- Layer 4 EntropyScanner: Shannon entropy, Base32/Base64 detection, CVE-2025-55284 ping/nslookup exfil, EchoLeak markdown pattern, DNS tunneling (iodine/dnscat)
- Layer 5 UnicodeScanner: ASCII Smuggling (U+E0000 Tags Block), Variant Selectors, Zero-Width steganography, CamoLeak image-ordering (CVE-2025-53773), homoglyphs, BiDi override, high-entropy URL params
- 30 DNS covert channel rules (dns-001 to dns-030)
- ATLASMapper: 29 techniques (ATLAS v5.4.0 Feb 2026), added AML.T0062 (Agent Tool Invocation), AML.TA0015 (C2 tactic), memory poisoning, multi-agent trust, CamoLeak, Unicode steganography mappings
- Rule count: 72 → 102
- Build: tsup 316ms, zero TypeScript errors
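The Layer 4 (EntropyScanner) and Layer 5 (UnicodeScanner) checks named in the commit message above, as an added TypeScript example that is not ShieldX's own code: it shows how a scanner can score Base64/Base32 runs by Shannon entropy, flag markdown images whose query string carries a high-entropy value, reveal text hidden in the U+E0000 Tags Block, and spot zero-width, BiDi-override, variation-selector and mixed-script (homoglyph) content. The function names (`scanEntropy`, `scanUnicode`, `decodeTags`), the rule ids and the thresholds are assumptions for this example, and `SAMPLE` is a constructed input, not a captured attack.

```typescript
// Added example, not ShieldX code: re-creation of the Layer 4 / Layer 5 checks
// from the commit message. Function names, rule ids and thresholds are assumed.
export interface Finding { layer: 4 | 5; rule: string; detail: string }

/** Shannon entropy of a string in bits per code point. */
export function shannonEntropy(s: string): number {
  const chars = Array.from(s); // code points, not UTF-16 units
  if (chars.length === 0) return 0;
  const counts = new Map<string, number>();
  for (const ch of chars) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  counts.forEach((c) => {
    const p = c / chars.length;
    h -= p * Math.log2(p);
  });
  return h;
}

// Layer 4: encoded blobs, and markdown images whose query string could carry
// data (the EchoLeak shape). Base32 must contain a digit so all-caps words pass.
const BASE64_RUN = /[A-Za-z0-9+/]{24,}={0,2}/g;
const BASE32_RUN = /(?=[A-Z2-7]*[2-7])[A-Z2-7]{16,}={0,6}/g;
const MD_IMAGE = /!\[[^\]]*\]\((https?:\/\/[^)\s]+)\)/g;

function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

export function scanEntropy(text: string): Finding[] {
  const out: Finding[] = [];
  for (const run of text.match(BASE64_RUN) ?? []) {
    const h = shannonEntropy(run);
    // ~4 bits/char separates random base64 from repeated or English-like runs
    if (h > 4.0) out.push({ layer: 4, rule: "ent-base64", detail: `entropy ${h.toFixed(2)} over ${run.length} chars` });
  }
  for (const run of text.match(BASE32_RUN) ?? []) {
    if (shannonEntropy(run) > 3.5) out.push({ layer: 4, rule: "ent-base32", detail: `${run.length}-char base32 run` });
  }
  for (const m of Array.from(text.matchAll(MD_IMAGE))) {
    const url = parseUrl(m[1] ?? "");
    if (!url) continue;
    url.searchParams.forEach((v, k) => {
      if (v.length >= 16 && shannonEntropy(v) > 3.5) {
        out.push({ layer: 4, rule: "ent-md-image", detail: `high-entropy param "${k}" to ${url.host}` });
      }
    });
  }
  return out;
}

// Layer 5: characters that render as nothing (or misleadingly) yet still reach
// the model's tokenizer.
const TAG_RUN = /[\u{E0000}-\u{E007F}]+/gu;
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;
const BIDI_CONTROL = /[\u202A-\u202E\u2066-\u2069]/g;
const VS_RUN = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]{4,}/gu;

/** Map Tags Block code points (U+E0020..U+E007E) back to the ASCII they shadow. */
export function decodeTags(run: string): string {
  return Array.from(run)
    .map((ch) => (ch.codePointAt(0) ?? 0) - 0xe0000)
    .filter((cp) => cp >= 0x20 && cp <= 0x7e)
    .map((cp) => String.fromCharCode(cp))
    .join("");
}

export function scanUnicode(text: string): Finding[] {
  const out: Finding[] = [];
  for (const run of text.match(TAG_RUN) ?? []) {
    out.push({ layer: 5, rule: "uni-tags", detail: `hidden text ${JSON.stringify(decodeTags(run))}` });
  }
  const zw = (text.match(ZERO_WIDTH) ?? []).length;
  if (zw >= 4) out.push({ layer: 5, rule: "uni-zero-width", detail: `${zw} zero-width code points` });
  const bidi = (text.match(BIDI_CONTROL) ?? []).length;
  if (bidi > 0) out.push({ layer: 5, rule: "uni-bidi", detail: `${bidi} BiDi control(s)` });
  for (const run of text.match(VS_RUN) ?? []) {
    out.push({ layer: 5, rule: "uni-variation", detail: `${Array.from(run).length} consecutive variation selectors` });
  }
  // Homoglyph check: one whitespace-delimited token mixing Latin and Cyrillic letters.
  for (const tok of text.split(/\s+/)) {
    if (/[A-Za-z]/.test(tok) && /[\u0400-\u04FF]/.test(tok)) {
      out.push({ layer: 5, rule: "uni-mixed-script", detail: `mixed-script token ${JSON.stringify(tok)}` });
    }
  }
  return out;
}

export function scan(text: string): Finding[] {
  return [...scanEntropy(text), ...scanUnicode(text)];
}

// Constructed sample, not a captured attack: benign text carrying a Tags-block
// "Hi", an image with a 16-char query value, and a Latin/Cyrillic token.
export const SAMPLE =
  "Summary request. " + String.fromCodePoint(0xe0048, 0xe0069) +
  " ![img](https://example.invalid/p.png?d=abcdefghijklmnop) " + "p\u0430ypal";

console.log(JSON.stringify(scan(SAMPLE), null, 2));
```

Running the file prints three findings for `SAMPLE`: the hidden `"Hi"`, the high-entropy image parameter, and the mixed-script token. The entropy thresholds are the knob that trades detection against the false-positive rate the Testing section benchmarks; a long all-lowercase English word can approach 4 bits per character, so a production scanner would pair the entropy score with a successful decode or a length floor rather than rely on the score alone.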
52 lines
1.9 KiB
Markdown
# ShieldX — LLM Prompt Injection Defense System

## Project

- npm: @shieldx/core
- License: Apache 2.0
- Stack: TypeScript strict, Node.js 20+, PostgreSQL 17 + pgvector, Vitest
- Architecture: 10-layer defense pipeline + self-evolution engine
- Philosophy: Local-first, zero mandatory cloud, self-evolving

## Commands

- `npm run build` — Build with tsup (CJS + ESM + DTS)
- `npm run dev` — Watch mode build
- `npm test` — Run tests with vitest
- `npm run test:coverage` — Coverage report (target: 80%+)
- `npm run typecheck` — Type checking
- `npm run db:migrate` — Run database migrations
- `npm run db:seed` — Seed initial patterns (500+)
- `npm run benchmark` — Performance benchmarks
- `npm run self-test` — Red team self-testing

## Code Style

- TypeScript strict mode, no `any` except explicitly marked with `// eslint-disable-next-line`
- Immutable data patterns — return new objects, never mutate
- All async operations must have proper error handling
- All public methods must have JSDoc documentation
- Files < 400 lines, functions < 50 lines
- No raw input stored in database — always SHA-256 hashed

## Architecture

- 10 defense layers (L0-L10), each independently toggleable
- Kill chain mapping: Schneier 2026 Promptware Kill Chain (7 phases)
- Self-evolution: GAN red team, drift detection, active learning, federated sync
- Compliance: MITRE ATLAS, OWASP LLM Top 10 2025, EU AI Act

## Performance Targets

- L0 (Preprocessing): <0.5ms
- L1 (Rules): <2ms
- L2 (Classifier): <10ms
- Full pipeline (L0-L9): <50ms
- Embedding scan: <200ms (Ollama local)

## Testing

- Vitest with v8 coverage
- Attack corpus: 13 JSON files, 500+ patterns each
- Benchmarks: ASR, latency, PINT, AgentDojo, false-positive rate
- Coverage target: 80%+ global

## Git

- Gitea: gitea.context-x.org/rene/shieldx
- Conventional commits: feat, fix, refactor, docs, test, chore, perf
- No Co-Authored-By headers