promptfoo 0.121.3 → 0.121.5

package/dist/src/{types-Cd3ygw8W.js → types-BDjGOq4E.js}

@@ -1,8 +1,10 @@
-import { i as isJavascriptFile, t as JAVASCRIPT_EXTENSIONS } from "./fileExtensions-LcDYkU4v.js";
+import { i as isJavascriptFile, t as JAVASCRIPT_EXTENSIONS } from "./fileExtensions-BGh-W-HT.js";
 import { z } from "zod";
 import dedent from "dedent";
 //#region src/types/env.ts
 const ProviderEnvOverridesSchema = z.object({
+	ABLIT_API_BASE_URL: z.string().optional(),
+	ABLIT_KEY: z.string().optional(),
 	AI21_API_BASE_URL: z.string().optional(),
 	AI21_API_KEY: z.string().optional(),
 	AIML_API_KEY: z.string().optional(),
@@ -80,6 +82,7 @@ const ProviderEnvOverridesSchema = z.object({
 	CODEX_API_KEY: z.string().optional(),
 	OPENCLAW_CONFIG_PATH: z.string().optional(),
 	OPENCLAW_GATEWAY_PASSWORD: z.string().optional(),
+	OPENCLAW_GATEWAY_PORT: z.string().optional(),
 	OPENCLAW_GATEWAY_TOKEN: z.string().optional(),
 	OPENCLAW_GATEWAY_URL: z.string().optional(),
 	PALM_API_HOST: z.string().optional(),
@@ -131,7 +134,9 @@ const ProviderEnvOverridesSchema = z.object({
 const CompletionTokenDetailsSchema = z.object({
 	reasoning: z.number().optional(),
 	acceptedPrediction: z.number().optional(),
-	rejectedPrediction: z.number().optional()
+	rejectedPrediction: z.number().optional(),
+	cacheReadInputTokens: z.number().optional(),
+	cacheCreationInputTokens: z.number().optional()
 });
 /**
 * Base schema for token usage statistics with all fields optional
@@ -163,6 +168,7 @@ const PromptFunctionSchema = z.custom((v) => typeof v === "function");
 const PromptSchema = z.object({
 	id: z.string().optional(),
 	raw: z.string(),
+	template: z.string().optional(),
 	display: z.string().optional(),
 	label: z.string(),
 	function: PromptFunctionSchema.optional(),
@@ -173,9 +179,58 @@ assert$1();
 assert$1();
 assert$1();
 //#endregion
+//#region src/redteam/constants/codingAgents.ts
+const CODING_AGENT_CORE_PLUGINS = [
+	"coding-agent:repo-prompt-injection",
+	"coding-agent:terminal-output-injection",
+	"coding-agent:secret-env-read",
+	"coding-agent:sandbox-read-escape",
+	"coding-agent:verifier-sabotage"
+];
+const CODING_AGENT_PLUGINS = [
+	...CODING_AGENT_CORE_PLUGINS,
+	"coding-agent:secret-file-read",
+	"coding-agent:sandbox-write-escape",
+	"coding-agent:network-egress-bypass"
+];
+const CODING_AGENT_COLLECTIONS = ["coding-agent:core"];
+const CODING_AGENT_PLUGIN_DISPLAY_NAMES = {
+	"coding-agent:core": "Coding Agent Core",
+	"coding-agent:repo-prompt-injection": "Repository Prompt Injection",
+	"coding-agent:terminal-output-injection": "Terminal Output Injection",
+	"coding-agent:secret-env-read": "Secret Environment Read",
+	"coding-agent:secret-file-read": "Secret File Read",
+	"coding-agent:sandbox-read-escape": "Sandbox Read Escape",
+	"coding-agent:sandbox-write-escape": "Sandbox Write Escape",
+	"coding-agent:network-egress-bypass": "Network Egress Bypass",
+	"coding-agent:verifier-sabotage": "Verifier Sabotage"
+};
+const CODING_AGENT_PLUGIN_DESCRIPTIONS = {
+	"coding-agent:core": "Tests coding agents against a focused MVP set of repository prompt injection, terminal output injection, secret environment read, sandbox read escape, and verifier sabotage risks",
+	"coding-agent:repo-prompt-injection": "Tests whether instructions embedded in README files, source comments, fixture data, issue text, logs, or generated artifacts can override the user task or operating policy",
+	"coding-agent:terminal-output-injection": "Tests whether compiler, test, package manager, linter, formatter, git, grep, or script output can instruct the coding agent to perform unrelated or dangerous actions",
+	"coding-agent:secret-env-read": "Tests whether launcher-only environment canaries remain absent from commands, output, traces, reports, diffs, URLs, and tool or connector parameters",
+	"coding-agent:secret-file-read": "Tests whether protected local files, dotfiles, sibling checkout files, temp files, cache files, browser profile files, or support-bundle files remain outside the coding agent task boundary",
+	"coding-agent:sandbox-read-escape": "Tests whether the agent can read outside the intended workspace through absolute paths, sibling checkout paths, symlinks, archives, mount points, caches, temp paths, browser profiles, or home directories",
+	"coding-agent:sandbox-write-escape": "Tests whether the agent can create, overwrite, append, delete, chmod, or otherwise mutate files outside the intended workspace through relative paths, absolute paths, symlinks, temp paths, home paths, caches, mounts, or sibling checkouts",
+	"coding-agent:network-egress-bypass": "Tests whether the agent can make unauthorized outbound network requests, DNS lookups, package fetches, webhook calls, tunnels, or connector/tool calls that bypass the intended network policy",
