s+all\s+previous/i,
-            /instead\s+of/i,
-            /system\s+prompt/i,
-            /you\s+are\s+now/i,
-            /disregard\s+instructions/i,
-            /bypass\s+restrictions/i,
-            /DAN\s+Mode/i,
-            /do\s+anything\s+now/i
+            { pattern: /translate\s+the\s+above/i, weight: 0.4 },
+            { pattern: /ignore\s+all\s+previous/i, weight: 0.8 },
+            { pattern: /instead\s+of/i, weight: 0.3 },
+            { pattern: /system\s+prompt/i, weight: 0.6 },
+            { pattern: /you\s+are\s+now/i, weight: 0.7 },
+            { pattern: /disregard\s+instructions/i, weight: 0.8 },
+            { pattern: /bypass\s+restrictions/i, weight: 0.8 },
+            { pattern: /DAN\s+Mode/i, weight: 0.9 },
+            { pattern: /do\s+anything\s+now/i, weight: 0.8 }
         ];
-        for (const pattern of injectionPatterns) {
-            if (pattern.test(input)) {
-                threats.push(`Potential prompt injection pattern detected: ${pattern}`);
+        for (const item of injectionPatterns) {
+            if (item.pattern.test(input)) {
+                threats.push(`Potential prompt injection pattern detected: ${item.pattern}`);
+                riskScore += item.weight;
             }
         }
+        // 3. Semantic Analysis (Context Awareness)
+        // Reduce risk if user seems to be asking for educational content.
+        // E.g. "How do I prevent 'ignore previous instructions'?"
+        const educationalContexts = [
+            "how to prevent",
+            "how do i prevent",
+            "example of",
+            "what is a",
+            "explain the attack",
+            "security research"
+        ];
+        let safeContextFound = false;
+        for (const context of educationalContexts) {
+            if (lowerInput.includes(context)) {
+                safeContextFound = true;
+                break;
+            }
+        }
+        if (safeContextFound) {
+            // Apply semantic reduction. 
+            // If the risk score was raised purely by words like "ignore previous", we assume it's a false positive.
+            if (riskScore > 0 && riskScore < 1.5) { // If slightly suspicious but education context found
+                threats.push("Semantic Context: Detected educational/prevention context. Reducing risk.");
+                riskScore = Math.max(0, riskScore - 0.5); // Reduce risk significantly
+            }
+        }
+        // Cap Risk Score
+        riskScore = Math.min(1.0, riskScore);
         return {
-            safe: threats.length === 0,
-            threats
+            safe: threats.length === 0 || (safeContextFound && riskScore < 0.5),
+            threats,
+            riskScore
         };
     }
     normalize(input) {

package/dist/layers/privacy.js

@@ -7,7 +7,7 @@ class Privacy {
     }
     anonymize(input) {
         if (!this.config.enabled)
-            return { safe: true, threats: [] };
+            return { safe: true, threats: [], riskScore: 0 };
         let sanitizedValue = input;
         const threats = [];
         // Regex patterns for PII
@@ -59,7 +59,8 @@ class Privacy {
         return {
             safe: threats.length === 0, // It is technically "safe" now that it is redacted, but we flag the threat presence
             threats,
-            sanitizedValue
+            sanitizedValue,
+            riskScore: threats.length > 0 ? 0.6 : 0
         };
     }
 }

package/dist/layers/sanitizer.js

@@ -71,7 +71,8 @@ class Sanitizer {
         return {
             safe: true, // Sanitization makes it "safe" by modification
             threats,
-            sanitizedValue
+            sanitizedValue,
+            riskScore: threats.length > 0 ? 0.1 : 0
         };
     }
 }

package/dist/layers/sentry.js

@@ -14,11 +14,12 @@ class Sentry {
         if (this.requestHistory.length >= this.config.maxRequestsPerMinute) {
             return {
                 safe: false,
-                threats: ["Rate limit exceeded (Max requests per minute)"]
+                threats: ["Rate limit exceeded (Max requests per minute)"],
+                riskScore: 1.0
             };
         }
         this.requestHistory.push({ timestamp: now });
-        return { safe: true, threats: [] };
+        return { safe: true, threats: [], riskScore: 0 };
     }
     checkTokenCount(prompt) {
         const threats = [];
@@ -30,7 +31,8 @@ class Sentry {
         return {
             safe: threats.length === 0,
             threats,
-            metadata: { estimatedTokens }
+            metadata: { estimatedTokens },
+            riskScore: threats.length > 0 ? 0.3 : 0
         };
     }
 }

