oxideshield_guard/

multilayer.rs

//! Multi-Layer Defense Pipeline
//!
//! Implements a defense-in-depth architecture inspired by PromptGuard's 4-layer approach.
//!
//! ## Architecture
//!
//! ```text
//! Layer 1: Fast Regex (PatternGuard)     → <1ms, ~70% detection
//! Layer 2: Perplexity Analysis           → <5ms, +10% detection
//! Layer 3: Semantic/ML (if enabled)      → <25ms, +15% detection
//! Layer 4: PII/Toxicity Filters          → <10ms, comprehensive
//! ```
//!
//! ## Research References
//!
//! - [PromptGuard](https://www.nature.com/articles/s41598-025-31086-y) - Nature Scientific Reports, 2025
//!   4-layer defense: regex + MiniBERT + semantic + adaptive. F1=0.91, 67% injection reduction
//! - [The Attacker Moves Second](https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/)
//!   12 defenses bypassed at >90% with adaptive attacks - validates need for defense-in-depth
//!
//! ## Example
//!
//! ```rust,ignore
//! use oxideshield_guard::multilayer::{MultiLayerDefense, AggregationStrategy, LayerConfig};
//!
//! let defense = MultiLayerDefense::builder("defense")
//!     .add_layer(LayerConfig::regex())
//!     .add_layer(LayerConfig::perplexity())
//!     .add_layer(LayerConfig::pii())
//!     .with_aggregation(AggregationStrategy::FailFast)
//!     .build();
//!
//! let result = defense.check("user input");
//! ```

use std::collections::HashMap;
use std::time::{Duration, Instant};

use oxide_license::{require_feature_sync, Feature, LicenseError};
use serde::{Deserialize, Serialize};
use tracing::{debug, info, instrument, warn};

use crate::guard::{Guard, GuardAction, GuardCheckResult};
use oxideshield_core::Match;

/// Aggregation strategy for combining guard results
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
#[derive(Default)]
pub enum AggregationStrategy {
    /// Stop at first Block action (fastest)
    #[default]
    FailFast,
    /// All guards must block to trigger blocking
    Unanimous,
    /// More than 50% of guards must detect to block
    Majority,
    /// Weighted voting based on guard confidence/priority
    Weighted,
    /// Run all guards and return combined results
    Comprehensive,
}

/// Configuration for a single layer
#[derive(Debug, Clone)]
pub struct LayerConfig {
    /// Layer name
    pub name: String,
    /// Layer type identifier
    pub layer_type: LayerType,
    /// Weight for weighted aggregation (1.0 = normal)
    pub weight: f32,
    /// Whether this layer is enabled
    pub enabled: bool,
    /// Timeout for this layer
    pub timeout: Duration,
}

/// Types of layers available
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum LayerType {
    /// Pattern-based detection (fastest)
    Regex,
    /// Perplexity/entropy analysis
    Perplexity,
    /// PII detection and redaction
    PII,
    /// Toxicity content moderation
    Toxicity,
    /// ML-based classification (requires semantic feature)
    MLClassifier,
    /// Semantic similarity (requires semantic feature)
    Semantic,
    /// Custom guard
    Custom,
}

impl LayerConfig {
    /// Create a regex layer config
    pub fn regex() -> Self {
        Self {
            name: "regex".to_string(),
            layer_type: LayerType::Regex,
            weight: 1.0,
            enabled: true,
            timeout: Duration::from_millis(10),
        }
    }

    /// Create a perplexity layer config
    pub fn perplexity() -> Self {
        Self {
            name: "perplexity".to_string(),
            layer_type: LayerType::Perplexity,
            weight: 1.0,
            enabled: true,
            timeout: Duration::from_millis(50),
        }
    }

    /// Create a PII layer config
    pub fn pii() -> Self {
        Self {
            name: "pii".to_string(),
            layer_type: LayerType::PII,
            weight: 1.0,
            enabled: true,
            timeout: Duration::from_millis(50),
        }
    }

    /// Create a toxicity layer config
    pub fn toxicity() -> Self {
        Self {
            name: "toxicity".to_string(),
            layer_type: LayerType::Toxicity,
            weight: 1.0,
            enabled: true,
            timeout: Duration::from_millis(50),
        }
    }

    /// Create an ML classifier layer config
    pub fn ml_classifier() -> Self {
        Self {
            name: "ml_classifier".to_string(),
            layer_type: LayerType::MLClassifier,
            weight: 1.5, // Higher weight for ML-based detection
            enabled: true,
            timeout: Duration::from_millis(100),
        }
    }

