@atbash/sdk 0.3.11-dev.1 → 0.3.11-dev.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -31
- package/dist/index.cjs +644 -47
- package/dist/index.d.cts +129 -32
- package/dist/index.d.ts +129 -32
- package/dist/index.js +635 -43
- package/package.json +4 -2
package/dist/index.d.cts
CHANGED
|
@@ -1,11 +1,24 @@
|
|
|
1
1
|
type Verdict = "ALLOW" | "HOLD" | "BLOCK" | "No verdict";
|
|
2
2
|
type Provider = "openai" | "google" | "microsoft" | "custom" | (string & {});
|
|
3
|
-
type Tier = "audit" | "audit_plus" | "enforcement" | (string & {});
|
|
4
3
|
type ActionType = "allow" | "hold_for_user_confirm" | "block" | (string & {});
|
|
5
4
|
type PubkeyValue = string | Buffer | {
|
|
6
5
|
data: number[];
|
|
7
6
|
};
|
|
8
7
|
type JudgmentStatusState = "pending" | "answered" | "error";
|
|
8
|
+
interface Subscription {
|
|
9
|
+
subscription_name: string;
|
|
10
|
+
agent_number: number;
|
|
11
|
+
is_private_blockchain: boolean;
|
|
12
|
+
monthly_price: number;
|
|
13
|
+
yearly_price: number;
|
|
14
|
+
}
|
|
15
|
+
interface OrgSubscription extends Subscription {
|
|
16
|
+
org_name: string;
|
|
17
|
+
duration_months: number;
|
|
18
|
+
assigned_at: number;
|
|
19
|
+
expires_at: number;
|
|
20
|
+
is_active: boolean;
|
|
21
|
+
}
|
|
9
22
|
interface AgentAuth {
|
|
10
23
|
pubkey: string;
|
|
11
24
|
privkey: string;
|
|
@@ -13,17 +26,12 @@ interface AgentAuth {
|
|
|
13
26
|
interface ClientOpts {
|
|
14
27
|
endpoint?: string;
|
|
15
28
|
timeout?: number;
|
|
29
|
+
auth?: AgentAuth;
|
|
16
30
|
}
|
|
17
31
|
interface ChainOpts {
|
|
18
32
|
nodeUrls?: string[];
|
|
19
33
|
blockchainRid?: string;
|
|
20
34
|
}
|
|
21
|
-
interface LogToolCallResult {
|
|
22
|
-
success: boolean;
|
|
23
|
-
toolCallId: string | null;
|
|
24
|
-
signedHex?: string;
|
|
25
|
-
error?: string;
|
|
26
|
-
}
|
|
27
35
|
interface JudgeResult {
|
|
28
36
|
verdict: Verdict;
|
|
29
37
|
action_type: ActionType;
|
|
@@ -39,6 +47,7 @@ interface JudgeOptions extends ClientOpts {
|
|
|
39
47
|
model?: string;
|
|
40
48
|
toolName?: string;
|
|
41
49
|
toolArgsJson?: string;
|
|
50
|
+
orgName?: string;
|
|
42
51
|
chainOpts?: ChainOpts;
|
|
43
52
|
verifyPubKey?: string;
|
|
44
53
|
}
|
|
@@ -51,12 +60,6 @@ interface JudgmentStatus {
|
|
|
51
60
|
cached?: boolean;
|
|
52
61
|
responseTimeMs?: number;
|
|
53
62
|
}
|
|
54
|
-
interface TierInfo {
|
|
55
|
-
org_name: string;
|
|
56
|
-
tier: Tier;
|
|
57
|
-
verdict_enabled: boolean;
|
|
58
|
-
enforcement_enabled: boolean;
|
|
59
|
-
}
|
|
60
63
|
interface ToolCallRecord {
|
|
61
64
|
tool_call_id: string;
|
|
62
65
|
agent_pubkey: PubkeyValue;
|
|
@@ -132,10 +135,54 @@ interface ValidatedEndpoint {
|
|
|
132
135
|
policy: "default" | "self-hosted";
|
|
133
136
|
verifyPubKey: string | null;
|
|
