@atbash/sdk 0.3.11-dev.2 → 0.3.11-dev.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +490 -22
- package/dist/index.d.cts +111 -4
- package/dist/index.d.ts +111 -4
- package/dist/index.js +482 -20
- package/package.json +3 -2
package/dist/index.d.cts
CHANGED
|
@@ -132,6 +132,49 @@ interface ValidatedEndpoint {
|
|
|
132
132
|
policy: "default" | "self-hosted";
|
|
133
133
|
verifyPubKey: string | null;
|
|
134
134
|
}
|
|
135
|
+
interface MemoryEntry {
|
|
136
|
+
key: string;
|
|
137
|
+
value: string;
|
|
138
|
+
source?: string;
|
|
139
|
+
timestamp?: number;
|
|
140
|
+
}
|
|
141
|
+
type MemoryScanVerdict = "green" | "yellow" | "red";
|
|
142
|
+
type AnomalySeverity = "low" | "medium" | "high" | "critical";
|
|
143
|
+
type AnomalyType = "behavioral_override" | "bulk_insertion" | "safety_bypass" | "privilege_escalation" | "gradual_drift";
|
|
144
|
+
interface MemoryScanResult {
|
|
145
|
+
safe: boolean;
|
|
146
|
+
verdict: MemoryScanVerdict;
|
|
147
|
+
reason: string;
|
|
148
|
+
confidence: number;
|
|
149
|
+
toolCallId?: string;
|
|
150
|
+
}
|
|
151
|
+
interface MemoryScanOptions extends JudgeOptions {
|
|
152
|
+
/** Confidence threshold below which the entry is allowed (default 0.6). */
|
|
153
|
+
threshold?: number;
|
|
154
|
+
/** Stop batch scanning on the first red verdict (default true). */
|
|
155
|
+
stopOnRed?: boolean;
|
|
156
|
+
}
|
|
157
|
+
interface MemorySnapshot {
|
|
158
|
+
entries: MemoryEntry[];
|
|
159
|
+
takenAt: number;
|
|
160
|
+
}
|
|
161
|
+
interface MemoryAnomaly {
|
|
162
|
+
type: AnomalyType;
|
|
163
|
+
severity: AnomalySeverity;
|
|
164
|
+
description: string;
|
|
165
|
+
entries: string[];
|
|
166
|
+
}
|
|
167
|
+
interface MemoryDiffResult {
|
|
168
|
+
safe: boolean;
|
|
169
|
+
added: MemoryEntry[];
|
|
170
|
+
removed: MemoryEntry[];
|
|
171
|
+
modified: Array<{
|
|
172
|
+
key: string;
|
|
173
|
+
before: string;
|
|
174
|
+
after: string;
|
|
175
|
+
}>;
|
|
176
|
+
anomalies: MemoryAnomaly[];
|
|
177
|
+
}
|
|
135
178
|
interface AtbashClientConfig {
|
|
136
179
|
judge?: JudgeEndpointConfig;
|
|
137
180
|
nodeUrls?: string[];
|
|
@@ -148,9 +191,9 @@ interface AtbashClientConfig {
|
|
|
148
191
|
};
|
|
149
192
|
}
|
|
150
193
|
|
|
151
|
-
declare const DEFAULT_ENDPOINT = "https://
|
|
194
|
+
declare const DEFAULT_ENDPOINT = "https://atbash.ai";
|
|
152
195
|
declare const DEFAULT_CHROMIA_NODE_URLS: string[];
|
|
153
|
-
declare const DEFAULT_BLOCKCHAIN_RID = "
|
|
196
|
+
declare const DEFAULT_BLOCKCHAIN_RID = "3CF2566BF0E606C8D6F9360566DB2FE3BC254C39451BAEB6D736E916D677486A";
|
|
154
197
|
declare function isValidPrivateKey(hex: string): boolean;
|
|
155
198
|
declare function derivePublicKey(privKeyHex: string): string;
|
|
156
199
|
declare function generateKeyPair(): {
|
|
@@ -208,7 +251,11 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
|
|
|
208
251
|
* Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
|
|
209
252
|
*
|
|
210
253
|
* Tracks: function call counts, latency, source (CLI/plugin/SDK),
|
|
211
|
-
* and agent identity.
|
|
254
|
+
* and agent identity. ON by default.
|
|
255
|
+
*
|
|
256
|
+
* Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
|
|
257
|
+
* The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
|
|
258
|
+
* Environment variables cannot disable telemetry (prevents agent bypass).
