visus-mcp 0.6.2 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (203)
  1. package/.claude/settings.local.json +15 -1
  2. package/.env.status +7 -0
  3. package/CHANGELOG.md +110 -0
  4. package/CLAUDE.md +3 -0
  5. package/README.md +29 -19
  6. package/SECURITY.md +2 -0
  7. package/STATUS.md +320 -12
  8. package/dist/browser/playwright-renderer.d.ts.map +1 -1
  9. package/dist/browser/playwright-renderer.js +27 -5
  10. package/dist/browser/playwright-renderer.js.map +1 -1
  11. package/dist/content-handlers/index.d.ts +36 -0
  12. package/dist/content-handlers/index.d.ts.map +1 -0
  13. package/dist/content-handlers/index.js +59 -0
  14. package/dist/content-handlers/index.js.map +1 -0
  15. package/dist/content-handlers/json-handler.d.ts +28 -0
  16. package/dist/content-handlers/json-handler.d.ts.map +1 -0
  17. package/dist/content-handlers/json-handler.js +116 -0
  18. package/dist/content-handlers/json-handler.js.map +1 -0
  19. package/dist/content-handlers/pdf-handler.d.ts +29 -0
  20. package/dist/content-handlers/pdf-handler.d.ts.map +1 -0
  21. package/dist/content-handlers/pdf-handler.js +77 -0
  22. package/dist/content-handlers/pdf-handler.js.map +1 -0
  23. package/dist/content-handlers/svg-handler.d.ts +35 -0
  24. package/dist/content-handlers/svg-handler.d.ts.map +1 -0
  25. package/dist/content-handlers/svg-handler.js +206 -0
  26. package/dist/content-handlers/svg-handler.js.map +1 -0
  27. package/dist/content-handlers/types.d.ts +42 -0
  28. package/dist/content-handlers/types.d.ts.map +1 -0
  29. package/dist/content-handlers/types.js +7 -0
  30. package/dist/content-handlers/types.js.map +1 -0
  31. package/dist/sanitizer/framework-mapper.d.ts +4 -0
  32. package/dist/sanitizer/framework-mapper.d.ts.map +1 -1
  33. package/dist/sanitizer/framework-mapper.js +92 -0
  34. package/dist/sanitizer/framework-mapper.js.map +1 -1
  35. package/dist/sanitizer/threat-reporter.d.ts +5 -0
  36. package/dist/sanitizer/threat-reporter.d.ts.map +1 -1
  37. package/dist/sanitizer/threat-reporter.js +15 -6
  38. package/dist/sanitizer/threat-reporter.js.map +1 -1
  39. package/dist/tools/fetch-structured.d.ts.map +1 -1
  40. package/dist/tools/fetch-structured.js +4 -0
  41. package/dist/tools/fetch-structured.js.map +1 -1
  42. package/dist/tools/fetch.d.ts.map +1 -1
  43. package/dist/tools/fetch.js +68 -4
  44. package/dist/tools/fetch.js.map +1 -1
  45. package/dist/tools/read.d.ts.map +1 -1
  46. package/dist/tools/read.js +4 -0
  47. package/dist/tools/read.js.map +1 -1
  48. package/dist/types.d.ts +9 -1
  49. package/dist/types.d.ts.map +1 -1
  50. package/dist/types.js.map +1 -1
  51. package/package.json +2 -1
  52. package/server.json +25 -14
  53. package/src/browser/playwright-renderer.ts +29 -6
  54. package/src/content-handlers/index.ts +72 -0
  55. package/src/content-handlers/json-handler.ts +137 -0
  56. package/src/content-handlers/pdf-handler.ts +91 -0
  57. package/src/content-handlers/svg-handler.ts +243 -0
  58. package/src/content-handlers/types.ts +44 -0
  59. package/src/sanitizer/framework-mapper.ts +94 -0
  60. package/src/sanitizer/threat-reporter.ts +17 -6
  61. package/src/tools/fetch-structured.ts +5 -0
  62. package/src/tools/fetch.ts +76 -4
  63. package/src/tools/read.ts +5 -0
  64. package/src/types.ts +9 -1
  65. package/.github/ISSUE_TEMPLATE/bug_report.md +0 -47
  66. package/.github/ISSUE_TEMPLATE/false_positive.md +0 -43
  67. package/.github/ISSUE_TEMPLATE/new_pattern.md +0 -49
  68. package/.github/ISSUE_TEMPLATE/security_report.md +0 -31
  69. package/.github/PULL_REQUEST_TEMPLATE.md +0 -39
  70. package/.mcpregistry_github_token +0 -1
  71. package/.mcpregistry_registry_token +0 -1
  72. package/CONTRIBUTING.md +0 -329
  73. package/LINKEDIN-STRATEGY.md +0 -367
  74. package/ROADMAP.md +0 -221
  75. package/SECURITY-AUDIT-v1.md +0 -277
  76. package/SUBMISSION.md +0 -66
  77. package/TROUBLESHOOT-AUTH-20260322-2019.md +0 -291
  78. package/TROUBLESHOOT-BUILD-20260319-1450.md +0 -546
  79. package/TROUBLESHOOT-COGNITO-AUTH-20260324-2029.md +0 -415
  80. package/TROUBLESHOOT-COGNITO-JWT-20260324.md +0 -592
  81. package/TROUBLESHOOT-FETCH-20260320-1150.md +0 -168
  82. package/TROUBLESHOOT-JEST-20260323-1357.md +0 -139
  83. package/TROUBLESHOOT-LAMBDA-20260322-1945.md +0 -183
  84. package/TROUBLESHOOT-PLAYWRIGHT-20260321-1549.md +0 -217
  85. package/TROUBLESHOOT-SSL-20260320-1138.md +0 -171
  86. package/TROUBLESHOOT-STRUCTURED-20260320-1200.md +0 -246
  87. package/TROUBLESHOOT-TEST-20260320-0942.md +0 -281
  88. package/VISUS-CLAUDE-CODE-PROMPT.md +0 -324
  89. package/VISUS-PROJECT-PLAN.md +0 -205
  90. package/cdk.json +0 -73
  91. package/infrastructure/app.ts +0 -39
  92. package/infrastructure/stack.ts +0 -298
  93. package/jest.config.js +0 -33
  94. package/jest.setup.js +0 -9
  95. package/lambda-deploy/index.js +0 -81512
  96. package/lambda-deploy/index.js.map +0 -7
  97. package/lambda-package/browser/__mocks__/playwright-renderer.d.ts +0 -25
  98. package/lambda-package/browser/__mocks__/playwright-renderer.d.ts.map +0 -1
  99. package/lambda-package/browser/__mocks__/playwright-renderer.js +0 -119
  100. package/lambda-package/browser/__mocks__/playwright-renderer.js.map +0 -1
  101. package/lambda-package/browser/playwright-renderer.d.ts +0 -40
  102. package/lambda-package/browser/playwright-renderer.d.ts.map +0 -1
  103. package/lambda-package/browser/playwright-renderer.js +0 -214
  104. package/lambda-package/browser/playwright-renderer.js.map +0 -1
  105. package/lambda-package/browser/reader.d.ts +0 -31
  106. package/lambda-package/browser/reader.d.ts.map +0 -1
  107. package/lambda-package/browser/reader.js +0 -98
  108. package/lambda-package/browser/reader.js.map +0 -1
  109. package/lambda-package/index.d.ts +0 -18
  110. package/lambda-package/index.d.ts.map +0 -1
  111. package/lambda-package/index.js +0 -238
  112. package/lambda-package/index.js.map +0 -1
  113. package/lambda-package/lambda-handler.d.ts +0 -28
  114. package/lambda-package/lambda-handler.d.ts.map +0 -1
  115. package/lambda-package/lambda-handler.js +0 -257
  116. package/lambda-package/lambda-handler.js.map +0 -1
  117. package/lambda-package/package-lock.json +0 -7435
  118. package/lambda-package/package.json +0 -74
  119. package/lambda-package/runtime.d.ts +0 -50
  120. package/lambda-package/runtime.d.ts.map +0 -1
  121. package/lambda-package/runtime.js +0 -86
  122. package/lambda-package/runtime.js.map +0 -1
  123. package/lambda-package/sanitizer/elicit-runner.d.ts +0 -48
  124. package/lambda-package/sanitizer/elicit-runner.d.ts.map +0 -1
  125. package/lambda-package/sanitizer/elicit-runner.js +0 -100
  126. package/lambda-package/sanitizer/elicit-runner.js.map +0 -1
  127. package/lambda-package/sanitizer/framework-mapper.d.ts +0 -24
  128. package/lambda-package/sanitizer/framework-mapper.d.ts.map +0 -1
  129. package/lambda-package/sanitizer/framework-mapper.js +0 -342
  130. package/lambda-package/sanitizer/framework-mapper.js.map +0 -1
  131. package/lambda-package/sanitizer/hitl-gate.d.ts +0 -69
  132. package/lambda-package/sanitizer/hitl-gate.d.ts.map +0 -1
  133. package/lambda-package/sanitizer/hitl-gate.js +0 -101
  134. package/lambda-package/sanitizer/hitl-gate.js.map +0 -1
  135. package/lambda-package/sanitizer/index.d.ts +0 -63
  136. package/lambda-package/sanitizer/index.d.ts.map +0 -1
  137. package/lambda-package/sanitizer/index.js +0 -105
  138. package/lambda-package/sanitizer/index.js.map +0 -1
  139. package/lambda-package/sanitizer/injection-detector.d.ts +0 -34
  140. package/lambda-package/sanitizer/injection-detector.d.ts.map +0 -1
  141. package/lambda-package/sanitizer/injection-detector.js +0 -89
  142. package/lambda-package/sanitizer/injection-detector.js.map +0 -1
  143. package/lambda-package/sanitizer/patterns.d.ts +0 -30
  144. package/lambda-package/sanitizer/patterns.d.ts.map +0 -1
  145. package/lambda-package/sanitizer/patterns.js +0 -372
  146. package/lambda-package/sanitizer/patterns.js.map +0 -1
  147. package/lambda-package/sanitizer/pii-allowlist.d.ts +0 -49
  148. package/lambda-package/sanitizer/pii-allowlist.d.ts.map +0 -1
  149. package/lambda-package/sanitizer/pii-allowlist.js +0 -231
  150. package/lambda-package/sanitizer/pii-allowlist.js.map +0 -1
  151. package/lambda-package/sanitizer/pii-redactor.d.ts +0 -41
  152. package/lambda-package/sanitizer/pii-redactor.d.ts.map +0 -1
  153. package/lambda-package/sanitizer/pii-redactor.js +0 -213
  154. package/lambda-package/sanitizer/pii-redactor.js.map +0 -1
  155. package/lambda-package/sanitizer/severity-classifier.d.ts +0 -33
  156. package/lambda-package/sanitizer/severity-classifier.d.ts.map +0 -1
  157. package/lambda-package/sanitizer/severity-classifier.js +0 -113
  158. package/lambda-package/sanitizer/severity-classifier.js.map +0 -1
  159. package/lambda-package/sanitizer/threat-reporter.d.ts +0 -66
  160. package/lambda-package/sanitizer/threat-reporter.d.ts.map +0 -1
  161. package/lambda-package/sanitizer/threat-reporter.js +0 -163
  162. package/lambda-package/sanitizer/threat-reporter.js.map +0 -1
  163. package/lambda-package/tools/fetch-structured.d.ts +0 -51
  164. package/lambda-package/tools/fetch-structured.d.ts.map +0 -1
  165. package/lambda-package/tools/fetch-structured.js +0 -237
  166. package/lambda-package/tools/fetch-structured.js.map +0 -1
  167. package/lambda-package/tools/fetch.d.ts +0 -49
  168. package/lambda-package/tools/fetch.d.ts.map +0 -1
  169. package/lambda-package/tools/fetch.js +0 -131
  170. package/lambda-package/tools/fetch.js.map +0 -1
  171. package/lambda-package/tools/read.d.ts +0 -51
  172. package/lambda-package/tools/read.d.ts.map +0 -1
  173. package/lambda-package/tools/read.js +0 -127
  174. package/lambda-package/tools/read.js.map +0 -1
  175. package/lambda-package/tools/search.d.ts +0 -45
  176. package/lambda-package/tools/search.d.ts.map +0 -1
  177. package/lambda-package/tools/search.js +0 -220
  178. package/lambda-package/tools/search.js.map +0 -1
  179. package/lambda-package/types.d.ts +0 -167
  180. package/lambda-package/types.d.ts.map +0 -1
  181. package/lambda-package/types.js +0 -16
  182. package/lambda-package/types.js.map +0 -1
  183. package/lambda-package/utils/format-converter.d.ts +0 -39
  184. package/lambda-package/utils/format-converter.d.ts.map +0 -1
  185. package/lambda-package/utils/format-converter.js +0 -191
  186. package/lambda-package/utils/format-converter.js.map +0 -1
  187. package/lambda-package/utils/truncate.d.ts +0 -26
  188. package/lambda-package/utils/truncate.d.ts.map +0 -1
  189. package/lambda-package/utils/truncate.js +0 -54
  190. package/lambda-package/utils/truncate.js.map +0 -1
  191. package/lambda.zip +0 -0
  192. package/test-output.txt +0 -4
  193. package/tests/auth-smoke.test.ts +0 -480
  194. package/tests/elicit-runner.test.ts +0 -232
  195. package/tests/fetch-tool.test.ts +0 -922
  196. package/tests/hitl-gate.test.ts +0 -267
  197. package/tests/injection-corpus.ts +0 -338
  198. package/tests/pii-allowlist.test.ts +0 -282
  199. package/tests/reader.test.ts +0 -353
  200. package/tests/sanitizer.test.ts +0 -358
  201. package/tests/search.test.ts +0 -456
  202. package/tests/threat-reporter.test.ts +0 -334
  203. package/tsconfig.cdk.json +0 -35
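Review bot: Entries 70 and 71 show `package/.mcpregistry_github_token` and `package/.mcpregistry_registry_token` each removed as a one-line file, which means the 0.6.2 tarball was published with those files inside it; deleting them in 0.9.0 does not remove them from the registry, so if either line was a live token it must be treated as exposed and revoked/rotated, and the 0.6.2 version deprecated or unpublished where the registry allows. The same root cause appears to persist, since `package/.claude/settings.local.json` (+15) and `package/.env.status` (+7) are still being shipped in 0.9.0, which suggests package.json has no `files` allowlist (or an `.npmignore` that misses dotfiles) — package.json is not visible here, so confirm. I would restrict the publish to `"files": ["dist", "README.md", "SECURITY.md", "CHANGELOG.md", "server.json"]` and add a pre-publish gate such as `npm pack --dry-run 2>&1 | grep -E '\.env|token|settings\.local' && exit 1` so a release fails if a local config or credential file is about to be packed.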
@@ -1,342 +0,0 @@
1
- /**
2
- * Compliance Framework Mapper
3
- *
4
- * Maps injection pattern categories to compliance framework identifiers:
5
- * - OWASP LLM Top 10 (2025)
6
- * - NIST AI 600-1 (Generative AI Profile)
7
- * - MITRE ATLAS (Adversarial Threat Landscape for AI Systems)
8
- * - ISO/IEC 42001:2023 (AI Management System - Annex A Controls)
9
- */
10
- /**
11
- * Pattern category to framework mapping
12
- */
13
- const FRAMEWORK_MAP = {
14
- // Direct instruction injection
15
- direct_instruction_injection: {
16
- owasp_llm: 'LLM01:2025 - Prompt Injection',
17
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
18
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
19
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
20
- },
21
- // Role hijacking
22
- role_hijacking: {
23
- owasp_llm: 'LLM01:2025 - Prompt Injection',
24
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
25
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
26
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
27
- },
28
- // System prompt extraction
29
- system_prompt_extraction: {
30
- owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
31
- nist_ai_600_1: 'MS-2.6 - Data Disclosure',
32
- mitre_atlas: 'AML.T0048 - External Harms',
33
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
34
- },
35
- // Privilege escalation
36
- privilege_escalation: {
37
- owasp_llm: 'LLM08:2025 - Excessive Agency',
38
- nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
39
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
40
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
41
- },
42
- // Context poisoning
43
- context_poisoning: {
44
- owasp_llm: 'LLM01:2025 - Prompt Injection',
45
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
46
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
47
- iso_42001: 'A.7.2 - Data Quality'
48
- },
49
- // Data exfiltration
50
- data_exfiltration: {
51
- owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
52
- nist_ai_600_1: 'MS-2.6 - Data Disclosure',
53
- mitre_atlas: 'AML.T0048 - External Harms',
54
- iso_42001: 'A.7.5 - Data Provenance / A.8.2 - Information to Users'
55
- },
56
- // Encoding obfuscation
57
- base64_obfuscation: {
58
- owasp_llm: 'LLM01:2025 - Prompt Injection',
59
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
60
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
61
- iso_42001: 'A.7.4 - Data Preparation'
62
- },
63
- // Unicode lookalikes
64
- unicode_lookalikes: {
65
- owasp_llm: 'LLM01:2025 - Prompt Injection',
66
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
67
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
68
- iso_42001: 'A.7.4 - Data Preparation'
69
- },
70
- // Zero-width characters
71
- zero_width_characters: {
72
- owasp_llm: 'LLM01:2025 - Prompt Injection',
73
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
74
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
75
- iso_42001: 'A.7.4 - Data Preparation'
76
- },
77
- // HTML script injection
78
- html_script_injection: {
79
- owasp_llm: 'LLM01:2025 - Prompt Injection',
80
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
81
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
82
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
83
- },
84
- // Data URI injection
85
- data_uri_injection: {
86
- owasp_llm: 'LLM01:2025 - Prompt Injection',
87
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
88
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
89
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
90
- },
91
- // Markdown link injection
92
- markdown_link_injection: {
93
- owasp_llm: 'LLM01:2025 - Prompt Injection',
94
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
95
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
96
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
97
- },
98
- // URL fragment attacks
99
- url_fragment_hashjack: {
100
- owasp_llm: 'LLM01:2025 - Prompt Injection',
101
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
102
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
103
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
104
- },
105
- // Social engineering
106
- social_engineering_urgency: {
107
- owasp_llm: 'LLM01:2025 - Prompt Injection',
108
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
109
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
110
- iso_42001: 'A.5.3 - AI Awareness and Training'
111
- },
112
- // Instruction delimiter injection
113
- instruction_delimiter_injection: {
114
- owasp_llm: 'LLM01:2025 - Prompt Injection',
115
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
116
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
117
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
118
- },
119
- // Multi-language obfuscation
120
- multi_language_obfuscation: {
121
- owasp_llm: 'LLM01:2025 - Prompt Injection',
122
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
123
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
124
- iso_42001: 'A.7.4 - Data Preparation'
125
- },
126
- // Reverse text obfuscation
127
- reverse_text_obfuscation: {
128
- owasp_llm: 'LLM01:2025 - Prompt Injection',
129
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
130
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
131
- iso_42001: 'A.7.4 - Data Preparation'
132
- },
133
- // Leetspeak obfuscation
134
- leetspeak_obfuscation: {
135
- owasp_llm: 'LLM01:2025 - Prompt Injection',
136
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
137
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
138
- iso_42001: 'A.7.4 - Data Preparation'
139
- },
140
- // Jailbreak keywords
141
- jailbreak_keywords: {
142
- owasp_llm: 'LLM01:2025 - Prompt Injection',
143
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
144
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
145
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
146
- },
147
- // Token smuggling
148
- token_smuggling: {
149
- owasp_llm: 'LLM01:2025 - Prompt Injection',
150
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
151
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
152
- iso_42001: 'A.7.4 - Data Preparation'
153
- },
154
- // System message injection
155
- system_message_injection: {
156
- owasp_llm: 'LLM01:2025 - Prompt Injection',
157
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
158
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
159
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
160
- },
161
- // Conversation reset
162
- conversation_reset: {
163
- owasp_llm: 'LLM01:2025 - Prompt Injection',
164
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
165
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
166
- iso_42001: 'A.6.2.6 - Logging and Monitoring'
167
- },
168
- // Memory manipulation
169
- memory_manipulation: {
170
- owasp_llm: 'LLM01:2025 - Prompt Injection',
171
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
172
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
173
- iso_42001: 'A.6.2.6 - Logging and Monitoring'
174
- },
175
- // Capability probing
176
- capability_probing: {
177
- owasp_llm: 'LLM08:2025 - Excessive Agency',
178
- nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
179
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
180
- iso_42001: 'A.6.1.2 - AI System Operational Procedures'
181
- },
182
- // Chain-of-thought manipulation
183
- chain_of_thought_manipulation: {
184
- owasp_llm: 'LLM01:2025 - Prompt Injection',
185
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
186
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
187
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
188
- },
189
- // Hypothetical scenario injection
190
- hypothetical_scenario_injection: {
191
- owasp_llm: 'LLM01:2025 - Prompt Injection',
192
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
193
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
194
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
195
- },
196
- // Ethical override
197
- ethical_override: {
198
- owasp_llm: 'LLM08:2025 - Excessive Agency',
199
- nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
200
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
201
- iso_42001: 'A.2.2 - Responsible AI Policies'
202
- },
203
- // Output format manipulation
204
- output_format_manipulation: {
205
- owasp_llm: 'LLM01:2025 - Prompt Injection',
206
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
207
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
208
- iso_42001: 'A.6.1.2 - AI System Operational Procedures'
209
- },
210
- // Negative instruction
211
- negative_instruction: {
212
- owasp_llm: 'LLM01:2025 - Prompt Injection',
213
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
214
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
215
- iso_42001: 'A.6.1.2 - AI System Operational Procedures'
216
- },
217
- // Credential harvesting
218
- credential_harvesting: {
219
- owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
220
- nist_ai_600_1: 'MS-2.6 - Data Disclosure',
221
- mitre_atlas: 'AML.T0048 - External Harms',
222
- iso_42001: 'A.7.5 - Data Provenance / A.6.1.5 - AI System Security'
223
- },
224
- // Time-based triggers
225
- time_based_triggers: {
226
- owasp_llm: 'LLM01:2025 - Prompt Injection',
227
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
228
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
229
- iso_42001: 'A.6.2.6 - Logging and Monitoring'
230
- },
231
- // Code execution requests
232
- code_execution_requests: {
233
- owasp_llm: 'LLM08:2025 - Excessive Agency',
234
- nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
235
- mitre_atlas: 'AML.T0048 - External Harms',
236
- iso_42001: 'A.9.3 - Intended Use Boundaries'
237
- },
238
- // File system access
239
- file_system_access: {
240
- owasp_llm: 'LLM08:2025 - Excessive Agency',
241
- nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
242
- mitre_atlas: 'AML.T0048 - External Harms',
243
- iso_42001: 'A.9.3 - Intended Use Boundaries'
244
- },
245
- // Training data extraction
246
- training_data_extraction: {
247
- owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
248
- nist_ai_600_1: 'MS-2.6 - Data Disclosure',
249
- mitre_atlas: 'AML.T0048 - External Harms',
250
- iso_42001: 'A.7.5 - Data Provenance'
251
- },
252
- // Simulator mode
253
- simulator_mode: {
254
- owasp_llm: 'LLM01:2025 - Prompt Injection',
255
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
256
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
257
- iso_42001: 'A.9.3 - Intended Use Boundaries'
258
- },
259
- // Nested encoding
260
- nested_encoding: {
261
- owasp_llm: 'LLM01:2025 - Prompt Injection',
262
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
263
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
264
- iso_42001: 'A.7.4 - Data Preparation'
265
- },
266
- // Payload splitting
267
- payload_splitting: {
268
- owasp_llm: 'LLM01:2025 - Prompt Injection',
269
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
270
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
271
- iso_42001: 'A.7.4 - Data Preparation'
272
- },
273
- // CSS-based hiding
274
- css_hiding: {
275
- owasp_llm: 'LLM01:2025 - Prompt Injection',
276
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
277
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
278
- iso_42001: 'A.7.4 - Data Preparation'
279
- },
280
- // Authority impersonation
281
- authority_impersonation: {
282
- owasp_llm: 'LLM01:2025 - Prompt Injection',
283
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
284
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
285
- iso_42001: 'A.2.2 - Responsible AI Policies'
286
- },
287
- // Testing/debugging claims
288
- testing_debugging_claims: {
289
- owasp_llm: 'LLM01:2025 - Prompt Injection',
290
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
291
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
292
- iso_42001: 'A.6.1.2 - AI System Operational Procedures'
293
- },
294
- // Callback URL injection
295
- callback_url_injection: {
296
- owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
297
- nist_ai_600_1: 'MS-2.6 - Data Disclosure',
298
- mitre_atlas: 'AML.T0048 - External Harms',
299
- iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
300
- },
301
- // Whitespace steganography
302
- whitespace_steganography: {
303
- owasp_llm: 'LLM01:2025 - Prompt Injection',
304
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
305
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
306
- iso_42001: 'A.7.4 - Data Preparation'
307
- },
308
- // Comment injection
309
- comment_injection: {
310
- owasp_llm: 'LLM01:2025 - Prompt Injection',
311
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
312
- mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
313
- iso_42001: 'A.7.4 - Data Preparation'
314
- }
315
- };
316
- /**
317
- * Default mapping for unknown pattern categories
318
- */
319
- const DEFAULT_MAPPINGS = {
320
- owasp_llm: 'LLM01:2025 - Prompt Injection',
321
- nist_ai_600_1: 'MS-2.5 - Prompt Injection',
322
- mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
323
- iso_42001: 'A.6.1.5 - AI System Security'
324
- };
325
- /**
326
- * Get framework mappings for a pattern category
327
- */
328
- export function getFrameworkMappings(patternCategory) {
329
- return FRAMEWORK_MAP[patternCategory] || DEFAULT_MAPPINGS;
330
- }
331
- /**
332
- * Get all supported frameworks
333
- */
334
- export function getSupportedFrameworks() {
335
- return [
336
- 'OWASP LLM Top 10 (2025)',
337
- 'NIST AI 600-1 (Generative AI Profile)',
338
- 'MITRE ATLAS (Adversarial Threat Landscape)',
339
- 'ISO/IEC 42001:2023 (AI Management System)'
340
- ];
341
- }
342
- //# sourceMappingURL=framework-mapper.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"framework-mapper.js","sourceRoot":"","sources":["../../src/sanitizer/framework-mapper.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH;;GAEG;AACH,MAAM,aAAa,GAAsC;IACvD,+BAA+B;IAC/B,4BAA4B,EAAE;QAC5B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,iBAAiB;IACjB,cAAc,EAAE;QACd,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,kDAAkD;KAC9D;IAED,uBAAuB;IACvB,oBAAoB,EAAE;QACpB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,sBAAsB;KAClC;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,wDAAwD;KACpE;IAED,uBAAuB;IACvB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,0BAA0B;IAC1B,uBAAuB,EAAE;QACvB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,uBAAuB;IACvB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,qBAAqB;IACrB,0BAA0B,EAAE;QAC1B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,mCAAmC;KAC/C;IAED,kCAAkC;IAClC,+BAA+B
,EAAE;QAC/B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,6BAA6B;IAC7B,0BAA0B,EAAE;QAC1B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,kBAAkB;IAClB,eAAe,EAAE;QACf,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,0BAA0B;KACtC;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kCAAkC;KAC9C;IAED,sBAAsB;IACtB,mBAAmB,EAAE;QACnB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kCAAkC;KAC9C;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,gCAAgC;IAChC,6BAA6B,EAAE;QAC7B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,kCAAkC;IAClC,+BAA+B,EAAE;QAC/B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,mBAAmB;IACnB,gBAAgB,EAAE;QAChB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,iCAAiC;KAC7C;IAED,6BAA6B;IAC7B,0BAA0B,EAAE;QAC1B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,uBAAuB;IACvB,oBAAoB,EAAE;QACpB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SA
AS,EAAE,wDAAwD;KACpE;IAED,sBAAsB;IACtB,mBAAmB,EAAE;QACnB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kCAAkC;KAC9C;IAED,0BAA0B;IAC1B,uBAAuB,EAAE;QACvB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,iCAAiC;KAC7C;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,iCAAiC;KAC7C;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,yBAAyB;KACrC;IAED,iBAAiB;IACjB,cAAc,EAAE;QACd,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,iCAAiC;KAC7C;IAED,kBAAkB;IAClB,eAAe,EAAE;QACf,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,mBAAmB;IACnB,UAAU,EAAE;QACV,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,0BAA0B;IAC1B,uBAAuB,EAAE;QACvB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,iCAAiC;KAC7C;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,yBAAyB;IACzB,sBAAsB,EAAE;QACtB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,kDAAkD;KAC9D;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAsB;IAC1C,SAAS,EAAE,+BAA+B;IAC1C,aAAa,EAAE,2BAA2B;IAC1C,WAAW,EAAE,sCAAsC;IACnD,SAAS,EAAE,8BAA8B;CAC1C,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,eAAuB;IAC1D,OAAO,aAAa,CAAC,eAAe,CAAC,IAAI,gBAAgB,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO;QACL,yBAAyB;QACzB,uCAAuC;QACvC
,4CAA4C;QAC5C,2CAA2C;KAC5C,CAAC;AACJ,CAAC"}
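--- a/package/dist/sanitizer/hitl-gate.d.ts
+++ b/package/dist/sanitizer/hitl-gate.d.ts
@@ -1,69 +0,0 @@
-/**
-* HITL (Human-in-the-Loop) Gate
-*
-* Determines when to pause tool execution for user confirmation
-* based on threat severity. Only CRITICAL threats trigger elicitation.
-*
-* Design:
-* - HIGH/MEDIUM/LOW threats → silent sanitization (business as usual)
-* - CRITICAL threats → pause execution, user confirmation required
-*
-* Security model: Sanitization is the security gate. HITL is UX.
-* Content is ALWAYS sanitized before reaching the LLM, whether or not
-* the user accepts the elicitation prompt.
-*/
-import type { ThreatReport } from './threat-reporter.js';
-/**
-* Determines whether to trigger HITL elicitation
-*
-* Returns true ONLY when:
-* - threatReport is not null
-* - threatReport.overall_severity === 'CRITICAL'
-* - threatReport.total_findings > 0
-*
-* @param threatReport The threat report from sanitization
-* @returns true if elicitation should be triggered
-*/
-export declare function shouldElicit(threatReport: ThreatReport | null): boolean;
-/**
-* Builds a user-facing elicitation message for CRITICAL threats
-*
-* Format:
-* ⚠️ Visus blocked a CRITICAL threat on this page.
-*
-* {total_findings} injection attempt(s) detected on:
-* {url}
-*
-* Highest severity finding: {top_category}
-* ({top_owasp} | {top_mitre})
-*
-* Content has been sanitized. Proceed with clean version?
-*
-* @param threatReport The threat report with CRITICAL severity
-* @param url The source URL
-* @returns A clear, concise message under 300 characters
-*/
-export declare function buildElicitMessage(threatReport: ThreatReport, url: string): string;
-/**
-* Elicitation schema for user confirmation
-*
-* CRITICAL: Must be flat primitive properties only (no nested objects, no arrays)
-* per MCP elicitation specification.
-*/
-export declare const ElicitSchema: {
-readonly type: "object";
-readonly properties: {
-readonly proceed: {
-readonly type: "boolean";
-readonly title: "Proceed with sanitized content";
-readonly description: "Content has been cleaned. View sanitized version?";
-};
-readonly view_report: {
-readonly type: "boolean";
-readonly title: "Include threat report in response";
-readonly description: "Attach the full NIST/OWASP/MITRE threat report?";
-};
-};
-readonly required: readonly ["proceed"];
-};
-//# sourceMappingURL=hitl-gate.d.ts.map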
@@ -1 +0,0 @@
1
- {"version":3,"file":"hitl-gate.d.ts","sourceRoot":"","sources":["../../src/sanitizer/hitl-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEzD;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,GAAG,OAAO,CASvE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CA8BlF;AAED;;;;;GAKG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;CAef,CAAC"}
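--- a/package/dist/sanitizer/hitl-gate.js
+++ b/package/dist/sanitizer/hitl-gate.js
@@ -1,101 +0,0 @@
-/**
-* HITL (Human-in-the-Loop) Gate
-*
-* Determines when to pause tool execution for user confirmation
-* based on threat severity. Only CRITICAL threats trigger elicitation.
-*
-* Design:
-* - HIGH/MEDIUM/LOW threats → silent sanitization (business as usual)
-* - CRITICAL threats → pause execution, user confirmation required
-*
-* Security model: Sanitization is the security gate. HITL is UX.
-* Content is ALWAYS sanitized before reaching the LLM, whether or not
-* the user accepts the elicitation prompt.
-*/
-/**
-* Determines whether to trigger HITL elicitation
-*
-* Returns true ONLY when:
-* - threatReport is not null
-* - threatReport.overall_severity === 'CRITICAL'
-* - threatReport.total_findings > 0
-*
-* @param threatReport The threat report from sanitization
-* @returns true if elicitation should be triggered
-*/
-export function shouldElicit(threatReport) {
-if (!threatReport) {
-return false;
-}
-return (threatReport.overall_severity === 'CRITICAL' &&
-threatReport.total_findings > 0);
-}
-/**
-* Builds a user-facing elicitation message for CRITICAL threats
-*
-* Format:
-* ⚠️ Visus blocked a CRITICAL threat on this page.
-*
-* {total_findings} injection attempt(s) detected on:
-* {url}
-*
-* Highest severity finding: {top_category}
-* ({top_owasp} | {top_mitre})
-*
-* Content has been sanitized. Proceed with clean version?
-*
-* @param threatReport The threat report with CRITICAL severity
-* @param url The source URL
-* @returns A clear, concise message under 300 characters
-*/
-export function buildElicitMessage(threatReport, url) {
-// Find the highest-confidence CRITICAL finding
-const findings = threatReport.findings_toon
-.split('\n')
-.slice(1) // Skip header
-.filter(line => line.trim().length > 0);
-let topCategory = 'unknown';
-let topOwasp = 'N/A';
-let topMitre = 'N/A';
-if (findings.length > 0) {
-// Parse first finding (highest confidence)
-const parts = findings[0].split(',');
-if (parts.length >= 8) {
-topCategory = parts[2]; // category field
-topOwasp = parts[5].split(' - ')[0]; // owasp_llm field (short form)
-topMitre = parts[7].split(' - ')[0]; // mitre_atlas field (short form)
-}
-}
-return `⚠️ Visus blocked a CRITICAL threat on this page.
-
-${threatReport.total_findings} injection attempt(s) detected on:
-${url}
-
-Highest severity finding: ${topCategory}
-(${topOwasp} | ${topMitre})
-
-Content has been sanitized. Proceed with clean version?`;
-}
-/**
-* Elicitation schema for user confirmation
-*
-* CRITICAL: Must be flat primitive properties only (no nested objects, no arrays)
-* per MCP elicitation specification.
-*/
-export const ElicitSchema = {
-type: 'object',
-properties: {
-proceed: {
-type: 'boolean',
-title: 'Proceed with sanitized content',
-description: 'Content has been cleaned. View sanitized version?'
-},
-view_report: {
-type: 'boolean',
-title: 'Include threat report in response',
-description: 'Attach the full NIST/OWASP/MITRE threat report?'
-}
-},
-required: ['proceed']
-};
-//# sourceMappingURL=hitl-gate.js.map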
@@ -1 +0,0 @@
1
- {"version":3,"file":"hitl-gate.js","sourceRoot":"","sources":["../../src/sanitizer/hitl-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,YAAiC;IAC5D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CACL,YAAY,CAAC,gBAAgB,KAAK,UAAU;QAC5C,YAAY,CAAC,cAAc,GAAG,CAAC,CAChC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAA0B,EAAE,GAAW;IACxE,+CAA+C;IAC/C,MAAM,QAAQ,GAAG,YAAY,CAAC,aAAa;SACxC,KAAK,CAAC,IAAI,CAAC;SACX,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc;SACvB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE1C,IAAI,WAAW,GAAG,SAAS,CAAC;IAC5B,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,2CAA2C;QAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB;YACzC,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;YACpE,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,iCAAiC;QACxE,CAAC;IACH,CAAC;IAED,OAAO;;EAEP,YAAY,CAAC,cAAc;EAC3B,GAAG;;4BAEuB,WAAW;GACpC,QAAQ,MAAM,QAAQ;;wDAE+B,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,OAAO,EAAE;YACP,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,gCAAgC;YACvC,WAAW,EAAE,mDAAmD;SACjE;QACD,WAAW,EAAE;YACX,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,mCAAmC;YAC1C,WAAW,EAAE,iDAAiD;SAC/D;KACF;IACD,QAAQ,EAAE,CAAC,SAAS,CAAC;CACb,CAAC"}
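--- a/package/dist/sanitizer/index.d.ts
+++ b/package/dist/sanitizer/index.d.ts
@@ -1,63 +0,0 @@
-/**
-* Sanitizer Orchestrator
-*
-* Main entry point for content sanitization. Coordinates injection detection
-* and PII redaction pipelines.
-*
-* CRITICAL: This is the core security mechanism. Every web page MUST pass
-* through this sanitizer before reaching the LLM. This cannot be bypassed.
-*/
-import { type ThreatReport } from './threat-reporter.js';
-export interface SanitizationResult {
-content: string;
-sanitization: {
-patterns_detected: string[];
-pii_types_redacted: string[];
-pii_allowlisted: Array<{
-type: string;
-value: string;
-reason: string;
-}>;
-content_modified: boolean;
-};
-metadata: {
-original_length: number;
-sanitized_length: number;
-severity_score: number;
-has_critical_threats: boolean;
-detections_by_severity: {
-critical: number;
-high: number;
-medium: number;
-low: number;
-};
-};
-threat_report?: ThreatReport;
-}
-/**
-* Sanitize content through the full pipeline
-*
-* Pipeline:
-* 1. Injection detection and neutralization (43 patterns)
-* 2. PII redaction (email, phone, SSN, CC, IP) with allowlisting
-* 3. Metadata collection and logging
-*
-* @param content Raw content from web page
-* @param sourceUrl Optional source URL for domain-scoped PII allowlisting
-* @returns Sanitized content with detection metadata
-*/
-export declare function sanitize(content: string, sourceUrl?: string): SanitizationResult;
-/**
-* Quick check: does content need sanitization?
-* (Used for optimization - skip pipeline if content is clean)
-*
-* Note: Still run full pipeline for safety, but this can be used for metrics
-*/
-export declare function needsSanitization(_content: string): boolean;
-/**
-* Export sub-components for testing
-*/
-export { detectAndNeutralize } from './injection-detector.js';
-export { redactPII, containsPII, detectPIITypes } from './pii-redactor.js';
-export { INJECTION_PATTERNS, getAllPatternNames } from './patterns.js';
-//# sourceMappingURL=index.d.ts.map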
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizer/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAwB,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAE/E,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE;QACZ,iBAAiB,EAAE,MAAM,EAAE,CAAC;QAC5B,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,eAAe,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACxE,gBAAgB,EAAE,OAAO,CAAC;KAC3B,CAAC;IACF,QAAQ,EAAE;QACR,eAAe,EAAE,MAAM,CAAC;QACxB,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,OAAO,CAAC;QAC9B,sBAAsB,EAAE;YACtB,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,MAAM,EAAE,MAAM,CAAC;YACf,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,aAAa,CAAC,EAAE,YAAY,CAAC;CAC9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAyDhF;AA0BD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAG3D;AAED;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC"}