134
137
|
}
|
|
138
|
+
interface MemoryEntry {
|
|
139
|
+
key: string;
|
|
140
|
+
value: string;
|
|
141
|
+
source?: string;
|
|
142
|
+
timestamp?: number;
|
|
143
|
+
}
|
|
144
|
+
type MemoryScanVerdict = "green" | "yellow" | "red";
|
|
145
|
+
type AnomalySeverity = "low" | "medium" | "high" | "critical";
|
|
146
|
+
type AnomalyType = "behavioral_override" | "bulk_insertion" | "safety_bypass" | "privilege_escalation" | "gradual_drift";
|
|
147
|
+
interface MemoryScanResult {
|
|
148
|
+
safe: boolean;
|
|
149
|
+
verdict: MemoryScanVerdict;
|
|
150
|
+
reason: string;
|
|
151
|
+
confidence: number;
|
|
152
|
+
toolCallId?: string;
|
|
153
|
+
}
|
|
154
|
+
interface MemoryScanOptions extends JudgeOptions {
|
|
155
|
+
/** Confidence threshold below which the entry is allowed (default 0.6). */
|
|
156
|
+
threshold?: number;
|
|
157
|
+
/** Stop batch scanning on the first red verdict (default true). */
|
|
158
|
+
stopOnRed?: boolean;
|
|
159
|
+
}
|
|
160
|
+
interface MemorySnapshot {
|
|
161
|
+
entries: MemoryEntry[];
|
|
162
|
+
takenAt: number;
|
|
163
|
+
}
|
|
164
|
+
interface MemoryAnomaly {
|
|
165
|
+
type: AnomalyType;
|
|
166
|
+
severity: AnomalySeverity;
|
|
167
|
+
description: string;
|
|
168
|
+
entries: string[];
|
|
169
|
+
}
|
|
170
|
+
interface MemoryDiffResult {
|
|
171
|
+
safe: boolean;
|
|
172
|
+
added: MemoryEntry[];
|
|
173
|
+
removed: MemoryEntry[];
|
|
174
|
+
modified: Array<{
|
|
175
|
+
key: string;
|
|
176
|
+
before: string;
|
|
177
|
+
after: string;
|
|
178
|
+
}>;
|
|
179
|
+
anomalies: MemoryAnomaly[];
|
|
180
|
+
}
|
|
135
181
|
interface AtbashClientConfig {
|
|
136
182
|
judge?: JudgeEndpointConfig;
|
|
137
183
|
nodeUrls?: string[];
|
|
138
184
|
blockchainRid?: string;
|
|
185
|
+
orgName?: string;
|
|
139
186
|
keyPath?: string;
|
|
140
187
|
keyPair?: {
|
|
141
188
|
privKey: string;
|
|
@@ -150,7 +197,7 @@ interface AtbashClientConfig {
|
|
|
150
197
|
|
|
151
198
|
declare const DEFAULT_ENDPOINT = "https://chromia-verified-ai-dev-two.vercel.app";
|
|
152
199
|
declare const DEFAULT_CHROMIA_NODE_URLS: string[];
|
|
153
|
-
declare const DEFAULT_BLOCKCHAIN_RID = "
|
|
200
|
+
declare const DEFAULT_BLOCKCHAIN_RID = "B91106947F1EAED7B5D789C7D35755330A8A7DD7CB990D59366114EFFB79ED10";
|
|
154
201
|
declare function isValidPrivateKey(hex: string): boolean;
|
|
155
202
|
declare function derivePublicKey(privKeyHex: string): string;
|
|
156
203
|
declare function generateKeyPair(): {
|
|
@@ -159,22 +206,7 @@ declare function generateKeyPair(): {
|
|
|
159
206
|
};
|
|
160
207
|
declare function loadAgent(privkey: string): AgentAuth;
|
|
161
208
|
declare function toPubkeyHex(val: unknown): string;
|
|
162
|
-
/**
|
|
163
|
-
* Check if an agent is onboarded before signing anything.
