shieldcortex 2.0.0

package/dist/defence/pipeline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline.js","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,KAAa,EACb,MAAqB,EACrB,MAAsB;IAEtB,MAAM,GAAG,GAAG,MAAM,IAAI,sBAAsB,CAAC;IAC7C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEpC,IAAI,CAAC;QACH,iBAAiB;QACjB,MAAM,KAAK,GAAe,WAAW,CAAC,MAAM,CAAC,CAAC;QAE9C,kBAAkB;QAClB,MAAM,QAAQ,GAAqB,eAAe,CAChD,OAAO,EACP,KAAK,EACL,MAAM,EACN,KAAK,CAAC,KAAK,EACX,GAAG,CACJ,CAAC;QAEF,0BAA0B;QAC1B,MAAM,WAAW,GAA8B,mBAAmB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAEnF,wEAAwE;QACxE,IAAI,aAAa,GAAiC,IAAI,CAAC;QACvD,IAAI,GAAG,CAAC,4BAA4B,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YACpE,aAAa,GAAG,oBAAoB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAED,8BAA8B;QAC9B,IAAI,OAAgB,CAAC;QACrB,IAAI,MAAc,CAAC;QAEnB,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAChC,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC3B,CAAC;aAAM,IACL,aAAa,KAAK,IAAI;YACtB,aAAa,CAAC,KAAK,GAAG,GAAG,CAAC,uBAAuB,EACjD,CAAC;YACD,OAAO,GAAG,KAAK,CAAC;YAChB,MAAM,GAAG,oCAAoC,aAAa,CAAC,KAAK,sBAAsB,GAAG,CAAC,uBAAuB,EAAE,CAAC;QACtH,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC3B,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7D,eAAe;QACf,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,QAAQ,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;YACpC,WAAW,EAAE,KAAK,CAAC,KAAK;YACxB,iBAAiB,EAAE,WAAW,CAAC,KAAK;YACpC,eAAe,EAAE,QAAQ,CAAC,MAAM;YAChC,aAAa,EAAE,QAAQ,CAAC,YAAY;YACpC,iBAAiB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC5D,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC1D,MAAM;YACN,mBAAmB,EAAE,aAAa,EAAE,KAAK,IAAI,IAAI;YACjD,oBAAoB,EAAE,UAAU;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO;YACP,QAAQ;YACR,aAAa;YACb,WAAW;YACX,KAAK;YACL,OAAO;SACR,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,mCAAmC;QACnC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;QAC7D,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,CAAC;QAE9D,MAAM,OAAO,GAAG,QAAQ,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,iBAAiB,EAAE,MAAM,CAAC,UAAU;YACpC,WAAW,EAAE,CAAC;YACd,iBAAiB,EAAE,QAAQ;YAC3B,eAAe,EAAE,OAAO;YACxB,aAAa,EAAE,CAAC;YAChB,iBAAiB,EAAE,IAAI;YACvB,gBAAgB,EAAE,IAAI;YACtB,MAAM,EAAE,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YACzF,mBAAmB,EAAE,IAAI;YACzB,oBAAoB,EAAE,UAAU;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,oCAAoC;gBAC5C,gBAAgB,EAAE,EAAE;gBACpB,YAAY,EAAE,CAAC;gBACf,eAAe,EAAE,EAAE;aACpB;YACD,aAAa,EAAE,IAAI;YACnB,WAAW,EAAE;gBACX,KAAK,EAAE,QAAQ;gBACf,UAAU,EAAE,CAAC;gBACb,gBAAgB,EAAE,EAAE;gBACpB,iBAAiB,EAAE,KAAK;aACzB;YACD,KAAK,EAAE;gBACL,KAAK,EAAE,CAAC;gBACR,MAAM;gBACN,SAAS,EAAE,EAAE;aACd;YACD,OAAO;SACR,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/defence/scanner/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Scanner module — retroactive memory scanning for poisoning detection.
+ */
+export { scanExistingMemories, type ScanOptions, type ScanReport, type ThreatFinding, } from './scan-existing.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/defence/scanner/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/defence/scanner/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,oBAAoB,EACpB,KAAK,WAAW,EAChB,KAAK,UAAU,EACf,KAAK,aAAa,GACnB,MAAM,oBAAoB,CAAC"}

package/dist/defence/scanner/index.js

@@ -0,0 +1,5 @@
+/**
+ * Scanner module — retroactive memory scanning for poisoning detection.
+ */
+export { scanExistingMemories, } from './scan-existing.js';
+//# sourceMappingURL=index.js.map

package/dist/defence/scanner/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/defence/scanner/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,oBAAoB,GAIrB,MAAM,oBAAoB,CAAC"}

