visus-mcp 0.2.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/settings.local.json +22 -0
- package/LINKEDIN-STRATEGY.md +367 -0
- package/README.md +491 -16
- package/ROADMAP.md +214 -34
- package/SECURITY-AUDIT-v1.md +277 -0
- package/STATUS.md +801 -42
- package/TROUBLESHOOT-AUTH-20260322-2019.md +291 -0
- package/TROUBLESHOOT-JEST-20260323-1357.md +139 -0
- package/TROUBLESHOOT-LAMBDA-20260322-1945.md +183 -0
- package/VISUS-CLAUDE-CODE-PROMPT.md +1 -1
- package/VISUS-PROJECT-PLAN.md +7 -0
- package/dist/browser/playwright-renderer.d.ts.map +1 -1
- package/dist/browser/playwright-renderer.js +7 -0
- package/dist/browser/playwright-renderer.js.map +1 -1
- package/dist/browser/reader.d.ts +31 -0
- package/dist/browser/reader.d.ts.map +1 -0
- package/dist/browser/reader.js +98 -0
- package/dist/browser/reader.js.map +1 -0
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +37 -5
- package/dist/index.js.map +1 -1
- package/dist/lambda-handler.d.ts +0 -6
- package/dist/lambda-handler.d.ts.map +1 -1
- package/dist/lambda-handler.js +97 -25
- package/dist/lambda-handler.js.map +1 -1
- package/dist/sanitizer/framework-mapper.d.ts +22 -0
- package/dist/sanitizer/framework-mapper.d.ts.map +1 -0
- package/dist/sanitizer/framework-mapper.js +296 -0
- package/dist/sanitizer/framework-mapper.js.map +1 -0
- package/dist/sanitizer/index.d.ts +10 -2
- package/dist/sanitizer/index.d.ts.map +1 -1
- package/dist/sanitizer/index.js +22 -6
- package/dist/sanitizer/index.js.map +1 -1
- package/dist/sanitizer/patterns.js +1 -1
- package/dist/sanitizer/patterns.js.map +1 -1
- package/dist/sanitizer/pii-allowlist.d.ts +49 -0
- package/dist/sanitizer/pii-allowlist.d.ts.map +1 -0
- package/dist/sanitizer/pii-allowlist.js +231 -0
- package/dist/sanitizer/pii-allowlist.js.map +1 -0
- package/dist/sanitizer/pii-redactor.d.ts +13 -1
- package/dist/sanitizer/pii-redactor.d.ts.map +1 -1
- package/dist/sanitizer/pii-redactor.js +26 -2
- package/dist/sanitizer/pii-redactor.js.map +1 -1
- package/dist/sanitizer/severity-classifier.d.ts +33 -0
- package/dist/sanitizer/severity-classifier.d.ts.map +1 -0
- package/dist/sanitizer/severity-classifier.js +113 -0
- package/dist/sanitizer/severity-classifier.js.map +1 -0
- package/dist/sanitizer/threat-reporter.d.ts +65 -0
- package/dist/sanitizer/threat-reporter.d.ts.map +1 -0
- package/dist/sanitizer/threat-reporter.js +160 -0
- package/dist/sanitizer/threat-reporter.js.map +1 -0
- package/dist/tools/fetch-structured.d.ts +5 -0
- package/dist/tools/fetch-structured.d.ts.map +1 -1
- package/dist/tools/fetch-structured.js +59 -8
- package/dist/tools/fetch-structured.js.map +1 -1
- package/dist/tools/fetch.d.ts +5 -0
- package/dist/tools/fetch.d.ts.map +1 -1
- package/dist/tools/fetch.js +43 -9
- package/dist/tools/fetch.js.map +1 -1
- package/dist/tools/read.d.ts +51 -0
- package/dist/tools/read.d.ts.map +1 -0
- package/dist/tools/read.js +127 -0
- package/dist/tools/read.js.map +1 -0
- package/dist/tools/search.d.ts +45 -0
- package/dist/tools/search.d.ts.map +1 -0
- package/dist/tools/search.js +220 -0
- package/dist/tools/search.js.map +1 -0
- package/dist/types.d.ts +74 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/utils/format-converter.d.ts +39 -0
- package/dist/utils/format-converter.d.ts.map +1 -0
- package/dist/utils/format-converter.js +191 -0
- package/dist/utils/format-converter.js.map +1 -0
- package/dist/utils/truncate.d.ts +26 -0
- package/dist/utils/truncate.d.ts.map +1 -0
- package/dist/utils/truncate.js +54 -0
- package/dist/utils/truncate.js.map +1 -0
- package/infrastructure/stack.ts +55 -6
- package/jest.config.js +3 -0
- package/package.json +9 -2
- package/src/browser/playwright-renderer.ts +8 -0
- package/src/browser/reader.ts +129 -0
- package/src/index.ts +49 -5
- package/src/lambda-handler.ts +131 -26
- package/src/sanitizer/framework-mapper.ts +347 -0
- package/src/sanitizer/index.ts +28 -6
- package/src/sanitizer/patterns.ts +1 -1
- package/src/sanitizer/pii-allowlist.ts +273 -0
- package/src/sanitizer/pii-redactor.ts +43 -2
- package/src/sanitizer/severity-classifier.ts +132 -0
- package/src/sanitizer/threat-reporter.ts +261 -0
- package/src/tools/fetch-structured.ts +63 -8
- package/src/tools/fetch.ts +45 -9
- package/src/tools/read.ts +143 -0
- package/src/tools/search.ts +263 -0
- package/src/types.ts +71 -0
- package/src/utils/format-converter.ts +236 -0
- package/src/utils/truncate.ts +64 -0
- package/tests/auth-smoke.test.ts +480 -0
- package/tests/fetch-tool.test.ts +595 -2
- package/tests/pii-allowlist.test.ts +282 -0
- package/tests/reader.test.ts +353 -0
- package/tests/sanitizer.test.ts +52 -0
- package/tests/search.test.ts +456 -0
- package/tests/threat-reporter.test.ts +266 -0
|
@@ -0,0 +1,231 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* PII Allowlist Configuration
|
|
3
|
+
*
|
|
4
|
+
* Defines trusted phone numbers that should NOT be redacted from web content.