|
|
164
|
-
* Calls GET /api/ai/exists?pubkey=<66-hex>
|
|
165
|
-
*/
|
|
166
209
|
declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<boolean>;
|
|
167
|
-
/**
|
|
168
|
-
* Sign `log_tool_call` locally and return the signed transaction hex.
|
|
169
|
-
*
|
|
170
|
-
* Checks that the agent is onboarded before signing. The private key
|
|
171
|
-
* is used locally — never sent over the network. The server will
|
|
172
|
-
* broadcast the signed transaction to the chain.
|
|
173
|
-
*/
|
|
174
|
-
declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?: ChainOpts, extra?: {
|
|
175
|
-
toolName?: string;
|
|
176
|
-
toolArgsJson?: string;
|
|
177
|
-
}, clientOpts?: ClientOpts): Promise<LogToolCallResult>;
|
|
178
210
|
declare function judgeAction(action: string, context: string | undefined, auth: AgentAuth, opts?: JudgeOptions): Promise<JudgeResult>;
|
|
179
211
|
declare function getJudgmentStatus(judgmentId: string, agentPubkey: string, opts?: ClientOpts): Promise<JudgmentStatus>;
|
|
180
212
|
declare function getToolCalls(maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
|
|
@@ -182,7 +214,7 @@ declare function getOrgToolCalls(orgName: string, maxCount: number, opts?: Clien
|
|
|
182
214
|
declare function getAgentToolCalls(agentPubkey: string, maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
|
|
183
215
|
declare function getToolCallCount(opts?: ClientOpts): Promise<number>;
|
|
184
216
|
declare function getToolCallFull(toolCallId: string, opts?: ClientOpts): Promise<ToolCallFull | null>;
|
|
185
|
-
declare function
|
|
217
|
+
declare function getOrgSubscription(orgName: string, opts?: ClientOpts): Promise<OrgSubscription | null>;
|
|
186
218
|
declare function getPendingHeldActions(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldAction[]>;
|
|
187
219
|
declare function getHeldActionReviews(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldActionReview[]>;
|
|
188
220
|
declare function getAgentDetail(agentPubkey: string, opts?: ClientOpts): Promise<Record<string, unknown>>;
|
|
@@ -208,7 +240,11 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
|
|
|
208
240
|
* Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
|
|
209
241
|
*
|
|
210
242
|
* Tracks: function call counts, latency, source (CLI/plugin/SDK),
|
|
211
|
-
* and agent identity.
|
|
243
|
+
* and agent identity. ON by default.
|
|
244
|
+
*
|
|
245
|
+
* Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
|
|
246
|
+
* The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
|
|
247
|
+
* Environment variables cannot disable telemetry (prevents agent bypass).
|
|
212
248
|
*/
|
|
213
249
|
type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
|
|
214
250
|
interface TelemetryConfig {
|
|
@@ -230,6 +266,7 @@ interface AtbashUserConfig {
|
|
|
230
266
|
orgName?: string;
|
|
231
267
|
judgeEndpoint?: string;
|
|
232
268
|
blockchainRid?: string;
|
|
269
|
+
network?: string;
|
|
233
270
|
provider?: string;
|
|
234
271
|
providerModel?: string;
|
|
235
272
|
}
|
|
@@ -239,4 +276,64 @@ declare function loadUserConfig(): AtbashUserConfig;
|
|
|
239
276
|
declare function saveUserConfig(config: AtbashUserConfig): void;
|
|
240
277
|
declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
|
|
241
278
|
|
|
242
|
-
|
|
279
|
+
/**
|
|
280
|
+
* Scan a single memory entry for poisoning.
|
|
281
|
+
*
|
|
282
|
+
* Defence layers (in order):
|
|
283
|
+
* 1. **Regex pre-filter** — catches obvious attacks instantly, zero latency
|
|
284
|
+
* 2. **LLM-as-Judge** — catches semantic / rephrased attacks the regex misses
|
|
285
|
+
*
|
|
286
|
+
* Both layers run against unicode-normalized text. The entry is fenced
|
|
287
|
+
* in the judge prompt so attackers cannot meta-inject into the scanner.