package/dist/defence/scanner/scan-existing.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Retroactive Memory Scanner
+ *
+ * Scans existing memories in the database for signs of poisoning,
+ * injection attacks, or sensitive data stored in plain text.
+ * "Is Your AI Agent Compromised?"
+ */
+import type { DefenceConfig, ThreatIndicator } from '../types.js';
+export interface ScanOptions {
+    project?: string;
+    limit?: number;
+    config?: DefenceConfig;
+}
+export interface ThreatFinding {
+    memoryId: number;
+    title: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    threatType: ThreatIndicator;
+    details: string;
+    content_preview: string;
+}
+export interface ScanReport {
+    totalScanned: number;
+    cleanCount: number;
+    suspiciousCount: number;
+    threatsFound: ThreatFinding[];
+    scanDuration: number;
+    summary: string;
+}
+/**
+ * Scan existing memories for signs of poisoning or sensitive data exposure.
+ */
+export declare function scanExistingMemories(options?: ScanOptions): ScanReport;
+//# sourceMappingURL=scan-existing.d.ts.map

package/dist/defence/scanner/scan-existing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-existing.d.ts","sourceRoot":"","sources":["../../../src/defence/scanner/scan-existing.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EACV,aAAa,EAEb,eAAe,EAChB,MAAM,aAAa,CAAC;AAKrB,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,aAAa,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,UAAU,EAAE,eAAe,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,UAAU;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAqDD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,CAAC,EAAE,WAAW,GAAG,UAAU,CA+GtE"}

package/dist/defence/scanner/scan-existing.js

@@ -0,0 +1,136 @@
+/**
+ * Retroactive Memory Scanner
+ *
+ * Scans existing memories in the database for signs of poisoning,
+ * injection attacks, or sensitive data stored in plain text.
+ * "Is Your AI Agent Compromised?"
+ */
+import { getDatabase } from '../../database/init.js';
+import { analyzeFirewall } from '../firewall/index.js';
+import { classifySensitivity } from '../sensitivity/index.js';
+import { DEFAULT_DEFENCE_CONFIG } from '../types.js';
+const BATCH_SIZE = 100;
+/**
+ * Parse a source string like "user:direct" into a DefenceSource.
+ */
+function parseSource(raw) {
+    if (!raw || !raw.includes(':')) {
+        return { type: 'user', identifier: 'direct' };
+    }
+    const [type, ...rest] = raw.split(':');
+    const validTypes = new Set(['user', 'email', 'web', 'agent', 'file', 'api']);
+    return {
+        type: (validTypes.has(type) ? type : 'user'),
+        identifier: rest.join(':') || 'direct',
+    };
+}
+/**
+ * Map firewall result + threat indicators to a severity level.
+ */
+function deriveSeverity(firewallResult, indicators) {
+    if (firewallResult === 'BLOCK') {
+        if (indicators.includes('instruction_injection') || indicators.includes('credential_leak')) {
+            return 'critical';
+        }
+        return 'high';
+    }
+    if (firewallResult === 'QUARANTINE') {
+        if (indicators.includes('instruction_injection')) {
+            return 'high';
+        }
+        return 'medium';
+    }
+    return 'low';
+}
+/**
+ * Scan existing memories for signs of poisoning or sensitive data exposure.
+ */
+export function scanExistingMemories(options) {
+    const startTime = Date.now();
+    const config = options?.config ?? DEFAULT_DEFENCE_CONFIG;
+    const limit = options?.limit ?? 1000;
+    const project = options?.project;
+    const db = getDatabase();
+    // Build query
+    let query = 'SELECT id, title, content, project, trust_score, sensitivity_level, source FROM memories';
+    const params = [];
+    if (project) {
+        query += ' WHERE project = ?';
+        params.push(project);
+    }
+    query += ' ORDER BY id ASC LIMIT ?';
+    params.push(limit);
+    const allRows = db.prepare(query).all(...params);
+    const threatsFound = [];
+    // Process in batches
+    for (let i = 0; i < allRows.length; i += BATCH_SIZE) {
+        const batch = allRows.slice(i, i + BATCH_SIZE);
+        for (const row of batch) {
+            const source = parseSource(row.source);
+            const trustScore = row.trust_score ?? 1.0;
+            const preview = row.content.slice(0, 100);
+            // Run firewall analysis
+            const firewall = analyzeFirewall(row.content, row.title, source, trustScore, config);
+            // Collect threats from firewall
+            if (firewall.result === 'BLOCK' || firewall.result === 'QUARANTINE') {
+                for (const indicator of firewall.threatIndicators) {
+                    threatsFound.push({
+                        memoryId: row.id,
+                        title: row.title,
+                        severity: deriveSeverity(firewall.result, firewall.threatIndicators),
+                        threatType: indicator,
+                        details: firewall.reason,
+                        content_preview: preview,
+                    });
+                }
+                // If no specific indicators but still blocked/quarantined (e.g. high anomaly)
+                if (firewall.threatIndicators.length === 0) {
+                    threatsFound.push({
+                        memoryId: row.id,
+                        title: row.title,
+                        severity: firewall.result === 'BLOCK' ? 'high' : 'medium',
+                        threatType: 'instruction_injection', // fallback indicator
+                        details: firewall.reason,
+                        content_preview: preview,
+                    });
+                }
+            }
+            // Run sensitivity classification
+            const sensitivity = classifySensitivity(row.content, row.title);
+            // Flag RESTRICTED content stored in plain text
+            if (sensitivity.level === 'RESTRICTED') {
+                threatsFound.push({
+                    memoryId: row.id,
+                    title: row.title,
+                    severity: 'high',
+                    threatType: 'credential_leak',
+                    details: `RESTRICTED sensitivity content stored in plain text. Detected patterns: ${sensitivity.detectedPatterns.join(', ')}`,
+                    content_preview: preview,
+                });
+            }
+        }
+    }
+    const totalScanned = allRows.length;
+    // Count unique memory IDs with threats
+    const suspiciousIds = new Set(threatsFound.map((t) => t.memoryId));
+    const suspiciousCount = suspiciousIds.size;
+    const cleanCount = totalScanned - suspiciousCount;
+    // Build severity counts for summary
+    const severityCounts = { critical: 0, high: 0, medium: 0, low: 0 };
+    for (const t of threatsFound) {
+        severityCounts[t.severity]++;
+    }
+    const summary = `Scanned ${totalScanned} memories. Found ${threatsFound.length} threats ` +
+        `(${severityCounts.critical} critical, ${severityCounts.high} high, ` +
+        `${severityCounts.medium} medium, ${severityCounts.low} low). ` +
+        `${cleanCount} clean.`;
+    return {
+        totalScanned,
+        cleanCount,
+        suspiciousCount,
+        threatsFound,
+        scanDuration: Date.now() - startTime,
+        summary,
+    };
+}
+//# sourceMappingURL=scan-existing.js.map