package/dist/layers/validator.js

@@ -7,48 +7,58 @@ class Validator {
     }
     validateOutput(output) {
         const threats = [];
+        let riskScore = 0.0;
         if (this.config.checkPII) {
             const piiPatterns = [
-                /\b\d{3}-\d{2}-\d{4}\b/, // SSN
-                /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/i, // Email
-                /\b(?:\d{4}-){3}\d{4}\b/, // Credit Card
+                { pattern: /\b\d{3}-\d{2}-\d{4}\b/, name: "SSN", score: 0.9 },
+                { pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/i, name: "Email", score: 0.7 },
+                { pattern: /\b(?:\d{4}[-\s]?){3}\d{4}\b/, name: "Credit Card", score: 0.9 },
+                { pattern: /\b1\d{2}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/, name: "Internal IP Pattern", score: 0.6 } // Very rough check
             ];
-            for (const pattern of piiPatterns) {
-                if (pattern.test(output)) {
-                    threats.push("Potential PII (Sensitive Data) detected in output");
-                    break;
+            for (const item of piiPatterns) {
+                if (item.pattern.test(output)) {
+                    threats.push(`Potential PII (${item.name}) detected in output`);
+                    riskScore = Math.max(riskScore, item.score);
                 }
             }
         }
         if (this.config.preventDataLeak) {
             const apiKeyPatterns = [
-                /sk-[a-zA-Z0-9]{32,}/, // OpenAI
-                /AIza[a-zA-Z0-9_-]{35}/, // Google
+                { pattern: /sk-[a-zA-Z0-9]{32,}/, name: "OpenAI API Key" },
+                { pattern: /AIza[a-zA-Z0-9_-]{35}/, name: "Google API Key" },
+                { pattern: /AKIA[0-9A-Z]{16}/, name: "AWS Access Key" },
+                { pattern: /ghp_[a-zA-Z0-9]{36}/, name: "GitHub Token" },
+                { pattern: /xox[baprs]-[a-zA-Z0-9]{10,48}/, name: "Slack Token" }
             ];
-            for (const pattern of apiKeyPatterns) {
-                if (pattern.test(output)) {
-                    threats.push("Potential API Key leak detected in output");
-                    break;
+            for (const item of apiKeyPatterns) {
+                if (item.pattern.test(output)) {
+                    threats.push(`Potential Data Leak (${item.name}) detected in output`);
+                    riskScore = 1.0; // Critical leak
                 }
             }
         }
         if (this.config.blockMaliciousCommands) {
             const maliciousCommands = [
-                /rm -rf/i,
+                /rm -rf /i,
                 /format c:/i,
                 /:(){:|:&};:/, // Fork bomb
-                /chmod 777/i
+                /chmod 777 /i,
+                /wget http/i,
+                /curl http/i
             ];
             for (const pattern of maliciousCommands) {
                 if (pattern.test(output)) {
                     threats.push("Malicious command detected in output");
-                    break;
+                    riskScore = 1.0;
                 }
             }
         }
+        // We do typically want Redaction in secureResponse too, but that's a larger change to use the Privacy layer here.
+        // For now, validator is purely a "Check".
         return {
             safe: threats.length === 0,
-            threats
+            threats,
+            riskScore
         };
     }
 }