|
|
5
|
+
* Primarily for verified health authority and government emergency numbers.
|
|
6
|
+
*
|
|
7
|
+
* CRITICAL: Only add numbers that are:
|
|
8
|
+
* 1. Publicly published institutional/government numbers
|
|
9
|
+
* 2. Verified health/safety authorities
|
|
10
|
+
* 3. Not personal contact information
|
|
11
|
+
*/
|
|
12
|
+
/**
|
|
13
|
+
* Normalize a phone number to digits-only format for comparison
|
|
14
|
+
*/
|
|
15
|
+
export function normalizePhoneNumber(phone) {
|
|
16
|
+
return phone.replace(/\D/g, '');
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Extract domain from URL (returns hostname without www.)
|
|
20
|
+
*/
|
|
21
|
+
export function extractDomain(url) {
|
|
22
|
+
try {
|
|
23
|
+
const parsedUrl = new URL(url);
|
|
24
|
+
return parsedUrl.hostname.replace(/^www\./, '').toLowerCase();
|
|
25
|
+
}
|
|
26
|
+
catch {
|
|
27
|
+
return '';
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Built-in allowlist of verified health authority and emergency numbers
|
|
32
|
+
*/
|
|
33
|
+
export const DEFAULT_ALLOWLIST = {
|
|
34
|
+
strictDomainMode: false, // Default: trust globally, not domain-scoped
|
|
35
|
+
trustedPhoneNumbers: [
|
|
36
|
+
// Emergency Services
|
|
37
|
+
{
|
|
38
|
+
name: 'Emergency Services (911)',
|
|
39
|
+
numbers: ['911'],
|
|
40
|
+
category: 'emergency'
|
|
41
|
+
},
|
|
42
|
+
// Poison Control
|
|
43
|
+
{
|
|
44
|
+
name: 'Poison Control Center',
|
|
45
|
+
numbers: [
|
|
46
|
+
'18002221222',
|
|
47
|
+
'8002221222',
|
|
48
|
+
'1-800-222-1222',
|
|
49
|
+
'800-222-1222'
|
|
50
|
+
],
|
|
51
|
+
trustedDomains: [
|
|
52
|
+
'medlineplus.gov',
|
|
53
|
+
'cdc.gov',
|
|
54
|
+
'fda.gov',
|
|
55
|
+
'aapcc.org',
|
|
56
|
+
'poison.org',
|
|
57
|
+
'nih.gov',
|
|
58
|
+
'nlm.nih.gov'
|
|
59
|
+
],
|
|
60
|
+
category: 'health_authority'
|
|
61
|
+
},
|
|
62
|
+
// FDA MedWatch (adverse event reporting)
|
|
63
|
+
{
|
|
64
|
+
name: 'FDA MedWatch',
|
|
65
|
+
numbers: [
|
|
66
|
+
'18003321088',
|
|
67
|
+
'8003321088',
|
|
68
|
+
'1-800-332-1088',
|
|
69
|
+
'800-332-1088'
|
|
70
|
+
],
|
|
71
|
+
trustedDomains: [
|
|
72
|
+
'fda.gov',
|
|
73
|
+
'medlineplus.gov',
|
|
74
|
+
'cdc.gov',
|
|
75
|
+
'nih.gov'
|
|
76
|
+
],
|
|
77
|
+
category: 'health_authority'
|
|
78
|
+
},
|
|
79
|
+
// CDC INFO
|
|
80
|
+
{
|
|
81
|
+
name: 'CDC INFO',
|
|
82
|
+
numbers: [
|
|
83
|
+
'18002324636',
|
|
84
|
+
'8002324636',
|
|
85
|
+
'1-800-232-4636',
|
|
86
|
+
'800-232-4636'
|
|
87
|
+
],
|
|
88
|
+
trustedDomains: [
|
|
89
|
+
'cdc.gov',
|
|
90
|
+
'medlineplus.gov',
|
|
91
|
+
'nih.gov'
|
|
92
|
+
],
|
|
93
|
+
category: 'health_authority'
|
|
94
|
+
},
|
|
95
|
+
// SAMHSA National Helpline (substance abuse/mental health)
|
|
96
|
+
{
|
|
97
|
+
name: 'SAMHSA National Helpline',
|
|
98
|
+
numbers: [
|
|
99
|
+
'18006624357',
|
|
100
|
+
'8006624357',
|
|
101
|
+
'1-800-662-4357',
|
|
102
|
+
'800-662-4357'
|
|
103
|
+
],
|
|
104
|
+
trustedDomains: [
|
|
105
|
+
'samhsa.gov',
|
|
106
|
+
'medlineplus.gov',
|
|
107
|
+
'cdc.gov',
|
|
108
|
+
'nih.gov'
|
|
109
|
+
],
|
|
110
|
+
category: 'helpline'
|
|
111
|
+
},
|
|
112
|
+
// National Suicide Prevention Lifeline
|
|
113
|
+
{
|
|
114
|
+
name: 'National Suicide Prevention Lifeline',
|
|
115
|
+
numbers: [
|
|
116
|
+
'18002738255',
|
|
117
|
+
'8002738255',
|
|
118
|
+
'1-800-273-8255',
|
|
119
|
+
'800-273-8255',
|
|
120
|
+
'988' // New 3-digit code
|
|
121
|
+
],
|
|
122
|
+
trustedDomains: [
|
|
123
|
+
'suicidepreventionlifeline.org',
|
|
124
|
+
'samhsa.gov',
|
|
125
|
+
'medlineplus.gov',
|
|
126
|
+
'cdc.gov',
|
|
127
|
+
'nih.gov'
|
|
128
|
+
],
|
|
129
|
+
category: 'helpline'
|
|
130
|
+
},
|
|
131
|
+
// National Domestic Violence Hotline
|
|
132
|
+
{
|
|
133
|
+
name: 'National Domestic Violence Hotline',
|
|
134
|
+
numbers: [
|
|
135
|
+
'18007997233',
|
|
136
|
+
'8007997233',
|
|
137
|
+
'1-800-799-7233',
|
|
138
|
+
'800-799-7233'
|
|
139
|
+
],
|
|
140
|
+
trustedDomains: [
|
|
141
|
+
'thehotline.org',
|
|
142
|
+
'cdc.gov',
|
|
143
|
+
'medlineplus.gov',
|
|
144
|
+
'nih.gov'
|
|
145
|
+
],
|
|
146
|
+
category: 'helpline'
|
|
147
|
+
},
|
|
148
|
+
// Medicare
|
|
149
|
+
{
|
|
150
|
+
name: 'Medicare',
|
|
151
|
+
numbers: [
|
|