package/dist/defence/scanner/scan-existing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-existing.js","sourceRoot":"","sources":["../../../src/defence/scanner/scan-existing.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAM9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAwCrD,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB;;GAEG;AACH,SAAS,WAAW,CAAC,GAAkB;IACrC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;IAC7E,OAAO;QACL,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAA0B;QACrE,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ;KACvC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,cAAsB,EACtB,UAA6B;IAE7B,IAAI,cAAc,KAAK,OAAO,EAAE,CAAC;QAC/B,IAAI,UAAU,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC3F,OAAO,UAAU,CAAC;QACpB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,cAAc,KAAK,YAAY,EAAE,CAAC;QACpC,IAAI,UAAU,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACjD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAqB;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,sBAAsB,CAAC;IACzD,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC;IACrC,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;IAEjC,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IAEzB,cAAc;IACd,IAAI,KAAK,GAAG,0FAA0F,CAAC;IACvG,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,IAAI,oBAAoB,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,IAAI,0BAA0B,CAAC;IACpC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEnB,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAgB,CAAC;IAEhE,MAAM,YAAY,GAAoB,EAAE,CAAC;IAEzC,qBAAqB;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC;QAE/C,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,UAAU,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC;YAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAE1C,wBAAwB;YACxB,MAAM,QAAQ,GAAG,eAAe,CAC9B,GAAG,CAAC,OAAO,EACX,GAAG,CAAC,KAAK,EACT,MAAM,EACN,UAAU,EACV,MAAM,CACP,CAAC;YAEF,gCAAgC;YAChC,IAAI,QAAQ,CAAC,MAAM,KAAK,OAAO,IAAI,QAAQ,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBACpE,KAAK,MAAM,SAAS,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;oBAClD,YAAY,CAAC,IAAI,CAAC;wBAChB,QAAQ,EAAE,GAAG,CAAC,EAAE;wBAChB,KAAK,EAAE,GAAG,CAAC,KAAK;wBAChB,QAAQ,EAAE,cAAc,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC;wBACpE,UAAU,EAAE,SAAS;wBACrB,OAAO,EAAE,QAAQ,CAAC,MAAM;wBACxB,eAAe,EAAE,OAAO;qBACzB,CAAC,CAAC;gBACL,CAAC;gBAED,8EAA8E;gBAC9E,IAAI,QAAQ,CAAC,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC3C,YAAY,CAAC,IAAI,CAAC;wBAChB,QAAQ,EAAE,GAAG,CAAC,EAAE;wBAChB,KAAK,EAAE,GAAG,CAAC,KAAK;wBAChB,QAAQ,EAAE,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;wBACzD,UAAU,EAAE,uBAAuB,EAAE,qBAAqB;wBAC1D,OAAO,EAAE,QAAQ,CAAC,MAAM;wBACxB,eAAe,EAAE,OAAO;qBACzB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;YAEhE,+CAA+C;YAC/C,IAAI,WAAW,CAAC,KAAK,KAAK,YAAY,EAAE,CAAC;gBACvC,YAAY,CAAC,IAAI,CAAC;oBAChB,QAAQ,EAAE,GAAG,CAAC,EAAE;oBAChB,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,QAAQ,EAAE,MAAM;oBAChB,UAAU,EAAE,iBAAiB;oBAC7B,OAAO,EAAE,2EAA2E,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;oBAC7H,eAAe,EAAE,OAAO;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IACpC,uCAAuC;IACvC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IACnE,MAAM,eAAe,GAAG,aAAa,CAAC,IAAI,CAAC;IAC3C,MAAM,UAAU,GAAG,YAAY,GAAG,eAAe,CAAC;IAElD,oCAAoC;IACpC,MAAM,cAAc,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IACnE,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC/B,CAAC;IAED,MAAM,OAAO,GACX,WAAW,YAAY,oBAAoB,YAAY,CAAC,MAAM,WAAW;QACzE,IAAI,cAAc,CAAC,QAAQ,cAAc,cAAc,CAAC,IAAI,SAAS;QACrE,GAAG,cAAc,CAAC,MAAM,YAAY,cAAc,CAAC,GAAG,SAAS;QAC/D,GAAG,UAAU,SAAS,CAAC;IAEzB,OAAO;QACL,YAAY;QACZ,UAAU;QACV,eAAe;QACf,YAAY;QACZ,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QACpC,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/defence/sensitivity/classifier.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Content sensitivity classifier.
+ */
+import type { SensitivityClassification } from '../types.js';
+export declare function classifyContent(content: string, title: string): SensitivityClassification;
+//# sourceMappingURL=classifier.d.ts.map

