visus-mcp 0.6.2 → 0.9.0
- package/.claude/settings.local.json +15 -1
- package/.env.status +7 -0
- package/CHANGELOG.md +110 -0
- package/CLAUDE.md +3 -0
- package/README.md +29 -19
- package/SECURITY.md +2 -0
- package/STATUS.md +320 -12
- package/dist/browser/playwright-renderer.d.ts.map +1 -1
- package/dist/browser/playwright-renderer.js +27 -5
- package/dist/browser/playwright-renderer.js.map +1 -1
- package/dist/content-handlers/index.d.ts +36 -0
- package/dist/content-handlers/index.d.ts.map +1 -0
- package/dist/content-handlers/index.js +59 -0
- package/dist/content-handlers/index.js.map +1 -0
- package/dist/content-handlers/json-handler.d.ts +28 -0
- package/dist/content-handlers/json-handler.d.ts.map +1 -0
- package/dist/content-handlers/json-handler.js +116 -0
- package/dist/content-handlers/json-handler.js.map +1 -0
- package/dist/content-handlers/pdf-handler.d.ts +29 -0
- package/dist/content-handlers/pdf-handler.d.ts.map +1 -0
- package/dist/content-handlers/pdf-handler.js +77 -0
- package/dist/content-handlers/pdf-handler.js.map +1 -0
- package/dist/content-handlers/svg-handler.d.ts +35 -0
- package/dist/content-handlers/svg-handler.d.ts.map +1 -0
- package/dist/content-handlers/svg-handler.js +206 -0
- package/dist/content-handlers/svg-handler.js.map +1 -0
- package/dist/content-handlers/types.d.ts +42 -0
- package/dist/content-handlers/types.d.ts.map +1 -0
- package/dist/content-handlers/types.js +7 -0
- package/dist/content-handlers/types.js.map +1 -0
- package/dist/sanitizer/framework-mapper.d.ts +4 -0
- package/dist/sanitizer/framework-mapper.d.ts.map +1 -1
- package/dist/sanitizer/framework-mapper.js +92 -0
- package/dist/sanitizer/framework-mapper.js.map +1 -1
- package/dist/sanitizer/threat-reporter.d.ts +5 -0
- package/dist/sanitizer/threat-reporter.d.ts.map +1 -1
- package/dist/sanitizer/threat-reporter.js +15 -6
- package/dist/sanitizer/threat-reporter.js.map +1 -1
- package/dist/tools/fetch-structured.d.ts.map +1 -1
- package/dist/tools/fetch-structured.js +4 -0
- package/dist/tools/fetch-structured.js.map +1 -1
- package/dist/tools/fetch.d.ts.map +1 -1
- package/dist/tools/fetch.js +68 -4
- package/dist/tools/fetch.js.map +1 -1
- package/dist/tools/read.d.ts.map +1 -1
- package/dist/tools/read.js +4 -0
- package/dist/tools/read.js.map +1 -1
- package/dist/types.d.ts +9 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/package.json +2 -1
- package/server.json +25 -14
- package/src/browser/playwright-renderer.ts +29 -6
- package/src/content-handlers/index.ts +72 -0
- package/src/content-handlers/json-handler.ts +137 -0
- package/src/content-handlers/pdf-handler.ts +91 -0
- package/src/content-handlers/svg-handler.ts +243 -0
- package/src/content-handlers/types.ts +44 -0
- package/src/sanitizer/framework-mapper.ts +94 -0
- package/src/sanitizer/threat-reporter.ts +17 -6
- package/src/tools/fetch-structured.ts +5 -0
- package/src/tools/fetch.ts +76 -4
- package/src/tools/read.ts +5 -0
- package/src/types.ts +9 -1
- package/.github/ISSUE_TEMPLATE/bug_report.md +0 -47
- package/.github/ISSUE_TEMPLATE/false_positive.md +0 -43
- package/.github/ISSUE_TEMPLATE/new_pattern.md +0 -49
- package/.github/ISSUE_TEMPLATE/security_report.md +0 -31
- package/.github/PULL_REQUEST_TEMPLATE.md +0 -39
- package/.mcpregistry_github_token +0 -1
- package/.mcpregistry_registry_token +0 -1
- package/CONTRIBUTING.md +0 -329
- package/LINKEDIN-STRATEGY.md +0 -367
- package/ROADMAP.md +0 -221
- package/SECURITY-AUDIT-v1.md +0 -277
- package/SUBMISSION.md +0 -66
- package/TROUBLESHOOT-AUTH-20260322-2019.md +0 -291
- package/TROUBLESHOOT-BUILD-20260319-1450.md +0 -546
- package/TROUBLESHOOT-COGNITO-AUTH-20260324-2029.md +0 -415
- package/TROUBLESHOOT-COGNITO-JWT-20260324.md +0 -592
- package/TROUBLESHOOT-FETCH-20260320-1150.md +0 -168
- package/TROUBLESHOOT-JEST-20260323-1357.md +0 -139
- package/TROUBLESHOOT-LAMBDA-20260322-1945.md +0 -183
- package/TROUBLESHOOT-PLAYWRIGHT-20260321-1549.md +0 -217
- package/TROUBLESHOOT-SSL-20260320-1138.md +0 -171
- package/TROUBLESHOOT-STRUCTURED-20260320-1200.md +0 -246
- package/TROUBLESHOOT-TEST-20260320-0942.md +0 -281
- package/VISUS-CLAUDE-CODE-PROMPT.md +0 -324
- package/VISUS-PROJECT-PLAN.md +0 -205
- package/cdk.json +0 -73
- package/infrastructure/app.ts +0 -39
- package/infrastructure/stack.ts +0 -298
- package/jest.config.js +0 -33
- package/jest.setup.js +0 -9
- package/lambda-deploy/index.js +0 -81512
- package/lambda-deploy/index.js.map +0 -7
- package/lambda-package/browser/__mocks__/playwright-renderer.d.ts +0 -25
- package/lambda-package/browser/__mocks__/playwright-renderer.d.ts.map +0 -1
- package/lambda-package/browser/__mocks__/playwright-renderer.js +0 -119
- package/lambda-package/browser/__mocks__/playwright-renderer.js.map +0 -1
- package/lambda-package/browser/playwright-renderer.d.ts +0 -40
- package/lambda-package/browser/playwright-renderer.d.ts.map +0 -1
- package/lambda-package/browser/playwright-renderer.js +0 -214
- package/lambda-package/browser/playwright-renderer.js.map +0 -1
- package/lambda-package/browser/reader.d.ts +0 -31
- package/lambda-package/browser/reader.d.ts.map +0 -1
- package/lambda-package/browser/reader.js +0 -98
- package/lambda-package/browser/reader.js.map +0 -1
- package/lambda-package/index.d.ts +0 -18
- package/lambda-package/index.d.ts.map +0 -1
- package/lambda-package/index.js +0 -238
- package/lambda-package/index.js.map +0 -1
- package/lambda-package/lambda-handler.d.ts +0 -28
- package/lambda-package/lambda-handler.d.ts.map +0 -1
- package/lambda-package/lambda-handler.js +0 -257
- package/lambda-package/lambda-handler.js.map +0 -1
- package/lambda-package/package-lock.json +0 -7435
- package/lambda-package/package.json +0 -74
- package/lambda-package/runtime.d.ts +0 -50
- package/lambda-package/runtime.d.ts.map +0 -1
- package/lambda-package/runtime.js +0 -86
- package/lambda-package/runtime.js.map +0 -1
- package/lambda-package/sanitizer/elicit-runner.d.ts +0 -48
- package/lambda-package/sanitizer/elicit-runner.d.ts.map +0 -1
- package/lambda-package/sanitizer/elicit-runner.js +0 -100
- package/lambda-package/sanitizer/elicit-runner.js.map +0 -1
- package/lambda-package/sanitizer/framework-mapper.d.ts +0 -24
- package/lambda-package/sanitizer/framework-mapper.d.ts.map +0 -1
- package/lambda-package/sanitizer/framework-mapper.js +0 -342
- package/lambda-package/sanitizer/framework-mapper.js.map +0 -1
- package/lambda-package/sanitizer/hitl-gate.d.ts +0 -69
- package/lambda-package/sanitizer/hitl-gate.d.ts.map +0 -1
- package/lambda-package/sanitizer/hitl-gate.js +0 -101
- package/lambda-package/sanitizer/hitl-gate.js.map +0 -1
- package/lambda-package/sanitizer/index.d.ts +0 -63
- package/lambda-package/sanitizer/index.d.ts.map +0 -1
- package/lambda-package/sanitizer/index.js +0 -105
- package/lambda-package/sanitizer/index.js.map +0 -1
- package/lambda-package/sanitizer/injection-detector.d.ts +0 -34
- package/lambda-package/sanitizer/injection-detector.d.ts.map +0 -1
- package/lambda-package/sanitizer/injection-detector.js +0 -89
- package/lambda-package/sanitizer/injection-detector.js.map +0 -1
- package/lambda-package/sanitizer/patterns.d.ts +0 -30
- package/lambda-package/sanitizer/patterns.d.ts.map +0 -1
- package/lambda-package/sanitizer/patterns.js +0 -372
- package/lambda-package/sanitizer/patterns.js.map +0 -1
- package/lambda-package/sanitizer/pii-allowlist.d.ts +0 -49
- package/lambda-package/sanitizer/pii-allowlist.d.ts.map +0 -1
- package/lambda-package/sanitizer/pii-allowlist.js +0 -231
- package/lambda-package/sanitizer/pii-allowlist.js.map +0 -1
- package/lambda-package/sanitizer/pii-redactor.d.ts +0 -41
- package/lambda-package/sanitizer/pii-redactor.d.ts.map +0 -1
- package/lambda-package/sanitizer/pii-redactor.js +0 -213
- package/lambda-package/sanitizer/pii-redactor.js.map +0 -1
- package/lambda-package/sanitizer/severity-classifier.d.ts +0 -33
- package/lambda-package/sanitizer/severity-classifier.d.ts.map +0 -1
- package/lambda-package/sanitizer/severity-classifier.js +0 -113
- package/lambda-package/sanitizer/severity-classifier.js.map +0 -1
- package/lambda-package/sanitizer/threat-reporter.d.ts +0 -66
- package/lambda-package/sanitizer/threat-reporter.d.ts.map +0 -1
- package/lambda-package/sanitizer/threat-reporter.js +0 -163
- package/lambda-package/sanitizer/threat-reporter.js.map +0 -1
- package/lambda-package/tools/fetch-structured.d.ts +0 -51
- package/lambda-package/tools/fetch-structured.d.ts.map +0 -1
- package/lambda-package/tools/fetch-structured.js +0 -237
- package/lambda-package/tools/fetch-structured.js.map +0 -1
- package/lambda-package/tools/fetch.d.ts +0 -49
- package/lambda-package/tools/fetch.d.ts.map +0 -1
- package/lambda-package/tools/fetch.js +0 -131
- package/lambda-package/tools/fetch.js.map +0 -1
- package/lambda-package/tools/read.d.ts +0 -51
- package/lambda-package/tools/read.d.ts.map +0 -1
- package/lambda-package/tools/read.js +0 -127
- package/lambda-package/tools/read.js.map +0 -1
- package/lambda-package/tools/search.d.ts +0 -45
- package/lambda-package/tools/search.d.ts.map +0 -1
- package/lambda-package/tools/search.js +0 -220
- package/lambda-package/tools/search.js.map +0 -1
- package/lambda-package/types.d.ts +0 -167
- package/lambda-package/types.d.ts.map +0 -1
- package/lambda-package/types.js +0 -16
- package/lambda-package/types.js.map +0 -1
- package/lambda-package/utils/format-converter.d.ts +0 -39
- package/lambda-package/utils/format-converter.d.ts.map +0 -1
- package/lambda-package/utils/format-converter.js +0 -191
- package/lambda-package/utils/format-converter.js.map +0 -1
- package/lambda-package/utils/truncate.d.ts +0 -26
- package/lambda-package/utils/truncate.d.ts.map +0 -1
- package/lambda-package/utils/truncate.js +0 -54
- package/lambda-package/utils/truncate.js.map +0 -1
- package/lambda.zip +0 -0
- package/test-output.txt +0 -4
- package/tests/auth-smoke.test.ts +0 -480
- package/tests/elicit-runner.test.ts +0 -232
- package/tests/fetch-tool.test.ts +0 -922
- package/tests/hitl-gate.test.ts +0 -267
- package/tests/injection-corpus.ts +0 -338
- package/tests/pii-allowlist.test.ts +0 -282
- package/tests/reader.test.ts +0 -353
- package/tests/sanitizer.test.ts +0 -358
- package/tests/search.test.ts +0 -456
- package/tests/threat-reporter.test.ts +0 -334
- package/tsconfig.cdk.json +0 -35
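--- a/package/lambda-package/sanitizer/framework-mapper.js
+++ b/package/lambda-package/sanitizer/framework-mapper.js
@@ -1,342 +0,0 @@
-/**
-* Compliance Framework Mapper
-*
-* Maps injection pattern categories to compliance framework identifiers:
-* - OWASP LLM Top 10 (2025)
-* - NIST AI 600-1 (Generative AI Profile)
-* - MITRE ATLAS (Adversarial Threat Landscape for AI Systems)
-* - ISO/IEC 42001:2023 (AI Management System - Annex A Controls)
-*/
-/**
-* Pattern category to framework mapping
-*/
-const FRAMEWORK_MAP = {
-// Direct instruction injection
-direct_instruction_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Role hijacking
-role_hijacking: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// System prompt extraction
-system_prompt_extraction: {
-owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
-nist_ai_600_1: 'MS-2.6 - Data Disclosure',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Privilege escalation
-privilege_escalation: {
-owasp_llm: 'LLM08:2025 - Excessive Agency',
-nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Context poisoning
-context_poisoning: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.2 - Data Quality'
-},
-// Data exfiltration
-data_exfiltration: {
-owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
-nist_ai_600_1: 'MS-2.6 - Data Disclosure',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.7.5 - Data Provenance / A.8.2 - Information to Users'
-},
-// Encoding obfuscation
-base64_obfuscation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Unicode lookalikes
-unicode_lookalikes: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Zero-width characters
-zero_width_characters: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// HTML script injection
-html_script_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Data URI injection
-data_uri_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Markdown link injection
-markdown_link_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// URL fragment attacks
-url_fragment_hashjack: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Social engineering
-social_engineering_urgency: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.5.3 - AI Awareness and Training'
-},
-// Instruction delimiter injection
-instruction_delimiter_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Multi-language obfuscation
-multi_language_obfuscation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Reverse text obfuscation
-reverse_text_obfuscation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Leetspeak obfuscation
-leetspeak_obfuscation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Jailbreak keywords
-jailbreak_keywords: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Token smuggling
-token_smuggling: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// System message injection
-system_message_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Conversation reset
-conversation_reset: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.2.6 - Logging and Monitoring'
-},
-// Memory manipulation
-memory_manipulation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.6.2.6 - Logging and Monitoring'
-},
-// Capability probing
-capability_probing: {
-owasp_llm: 'LLM08:2025 - Excessive Agency',
-nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.2 - AI System Operational Procedures'
-},
-// Chain-of-thought manipulation
-chain_of_thought_manipulation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Hypothetical scenario injection
-hypothetical_scenario_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Ethical override
-ethical_override: {
-owasp_llm: 'LLM08:2025 - Excessive Agency',
-nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.2.2 - Responsible AI Policies'
-},
-// Output format manipulation
-output_format_manipulation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.2 - AI System Operational Procedures'
-},
-// Negative instruction
-negative_instruction: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.2 - AI System Operational Procedures'
-},
-// Credential harvesting
-credential_harvesting: {
-owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
-nist_ai_600_1: 'MS-2.6 - Data Disclosure',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.7.5 - Data Provenance / A.6.1.5 - AI System Security'
-},
-// Time-based triggers
-time_based_triggers: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.2.6 - Logging and Monitoring'
-},
-// Code execution requests
-code_execution_requests: {
-owasp_llm: 'LLM08:2025 - Excessive Agency',
-nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.9.3 - Intended Use Boundaries'
-},
-// File system access
-file_system_access: {
-owasp_llm: 'LLM08:2025 - Excessive Agency',
-nist_ai_600_1: 'GV-1.1 - Policies and Procedures',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.9.3 - Intended Use Boundaries'
-},
-// Training data extraction
-training_data_extraction: {
-owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
-nist_ai_600_1: 'MS-2.6 - Data Disclosure',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.7.5 - Data Provenance'
-},
-// Simulator mode
-simulator_mode: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.9.3 - Intended Use Boundaries'
-},
-// Nested encoding
-nested_encoding: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Payload splitting
-payload_splitting: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// CSS-based hiding
-css_hiding: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Authority impersonation
-authority_impersonation: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.2.2 - Responsible AI Policies'
-},
-// Testing/debugging claims
-testing_debugging_claims: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.2 - AI System Operational Procedures'
-},
-// Callback URL injection
-callback_url_injection: {
-owasp_llm: 'LLM02:2025 - Sensitive Information Disclosure',
-nist_ai_600_1: 'MS-2.6 - Data Disclosure',
-mitre_atlas: 'AML.T0048 - External Harms',
-iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
-},
-// Whitespace steganography
-whitespace_steganography: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-},
-// Comment injection
-comment_injection: {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.001 - LLM Prompt Injection: Indirect',
-iso_42001: 'A.7.4 - Data Preparation'
-}
-};
-/**
-* Default mapping for unknown pattern categories
-*/
-const DEFAULT_MAPPINGS = {
-owasp_llm: 'LLM01:2025 - Prompt Injection',
-nist_ai_600_1: 'MS-2.5 - Prompt Injection',
-mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
-iso_42001: 'A.6.1.5 - AI System Security'
-};
-/**
-* Get framework mappings for a pattern category
-*/
-export function getFrameworkMappings(patternCategory) {
-return FRAMEWORK_MAP[patternCategory] || DEFAULT_MAPPINGS;
-}
-/**
-* Get all supported frameworks
-*/
-export function getSupportedFrameworks() {
-return [
-'OWASP LLM Top 10 (2025)',
-'NIST AI 600-1 (Generative AI Profile)',
-'MITRE ATLAS (Adversarial Threat Landscape)',
-'ISO/IEC 42001:2023 (AI Management System)'
-];
-}
-//# sourceMappingURL=framework-mapper.js.map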
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"framework-mapper.js","sourceRoot":"","sources":["../../src/sanitizer/framework-mapper.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH;;GAEG;AACH,MAAM,aAAa,GAAsC;IACvD,+BAA+B;IAC/B,4BAA4B,EAAE;QAC5B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,iBAAiB;IACjB,cAAc,EAAE;QACd,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,kDAAkD;KAC9D;IAED,uBAAuB;IACvB,oBAAoB,EAAE;QACpB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,sBAAsB;KAClC;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,wDAAwD;KACpE;IAED,uBAAuB;IACvB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,0BAA0B;IAC1B,uBAAuB,EAAE;QACvB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,uBAAuB;IACvB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kDAAkD;KAC9D;IAED,qBAAqB;IACrB,0BAA0B,EAAE;QAC1B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,mCAAmC;KAC/C;IAED,kCAAkC;IAClC,+BAA+B,E
AAE;QAC/B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,6BAA6B;IAC7B,0BAA0B,EAAE;QAC1B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,kBAAkB;IAClB,eAAe,EAAE;QACf,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,0BAA0B;KACtC;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kCAAkC;KAC9C;IAED,sBAAsB;IACtB,mBAAmB,EAAE;QACnB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,kCAAkC;KAC9C;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,gCAAgC;IAChC,6BAA6B,EAAE;QAC7B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,kCAAkC;IAClC,+BAA+B,EAAE;QAC/B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kDAAkD;KAC9D;IAED,mBAAmB;IACnB,gBAAgB,EAAE;QAChB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,iCAAiC;KAC7C;IAED,6BAA6B;IAC7B,0BAA0B,EAAE;QAC1B,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,uBAAuB;IACvB,oBAAoB,EAAE;QACpB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,wBAAwB;IACxB,qBAAqB,EAAE;QACrB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS
,EAAE,wDAAwD;KACpE;IAED,sBAAsB;IACtB,mBAAmB,EAAE;QACnB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,kCAAkC;KAC9C;IAED,0BAA0B;IAC1B,uBAAuB,EAAE;QACvB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,iCAAiC;KAC7C;IAED,qBAAqB;IACrB,kBAAkB,EAAE;QAClB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,kCAAkC;QACjD,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,iCAAiC;KAC7C;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,yBAAyB;KACrC;IAED,iBAAiB;IACjB,cAAc,EAAE;QACd,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,iCAAiC;KAC7C;IAED,kBAAkB;IAClB,eAAe,EAAE;QACf,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,mBAAmB;IACnB,UAAU,EAAE;QACV,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,0BAA0B;IAC1B,uBAAuB,EAAE;QACvB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,iCAAiC;KAC7C;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,sCAAsC;QACnD,SAAS,EAAE,4CAA4C;KACxD;IAED,yBAAyB;IACzB,sBAAsB,EAAE;QACtB,SAAS,EAAE,+CAA+C;QAC1D,aAAa,EAAE,0BAA0B;QACzC,WAAW,EAAE,4BAA4B;QACzC,SAAS,EAAE,kDAAkD;KAC9D;IAED,2BAA2B;IAC3B,wBAAwB,EAAE;QACxB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;IAED,oBAAoB;IACpB,iBAAiB,EAAE;QACjB,SAAS,EAAE,+BAA+B;QAC1C,aAAa,EAAE,2BAA2B;QAC1C,WAAW,EAAE,gDAAgD;QAC7D,SAAS,EAAE,0BAA0B;KACtC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAsB;IAC1C,SAAS,EAAE,+BAA+B;IAC1C,aAAa,EAAE,2BAA2B;IAC1C,WAAW,EAAE,sCAAsC;IACnD,SAAS,EAAE,8BAA8B;CAC1C,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,eAAuB;IAC1D,OAAO,aAAa,CAAC,eAAe,CAAC,IAAI,gBAAgB,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO;QACL,yBAAyB;QACzB,uCAAuC;QACvC,4
CAA4C;QAC5C,2CAA2C;KAC5C,CAAC;AACJ,CAAC"}
|
|
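--- a/package/dist/sanitizer/hitl-gate.d.ts
+++ b/package/dist/sanitizer/hitl-gate.d.ts
@@ -1,69 +0,0 @@
-/**
-* HITL (Human-in-the-Loop) Gate
-*
-* Determines when to pause tool execution for user confirmation
-* based on threat severity. Only CRITICAL threats trigger elicitation.
-*
-* Design:
-* - HIGH/MEDIUM/LOW threats → silent sanitization (business as usual)
-* - CRITICAL threats → pause execution, user confirmation required
-*
-* Security model: Sanitization is the security gate. HITL is UX.
-* Content is ALWAYS sanitized before reaching the LLM, whether or not
-* the user accepts the elicitation prompt.
-*/
-import type { ThreatReport } from './threat-reporter.js';
-/**
-* Determines whether to trigger HITL elicitation
-*
-* Returns true ONLY when:
-* - threatReport is not null
-* - threatReport.overall_severity === 'CRITICAL'
-* - threatReport.total_findings > 0
-*
-* @param threatReport The threat report from sanitization
-* @returns true if elicitation should be triggered
-*/
-export declare function shouldElicit(threatReport: ThreatReport | null): boolean;
-/**
-* Builds a user-facing elicitation message for CRITICAL threats
-*
-* Format:
-* ⚠️ Visus blocked a CRITICAL threat on this page.
-*
-* {total_findings} injection attempt(s) detected on:
-* {url}
-*
-* Highest severity finding: {top_category}
-* ({top_owasp} | {top_mitre})
-*
-* Content has been sanitized. Proceed with clean version?
-*
-* @param threatReport The threat report with CRITICAL severity
-* @param url The source URL
-* @returns A clear, concise message under 300 characters
-*/
-export declare function buildElicitMessage(threatReport: ThreatReport, url: string): string;
-/**
-* Elicitation schema for user confirmation
-*
-* CRITICAL: Must be flat primitive properties only (no nested objects, no arrays)
-* per MCP elicitation specification.
-*/
-export declare const ElicitSchema: {
-readonly type: "object";
-readonly properties: {
-readonly proceed: {
-readonly type: "boolean";
-readonly title: "Proceed with sanitized content";
-readonly description: "Content has been cleaned. View sanitized version?";
-};
-readonly view_report: {
-readonly type: "boolean";
-readonly title: "Include threat report in response";
-readonly description: "Attach the full NIST/OWASP/MITRE threat report?";
-};
-};
-readonly required: readonly ["proceed"];
-};
-//# sourceMappingURL=hitl-gate.d.ts.map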
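--- a/package/dist/sanitizer/hitl-gate.d.ts.map
+++ b/package/dist/sanitizer/hitl-gate.d.ts.map
@@ -1 +0,0 @@
-{"version":3,"file":"hitl-gate.d.ts","sourceRoot":"","sources":["../../src/sanitizer/hitl-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEzD;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,GAAG,OAAO,CASvE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CA8BlF;AAED;;;;;GAKG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;CAef,CAAC"}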
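--- a/package/dist/sanitizer/hitl-gate.js
+++ b/package/dist/sanitizer/hitl-gate.js
@@ -1,101 +0,0 @@
-/**
-* HITL (Human-in-the-Loop) Gate
-*
-* Determines when to pause tool execution for user confirmation
-* based on threat severity. Only CRITICAL threats trigger elicitation.
-*
-* Design:
-* - HIGH/MEDIUM/LOW threats → silent sanitization (business as usual)
-* - CRITICAL threats → pause execution, user confirmation required
-*
-* Security model: Sanitization is the security gate. HITL is UX.
-* Content is ALWAYS sanitized before reaching the LLM, whether or not
-* the user accepts the elicitation prompt.
-*/
-/**
-* Determines whether to trigger HITL elicitation
-*
-* Returns true ONLY when:
-* - threatReport is not null
-* - threatReport.overall_severity === 'CRITICAL'
-* - threatReport.total_findings > 0
-*
-* @param threatReport The threat report from sanitization
-* @returns true if elicitation should be triggered
-*/
-export function shouldElicit(threatReport) {
-if (!threatReport) {
-return false;
-}
-return (threatReport.overall_severity === 'CRITICAL' &&
-threatReport.total_findings > 0);
-}
-/**
-* Builds a user-facing elicitation message for CRITICAL threats
-*
-* Format:
-* ⚠️ Visus blocked a CRITICAL threat on this page.
-*
-* {total_findings} injection attempt(s) detected on:
-* {url}
-*
-* Highest severity finding: {top_category}
-* ({top_owasp} | {top_mitre})
-*
-* Content has been sanitized. Proceed with clean version?
-*
-* @param threatReport The threat report with CRITICAL severity
-* @param url The source URL
-* @returns A clear, concise message under 300 characters
-*/
-export function buildElicitMessage(threatReport, url) {
-// Find the highest-confidence CRITICAL finding
-const findings = threatReport.findings_toon
-.split('\n')
-.slice(1) // Skip header
-.filter(line => line.trim().length > 0);
-let topCategory = 'unknown';
-let topOwasp = 'N/A';
-let topMitre = 'N/A';
-if (findings.length > 0) {
-// Parse first finding (highest confidence)
-const parts = findings[0].split(',');
-if (parts.length >= 8) {
-topCategory = parts[2]; // category field
-topOwasp = parts[5].split(' - ')[0]; // owasp_llm field (short form)
-topMitre = parts[7].split(' - ')[0]; // mitre_atlas field (short form)
-}
-}
-return `⚠️ Visus blocked a CRITICAL threat on this page.
-
-${threatReport.total_findings} injection attempt(s) detected on:
-${url}
-
-Highest severity finding: ${topCategory}
-(${topOwasp} | ${topMitre})
-
-Content has been sanitized. Proceed with clean version?`;
-}
-/**
-* Elicitation schema for user confirmation
-*
-* CRITICAL: Must be flat primitive properties only (no nested objects, no arrays)
-* per MCP elicitation specification.
-*/
-export const ElicitSchema = {
-type: 'object',
-properties: {
-proceed: {
-type: 'boolean',
-title: 'Proceed with sanitized content',
-description: 'Content has been cleaned. View sanitized version?'
-},
-view_report: {
-type: 'boolean',
-title: 'Include threat report in response',
-description: 'Attach the full NIST/OWASP/MITRE threat report?'
-}
-},
-required: ['proceed']
-};
-//# sourceMappingURL=hitl-gate.js.map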
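--- a/package/dist/sanitizer/hitl-gate.js.map
+++ b/package/dist/sanitizer/hitl-gate.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"hitl-gate.js","sourceRoot":"","sources":["../../src/sanitizer/hitl-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,YAAiC;IAC5D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CACL,YAAY,CAAC,gBAAgB,KAAK,UAAU;QAC5C,YAAY,CAAC,cAAc,GAAG,CAAC,CAChC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAA0B,EAAE,GAAW;IACxE,+CAA+C;IAC/C,MAAM,QAAQ,GAAG,YAAY,CAAC,aAAa;SACxC,KAAK,CAAC,IAAI,CAAC;SACX,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc;SACvB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE1C,IAAI,WAAW,GAAG,SAAS,CAAC;IAC5B,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,2CAA2C;QAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB;YACzC,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;YACpE,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,iCAAiC;QACxE,CAAC;IACH,CAAC;IAED,OAAO;;EAEP,YAAY,CAAC,cAAc;EAC3B,GAAG;;4BAEuB,WAAW;GACpC,QAAQ,MAAM,QAAQ;;wDAE+B,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE;QACV,OAAO,EAAE;YACP,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,gCAAgC;YACvC,WAAW,EAAE,mDAAmD;SACjE;QACD,WAAW,EAAE;YACX,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,mCAAmC;YAC1C,WAAW,EAAE,iDAAiD;SAC/D;KACF;IACD,QAAQ,EAAE,CAAC,SAAS,CAAC;CACb,CAAC"}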
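--- a/package/dist/sanitizer/index.d.ts
+++ b/package/dist/sanitizer/index.d.ts
@@ -1,63 +0,0 @@
-/**
-* Sanitizer Orchestrator
-*
-* Main entry point for content sanitization. Coordinates injection detection
-* and PII redaction pipelines.
-*
-* CRITICAL: This is the core security mechanism. Every web page MUST pass
-* through this sanitizer before reaching the LLM. This cannot be bypassed.
-*/
-import { type ThreatReport } from './threat-reporter.js';
-export interface SanitizationResult {
-content: string;
-sanitization: {
-patterns_detected: string[];
-pii_types_redacted: string[];
-pii_allowlisted: Array<{
-type: string;
-value: string;
-reason: string;
-}>;
-content_modified: boolean;
-};
-metadata: {
-original_length: number;
-sanitized_length: number;
-severity_score: number;
-has_critical_threats: boolean;
-detections_by_severity: {
-critical: number;
-high: number;
-medium: number;
-low: number;
-};
-};
-threat_report?: ThreatReport;
-}
-/**
-* Sanitize content through the full pipeline
-*
-* Pipeline:
-* 1. Injection detection and neutralization (43 patterns)
-* 2. PII redaction (email, phone, SSN, CC, IP) with allowlisting
-* 3. Metadata collection and logging
-*
-* @param content Raw content from web page
-* @param sourceUrl Optional source URL for domain-scoped PII allowlisting
-* @returns Sanitized content with detection metadata
-*/
-export declare function sanitize(content: string, sourceUrl?: string): SanitizationResult;
-/**
-* Quick check: does content need sanitization?
-* (Used for optimization - skip pipeline if content is clean)
-*
-* Note: Still run full pipeline for safety, but this can be used for metrics
-*/
-export declare function needsSanitization(_content: string): boolean;
-/**
-* Export sub-components for testing
-*/
-export { detectAndNeutralize } from './injection-detector.js';
-export { redactPII, containsPII, detectPIITypes } from './pii-redactor.js';
-export { INJECTION_PATTERNS, getAllPatternNames } from './patterns.js';
-//# sourceMappingURL=index.d.ts.map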
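--- a/package/dist/sanitizer/index.d.ts.map
+++ b/package/dist/sanitizer/index.d.ts.map
@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizer/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAwB,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAE/E,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE;QACZ,iBAAiB,EAAE,MAAM,EAAE,CAAC;QAC5B,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,eAAe,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACxE,gBAAgB,EAAE,OAAO,CAAC;KAC3B,CAAC;IACF,QAAQ,EAAE;QACR,eAAe,EAAE,MAAM,CAAC;QACxB,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,OAAO,CAAC;QAC9B,sBAAsB,EAAE;YACtB,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,MAAM,EAAE,MAAM,CAAC;YACf,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,aAAa,CAAC,EAAE,YAAY,CAAC;CAC9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAyDhF;AA0BD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAG3D;AAED;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC"}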