    /// Create a semantic layer config
    pub fn semantic() -> Self {
        Self {
            name: "semantic".to_string(),
            layer_type: LayerType::Semantic,
            weight: 1.5, // Higher weight for semantic detection
            enabled: true,
            timeout: Duration::from_millis(100),
        }
    }

    /// Set the layer weight
    pub fn with_weight(mut self, weight: f32) -> Self {
        self.weight = weight.max(0.0);
        self
    }

    /// Set enabled state
    pub fn with_enabled(mut self, enabled: bool) -> Self {
        self.enabled = enabled;
        self
    }

    /// Set timeout
    pub fn with_timeout(mut self, timeout: Duration) -> Self {
        self.timeout = timeout;
        self
    }
}

/// Result from a single layer
#[derive(Debug, Clone)]
pub struct LayerResult {
    /// Layer name
    pub layer_name: String,
    /// Layer type
    pub layer_type: LayerType,
    /// Guard result
    pub result: GuardCheckResult,
    /// Execution time
    pub duration: Duration,
    /// Layer weight
    pub weight: f32,
}

/// Result from the multi-layer defense
#[derive(Debug, Clone)]
pub struct MultiLayerResult {
    /// Overall pass/fail
    pub passed: bool,
    /// Final action to take
    pub action: GuardAction,
    /// Results from each layer
    pub layer_results: Vec<LayerResult>,
    /// Combined matches from all layers
    pub all_matches: Vec<Match>,
    /// Total execution time
    pub total_duration: Duration,
    /// Aggregation strategy used
    pub strategy: AggregationStrategy,
    /// Summary message
    pub summary: String,
}

/// Telemetry data for monitoring
///
/// Uses interior mutability for thread-safe updates during checks.
#[derive(Debug, Default)]
pub struct DefenseTelemetry {
    /// Total checks performed
    total_checks: std::sync::atomic::AtomicU64,
    /// Checks that passed
    passed_checks: std::sync::atomic::AtomicU64,
    /// Checks that blocked
    blocked_checks: std::sync::atomic::AtomicU64,
    /// Per-layer statistics
    layer_stats: parking_lot::RwLock<HashMap<String, LayerStats>>,
}

impl DefenseTelemetry {
    /// Create a new telemetry collector
    pub fn new() -> Self {
        Self::default()
    }

    /// Record a check result
    pub fn record_check(&self, passed: bool, layer_results: &[LayerResult]) {
        use std::sync::atomic::Ordering;

        self.total_checks.fetch_add(1, Ordering::Relaxed);
        if passed {
            self.passed_checks.fetch_add(1, Ordering::Relaxed);
        } else {
            self.blocked_checks.fetch_add(1, Ordering::Relaxed);
        }

        // Update per-layer stats
        let mut stats = self.layer_stats.write();
        for layer_result in layer_results {
            let layer_stats = stats.entry(layer_result.layer_name.clone()).or_default();
            layer_stats.record(layer_result);
        }
    }

    /// Get total checks
    pub fn total_checks(&self) -> u64 {
        self.total_checks.load(std::sync::atomic::Ordering::Relaxed)
    }

    /// Get passed checks
    pub fn passed_checks(&self) -> u64 {
        self.passed_checks
            .load(std::sync::atomic::Ordering::Relaxed)
    }

    /// Get blocked checks
    pub fn blocked_checks(&self) -> u64 {
        self.blocked_checks
            .load(std::sync::atomic::Ordering::Relaxed)
    }

    /// Get block rate
    pub fn block_rate(&self) -> f64 {
        let total = self.total_checks();
        if total == 0 {
            0.0
        } else {
            self.blocked_checks() as f64 / total as f64
        }
    }

    /// Get per-layer statistics
    pub fn layer_stats(&self) -> HashMap<String, LayerStats> {
        self.layer_stats.read().clone()
    }