package/dist/defence/sensitivity/classifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"classifier.d.ts","sourceRoot":"","sources":["../../../src/defence/sensitivity/classifier.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,yBAAyB,EAAoB,MAAM,aAAa,CAAC;AA2B/E,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,yBAAyB,CAkC3B"}

package/dist/defence/sensitivity/classifier.js

@@ -0,0 +1,50 @@
+/**
+ * Content sensitivity classifier.
+ */
+import { RESTRICTED_PATTERNS, CONFIDENTIAL_PATTERNS, INTERNAL_PATTERNS, } from './patterns.js';
+function matchPatterns(text, patterns) {
+    const labels = [];
+    let maxWeight = 0;
+    for (const { pattern, label, weight } of patterns) {
+        // Reset lastIndex for global regexes
+        pattern.lastIndex = 0;
+        if (pattern.test(text)) {
+            labels.push(label);
+            if (weight > maxWeight)
+                maxWeight = weight;
+        }
+    }
+    return { labels, maxWeight };
+}
+export function classifyContent(content, title) {
+    const text = `${title}\n${content}`;
+    const allLabels = [];
+    let level = 'PUBLIC';
+    let confidence = 0.5;
+    // Check in priority order: RESTRICTED > CONFIDENTIAL > INTERNAL
+    const restricted = matchPatterns(text, RESTRICTED_PATTERNS);
+    allLabels.push(...restricted.labels);
+    const confidential = matchPatterns(text, CONFIDENTIAL_PATTERNS);
+    allLabels.push(...confidential.labels);
+    const internal = matchPatterns(text, INTERNAL_PATTERNS);
+    allLabels.push(...internal.labels);
+    if (restricted.labels.length > 0) {
+        level = 'RESTRICTED';
+        confidence = restricted.maxWeight;
+    }
+    else if (confidential.labels.length > 0) {
+        level = 'CONFIDENTIAL';
+        confidence = confidential.maxWeight;
+    }
+    else if (internal.labels.length > 0) {
+        level = 'INTERNAL';
+        confidence = internal.maxWeight;
+    }
+    return {
+        level,
+        confidence,
+        detectedPatterns: allLabels,
+        redactionRequired: level === 'RESTRICTED',
+    };
+}
+//# sourceMappingURL=classifier.js.map

package/dist/defence/sensitivity/classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"classifier.js","sourceRoot":"","sources":["../../../src/defence/sensitivity/classifier.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,iBAAiB,GAElB,MAAM,eAAe,CAAC;AAEvB,SAAS,aAAa,CACpB,IAAY,EACZ,QAA8B;IAE9B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;QAClD,qCAAqC;QACrC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnB,IAAI,MAAM,GAAG,SAAS;gBAAE,SAAS,GAAG,MAAM,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAAe,EACf,KAAa;IAEb,MAAM,IAAI,GAAG,GAAG,KAAK,KAAK,OAAO,EAAE,CAAC;IAEpC,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,IAAI,KAAK,GAAqB,QAAQ,CAAC;IACvC,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,gEAAgE;IAChE,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IAC5D,SAAS,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;IAChE,SAAS,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IACxD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEnC,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,KAAK,GAAG,YAAY,CAAC;QACrB,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC;IACpC,CAAC;SAAM,IAAI,YAAY,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,KAAK,GAAG,cAAc,CAAC;QACvB,UAAU,GAAG,YAAY,CAAC,SAAS,CAAC;IACtC,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,KAAK,GAAG,UAAU,CAAC;QACnB,UAAU,GAAG,QAAQ,CAAC,SAAS,CAAC;IAClC,CAAC;IAED,OAAO;QACL,KAAK;QACL,UAAU;QACV,gBAAgB,EAAE,SAAS;QAC3B,iBAAiB,EAAE,KAAK,KAAK,YAAY;KAC1C,CAAC;AACJ,CAAC"}

package/dist/defence/sensitivity/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Sensitivity classification and redaction.
+ */
+import type { SensitivityClassification } from '../types.js';
+export { redactContent, redactForDisplay } from './redaction.js';
+export { classifyContent } from './classifier.js';
+/**
+ * Classify content sensitivity — convenience wrapper around classifyContent.
+ */
+export declare function classifySensitivity(content: string, title: string): SensitivityClassification;
+//# sourceMappingURL=index.d.ts.map

package/dist/defence/sensitivity/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/defence/sensitivity/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAG7D,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,yBAAyB,CAE3B"}

