taintguard 0.1.3

package/README.md

@@ -0,0 +1,35 @@
+**⚠️ Experimental – Not for production**
+
+This package is a *reference implementation / idea starter* for span-based taint tracking and guardrails around LLM prompts. It is **not** a drop-in security control and comes **without guarantees**. Use it for exploration, prototypes, or as a basis for your own hardened implementation.  
+For any production use, perform your own threat modeling, add comprehensive tests, and combine with defense-in-depth controls (rate limiting, moderation, output validation, allowlists, human review, etc.).
+
+# taintguard
+
+Span-based taint tracking for LLM prompts (TypeScript-first).
+Keep untrusted text from hijacking system instructions or tools. Fence low-trust data, enforce policies before the call, guard the stream token-by-token, and gate tool use by provenance.
+
+## Why taintguard?
+
+Prompt injection thrives on mixing instructions with data. Regex-only filters are brittle. taintguard labels every text span with a trust level (root/trusted/low/unknown).
+
+## Features
+
+🧩 Span provenance: per-span trust + origin (system|user|rag|tool)  
+🧱 Prompt fencing: XML-like <DATA trust="low">…</DATA> by default  
+🔎 Preflight detection: jailbreak/role-hijack/“developer mode”/tool-trigger patterns  
+💧 Leakage controls: deny lists for API keys, passwords, tokens  
+📡 Streaming guards: token-wise mask/drop to avoid echoing risky text  
+🔐 Tool gating: allow/deny lists; elevation required for sensitive tools  
+🌍 Language packs: English & German rules out of the box  
+🧪 Property tests: adversarial fuzzing (zero-width, homoglyphs, spacing) with fast-check
+
+## Quick Start
+
+```bash
+pnpm i
+pnpm build
+pnpm test
+```
+
+Branch Code Coverage: 79.48%  
+License: MIT

package/dist/index.cjs

@@ -0,0 +1,313 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  Context: () => Context,
+  auditedTool: () => auditedTool,
+  combinedRules: () => combinedRules,
+  compilePrompt: () => compilePrompt,
+  context: () => context,
+  deInjectionPhrases: () => deInjectionPhrases,
+  deLeakage: () => deLeakage,
+  deRules: () => deRules,
+  defineRules: () => defineRules,
+  emitAudit: () => emitAudit,
+  enInjectionPhrases: () => enInjectionPhrases,
+  enLeakage: () => enLeakage,
+  enRules: () => enRules,
+  guardedOpenAIChat: () => guardedOpenAIChat,
+  normalize: () => normalize,
+  preflight: () => preflight,
+  spanViolations: () => spanViolations,
+  streamGuard: () => streamGuard
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/core/context.ts
+var Context = class {
+  messages = [];
+  add(role, text, trust, origin, meta) {
+    const span = { text, trust, origin, meta };
+    this.messages.push({ role, spans: [span] });
+    return this;
+  }
+  addSystem(text, opts) {
+    return this.add("system", text, opts?.trust ?? "root", "system");
+  }
+  addUser(text, opts) {
+    return this.add("user", text, opts?.trust ?? "low", "user");
+  }
+  addRag(text, opts) {
+    return this.add("user", text, opts?.trust ?? "trusted", "rag", opts?.meta);
+  }
+  list() {
+    return this.messages;
+  }
+};
+var context = () => new Context();
+
+// src/core/homoglyph.ts
+var MAP = {
+  "\u0430": "a",
+  // Cyrillic a -> Latin a
+  "\uFF45": "e",
+  // fullwidth e -> e
+  "\u0456": "i",
+  // Cyrillic i -> i
+  "\u043E": "o",
+  "\u0440": "p",
+  "\u0455": "s",
+  "\u0443": "y",
+  "\u0475": "v",
+  "\uFF1A": ":",
+  "\uFF0F": "/",
+  "\uFF0D": "-",
+  "\uFF3F": "_"
+};
+var foldHomoglyphs = (s) => s.replace(
+  /[аеіорѕуѵ：／－＿]/g,
+  (ch) => MAP[ch] ?? ch
+);
+
+// src/core/normalizer.ts
+var normalize = (s) => foldHomoglyphs(
+  s.normalize("NFKC").replace(/[​-‍]/g, "")
+  // zero-width
+).toLowerCase();
+
+// src/core/detector.ts
+function spanViolations(span, rules) {
+  const n = normalize(span.text);
+  const applicable = rules.filter((r) => r.when.from === span.trust);
+  const denies = applicable.flatMap((r) => r.deny.map((d) => typeof d === "string" ? new RegExp(d, "i") : d));
+  return denies.filter((re) => re.test(n)).map((re) => re.toString());
+}
+
+// src/core/rules.ts
+var defineRules = (r) => r;
+
+// src/core/renderer.ts
+var fenceSpan = (s) => {
+  if (s.trust === "low") return `<DATA trust="low" origin="${s.origin}">${s.text}</DATA>`;
+  if (s.trust === "trusted") return `<DATA trust="trusted" origin="${s.origin}">${s.text}</DATA>`;
+  return s.text;
+};
+function compilePrompt(messages, opts) {
+  const parts = [];
+  for (const m of messages) {
+    for (const s of m.spans) {
+      parts.push(opts?.fenceLowTrust ? fenceSpan(s) : s.text);
+    }
+  }
+  const prompt = parts.join("\n\n");
+  const provenance = messages.flatMap((m) => m.spans.map((s) => ({ trust: s.trust, origin: s.origin })));
+  return { prompt, provenance };
+}
+
+// src/core/guard.ts
+function preflight(messages, rules) {
+  const inj = rules.injections ?? [];
+  const v = [];
+  for (const m of messages) for (const s of m.spans) {
+    const hits = spanViolations(s, inj);
+    if (hits.length) v.push({ code: "INJECTION", message: `Denied patterns: ${hits.join(", ")}`, span: s });
+  }
+  return v;
+}
+function streamGuard(onTokenRules) {
+  const patterns = onTokenRules.denyLeakage ?? [];
+  return (tok) => {
+    if (patterns.some((r) => r.test(tok))) return "mask";
+    if (/ignore previous|you are now|override|entwicklermodus|du bist jetzt/i.test(tok)) return "drop";
+    return "pass";
+  };
+}
+
+// src/core/audit.ts
+function isDebugEnabled() {
+  try {
+    const anyGlobal = globalThis;
+    const dbg = anyGlobal?.process?.env?.DEBUG ?? anyGlobal?.DEBUG ?? "";
+    return typeof dbg === "string" && dbg.includes("taintguard");
+  } catch {
+    return false;
+  }
+}
+function emitAudit(e) {
+  if (isDebugEnabled() && typeof console !== "undefined" && typeof console.debug === "function") {
+    console.debug("[audit]", e.type, e.data);
+  }
+}
+
+// src/tools/auditedTool.ts
+function auditedTool(name, requiredTrust, impl) {
+  return async (args, ctx) => {
+    if (ctx.minTrust === "low") throw new Error(`TOOL_FORBIDDEN:${name}`);
+    if (requiredTrust === "trusted" && ctx.minTrust !== "trusted" && ctx.minTrust !== "root")
+      throw new Error(`TOOL_ELEVATION_REQUIRED:${name}`);
+    return impl(args);
+  };
+}
+
+// src/adapters/openai.ts
+async function guardedOpenAIChat(fetchImpl, endpoint, apiKey, messages, rules) {
+  const violations = preflight(messages, rules);
+  if (violations.length) throw new Error(`GuardViolation:${JSON.stringify(violations)}`);
+  const { prompt } = compilePrompt(messages, { fenceLowTrust: true });
+  const res = await fetchImpl(endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "Authorization": `Bearer ${apiKey}` },
+    body: JSON.stringify({ model: "gpt-5", messages: [{ role: "user", content: prompt }] })
+  });
+  return res;
+}
+
+// src/packs/en.ts
+var enInjectionPhrases = [