|
|
288
|
+
* Every scan is logged on-chain via the judge API for forensic audit.
|
|
289
|
+
*/
|
|
290
|
+
declare function scanMemory(entry: MemoryEntry, auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult>;
|
|
291
|
+
/**
|
|
292
|
+
* Scan multiple memory entries. By default stops on the first red
|
|
293
|
+
* verdict. Set `stopOnRed: false` to scan all entries regardless.
|
|
294
|
+
*/
|
|
295
|
+
declare function scanMemoryBatch(entries: MemoryEntry[], auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult[]>;
|
|
296
|
+
|
|
297
|
+
/**
|
|
298
|
+
* Create a timestamped snapshot of the current memory state.
|
|
299
|
+
*/
|
|
300
|
+
declare function createMemorySnapshot(entries: MemoryEntry[]): MemorySnapshot;
|
|
301
|
+
/**
|
|
302
|
+
* Compute the diff between two memory snapshots and run anomaly
|
|
303
|
+
* detection heuristics on the result.
|
|
304
|
+
*
|
|
305
|
+
* Catches what other defenses miss:
|
|
306
|
+
* - HMAC detects external tampering, not entries the agent wrote itself
|
|
307
|
+
* - Provenance tagging neutralizes untrusted sources, but a trusted
|
|
308
|
+
* channel can still be exploited
|
|
309
|
+
* - Regex catches fixed phrases, but attackers rephrase
|
|
310
|
+
* - LLM-as-judge catches semantic manipulation on individual entries
|
|
311
|
+
* - This function catches the *cumulative effect* — gradual multi-step
|
|
312
|
+
* poisoning where entries shift agent behavior across sessions
|
|
313
|
+
*/
|
|
314
|
+
declare function diffMemorySnapshots(before: MemorySnapshot, after: MemorySnapshot): MemoryDiffResult;
|
|
315
|
+
|
|
316
|
+
/**
|
|
317
|
+
* Unicode normalization for memory content before regex matching.
|
|
318
|
+
*
|
|
319
|
+
* Defeats evasion techniques:
|
|
320
|
+
* - Zero-width characters inserted between letters
|
|
321
|
+
* - Homoglyphs (Cyrillic "а" instead of Latin "a")
|
|
322
|
+
* - Mixed-script confusables
|
|
323
|
+
* - Invisible formatting characters
|
|
324
|
+
*/
|
|
325
|
+
/**
|
|
326
|
+
* Normalize a string for safe regex matching:
|
|
327
|
+
* 1. NFKC normalization (collapses compatibility decompositions)
|
|
328
|
+
* 2. Strip zero-width / invisible characters
|
|
329
|
+
* 3. Map common confusable characters to their Latin equivalents
|
|
330
|
+
*/
|
|
331
|
+
declare function normalizeForMatching(input: string): string;
|
|
332
|
+
/**
|
|
333
|
+
* Check whether a string contains suspicious encoding that may indicate
|
|
334
|
+
* an evasion attempt (presence of confusables, invisible chars, etc.).
|
|
335
|
+
* Returns true if the raw and normalized forms differ.