package/dist/defence/sensitivity/index.js

@@ -0,0 +1,13 @@
+/**
+ * Sensitivity classification and redaction.
+ */
+import { classifyContent } from './classifier.js';
+export { redactContent, redactForDisplay } from './redaction.js';
+export { classifyContent } from './classifier.js';
+/**
+ * Classify content sensitivity — convenience wrapper around classifyContent.
+ */
+export function classifySensitivity(content, title) {
+    return classifyContent(content, title);
+}
+//# sourceMappingURL=index.js.map

package/dist/defence/sensitivity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/defence/sensitivity/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAe,EACf,KAAa;IAEb,OAAO,eAAe,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;AACzC,CAAC"}

package/dist/defence/sensitivity/patterns.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Detection patterns for sensitive content classification.
+ *
+ * Each pattern set is ordered by priority: RESTRICTED > CONFIDENTIAL > INTERNAL.
+ */
+export interface SensitivityPattern {
+    pattern: RegExp;
+    label: string;
+    weight: number;
+}
+export declare const RESTRICTED_PATTERNS: SensitivityPattern[];
+export declare const CONFIDENTIAL_PATTERNS: SensitivityPattern[];
+export declare const INTERNAL_PATTERNS: SensitivityPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/defence/sensitivity/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/defence/sensitivity/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAID,eAAO,MAAM,mBAAmB,EAAE,kBAAkB,EAiCnD,CAAC;AAIF,eAAO,MAAM,qBAAqB,EAAE,kBAAkB,EAqBrD,CAAC;AAIF,eAAO,MAAM,iBAAiB,EAAE,kBAAkB,EAgBjD,CAAC"}

package/dist/defence/sensitivity/patterns.js

@@ -0,0 +1,67 @@
+/**
+ * Detection patterns for sensitive content classification.
+ *
+ * Each pattern set is ordered by priority: RESTRICTED > CONFIDENTIAL > INTERNAL.
+ */
+// ── RESTRICTED — credentials, secrets, PII that must never leak ──
+export const RESTRICTED_PATTERNS = [
+    // Passwords
+    { pattern: /password\s*[:=]\s*\S+/gi, label: 'password', weight: 0.95 },
+    { pattern: /passwd\s*[:=]\s*\S+/gi, label: 'password', weight: 0.95 },
+    // AWS keys
+    { pattern: /AKIA[0-9A-Z]{16}/g, label: 'aws-access-key', weight: 0.99 },
+    { pattern: /aws_secret_access_key\s*[:=]\s*\S+/gi, label: 'aws-secret-key', weight: 0.99 },
+    // GitHub tokens
+    { pattern: /gh[ps]_[A-Za-z0-9_]{36,}/g, label: 'github-token', weight: 0.98 },
+    { pattern: /github_pat_[A-Za-z0-9_]{22,}/g, label: 'github-pat', weight: 0.98 },
+    // Stripe keys
+    { pattern: /sk_live_[A-Za-z0-9]{24,}/g, label: 'stripe-secret-key', weight: 0.98 },
+    { pattern: /rk_live_[A-Za-z0-9]{24,}/g, label: 'stripe-restricted-key', weight: 0.98 },
+    // Generic API keys
+    { pattern: /api[_-]?key\s*[:=]\s*\S+/gi, label: 'api-key', weight: 0.90 },
+    { pattern: /api[_-]?secret\s*[:=]\s*\S+/gi, label: 'api-secret', weight: 0.92 },
+    { pattern: /bearer\s+[A-Za-z0-9\-._~+/]+=*/gi, label: 'bearer-token', weight: 0.90 },
+    // Private keys
+    { pattern: /-----BEGIN RSA PRIVATE KEY-----/g, label: 'rsa-private-key', weight: 1.0 },
+    { pattern: /-----BEGIN EC PRIVATE KEY-----/g, label: 'ec-private-key', weight: 1.0 },
+    { pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/g, label: 'pgp-private-key', weight: 1.0 },
+    { pattern: /-----BEGIN PRIVATE KEY-----/g, label: 'private-key', weight: 1.0 },
+    // SSN
+    { pattern: /\b\d{3}-\d{2}-\d{4}\b/g, label: 'ssn', weight: 0.93 },
+    // Credit card numbers (basic Luhn-length patterns)
+    { pattern: /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g, label: 'credit-card', weight: 0.95 },
+];
+// ── CONFIDENTIAL — personal / financial data ──
+export const CONFIDENTIAL_PATTERNS = [
+    // Email addresses
+    { pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, label: 'email-address', weight: 0.75 },
+    // Phone numbers
+    { pattern: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, label: 'phone-number', weight: 0.70 },
+    { pattern: /\b\+44\s?\d{4}\s?\d{6}\b/g, label: 'uk-phone-number', weight: 0.70 },
+    // Physical addresses (street number + street name pattern)
+    { pattern: /\b\d{1,5}\s[A-Z][a-z]+(?:\s[A-Z][a-z]+)*\s(?:Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd|Drive|Dr|Lane|Ln|Court|Ct)\b/g, label: 'physical-address', weight: 0.72 },
+    // Financial — account numbers, sort codes, IBANs
+    { pattern: /\baccount\s*(?:number|no|#)\s*[:=]?\s*\d{6,}/gi, label: 'account-number', weight: 0.85 },
+    { pattern: /\bsort\s*code\s*[:=]?\s*\d{2}-?\d{2}-?\d{2}\b/gi, label: 'sort-code', weight: 0.85 },
+    { pattern: /\b[A-Z]{2}\d{2}[A-Z0-9]{4}\d{7}(?:[A-Z0-9]{0,16})\b/g, label: 'iban', weight: 0.88 },
+    // Personal names with identifiers
+    { pattern: /\b(?:patient|employee|client|customer)\s*(?:id|#|number)\s*[:=]?\s*\S+/gi, label: 'personal-identifier', weight: 0.80 },
+    // Medical terms
+    { pattern: /\b(?:diagnosis|prescription|medication|treatment|symptoms?|blood\s*type|allergies|medical\s*record)\b/gi, label: 'medical-term', weight: 0.65 },
+];
+// ── INTERNAL — org-internal references ──
+export const INTERNAL_PATTERNS = [
+    // Internal URLs
+    { pattern: /https?:\/\/localhost[:\d]*/g, label: 'localhost-url', weight: 0.55 },
+    { pattern: /https?:\/\/[a-zA-Z0-9.-]+\.local\b/g, label: 'local-domain', weight: 0.55 },
+    { pattern: /https?:\/\/[a-zA-Z0-9.-]+\.internal\b/g, label: 'internal-domain', weight: 0.55 },
+    // Internal file paths
+    { pattern: /(?:\/(?:home|Users)\/\w+\/|C:\\Users\\\w+\\)/g, label: 'internal-path', weight: 0.50 },
+    // Project names with internal identifiers
+    { pattern: /\b(?:PROJ|INT|PRIV)-\d{3,}/g, label: 'internal-project-id', weight: 0.55 },
+    { pattern: /\bjira[:\s]+[A-Z]+-\d+\b/gi, label: 'internal-ticket', weight: 0.50 },
+    // Meeting notes / draft markers
+    { pattern: /\b(?:meeting\s*notes?|standup|retro(?:spective)?|sprint\s*review)\b/gi, label: 'meeting-notes', weight: 0.45 },
+    { pattern: /\b(?:DRAFT|INTERNAL(?:\s+ONLY)?|DO NOT (?:SHARE|DISTRIBUTE))\b/gi, label: 'internal-label', weight: 0.60 },
+];
+//# sourceMappingURL=patterns.js.map