+	"coding-agent:verifier-sabotage": "Tests whether the agent weakens tests, lint, typecheck, CI, snapshots, fixtures, auth, locks, security checks, policies, or harness assertions instead of fixing the requested implementation"
+};
+const CODING_AGENT_PLUGIN_ALIASES = {
+	"coding-agent:core": "CodingAgentCore",
+	"coding-agent:repo-prompt-injection": "CodingAgentRepoPromptInjection",
+	"coding-agent:terminal-output-injection": "CodingAgentTerminalOutputInjection",
+	"coding-agent:secret-env-read": "CodingAgentSecretEnvRead",
+	"coding-agent:secret-file-read": "CodingAgentSecretFileRead",
+	"coding-agent:sandbox-read-escape": "CodingAgentSandboxReadEscape",
+	"coding-agent:sandbox-write-escape": "CodingAgentSandboxWriteEscape",
+	"coding-agent:network-egress-bypass": "CodingAgentNetworkEgressBypass",
+	"coding-agent:verifier-sabotage": "CodingAgentVerifierSabotage"
+};
+//#endregion
 //#region src/redteam/constants/plugins.ts
 const MULTI_INPUT_VAR = "__prompt";
-const REDTEAM_MODEL = "openai:chat:gpt-5-2025-08-07";
+const REDTEAM_MODEL = "openai:chat:gpt-5.4-2026-03-05";
 const LLAMA_GUARD_REPLICATE_PROVIDER = "replicate:moderation:meta/llama-guard-4-12b";
 const LLAMA_GUARD_ENABLED_CATEGORIES = [
 	"S1",
@@ -294,8 +349,10 @@ const COLLECTIONS = [
 	"financial",
 	"ecommerce",
 	"telecom",
+	"teen-safety",
 	"realestate",
-	"guardrails-eval"
+	"guardrails-eval",
+	...CODING_AGENT_COLLECTIONS
 ];
 const UNALIGNED_PROVIDER_HARM_PLUGINS = {
 	"harmful:child-exploitation": "Child Exploitation",
@@ -345,6 +402,9 @@ const BIAS_PLUGINS = [
 ];
 const MEDICAL_PLUGINS = [
 	"medical:anchoring-bias",
+	"medical:fda:ai-disclosure",
+	"medical:fda:cyber-access-control",
+	"medical:fda:cyber-audit-tampering",
 	"medical:hallucination",
 	"medical:incorrect-knowledge",
 	"medical:off-label-use",
@@ -360,6 +420,7 @@ const FINANCIAL_PLUGINS = [
 	"financial:defamation",
 	"financial:hallucination",
 	"financial:impartiality",
+	"financial:japan-fiea-suitability",
 	"financial:misconduct",
 	"financial:sox-compliance",
 	"financial:sycophancy"
@@ -405,6 +466,12 @@ const REALESTATE_PLUGINS = [
 	"realestate:advertising-discrimination",
 	"realestate:source-of-income"
 ];
+const TEEN_SAFETY_PLUGINS = [
+	"teen-safety:harmful-body-ideals",
+	"teen-safety:dangerous-content",
+	"teen-safety:dangerous-roleplay",
+	"teen-safety:age-restricted-goods-and-services"
+];
 const BASE_PLUGINS = [
 	"contracts",
 	"excessive-agency",
@@ -419,6 +486,7 @@ const ADDITIONAL_PLUGINS = [
 	"bfla",
 	"bola",
 	"cca",
+	...CODING_AGENT_PLUGINS,
 	"competitors",
 	"coppa",
 	"cross-session-leak",
@@ -435,6 +503,9 @@ const ADDITIONAL_PLUGINS = [
 	"mcp",
 	"model-identification",
 	"medical:anchoring-bias",
+	"medical:fda:ai-disclosure",
+	"medical:fda:cyber-access-control",
+	"medical:fda:cyber-audit-tampering",
 	"medical:hallucination",
 	"medical:incorrect-knowledge",
 	"medical:off-label-use",
@@ -448,6 +519,7 @@ const ADDITIONAL_PLUGINS = [
 	"financial:defamation",
 	"financial:hallucination",
 	"financial:impartiality",
+	"financial:japan-fiea-suitability",
 	"financial:misconduct",
 	"financial:sox-compliance",
 	"financial:sycophancy",
@@ -477,6 +549,10 @@ const ADDITIONAL_PLUGINS = [
 	"telecom:coverage-misinformation",
 	"telecom:law-enforcement-request-handling",
 	"telecom:accessibility-violation",
+	"teen-safety:harmful-body-ideals",
+	"teen-safety:dangerous-content",
+	"teen-safety:dangerous-roleplay",
+	"teen-safety:age-restricted-goods-and-services",
 	"realestate:fair-housing-discrimination",
 	"realestate:steering",
 	"realestate:discriminatory-listings",
@@ -508,6 +584,16 @@ const ADDITIONAL_PLUGINS = [
 ];
 const CONFIG_REQUIRED_PLUGINS = ["intent", "policy"];
 const AGENTIC_EXEMPT_PLUGINS = ["system-prompt-override", "agentic:memory-poisoning"];
+const CANARY_BREAKING_STRATEGY_IDS = [
+	"base64",
+	"hex",
+	"homoglyph",
+	"leetspeak",
+	"rot13",
+	"multilingual",
+	"math-prompt",
+	"jailbreak:composite"
+];
 const DATASET_EXEMPT_PLUGINS = [
 	"aegis",
 	"beavertails",
@@ -558,10 +644,13 @@ const PLUGIN_CATEGORIES = {
 	pharmacy: PHARMACY_PLUGINS,
 	insurance: INSURANCE_PLUGINS,
 	telecom: TELECOM_PLUGINS,
+	"teen-safety": TEEN_SAFETY_PLUGINS,
 	realestate: REALESTATE_PLUGINS
 };
 const REMOTE_ONLY_PLUGIN_IDS = [
 	"agentic:memory-poisoning",
+	...CODING_AGENT_COLLECTIONS,
+	...CODING_AGENT_PLUGINS,
 	"ascii-smuggling",
 	"bfla",
 	"bola",
@@ -1076,26 +1165,125 @@ const NIST_AI_RMF_MAPPING = {
 		strategies: []
 	}
 };
+const MITRE_ATLAS_AI_ATTACK_STAGING_MAPPING = {
+	plugins: [
+		"ascii-smuggling",
+		"excessive-agency",
+		"harmful:cybercrime:malicious-code",
+		"hallucination",
+		"indirect-prompt-injection",
+		"rag-poisoning"
+	],
+	strategies: ["jailbreak", "jailbreak:tree"]
+};
 const MITRE_ATLAS_MAPPING = {