+  /ignore previous/i,
+  /previous instructions/i,
+  /ignore (all|the)? previous (instructions|messages)/i,
+  /disregard (all )?(rules|instructions)/i,
+  /you are now/i,
+  /act as/i,
+  /override (the )?(system|policy)/i,
+  /reset (the )?system prompt/i,
+  /developer mode/i,
+  /disable (safety|guardrails|filters)/i,
+  /call function/i,
+  /use tool/i,
+  /run tool/i,
+  /function call/i,
+  /use function/i,
+  /output raw text/i,
+  /answer (only|strictly) in/i,
+  /return unfiltered/i,
+  /do anything now/i,
+  /dan (mode)?/i,
+  /jailbreak/i,
+  /hypothetical/i,
+  /write a story about/i,
+  /simulate/i,
+  /repeat (the )?system prompt/i,
+  /reveal (your )?(prompt|instructions)/i,
+  /without ethics/i,
+  /in character as/i,
+  /\[?SYSTEM\b.+\]?/i,
+  /as a (text|fictional) model/i,
+  /print the instructions/i
+];
+var enLeakage = [
+  /api[_ -]?key/i,
+  /secret/i,
+  /password/i,
+  /bearer\s+[a-z0-9\-_\.]+/i,
+  /private token/i,
+  /client[_ -]?secret/i
+];
+var enRules = defineRules({
+  injections: [
+    { when: { from: "low" }, deny: enInjectionPhrases },
+    { when: { from: "unknown" }, deny: enInjectionPhrases }
+  ],
+  outputs: { denyLeakage: enLeakage }
+});
+
+// src/packs/de.ts
+var deInjectionPhrases = [
+  /ignoriere vorherige/i,
+  /ignoriere (alle|die)? (vorherigen|bisherigen) (anweisungen|nachrichten)/i,
+  /missachte (alle )?(regeln|anweisungen)/i,
+  /du bist jetzt/i,
+  /tue so als ob|ag(iere)? als/i,
+  /überschreibe (den )?(system|policy)-prompt/i,
+  /setze den system[- ]?prompt zurück/i,
+  /entwicklermodus|developer[- ]?mode/i,
+  /sicherheit (deaktivieren|abschalten)/i,
+  /funktion (ausführen|verwenden|aufrufen|callen)/i,
+  /rohen? text ausgeben|ohne json antworten/i,
+  /ungefiltert zurückgeben/i,
+  /handle als ob|gib vor zu sein/i,
+  /ändere deine (persönlichkeit|rolle)/i,
+  /verhalte dich wie/i,
+  /geh über (deine )?(grenzen|einschränkungen) hinaus/i,
+  /zeige mir den (original|geheim)-prompt/i,
+  /zeige (den )?(inhalt|text|daten) ungefiltert/i,
+  /gib (alles|eine )?(alternative|verbotene) antwort/i,
+  /(antworte|sag) das (folgende|genau|jetzt|untenstehende)/i,
+  /deaktiviere (deine )?(zensur|filter|ethik)/i,
+  /was ist der (erste|anfangs) teil (deiner)? anweisung/i,
+  /gib den (ursprünglichen|systemischen) befehl aus/i,
+  /füge (den )?(folgenden )?text ein/i,
+  /verletzt du deine (regeln|richtlinien)/i,
+  /mach (eine|etwas) (gefährliche|illegale|verbotene) ausgabe/i,
+  /verstecke diese (anweisung|nachricht)/i,
+  /tarn(e)? dich als/i,
+  /(schalt|deaktivier) den sicherheitsmodus ab/i,
+  /systembeschränkungen (umgehen|ignoriere)/i
+];
+var deLeakage = [
+  /api[_ -]?schl(ü|u)ssel/i,
+  /passwort/i,
+  /geheime?s? token/i,
+  /bearer\s+[a-z0-9\-_\.]+/i,
+  /client[_ -]?secret/i
+];
+var deRules = defineRules({
+  injections: [
+    { when: { from: "low" }, deny: deInjectionPhrases },
+    { when: { from: "unknown" }, deny: deInjectionPhrases }
+  ],
+  outputs: { denyLeakage: deLeakage }
+});
+
+// src/packs/index.ts
+var combinedRules = (lang = "both") => {
+  switch (lang) {
+    case "de":
+      return { lang, packs: ["de"] };
+    case "en":
+      return { lang, packs: ["en"] };
+    default:
+      return { lang, packs: ["de", "en"] };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  Context,
+  auditedTool,
+  combinedRules,
+  compilePrompt,
+  context,
+  deInjectionPhrases,
+  deLeakage,
+  deRules,
+  defineRules,
+  emitAudit,
+  enInjectionPhrases,
+  enLeakage,
+  enRules,
+  guardedOpenAIChat,
+  normalize,
+  preflight,
+  spanViolations,
+  streamGuard
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/core/context.ts","../src/core/homoglyph.ts","../src/core/normalizer.ts","../src/core/detector.ts","../src/core/rules.ts","../src/core/renderer.ts","../src/core/guard.ts","../src/core/audit.ts","../src/tools/auditedTool.ts","../src/adapters/openai.ts","../src/packs/en.ts","../src/packs/de.ts","../src/packs/index.ts"],"sourcesContent":["export * from \"./core/types.js\";\nexport * from \"./core/context.js\";\nexport * from \"./core/normalizer.js\";\nexport * from \"./core/detector.js\";\nexport * from \"./core/rules.js\";\nexport * from \"./core/renderer.js\";\nexport * from \"./core/guard.js\";\nexport * from \"./core/audit.js\";\nexport * from \"./tools/auditedTool.js\";\nexport * from \"./adapters/openai.js\";\nexport * from \"./packs/index.js\";\n","import { Message, Span, Trust } from \"./types.js\";\n\nexport class Context {\n  private messages: Message[] = [];\n  add(role: Message[\"role\"], text: string, trust: Trust, origin: Span[\"origin\"], meta?: Span[\"meta\"]) {\n    const span: Span = { text, trust, origin, meta };\n    this.messages.push({ role, spans: [span] });\n    return this;\n  }\n  addSystem(text: string, opts?: { trust?: Trust }) { return this.add(\"system\", text, opts?.trust ?? \"root\", \"system\"); }\n  addUser(text: string, opts?: { trust?: Trust }) { return this.add(\"user\", text, opts?.trust ?? \"low\", \"user\"); }\n  addRag(text: string, opts?: { trust?: Trust, meta?: any }) { return this.add(\"user\", text, opts?.trust ?? \"trusted\", \"rag\", opts?.meta); }\n  list() { return this.messages; }\n}\nexport const context = () => new Context();\n","const MAP: Record<string, string> = {\n  \"а\": \"a\", // Cyrillic a -> Latin a\n  \"ｅ\": \"e\", // fullwidth e -> e\n  \"і\": \"i\", // Cyrillic i -> i\n  \"о\": \"o\",\n  \"р\": \"p\",\n  \"ѕ\": \"s\",\n  \"у\": \"y\",\n  \"ѵ\": \"v\",\n  \"：\": \":\", \n  \"／\": \"/\", \n  \"－\": \"-\", \n  \"＿\": \"_\"\n};\nexport const foldHomoglyphs = (s: string) => s.replace(\n  /[аеіорѕуѵ：／－＿]/g,\n  (ch) => MAP[ch] ?? ch\n);\n","import { foldHomoglyphs } from \"./homoglyph.js\";\n\nexport const normalize = (s: string) =>\n  foldHomoglyphs(\n    s.normalize(\"NFKC\")\n     .replace(/[​-‍]/g, \"\") // zero-width\n  ).toLowerCase();\n","import { Span, InjectionRule } from \"./types.js\";\nimport { normalize } from \"./normalizer.js\";\n\nexport function spanViolations(span: Span, rules: InjectionRule[]): string[] {\n  const n = normalize(span.text);\n  const applicable = rules.filter(r => r.when.from === span.trust);\n  const denies = applicable.flatMap(r => r.deny.map(d => (typeof d === \"string\" ? new RegExp(d, \"i\") : d)));\n  return denies.filter(re => re.test(n)).map(re => re.toString());\n}\n","import { Rules } from \"./types.js\";\nexport const defineRules = (r: Rules) => r;\n","import { Message, Span } from \"./types.js\";\n\nconst fenceSpan = (s: Span) => {\n  if (s.trust === \"low\") return `<DATA trust=\"low\" origin=\"${s.origin}\">${s.text}</DATA>`;\n  if (s.trust === \"trusted\") return `<DATA trust=\"trusted\" origin=\"${s.origin}\">${s.text}</DATA>`;\n  return s.text;\n};\n\nexport function compilePrompt(messages: Message[], opts?: { fenceLowTrust?: boolean; hashSystem?: boolean }) {\n  const parts: string[] = [];\n  for (const m of messages) {\n    for (const s of m.spans) {\n      parts.push(opts?.fenceLowTrust ? fenceSpan(s) : s.text);\n    }\n  }\n  const prompt = parts.join(\"\\n\\n\");\n  const provenance = messages.flatMap(m => m.spans.map(s => ({ trust: s.trust, origin: s.origin })));\n  return { prompt, provenance };\n}\n","import { Message, Rules, Violation } from \"./types.js\";\nimport { spanViolations } from \"./detector.js\";\n\nexport function preflight(messages: Message[], rules: Rules): Violation[] {\n  const inj = rules.injections ?? [];\n  const v: Violation[] = [];\n  for (const m of messages) for (const s of m.spans) {\n    const hits = spanViolations(s, inj);\n    if (hits.length) v.push({ code: \"INJECTION\", message: `Denied patterns: ${hits.join(\", \")}`, span: s });\n  }\n  return v;\n}\n\nexport type StreamAction = \"pass\" | \"mask\" | \"drop\" | \"abort\";\nexport type OnToken = (tok: string) => StreamAction;\n\nexport function streamGuard(onTokenRules: { denyLeakage?: RegExp[] }) {\n  const patterns = onTokenRules.denyLeakage ?? [];\n  return (tok: string): StreamAction => {\n    if (patterns.some(r => r.test(tok))) return \"mask\";\n    if (/ignore previous|you are now|override|entwicklermodus|du bist jetzt/i.test(tok)) return \"drop\";\n    return \"pass\";\n  };\n}\n","export type AuditEvent = {\n  type: \"violation\" | \"tool\" | \"prompt\";\n  data: any;\n};\n\nfunction isDebugEnabled(): boolean {\n  try {\n    const anyGlobal: any = (globalThis as any);\n    const dbg = anyGlobal?.process?.env?.DEBUG ?? anyGlobal?.DEBUG ?? \"\";\n    return typeof dbg === \"string\" && dbg.includes(\"taintguard\");\n  } catch {\n    return false;\n  }\n}\n\nexport function emitAudit(e: AuditEvent) {\n  if (isDebugEnabled() && typeof console !== \"undefined\" && typeof console.debug === \"function\") {\n    console.debug(\"[audit]\", e.type, e.data);\n  }\n}\n","import { Trust } from \"../core/types.js\";\n\nexport function auditedTool<TArgs extends object>(\n  name: string,\n  requiredTrust: Exclude<Trust, \"low\">,\n  impl: (args: TArgs) => Promise<any>\n) {\n  return async (args: TArgs, ctx: { minTrust: Trust; why?: string; evidence?: string[] }) => {\n    if (ctx.minTrust === \"low\") throw new Error(`TOOL_FORBIDDEN:${name}`);\n    if (requiredTrust === \"trusted\" && ctx.minTrust !== \"trusted\" && ctx.minTrust !== \"root\")\n      throw new Error(`TOOL_ELEVATION_REQUIRED:${name}`);\n    return impl(args);\n  };\n}\n","import { preflight } from \"../core/guard.js\";\nimport { compilePrompt } from \"../core/renderer.js\";\nimport { Rules, Message } from \"../core/types.js\";\n\nexport async function guardedOpenAIChat(fetchImpl: typeof fetch, endpoint: string, apiKey: string, messages: Message[], rules: Rules) {\n  const violations = preflight(messages, rules);\n  if (violations.length) throw new Error(`GuardViolation:${JSON.stringify(violations)}`);\n  const { prompt } = compilePrompt(messages, { fenceLowTrust: true });\n\n  const res = await fetchImpl(endpoint, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\", \"Authorization\": `Bearer ${apiKey}` },\n    body: JSON.stringify({ model: \"gpt-5\", messages: [{ role: \"user\", content: prompt }] })\n  });\n  return res;\n}\n","import { defineRules } from \"../core/rules.js\";\nimport { Rules } from \"../core/types.js\";\n\nexport const enInjectionPhrases: (RegExp | string)[] = [\n  /ignore previous/i,\n  /previous instructions/i,\n  /ignore (all|the)? previous (instructions|messages)/i,\n  /disregard (all )?(rules|instructions)/i,\n  /you are now/i,\n  /act as/i,\n  /override (the )?(system|policy)/i,\n  /reset (the )?system prompt/i,\n  /developer mode/i,\n  /disable (safety|guardrails|filters)/i,\n  /call function/i, /use tool/i, /run tool/i, /function call/i, /use function/i,\n  /output raw text/i, /answer (only|strictly) in/i,\n  /return unfiltered/i,\n  /do anything now/i,\n  /dan (mode)?/i,\n  /jailbreak/i,\n  /hypothetical/i,\n  /write a story about/i,\n  /simulate/i,\n  /repeat (the )?system prompt/i,\n  /reveal (your )?(prompt|instructions)/i,\n  /without ethics/i,\n  /in character as/i,\n  /\\[?SYSTEM\\b.+\\]?/i,\n  /as a (text|fictional) model/i,\n  /print the instructions/i\n];\n\nexport const enLeakage: RegExp[] = [\n  /api[_ -]?key/i, /secret/i, /password/i, /bearer\\s+[a-z0-9\\-_\\.]+/i,\n  /private token/i, /client[_ -]?secret/i,\n];\n\nexport const enRules: Rules = defineRules({\n  injections: [\n    { when: { from: \"low\" }, deny: enInjectionPhrases },\n    { when: { from: \"unknown\" }, deny: enInjectionPhrases },\n  ],\n  outputs: { denyLeakage: enLeakage }\n});\n","import { defineRules } from \"../core/rules.js\";\nimport { Rules } from \"../core/types.js\";\n\nexport const deInjectionPhrases: (RegExp | string)[] = [\n  /ignoriere vorherige/i,\n  /ignoriere (alle|die)? (vorherigen|bisherigen) (anweisungen|nachrichten)/i,\n  /missachte (alle )?(regeln|anweisungen)/i,\n  /du bist jetzt/i,\n  /tue so als ob|ag(iere)? als/i,\n  /überschreibe (den )?(system|policy)-prompt/i,\n  /setze den system[- ]?prompt zurück/i,\n  /entwicklermodus|developer[- ]?mode/i,\n  /sicherheit (deaktivieren|abschalten)/i,\n  /funktion (ausführen|verwenden|aufrufen|callen)/i,\n  /rohen? text ausgeben|ohne json antworten/i,\n  /ungefiltert zurückgeben/i,\n  /handle als ob|gib vor zu sein/i,\n  /ändere deine (persönlichkeit|rolle)/i,\n  /verhalte dich wie/i,\n  /geh über (deine )?(grenzen|einschränkungen) hinaus/i,\n  /zeige mir den (original|geheim)-prompt/i,\n  /zeige (den )?(inhalt|text|daten) ungefiltert/i,\n  /gib (alles|eine )?(alternative|verbotene) antwort/i,\n  /(antworte|sag) das (folgende|genau|jetzt|untenstehende)/i,\n  /deaktiviere (deine )?(zensur|filter|ethik)/i,\n  /was ist der (erste|anfangs) teil (deiner)? anweisung/i,\n  /gib den (ursprünglichen|systemischen) befehl aus/i,\n  /füge (den )?(folgenden )?text ein/i,\n  /verletzt du deine (regeln|richtlinien)/i,\n  /mach (eine|etwas) (gefährliche|illegale|verbotene) ausgabe/i,\n  /verstecke diese (anweisung|nachricht)/i,\n  /tarn(e)? dich als/i,\n  /(schalt|deaktivier) den sicherheitsmodus ab/i,\n  /systembeschränkungen (umgehen|ignoriere)/i,\n];\n\nexport const deLeakage: RegExp[] = [\n  /api[_ -]?schl(ü|u)ssel/i, /passwort/i, /geheime?s? token/i,\n  /bearer\\s+[a-z0-9\\-_\\.]