152
|
+
'18006331795',
|
|
153
|
+
'8006331795',
|
|
154
|
+
'1-800-633-1795',
|
|
155
|
+
'800-633-1795'
|
|
156
|
+
],
|
|
157
|
+
trustedDomains: [
|
|
158
|
+
'medicare.gov',
|
|
159
|
+
'cms.gov',
|
|
160
|
+
'medlineplus.gov',
|
|
161
|
+
'nih.gov'
|
|
162
|
+
],
|
|
163
|
+
category: 'government'
|
|
164
|
+
},
|
|
165
|
+
// Veterans Crisis Line
|
|
166
|
+
{
|
|
167
|
+
name: 'Veterans Crisis Line',
|
|
168
|
+
numbers: [
|
|
169
|
+
'18002738255',
|
|
170
|
+
'8002738255',
|
|
171
|
+
'1-800-273-8255',
|
|
172
|
+
'800-273-8255'
|
|
173
|
+
],
|
|
174
|
+
trustedDomains: [
|
|
175
|
+
'va.gov',
|
|
176
|
+
'veteranscrisisline.net',
|
|
177
|
+
'medlineplus.gov',
|
|
178
|
+
'nih.gov'
|
|
179
|
+
],
|
|
180
|
+
category: 'helpline'
|
|
181
|
+
}
|
|
182
|
+
]
|
|
183
|
+
};
|
|
184
|
+
/**
|
|
185
|
+
* Check if a phone number should be allowlisted (not redacted)
|
|
186
|
+
*
|
|
187
|
+
* @param phoneNumber The phone number to check (in any format)
|
|
188
|
+
* @param sourceUrl Optional source URL for domain-scoped allowlisting
|
|
189
|
+
* @param config Optional custom config (defaults to DEFAULT_ALLOWLIST)
|
|
190
|
+
* @returns The trusted number entry if allowlisted, null otherwise
|
|
191
|
+
*/
|
|
192
|
+
export function isAllowlistedPhoneNumber(phoneNumber, sourceUrl, config = DEFAULT_ALLOWLIST) {
|
|
193
|
+
const normalized = normalizePhoneNumber(phoneNumber);
|
|
194
|
+
const sourceDomain = sourceUrl ? extractDomain(sourceUrl) : '';
|
|
195
|
+
for (const trustedEntry of config.trustedPhoneNumbers) {
|
|
196
|
+
// Check if any variant of this trusted number matches
|
|
197
|
+
const matchesNumber = trustedEntry.numbers.some(variant => {
|
|
198
|
+
const normalizedVariant = normalizePhoneNumber(variant);
|
|
199
|
+
return normalized === normalizedVariant;
|
|
200
|
+
});
|
|
201
|
+
if (!matchesNumber) {
|
|
202
|
+
continue; // Number doesn't match, check next entry
|
|
203
|
+
}
|
|
204
|
+
// Number matches - now check domain restrictions
|
|
205
|
+
const hasDomainRestrictions = trustedEntry.trustedDomains && trustedEntry.trustedDomains.length > 0;
|
|
206
|
+
if (!hasDomainRestrictions) {
|
|
207
|
+
// No domain restrictions - trust globally
|
|
208
|
+
return trustedEntry;
|
|
209
|
+
}
|
|
210
|
+
// Has domain restrictions
|
|
211
|
+
if (config.strictDomainMode && !sourceUrl) {
|
|
212
|
+
// Strict mode requires domain match, but no URL provided
|
|
213
|
+
continue;
|
|
214
|
+
}
|
|
215
|
+
if (sourceUrl && trustedEntry.trustedDomains) {
|
|
216
|
+
// Check if source domain matches any trusted domain
|
|
217
|
+
const isDomainTrusted = trustedEntry.trustedDomains.some(trustedDomain => {
|
|
218
|
+
return sourceDomain.endsWith(trustedDomain);
|
|
219
|
+
});
|
|
220
|
+
if (isDomainTrusted) {
|
|
221
|
+
return trustedEntry;
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
// In non-strict mode, trust the number even if domain doesn't match
|
|
225
|
+
if (!config.strictDomainMode) {
|
|
226
|
+
return trustedEntry;
|
|
227
|
+
}
|
|
228
|
+
}
|
|
229
|
+
return null; // No match found
|
|
230
|
+
}
|
|
231
|
+
//# sourceMappingURL=pii-allowlist.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pii-allowlist.js","sourceRoot":"","sources":["../../src/sanitizer/pii-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAoBH;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,OAAO,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAuB;IACnD,gBAAgB,EAAE,KAAK,EAAE,6CAA6C;IAEtE,mBAAmB,EAAE;QACnB,qBAAqB;QACrB;YACE,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,CAAC,KAAK,CAAC;YAChB,QAAQ,EAAE,WAAW;SACtB;QAED,iBAAiB;QACjB;YACE,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,iBAAiB;gBACjB,SAAS;gBACT,SAAS;gBACT,WAAW;gBACX,YAAY;gBACZ,SAAS;gBACT,aAAa;aACd;YACD,QAAQ,EAAE,kBAAkB;SAC7B;QAED,yCAAyC;QACzC;YACE,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,SAAS;gBACT,iBAAiB;gBACjB,SAAS;gBACT,SAAS;aACV;YACD,QAAQ,EAAE,kBAAkB;SAC7B;QAED,WAAW;QACX;YACE,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,SAAS;gBACT,iBAAiB;gBACjB,SAAS;aACV;YACD,QAAQ,EAAE,kBAAkB;SAC7B;QAED,2DAA2D;QAC3D;YACE,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,YAAY;gBACZ,iBAAiB;gBACjB,SAAS;gBACT,SAAS;aACV;YACD,QAAQ,EAAE,UAAU;SACrB;QAED