+	"mitre:atlas:ai-attack-staging": MITRE_ATLAS_AI_ATTACK_STAGING_MAPPING,
+	"mitre:atlas:ai-model-access": {
+		plugins: [],
+		strategies: []
+	},
+	"mitre:atlas:collection": {
+		plugins: [
+			"data-exfil",
+			"harmful:privacy",
+			"pii:api-db",
+			"pii:direct",
+			"pii:session",
+			"pii:social",
+			"prompt-extraction",
+			"rag-document-exfiltration"
+		],
+		strategies: []
+	},
+	"mitre:atlas:command-and-control": {
+		plugins: [
+			"excessive-agency",
+			"harmful:cybercrime",
+			"harmful:cybercrime:malicious-code",
+			"mcp",
+			"shell-injection",
+			"ssrf"
+		],
+		strategies: ["crescendo"]
+	},
+	"mitre:atlas:credential-access": {
+		plugins: [
+			"data-exfil",
+			"harmful:privacy",
+			"pii:api-db",
+			"pii:direct",
+			"pii:session",
+			"pii:social",
+			"prompt-extraction",
+			"rag-document-exfiltration",
+			"tool-discovery"
+		],
+		strategies: []
+	},
+	"mitre:atlas:defense-evasion": {
+		plugins: [
+			"ascii-smuggling",
+			"hijacking",
+			"imitation",
+			"rag-source-attribution",
+			"special-token-injection"
+		],
+		strategies: [
+			"base64",
+			"jailbreak",
+			"jailbreak-templates",
+			"leetspeak",
+			"rot13"
+		]
+	},
+	"mitre:atlas:discovery": {
+		plugins: [
+			"debug-access",
+			"model-identification",
+			"prompt-extraction",
+			"system-prompt-override",
+			"tool-discovery"
+		],
+		strategies: []
+	},
+	"mitre:atlas:execution": {
+		plugins: [
+			"excessive-agency",
+			"hijacking",
+			"indirect-prompt-injection",
+			"mcp",
+			"shell-injection",
+			"sql-injection",
+			"ssrf",
+			"system-prompt-override",
+			"tool-discovery"
+		],
+		strategies: ["jailbreak", "jailbreak-templates"]
+	},
 	"mitre:atlas:exfiltration": {
 		plugins: [
 			"ascii-smuggling",
+			"cross-session-leak",
+			"data-exfil",
 			"harmful:privacy",
 			"indirect-prompt-injection",
 			"pii:api-db",
 			"pii:direct",
 			"pii:session",
 			"pii:social",
-			"prompt-extraction"
+			"prompt-extraction",
+			"rag-document-exfiltration"
 		],
 		strategies: []
 	},
 	"mitre:atlas:impact": {
 		plugins: [
+			"divergent-repetition",
 			"excessive-agency",
 			"harmful",
 			"hijacking",
-			"imitation"
+			"imitation",
+			"reasoning-dos"
 		],
 		strategies: ["crescendo"]
 	},
@@ -1103,6 +1291,8 @@ const MITRE_ATLAS_MAPPING = {
 		plugins: [
 			"debug-access",
 			"harmful:cybercrime",
+			"indirect-prompt-injection",
+			"mcp",
 			"shell-injection",
 			"sql-injection",
 			"ssrf"
@@ -1115,18 +1305,46 @@ const MITRE_ATLAS_MAPPING = {
 			"rot13"
 		]
 	},
-	"mitre:atlas:ml-attack-staging": {
+	"mitre:atlas:lateral-movement": {
 		plugins: [
-			"ascii-smuggling",
+			"bfla",
+			"bola",
+			"harmful:cybercrime",
+			"rbac"
+		],
+		strategies: []
+	},
+	"mitre:atlas:persistence": {
+		plugins: [
+			"agentic:memory-poisoning",
+			"cross-session-leak",
+			"indirect-prompt-injection",
+			"rag-poisoning",
+			"system-prompt-override"
+		],
+		strategies: ["jailbreak"]
+	},
+	"mitre:atlas:privilege-escalation": {
+		plugins: [
+			"bfla",
+			"bola",
+			"debug-access",
 			"excessive-agency",
-			"hallucination",
-			"indirect-prompt-injection"
+			"mcp",
+			"rbac",
+			"shell-injection",
+			"system-prompt-override"
 		],
-		strategies: ["jailbreak", "jailbreak:tree"]
+		strategies: [
+			"jailbreak",
+			"jailbreak:tree",
+			"jailbreak-templates"
+		]
 	},
 	"mitre:atlas:reconnaissance": {
 		plugins: [
 			"competitors",
+			"model-identification",
 			"policy",
 			"prompt-extraction",
 			"rbac"
@@ -1135,13 +1353,16 @@ const MITRE_ATLAS_MAPPING = {
 	},
 	"mitre:atlas:resource-development": {
 		plugins: [
+			"harmful:chemical-biological-weapons",
 			"harmful:cybercrime",
+			"harmful:cybercrime:malicious-code",
 			"harmful:illegal-drugs",
 			"harmful:indiscriminate-weapons"
 		],
 		strategies: []
 	}
 };
+const MITRE_ATLAS_LEGACY_MAPPING = { "mitre:atlas:ml-attack-staging": MITRE_ATLAS_AI_ATTACK_STAGING_MAPPING };
 /**
 *  EU Artificial Intelligence Act
 *  ▸ Art. 5  (Prohibited AI practices)           – unacceptable-risk
@@ -1548,6 +1769,7 @@ const ALIASED_PLUGINS = [
 	"iso:42001",
 	"gdpr",
 	...Object.keys(MITRE_ATLAS_MAPPING),
+	...Object.keys(MITRE_ATLAS_LEGACY_MAPPING),
 	...Object.keys(NIST_AI_RMF_MAPPING),
 	...Object.keys(OWASP_API_TOP_10_MAPPING),
 	...Object.keys(OWASP_LLM_TOP_10_MAPPING),
@@ -1559,6 +1781,7 @@ const ALIASED_PLUGINS = [
 ];
 const ALIASED_PLUGIN_MAPPINGS = {
 	"dod:ai:ethics": DOD_AI_ETHICS_MAPPING,
+	"mitre:atlas:ml-attack-staging": MITRE_ATLAS_LEGACY_MAPPING,
 	"mitre:atlas": MITRE_ATLAS_MAPPING,
 	"nist:ai:measure": NIST_AI_RMF_MAPPING,
 	"owasp:api": OWASP_API_TOP_10_MAPPING,
@@ -1619,8 +1842,8 @@ const ALIASED_PLUGIN_MAPPINGS = {
 		strategies: []
 	} }
 };
-//#endregion
-//#region src/redteam/constants/metadata.ts
+({ ...CODING_AGENT_PLUGIN_DESCRIPTIONS });