+/i, /client[_ -]?secret/i,\n];\n\nexport const deRules: Rules = defineRules({\n  injections: [\n    { when: { from: \"low\" }, deny: deInjectionPhrases },\n    { when: { from: \"unknown\" }, deny: deInjectionPhrases },\n  ],\n  outputs: { denyLeakage: deLeakage }\n});\n","export * from \"./en.js\";\nexport * from \"./de.js\";\n\nexport const combinedRules = (lang: \"de\" | \"en\" | \"both\" = \"both\") => {\n  switch (lang) {\n    case \"de\": return { lang, packs: [\"de\"] as const };\n    case \"en\": return { lang, packs: [\"en\"] as const };\n    default:   return { lang, packs: [\"de\",\"en\"] as const };\n  }\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEO,IAAM,UAAN,MAAc;AAAA,EACX,WAAsB,CAAC;AAAA,EAC/B,IAAI,MAAuB,MAAc,OAAc,QAAwB,MAAqB;AAClG,UAAM,OAAa,EAAE,MAAM,OAAO,QAAQ,KAAK;AAC/C,SAAK,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;AAC1C,WAAO;AAAA,EACT;AAAA,EACA,UAAU,MAAc,MAA0B;AAAE,WAAO,KAAK,IAAI,UAAU,MAAM,MAAM,SAAS,QAAQ,QAAQ;AAAA,EAAG;AAAA,EACtH,QAAQ,MAAc,MAA0B;AAAE,WAAO,KAAK,IAAI,QAAQ,MAAM,MAAM,SAAS,OAAO,MAAM;AAAA,EAAG;AAAA,EAC/G,OAAO,MAAc,MAAsC;AAAE,WAAO,KAAK,IAAI,QAAQ,MAAM,MAAM,SAAS,WAAW,OAAO,MAAM,IAAI;AAAA,EAAG;AAAA,EACzI,OAAO;AAAE,WAAO,KAAK;AAAA,EAAU;AACjC;AACO,IAAM,UAAU,MAAM,IAAI,QAAQ;;;ACdzC,IAAM,MAA8B;AAAA,EAClC,UAAK;AAAA;AAAA,EACL,UAAK;AAAA;AAAA,EACL,UAAK;AAAA;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AACP;AACO,IAAM,iBAAiB,CAAC,MAAc,EAAE;AAAA,EAC7C;AAAA,EACA,CAAC,OAAO,IAAI,EAAE,KAAK;AACrB;;;ACfO,IAAM,YAAY,CAAC,MACxB;AAAA,EACE,EAAE,UAAU,MAAM,EAChB,QAAQ,WAAW,EAAE;AAAA;AACzB,EAAE,YAAY;;;ACHT,SAAS,eAAe,MAAY,OAAkC;AAC3E,QAAM,IAAI,UAAU,KAAK,IAAI;AAC7B,QAAM,aAAa,MAAM,OAAO,OAAK,EAAE,KAAK,SAAS,KAAK,KAAK;AAC/D,QAAM,SAAS,WAAW,QAAQ,OAAK,EAAE,KAAK,IAAI,OAAM,OAAO,MAAM,WAAW,IAAI,OAAO,GAAG,GAAG,IAAI,CAAE,CAAC;AACxG,SAAO,OAAO,OAAO,QAAM,GAAG,KAAK,CAAC,CAAC,EAAE,IAAI,QAAM,GAAG,SAAS,CAAC;AAChE;;;ACPO,IAAM,cAAc,CAAC,MAAa;;;ACCzC,IAAM,YAAY,CAAC,MAAY;AAC7B,MAAI,EAAE,UAAU,MAAO,QAAO,6BAA6B,EAAE,MAAM,KAAK,EAAE,IAAI;AAC9E,MAAI,EAAE,UAAU,UAAW,QAAO,iCAAiC,EAAE,MAAM,KAAK,EAAE,IAAI;AACtF,SAAO,EAAE;AACX;AAEO,SAAS,cAAc,UAAqB,MAA0D;AAC3G,QAAM,QAAkB,CAAC;AACzB,aAAW,KAAK,UAAU;AACxB,eAAW,KAAK,EAAE,OAAO;AACvB,YAAM,KAAK,MAAM,gBAAgB,UAAU,CAAC,IAAI,EAAE,IAAI;AAAA,IACxD;AAAA,EACF;AACA,QAAM,SAAS,MAAM,KAAK,MAAM;AAChC,QAAM,aAAa,SAAS,QAAQ,OAAK,EAAE,MAAM,IAAI,QAAM,EAAE,OAAO,EAAE,OAAO,QAAQ,EAAE,OAAO,EAAE,CAAC;AACjG,SAAO,EAAE,QAAQ,WAAW;AAC9B;;;ACfO,SAAS,UAAU,UAAqB,OAA2B;AACxE,QAAM,MAAM,MAAM,cAAc,CAAC;AACjC,QAAM,IAAiB,CAAC;AACxB,aAAW,KAAK,SAAU,YAAW,KAAK,EAAE,OAAO;AACjD,UAAM,OAAO,eAAe,GAAG,GAAG;AAClC,QAAI,KAAK,OAAQ,GAAE,KAAK,EAAE,MAAM,aAAa,SAAS,oBAAoB,KAAK,KAAK,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC;AAAA,EACxG;AACA,SAAO;AACT;AAKO,SAAS,YAAY,cAA0C;AACpE,QAAM,WAAW,aAAa,eAAe,CAAC;AAC9C,SAAO,CAAC,QAA8B;AACpC,QAAI,SAAS,KAAK,OAAK,EAAE,KAAK,GAAG,CAAC,EAAG,QAAO;AAC5C,QAAI,sEAAsE,KAAK,GAAG,EAAG,QAAO;AAC5F,WAAO;AAAA,EACT;AACF;;;AClBA,SAAS,iBAA0B;AACjC,MAAI;AACF,UAAM,YAAkB;AACxB,UAAM,MAAM,WAAW,SAAS,KAAK,SAAS,WAAW,SAAS;AAClE,WAAO,OAAO,QAAQ,YAAY,IAAI,SAAS,YAAY;AAAA,EAC7D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,UAAU,GAAe;AACvC,MAAI,eAAe,KAAK,OAAO,YAAY,eAAe,OAAO,QAAQ,UAAU,YAAY;AAC7F,YAAQ,MAAM,WAAW,EAAE,MAAM,EAAE,IAAI;AAAA,EACzC;AACF;;;ACjBO,SAAS,YACd,MACA,eACA,MACA;AACA,SAAO,OAAO,MAAa,QAAgE;AACzF,QAAI,IAAI,aAAa,MAAO,OAAM,IAAI,MAAM,kBAAkB,IAAI,EAAE;AACpE,QAAI,kBAAkB,aAAa,IAAI,aAAa,aAAa,IAAI,aAAa;AAChF,YAAM,IAAI,MAAM,2BAA2B,IAAI,EAAE;AACnD,WAAO,KAAK,IAAI;AAAA,EAClB;AACF;;;ACTA,eAAsB,kBAAkB,WAAyB,UAAkB,QAAgB,UAAqB,OAAc;AACpI,QAAM,aAAa,UAAU,UAAU,KAAK;AAC5C,MAAI,WAAW,OAAQ,OAAM,IAAI,MAAM,kBAAkB,KAAK,UAAU,UAAU,CAAC,EAAE;AACrF,QAAM,EAAE,OAAO,IAAI,cAAc,UAAU,EAAE,eAAe,KAAK,CAAC;AAElE,QAAM,MAAM,MAAM,UAAU,UAAU;AAAA,IACpC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oBAAoB,iBAAiB,UAAU,MAAM,GAAG;AAAA,IACnF,MAAM,KAAK,UAAU,EAAE,OAAO,SAAS,UAAU,CAAC,EAAE,MAAM,QAAQ,SAAS,OAAO,CAAC,EAAE,CAAC;AAAA,EACxF,CAAC;AACD,SAAO;AACT;;;ACZO,IAAM,qBAA0C;AAAA,EACrD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAAkB;AAAA,EAAa;AAAA,EAAa;AAAA,EAAkB;AAAA,EAC9D;AAAA,EAAoB;AAAA,EACpB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,YAAsB;AAAA,EACjC;AAAA,EAAiB;AAAA,EAAW;AAAA,EAAa;AAAA,EACzC;AAAA,EAAkB;AACpB;AAEO,IAAM,UAAiB,YAAY;AAAA,EACxC,YAAY;AAAA,IACV,EAAE,MAAM,EAAE,MAAM,MAAM,GAAG,MAAM,mBAAmB;AAAA,IAClD,EAAE,MAAM,EAAE,MAAM,UAAU,GAAG,MAAM,mBAAmB;AAAA,EACxD;AAAA,EACA,SAAS,EAAE,aAAa,UAAU;AACpC,CAAC;;;ACxCM,IAAM,qBAA0C;AAAA,EACrD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,YAAsB;AAAA,EACjC;AAAA,EAA2B;AAAA,EAAa;AAAA,EACxC;AAAA,EAA4B;AAC9B;AAEO,IAAM,UAAiB,YAAY;AAAA,EACxC,YAAY;AAAA,IACV,EAAE,MAAM,EAAE,MAAM,MAAM,GAAG,MAAM,mBAAmB;AAAA,IAClD,EAAE,MAAM,EAAE,MAAM,UAAU,GAAG,MAAM,mBAAmB;AAAA,EACxD;AAAA,EACA,SAAS,EAAE,aAAa,UAAU;AACpC,CAAC;;;AC5CM,IAAM,gBAAgB,CAAC,OAA6B,WAAW;AACpE,UAAQ,MAAM;AAAA,IACZ,KAAK;AAAM,aAAO,EAAE,MAAM,OAAO,CAAC,IAAI,EAAW;AAAA,IACjD,KAAK;AAAM,aAAO,EAAE,MAAM,OAAO,CAAC,IAAI,EAAW;AAAA,IACjD;AAAW,aAAO,EAAE,MAAM,OAAO,CAAC,MAAK,IAAI,EAAW;AAAA,EACxD;AACF;","names":[]}

package/dist/index.d.cts

@@ -0,0 +1,112 @@
+type Trust = "root" | "trusted" | "low" | "unknown";
+type Origin = "system" | "user" | "rag" | "tool";
+type Span = {
+    text: string;
+    trust: Trust;
+    origin: Origin;
+    meta?: Record<string, any>;
+};
+type Message = {
+    role: "system" | "user" | "assistant";
+    spans: Span[];
+};
+type InjectionRule = {
+    when: {
+        from: Trust;
+    };
+    deny: (RegExp | string)[];
+};
+type ToolsRule = {
+    allow?: string[];
+    deny?: string[];
+};
+type OutputRule = {
+    mustBeJson?: boolean;
+    denyLeakage?: RegExp[];
+};
+type Rules = {
+    injections?: InjectionRule[];
+    tools?: ToolsRule;
+    outputs?: OutputRule;
+};
+type Violation = {
+    code: string;
+    message: string;
+    span?: Span;
+};
+
+declare class Context {
+    private messages;
+    add(role: Message["role"], text: string, trust: Trust, origin: Span["origin"], meta?: Span["meta"]): this;
+    addSystem(text: string, opts?: {
+        trust?: Trust;
+    }): this;
+    addUser(text: string, opts?: {
+        trust?: Trust;
+    }): this;
+    addRag(text: string, opts?: {
+        trust?: Trust;
+        meta?: any;
+    }): this;
+    list(): Message[];
+}
+declare const context: () => Context;
+
+declare const normalize: (s: string) => string;
+
+declare function spanViolations(span: Span, rules: InjectionRule[]): string[];
+
+declare const defineRules: (r: Rules) => Rules;
+
+declare function compilePrompt(messages: Message[], opts?: {
+    fenceLowTrust?: boolean;
+    hashSystem?: boolean;
+}): {
+    prompt: string;
+    provenance: {
+        trust: Trust;
+        origin: Origin;
+    }[];
+};
+
+declare function preflight(messages: Message[], rules: Rules): Violation[];
+type StreamAction = "pass" | "mask" | "drop" | "abort";
+type OnToken = (tok: string) => StreamAction;
+declare function streamGuard(onTokenRules: {
+    denyLeakage?: RegExp[];
+}): (tok: string) => StreamAction;
+
+type AuditEvent = {
+    type: "violation" | "tool" | "prompt";
+    data: any;
+};
+declare function emitAudit(e: AuditEvent): void;
+
+declare function auditedTool<TArgs extends object>(name: string, requiredTrust: Exclude<Trust, "low">, impl: (args: TArgs) => Promise<any>): (args: TArgs, ctx: {
+    minTrust: Trust;
+    why?: string;
+    evidence?: string[];
+}) => Promise<any>;
+
+declare function guardedOpenAIChat(fetchImpl: typeof fetch, endpoint: string, apiKey: string, messages: Message[], rules: Rules): Promise<Response>;
+
+declare const enInjectionPhrases: (RegExp | string)[];