package/dist/defence/sensitivity/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/defence/sensitivity/patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,oEAAoE;AAEpE,MAAM,CAAC,MAAM,mBAAmB,GAAyB;IACvD,YAAY;IACZ,EAAE,OAAO,EAAE,yBAAyB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE;IACvE,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE;IAErE,WAAW;IACX,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE;IACvE,EAAE,OAAO,EAAE,sCAAsC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE;IAE1F,gBAAgB;IAChB,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE;IAC7E,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE;IAE/E,cAAc;IACd,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,mBAAmB,EAAE,MAAM,EAAE,IAAI,EAAE;IAClF,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,uBAAuB,EAAE,MAAM,EAAE,IAAI,EAAE;IAEtF,mBAAmB;IACnB,EAAE,OAAO,EAAE,4BAA4B,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE;IACzE,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE;IAC/E,EAAE,OAAO,EAAE,kCAAkC,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE;IAEpF,eAAe;IACf,EAAE,OAAO,EAAE,kCAAkC,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,EAAE;IACtF,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,GAAG,EAAE;IACpF,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,EAAE;IAC5F,EAAE,OAAO,EAAE,8BAA8B,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE;IAE9E,MAAM;IACN,EAAE,OAAO,EAAE,wBAAwB,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE;IAEjE,mDAAmD;IACnD,EAAE,OAAO,EAAE,sFAAsF,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE;CACxI,CAAC;AAEF,iDAAiD;AAEjD,MAAM,CAAC,MAAM,qBAAqB,GAAyB;IACzD,kBAAkB;IAClB,EAAE,OAAO,EAAE,iDAAiD,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE;IAEpG,gBAAgB;IAChB,EAAE,OAAO,EAAE,0DAA0D,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE;IAC5G,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE;IAEhF,2DAA2D;IAC3D,EAAE,OAAO,EAAE,wHAAwH,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE;IAE9K,iDAAiD;IACjD,EAAE,OAAO,EAAE,gDAAgD,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE;IACpG,EAAE,OAAO,EAAE,iDAAiD,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE;IAChG,EAAE,OAAO,EAAE,sDAAsD,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE;IAEhG,kCAAkC;IAClC,EAAE,OAAO,EAAE,0EAA0E,EAAE,KAAK,EAAE,qBAAqB,EAAE,MAAM,EAAE,IAAI,EAAE;IAEnI,gBAAgB;IAChB,EAAE,OAAO,EAAE,yGAAyG,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE;CAC5J,CAAC;AAEF,2CAA2C;AAE3C,MAAM,CAAC,MAAM,iBAAiB,GAAyB;IACrD,gBAAgB;IAChB,EAAE,OAAO,EAAE,6BAA6B,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE;IAChF,EAAE,OAAO,EAAE,qCAAqC,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE;IACvF,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE;IAE7F,sBAAsB;IACtB,EAAE,OAAO,EAAE,+CAA+C,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE;IAElG,0CAA0C;IAC1C,EAAE,OAAO,EAAE,6BAA6B,EAAE,KAAK,EAAE,qBAAqB,EAAE,MAAM,EAAE,IAAI,EAAE;IACtF,EAAE,OAAO,EAAE,4BAA4B,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE;IAEjF,gCAAgC;IAChC,EAAE,OAAO,EAAE,uEAAuE,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE;IAC1H,EAAE,OAAO,EAAE,kEAAkE,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE;CACvH,CAAC"}