|
|
212
259
|
*/
|
|
213
260
|
type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
|
|
214
261
|
interface TelemetryConfig {
|
|
@@ -239,4 +286,64 @@ declare function loadUserConfig(): AtbashUserConfig;
|
|
|
239
286
|
declare function saveUserConfig(config: AtbashUserConfig): void;
|
|
240
287
|
declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
|
|
241
288
|
|
|
242
|
-
|
|
289
|
+
/**
|
|
290
|
+
* Scan a single memory entry for poisoning.
|
|
291
|
+
*
|
|
292
|
+
* Defence layers (in order):
|
|
293
|
+
* 1. **Regex pre-filter** — catches obvious attacks instantly, zero latency
|
|
294
|
+
* 2. **LLM-as-Judge** — catches semantic / rephrased attacks the regex misses
|
|
295
|
+
*
|
|
296
|
+
* Both layers run against unicode-normalized text. The entry is fenced
|
|
297
|
+
* in the judge prompt so attackers cannot meta-inject into the scanner.
|
|
298
|
+
* Every scan is logged on-chain via the judge API for forensic audit.
|
|
299
|
+
*/
|
|
300
|
+
declare function scanMemory(entry: MemoryEntry, auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult>;
|
|
301
|
+
/**
|
|
302
|
+
* Scan multiple memory entries. By default stops on the first red
|
|
303
|
+
* verdict. Set `stopOnRed: false` to scan all entries regardless.
|
|
304
|
+
*/
|
|
305
|
+
declare function scanMemoryBatch(entries: MemoryEntry[], auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult[]>;
|
|
306
|
+
|
|
307
|
+
/**
|
|
308
|
+
* Create a timestamped snapshot of the current memory state.
|
|
309
|
+
*/
|
|
310
|
+
declare function createMemorySnapshot(entries: MemoryEntry[]): MemorySnapshot;
|
|
311
|
+
/**
|
|
312
|
+
* Compute the diff between two memory snapshots and run anomaly
|
|
313
|
+
* detection heuristics on the result.
|
|
314
|
+
*
|
|
315
|
+
* Catches what other defenses miss:
|
|
316
|
+
* - HMAC detects external tampering, not entries the agent wrote itself
|
|
317
|
+
* - Provenance tagging neutralizes untrusted sources, but a trusted
|
|
318
|
+
* channel can still be exploited
|
|
319
|
+
* - Regex catches fixed phrases, but attackers rephrase
|
|
320
|
+
* - LLM-as-judge catches semantic manipulation on individual entries
|
|
321
|
+
* - This function catches the *cumulative effect* — gradual multi-step
|
|
322
|
+
* poisoning where entries shift agent behavior across sessions
|
|
323
|
+
*/
|
|
324
|
+
declare function diffMemorySnapshots(before: MemorySnapshot, after: MemorySnapshot): MemoryDiffResult;
|
|
325
|
+
|
|
326
|
+
/**
|
|
327
|
+
* Unicode normalization for memory content before regex matching.
|
|
328
|
+
*
|
|
329
|
+
* Defeats evasion techniques:
|
|
330
|
+
* - Zero-width characters inserted between letters
|
|
331
|
+
* - Homoglyphs (Cyrillic "а" instead of Latin "a")
|
|
332
|
+
* - Mixed-script confusables
|
|
333
|
+
* - Invisible formatting characters
|
|
334
|
+
*/
|
|
335
|
+
/**
|
|
336
|
+
* Normalize a string for safe regex matching:
|
|
337
|
+
* 1. NFKC normalization (collapses compatibility decompositions)
|
|
338
|
+
* 2. Strip zero-width / invisible characters
|
|
339
|
+
* 3. Map common confusable characters to their Latin equivalents
|
|
340
|
+
*/
|
|
341
|
+
declare function normalizeForMatching(input: string): string;
|
|
342
|
+
/**
|
|
343
|
+
* Check whether a string contains suspicious encoding that may indicate
|
|
344
|
+
* an evasion attempt (presence of confusables, invisible chars, etc.).
|
|
345
|
+
* Returns true if the raw and normalized forms differ.