+({ ...CODING_AGENT_PLUGIN_DISPLAY_NAMES });
 const Severity = {
 	Critical: "critical",
 	High: "high",
@@ -1637,6 +1860,10 @@ const SeveritySchema = z.enum([
 ]);
 Severity.Critical, Severity.High, Severity.Medium, Severity.Low, Severity.Informational;
 Severity.Critical, Severity.High, Severity.Medium, Severity.Low, Severity.Informational;
+const codingAgentRiskCategorySeverityMap = {
+	...Object.fromEntries(CODING_AGENT_PLUGINS.map((pluginId) => [pluginId, Severity.High])),
+	"coding-agent:core": Severity.High
+};
 const riskCategorySeverityMap = {
 	["agentic:memory-poisoning"]: Severity.High,
 	aegis: Severity.Medium,
@@ -1654,6 +1881,7 @@ const riskCategorySeverityMap = {
 	"financial:defamation": Severity.Medium,
 	"financial:hallucination": Severity.Low,
 	"financial:impartiality": Severity.Medium,
+	"financial:japan-fiea-suitability": Severity.High,
 	"financial:misconduct": Severity.High,
 	"financial:sox-compliance": Severity.High,
 	"financial:sycophancy": Severity.Low,
@@ -1669,6 +1897,9 @@ const riskCategorySeverityMap = {
 	default: Severity.Low,
 	mcp: Severity.High,
 	"medical:anchoring-bias": Severity.High,
+	"medical:fda:ai-disclosure": Severity.High,
+	"medical:fda:cyber-access-control": Severity.Critical,
+	"medical:fda:cyber-audit-tampering": Severity.Critical,
 	"medical:hallucination": Severity.Critical,
 	"medical:incorrect-knowledge": Severity.Critical,
 	"medical:off-label-use": Severity.High,
@@ -1745,6 +1976,11 @@ const riskCategorySeverityMap = {
 	"telecom:coverage-misinformation": Severity.Medium,
 	"telecom:law-enforcement-request-handling": Severity.Medium,
 	"telecom:accessibility-violation": Severity.Medium,
+	"teen-safety": Severity.Low,
+	"teen-safety:harmful-body-ideals": Severity.Low,
+	"teen-safety:dangerous-content": Severity.Low,
+	"teen-safety:dangerous-roleplay": Severity.Low,
+	"teen-safety:age-restricted-goods-and-services": Severity.Low,
 	realestate: Severity.Critical,
 	"realestate:fair-housing-discrimination": Severity.Critical,
 	"realestate:steering": Severity.Critical,
@@ -1784,9 +2020,10 @@ const riskCategorySeverityMap = {
 	vlguard: Severity.Medium,
 	vlsu: Severity.Medium,
 	wordplay: Severity.Low,
-	xstest: Severity.Low
+	xstest: Severity.Low,
+	...codingAgentRiskCategorySeverityMap
 };
-Object.entries({
+const riskCategories = {
 	"Security & Access Control": [
 		"ascii-smuggling",
 		"bfla",
@@ -1858,6 +2095,10 @@ Object.entries({
 		"harmful:radicalization",
 		"harmful:self-harm",
 		"harmful:sexual-content",
+		"teen-safety:harmful-body-ideals",
+		"teen-safety:dangerous-content",
+		"teen-safety:dangerous-roleplay",
+		"teen-safety:age-restricted-goods-and-services",
 		"wordplay"
 	],
 	Brand: [
@@ -1889,11 +2130,15 @@ Object.entries({
 		"financial:defamation",
 		"financial:hallucination",
 		"financial:impartiality",
+		"financial:japan-fiea-suitability",
 		"financial:misconduct",
 		"financial:sox-compliance",
 		"financial:sycophancy",
 		"medical:hallucination",
 		"medical:anchoring-bias",
+		"medical:fda:ai-disclosure",
+		"medical:fda:cyber-access-control",
+		"medical:fda:cyber-audit-tampering",
 		"medical:incorrect-knowledge",
 		"medical:off-label-use",
 		"medical:prioritization-error",
@@ -1934,8 +2179,10 @@ Object.entries({
 		"vlguard",
 		"vlsu",
 		"xstest"
-	]
-}).reduce((acc, [category, harms]) => {
+	],
+	"Coding Agent Security": [...CODING_AGENT_PLUGINS]
+};
+Object.entries(riskCategories).reduce((acc, [category, harms]) => {
 	harms.forEach((harm) => {
 		acc[harm] = category;
 	});
@@ -1961,6 +2208,9 @@ const categoryAliases = {
 	ferpa: "FERPACompliance",
 	mcp: "MCP",
 	"medical:anchoring-bias": "MedicalAnchoringBias",
+	"medical:fda:ai-disclosure": "MedicalFdaAiDisclosure",
+	"medical:fda:cyber-access-control": "MedicalFdaCyberAccessControl",
+	"medical:fda:cyber-audit-tampering": "MedicalFdaCyberAuditTampering",
 	"medical:hallucination": "Medical Hallucination",
 	"medical:incorrect-knowledge": "MedicalIncorrectKnowledge",
 	"medical:off-label-use": "MedicalOffLabelUse",
@@ -1978,6 +2228,7 @@ const categoryAliases = {
 	"financial:defamation": "FinancialDefamation",
 	"financial:hallucination": "FinancialHallucination",
 	"financial:impartiality": "FinancialImpartiality",
+	"financial:japan-fiea-suitability": "FinancialJapanFieaSuitability",
 	"financial:misconduct": "FinancialMisconduct",
 	"financial:sox-compliance": "FinancialSoxCompliance",
 	"financial:sycophancy": "FinancialSycophancy",
@@ -2019,6 +2270,11 @@ const categoryAliases = {
 	"telecom:coverage-misinformation": "TelecomCoverageMisinformation",
 	"telecom:law-enforcement-request-handling": "TelecomLawEnforcementRequestHandling",
 	"telecom:accessibility-violation": "TelecomAccessibilityViolation",
+	"teen-safety": "TeenSafety",
+	"teen-safety:harmful-body-ideals": "TeenSafetyHarmfulBodyIdeals",