,uCAAuC;QACvC;YACE,IAAI,EAAE,sCAAsC;YAC5C,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;gBACd,KAAK,CAAC,mBAAmB;aAC1B;YACD,cAAc,EAAE;gBACd,+BAA+B;gBAC/B,YAAY;gBACZ,iBAAiB;gBACjB,SAAS;gBACT,SAAS;aACV;YACD,QAAQ,EAAE,UAAU;SACrB;QAED,qCAAqC;QACrC;YACE,IAAI,EAAE,oCAAoC;YAC1C,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,gBAAgB;gBAChB,SAAS;gBACT,iBAAiB;gBACjB,SAAS;aACV;YACD,QAAQ,EAAE,UAAU;SACrB;QAED,WAAW;QACX;YACE,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,cAAc;gBACd,SAAS;gBACT,iBAAiB;gBACjB,SAAS;aACV;YACD,QAAQ,EAAE,YAAY;SACvB;QAED,uBAAuB;QACvB;YACE,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE;gBACP,aAAa;gBACb,YAAY;gBACZ,gBAAgB;gBAChB,cAAc;aACf;YACD,cAAc,EAAE;gBACd,QAAQ;gBACR,wBAAwB;gBACxB,iBAAiB;gBACjB,SAAS;aACV;YACD,QAAQ,EAAE,UAAU;SACrB;KACF;CACF,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CACtC,WAAmB,EACnB,SAAkB,EAClB,SAA6B,iBAAiB;IAE9C,MAAM,UAAU,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/D,KAAK,MAAM,YAAY,IAAI,MAAM,CAAC,mBAAmB,EAAE,CAAC;QACtD,sDAAsD;QACtD,MAAM,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACxD,OAAO,UAAU,KAAK,iBAAiB,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,SAAS,CAAC,yCAAyC;QACrD,CAAC;QAED,iDAAiD;QACjD,MAAM,qBAAqB,GAAG,YAAY,CAAC,cAAc,IAAI,YAAY,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QAEpG,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC3B,0CAA0C;YAC1C,OAAO,YAAY,CAAC;QACtB,CAAC;QAED,0BAA0B;QAC1B,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1C,yDAAyD;YACzD,SAAS;QACX,CAAC;QAED,IAAI,SAAS,IAAI,YAAY,CAAC,cAAc,EAAE,CAAC;YAC7C,oDAAoD;YACpD,MAAM,eAAe,GAAG,YAAY,CAAC,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE;gBACvE,OAAO,YAAY,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC9C,CAAC,CAAC,CAAC;YAEH,IAAI,eAAe,EAAE,CAAC;gBACpB,OAAO,YAAY,CAAC;YACtB,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC7B,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC,CAAC,iBAAiB;AAChC,CAAC"}
|
|
@@ -5,19 +5,31 @@
|
|
|
5
5
|
* to prevent leakage of sensitive data to the LLM.
|
|
6
6
|
*
|
|
7
7
|
* Redacts: emails, phone numbers, SSNs, credit cards, IP addresses
|
|
8
|
+
* Supports allowlisting of trusted institutional phone numbers (e.g., Poison Control)
|
|
8
9
|
*/
|
|
10
|
+
import { type PIIAllowlistConfig } from './pii-allowlist.js';
|
|
9
11
|
export interface PIIRedactionResult {
|
|
10
12
|
content: string;
|
|
11
13
|
pii_types_redacted: string[];
|
|
14
|
+
pii_allowlisted: Array<{
|
|
15
|
+
type: string;
|
|
16
|
+
value: string;
|
|
17
|
+
reason: string;
|
|
18
|
+
}>;
|
|
12
19
|
content_modified: boolean;
|
|
13
20
|
metadata: {
|
|
14
21
|
redaction_counts: Record<string, number>;
|
|
22
|
+
allowlist_counts: Record<string, number>;
|
|
15
23
|
};
|
|
16
24
|
}
|
|
17
25
|
/**
|
|
18
26
|
* Redact PII from content
|
|
27
|
+
*
|
|
28
|
+
* @param content Content to redact PII from
|
|
29
|
+
* @param sourceUrl Optional source URL for domain-scoped allowlisting
|
|
30
|
+
* @param allowlistConfig Optional custom allowlist config
|
|
19
31
|
*/
|
|
20
|
-
export declare function redactPII(content: string): PIIRedactionResult;
|
|
32
|
+
export declare function redactPII(content: string, sourceUrl?: string, allowlistConfig?: PIIAllowlistConfig): PIIRedactionResult;
|
|
21
33
|
/**
|
|
22
34
|
* Check if content contains any PII (without redacting)
|
|
23
35
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pii-redactor.d.ts","sourceRoot":"","sources":["../../src/sanitizer/pii-redactor.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"pii-redactor.d.ts","sourceRoot":"","sources":["../../src/sanitizer/pii-redactor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,oBAAoB,CAAC;AAE5B,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,eAAe,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxE,gBAAgB,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE;QACR,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAC;CACH;AAuID;;;;;;GAMG;AACH,wBAAgB,SAAS,CACvB,OAAO,EAAE,MAAM,EACf,SAAS,CAAC,EAAE,MAAM,EAClB,eAAe,GAAE,kBAAsC,GACtD,kBAAkB,CA2DpB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAYpD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAcxD"}
|
|
@@ -5,7 +5,9 @@
|
|
|
5
5
|
* to prevent leakage of sensitive data to the LLM.