+declare const enLeakage: RegExp[];
+declare const enRules: Rules;
+
+declare const deInjectionPhrases: (RegExp | string)[];
+declare const deLeakage: RegExp[];
+declare const deRules: Rules;
+
+declare const combinedRules: (lang?: "de" | "en" | "both") => {
+    lang: "de";
+    packs: readonly ["de"];
+} | {
+    lang: "en";
+    packs: readonly ["en"];
+} | {
+    lang: "both";
+    packs: readonly ["de", "en"];
+};
+
+export { type AuditEvent, Context, type InjectionRule, type Message, type OnToken, type Origin, type OutputRule, type Rules, type Span, type StreamAction, type ToolsRule, type Trust, type Violation, auditedTool, combinedRules, compilePrompt, context, deInjectionPhrases, deLeakage, deRules, defineRules, emitAudit, enInjectionPhrases, enLeakage, enRules, guardedOpenAIChat, normalize, preflight, spanViolations, streamGuard };

package/dist/index.d.ts

@@ -0,0 +1,112 @@
+type Trust = "root" | "trusted" | "low" | "unknown";
+type Origin = "system" | "user" | "rag" | "tool";
+type Span = {
+    text: string;
+    trust: Trust;
+    origin: Origin;
+    meta?: Record<string, any>;
+};
+type Message = {
+    role: "system" | "user" | "assistant";
+    spans: Span[];
+};
+type InjectionRule = {
+    when: {
+        from: Trust;
+    };
+    deny: (RegExp | string)[];
+};
+type ToolsRule = {
+    allow?: string[];
+    deny?: string[];
+};
+type OutputRule = {
+    mustBeJson?: boolean;
+    denyLeakage?: RegExp[];
+};
+type Rules = {
+    injections?: InjectionRule[];
+    tools?: ToolsRule;
+    outputs?: OutputRule;
+};
+type Violation = {
+    code: string;
+    message: string;
+    span?: Span;
+};
+
+declare class Context {
+    private messages;
+    add(role: Message["role"], text: string, trust: Trust, origin: Span["origin"], meta?: Span["meta"]): this;
+    addSystem(text: string, opts?: {
+        trust?: Trust;
+    }): this;
+    addUser(text: string, opts?: {
+        trust?: Trust;
+    }): this;
+    addRag(text: string, opts?: {
+        trust?: Trust;
+        meta?: any;
+    }): this;
+    list(): Message[];
+}
+declare const context: () => Context;
+
+declare const normalize: (s: string) => string;
+
+declare function spanViolations(span: Span, rules: InjectionRule[]): string[];
+
+declare const defineRules: (r: Rules) => Rules;
+
+declare function compilePrompt(messages: Message[], opts?: {
+    fenceLowTrust?: boolean;
+    hashSystem?: boolean;
+}): {
+    prompt: string;
+    provenance: {
+        trust: Trust;
+        origin: Origin;
+    }[];
+};
+
+declare function preflight(messages: Message[], rules: Rules): Violation[];
+type StreamAction = "pass" | "mask" | "drop" | "abort";
+type OnToken = (tok: string) => StreamAction;
+declare function streamGuard(onTokenRules: {
+    denyLeakage?: RegExp[];
+}): (tok: string) => StreamAction;
+
+type AuditEvent = {
+    type: "violation" | "tool" | "prompt";
+    data: any;
+};
+declare function emitAudit(e: AuditEvent): void;
+
+declare function auditedTool<TArgs extends object>(name: string, requiredTrust: Exclude<Trust, "low">, impl: (args: TArgs) => Promise<any>): (args: TArgs, ctx: {
+    minTrust: Trust;
+    why?: string;
+    evidence?: string[];
+}) => Promise<any>;
+
+declare function guardedOpenAIChat(fetchImpl: typeof fetch, endpoint: string, apiKey: string, messages: Message[], rules: Rules): Promise<Response>;
+
+declare const enInjectionPhrases: (RegExp | string)[];
+declare const enLeakage: RegExp[];
+declare const enRules: Rules;
+
+declare const deInjectionPhrases: (RegExp | string)[];
+declare const deLeakage: RegExp[];
+declare const deRules: Rules;
+
+declare const combinedRules: (lang?: "de" | "en" | "both") => {
+    lang: "de";
+    packs: readonly ["de"];
+} | {
+    lang: "en";
+    packs: readonly ["en"];
+} | {
+    lang: "both";
+    packs: readonly ["de", "en"];
+};
+
+export { type AuditEvent, Context, type InjectionRule, type Message, type OnToken, type Origin, type OutputRule, type Rules, type Span, type StreamAction, type ToolsRule, type Trust, type Violation, auditedTool, combinedRules, compilePrompt, context, deInjectionPhrases, deLeakage, deRules, defineRules, emitAudit, enInjectionPhrases, enLeakage, enRules, guardedOpenAIChat, normalize, preflight, spanViolations, streamGuard };

package/dist/index.js

@@ -0,0 +1,269 @@
+// src/core/context.ts
+var Context = class {
+  messages = [];
+  add(role, text, trust, origin, meta) {
+    const span = { text, trust, origin, meta };
+    this.messages.push({ role, spans: [span] });
+    return this;
+  }
+  addSystem(text, opts) {
+    return this.add("system", text, opts?.trust ?? "root", "system");
+  }
+  addUser(text, opts) {
+    return this.add("user", text, opts?.trust ?? "low", "user");
+  }
+  addRag(text, opts) {
+    return this.add("user", text, opts?.trust ?? "trusted", "rag", opts?.meta);
+  }
+  list() {
+    return this.messages;
+  }
+};
+var context = () => new Context();
+
+// src/core/homoglyph.ts
+var MAP = {
+  "\u0430": "a",
+  // Cyrillic a -> Latin a
+  "\uFF45": "e",
+  // fullwidth e -> e
+  "\u0456": "i",
+  // Cyrillic i -> i
+  "\u043E": "o",
+  "\u0440": "p",
+  "\u0455": "s",
+  "\u0443": "y",
+  "\u0475": "v",
+  "\uFF1A": ":",
+  "\uFF0F": "/",
+  "\uFF0D": "-",
+  "\uFF3F": "_"
+};
+var foldHomoglyphs = (s) => s.replace(
+  /[аеіорѕуѵ：／－＿]/g,
+  (ch) => MAP[ch] ?? ch
+);
+
+// src/core/normalizer.ts
+var normalize = (s) => foldHomoglyphs(
+  s.normalize("NFKC").replace(/[​-‍]/g, "")
+  // zero-width
+).toLowerCase();
+
+// src/core/detector.ts
+function spanViolations(span, rules) {
+  const n = normalize(span.text);
+  const applicable = rules.filter((r) => r.when.from === span.trust);
+  const denies = applicable.flatMap((r) => r.deny.map((d) => typeof d === "string" ? new RegExp(d, "i") : d));
+  return denies.filter((re) => re.test(n)).map((re) => re.toString());
+}
+
+// src/core/rules.ts
+var defineRules = (r) => r;
+
+// src/core/renderer.ts
+var fenceSpan = (s) => {
+  if (s.trust === "low") return `<DATA trust="low" origin="${s.origin}">${s.text}</DATA>`;
+  if (s.trust === "trusted") return `<DATA trust="trusted" origin="${s.origin}">${s.text}</DATA>`;
+  return s.text;
+};
+function compilePrompt(messages, opts) {
+  const parts = [];
+  for (const m of messages) {
+    for (const s of m.spans) {
+      parts.push(opts?.fenceLowTrust ? fenceSpan(s) : s.text);
+    }
+  }
+  const prompt = parts.join("\n\n");
+  const provenance = messages.flatMap((m) => m.spans.map((s) => ({ trust: s.trust, origin: s.origin })));
+  return { prompt, provenance };
+}
+
+// src/core/guard.ts
+function preflight(messages, rules) {
+  const inj = rules.injections ?? [];
+  const v = [];
+  for (const m of messages) for (const s of m.spans) {
+    const hits = spanViolations(s, inj);
+    if (hits.length) v.push({ code: "INJECTION", message: `Denied patterns: ${hits.join(", ")}`, span: s });