|
|
336
|
+
*/
|
|
337
|
+
declare function containsEvasionCharacters(input: string): boolean;
|
|
338
|
+
|
|
339
|
+
export { type ActionType, type AgentAuth, type AgentPolicy, type AnomalySeverity, type AnomalyType, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type MemoryAnomaly, type MemoryDiffResult, type MemoryEntry, type MemoryScanOptions, type MemoryScanResult, type MemoryScanVerdict, type MemorySnapshot, type OrgSubscription, type Provider, type PubkeyValue, type TelemetryConfig, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, containsEvasionCharacters, createAtbashClient, createMemorySnapshot, derivePublicKey, diffMemorySnapshots, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgSubscription, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, normalizeForMatching, resolve, resolveKeyPath, saveUserConfig, scanMemory, scanMemoryBatch, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };
|
package/dist/index.d.ts
CHANGED
|
@@ -1,11 +1,24 @@
|
|
|
1
1
|
type Verdict = "ALLOW" | "HOLD" | "BLOCK" | "No verdict";
|
|
2
2
|
type Provider = "openai" | "google" | "microsoft" | "custom" | (string & {});
|
|
3
|
-
type Tier = "audit" | "audit_plus" | "enforcement" | (string & {});
|
|
4
3
|
type ActionType = "allow" | "hold_for_user_confirm" | "block" | (string & {});
|
|
5
4
|
type PubkeyValue = string | Buffer | {
|
|
6
5
|
data: number[];
|
|
7
6
|
};
|
|
8
7
|
type JudgmentStatusState = "pending" | "answered" | "error";
|
|
8
|
+
interface Subscription {
|
|
9
|
+
subscription_name: string;
|
|
10
|
+
agent_number: number;
|
|
11
|
+
is_private_blockchain: boolean;
|
|
12
|
+
monthly_price: number;
|
|
13
|
+
yearly_price: number;
|
|
14
|
+
}
|
|
15
|
+
interface OrgSubscription extends Subscription {
|
|
16
|
+
org_name: string;
|
|
17
|
+
duration_months: number;
|
|
18
|
+
assigned_at: number;
|
|
19
|
+
expires_at: number;
|
|
20
|
+
is_active: boolean;
|
|
21
|
+
}
|
|
9
22
|
interface AgentAuth {
|
|
10
23
|
pubkey: string;
|
|
11
24
|
privkey: string;
|
|
@@ -13,17 +26,12 @@ interface AgentAuth {
|
|
|
13
26
|
interface ClientOpts {
|
|
14
27
|
endpoint?: string;
|
|
15
28
|
timeout?: number;
|
|
29
|
+
auth?: AgentAuth;
|
|
16
30
|
}
|
|
17
31
|
interface ChainOpts {
|
|
18
32
|
nodeUrls?: string[];
|
|
19
33
|
blockchainRid?: string;
|
|
20
34
|
}
|
|
21
|
-
interface LogToolCallResult {
|
|
22
|
-
success: boolean;
|
|
23
|
-
toolCallId: string | null;
|
|
24
|
-
signedHex?: string;
|
|
25
|
-
error?: string;
|
|
26
|
-
}
|
|
27
35
|
interface JudgeResult {
|
|
28
36
|
verdict: Verdict;
|
|
29
37
|
action_type: ActionType;
|
|
@@ -39,6 +47,7 @@ interface JudgeOptions extends ClientOpts {
|
|
|
39
47
|
model?: string;
|
|
40
48
|
toolName?: string;
|
|
41
49
|
toolArgsJson?: string;
|
|
50
|
+
orgName?: string;
|
|
42
51
|
chainOpts?: ChainOpts;
|
|
43
52
|
verifyPubKey?: string;
|
|
44
53
|
}
|
|
@@ -51,12 +60,6 @@ interface JudgmentStatus {
|
|
|
51
60
|
cached?: boolean;
|
|
52
61
|
responseTimeMs?: number;
|
|
53
62
|
}
|
|
54
|
-
interface TierInfo {
|
|
55
|
-
org_name: string;
|
|
56
|
-
tier: Tier;
|
|
57
|
-