|
|
346
|
+
*/
|
|
347
|
+
declare function containsEvasionCharacters(input: string): boolean;
|
|
348
|
+
|
|
349
|
+
export { type ActionType, type AgentAuth, type AgentPolicy, type AnomalySeverity, type AnomalyType, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type MemoryAnomaly, type MemoryDiffResult, type MemoryEntry, type MemoryScanOptions, type MemoryScanResult, type MemoryScanVerdict, type MemorySnapshot, type Provider, type PubkeyValue, type TelemetryConfig, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, containsEvasionCharacters, createAtbashClient, createMemorySnapshot, derivePublicKey, diffMemorySnapshots, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, normalizeForMatching, resolve, resolveKeyPath, saveUserConfig, scanMemory, scanMemoryBatch, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };
|
package/dist/index.d.ts
CHANGED
|
@@ -132,6 +132,49 @@ interface ValidatedEndpoint {
|
|
|
132
132
|
policy: "default" | "self-hosted";
|
|
133
133
|
verifyPubKey: string | null;
|
|
134
134
|
}
|
|
135
|
+
interface MemoryEntry {
|
|
136
|
+
key: string;
|
|
137
|
+
value: string;
|
|
138
|
+
source?: string;
|
|
139
|
+
timestamp?: number;
|
|
140
|
+
}
|
|
141
|
+
type MemoryScanVerdict = "green" | "yellow" | "red";
|
|
142
|
+
type AnomalySeverity = "low" | "medium" | "high" | "critical";
|
|
143
|
+
type AnomalyType = "behavioral_override" | "bulk_insertion" | "safety_bypass" | "privilege_escalation" | "gradual_drift";
|
|
144
|
+
interface MemoryScanResult {
|
|
145
|
+
safe: boolean;
|
|
146
|
+
verdict: MemoryScanVerdict;
|
|
147
|
+
reason: string;
|
|
148
|
+
confidence: number;
|
|
149
|
+
toolCallId?: string;
|
|
150
|
+
}
|
|
151
|
+
interface MemoryScanOptions extends JudgeOptions {
|
|
152
|
+
/** Confidence threshold below which the entry is allowed (default 0.6). */
|
|
153
|
+
threshold?: number;
|
|
154
|
+
/** Stop batch scanning on the first red verdict (default true). */
|
|
155
|
+
stopOnRed?: boolean;
|
|
156
|
+
}
|
|
157
|
+
interface MemorySnapshot {
|
|
158
|
+
entries: MemoryEntry[];
|
|
159
|
+
takenAt: number;
|
|
160
|
+
}
|
|
161
|
+
interface MemoryAnomaly {
|
|
162
|
+
type: AnomalyType;
|
|
163
|
+
severity: AnomalySeverity;
|
|
164
|
+
description: string;
|
|
165
|
+
entries: string[];
|
|
166
|
+
}
|
|
167
|
+
interface MemoryDiffResult {
|
|
168
|
+
safe: boolean;
|
|
169
|
+
added: MemoryEntry[];
|
|
170
|
+
removed: MemoryEntry[];
|
|
171
|
+
modified: Array<{
|
|
172
|
+
key: string;
|
|
173
|
+
before: string;
|
|
174
|
+
after: string;
|
|
175
|
+
}>;
|
|
176
|
+
anomalies: MemoryAnomaly[];
|
|
177
|
+
}
|
|
135
178
|
interface AtbashClientConfig {
|
|
136
179
|
judge?: JudgeEndpointConfig;
|
|
137
180
|
nodeUrls?: string[];
|
|
@@ -148,9 +191,9 @@ interface AtbashClientConfig {
|
|
|
148
191
|
};
|
|
149
192
|
}
|
|
150
193
|
|
|
151
|
-
declare const DEFAULT_ENDPOINT = "https://
|
|
194
|
+
declare const DEFAULT_ENDPOINT = "https://atbash.ai";
|
|
152
195
|
declare const DEFAULT_CHROMIA_NODE_URLS: string[];
|
|
153
|
-
declare const DEFAULT_BLOCKCHAIN_RID = "
|
|
196
|
+
declare const DEFAULT_BLOCKCHAIN_RID = "3CF2566BF0E606C8D6F9360566DB2FE3BC254C39451BAEB6D736E916D677486A";
|
|
154
197
|
declare function isValidPrivateKey(hex: string): boolean;
|
|
155
198
|
declare function derivePublicKey(privKeyHex: string): string;
|
|
156
199
|
declare function generateKeyPair(): {
|
|
@@ -208,7 +251,11 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
|
|
|
208
251
|
* Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
|
|
209
252
|
*
|
|
210
253
|
* Tracks: function call counts, latency, source (CLI/plugin/SDK),
|
|
211
|
-
* and agent identity.
|
|
254
|
+
* and agent identity. ON by default.
|
|
255
|
+
*
|
|
256
|
+
* Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
|
|
257
|
+
* The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
|
|
258
|
+
* Environment variables cannot disable telemetry (prevents agent bypass).
|
|
212
259
|
*/
|
|
213
260
|
type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
|
|
214
261
|
interface TelemetryConfig {
|
|
@@ -239,4 +286,64 @@ declare function loadUserConfig(): AtbashUserConfig;
|
|
|
239
286
|
declare function saveUserConfig(config: AtbashUserConfig): void;
|
|
240
287
|
declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
|
|
241
288
|
|
|
242
|
-
|
|
289
|
+
/**
|
|
290
|
+
* Scan a single memory entry for poisoning.