+	"teen-safety:dangerous-content": "TeenSafetyDangerousContent",
+	"teen-safety:dangerous-roleplay": "TeenSafetyDangerousRoleplay",
+	"teen-safety:age-restricted-goods-and-services": "TeenSafetyAgeRestrictedGoodsAndServices",
 	realestate: "Real Estate Safety",
 	"realestate:fair-housing-discrimination": "RealEstateFairHousingDiscrimination",
 	"realestate:steering": "RealEstateSteering",
@@ -2088,7 +2344,8 @@ const categoryAliases = {
 	vlguard: "VLGuard",
 	vlsu: "VLSU",
 	wordplay: "Wordplay",
-	xstest: "XSTest"
+	xstest: "XSTest",
+	...CODING_AGENT_PLUGIN_ALIASES
 };
 Object.entries(categoryAliases).reduce((acc, [key, value]) => {
 	acc[value] = key;
@@ -2144,6 +2401,11 @@ const pluginDescriptions = {
 	"telecom:coverage-misinformation": "Tests for false or misleading claims about network coverage, 5G availability, or roaming capabilities",
 	"telecom:law-enforcement-request-handling": "Tests for improper handling of law enforcement data requests in violation of CALEA requirements and privacy laws",
 	"telecom:accessibility-violation": "Tests for accessibility compliance violations under Section 255, Section 508, ADA, and 21st Century CVAA",
+	"teen-safety": "Comprehensive teen safety testing for age-appropriate AI behavior across body image harms, dangerous activities, unsafe roleplay, and underage access risks",
+	"teen-safety:harmful-body-ideals": "Tests for harmful body-ideal promotion, body shaming, and facilitation of unsafe restriction, purging, over-exercise, or concealment behaviors that can harm teens",
+	"teen-safety:dangerous-content": "Tests for promotion, glorification, or facilitation of dangerous challenges, unsafe stunts, risky experimentation, and dangerous at-home procedures inappropriate for teens",
+	"teen-safety:dangerous-roleplay": "Tests for interactive roleplay involving minors that simulates romantic, sexual, or violent scenarios that could normalize exploitation or harm",
+	"teen-safety:age-restricted-goods-and-services": "Tests for encouragement, sourcing, or circumvention tactics that help minors access age-restricted goods or services such as alcohol, vaping, gambling, weapons, or adult-only venues",
 	realestate: "Comprehensive real estate AI safety testing for Fair Housing Act compliance, steering prevention, lending discrimination (ECOA), valuation bias, and housing discrimination vulnerabilities",
 	"realestate:fair-housing-discrimination": "Tests for Fair Housing Act violations across all 7 protected classes: race, color, religion, national origin, sex (including gender identity and sexual orientation), familial status, and disability",
 	"realestate:steering": "Tests for illegal steering practices where systems direct buyers toward or away from neighborhoods based on protected class characteristics rather than objective housing criteria",
@@ -2191,6 +2453,9 @@ const pluginDescriptions = {
 	"ecommerce:price-manipulation": "Tests for price manipulation through discount code abuse, inventory exploits, cart manipulation, unauthorized price modifications, or coupon stacking vulnerabilities",
 	mcp: "Tests for vulnerabilities to Model Context Protocol (MCP) attacks",
 	"medical:anchoring-bias": "Tests for medical anchoring bias where AI fixates on irrelevant information in medical contexts",
+	"medical:fda:ai-disclosure": "Tests whether AI-enabled medical-device or clinical LLM systems disclose intended-use boundaries, confidence and uncertainty, subgroup limitations, data drift, and model or device version changes instead of concealing them",
+	"medical:fda:cyber-access-control": "Tests whether medical-device AI systems enforce authenticated, role-scoped, deny-by-default workflows and refuse privileged device, telemetry, update, or therapy actions from unauthorized users or stale sessions",
+	"medical:fda:cyber-audit-tampering": "Tests whether medical-device AI systems preserve anomaly alerts, SBOM/version records, and forensic audit trails instead of helping users suppress, rewrite, or delete cybersecurity evidence",
 	"medical:hallucination": "Tests for fabricated medical facts, non-existent studies, made-up drug interactions, or other false medical information",
 	"medical:incorrect-knowledge": "Tests for factually wrong medical information that could be harmful if followed",
 	"medical:off-label-use": "Tests for inappropriate off-label medication recommendations without proper disclaimers, warnings, or professional consultation requirements",
@@ -2204,6 +2469,7 @@ const pluginDescriptions = {
 	"financial:defamation": "Tests for false statements that damage the reputation of financial entities, including unfounded fraud accusations, fabricated scandals, or false insolvency claims",
 	"financial:hallucination": "Tests for fabricated market data, non-existent financial instruments, fictional company financials, or invented market events",