|
|
6
6
|
*
|
|
7
7
|
* Redacts: emails, phone numbers, SSNs, credit cards, IP addresses
|
|
8
|
+
* Supports allowlisting of trusted institutional phone numbers (e.g., Poison Control)
|
|
8
9
|
*/
|
|
10
|
+
import { isAllowlistedPhoneNumber, DEFAULT_ALLOWLIST } from './pii-allowlist.js';
|
|
9
11
|
/**
|
|
10
12
|
* PII detection patterns with validators
|
|
11
13
|
*/
|
|
@@ -129,10 +131,16 @@ function luhnCheck(digits) {
|
|
|
129
131
|
}
|
|
130
132
|
/**
|
|
131
133
|
* Redact PII from content
|
|
134
|
+
*
|
|
135
|
+
* @param content Content to redact PII from
|
|
136
|
+
* @param sourceUrl Optional source URL for domain-scoped allowlisting
|
|
137
|
+
* @param allowlistConfig Optional custom allowlist config
|
|
132
138
|
*/
|
|
133
|
-
export function redactPII(content) {
|
|
139
|
+
export function redactPII(content, sourceUrl, allowlistConfig = DEFAULT_ALLOWLIST) {
|
|
134
140
|
const piiTypesRedacted = new Set();
|
|
135
141
|
const redactionCounts = {};
|
|
142
|
+
const allowlistCounts = {};
|
|
143
|
+
const piiAllowlisted = [];
|
|
136
144
|
let sanitizedContent = content;
|
|
137
145
|
for (const pattern of PII_PATTERNS) {
|
|
138
146
|
const matches = Array.from(sanitizedContent.matchAll(pattern.regex));
|
|
@@ -142,6 +150,20 @@ export function redactPII(content) {
|
|
|
142
150
|
if (pattern.validator && !pattern.validator(matchedText)) {
|
|
143
151
|
continue;
|
|
144
152
|
}
|
|
153
|
+
// Check allowlist for phone numbers
|
|
154
|
+
if (pattern.type === 'PHONE') {
|
|
155
|
+
const allowlistedEntry = isAllowlistedPhoneNumber(matchedText, sourceUrl, allowlistConfig);
|
|
156
|
+
if (allowlistedEntry) {
|
|
157
|
+
// This is a trusted number - DO NOT redact
|
|
158
|
+
piiAllowlisted.push({
|
|
159
|
+
type: pattern.type,
|
|
160
|
+
value: matchedText,
|
|
161
|
+
reason: `Trusted ${allowlistedEntry.category}: ${allowlistedEntry.name}`
|
|
162
|
+
});
|
|
163
|
+
allowlistCounts[pattern.name] = (allowlistCounts[pattern.name] || 0) + 1;
|
|
164
|
+
continue; // Skip redaction
|
|
165
|
+
}
|
|
166
|
+
}
|
|
145
167
|
// Redact the PII
|
|
146
168
|
sanitizedContent = sanitizedContent.replace(matchedText, `[REDACTED:${pattern.type}]`);
|
|
147
169
|
piiTypesRedacted.add(pattern.name);
|
|
@@ -151,9 +173,11 @@ export function redactPII(content) {
|
|
|
151
173
|
return {
|
|
152
174
|
content: sanitizedContent,
|
|
153
175
|
pii_types_redacted: Array.from(piiTypesRedacted),
|
|
176
|
+
pii_allowlisted: piiAllowlisted,
|
|
154
177
|
content_modified: sanitizedContent !== content,
|
|
155
178
|
metadata: {
|
|
156
|
-
redaction_counts: redactionCounts
|
|
179
|
+
redaction_counts: redactionCounts,
|
|
180
|
+
allowlist_counts: allowlistCounts
|
|
157
181
|
}
|
|
158
182
|
};
|
|
159
183
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pii-redactor.js","sourceRoot":"","sources":["../../src/sanitizer/pii-redactor.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"pii-redactor.js","sourceRoot":"","sources":["../../src/sanitizer/pii-redactor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,wBAAwB,EAExB,iBAAiB,EAClB,MAAM,oBAAoB,CAAC;AAoB5B;;GAEG;AACH,MAAM,YAAY,GAAiB;IACjC,kBAAkB;IAClB;QACE,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,sDAAsD;QAC7D,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,yBAAyB;YACzB,OAAO,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;KACF;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,0DAA0D;QACjE,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,qCAAqC;YACrC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,OAAO,MAAM,CAAC,MAAM,IAAI,EAAE,IAAI,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACpD,CAAC;KACF;IAED,6BAA6B;IAC7B;QACE,IAAI,EAAE,KAAK;QACX,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,kCAAkC;QACzC,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,oCAAoC;YACpC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACtC,8BAA8B;YAC9B,IAAI,MAAM,KAAK,WAAW;gBAAE,OAAO,KAAK,CAAC;YACzC,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;KACF;IAED,8DAA8D;IAC9D,iEAAiE;IACjE;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,yFAAyF;QAChG,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACxC,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;gBAAE,OAAO,KAAK,CAAC;YAC3D,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;KACF;IAED,iBAAiB;IACjB;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,gGAAgG;QACvG,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,uDAAuD;YACvD,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC5C,IAAI,KAAK,CAAC,UAAU,CAAC,aAAa,CAAC;gBAAE,OAAO,KAAK,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