+  }
+  return v;
+}
+function streamGuard(onTokenRules) {
+  const patterns = onTokenRules.denyLeakage ?? [];
+  return (tok) => {
+    if (patterns.some((r) => r.test(tok))) return "mask";
+    if (/ignore previous|you are now|override|entwicklermodus|du bist jetzt/i.test(tok)) return "drop";
+    return "pass";
+  };
+}
+
+// src/core/audit.ts
+function isDebugEnabled() {
+  try {
+    const anyGlobal = globalThis;
+    const dbg = anyGlobal?.process?.env?.DEBUG ?? anyGlobal?.DEBUG ?? "";
+    return typeof dbg === "string" && dbg.includes("taintguard");
+  } catch {
+    return false;
+  }
+}
+function emitAudit(e) {
+  if (isDebugEnabled() && typeof console !== "undefined" && typeof console.debug === "function") {
+    console.debug("[audit]", e.type, e.data);
+  }
+}
+
+// src/tools/auditedTool.ts
+function auditedTool(name, requiredTrust, impl) {
+  return async (args, ctx) => {
+    if (ctx.minTrust === "low") throw new Error(`TOOL_FORBIDDEN:${name}`);
+    if (requiredTrust === "trusted" && ctx.minTrust !== "trusted" && ctx.minTrust !== "root")
+      throw new Error(`TOOL_ELEVATION_REQUIRED:${name}`);
+    return impl(args);
+  };
+}
+
+// src/adapters/openai.ts
+async function guardedOpenAIChat(fetchImpl, endpoint, apiKey, messages, rules) {
+  const violations = preflight(messages, rules);
+  if (violations.length) throw new Error(`GuardViolation:${JSON.stringify(violations)}`);
+  const { prompt } = compilePrompt(messages, { fenceLowTrust: true });
+  const res = await fetchImpl(endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "Authorization": `Bearer ${apiKey}` },
+    body: JSON.stringify({ model: "gpt-5", messages: [{ role: "user", content: prompt }] })
+  });
+  return res;
+}
+
+// src/packs/en.ts
+var enInjectionPhrases = [
+  /ignore previous/i,
+  /previous instructions/i,
+  /ignore (all|the)? previous (instructions|messages)/i,
+  /disregard (all )?(rules|instructions)/i,
+  /you are now/i,
+  /act as/i,
+  /override (the )?(system|policy)/i,
+  /reset (the )?system prompt/i,
+  /developer mode/i,
+  /disable (safety|guardrails|filters)/i,
+  /call function/i,
+  /use tool/i,
+  /run tool/i,
+  /function call/i,
+  /use function/i,
+  /output raw text/i,
+  /answer (only|strictly) in/i,
+  /return unfiltered/i,
+  /do anything now/i,
+  /dan (mode)?/i,
+  /jailbreak/i,
+  /hypothetical/i,
+  /write a story about/i,
+  /simulate/i,
+  /repeat (the )?system prompt/i,
+  /reveal (your )?(prompt|instructions)/i,
+  /without ethics/i,
+  /in character as/i,
+  /\[?SYSTEM\b.+\]?/i,
+  /as a (text|fictional) model/i,
+  /print the instructions/i
+];
+var enLeakage = [
+  /api[_ -]?key/i,
+  /secret/i,
+  /password/i,
+  /bearer\s+[a-z0-9\-_\.]+/i,
+  /private token/i,
+  /client[_ -]?secret/i
+];
+var enRules = defineRules({
+  injections: [
+    { when: { from: "low" }, deny: enInjectionPhrases },
+    { when: { from: "unknown" }, deny: enInjectionPhrases }
+  ],
+  outputs: { denyLeakage: enLeakage }
+});
+
+// src/packs/de.ts
+var deInjectionPhrases = [
+  /ignoriere vorherige/i,
+  /ignoriere (alle|die)? (vorherigen|bisherigen) (anweisungen|nachrichten)/i,
+  /missachte (alle )?(regeln|anweisungen)/i,
+  /du bist jetzt/i,
+  /tue so als ob|ag(iere)? als/i,
+  /überschreibe (den )?(system|policy)-prompt/i,
+  /setze den system[- ]?prompt zurück/i,
+  /entwicklermodus|developer[- ]?mode/i,
+  /sicherheit (deaktivieren|abschalten)/i,
+  /funktion (ausführen|verwenden|aufrufen|callen)/i,
+  /rohen? text ausgeben|ohne json antworten/i,
+  /ungefiltert zurückgeben/i,
+  /handle als ob|gib vor zu sein/i,
+  /ändere deine (persönlichkeit|rolle)/i,
+  /verhalte dich wie/i,
+  /geh über (deine )?(grenzen|einschränkungen) hinaus/i,
+  /zeige mir den (original|geheim)-prompt/i,
+  /zeige (den )?(inhalt|text|daten) ungefiltert/i,
+  /gib (alles|eine )?(alternative|verbotene) antwort/i,
+  /(antworte|sag) das (folgende|genau|jetzt|untenstehende)/i,
+  /deaktiviere (deine )?(zensur|filter|ethik)/i,
+  /was ist der (erste|anfangs) teil (deiner)? anweisung/i,
+  /gib den (ursprünglichen|systemischen) befehl aus/i,
+  /füge (den )?(folgenden )?text ein/i,
+  /verletzt du deine (regeln|richtlinien)/i,
+  /mach (eine|etwas) (gefährliche|illegale|verbotene) ausgabe/i,
+  /verstecke diese (anweisung|nachricht)/i,
+  /tarn(e)? dich als/i,
+  /(schalt|deaktivier) den sicherheitsmodus ab/i,
+  /systembeschränkungen (umgehen|ignoriere)/i
+];
+var deLeakage = [
+  /api[_ -]?schl(ü|u)ssel/i,
+  /passwort/i,
+  /geheime?s? token/i,
+  /bearer\s+[a-z0-9\-_\.]+/i,
+  /client[_ -]?secret/i
+];
+var deRules = defineRules({
+  injections: [
+    { when: { from: "low" }, deny: deInjectionPhrases },
+    { when: { from: "unknown" }, deny: deInjectionPhrases }
+  ],
+  outputs: { denyLeakage: deLeakage }
+});
+
+// src/packs/index.ts
+var combinedRules = (lang = "both") => {
+  switch (lang) {
+    case "de":
+      return { lang, packs: ["de"] };
+    case "en":
+      return { lang, packs: ["en"] };
+    default:
+      return { lang, packs: ["de", "en"] };
+  }
+};
+export {
+  Context,
+  auditedTool,
+  combinedRules,
+  compilePrompt,
+  context,
+  deInjectionPhrases,
+  deLeakage,
+  deRules,
+  defineRules,
+  emitAudit,
+  enInjectionPhrases,
+  enLeakage,
+  enRules,
+  guardedOpenAIChat,
+  normalize,
+  preflight,
+  spanViolations,
+  streamGuard
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core/context.ts","../src/core/homoglyph.ts","../src/core/normalizer.ts","../src/core/detector.ts","../src/core/rules.ts","../src/core/renderer.ts","../src/core/guard.ts","../src/core/audit.ts","../src/tools/auditedTool.ts","../src/adapters/openai.ts","../src/packs/en.ts","../src/packs/de.ts","../src/packs/index.ts"],"sourcesContent":["import { Message, Span, Trust } from \"./types.js\";\n\nexport class Context {\n  private messages: Message[] = [];\n  add(role: Message[\"role\"], text: string, trust: Trust, origin: Span[\"origin\"], meta?: Span[\"meta\"]) {\n    const span: Span = { text, trust, origin, meta };\n    this.messages.push({ role, spans: [span] });\n    return this;\n  }\n  addSystem(text: string, opts?: { trust?: Trust }) { return this.add(\"system\", text, opts?.trust ?? \"root\", \"system\"); }\n  addUser(text: string, opts?: { trust?: Trust }) { return this.add(\"user\", text, opts?.trust ?? \"low\", \"user\"); }\n  addRag(text: string, opts?: { trust?: Trust, meta?: any }) { return this.add(\"user\", text, opts?.trust ?? \"trusted\", \"rag\", opts?.meta); }\n  list() { return this.messages; }\n}\nexport const context = () => new Context();\n","const MAP: Record<string, string> = {\n  \"а\": \"a\", // Cyrillic a -> Latin a\n  \"ｅ\": \"e\", // fullwidth e -> e\n  \"і\": \"i\", // Cyrillic i -> i\n  \"о\": \"o\",\n  \"р\": \"p\",\n  \"ѕ\": \"s\",\n  \"у\": \"y\",\n  \"ѵ\": \"v\",\n  \"：\": \":\", \n  \"／\": \"/\", \n  \"－\": \"-\", \n  \"＿\": \"_\"\n};\nexport const