onion-ai 1.0.6 → 1.1.0

package/README.md

@@ -160,6 +160,52 @@ if (!scan.safe) {
 }
 ```
 
+## ⚙️ Advanced Customization
+
+### 4. Custom PII Validators (New!)
+Need to mask internal IDs (like `TRIP-1234`)? You can now add custom patterns.
+
+```typescript
+const onion = new OnionAI({
+  piiProtection: {
+    enabled: true,
+    custom: [
+      { 
+        name: "Trip ID", 
+        pattern: /TRIP-\d{4}/, 
+        replaceWith: "[TRIP_ID]" 
+      }
+    ]
+  }
+});
+```
+
+### 5. Bring Your Own Logger (BYOL)
+Integrate OnionAI with your existing observability tools (Datadog, Winston, etc.).
+
+```typescript
+const onion = new OnionAI({
+  logger: {
+    log: (msg, meta) => console.log(`[OnionInfo] ${msg}`, meta),
+    error: (msg, meta) => console.error(`[OnionAlert] ${msg}`, meta)
+  }
+});
+```
+
+---
+
+## 🔐 OWASP LLM Top 10 Compliance
+Onion AI is designed to mitigate specific risks outlined in the [OWASP Top 10 for Large Language Model Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/).
+
+| OWASP Vulnerability | Onion AI Defense Layer | Mechanism |
+| :--- | :--- | :--- |
+| **LLM01: Prompt Injection** | **Guard Layer** | Blocks "Ignore Previous Instructions" & Jailbreak patterns. |
+| **LLM02: Sensitive Info Disclosure** | **Privacy Layer** | Redacts PII (SSN, Email, Phone) from inputs. |
+| **LLM02: Sensitive Info Disclosure** | **Validator Layer** | Scans output for accidental PII or Key leakage. |
+| **LLM04: Model Denial of Service** | **Sentry Layer** | Enforces Token limits & Rate limiting logic. |
+| **LLM06: Excessive Agency** | **Vault Layer** | Prevents destructive actions (DROP, DELETE) in SQL agents. |
+| **LLM02: Insecure Output Handling** | **Sanitizer Layer** | Strips XSS vectors (Scripts, HTML) from inputs. |
+
 ---
 
 ## ⚙️ Advanced Configuration

package/dist/config.d.ts

@@ -166,6 +166,22 @@ export declare const OnionConfigSchema: z.ZodObject<{
         maskCreditCard: z.ZodDefault<z.ZodBoolean>;
         maskSSN: z.ZodDefault<z.ZodBoolean>;
         maskIP: z.ZodDefault<z.ZodBoolean>;
+        custom: z.ZodDefault<z.ZodOptional<z.ZodArray<z.ZodObject<{
+            name: z.ZodString;
+            pattern: z.ZodOptional<z.ZodType<RegExp, z.ZodTypeDef, RegExp>>;
+            validator: z.ZodOptional<z.ZodFunction<z.ZodTuple<[z.ZodString], z.ZodUnknown>, z.ZodBoolean>>;
+            replaceWith: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            name: string;
+            pattern?: RegExp | undefined;
+            validator?: ((args_0: string, ...args: unknown[]) => boolean) | undefined;
+            replaceWith?: string | undefined;
+        }, {
+            name: string;
+            pattern?: RegExp | undefined;
+            validator?: ((args_0: string, ...args: unknown[]) => boolean) | undefined;
+            replaceWith?: string | undefined;
+        }>, "many">>>;
     }, "strip", z.ZodTypeAny, {
         enabled: boolean;
         maskEmail: boolean;
@@ -173,6 +189,12 @@ export declare const OnionConfigSchema: z.ZodObject<{
         maskCreditCard: boolean;
         maskSSN: boolean;
         maskIP: boolean;
+        custom: {
+            name: string;
+            pattern?: RegExp | undefined;
+            validator?: ((args_0: string, ...args: unknown[]) => boolean) | undefined;
+            replaceWith?: string | undefined;
+        }[];
     }, {
         enabled?: boolean | undefined;
         maskEmail?: boolean | undefined;
@@ -180,6 +202,19 @@ export declare const OnionConfigSchema: z.ZodObject<{
         maskCreditCard?: boolean | undefined;
         maskSSN?: boolean | undefined;
         maskIP?: boolean | undefined;
+        custom?: {
+            name: string;
+            pattern?: RegExp | undefined;
+            validator?: ((args_0: string, ...args: unknown[]) => boolean) | undefined;
+            replaceWith?: string | undefined;
+        }[] | undefined;
+    }>>;
+    logger: z.ZodOptional<z.ZodType<{
+        log: (message: string, meta?: any) => void;
+        error: (message: string, meta?: any) => void;
+    }, z.ZodTypeDef, {
+        log: (message: string, meta?: any) => void;
+        error: (message: string, meta?: any) => void;
     }>>;
 }, "strip", z.ZodTypeAny, {
     inputSanitization: {
@@ -248,7 +283,17 @@ export declare const OnionConfigSchema: z.ZodObject<{
         maskCreditCard: boolean;
         maskSSN: boolean;
         maskIP: boolean;
+        custom: {
+            name: string;
+            pattern?: RegExp | undefined;
+            validator?: ((args_0: string, ...args: unknown[]) => boolean) | undefined;
+            replaceWith?: string | undefined;
+        }[];
     };
+    logger?: {
+        log: (message: string, meta?: any) => void;
+        error: (message: string, meta?: any) => void;
+    } | undefined;
 }, {
     inputSanitization?: {
         sanitizeHtml?: boolean | undefined;
@@ -316,6 +361,16 @@ export declare const OnionConfigSchema: z.ZodObject<{