;KACF;IAED,sCAAsC;IACtC;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,+CAA+C;QACtD,SAAS,EAAE,GAAG,EAAE,CAAC,IAAI;KACtB;IAED,sBAAsB;IACtB;QACE,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,wBAAwB;QAC/B,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,yCAAyC;YACzC,OAAO,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;KACF;IAED,+DAA+D;IAC/D;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,wBAAwB;QAC/B,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,mDAAmD;YACnD,OAAO,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,SAAS,CAAC,MAAc;IAC/B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEvC,IAAI,SAAS,EAAE,CAAC;YACd,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACV,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACZ,CAAC;QACH,CAAC;QAED,GAAG,IAAI,CAAC,CAAC;QACT,SAAS,GAAG,CAAC,SAAS,CAAC;IACzB,CAAC;IAED,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CACvB,OAAe,EACf,SAAkB,EAClB,kBAAsC,iBAAiB;IAEvD,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC3C,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,MAAM,cAAc,GAA2D,EAAE,CAAC;IAClF,IAAI,gBAAgB,GAAG,OAAO,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAErE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAE7B,6BAA6B;YAC7B,IAAI,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;gBACzD,SAAS;YACX,CAAC;YAED,oCAAoC;YACpC,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC7B,MAAM,gBAAgB,GAAG,wBAAwB,CAC/C,WAAW,EACX,SAAS,EACT,eAAe,CAChB,CAAC;gBAEF,IAAI,gBAAgB,EAAE,CAAC;oBACrB,2CAA2C;oBAC3C,cAAc,CAAC,IAAI,CAAC;wBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,KAAK,EAAE,WAAW;wBAClB,MAAM,EAAE,WAAW,gBAAgB,CAAC,QAAQ,KAAK,gBAAgB,CAAC,IAAI,EAAE;qBACzE,CAAC,CAAC;oBACH,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;oBACzE,SAAS,CAAC,iBAAiB;gBAC7B,CAAC;YACH,CAAC;YAED,iBAAiB;YACjB,gBAAgB,GAAG,gBAAgB,CAAC,OAAO,CACzC,WAAW,EACX,aAAa,OAAO,CAAC,IAAI,GAAG,CAC7B,CAAC;YAEF,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACnC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,kBAAkB,EAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC;QAChD,eAAe,EAAE,cAAc;QAC/B,gBAAgB,EAAE,gBAAgB,KAAK,OAAO;QAC9C,QAAQ,EAAE;YACR,gBAAgB,EAAE,eAAe;YACjC,gBAAgB,EAAE,eAAe;SAClC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAE5D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAE5D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtD,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Severity Classification Engine
|
|
3
|
+
*
|
|
4
|
+
* Maps injection pattern categories to standardized severity levels.
|
|
5
|
+
* Used for threat reporting and compliance documentation.
|
|
6
|
+
*/
|
|
7
|
+
export type Severity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
|
|
8
|
+
export type OverallSeverity = Severity | 'CLEAN';
|
|
9
|
+
/**
|
|
10
|
+
* Classify severity for a single pattern category
|
|
11
|
+
*/
|
|
12
|
+
export declare function classifySeverity(patternCategory: string): Severity;
|
|
13
|
+
/**
|
|
14
|
+
* Interface for a threat finding
|
|
15
|
+
*/
|
|
16
|
+
export interface Finding {
|
|
17
|
+
pattern_category: string;
|
|
18
|
+
severity: Severity;
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Aggregate severity across multiple findings
|
|
22
|
+
* Returns the highest severity level found, or CLEAN if no findings
|
|
23
|
+
*/
|
|
24
|
+
export declare function aggregateSeverity(findings: Finding[]): OverallSeverity;
|
|
25
|
+
/**
|
|
26
|
+
* Count findings by severity level
|
|
27
|
+
*/
|
|
28
|
+
export declare function countBySeverity(findings: Finding[]): Record<Severity, number>;
|
|
29
|
+
/**
|
|
30
|
+
* Get emoji for severity level (for Markdown reports)
|
|
31
|
+
*/
|
|
32
|
+
export declare function getSeverityEmoji(severity: Severity | OverallSeverity): string;
|
|
33
|
+
//# sourceMappingURL=severity-classifier.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"severity-classifier.d.ts","sourceRoot":"","sources":["../../src/sanitizer/severity-classifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAC9D,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,OAAO,CAAC;AA2DjD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,MAAM,GAAG,QAAQ,CAElE;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,eAAe,CAatE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAa7E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,eAAe,GAAG,MAAM,CAS7E"}
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Severity Classification Engine
|
|
3
|
+
*
|
|
4
|
+
* Maps injection pattern categories to standardized severity levels.
|
|
5
|
+
* Used for threat reporting and compliance documentation.