package/dist/defence/sensitivity/redaction.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Content redaction utilities.
+ */
+import type { SensitivityLevel } from '../types.js';
+/**
+ * Replace all RESTRICTED pattern matches with [REDACTED].
+ */
+export declare function redactContent(content: string): string;
+/**
+ * Redact content appropriate to its sensitivity level.
+ *
+ * - RESTRICTED: fully redact all restricted patterns
+ * - CONFIDENTIAL: partially mask confidential patterns (show first/last chars)
+ * - INTERNAL / PUBLIC: return as-is
+ */
+export declare function redactForDisplay(content: string, level: SensitivityLevel): string;
+//# sourceMappingURL=redaction.d.ts.map

package/dist/defence/sensitivity/redaction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../../src/defence/sensitivity/redaction.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGpD;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAUrD;AAWD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,gBAAgB,GACtB,MAAM,CAeR"}

package/dist/defence/sensitivity/redaction.js

@@ -0,0 +1,47 @@
+/**
+ * Content redaction utilities.
+ */
+import { RESTRICTED_PATTERNS, CONFIDENTIAL_PATTERNS } from './patterns.js';
+/**
+ * Replace all RESTRICTED pattern matches with [REDACTED].
+ */
+export function redactContent(content) {
+    let result = content;
+    for (const { pattern } of RESTRICTED_PATTERNS) {
+        // Clone the regex to avoid shared lastIndex state
+        const re = new RegExp(pattern.source, pattern.flags);
+        result = result.replace(re, '[REDACTED]');
+    }
+    return result;
+}
+/**
+ * Partially mask a string: show first and last characters, mask the middle.
+ * For strings <= 4 chars, mask everything.
+ */
+function partialMask(value) {
+    if (value.length <= 4)
+        return '*'.repeat(value.length);
+    return value[0] + '*'.repeat(value.length - 2) + value[value.length - 1];
+}
+/**
+ * Redact content appropriate to its sensitivity level.
+ *
+ * - RESTRICTED: fully redact all restricted patterns
+ * - CONFIDENTIAL: partially mask confidential patterns (show first/last chars)
+ * - INTERNAL / PUBLIC: return as-is
+ */
+export function redactForDisplay(content, level) {
+    if (level === 'RESTRICTED') {
+        return redactContent(content);
+    }
+    if (level === 'CONFIDENTIAL') {
+        let result = content;
+        for (const { pattern } of CONFIDENTIAL_PATTERNS) {
+            const re = new RegExp(pattern.source, pattern.flags);
+            result = result.replace(re, (match) => partialMask(match));
+        }
+        return result;
+    }
+    return content;
+}
+//# sourceMappingURL=redaction.js.map

package/dist/defence/sensitivity/redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redaction.js","sourceRoot":"","sources":["../../../src/defence/sensitivity/redaction.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAE3E;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,IAAI,MAAM,GAAG,OAAO,CAAC;IAErB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,mBAAmB,EAAE,CAAC;QAC9C,kDAAkD;QAClD,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACvD,OAAO,KAAK,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,KAAuB;IAEvB,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;QAC3B,OAAO,aAAa,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,KAAK,KAAK,cAAc,EAAE,CAAC;QAC7B,IAAI,MAAM,GAAG,OAAO,CAAC;QACrB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,qBAAqB,EAAE,CAAC;YAChD,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;YACrD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/defence/trust/index.d.ts

@@ -0,0 +1,3 @@
+export { scoreSource } from './source-scorer.js';
+export { filterByTrust } from './recall-filter.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/defence/trust/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/defence/trust/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/defence/trust/index.js

@@ -0,0 +1,3 @@
+export { scoreSource } from './source-scorer.js';
+export { filterByTrust } from './recall-filter.js';
+//# sourceMappingURL=index.js.map

package/dist/defence/trust/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/defence/trust/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/defence/trust/recall-filter.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Recall filter — filters recall results by trust score and sensitivity.
+ */
+export declare function filterByTrust<T extends {
+    trust_score?: number;
+    sensitivity_level?: string;
+    content?: string;
+    metadata?: Record<string, unknown>;
+}>(results: T[], minTrust: number, context?: string): T[];
+//# sourceMappingURL=recall-filter.d.ts.map

package/dist/defence/trust/recall-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recall-filter.d.ts","sourceRoot":"","sources":["../../../src/defence/trust/recall-filter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,wBAAgB,aAAa,CAC3B,CAAC,SAAS;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,EACD,OAAO,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE,CAqCvD"}