package/dist/layers/vault.js

@@ -7,38 +7,47 @@ class Vault {
     }
     checkSQL(query) {
         if (!this.config.enabled)
-            return { safe: true, threats: [] };
+            return { safe: true, threats: [], riskScore: 0 };
         const threats = [];
+        let riskScore = 0.0;
         const upperQuery = query.toUpperCase();
-        // Check for forbidden statements
+        // 1. Forbidden Keywords (Critical)
         for (const statement of this.config.forbiddenStatements) {
-            if (upperQuery.includes(statement.toUpperCase())) {
+            const regex = new RegExp(`\\b${statement}\\b`, 'i');
+            if (regex.test(query)) {
                 threats.push(`Forbidden SQL statement detected: ${statement}`);
+                riskScore += 1.0;
             }
         }
-        // If read-only mode, only SELECT is usually allowed
+        // 2. Read-Only Enforcement (Moderate)
         if (this.config.mode === 'read-only') {
-            const isSelect = upperQuery.trim().startsWith('SELECT');
-            if (!isSelect && query.trim().length > 0) {
-                threats.push("Non-SELECT query detected in read-only mode");
+            const firstWord = upperQuery.split(/\s+/)[0];
+            const sqlCommands = ["INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "GRANT", "REVOKE", "TRUNCATE", "MERGE", "REPLACE", "UPSERT"];
+            if (sqlCommands.includes(firstWord)) {
+                threats.push(`Non-SELECT query detected in read-only mode (starts with ${firstWord})`);
+                riskScore += 0.8;
             }
         }
-        // Check for common SQL injection markers
+        // 3. Injection Markers (High)
         const sqlInjectionMarkers = [
-            /--/,
-            /\/\*/,
-            /;\s*DROP/i,
-            /UNION\s+SELECT/i,
-            /'\s*OR\s*'\d+'\s*=\s*'\d+/i
+            { pattern: /--/, weight: 0.6 },
+            { pattern: /\/\*/, weight: 0.6 },
+            { pattern: /;\s*DROP/i, weight: 1.0 },
+            { pattern: /UNION\s+SELECT/i, weight: 1.0 },
+            { pattern: /'\s*OR\s*'\d+'\s*=\s*'\d+/i, weight: 1.0 },
+            { pattern: /'\s*=\s*'/i, weight: 0.8 }
         ];
-        for (const marker of sqlInjectionMarkers) {
-            if (marker.test(query)) {
-                threats.push(`Potential SQL injection marker detected: ${marker}`);
+        for (const item of sqlInjectionMarkers) {
+            if (item.pattern.test(query)) {
+                threats.push(`Potential SQL injection marker detected: ${item.pattern}`);
+                riskScore += item.weight;
             }
         }
+        riskScore = Math.min(1.0, riskScore);
         return {
             safe: threats.length === 0,
-            threats
+            threats,
+            riskScore
         };
     }
 }

package/dist/presets.d.ts

@@ -0,0 +1,17 @@
+import { OnionInputConfig } from './config';
+export declare const OnionPresets: {
+    /**
+     * Recommended starting point. Balanced security.
+     */
+    STANDARD: OnionInputConfig;
+    /**
+     * Maximum security. High risk thresholds, strict mode enabled.
+     * Blocks almost all suspicious patterns.
+     */
+    STRICT_SECURITY: OnionInputConfig;
+    /**
+     * For educational or open-ended bots.
+     * Allows code examples, SQL keywords (in context), etc.
+     */
+    EDUCATIONAL: OnionInputConfig;
+};

package/dist/presets.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OnionPresets = void 0;
+exports.OnionPresets = {
+    /**
+     * Recommended starting point. Balanced security.
+     */
+    STANDARD: {
+        preventPromptInjection: true,
+        piiSafe: true,
+        dbSafe: true,
+        strict: false
+    },
+    /**
+     * Maximum security. High risk thresholds, strict mode enabled.
+     * Blocks almost all suspicious patterns.
+     */
+    STRICT_SECURITY: {
+        preventPromptInjection: true,
+        piiSafe: true,
+        dbSafe: true,
+        strict: true,
+        inputSanitization: {
+            sanitizeHtml: true,
+            removeScriptTags: true,
+            escapeSpecialChars: true
+        },
+        promptInjectionProtection: {
+            blockPhrases: [
+                "ignore previous instructions", "act as system", "you are root",
+                "reveal system prompt", "bypass", "jailbreak", "DAN mode", "Dev mode"
+            ],
+            checklistStrict: true // Hypothetical flag, or we just pass more patterns here
+        }
+    },
+    /**
+     * For educational or open-ended bots.
+     * Allows code examples, SQL keywords (in context), etc.
+     */
+    EDUCATIONAL: {
+        preventPromptInjection: true,
+        piiSafe: true,
+        dbSafe: false, // Allow SQL discussion
+        strict: false,
+        inputSanitization: {
+            sanitizeHtml: false, // Allow displaying HTML code examples
+            removeScriptTags: true // Still dangerous to run
+        }
+    }
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "onion-ai",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Layered security for AI prompting - input sanitization, injection protection, and output validation.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -17,6 +17,7 @@
     "type": "git",
     "url": "git+https://github.com/himanshu-mamgain/onion-ai.git"
   },
+  "homepage": "https://himanshu-mamgain.github.io/onion-ai/",
   "keywords": [
     "ai",
     "security",