|
|
6
|
+
*/
|
|
7
|
+
/**
|
|
8
|
+
* Pattern category to severity mapping
|
|
9
|
+
* Aligned with NIST AI 600-1 and OWASP LLM Top 10 risk levels
|
|
10
|
+
*/
|
|
11
|
+
const SEVERITY_MAP = {
|
|
12
|
+
// CRITICAL - Immediate threat, block-level
|
|
13
|
+
direct_instruction_injection: 'CRITICAL',
|
|
14
|
+
role_hijacking: 'CRITICAL',
|
|
15
|
+
system_prompt_extraction: 'CRITICAL',
|
|
16
|
+
privilege_escalation: 'CRITICAL',
|
|
17
|
+
data_exfiltration: 'CRITICAL',
|
|
18
|
+
code_execution_requests: 'CRITICAL',
|
|
19
|
+
memory_manipulation: 'CRITICAL',
|
|
20
|
+
jailbreak_keywords: 'CRITICAL',
|
|
21
|
+
ethical_override: 'CRITICAL',
|
|
22
|
+
credential_harvesting: 'CRITICAL',
|
|
23
|
+
html_script_injection: 'CRITICAL',
|
|
24
|
+
// HIGH - Significant threat
|
|
25
|
+
context_poisoning: 'HIGH',
|
|
26
|
+
base64_obfuscation: 'HIGH',
|
|
27
|
+
zero_width_characters: 'HIGH',
|
|
28
|
+
data_uri_injection: 'HIGH',
|
|
29
|
+
markdown_link_injection: 'HIGH',
|
|
30
|
+
instruction_delimiter_injection: 'HIGH',
|
|
31
|
+
token_smuggling: 'HIGH',
|
|
32
|
+
system_message_injection: 'HIGH',
|
|
33
|
+
file_system_access: 'HIGH',
|
|
34
|
+
training_data_extraction: 'HIGH',
|
|
35
|
+
nested_encoding: 'HIGH',
|
|
36
|
+
authority_impersonation: 'HIGH',
|
|
37
|
+
callback_url_injection: 'HIGH',
|
|
38
|
+
// MEDIUM - Moderate threat
|
|
39
|
+
comment_injection: 'MEDIUM',
|
|
40
|
+
unicode_lookalikes: 'MEDIUM',
|
|
41
|
+
url_fragment_hashjack: 'MEDIUM',
|
|
42
|
+
social_engineering_urgency: 'MEDIUM',
|
|
43
|
+
multi_language_obfuscation: 'MEDIUM',
|
|
44
|
+
reverse_text_obfuscation: 'MEDIUM',
|
|
45
|
+
conversation_reset: 'MEDIUM',
|
|
46
|
+
chain_of_thought_manipulation: 'MEDIUM',
|
|
47
|
+
hypothetical_scenario_injection: 'MEDIUM',
|
|
48
|
+
output_format_manipulation: 'MEDIUM',
|
|
49
|
+
simulator_mode: 'MEDIUM',
|
|
50
|
+
payload_splitting: 'MEDIUM',
|
|
51
|
+
css_hiding: 'MEDIUM',
|
|
52
|
+
testing_debugging_claims: 'MEDIUM',
|
|
53
|
+
// LOW - Low threat, flagged for awareness
|
|
54
|
+
leetspeak_obfuscation: 'LOW',
|
|
55
|
+
capability_probing: 'LOW',
|
|
56
|
+
negative_instruction: 'LOW',
|
|
57
|
+
time_based_triggers: 'LOW',
|
|
58
|
+
whitespace_steganography: 'LOW'
|
|
59
|
+
};
|
|
60
|
+
/**
|
|
61
|
+
* Classify severity for a single pattern category
|
|
62
|
+
*/
|
|
63
|
+
export function classifySeverity(patternCategory) {
|
|
64
|
+
return SEVERITY_MAP[patternCategory] || 'LOW';
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Aggregate severity across multiple findings
|
|
68
|
+
* Returns the highest severity level found, or CLEAN if no findings
|
|
69
|
+
*/
|
|
70
|
+
export function aggregateSeverity(findings) {
|
|
71
|
+
if (findings.length === 0) {
|
|
72
|
+
return 'CLEAN';
|
|
73
|
+
}
|
|
74
|
+
const severities = findings.map(f => f.severity);
|
|
75
|
+
if (severities.includes('CRITICAL'))
|
|
76
|
+
return 'CRITICAL';
|
|
77
|
+
if (severities.includes('HIGH'))
|
|
78
|
+
return 'HIGH';
|
|
79
|
+
if (severities.includes('MEDIUM'))
|
|
80
|
+
return 'MEDIUM';
|
|
81
|
+
if (severities.includes('LOW'))
|
|
82
|
+
return 'LOW';
|
|
83
|
+
return 'CLEAN';
|
|
84
|
+
}
|
|
85
|
+
/**
|
|
86
|
+
* Count findings by severity level
|
|
87
|
+
*/
|
|
88
|
+
export function countBySeverity(findings) {
|
|
89
|
+
const counts = {
|
|
90
|
+
CRITICAL: 0,
|
|
91
|
+
HIGH: 0,
|
|
92
|
+
MEDIUM: 0,
|
|
93
|
+
LOW: 0
|
|
94
|
+
};
|
|
95
|
+
for (const finding of findings) {
|
|
96
|
+
counts[finding.severity]++;
|
|
97
|
+
}
|
|
98
|
+
return counts;
|
|
99
|
+
}
|
|
100
|
+
/**
|
|
101
|
+
* Get emoji for severity level (for Markdown reports)
|
|
102
|
+
*/
|
|
103
|
+
export function getSeverityEmoji(severity) {
|
|
104
|
+
switch (severity) {
|
|
105
|
+
case 'CRITICAL': return '🔴';
|
|
106
|
+
case 'HIGH': return '🟠';
|
|
107
|
+
case 'MEDIUM': return '🟡';
|
|
108
|
+
case 'LOW': return '🟢';
|
|
109
|
+
case 'CLEAN': return '✅';
|
|
110
|
+
default: return '⚪';
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