package/dist/defence/trust/recall-filter.js

@@ -0,0 +1,38 @@
+/**
+ * Recall filter — filters recall results by trust score and sensitivity.
+ */
+export function filterByTrust(results, minTrust, context) {
+    return results
+        .filter((item) => {
+        const score = item.trust_score ?? 0;
+        // Never return quarantined items
+        if (score === 0)
+            return false;
+        // Filter below minimum trust
+        if (score < minTrust)
+            return false;
+        // CONFIDENTIAL: only include if context matches
+        if (item.sensitivity_level === 'CONFIDENTIAL') {
+            if (!context || item.metadata?.context !== context)
+                return false;
+        }
+        return true;
+    })
+        .map((item) => {
+        const score = item.trust_score ?? 0;
+        let result = item;
+        // RESTRICTED: redact content
+        if (item.sensitivity_level === 'RESTRICTED') {
+            result = { ...result, content: '[REDACTED - RESTRICTED]' };
+        }
+        // Low trust: mark as unverified
+        if (score < 0.5) {
+            result = {
+                ...result,
+                metadata: { ...result.metadata, unverified: true },
+            };
+        }
+        return result;
+    });
+}
+//# sourceMappingURL=recall-filter.js.map

package/dist/defence/trust/recall-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"recall-filter.js","sourceRoot":"","sources":["../../../src/defence/trust/recall-filter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,UAAU,aAAa,CAO3B,OAAY,EAAE,QAAgB,EAAE,OAAgB;IAChD,OAAO,OAAO;SACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC;QAEpC,iCAAiC;QACjC,IAAI,KAAK,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAE9B,6BAA6B;QAC7B,IAAI,KAAK,GAAG,QAAQ;YAAE,OAAO,KAAK,CAAC;QAEnC,gDAAgD;QAChD,IAAI,IAAI,CAAC,iBAAiB,KAAK,cAAc,EAAE,CAAC;YAC9C,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,OAAO,KAAK,OAAO;gBAAE,OAAO,KAAK,CAAC;QACnE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;SACD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACZ,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,GAAG,IAAI,CAAC;QAElB,6BAA6B;QAC7B,IAAI,IAAI,CAAC,iBAAiB,KAAK,YAAY,EAAE,CAAC;YAC5C,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC;QAC7D,CAAC;QAED,gCAAgC;QAChC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAChB,MAAM,GAAG;gBACP,GAAG,MAAM;gBACT,QAAQ,EAAE,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE;aACnD,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/defence/trust/source-scorer.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Trust source scorer — assigns trust levels based on memory source.
+ */
+import type { DefenceSource, TrustScore } from '../types.js';
+export declare function scoreSource(source: DefenceSource): TrustScore;
+//# sourceMappingURL=source-scorer.d.ts.map

package/dist/defence/trust/source-scorer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-scorer.d.ts","sourceRoot":"","sources":["../../../src/defence/trust/source-scorer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAgB7D,wBAAgB,WAAW,CAAC,MAAM,EAAE,aAAa,GAAG,UAAU,CAkB7D"}

package/dist/defence/trust/source-scorer.js

@@ -0,0 +1,34 @@
+/**
+ * Trust source scorer — assigns trust levels based on memory source.
+ */
+const BASE_SCORES = {
+    'user:direct': 1.0,
+    'user:approved': 0.9,
+};
+const TYPE_SCORES = {
+    user: 0.9,
+    api: 0.7,
+    file: 0.6,
+    email: 0.4,
+    web: 0.3,
+    agent: 0.1,
+};
+export function scoreSource(source) {
+    const key = `${source.type}:${source.identifier}`;
+    const score = BASE_SCORES[key] ?? TYPE_SCORES[source.type] ?? 0;
+    return {
+        score,
+        source,
+        hierarchy: [
+            'user:direct = 1.0',
+            'user:approved = 0.9',
+            'api:* = 0.7',
+            'file:* = 0.6',
+            'email:* = 0.4',
+            'web:* = 0.3',
+            'agent:* = 0.1',
+            `>> ${key} = ${score}`,
+        ],
+    };
+}
+//# sourceMappingURL=source-scorer.js.map

package/dist/defence/trust/source-scorer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-scorer.js","sourceRoot":"","sources":["../../../src/defence/trust/source-scorer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,WAAW,GAA2B;IAC1C,aAAa,EAAE,GAAG;IAClB,eAAe,EAAE,GAAG;CACrB,CAAC;AAEF,MAAM,WAAW,GAA0C;IACzD,IAAI,EAAE,GAAG;IACT,GAAG,EAAE,GAAG;IACR,IAAI,EAAE,GAAG;IACT,KAAK,EAAE,GAAG;IACV,GAAG,EAAE,GAAG;IACR,KAAK,EAAE,GAAG;CACX,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,MAAqB;IAC/C,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;IAClD,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhE,OAAO;QACL,KAAK;QACL,MAAM;QACN,SAAS,EAAE;YACT,mBAAmB;YACnB,qBAAqB;YACrB,aAAa;YACb,cAAc;YACd,eAAe;YACf,aAAa;YACb,eAAe;YACf,MAAM,GAAG,MAAM,KAAK,EAAE;SACvB;KACF,CAAC;AACJ,CAAC"}