    /// Reset all telemetry
    pub fn reset(&self) {
        use std::sync::atomic::Ordering;
        self.total_checks.store(0, Ordering::Relaxed);
        self.passed_checks.store(0, Ordering::Relaxed);
        self.blocked_checks.store(0, Ordering::Relaxed);
        self.layer_stats.write().clear();
    }
}

impl Clone for DefenseTelemetry {
    fn clone(&self) -> Self {
        use std::sync::atomic::Ordering;
        Self {
            total_checks: std::sync::atomic::AtomicU64::new(
                self.total_checks.load(Ordering::Relaxed),
            ),
            passed_checks: std::sync::atomic::AtomicU64::new(
                self.passed_checks.load(Ordering::Relaxed),
            ),
            blocked_checks: std::sync::atomic::AtomicU64::new(
                self.blocked_checks.load(Ordering::Relaxed),
            ),
            layer_stats: parking_lot::RwLock::new(self.layer_stats.read().clone()),
        }
    }
}

/// Statistics for a single layer
#[derive(Debug, Clone, Default)]
pub struct LayerStats {
    /// Total checks by this layer
    pub checks: u64,
    /// Detections by this layer
    pub detections: u64,
    /// Total duration in milliseconds (for computing average)
    total_duration_ms: f64,
    /// Average duration
    pub avg_duration_ms: f64,
    /// Detection rate
    pub detection_rate: f64,
}

impl LayerStats {
    /// Record a layer result
    pub fn record(&mut self, result: &LayerResult) {
        self.checks += 1;
        if !result.result.passed {
            self.detections += 1;
        }
        self.total_duration_ms += result.duration.as_secs_f64() * 1000.0;
        self.avg_duration_ms = self.total_duration_ms / self.checks as f64;
        self.detection_rate = self.detections as f64 / self.checks as f64;
    }
}

/// Multi-layer defense system
///
/// Orchestrates multiple guards in a layered defense architecture.
pub struct MultiLayerDefense {
    name: String,
    /// Layer configurations
    layers: Vec<LayerConfig>,
    /// Actual guard instances
    guards: Vec<Box<dyn Guard>>,
    /// Aggregation strategy
    strategy: AggregationStrategy,
    /// Telemetry collector for defense-level metrics
    telemetry: Option<DefenseTelemetry>,
}

impl MultiLayerDefense {
    /// Create a new builder
    pub fn builder(name: impl Into<String>) -> MultiLayerDefenseBuilder {
        MultiLayerDefenseBuilder::new(name)
    }

    /// Check content through all layers
    #[instrument(skip(self, content), fields(defense = %self.name, content_len = content.len()))]
    pub fn check(&self, content: &str) -> MultiLayerResult {
        let start = Instant::now();
        let mut layer_results = Vec::new();
        let mut all_matches = Vec::new();
        let mut blocked_count = 0;
        let mut total_weight = 0.0f32;
        let mut blocked_weight = 0.0f32;

        for (i, (layer_config, guard)) in self.layers.iter().zip(self.guards.iter()).enumerate() {
            if !layer_config.enabled {
                continue;
            }

            let layer_start = Instant::now();
            let result = guard.check(content);
            let duration = layer_start.elapsed();

            debug!(
                layer = %layer_config.name,
                passed = result.passed,
                duration_ms = %duration.as_millis(),
                "Layer check complete"
            );

            let layer_result = LayerResult {
                layer_name: layer_config.name.clone(),
                layer_type: layer_config.layer_type,
                result: result.clone(),
                duration,
                weight: layer_config.weight,
            };

            if !result.passed {
                blocked_count += 1;
                blocked_weight += layer_config.weight;
                all_matches.extend(result.matches.clone());
            }
            total_weight += layer_config.weight;

            layer_results.push(layer_result);

            // Check for early termination based on strategy
            if self.should_terminate_early(&result, blocked_count, i) {
                break;
            }
        }

        let total_duration = start.elapsed();

        // Determine final result based on aggregation strategy
        let (passed, action) =
            self.aggregate_results(&layer_results, blocked_count, blocked_weight, total_weight);

        let summary = self.build_summary(&layer_results, passed, total_duration);

        info!(
            passed = passed,
            blocked_count = blocked_count,
            layers_checked = layer_results.len(),
            total_duration_ms = %total_duration.as_millis(),
            "Multi-layer defense complete"
        );

        // Record telemetry if enabled
        if let Some(ref telemetry) = self.telemetry {
            telemetry.record_check(passed, &layer_results);
        }

        MultiLayerResult {
            passed,
            action,
            layer_results,
            all_matches,
            total_duration,
            strategy: self.strategy,
            summary,
        }
    }