|
|
291
|
+
*
|
|
292
|
+
* Defence layers (in order):
|
|
293
|
+
* 1. **Regex pre-filter** — catches obvious attacks instantly, zero latency
|
|
294
|
+
* 2. **LLM-as-Judge** — catches semantic / rephrased attacks the regex misses
|
|
295
|
+
*
|
|
296
|
+
* Both layers run against unicode-normalized text. The entry is fenced
|
|
297
|
+
* in the judge prompt so attackers cannot meta-inject into the scanner.
|
|
298
|
+
* Every scan is logged on-chain via the judge API for forensic audit.
|
|
299
|
+
*/
|
|
300
|
+
declare function scanMemory(entry: MemoryEntry, auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult>;
|
|
301
|
+
/**
|
|
302
|
+
* Scan multiple memory entries. By default stops on the first red
|
|
303
|
+
* verdict. Set `stopOnRed: false` to scan all entries regardless.
|
|
304
|
+
*/
|
|
305
|
+
declare function scanMemoryBatch(entries: MemoryEntry[], auth: AgentAuth, opts?: MemoryScanOptions): Promise<MemoryScanResult[]>;
|
|
306
|
+
|
|
307
|
+
/**
|
|
308
|
+
* Create a timestamped snapshot of the current memory state.
|
|
309
|
+
*/
|
|
310
|
+
declare function createMemorySnapshot(entries: MemoryEntry[]): MemorySnapshot;
|
|
311
|
+
/**
|
|
312
|
+
* Compute the diff between two memory snapshots and run anomaly
|
|
313
|
+
* detection heuristics on the result.
|
|
314
|
+
*
|
|
315
|
+
* Catches what other defenses miss:
|
|
316
|
+
* - HMAC detects external tampering, not entries the agent wrote itself
|
|
317
|
+
* - Provenance tagging neutralizes untrusted sources, but a trusted
|
|
318
|
+
* channel can still be exploited
|
|
319
|
+
* - Regex catches fixed phrases, but attackers rephrase
|
|
320
|
+
* - LLM-as-judge catches semantic manipulation on individual entries
|
|
321
|
+
* - This function catches the *cumulative effect* — gradual multi-step
|
|
322
|
+
* poisoning where entries shift agent behavior across sessions
|
|
323
|
+
*/
|
|
324
|
+
declare function diffMemorySnapshots(before: MemorySnapshot, after: MemorySnapshot): MemoryDiffResult;
|
|
325
|
+
|
|
326
|
+
/**
|
|
327
|
+
* Unicode normalization for memory content before regex matching.
|
|
328
|
+
*
|
|
329
|
+
* Defeats evasion techniques:
|
|
330
|
+
* - Zero-width characters inserted between letters
|
|
331
|
+
* - Homoglyphs (Cyrillic "а" instead of Latin "a")
|
|
332
|
+
* - Mixed-script confusables
|
|
333
|
+
* - Invisible formatting characters
|
|
334
|
+
*/
|
|
335
|
+
/**
|
|
336
|
+
* Normalize a string for safe regex matching:
|
|
337
|
+
* 1. NFKC normalization (collapses compatibility decompositions)
|
|
338
|
+
* 2. Strip zero-width / invisible characters
|
|
339
|
+
* 3. Map common confusable characters to their Latin equivalents
|
|
340
|
+
*/
|
|
341
|
+
declare function normalizeForMatching(input: string): string;
|
|
342
|
+
/**
|
|
343
|
+
* Check whether a string contains suspicious encoding that may indicate
|
|
344
|
+
* an evasion attempt (presence of confusables, invisible chars, etc.).
|
|
345
|
+
* Returns true if the raw and normalized forms differ.
|
|
346
|
+
*/
|
|
347
|
+
declare function containsEvasionCharacters(input: string): boolean;
|
|
348
|
+
|
|
349
|
+
export { type ActionType, type AgentAuth, type AgentPolicy, type AnomalySeverity, type AnomalyType, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type MemoryAnomaly, type MemoryDiffResult, type MemoryEntry, type MemoryScanOptions, type MemoryScanResult, type MemoryScanVerdict, type MemorySnapshot, type Provider, type PubkeyValue, type TelemetryConfig, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, containsEvasionCharacters, createAtbashClient, createMemorySnapshot, derivePublicKey, diffMemorySnapshots, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, normalizeForMatching, resolve, resolveKeyPath, saveUserConfig, scanMemory, scanMemoryBatch, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };
|