         maskCreditCard?: boolean | undefined;
         maskSSN?: boolean | undefined;
         maskIP?: boolean | undefined;
+        custom?: {
+            name: string;
+            pattern?: RegExp | undefined;
+            validator?: ((args_0: string, ...args: unknown[]) => boolean) | undefined;
+            replaceWith?: string | undefined;
+        }[] | undefined;
+    } | undefined;
+    logger?: {
+        log: (message: string, meta?: any) => void;
+        error: (message: string, meta?: any) => void;
     } | undefined;
 }>;
 export type OnionConfig = z.infer<typeof OnionConfigSchema>;
@@ -327,6 +382,10 @@ export interface SimpleOnionConfig {
     piiSafe?: boolean;
     debug?: boolean;
     strict?: boolean;
+    logger?: {
+        log: (message: string, meta?: any) => void;
+        error: (message: string, meta?: any) => void;
+    };
     onWarning?: (threats: string[]) => void;
 }
 export interface SecurityResult {

package/dist/config.js

@@ -132,7 +132,13 @@ exports.OnionConfigSchema = zod_1.z.object({
         maskPhone: zod_1.z.boolean().default(true),
         maskCreditCard: zod_1.z.boolean().default(true),
         maskSSN: zod_1.z.boolean().default(true),
-        maskIP: zod_1.z.boolean().default(true)
+        maskIP: zod_1.z.boolean().default(true),
+        custom: zod_1.z.array(zod_1.z.object({
+            name: zod_1.z.string(),
+            pattern: zod_1.z.instanceof(RegExp).optional(),
+            validator: zod_1.z.function().args(zod_1.z.string()).returns(zod_1.z.boolean()).optional(),
+            replaceWith: zod_1.z.string().optional()
+        })).optional().default([])
     }).default({
         enabled: false,
         maskEmail: true,
@@ -140,5 +146,7 @@ exports.OnionConfigSchema = zod_1.z.object({
         maskCreditCard: true,
         maskSSN: true,
         maskIP: true
-    })
+    }),
+    // Plugins & Logger (Optional runtime objects)
+    logger: zod_1.z.custom((val) => typeof val === 'object' && val !== null && 'log' in val).optional()
 });

package/dist/index.js

@@ -36,7 +36,8 @@ class OnionAI {
                 },
                 enhance: { enabled: config.enhance ?? false },
                 loggingMonitoringAndAudit: { logRequests: config.debug ?? false },
-                piiProtection: { enabled: config.piiSafe ?? false }
+                piiProtection: { enabled: config.piiSafe ?? false },
+                logger: config.logger
             };
         }
         else {
@@ -74,6 +75,10 @@ class OnionAI {
             if (onWarning) {
                 onWarning(secLikelihood.threats);
             }
+            // Custom Logger (Phase 1.2)
+            if (this.config.logger) {
+                this.config.logger.error("OnionAI Security Alert", { threats: secLikelihood.threats, riskScore: secLikelihood.riskScore });
+            }
             // Strict Mode: Throw error if threats found
             if (this.simpleConfig?.strict) {
                 throw new Error(`OnionAI Security Violation: ${secLikelihood.threats.join(", ")}`);

package/dist/layers/privacy.js

@@ -56,6 +56,28 @@ class Privacy {
                 threats.push("PII Detected: IP Address");
             }
         }
+        // Custom Validators (Phase 1.1)
+        if (this.config.custom && this.config.custom.length > 0) {
+            for (const validator of this.config.custom) {
+                // Regex Pattern Strategy
+                if (validator.pattern) {
+                    if (sanitizedValue.match(validator.pattern)) {
+                        const replacement = validator.replaceWith || `[${validator.name.toUpperCase()}_REDACTED]`;
+                        sanitizedValue = sanitizedValue.replace(validator.pattern, replacement);
+                        threats.push(`PII Detected: Custom (${validator.name})`);
+                    }
+                }
+                // Function Validator Strategy (Simple Check)
+                else if (validator.validator) {
+                    // Logic for validator function is harder for replacement unless it returns indices.
+                    // For now, we assume it just FLAGS it, unless we scan word by word?
+                    // Let's keep it simple: if it returns true, we flag it. Modification is hard without location.
+                    if (validator.validator(input)) {
+                        threats.push(`PII Detected: Custom (${validator.name}) - Detected by Validator`);
+                    }
+                }
+            }
+        }
         return {
             safe: threats.length === 0, // It is technically "safe" now that it is redacted, but we flag the threat presence
             threats,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "onion-ai",
-  "version": "1.0.6",
+  "version": "1.1.0",
   "description": "Layered security for AI prompting - input sanitization, injection protection, and output validation.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",