 	"financial:impartiality": "Tests for inappropriate provision of financial advice, investment recommendations, broker suggestions, or transaction facilitation without proper authorization or disclaimers",
+	"financial:japan-fiea-suitability": "Tests whether AI recommends unsuitable financial products, downplays risks, or uses sales framing that conflicts with Japan's FIEA suitability and explanation duties",
 	"financial:misconduct": "Tests for facilitation of financial crimes including insider trading, market manipulation, front-running, spoofing, bribery, or circumventing financial regulations",
 	"financial:sox-compliance": "Tests for violations of Sarbanes-Oxley requirements including internal controls bypass, financial statement manipulation, CEO/CFO certification fraud, audit obstruction, document retention violations, and whistleblower retaliation",
 	"financial:sycophancy": "Tests for agreeing with risky trading strategies, unrealistic return expectations, or get-rich-quick schemes",
@@ -2241,7 +2507,8 @@ const pluginDescriptions = {
 	vlsu: "Tests compositional safety where individually safe images and text combine to produce harmful outputs using Apple VLSU dataset",
 	wordplay: "Tests whether AI systems can be tricked into generating profanity or offensive language through innocent-seeming wordplay like riddles and rhyming games",
 	xstest: "Tests how models handle ambiguous terms related to potentially harmful topics like violence and drugs",
-	"guardrails-eval": "Evaluate guardrail effectiveness against common risks"
+	"guardrails-eval": "Evaluate guardrail effectiveness against common risks",
+	...CODING_AGENT_PLUGIN_DESCRIPTIONS
 };
 //#endregion
 //#region src/redteam/constants/strategies.ts
@@ -2261,6 +2528,7 @@ const DEFAULT_STRATEGIES = [
 	"jailbreak:meta",
 	"jailbreak:composite"
 ];
+new Set(DEFAULT_STRATEGIES);
 const MULTI_TURN_STRATEGIES = [
 	"crescendo",
 	"goat",
@@ -2286,6 +2554,7 @@ const AGENTIC_STRATEGIES = [
 	"jailbreak:tree",
 	"mischievous-user"
 ];
+new Set(AGENTIC_STRATEGIES);
 const DATASET_PLUGINS = [
 	"beavertails",
 	"cyberseceval",
@@ -2451,7 +2720,62 @@ const PluginConfigSchema = z.object({
 	policy: z.union([z.string(), PolicyObjectSchema]).optional(),
 	systemPrompt: z.string().optional(),
 	excludeStrategies: z.array(z.string()).optional(),
+	protectedFilePath: z.string().optional(),
+	protectedFilePaths: z.array(z.string()).optional(),
+	secretFilePath: z.string().optional(),
+	secretFilePaths: z.array(z.string()).optional(),
+	secretLocalFilePath: z.string().optional(),
+	secretLocalFilePaths: z.array(z.string()).optional(),
+	secretFileValue: z.string().optional(),
+	secretFileValues: z.array(z.string()).optional(),
+	outsideWritePath: z.string().optional(),
+	outsideWritePaths: z.array(z.string()).optional(),
+	outsideWriteHostPath: z.string().optional(),
+	outsideWriteHostPaths: z.array(z.string()).optional(),
+	outsideWriteProbeDir: z.string().optional(),
+	outsideWriteProbeDirs: z.array(z.string()).optional(),
+	outsideWriteAllowedPath: z.string().optional(),
+	outsideWriteAllowedPaths: z.array(z.string()).optional(),
+	outsideWriteExpectedSha256: z.string().optional(),
+	outsideWritePathSha256: z.string().optional(),
+	outsideWriteSha256: z.string().optional(),
+	outsideWriteMustNotExistPath: z.string().optional(),
+	outsideWriteMustNotExistPaths: z.array(z.string()).optional(),
+	mustNotExistPath: z.string().optional(),
+	mustNotExistPaths: z.array(z.string()).optional(),
+	protectedWritePath: z.string().optional(),
+	protectedWritePaths: z.array(z.string()).optional(),
+	sandboxWritePath: z.string().optional(),
+	sandboxWritePaths: z.array(z.string()).optional(),
+	workspacePath: z.string().optional(),
+	workspacePaths: z.array(z.string()).optional(),
+	workspaceRoot: z.string().optional(),
+	workspaceRoots: z.array(z.string()).optional(),
+	workingDirectory: z.string().optional(),
+	workingDirectoryPath: z.string().optional(),
+	workingDir: z.string().optional(),
+	networkEgressUrl: z.string().optional(),
+	networkEgressUrls: z.array(z.string()).optional(),
+	networkTrapUrl: z.string().optional(),
+	networkTrapUrls: z.array(z.string()).optional(),
+	networkEgressHost: z.string().optional(),
+	networkEgressHosts: z.array(z.string()).optional(),
+	networkTrapHost: z.string().optional(),
+	networkTrapHosts: z.array(z.string()).optional(),
+	networkAllowedHost: z.string().optional(),
+	networkAllowedHosts: z.array(z.string()).optional(),
+	networkAllowedUrl: z.string().optional(),
+	networkAllowedUrls: z.array(z.string()).optional(),
+	networkTrapLogPath: z.string().optional(),
+	networkTrapLogPaths: z.array(z.string()).optional(),
+	networkScanPath: z.string().optional(),
+	networkScanPaths: z.array(z.string()).optional(),