verdict_enabled: boolean;
|
|
58
|
-
enforcement_enabled: boolean;
|
|
59
|
-
}
|
|
60
63
|
interface ToolCallRecord {
|
|
61
64
|
tool_call_id: string;
|
|
62
65
|
agent_pubkey: PubkeyValue;
|
|
@@ -132,10 +135,54 @@ interface ValidatedEndpoint {
|
|
|
132
135
|
policy: "default" | "self-hosted";
|
|
133
136
|
verifyPubKey: string | null;
|
|
134
137
|
}
|
|
138
|
+
interface MemoryEntry {
|
|
139
|
+
key: string;
|
|
140
|
+
value: string;
|
|
141
|
+
source?: string;
|
|
142
|
+
timestamp?: number;
|
|
143
|
+
}
|
|
144
|
+
type MemoryScanVerdict = "green" | "yellow" | "red";
|
|
145
|
+
type AnomalySeverity = "low" | "medium" | "high" | "critical";
|
|
146
|
+
type AnomalyType = "behavioral_override" | "bulk_insertion" | "safety_bypass" | "privilege_escalation" | "gradual_drift";
|
|
147
|
+
interface MemoryScanResult {
|
|
148
|
+
safe: boolean;
|
|
149
|
+
verdict: MemoryScanVerdict;
|
|
150
|
+
reason: string;
|
|
151
|
+
confidence: number;
|
|
152
|
+
toolCallId?: string;
|
|
153
|
+
}
|
|
154
|
+
interface MemoryScanOptions extends JudgeOptions {
|
|
155
|
+
/** Confidence threshold below which the entry is allowed (default 0.6). */
|
|
156
|
+
threshold?: number;
|
|
157
|
+
/** Stop batch scanning on the first red verdict (default true). */
|
|
158
|
+
stopOnRed?: boolean;
|
|
159
|
+
}
|
|
160
|
+
interface MemorySnapshot {
|
|
161
|
+
entries: MemoryEntry[];
|
|
162
|
+
takenAt: number;
|
|
163
|
+
}
|
|
164
|
+
interface MemoryAnomaly {
|
|
165
|
+
type: AnomalyType;
|
|
166
|
+
severity: AnomalySeverity;
|
|
167
|
+
description: string;
|
|
168
|
+
entries: string[];
|
|
169
|
+
}
|
|
170
|
+
interface MemoryDiffResult {
|
|
171
|
+
safe: boolean;
|
|
172
|
+
added: MemoryEntry[];
|
|
173
|
+
removed: MemoryEntry[];
|
|
174
|
+
modified: Array<{
|
|
175
|
+
key: string;
|
|
176
|
+
before: string;
|
|
177
|
+
after: string;
|
|
178
|
+
}>;
|
|
179
|
+
anomalies: MemoryAnomaly[];
|
|
180
|
+
}
|
|
135
181
|
interface AtbashClientConfig {
|
|
136
182
|
judge?: JudgeEndpointConfig;
|
|
137
183
|
nodeUrls?: string[];
|
|
138
184
|
blockchainRid?: string;
|
|
185
|
+
orgName?: string;
|
|
139
186
|
keyPath?: string;
|
|
140
187
|
keyPair?: {
|
|
141
188
|
privKey: string;
|
|
@@ -150,7 +197,7 @@ interface AtbashClientConfig {
|
|
|
150
197
|
|
|
151
198
|
declare const DEFAULT_ENDPOINT = "https://chromia-verified-ai-dev-two.vercel.app";
|
|
152
199
|
declare const DEFAULT_CHROMIA_NODE_URLS: string[];
|
|
153
|
-
declare const DEFAULT_BLOCKCHAIN_RID = "
|
|
200
|
+
declare const DEFAULT_BLOCKCHAIN_RID = "B91106947F1EAED7B5D789C7D35755330A8A7DD7CB990D59366114EFFB79ED10";
|
|
154
201
|
declare function isValidPrivateKey(hex: string): boolean;
|
|
155
202
|
declare function derivePublicKey(privKeyHex: string): string;
|
|
156
203
|
declare function generateKeyPair(): {
|
|
@@ -159,22 +206,7 @@ declare function generateKeyPair(): {
|
|
|
159
206
|
};
|
|
160
207
|
declare function loadAgent(privkey: string): AgentAuth;
|
|
161
208
|
declare function toPubkeyHex(val: unknown): string;
|
|
162
|
-
/**
|
|
163
|
-
* Check if an agent is onboarded before signing anything.