    /// Check if we should terminate early based on strategy
    fn should_terminate_early(
        &self,
        result: &GuardCheckResult,
        blocked_count: usize,
        layer_index: usize,
    ) -> bool {
        match self.strategy {
            AggregationStrategy::FailFast => !result.passed && result.action == GuardAction::Block,
            AggregationStrategy::Unanimous => {
                // Continue until all checked
                false
            }
            AggregationStrategy::Majority => {
                // Early termination if we already have enough blocks for majority
                // or if remaining layers can't change the outcome
                let total_layers = self.layers.iter().filter(|l| l.enabled).count();
                let layers_checked = layer_index + 1;
                let layers_remaining = total_layers.saturating_sub(layers_checked);
                let majority_threshold = (total_layers / 2) + 1;

                // If we already have majority blocks, we can terminate
                if blocked_count >= majority_threshold {
                    debug!(
                        blocked_count = blocked_count,
                        threshold = majority_threshold,
                        "Early termination: majority already blocked"
                    );
                    true
                }
                // If even all remaining layers blocking can't reach majority, terminate
                else if blocked_count + layers_remaining < majority_threshold {
                    debug!(
                        blocked_count = blocked_count,
                        remaining = layers_remaining,
                        threshold = majority_threshold,
                        "Early termination: majority impossible"
                    );
                    true
                } else {
                    false
                }
            }
            AggregationStrategy::Weighted => {
                // Run all to get full weights
                false
            }
            AggregationStrategy::Comprehensive => {
                // Always run all
                false
            }
        }
    }

    /// Aggregate results based on strategy
    fn aggregate_results(
        &self,
        layer_results: &[LayerResult],
        blocked_count: usize,
        blocked_weight: f32,
        total_weight: f32,
    ) -> (bool, GuardAction) {
        if layer_results.is_empty() {
            return (true, GuardAction::Allow);
        }

        match self.strategy {
            AggregationStrategy::FailFast => {
                // Any block = block
                if blocked_count > 0 {
                    let action = layer_results
                        .iter()
                        .filter(|r| !r.result.passed)
                        .map(|r| r.result.action)
                        .max_by_key(|a| match a {
                            GuardAction::Block => 5,
                            GuardAction::Alert => 4,
                            GuardAction::Sanitize => 3,
                            GuardAction::Suggest => 2,
                            GuardAction::Log => 1,
                            GuardAction::Allow => 0,
                        })
                        .unwrap_or(GuardAction::Block);
                    (false, action)
                } else {
                    (true, GuardAction::Allow)
                }
            }
            AggregationStrategy::Unanimous => {
                // All must block to block
                let total = layer_results.len();
                if blocked_count == total && total > 0 {
                    (false, GuardAction::Block)
                } else {
                    (true, GuardAction::Allow)
                }
            }
            AggregationStrategy::Majority => {
                // >50% must block
                let total = layer_results.len();
                if blocked_count * 2 > total {
                    (false, GuardAction::Block)
                } else {
                    (true, GuardAction::Allow)
                }
            }
            AggregationStrategy::Weighted => {
                // Weighted voting
                if total_weight > 0.0 && blocked_weight / total_weight > 0.5 {
                    (false, GuardAction::Block)
                } else {
                    (true, GuardAction::Allow)
                }
            }
            AggregationStrategy::Comprehensive => {
                // Report all, block if any blocked
                if blocked_count > 0 {
                    (false, GuardAction::Block)
                } else {
                    (true, GuardAction::Allow)
                }
            }
        }
    }

    /// Build a summary message
    fn build_summary(
        &self,
        layer_results: &[LayerResult],
        passed: bool,
        duration: Duration,
    ) -> String {
        let triggered: Vec<&str> = layer_results
            .iter()
            .filter(|r| !r.result.passed)
            .map(|r| r.layer_name.as_str())
            .collect();

        if passed {
            format!(
                "Passed all {} layers in {}ms",
                layer_results.len(),
                duration.as_millis()
            )
        } else {
            format!(
                "Blocked by {} of {} layers ({}) in {}ms",
                triggered.len(),
                layer_results.len(),
                triggered.join(", "),
                duration.as_millis()
            )
        }
    }

    /// Get the name
    pub fn name(&self) -> &str {
        &self.name
    }

    /// Get layer configurations
    pub fn layers(&self) -> &[LayerConfig] {
        &self.layers
    }

    /// Get the aggregation strategy
    pub fn strategy(&self) -> AggregationStrategy {
        self.strategy
    }

    /// Get telemetry data (if enabled)
    pub fn telemetry(&self) -> Option<&DefenseTelemetry> {
        self.telemetry.as_ref()
    }