foldHomoglyphs = (s: string) => s.replace(\n  /[аеіорѕуѵ：／－＿]/g,\n  (ch) => MAP[ch] ?? ch\n);\n","import { foldHomoglyphs } from \"./homoglyph.js\";\n\nexport const normalize = (s: string) =>\n  foldHomoglyphs(\n    s.normalize(\"NFKC\")\n     .replace(/[​-‍]/g, \"\") // zero-width\n  ).toLowerCase();\n","import { Span, InjectionRule } from \"./types.js\";\nimport { normalize } from \"./normalizer.js\";\n\nexport function spanViolations(span: Span, rules: InjectionRule[]): string[] {\n  const n = normalize(span.text);\n  const applicable = rules.filter(r => r.when.from === span.trust);\n  const denies = applicable.flatMap(r => r.deny.map(d => (typeof d === \"string\" ? new RegExp(d, \"i\") : d)));\n  return denies.filter(re => re.test(n)).map(re => re.toString());\n}\n","import { Rules } from \"./types.js\";\nexport const defineRules = (r: Rules) => r;\n","import { Message, Span } from \"./types.js\";\n\nconst fenceSpan = (s: Span) => {\n  if (s.trust === \"low\") return `<DATA trust=\"low\" origin=\"${s.origin}\">${s.text}</DATA>`;\n  if (s.trust === \"trusted\") return `<DATA trust=\"trusted\" origin=\"${s.origin}\">${s.text}</DATA>`;\n  return s.text;\n};\n\nexport function compilePrompt(messages: Message[], opts?: { fenceLowTrust?: boolean; hashSystem?: boolean }) {\n  const parts: string[] = [];\n  for (const m of messages) {\n    for (const s of m.spans) {\n      parts.push(opts?.fenceLowTrust ? fenceSpan(s) : s.text);\n    }\n  }\n  const prompt = parts.join(\"\\n\\n\");\n  const provenance = messages.flatMap(m => m.spans.map(s => ({ trust: s.trust, origin: s.origin })));\n  return { prompt, provenance };\n}\n","import { Message, Rules, Violation } from \"./types.js\";\nimport { spanViolations } from \"./detector.js\";\n\nexport function preflight(messages: Message[], rules: Rules): Violation[] {\n  const inj = rules.injections ?? [];\n  const v: Violation[] = [];\n  for (const m of messages) for (const s of m.spans) {\n    const hits = spanViolations(s, inj);\n    if (hits.length) v.push({ code: \"INJECTION\", message: `Denied patterns: ${hits.join(\", \")}`, span: s });\n  }\n  return v;\n}\n\nexport type StreamAction = \"pass\" | \"mask\" | \"drop\" | \"abort\";\nexport type OnToken = (tok: string) => StreamAction;\n\nexport function streamGuard(onTokenRules: { denyLeakage?: RegExp[] }) {\n  const patterns = onTokenRules.denyLeakage ?? [];\n  return (tok: string): StreamAction => {\n    if (patterns.some(r => r.test(tok))) return \"mask\";\n    if (/ignore previous|you are now|override|entwicklermodus|du bist jetzt/i.test(tok)) return \"drop\";\n    return \"pass\";\n  };\n}\n","export type AuditEvent = {\n  type: \"violation\" | \"tool\" | \"prompt\";\n  data: any;\n};\n\nfunction isDebugEnabled(): boolean {\n  try {\n    const anyGlobal: any = (globalThis as any);\n    const dbg = anyGlobal?.process?.env?.DEBUG ?? anyGlobal?.DEBUG ?? \"\";\n    return typeof dbg === \"string\" && dbg.includes(\"taintguard\");\n  } catch {\n    return false;\n  }\n}\n\nexport function emitAudit(e: AuditEvent) {\n  if (isDebugEnabled() && typeof console !== \"undefined\" && typeof console.debug === \"function\") {\n    console.debug(\"[audit]\", e.type, e.data);\n  }\n}\n","import { Trust } from \"../core/types.js\";\n\nexport function auditedTool<TArgs extends object>(\n  name: string,\n  requiredTrust: Exclude<Trust, \"low\">,\n  impl: (args: TArgs) => Promise<any>\n) {\n  return async (args: TArgs, ctx: { minTrust: Trust; why?: string; evidence?: string[] }) => {\n    if (ctx.minTrust === \"low\") throw new Error(`TOOL_FORBIDDEN:${name}`);\n    if (requiredTrust === \"trusted\" && ctx.minTrust !== \"trusted\" && ctx.minTrust !== \"root\")\n      throw new Error(`TOOL_ELEVATION_REQUIRED:${name}`);\n    return impl(args);\n  };\n}\n","import { preflight } from \"../core/guard.js\";\nimport { compilePrompt } from \"../core/renderer.js\";\nimport { Rules, Message } from \"../core/types.js\";\n\nexport async function guardedOpenAIChat(fetchImpl: typeof fetch, endpoint: string, apiKey: string, messages: Message[], rules: Rules) {\n  const violations = preflight(messages, rules);\n  if (violations.length) throw new Error(`GuardViolation:${JSON.stringify(violations)}`);\n  const { prompt } = compilePrompt(messages, { fenceLowTrust: true });\n\n  const res = await fetchImpl(endpoint, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\", \"Authorization\": `Bearer ${apiKey}` },\n    body: JSON.stringify({ model: \"gpt-5\", messages: [{ role: \"user\", content: prompt }] })\n  });\n  return res;\n}\n","import { defineRules } from \"../core/rules.js\";\nimport { Rules } from \"../core/types.js\";\n\nexport const enInjectionPhrases: (RegExp | string)[] = [\n  /ignore previous/i,\n  /previous instructions/i,\n  /ignore (all|the)? previous (instructions|messages)/i,\n  /disregard (all )?(rules|instructions)/i,\n  /you are now/i,\n  /act as/i,\n  /override (the )?(system|policy)/i,\n  /reset (the )?system prompt/i,\n  /developer mode/i,\n  /disable (safety|guardrails|filters)/i,\n  /call function/i, /use tool/i, /run tool/i, /function call/i, /use function/i,\n  /output raw text/i, /answer (only|strictly) in/i,\n  /return unfiltered/i,\n  /do anything now/i,\n  /dan (mode)?/i,\n  /jailbreak/i,\n  /hypothetical/i,\n  /write a story about/i,\n  /simulate/i,\n  /repeat (the )?system prompt/i,\n  /reveal (your )?(prompt|instructions)/i,\n  /without ethics/i,\n  /in character as/i,\n  /\\[?SYSTEM\\b.+\\]?/i,\n  /as a (text|fictional) model/i,\n  /print the instructions/i\n];\n\nexport const enLeakage: RegExp[] = [\n  /api[_ -]?key/i, /secret/i, /password/i, /bearer\\s+[a-z0-9\\-_\\.]+/i,\n  /private token/i, /client[_ -]?secret/i,\n];\n\nexport const enRules: Rules = defineRules({\n  injections: [\n    { when: { from: \"low\" }, deny: enInjectionPhrases },\n    { when: { from: \"unknown\" }, deny: enInjectionPhrases },\n  ],\n  outputs: { denyLeakage: enLeakage }\n});\n","import { defineRules } from \"../core/rules.js\";\nimport { Rules } from \"../core/types.js\";\n\nexport const deInjectionPhrases: (RegExp | string)[] = [\n  /ignoriere vorherige/i,\n  /ignoriere (alle|die)? (vorherigen|bisherigen) (anweisungen|nachrichten)/i,\n  /missachte (alle )?(regeln|anweisungen)/i,\n  /du bist jetzt/i,\n  /tue so als ob|ag(iere)? als/i,\n  /überschreibe (den )?(system|policy)-prompt/i,\n  /setze den system[- ]?prompt zurück/i,\n  /entwicklermodus|developer[- ]?mode/i,\n  /sicherheit (deaktivieren|abschalten)/i,\n  /funktion (ausführen|verwenden|aufrufen|callen)/i,\n  /rohen? text ausgeben|ohne json antworten/i,\n  /ungefiltert zurückgeben/i,\n  /handle als ob|gib vor zu sein/i,\n  /ändere deine (persönlichkeit|rolle)/i,\n  /verhalte dich wie/i,\n  /geh über (deine )?(grenzen|einschränkungen) hinaus/i,\n  /zeige mir den (original|geheim)-prompt/i,\n  /zeige (den )?(inhalt|text|daten) ungefiltert/i,\n  /gib (alles|eine )?