rene/shieldx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
shieldx/CLAUDE.md
Rene Fichtmueller 1c4c034483 feat: ShieldX v0.3.0 — UnicodeScanner (L5), DNS Covert Channel rules, ATLAS v5.4 mappings 
- Layer 4 EntropyScanner: Shannon entropy, Base32/Base64 detection, CVE-2025-55284
  ping/nslookup exfil, EchoLeak markdown pattern, DNS tunneling (iodine/dnscat)
- Layer 5 UnicodeScanner: ASCII Smuggling (U+E0000 Tags Block), Variant Selectors,
  Zero-Width steganography, CamoLeak image-ordering (CVE-2025-53773), homoglyphs,
  BiDi override, high-entropy URL params
- 30 DNS covert channel rules (dns-001 to dns-030)
- ATLASMapper: 29 techniques (ATLAS v5.4.0 Feb 2026), added AML.T0062 (Agent Tool
  Invocation), AML.TA0015 (C2 tactic), memory poisoning, multi-agent trust,
  CamoLeak, Unicode steganography mappings
- Rule count: 72 → 102
- Build: tsup 316ms, zero TypeScript errors
2026-03-31 16:32:16 +02:00

1.9 KiB
Raw Blame History

ShieldX — LLM Prompt Injection Defense System

Project

  • npm: @shieldx/core
  • License: Apache 2.0
  • Stack: TypeScript strict, Node.js 20+, PostgreSQL 17 + pgvector, Vitest
  • Architecture: 10-layer defense pipeline + self-evolution engine
  • Philosophy: Local-first, zero mandatory cloud, self-evolving

Commands

  • npm run build — Build with tsup (CJS + ESM + DTS)
  • npm run dev — Watch mode build
  • npm test — Run tests with vitest
  • npm run test:coverage — Coverage report (target: 80%+)
  • npm run typecheck — Type checking
  • npm run db:migrate — Run database migrations
  • npm run db:seed — Seed initial patterns (500+)
  • npm run benchmark — Performance benchmarks
  • npm run self-test — Red team self-testing

Code Style

  • TypeScript strict mode, no any except explicitly marked with // eslint-disable-next-line
  • Immutable data patterns — return new objects, never mutate
  • All async operations must have proper error handling
  • All public methods must have JSDoc documentation
  • Files < 400 lines, functions < 50 lines
  • No raw input stored in database — always SHA-256 hashed

Architecture

  • 10 defense layers (L0-L10), each independently toggleable
  • Kill chain mapping: Schneier 2026 Promptware Kill Chain (7 phases)
  • Self-evolution: GAN red team, drift detection, active learning, federated sync
  • Compliance: MITRE ATLAS, OWASP LLM Top 10 2025, EU AI Act

Performance Targets

  • L0 (Preprocessing): <0.5ms
  • L1 (Rules): <2ms
  • L2 (Classifier): <10ms
  • Full pipeline (L0-L9): <50ms
  • Embedding scan: <200ms (Ollama local)

Testing

  • Vitest with v8 coverage
  • Attack corpus: 13 JSON files, 500+ patterns each
  • Benchmarks: ASR, latency, PINT, AgentDojo, false-positive rate
  • Coverage target: 80%+ global

Git

  • Gitea: gitea.context-x.org/rene/shieldx
  • Conventional commits: feat, fix, refactor, docs, test, chore, perf
  • No Co-Authored-By headers