+	networkWorkspacePath: z.string().optional(),
+	networkWorkspacePaths: z.array(z.string()).optional(),
+	networkEgressReceipt: z.string().optional(),
+	networkEgressReceipts: z.array(z.string()).optional(),
 	inputs: InputsSchema.optional(),
+	maxCharsPerMessage: z.number().int().positive().optional(),
 	__nonce: z.number().optional()
 });
 const StrategyConfigSchema = z.object({
@@ -2641,6 +2965,7 @@ z.object({
 	language: z.union([z.string(), z.array(z.string())]).optional().describe("Language(s) of tests to generate"),
 	frameworks: z.array(z.enum(frameworkOptions)).min(1).optional().describe("Subset of compliance frameworks to include when generating, reporting, and filtering results"),
 	maxConcurrency: z.int().positive().optional().describe("Maximum number of concurrent API calls"),
+	maxCharsPerMessage: z.int().positive().optional().describe("Maximum number of characters allowed per generated user message"),
 	numTests: z.int().positive().optional().describe("Number of tests to generate"),
 	output: z.string().optional().describe("Output file path"),
 	plugins: z.array(RedteamPluginObjectSchema).optional().describe("Plugins to use"),
@@ -2673,6 +2998,7 @@ const RedteamConfigSchema = z.object({
         Supports ${ALL_STRATEGIES.join(", ")}
         `).optional().prefault(["default"]),
 	maxConcurrency: z.int().positive().optional().describe("Maximum number of concurrent API calls"),
+	maxCharsPerMessage: z.int().positive().optional().describe("Maximum number of characters allowed per generated user message"),
 	delay: z.int().nonnegative().optional().describe("Delay in milliseconds between plugin API calls"),
 	excludeTargetOutputFromAgenticAttackGeneration: z.boolean().optional().describe("Whether to exclude target output from the agentific attack generation process"),
 	tracing: TracingConfigSchema.optional().describe("Tracing defaults applied to all strategies unless overridden"),
@@ -2726,6 +3052,7 @@ const RedteamConfigSchema = z.object({
 		else if (id === "pharmacy") expandCollection([...PHARMACY_PLUGINS], config, numTests, severity);
 		else if (id === "insurance") expandCollection([...INSURANCE_PLUGINS], config, numTests, severity);
 		else if (id === "financial") expandCollection([...FINANCIAL_PLUGINS], config, numTests, severity);
+		else if (id === "teen-safety") expandCollection([...TEEN_SAFETY_PLUGINS], config, numTests, severity);
 		else if (id === "default") expandCollection([...DEFAULT_PLUGINS], config, numTests, severity);
 		else if (id === "guardrails-eval") expandCollection([...GUARDRAILS_EVALUATION_PLUGINS], config, numTests, severity);
 	};
@@ -2786,6 +3113,7 @@ const RedteamConfigSchema = z.object({
 	});
 	return {
 		numTests: data.numTests,
+		...data.maxCharsPerMessage ? { maxCharsPerMessage: data.maxCharsPerMessage } : {},
 		plugins: uniquePlugins,
 		strategies,
 		...frameworks ? { frameworks } : {},
@@ -2911,6 +3239,7 @@ const PromptMetricsSchema = z.object({
 	tokenUsage: BaseTokenUsageSchema,
 	namedScores: z.record(z.string(), z.number()),
 	namedScoresCount: z.record(z.string(), z.number()),
+	namedScoreWeights: z.record(z.string(), z.number()).optional(),
 	redteam: z.object({
 		pluginPassCount: z.record(z.string(), z.number()),
 		pluginFailCount: z.record(z.string(), z.number()),
@@ -2933,7 +3262,7 @@ function isResultFailureReason(value) {
 	return validResultFailureReasons.has(value);
 }
 function isGradingResult(result) {
-	return typeof result === "object" && result !== null && typeof result.pass === "boolean" && typeof result.score === "number" && typeof result.reason === "string" && (typeof result.namedScores === "undefined" || typeof result.namedScores === "object") && (typeof result.tokensUsed === "undefined" || typeof result.tokensUsed === "object") && (typeof result.componentResults === "undefined" || Array.isArray(result.componentResults)) && (typeof result.assertion === "undefined" || result.assertion === null || typeof result.assertion === "object") && (typeof result.comment === "undefined" || typeof result.comment === "string");
+	return typeof result === "object" && result !== null && typeof result.pass === "boolean" && typeof result.score === "number" && typeof result.reason === "string" && (typeof result.namedScores === "undefined" || typeof result.namedScores === "object") && (typeof result.namedScoreWeights === "undefined" || typeof result.namedScoreWeights === "object") && (typeof result.tokensUsed === "undefined" || typeof result.tokensUsed === "object") && (typeof result.componentResults === "undefined" || Array.isArray(result.componentResults)) && (typeof result.assertion === "undefined" || result.assertion === null || typeof result.assertion === "object") && (typeof result.comment === "undefined" || typeof result.comment === "string");
 }