(alternative|verbotene) antwort/i,\n  /(antworte|sag) das (folgende|genau|jetzt|untenstehende)/i,\n  /deaktiviere (deine )?(zensur|filter|ethik)/i,\n  /was ist der (erste|anfangs) teil (deiner)? anweisung/i,\n  /gib den (ursprünglichen|systemischen) befehl aus/i,\n  /füge (den )?(folgenden )?text ein/i,\n  /verletzt du deine (regeln|richtlinien)/i,\n  /mach (eine|etwas) (gefährliche|illegale|verbotene) ausgabe/i,\n  /verstecke diese (anweisung|nachricht)/i,\n  /tarn(e)? dich als/i,\n  /(schalt|deaktivier) den sicherheitsmodus ab/i,\n  /systembeschränkungen (umgehen|ignoriere)/i,\n];\n\nexport const deLeakage: RegExp[] = [\n  /api[_ -]?schl(ü|u)ssel/i, /passwort/i, /geheime?s? token/i,\n  /bearer\\s+[a-z0-9\\-_\\.]+/i, /client[_ -]?secret/i,\n];\n\nexport const deRules: Rules = defineRules({\n  injections: [\n    { when: { from: \"low\" }, deny: deInjectionPhrases },\n    { when: { from: \"unknown\" }, deny: deInjectionPhrases },\n  ],\n  outputs: { denyLeakage: deLeakage }\n});\n","export * from \"./en.js\";\nexport * from \"./de.js\";\n\nexport const combinedRules = (lang: \"de\" | \"en\" | \"both\" = \"both\") => {\n  switch (lang) {\n    case \"de\": return { lang, packs: [\"de\"] as const };\n    case \"en\": return { lang, packs: [\"en\"] as const };\n    default:   return { lang, packs: [\"de\",\"en\"] as const };\n  }\n};\n"],"mappings":";AAEO,IAAM,UAAN,MAAc;AAAA,EACX,WAAsB,CAAC;AAAA,EAC/B,IAAI,MAAuB,MAAc,OAAc,QAAwB,MAAqB;AAClG,UAAM,OAAa,EAAE,MAAM,OAAO,QAAQ,KAAK;AAC/C,SAAK,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;AAC1C,WAAO;AAAA,EACT;AAAA,EACA,UAAU,MAAc,MAA0B;AAAE,WAAO,KAAK,IAAI,UAAU,MAAM,MAAM,SAAS,QAAQ,QAAQ;AAAA,EAAG;AAAA,EACtH,QAAQ,MAAc,MAA0B;AAAE,WAAO,KAAK,IAAI,QAAQ,MAAM,MAAM,SAAS,OAAO,MAAM;AAAA,EAAG;AAAA,EAC/G,OAAO,MAAc,MAAsC;AAAE,WAAO,KAAK,IAAI,QAAQ,MAAM,MAAM,SAAS,WAAW,OAAO,MAAM,IAAI;AAAA,EAAG;AAAA,EACzI,OAAO;AAAE,WAAO,KAAK;AAAA,EAAU;AACjC;AACO,IAAM,UAAU,MAAM,IAAI,QAAQ;;;ACdzC,IAAM,MAA8B;AAAA,EAClC,UAAK;AAAA;AAAA,EACL,UAAK;AAAA;AAAA,EACL,UAAK;AAAA;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AAAA,EACL,UAAK;AACP;AACO,IAAM,iBAAiB,CAAC,MAAc,EAAE;AAAA,EAC7C;AAAA,EACA,CAAC,OAAO,IAAI,EAAE,KAAK;AACrB;;;ACfO,IAAM,YAAY,CAAC,MACxB;AAAA,EACE,EAAE,UAAU,MAAM,EAChB,QAAQ,WAAW,EAAE;AAAA;AACzB,EAAE,YAAY;;;ACHT,SAAS,eAAe,MAAY,OAAkC;AAC3E,QAAM,IAAI,UAAU,KAAK,IAAI;AAC7B,QAAM,aAAa,MAAM,OAAO,OAAK,EAAE,KAAK,SAAS,KAAK,KAAK;AAC/D,QAAM,SAAS,WAAW,QAAQ,OAAK,EAAE,KAAK,IAAI,OAAM,OAAO,MAAM,WAAW,IAAI,OAAO,GAAG,GAAG,IAAI,CAAE,CAAC;AACxG,SAAO,OAAO,OAAO,QAAM,GAAG,KAAK,CAAC,CAAC,EAAE,IAAI,QAAM,GAAG,SAAS,CAAC;AAChE;;;ACPO,IAAM,cAAc,CAAC,MAAa;;;ACCzC,IAAM,YAAY,CAAC,MAAY;AAC7B,MAAI,EAAE,UAAU,MAAO,QAAO,6BAA6B,EAAE,MAAM,KAAK,EAAE,IAAI;AAC9E,MAAI,EAAE,UAAU,UAAW,QAAO,iCAAiC,EAAE,MAAM,KAAK,EAAE,IAAI;AACtF,SAAO,EAAE;AACX;AAEO,SAAS,cAAc,UAAqB,MAA0D;AAC3G,QAAM,QAAkB,CAAC;AACzB,aAAW,KAAK,UAAU;AACxB,eAAW,KAAK,EAAE,OAAO;AACvB,YAAM,KAAK,MAAM,gBAAgB,UAAU,CAAC,IAAI,EAAE,IAAI;AAAA,IACxD;AAAA,EACF;AACA,QAAM,SAAS,MAAM,KAAK,MAAM;AAChC,QAAM,aAAa,SAAS,QAAQ,OAAK,EAAE,MAAM,IAAI,QAAM,EAAE,OAAO,EAAE,OAAO,QAAQ,EAAE,OAAO,EAAE,CAAC;AACjG,SAAO,EAAE,QAAQ,WAAW;AAC9B;;;ACfO,SAAS,UAAU,UAAqB,OAA2B;AACxE,QAAM,MAAM,MAAM,cAAc,CAAC;AACjC,QAAM,IAAiB,CAAC;AACxB,aAAW,KAAK,SAAU,YAAW,KAAK,EAAE,OAAO;AACjD,UAAM,OAAO,eAAe,GAAG,GAAG;AAClC,QAAI,KAAK,OAAQ,GAAE,KAAK,EAAE,MAAM,aAAa,SAAS,oBAAoB,KAAK,KAAK,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC;AAAA,EACxG;AACA,SAAO;AACT;AAKO,SAAS,YAAY,cAA0C;AACpE,QAAM,WAAW,aAAa,eAAe,CAAC;AAC9C,SAAO,CAAC,QAA8B;AACpC,QAAI,SAAS,KAAK,OAAK,EAAE,KAAK,GAAG,CAAC,EAAG,QAAO;AAC5C,QAAI,sEAAsE,KAAK,GAAG,EAAG,QAAO;AAC5F,WAAO;AAAA,EACT;AACF;;;AClBA,SAAS,iBAA0B;AACjC,MAAI;AACF,UAAM,YAAkB;AACxB,UAAM,MAAM,WAAW,SAAS,KAAK,SAAS,WAAW,SAAS;AAClE,WAAO,OAAO,QAAQ,YAAY,IAAI,SAAS,YAAY;AAAA,EAC7D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,UAAU,GAAe;AACvC,MAAI,eAAe,KAAK,OAAO,YAAY,eAAe,OAAO,QAAQ,UAAU,YAAY;AAC7F,YAAQ,MAAM,WAAW,EAAE,MAAM,EAAE,IAAI;AAAA,EACzC;AACF;;;ACjBO,SAAS,YACd,MACA,eACA,MACA;AACA,SAAO,OAAO,MAAa,QAAgE;AACzF,QAAI,IAAI,aAAa,MAAO,OAAM,IAAI,MAAM,kBAAkB,IAAI,EAAE;AACpE,QAAI,kBAAkB,aAAa,IAAI,aAAa,aAAa,IAAI,aAAa;AAChF,YAAM,IAAI,MAAM,2BAA2B,IAAI,EAAE;AACnD,WAAO,KAAK,IAAI;AAAA,EAClB;AACF;;;ACTA,eAAsB,kBAAkB,WAAyB,UAAkB,QAAgB,UAAqB,OAAc;AACpI,QAAM,aAAa,UAAU,UAAU,KAAK;AAC5C,MAAI,WAAW,OAAQ,OAAM,IAAI,MAAM,kBAAkB,KAAK,UAAU,UAAU,CAAC,EAAE;AACrF,QAAM,EAAE,OAAO,IAAI,cAAc,UAAU,EAAE,eAAe,KAAK,CAAC;AAElE,QAAM,MAAM,MAAM,UAAU,UAAU;AAAA,IACpC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oBAAoB,iBAAiB,UAAU,MAAM,GAAG;AAAA,IACnF,MAAM,KAAK,UAAU,EAAE,OAAO,SAAS,UAAU,CAAC,EAAE,MAAM,QAAQ,SAAS,OAAO,CAAC,EAAE,CAAC;AAAA,EACxF,CAAC;AACD,SAAO;AACT;;;ACZO,IAAM,qBAA0C;AAAA,EACrD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAAkB;AAAA,EAAa;AAAA,EAAa;AAAA,EAAkB;AAAA,EAC9D;AAAA,EAAoB;AAAA,EACpB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,YAAsB;AAAA,EACjC;AAAA,EAAiB;AAAA,EAAW;AAAA,EAAa;AAAA,EACzC;AAAA,EAAkB;AACpB;AAEO,IAAM,UAAiB,YAAY;AAAA,EACxC,YAAY;AAAA,IACV,EAAE,MAAM,EAAE,MAAM,MAAM,GAAG,MAAM,mBAAmB;AAAA,IAClD,EAAE,MAAM,EAAE,MAAM,UAAU,GAAG,MAAM,mBAAmB;AAAA,EACxD;AAAA,EACA,SAAS,EAAE,aAAa,UAAU;AACpC,CAAC;;;ACxCM,IAAM,qBAA0C;AAAA,EACrD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,YAAsB;AAAA,EACjC;AAAA,EAA2B;AAAA,EAAa;AAAA,EACxC;AAAA,EAA4B;AAC9B;AAEO,IAAM,UAAiB,YAAY;AAAA,EACxC,YAAY;AAAA,IACV,EAAE,MAAM,EAAE,MAAM,MAAM,GAAG,MAAM,mBAAmB;AAAA,IAClD,EAAE,MAAM,EAAE,MAAM,UAAU,GAAG,MAAM,mBAAmB;AAAA,EACxD;AAAA,EACA,SAAS,EAAE,aAAa,UAAU;AACpC,CAAC;;;AC5CM,IAAM,gBAAgB,CAAC,OAA6B,WAAW;AACpE,UAAQ,MAAM;AAAA,IACZ,KAAK;AAAM,aAAO,EAAE,MAAM,OAAO,CAAC,IAAI,EAAW;AAAA,IACjD,KAAK;AAAM,aAAO,EAAE,MAAM,OAAO,CAAC,IAAI,EAAW;AAAA,IACjD;AAAW,aAAO,EAAE,MAAM,OAAO,CAAC,MAAK,IAAI,EAAW;AAAA,EACxD;AACF;","names":[]}

package/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "taintguard",
+  "version": "0.1.3",
+  "description": "Span-based taint tracking for LLM prompts (TypeScript-first).",
+  "license": "MIT",
+  "author": "Maciej Rezler",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/rezlerski/taintguard.git"
+  },
+  "homepage": "https://github.com/rezlerski/taintguard",
+  "bugs": {
+    "url": "https://github.com/rezlerski/taintguard/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "engines": {
+    "node": ">=18"
+  },
+  "main": "dist/index.cjs",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "clean": "rimraf dist || rm -rf dist",
+    "build": "tsup src/index.ts --format esm,cjs --dts --sourcemap --clean --target es2022",
+    "test": "vitest run",
+    "prepublishOnly": "npm run clean && npm run build && npm run test"
+  },
+  "keywords": [
+    "llm",
+    "ai-security",
+    "prompt-injection",
+    "typescript",
+    "taint-tracking"
+  ],
+  "devDependencies": {
+    "@types/node": "^22.7.5",
+    "@vitest/coverage-v8": "2.1.9",
+    "fast-check": "^3.18.0",
+    "rimraf": "^6.0.1",
+    "tsup": "^8.0.1",
+    "typescript": "^5.6.3",
+    "vitest": "^2.0.5"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}