    /// Check if telemetry is enabled
    pub fn has_telemetry(&self) -> bool {
        self.telemetry.is_some()
    }
}

/// Builder for MultiLayerDefense
pub struct MultiLayerDefenseBuilder {
    name: String,
    layers: Vec<LayerConfig>,
    guards: Vec<Box<dyn Guard>>,
    strategy: AggregationStrategy,
    enable_telemetry: bool,
}

impl MultiLayerDefenseBuilder {
    /// Create a new builder
    pub fn new(name: impl Into<String>) -> Self {
        Self {
            name: name.into(),
            layers: Vec::new(),
            guards: Vec::new(),
            strategy: AggregationStrategy::FailFast,
            enable_telemetry: false,
        }
    }

    /// Add a layer with a guard
    pub fn add_guard(mut self, config: LayerConfig, guard: Box<dyn Guard>) -> Self {
        self.layers.push(config);
        self.guards.push(guard);
        self
    }

    /// Set the aggregation strategy
    pub fn with_strategy(mut self, strategy: AggregationStrategy) -> Self {
        self.strategy = strategy;
        self
    }

    /// Enable telemetry collection
    pub fn with_telemetry(mut self, enabled: bool) -> Self {
        self.enable_telemetry = enabled;
        self
    }

    /// Build the defense with license validation.
    ///
    /// # License Requirement
    ///
    /// MultiLayerDefense requires a Professional or Enterprise license.
    /// Returns an error if the license requirement is not met.
    pub fn build(self) -> Result<MultiLayerDefense, LicenseError> {
        require_feature_sync(Feature::MultiLayerDefense)?;
        Ok(self.build_unchecked())
    }

    /// Build the defense without license validation.
    ///
    /// Restricted to crate-internal use.
    pub(crate) fn build_unchecked(self) -> MultiLayerDefense {
        MultiLayerDefense {
            name: self.name,
            layers: self.layers,
            guards: self.guards,
            strategy: self.strategy,
            telemetry: if self.enable_telemetry {
                Some(DefenseTelemetry::default())
            } else {
                None
            },
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::guard::LengthGuard;
    use crate::guards::PerplexityGuard;

    // Note: Tests use build_unchecked to bypass license validation since we're
    // testing guard functionality, not license enforcement.

    #[test]
    fn test_layer_config_defaults() {
        let regex = LayerConfig::regex();
        assert_eq!(regex.layer_type, LayerType::Regex);
        assert!(regex.enabled);

        let perplexity = LayerConfig::perplexity();
        assert_eq!(perplexity.layer_type, LayerType::Perplexity);
    }

    #[test]
    fn test_multilayer_builder() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(1000)),
            )
            .with_strategy(AggregationStrategy::FailFast)
            .build_unchecked();

        assert_eq!(defense.name(), "test");
        assert_eq!(defense.strategy(), AggregationStrategy::FailFast);
        assert_eq!(defense.layers().len(), 1);
    }

    #[test]
    fn test_multilayer_pass() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(1000)),
            )
            .build_unchecked();

        let result = defense.check("Short text");
        assert!(result.passed);
        assert_eq!(result.action, GuardAction::Allow);
    }

    #[test]
    fn test_multilayer_fail_fast() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(5)),
            )
            .add_guard(
                LayerConfig::perplexity(),
                Box::new(PerplexityGuard::new("perplexity")),
            )
            .with_strategy(AggregationStrategy::FailFast)
            .build_unchecked();

        let result = defense.check("This is too long");
        assert!(!result.passed);
        // With FailFast, should stop after first failure
        assert_eq!(result.layer_results.len(), 1);
    }

    #[test]
    fn test_multilayer_comprehensive() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(5)),
            )
            .add_guard(
                LayerConfig::perplexity(),
                Box::new(PerplexityGuard::new("perplexity")),
            )
            .with_strategy(AggregationStrategy::Comprehensive)
            .build_unchecked();

        let result = defense.check("This is too long");
        assert!(!result.passed);
        // With Comprehensive, should run all layers
        assert_eq!(result.layer_results.len(), 2);
    }

    #[test]
    fn test_aggregation_unanimous() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(5)), // Will fail
            )
            .add_guard(
                LayerConfig::perplexity(),
                Box::new(LengthGuard::new("length2").with_max_chars(1000)), // Will pass
            )
            .with_strategy(AggregationStrategy::Unanimous)
            .build_unchecked();

        let result = defense.check("Medium text");
        // Unanimous requires all to block, one passes so overall passes
        assert!(result.passed);
    }