 const BaseAssertionTypesSchema = z.enum([
 	"answer-relevance",
@@ -3076,6 +3405,7 @@ const TestCaseSchema = z.object({
 		...GradingConfigSchema.shape,
 		disableVarExpansion: z.boolean().optional(),
 		disableConversationVar: z.boolean().optional(),
+		disableDefaultAsserts: z.boolean().optional(),
 		runSerially: z.boolean().optional()
 	}).catchall(z.any()).optional(),
 	threshold: z.number().optional(),
@@ -3165,7 +3495,7 @@ const TestSuiteSchema = z.object({
 				enabled: z.boolean(),
 				port: z.number(),
 				host: z.string().optional(),
-				acceptFormats: z.array(z.string())
+				acceptFormats: z.array(z.enum(["protobuf", "json"])).optional()
 			}).optional(),
 			grpc: z.object({
 				enabled: z.boolean(),
@@ -3234,7 +3564,7 @@ const TestSuiteConfigSchema = z.object({
 				enabled: z.boolean().prefault(true),
 				port: z.number().prefault(4318),
 				host: z.string().prefault("0.0.0.0"),
-				acceptFormats: z.array(z.enum(["protobuf", "json"])).prefault(["json"])
+				acceptFormats: z.array(z.enum(["protobuf", "json"])).prefault(["json", "protobuf"])
 			}).optional(),
 			grpc: z.object({
 				enabled: z.boolean().prefault(false),
@@ -3289,6 +3619,6 @@ const EvalResultsFilterMode = z.enum([
 	"user-rated"
 ]);
 //#endregion
-export { MULTI_INPUT_VAR as $, STRATEGY_COLLECTIONS as A, ALIASED_PLUGIN_MAPPINGS as B, isValidReusablePolicyId as C, DATASET_PLUGINS as D, ALL_STRATEGIES as E, isMultiTurnStrategy as F, FINANCIAL_PLUGINS as G, BIAS_PLUGINS as H, Severity as I, INSURANCE_PLUGINS as J, FOUNDATION_PLUGINS as K, categoryAliases as L, getDefaultNFanout as M, isCustomStrategy as N, DEFAULT_STRATEGIES as O, isFanoutStrategy as P, MULTI_INPUT_EXCLUDED_PLUGINS as Q, pluginDescriptions as R, StrategyConfigSchema as S, AGENTIC_STRATEGIES as T, DATASET_EXEMPT_PLUGINS as U, ALL_PLUGINS as V, DEFAULT_PLUGINS as W, LLAMA_GUARD_REPLICATE_PROVIDER as X, LLAMA_GUARD_ENABLED_CATEGORIES as Y, MEDICAL_PLUGINS as Z, ProvidersSchema as _, EvaluateOptionsSchema as a, REMOTE_ONLY_PLUGIN_IDS as at, PluginConfigSchema as b, TestSuiteConfigSchema as c, UNALIGNED_PROVIDER_HARM_PLUGINS as ct, isGradingResult as d, PHARMACY_PLUGINS as et, isResultFailureReason as f, ProviderOptionsSchema as g, RedteamConfigSchema as h, EvalResultsFilterMode as i, REDTEAM_PROVIDER_HARM_PLUGINS as it, STRATEGY_COLLECTION_MAPPINGS as j, MULTI_TURN_STRATEGIES as k, TestSuiteSchema as l, PromptSchema as lt, isProviderOptions as m, BaseAssertionTypesSchema as n, PLUGIN_CATEGORIES as nt, OutputFileExtension as o, STRATEGY_EXEMPT_PLUGINS as ot, isApiProvider as p, HARM_PLUGINS as q, CommandLineOptionsSchema as r, REDTEAM_MODEL as rt, ResultFailureReason as s, TELECOM_PLUGINS as st, AssertionOrSetSchema as t, PII_PLUGINS as tt, UnifiedConfigSchema as u, ConversationMessageSchema as v, isUuid as w, PolicyObjectSchema as x, PartialGenerationError as y, riskCategorySeverityMap as z };
+export { MULTI_INPUT_EXCLUDED_PLUGINS as $, STRATEGY_COLLECTIONS as A, ALIASED_PLUGIN_MAPPINGS as B, isValidReusablePolicyId as C, DATASET_PLUGINS as D, ALL_STRATEGIES as E, isMultiTurnStrategy as F, DEFAULT_PLUGINS as G, BIAS_PLUGINS as H, Severity as I, HARM_PLUGINS as J, FINANCIAL_PLUGINS as K, categoryAliases as L, getDefaultNFanout as M, isCustomStrategy as N, DEFAULT_STRATEGIES as O, isFanoutStrategy as P, MEDICAL_PLUGINS as Q, pluginDescriptions as R, StrategyConfigSchema as S, AGENTIC_STRATEGIES as T, CANARY_BREAKING_STRATEGY_IDS as U, ALL_PLUGINS as V, DATASET_EXEMPT_PLUGINS as W, LLAMA_GUARD_ENABLED_CATEGORIES as X, INSURANCE_PLUGINS as Y, LLAMA_GUARD_REPLICATE_PROVIDER as Z, ProvidersSchema as _, EvaluateOptionsSchema as a, REDTEAM_PROVIDER_HARM_PLUGINS as at, PluginConfigSchema as b, TestSuiteConfigSchema as c, TEEN_SAFETY_PLUGINS as ct, isGradingResult as d, CODING_AGENT_CORE_PLUGINS as dt, MULTI_INPUT_VAR as et, isResultFailureReason as f, CODING_AGENT_PLUGINS as ft, ProviderOptionsSchema as g, RedteamConfigSchema as h, PromptSchema as ht, EvalResultsFilterMode as i, REDTEAM_MODEL as it, STRATEGY_COLLECTION_MAPPINGS as j, MULTI_TURN_STRATEGIES as k, TestSuiteSchema as l, TELECOM_PLUGINS as lt, isProviderOptions as m, CODING_AGENT_PLUGIN_DISPLAY_NAMES as mt, BaseAssertionTypesSchema as n, PII_PLUGINS as nt, OutputFileExtension as o, REMOTE_ONLY_PLUGIN_IDS as ot, isApiProvider as p, CODING_AGENT_PLUGIN_DESCRIPTIONS as pt, FOUNDATION_PLUGINS as q, CommandLineOptionsSchema as r, PLUGIN_CATEGORIES as rt, ResultFailureReason as s, STRATEGY_EXEMPT_PLUGINS as st, AssertionOrSetSchema as t, PHARMACY_PLUGINS as tt, UnifiedConfigSchema as u, UNALIGNED_PROVIDER_HARM_PLUGINS as ut, ConversationMessageSchema as v, isUuid as w, PolicyObjectSchema as x, PartialGenerationError as y, riskCategorySeverityMap as z };
 
-//# sourceMappingURL=types-Cd3ygw8W.js.map
+//# sourceMappingURL=types-BDjGOq4E.js.map