shieldx/CLAUDE.md

# ShieldX — LLM Prompt Injection Defense System

## Project
- npm: @shieldx/core
- License: Apache 2.0
- Stack: TypeScript strict, Node.js 20+, PostgreSQL 17 + pgvector, Vitest
- Architecture: 10-layer defense pipeline + self-evolution engine
- Philosophy: Local-first, zero mandatory cloud, self-evolving

## Commands
- `npm run build` — Build with tsup (CJS + ESM + DTS)
- `npm run dev` — Watch mode build
- `npm test` — Run tests with vitest
- `npm run test:coverage` — Coverage report (target: 80%+)
- `npm run typecheck` — Type checking
- `npm run db:migrate` — Run database migrations
- `npm run db:seed` — Seed initial patterns (500+)
- `npm run benchmark` — Performance benchmarks
- `npm run self-test` — Red team self-testing

## Code Style
- TypeScript strict mode, no `any` except explicitly marked with `// eslint-disable-next-line`
- Immutable data patterns — return new objects, never mutate
- All async operations must have proper error handling
- All public methods must have JSDoc documentation
- Files < 400 lines, functions < 50 lines
- No raw input stored in database — always SHA-256 hashed

## Architecture
- 10 defense layers (L0-L10), each independently toggleable
- Kill chain mapping: Schneier 2026 Promptware Kill Chain (7 phases)
- Self-evolution: GAN red team, drift detection, active learning, federated sync
- Compliance: MITRE ATLAS, OWASP LLM Top 10 2025, EU AI Act

## Performance Targets
- L0 (Preprocessing): <0.5ms
- L1 (Rules): <2ms
- L2 (Classifier): <10ms
- Full pipeline (L0-L9): <50ms
- Embedding scan: <200ms (Ollama local)

## Testing
- Vitest with v8 coverage
- Attack corpus: 13 JSON files, 500+ patterns each
- Benchmarks: ASR, latency, PINT, AgentDojo, false-positive rate
- Coverage target: 80%+ global

## Git
- Gitea: gitea.context-x.org/rene/shieldx
- Conventional commits: feat, fix, refactor, docs, test, chore, perf
- No Co-Authored-By headers