@atbash/sdk 0.3.10 → 0.3.11-dev.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +614 -43
- package/dist/index.d.cts +135 -14
- package/dist/index.d.ts +135 -14
- package/dist/index.js +605 -40
- package/package.json +4 -2
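--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -1,11 +1,25 @@
 type Verdict = "ALLOW" | "HOLD" | "BLOCK" | "No verdict";
 type Provider = "openai" | "google" | "microsoft" | "custom" | (string & {});
-type Tier = "audit" | "audit_plus" | "enforcement" | (string & {});
 type ActionType = "allow" | "hold_for_user_confirm" | "block" | (string & {});
 type PubkeyValue = string | Buffer | {
 data: number[];
 };
 type JudgmentStatusState = "pending" | "answered" | "error";
+type Network = "public" | "private";
+interface Subscription {
+subscription_name: string;
+agent_number: number;
+is_private_blockchain: boolean;
+monthly_price: number;
+yearly_price: number;
+}
+interface OrgSubscription extends Subscription {
+org_name: string;
+duration_months: number;
+assigned_at: number;
+expires_at: number;
+is_active: boolean;
+}
 interface AgentAuth {
 pubkey: string;
 privkey: string;
@@ -39,6 +53,7 @@ interface JudgeOptions extends ClientOpts {
 model?: string;
 toolName?: string;
 toolArgsJson?: string;
+orgName?: string;
 chainOpts?: ChainOpts;
 verifyPubKey?: string;
 }
@@ -51,12 +66,6 @@ interface JudgmentStatus {
 cached?: boolean;
 responseTimeMs?: number;
 }
-interface TierInfo {
-org_name: string;
-tier: Tier;
-verdict_enabled: boolean;
-enforcement_enabled: boolean;
-}
 interface ToolCallRecord {
 tool_call_id: string;
 agent_pubkey: PubkeyValue;
@@ -132,10 +141,54 @@ interface ValidatedEndpoint {
 policy: "default" | "self-hosted";
 verifyPubKey: string | null;
 }
+interface MemoryEntry {
+key: string;
+value: string;
+source?: string;
+timestamp?: number;
+}
+type MemoryScanVerdict = "green" | "yellow" | "red";
+type AnomalySeverity = "low" | "medium" | "high" | "critical";
+type AnomalyType = "behavioral_override" | "bulk_insertion" | "safety_bypass" | "privilege_escalation" | "gradual_drift";
+interface MemoryScanResult {
+safe: boolean;
+verdict: MemoryScanVerdict;
+reason: string;
+confidence: number;
+toolCallId?: string;
+}
+interface MemoryScanOptions extends JudgeOptions {
+/** Confidence threshold below which the entry is allowed (default 0.6). */
+threshold?: number;
+/** Stop batch scanning on the first red verdict (default true). */
+stopOnRed?: boolean;
+}
+interface MemorySnapshot {
+entries: MemoryEntry[];
+takenAt: number;
+}
+interface MemoryAnomaly {
+type: AnomalyType;
+severity: AnomalySeverity;
+description: string;
+entries: string[];
+}
+interface MemoryDiffResult {
+safe: boolean;
+added: MemoryEntry[];
+removed: MemoryEntry[];
+modified: Array<{
+key: string;
+before: string;
+after: string;
+}>;
+anomalies: MemoryAnomaly[];
+}
 interface AtbashClientConfig {
 judge?: JudgeEndpointConfig;
 nodeUrls?: string[];
 blockchainRid?: string;
+orgName?: string;
 keyPath?: string;
 keyPair?: {
 privKey: string;
@@ -150,7 +203,10 @@ interface AtbashClientConfig {
 
 declare const DEFAULT_ENDPOINT = "https://chromia-verified-ai-dev-two.vercel.app";
 declare const DEFAULT_CHROMIA_NODE_URLS: string[];
-declare const DEFAULT_BLOCKCHAIN_RID = "
+declare const DEFAULT_BLOCKCHAIN_RID = "B91106947F1EAED7B5D789C7D35755330A8A7DD7CB990D59366114EFFB79ED10";
+interface InternalChainOpts extends ChainOpts {
+network?: Network;
+}
 declare function isValidPrivateKey(hex: string): boolean;
 declare function derivePublicKey(privKeyHex: string): string;
 declare function generateKeyPair(): {
@@ -163,7 +219,7 @@ declare function toPubkeyHex(val: unknown): string;
 * Check if an agent is onboarded before signing anything.
 * Calls GET /api/ai/exists?pubkey=<66-hex>
 */
-declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<boolean>;
+declare function checkAgentExists(pubkey: string, opts?: ClientOpts, chainOpts?: InternalChainOpts): Promise<boolean>;
 /**
 * Sign `log_tool_call` locally and return the signed transaction hex.
 *
@@ -171,7 +227,7 @@ declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<bo
 * is used locally — never sent over the network. The server will
 * broadcast the signed transaction to the chain.
 */
-declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?:
+declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?: InternalChainOpts, extra?: {
 toolName?: string;
 toolArgsJson?: string;
 }, clientOpts?: ClientOpts): Promise<LogToolCallResult>;
@@ -182,7 +238,7 @@ declare function getOrgToolCalls(orgName: string, maxCount: number, opts?: Clien
 declare function getAgentToolCalls(agentPubkey: string, maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
 declare function getToolCallCount(opts?: ClientOpts): Promise<number>;
 declare function getToolCallFull(toolCallId: string, opts?: ClientOpts): Promise<ToolCallFull | null>;
-declare function
+declare function getOrgSubscription(orgName: string, opts?: ClientOpts): Promise<OrgSubscription | null>;
 declare function getPendingHeldActions(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldAction[]>;
 declare function getHeldActionReviews(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldActionReview[]>;
 declare function getAgentDetail(agentPubkey: string, opts?: ClientOpts): Promise<Record<string, unknown>>;
@@ -208,9 +264,13 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
 * Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
 *
 * Tracks: function call counts, latency, source (CLI/plugin/SDK),
-* and agent identity.
+* and agent identity. ON by default.
+*
+* Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
+* The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
+* Environment variables cannot disable telemetry (prevents agent bypass).
 */
-type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:
+type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
 interface TelemetryConfig {
 /** Must be true to send any telemetry. Default: false */
 enabled: boolean;
@@ -230,6 +290,7 @@ interface AtbashUserConfig {
 orgName?: string;
 judgeEndpoint?: string;
 blockchainRid?: string;
+network?: string;
 provider?: string;
 providerModel?: string;
 }
@@ -239,4 +300,64 @@ declare function loadUserConfig(): AtbashUserConfig;
 declare function saveUserConfig(config: AtbashUserConfig): void;
 declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
 
-
+/**
+* Scan a single memory entry for poisoning.
+*
+* Defence layers (in order):
+* 1. **Regex pre-filter** — catches obvious attacks instantly, zero latency
+* 2. **LLM-as-Judge** — catches semantic / rephrased attacks the regex misses
+*
+* Both layers run against unicode-normalized text. The entry is fenced
+* in the judge prompt so attackers cannot meta-inject into the scanner.
+* Every scan is logged on-chain via the judge API for forensic audit.
+*/
+declare function scanMemory(entry: MemoryEntry, auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult>;
+/**
+* Scan multiple memory entries. By default stops on the first red
+* verdict. Set `stopOnRed: false` to scan all entries regardless.
+*/
+declare function scanMemoryBatch(entries: MemoryEntry[], auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult[]>;
+
+/**
+* Create a timestamped snapshot of the current memory state.
+*/
+declare function createMemorySnapshot(entries: MemoryEntry[]): MemorySnapshot;
+/**
+* Compute the diff between two memory snapshots and run anomaly
+* detection heuristics on the result.
+*
+* Catches what other defenses miss:
+* - HMAC detects external tampering, not entries the agent wrote itself
+* - Provenance tagging neutralizes untrusted sources, but a trusted
+* channel can still be exploited
+* - Regex catches fixed phrases, but attackers rephrase
+* - LLM-as-judge catches semantic manipulation on individual entries
+* - This function catches the *cumulative effect* — gradual multi-step
+* poisoning where entries shift agent behavior across sessions
+*/
+declare function diffMemorySnapshots(before: MemorySnapshot, after: MemorySnapshot): MemoryDiffResult;
+
+/**
+* Unicode normalization for memory content before regex matching.
+*
+* Defeats evasion techniques:
+* - Zero-width characters inserted between letters
+* - Homoglyphs (Cyrillic "а" instead of Latin "a")
+* - Mixed-script confusables
+* - Invisible formatting characters
+*/
+/**
+* Normalize a string for safe regex matching:
+* 1. NFKC normalization (collapses compatibility decompositions)
+* 2. Strip zero-width / invisible characters
+* 3. Map common confusable characters to their Latin equivalents
+*/
+declare function normalizeForMatching(input: string): string;
+/**
+* Check whether a string contains suspicious encoding that may indicate
+* an evasion attempt (presence of confusables, invisible chars, etc.).
+* Returns true if the raw and normalized forms differ.
+*/
+declare function containsEvasionCharacters(input: string): boolean;
+
+export { type ActionType, type AgentAuth, type AgentPolicy, type AnomalySeverity, type AnomalyType, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type MemoryAnomaly, type MemoryDiffResult, type MemoryEntry, type MemoryScanOptions, type MemoryScanResult, type MemoryScanVerdict, type MemorySnapshot, type OrgSubscription, type Provider, type PubkeyValue, type TelemetryConfig, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, containsEvasionCharacters, createAtbashClient, createMemorySnapshot, derivePublicKey, diffMemorySnapshots, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgSubscription, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, normalizeForMatching, resolve, resolveKeyPath, saveUserConfig, scanMemory, scanMemoryBatch, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };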
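Review bot: The telemetry header added in the `@@ -208,9 +264,13 @@` hunk now states telemetry is "ON by default" and that only a mode-0600 `~/.config/atbash/telemetry.json` can turn it off, but the unchanged `TelemetryConfig.enabled` doc three lines below still says `Default: false`, so the published typings contradict themselves on the one setting a security reviewer will check first. Whichever is true should be stated in both places; if the header is accurate, the field doc should read `/** Must be true to send any telemetry. Default: true — opt out via ~/.config/atbash/telemetry.json (mode 0600). */`, otherwise the header's "ON by default" line should go. Two smaller API-surface points in the same file: `InternalChainOpts` appears in the exported signatures of `checkAgentExists` and `logToolCall` but is not in the `export {}` list, so callers cannot name the parameter type, and `AtbashUserConfig.network?: string` is looser than the `Network` union used by `InternalChainOpts`, so a typo in the config file is not caught at the type level. The `package/dist/index.d.ts` section below carries identical hunks and the same three points apply there.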
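--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,11 +1,25 @@
 type Verdict = "ALLOW" | "HOLD" | "BLOCK" | "No verdict";
 type Provider = "openai" | "google" | "microsoft" | "custom" | (string & {});
-type Tier = "audit" | "audit_plus" | "enforcement" | (string & {});
 type ActionType = "allow" | "hold_for_user_confirm" | "block" | (string & {});
 type PubkeyValue = string | Buffer | {
 data: number[];
 };
 type JudgmentStatusState = "pending" | "answered" | "error";
+type Network = "public" | "private";
+interface Subscription {
+subscription_name: string;
+agent_number: number;
+is_private_blockchain: boolean;
+monthly_price: number;
+yearly_price: number;
+}
+interface OrgSubscription extends Subscription {
+org_name: string;
+duration_months: number;
+assigned_at: number;
+expires_at: number;
+is_active: boolean;
+}
 interface AgentAuth {
 pubkey: string;
 privkey: string;
@@ -39,6 +53,7 @@ interface JudgeOptions extends ClientOpts {
 model?: string;
 toolName?: string;
 toolArgsJson?: string;
+orgName?: string;
 chainOpts?: ChainOpts;
 verifyPubKey?: string;
 }
@@ -51,12 +66,6 @@ interface JudgmentStatus {
 cached?: boolean;
 responseTimeMs?: number;
 }
-interface TierInfo {
-org_name: string;
-tier: Tier;
-verdict_enabled: boolean;
-enforcement_enabled: boolean;
-}
 interface ToolCallRecord {
 tool_call_id: string;
 agent_pubkey: PubkeyValue;
@@ -132,10 +141,54 @@ interface ValidatedEndpoint {
 policy: "default" | "self-hosted";
 verifyPubKey: string | null;
 }
+interface MemoryEntry {
+key: string;
+value: string;
+source?: string;
+timestamp?: number;
+}
+type MemoryScanVerdict = "green" | "yellow" | "red";
+type AnomalySeverity = "low" | "medium" | "high" | "critical";
+type AnomalyType = "behavioral_override" | "bulk_insertion" | "safety_bypass" | "privilege_escalation" | "gradual_drift";
+interface MemoryScanResult {
+safe: boolean;
+verdict: MemoryScanVerdict;
+reason: string;
+confidence: number;
+toolCallId?: string;
+}
+interface MemoryScanOptions extends JudgeOptions {
+/** Confidence threshold below which the entry is allowed (default 0.6). */
+threshold?: number;
+/** Stop batch scanning on the first red verdict (default true). */
+stopOnRed?: boolean;
+}
+interface MemorySnapshot {
+entries: MemoryEntry[];
+takenAt: number;
+}
+interface MemoryAnomaly {
+type: AnomalyType;
+severity: AnomalySeverity;
+description: string;
+entries: string[];
+}
+interface MemoryDiffResult {
+safe: boolean;
+added: MemoryEntry[];
+removed: MemoryEntry[];
+modified: Array<{
+key: string;
+before: string;
+after: string;
+}>;
+anomalies: MemoryAnomaly[];
+}
 interface AtbashClientConfig {
 judge?: JudgeEndpointConfig;
 nodeUrls?: string[];
 blockchainRid?: string;
+orgName?: string;
 keyPath?: string;
 keyPair?: {
 privKey: string;
@@ -150,7 +203,10 @@ interface AtbashClientConfig {
 
 declare const DEFAULT_ENDPOINT = "https://chromia-verified-ai-dev-two.vercel.app";
 declare const DEFAULT_CHROMIA_NODE_URLS: string[];
-declare const DEFAULT_BLOCKCHAIN_RID = "
+declare const DEFAULT_BLOCKCHAIN_RID = "B91106947F1EAED7B5D789C7D35755330A8A7DD7CB990D59366114EFFB79ED10";
+interface InternalChainOpts extends ChainOpts {
+network?: Network;
+}
 declare function isValidPrivateKey(hex: string): boolean;
 declare function derivePublicKey(privKeyHex: string): string;
 declare function generateKeyPair(): {
@@ -163,7 +219,7 @@ declare function toPubkeyHex(val: unknown): string;
 * Check if an agent is onboarded before signing anything.
 * Calls GET /api/ai/exists?pubkey=<66-hex>
 */
-declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<boolean>;
+declare function checkAgentExists(pubkey: string, opts?: ClientOpts, chainOpts?: InternalChainOpts): Promise<boolean>;
 /**
 * Sign `log_tool_call` locally and return the signed transaction hex.
 *
@@ -171,7 +227,7 @@ declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<bo
 * is used locally — never sent over the network. The server will
 * broadcast the signed transaction to the chain.
 */
-declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?:
+declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?: InternalChainOpts, extra?: {
 toolName?: string;
 toolArgsJson?: string;
 }, clientOpts?: ClientOpts): Promise<LogToolCallResult>;
@@ -182,7 +238,7 @@ declare function getOrgToolCalls(orgName: string, maxCount: number, opts?: Clien
 declare function getAgentToolCalls(agentPubkey: string, maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
 declare function getToolCallCount(opts?: ClientOpts): Promise<number>;
 declare function getToolCallFull(toolCallId: string, opts?: ClientOpts): Promise<ToolCallFull | null>;
-declare function
+declare function getOrgSubscription(orgName: string, opts?: ClientOpts): Promise<OrgSubscription | null>;
 declare function getPendingHeldActions(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldAction[]>;
 declare function getHeldActionReviews(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldActionReview[]>;
 declare function getAgentDetail(agentPubkey: string, opts?: ClientOpts): Promise<Record<string, unknown>>;
@@ -208,9 +264,13 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
 * Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
 *
 * Tracks: function call counts, latency, source (CLI/plugin/SDK),
-* and agent identity.
+* and agent identity. ON by default.
+*
+* Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
+* The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
+* Environment variables cannot disable telemetry (prevents agent bypass).
 */
-type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:
+type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
 interface TelemetryConfig {
 /** Must be true to send any telemetry. Default: false */
 enabled: boolean;
@@ -230,6 +290,7 @@ interface AtbashUserConfig {
 orgName?: string;
 judgeEndpoint?: string;
 blockchainRid?: string;
+network?: string;
 provider?: string;
 providerModel?: string;
 }
@@ -239,4 +300,64 @@ declare function loadUserConfig(): AtbashUserConfig;
 declare function saveUserConfig(config: AtbashUserConfig): void;
 declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
 
-
+/**
+* Scan a single memory entry for poisoning.
+*
+* Defence layers (in order):
+* 1. **Regex pre-filter** — catches obvious attacks instantly, zero latency
+* 2. **LLM-as-Judge** — catches semantic / rephrased attacks the regex misses
+*
+* Both layers run against unicode-normalized text. The entry is fenced
+* in the judge prompt so attackers cannot meta-inject into the scanner.
+* Every scan is logged on-chain via the judge API for forensic audit.
+*/
+declare function scanMemory(entry: MemoryEntry, auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult>;
+/**
+* Scan multiple memory entries. By default stops on the first red
+* verdict. Set `stopOnRed: false` to scan all entries regardless.
+*/
+declare function scanMemoryBatch(entries: MemoryEntry[], auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult[]>;
+
+/**
+* Create a timestamped snapshot of the current memory state.
+*/
+declare function createMemorySnapshot(entries: MemoryEntry[]): MemorySnapshot;
+/**
+* Compute the diff between two memory snapshots and run anomaly
+* detection heuristics on the result.
+*
+* Catches what other defenses miss:
+* - HMAC detects external tampering, not entries the agent wrote itself
+* - Provenance tagging neutralizes untrusted sources, but a trusted
+* channel can still be exploited
+* - Regex catches fixed phrases, but attackers rephrase
+* - LLM-as-judge catches semantic manipulation on individual entries
+* - This function catches the *cumulative effect* — gradual multi-step
+* poisoning where entries shift agent behavior across sessions
+*/
+declare function diffMemorySnapshots(before: MemorySnapshot, after: MemorySnapshot): MemoryDiffResult;
+
+/**
+* Unicode normalization for memory content before regex matching.
+*
+* Defeats evasion techniques:
+* - Zero-width characters inserted between letters
+* - Homoglyphs (Cyrillic "а" instead of Latin "a")
+* - Mixed-script confusables
+* - Invisible formatting characters
+*/
+/**
+* Normalize a string for safe regex matching:
+* 1. NFKC normalization (collapses compatibility decompositions)
+* 2. Strip zero-width / invisible characters
+* 3. Map common confusable characters to their Latin equivalents
+*/
+declare function normalizeForMatching(input: string): string;
+/**
+* Check whether a string contains suspicious encoding that may indicate
+* an evasion attempt (presence of confusables, invisible chars, etc.).
+* Returns true if the raw and normalized forms differ.
+*/
+declare function containsEvasionCharacters(input: string): boolean;
+
+export { type ActionType, type AgentAuth, type AgentPolicy, type AnomalySeverity, type AnomalyType, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type MemoryAnomaly, type MemoryDiffResult, type MemoryEntry, type MemoryScanOptions, type MemoryScanResult, type MemoryScanVerdict, type MemorySnapshot, type OrgSubscription, type Provider, type PubkeyValue, type TelemetryConfig, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, containsEvasionCharacters, createAtbashClient, createMemorySnapshot, derivePublicKey, diffMemorySnapshots, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgSubscription, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, normalizeForMatching, resolve, resolveKeyPath, saveUserConfig, scanMemory, scanMemoryBatch, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };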