|
|
164
|
-
* Calls GET /api/ai/exists?pubkey=<66-hex>
|
|
165
|
-
*/
|
|
166
209
|
declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<boolean>;
|
|
167
|
-
/**
|
|
168
|
-
* Sign `log_tool_call` locally and return the signed transaction hex.
|
|
169
|
-
*
|
|
170
|
-
* Checks that the agent is onboarded before signing. The private key
|
|
171
|
-
* is used locally — never sent over the network. The server will
|
|
172
|
-
* broadcast the signed transaction to the chain.
|
|
173
|
-
*/
|
|
174
|
-
declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?: ChainOpts, extra?: {
|
|
175
|
-
toolName?: string;
|
|
176
|
-
toolArgsJson?: string;
|
|
177
|
-
}, clientOpts?: ClientOpts): Promise<LogToolCallResult>;
|
|
178
210
|
declare function judgeAction(action: string, context: string | undefined, auth: AgentAuth, opts?: JudgeOptions): Promise<JudgeResult>;
|
|
179
211
|
declare function getJudgmentStatus(judgmentId: string, agentPubkey: string, opts?: ClientOpts): Promise<JudgmentStatus>;
|
|
180
212
|
declare function getToolCalls(maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
|
|
@@ -182,7 +214,7 @@ declare function getOrgToolCalls(orgName: string, maxCount: number, opts?: Clien
|
|
|
182
214
|
declare function getAgentToolCalls(agentPubkey: string, maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
|
|
183
215
|
declare function getToolCallCount(opts?: ClientOpts): Promise<number>;
|
|
184
216
|
declare function getToolCallFull(toolCallId: string, opts?: ClientOpts): Promise<ToolCallFull | null>;
|
|
185
|
-
declare function
|
|
217
|
+
declare function getOrgSubscription(orgName: string, opts?: ClientOpts): Promise<OrgSubscription | null>;
|
|
186
218
|
declare function getPendingHeldActions(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldAction[]>;
|
|
187
219
|
declare function getHeldActionReviews(orgName: string, maxCount: number, opts?: ClientOpts): Promise<HeldActionReview[]>;
|
|
188
220
|
declare function getAgentDetail(agentPubkey: string, opts?: ClientOpts): Promise<Record<string, unknown>>;
|
|
@@ -208,7 +240,11 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
|
|
|
208
240
|
* Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
|
|
209
241
|
*
|
|
210
242
|
* Tracks: function call counts, latency, source (CLI/plugin/SDK),
|
|
211
|
-
* and agent identity.
|
|
243
|
+
* and agent identity. ON by default.
|
|
244
|
+
*
|
|
245
|
+
* Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
|
|
246
|
+
* The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
|
|
247
|
+
* Environment variables cannot disable telemetry (prevents agent bypass).
|
|
212
248
|
*/
|
|
213
249
|
type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
|
|
214
250
|
interface TelemetryConfig {
|
|
@@ -230,6 +266,7 @@ interface AtbashUserConfig {
|
|
|
230
266
|
orgName?: string;
|
|
231
267
|
judgeEndpoint?: string;
|
|
232
268
|
blockchainRid?: string;
|
|
269
|
+
network?: string;
|
|
233
270
|
provider?: string;
|
|
234
271
|
providerModel?: string;
|
|
235
272
|
}
|
|
@@ -239,4 +276,64 @@ declare function loadUserConfig(): AtbashUserConfig;
|
|
|
239
276
|
declare function saveUserConfig(config: AtbashUserConfig): void;
|
|
240
277
|
declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
|
|
241
278
|
|
|
242
|
-
|
|
279
|
+
/**
|
|
280
|
+
* Scan a single memory entry for poisoning.
|
|
281
|
+
*
|
|
282
|
+
* Defence layers (in order):
|
|
283
|
+
* 1. **Regex pre-filter** — catches obvious attacks instantly, zero latency
|
|
284
|
+
* 2. **LLM-as-Judge** — catches semantic / rephrased attacks the regex misses
|
|
285
|
+
*
|
|
286
|
+
* Both layers run against unicode-normalized text. The entry is fenced
|
|
287
|
+
* in the judge prompt so attackers cannot meta-inject into the scanner.