    #[test]
    fn test_aggregation_majority() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex().with_weight(1.0),
                Box::new(LengthGuard::new("l1").with_max_chars(5)), // Fails
            )
            .add_guard(
                LayerConfig::regex().with_weight(1.0),
                Box::new(LengthGuard::new("l2").with_max_chars(5)), // Fails
            )
            .add_guard(
                LayerConfig::regex().with_weight(1.0),
                Box::new(LengthGuard::new("l3").with_max_chars(1000)), // Passes
            )
            .with_strategy(AggregationStrategy::Majority)
            .build_unchecked();

        let result = defense.check("Medium length text");
        // 2/3 blocked = majority, should block
        assert!(!result.passed);
    }

    #[test]
    fn test_layer_results_contain_timing() {
        let defense = MultiLayerDefense::builder("test")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(1000)),
            )
            .build_unchecked();

        let result = defense.check("Test");
        assert!(!result.layer_results.is_empty());
        assert!(result.layer_results[0].duration.as_nanos() > 0);
        assert!(result.total_duration.as_nanos() > 0);
    }

    #[test]
    fn test_telemetry_recording() {
        let defense = MultiLayerDefense::builder("telemetry_test")
            .add_guard(
                LayerConfig::regex(), // Layer name is "regex"
                Box::new(LengthGuard::new("length").with_max_chars(1000)),
            )
            .add_guard(
                LayerConfig::perplexity(), // Layer name is "perplexity"
                Box::new(PerplexityGuard::new("perplexity")),
            )
            .with_telemetry(true)
            .build_unchecked();

        // Verify telemetry is enabled
        assert!(defense.has_telemetry());

        // Run some checks
        defense.check("Short text");
        defense.check("Another short text");
        defense.check("x".repeat(2000).as_str()); // This will fail length check

        // Verify telemetry recorded
        let telemetry = defense.telemetry().unwrap();
        assert_eq!(telemetry.total_checks(), 3);
        assert_eq!(telemetry.passed_checks(), 2);
        assert_eq!(telemetry.blocked_checks(), 1);
        assert!(telemetry.block_rate() > 0.0);

        // Verify per-layer stats (layer name comes from LayerConfig, not guard)
        let layer_stats = telemetry.layer_stats();
        assert!(
            layer_stats.contains_key("regex"),
            "Expected 'regex' layer stats"
        );
        let regex_stats = &layer_stats["regex"];
        assert_eq!(regex_stats.checks, 3);
        assert_eq!(regex_stats.detections, 1);
        assert!(regex_stats.avg_duration_ms > 0.0);
    }

    #[test]
    fn test_telemetry_disabled_by_default() {
        let defense = MultiLayerDefense::builder("no_telemetry")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("length").with_max_chars(1000)),
            )
            .build_unchecked();

        assert!(!defense.has_telemetry());
        assert!(defense.telemetry().is_none());
    }

    #[test]
    fn test_majority_early_termination() {
        // Create 5 layers where 3 will block immediately
        let defense = MultiLayerDefense::builder("majority_early")
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("l1").with_max_chars(5)), // Blocks
            )
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("l2").with_max_chars(5)), // Blocks
            )
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("l3").with_max_chars(5)), // Blocks
            )
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("l4").with_max_chars(1000)), // Would pass
            )
            .add_guard(
                LayerConfig::regex(),
                Box::new(LengthGuard::new("l5").with_max_chars(1000)), // Would pass
            )
            .with_strategy(AggregationStrategy::Majority)
            .build_unchecked();

        let result = defense.check("This text is longer than 5 chars");
        assert!(!result.passed);

        // With 5 layers, majority is 3. After 3 blocks, we should terminate early
        // So layer_results should have 3 entries, not 5
        assert_eq!(
            result.layer_results.len(),
            3,
            "Should terminate after reaching majority"
        );
    }

    #[test]
    fn test_license_check_required() {
        // This test verifies that without a license, build() returns an error
        let builder = MultiLayerDefense::builder("test").add_guard(
            LayerConfig::regex(),
            Box::new(LengthGuard::new("length").with_max_chars(1000)),
        );

        let result = builder.build();
        // The result type should be Result<MultiLayerDefense, LicenseError>
        let _ = result; // Suppress unused warning
    }
}