//# sourceMappingURL=severity-classifier.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"severity-classifier.js","sourceRoot":"","sources":["../../src/sanitizer/severity-classifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH;;;GAGG;AACH,MAAM,YAAY,GAA6B;IAC7C,2CAA2C;IAC3C,4BAA4B,EAAE,UAAU;IACxC,cAAc,EAAE,UAAU;IAC1B,wBAAwB,EAAE,UAAU;IACpC,oBAAoB,EAAE,UAAU;IAChC,iBAAiB,EAAE,UAAU;IAC7B,uBAAuB,EAAE,UAAU;IACnC,mBAAmB,EAAE,UAAU;IAC/B,kBAAkB,EAAE,UAAU;IAC9B,gBAAgB,EAAE,UAAU;IAC5B,qBAAqB,EAAE,UAAU;IACjC,qBAAqB,EAAE,UAAU;IAEjC,4BAA4B;IAC5B,iBAAiB,EAAE,MAAM;IACzB,kBAAkB,EAAE,MAAM;IAC1B,qBAAqB,EAAE,MAAM;IAC7B,kBAAkB,EAAE,MAAM;IAC1B,uBAAuB,EAAE,MAAM;IAC/B,+BAA+B,EAAE,MAAM;IACvC,eAAe,EAAE,MAAM;IACvB,wBAAwB,EAAE,MAAM;IAChC,kBAAkB,EAAE,MAAM;IAC1B,wBAAwB,EAAE,MAAM;IAChC,eAAe,EAAE,MAAM;IACvB,uBAAuB,EAAE,MAAM;IAC/B,sBAAsB,EAAE,MAAM;IAE9B,2BAA2B;IAC3B,iBAAiB,EAAE,QAAQ;IAC3B,kBAAkB,EAAE,QAAQ;IAC5B,qBAAqB,EAAE,QAAQ;IAC/B,0BAA0B,EAAE,QAAQ;IACpC,0BAA0B,EAAE,QAAQ;IACpC,wBAAwB,EAAE,QAAQ;IAClC,kBAAkB,EAAE,QAAQ;IAC5B,6BAA6B,EAAE,QAAQ;IACvC,+BAA+B,EAAE,QAAQ;IACzC,0BAA0B,EAAE,QAAQ;IACpC,cAAc,EAAE,QAAQ;IACxB,iBAAiB,EAAE,QAAQ;IAC3B,UAAU,EAAE,QAAQ;IACpB,wBAAwB,EAAE,QAAQ;IAElC,0CAA0C;IAC1C,qBAAqB,EAAE,KAAK;IAC5B,kBAAkB,EAAE,KAAK;IACzB,oBAAoB,EAAE,KAAK;IAC3B,mBAAmB,EAAE,KAAK;IAC1B,wBAAwB,EAAE,KAAK;CAChC,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,eAAuB;IACtD,OAAO,YAAY,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC;AAChD,CAAC;AAUD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAmB;IACnD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEjD,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IACvD,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAC/C,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IACnD,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAmB;IACjD,MAAM,MAAM,GAA6B;QACvC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;KACP,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAoC;IACnE,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC,CAAC,OAAO,IAAI,CAAC;QAC7B,KAAK,MAAM,CAAC,CAAC,OAAO,IAAI,CAAC;QACzB,KAAK,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC;QAC3B,KAAK,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC;QACxB,KAAK,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;QACzB,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;IACtB,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Threat Reporter
|
|
3
|
+
*
|
|
4
|
+
* Generates structured threat reports when prompt injection or PII is detected.
|
|
5
|
+
* Two output layers:
|
|
6
|
+
* 1. TOON-formatted findings array (token-efficient, machine-readable)
|
|
7
|
+
* 2. Markdown compliance report block (human-readable, renders in Claude Desktop)
|
|
8
|
+
*
|
|
9
|
+
* Aligned with:
|
|
10
|
+
* - OWASP LLM Top 10 (2025)
|
|
11
|
+
* - NIST AI 600-1 (Generative AI Profile)
|
|
12
|
+
* - MITRE ATLAS (Adversarial Threat Landscape)
|
|
13
|
+
*/
|
|
14
|
+
import { type Severity, type OverallSeverity } from './severity-classifier.js';
|
|
15
|
+
/**
|
|
16
|
+
* Threat finding with compliance framework mappings
|
|
17
|
+
*/
|
|
18
|
+
export interface ThreatFinding {
|
|
19
|
+
id: number;
|
|
20
|
+
pattern_id: string;
|
|
21
|
+
category: string;
|
|
22
|
+
severity: Severity;
|
|
23
|
+
confidence: number;
|
|
24
|
+
owasp_llm: string;
|
|
25
|
+
nist_ai_600_1: string;
|
|
26
|
+
mitre_atlas: string;
|
|
27
|
+
remediation: string;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Threat report structure
|
|
31
|
+
*/
|
|
32
|
+
export interface ThreatReport {
|
|
33
|
+
generated: string;
|
|
34
|
+
source_url: string;
|
|
35
|
+
overall_severity: OverallSeverity;
|
|
36
|
+
total_findings: number;
|
|
37
|
+
by_severity: Record<Severity, number>;
|
|
38
|
+
pii_redacted: number;
|
|
39
|
+
sanitization_applied: boolean;
|
|
40
|
+
frameworks: string[];
|
|
41
|
+
findings_toon: string;
|
|
42
|
+
report_markdown: string;
|
|
43
|
+
}
|
|
44
|
+
/**
|
|
45
|
+
* Input to threat reporter
|
|
46
|
+
*/
|
|
47
|
+
export interface ThreatReportInput {
|
|
48
|
+
patterns_detected: string[];
|
|
49
|
+
pii_redacted: number;
|
|
50
|
+
source_url: string;
|
|
51
|
+
timestamp?: string;
|
|
52
|
+
detections_by_severity?: {
|
|
53
|
+
critical: number;
|
|
54
|
+
high: number;
|
|
55
|
+
medium: number;
|
|
56
|
+
low: number;
|
|
57
|
+
};
|
|
58
|
+
}
|
|
59
|
+
/**
|
|
60
|
+
* Generate threat report (main entry point)
|
|
61
|
+
*
|
|
62
|
+
* Returns null if no findings (injections_removed === 0 AND pii_redacted === 0)
|
|
63
|
+
*/
|
|
64
|
+
export declare function generateThreatReport(input: ThreatReportInput): ThreatReport | null;
|
|
65
|
+
//# sourceMappingURL=threat-reporter.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"threat-reporter.d.ts","sourceRoot":"","sources":["../../src/sanitizer/threat-reporter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAKL,KAAK,QAAQ,EACb,KAAK,eAAe,EAErB,MAAM,0BAA0B,CAAC;AAGlC;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;IAClC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB,CAAC,EAAE;QACvB,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAoID;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,iBAAiB,GAAG,YAAY,GAAG,IAAI,CAqDlF"}
|