|
|
288
|
+
* Every scan is logged on-chain via the judge API for forensic audit.
|
|
289
|
+
*/
|
|
290
|
+
declare function scanMemory(entry: MemoryEntry, auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult>;
|
|
291
|
+
/**
|
|
292
|
+
* Scan multiple memory entries. By default stops on the first red
|
|
293
|
+
* verdict. Set `stopOnRed: false` to scan all entries regardless.
|
|
294
|
+
*/
|
|
295
|
+
declare function scanMemoryBatch(entries: MemoryEntry[], auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult[]>;
|
|
296
|
+
|
|
297
|
+
/**
|
|
298
|
+
* Create a timestamped snapshot of the current memory state.
|
|
299
|
+
*/
|
|
300
|
+
declare function createMemorySnapshot(entries: MemoryEntry[]): MemorySnapshot;
|
|
301
|
+
/**
|
|
302
|
+
* Compute the diff between two memory snapshots and run anomaly
|
|
303
|
+
* detection heuristics on the result.
|
|
304
|
+
*
|
|
305
|
+
* Catches what other defenses miss:
|
|
306
|
+
* - HMAC detects external tampering, not entries the agent wrote itself
|
|
307
|
+
* - Provenance tagging neutralizes untrusted sources, but a trusted
|
|
308
|
+
* channel can still be exploited
|
|
309
|
+
* - Regex catches fixed phrases, but attackers rephrase
|
|
310
|
+
* - LLM-as-judge catches semantic manipulation on individual entries
|
|
311
|
+
* - This function catches the *cumulative effect* — gradual multi-step
|
|
312
|
+
* poisoning where entries shift agent behavior across sessions
|
|
313
|
+
*/
|
|
314
|
+
declare function diffMemorySnapshots(before: MemorySnapshot, after: MemorySnapshot): MemoryDiffResult;
|
|
315
|
+
|
|
316
|
+
/**
|
|
317
|
+
* Unicode normalization for memory content before regex matching.
|
|
318
|
+
*
|
|
319
|
+
* Defeats evasion techniques:
|
|
320
|
+
* - Zero-width characters inserted between letters
|
|
321
|
+
* - Homoglyphs (Cyrillic "а" instead of Latin "a")
|
|
322
|
+
* - Mixed-script confusables
|
|
323
|
+
* - Invisible formatting characters
|
|
324
|
+
*/
|
|
325
|
+
/**
|
|
326
|
+
* Normalize a string for safe regex matching:
|
|
327
|
+
* 1. NFKC normalization (collapses compatibility decompositions)
|
|
328
|
+
* 2. Strip zero-width / invisible characters
|
|
329
|
+
* 3. Map common confusable characters to their Latin equivalents
|
|
330
|
+
*/
|
|
331
|
+
declare function normalizeForMatching(input: string): string;
|
|
332
|
+
/**
|
|
333
|
+
* Check whether a string contains suspicious encoding that may indicate
|
|
334
|
+
* an evasion attempt (presence of confusables, invisible chars, etc.).
|
|
335
|
+
* Returns true if the raw and normalized forms differ.
|
|
336
|
+
*/
|
|
337
|
+
declare function containsEvasionCharacters(input: string): boolean;
|
|
338
|
+
|
|
339
|
+
export { type ActionType, type AgentAuth, type AgentPolicy, type AnomalySeverity, type AnomalyType, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type MemoryAnomaly, type MemoryDiffResult, type MemoryEntry, type MemoryScanOptions, type MemoryScanResult, type MemoryScanVerdict, type MemorySnapshot, type OrgSubscription, type Provider, type PubkeyValue, type TelemetryConfig, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, containsEvasionCharacters, createAtbashClient, createMemorySnapshot, derivePublicKey, diffMemorySnapshots, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgSubscription, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, normalizeForMatching, resolve, resolveKeyPath, saveUserConfig, scanMemory, scanMemoryBatch, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };
|