@atbash/sdk 0.3.11-dev.3 → 0.3.11-dev.4

package/dist/index.cjs

@@ -105,6 +105,9 @@ function verifyJudgeResponseSignature(bodyBytes, signatureHex, pubKeyHex) {
 }
 
 // src/opentel/telemetry.ts
+var import_node_fs = require("fs");
+var import_node_os = require("os");
+var import_node_path = require("path");
 var import_sdk_metrics = require("@opentelemetry/sdk-metrics");
 var import_exporter_metrics_otlp_http = require("@opentelemetry/exporter-metrics-otlp-http");
 var import_resources = require("@opentelemetry/resources");
@@ -112,14 +115,27 @@ var meterProvider = null;
 var callCounter = null;
 var durationHistogram = null;
 var defaultSource = "sdk";
+function isTelemetryOptedOut() {
+  try {
+    const home = process.env.HOME || (0, import_node_os.homedir)() || "";
+    const filePath = (0, import_node_path.join)(home, ".config", "atbash", "telemetry.json");
+    const raw = (0, import_node_fs.readFileSync)(filePath, "utf-8").trim();
+    if (!raw) return false;
+    const config = JSON.parse(raw);
+    return config.enabled === false;
+  } catch {
+    return false;
+  }
+}
 function autoInit() {
   if (meterProvider) return;
-  if (process.env.ATBASH_TELEMETRY === "false") return;
+  if (isTelemetryOptedOut()) return;
   setupTelemetry({ enabled: true });
 }
 function setupTelemetry(config) {
   if (!config.enabled) return;
   if (meterProvider) return;
+  if (isTelemetryOptedOut()) return;
   defaultSource = config.source ?? "sdk";
   const ATBASH_HONEYCOMB_KEY = "YOUR_INGEST_KEY_HERE";
   const apiKey = process.env.HONEYCOMB_API_KEY ?? ATBASH_HONEYCOMB_KEY;
@@ -698,22 +714,22 @@ function validateJudgeEndpoint(judge) {
 }
 
 // src/key-loader.ts
-var import_node_fs = require("fs");
-var import_node_os = require("os");
-var import_node_path = require("path");
+var import_node_fs2 = require("fs");
+var import_node_os2 = require("os");
+var import_node_path2 = require("path");
 var DEFAULT_KEY_PATH_REL = ".config/atbash/guard-client-key";
 function resolveKeyPath(input) {
   if (input) return expandHome(input);
-  const home = process.env.HOME || (0, import_node_os.homedir)() || "";
-  return (0, import_node_path.join)(home, DEFAULT_KEY_PATH_REL);
+  const home = process.env.HOME || (0, import_node_os2.homedir)() || "";
+  return (0, import_node_path2.join)(home, DEFAULT_KEY_PATH_REL);
 }
 function expandHome(p) {
   if (!p.startsWith("~/")) return p;
-  const home = process.env.HOME || (0, import_node_os.homedir)() || "";
-  return (0, import_node_path.join)(home, p.slice(2));
+  const home = process.env.HOME || (0, import_node_os2.homedir)() || "";
+  return (0, import_node_path2.join)(home, p.slice(2));
 }
 function readKeyFile(keyPath) {
-  const content = String((0, import_node_fs.readFileSync)(keyPath, "utf8") || "").trim();
+  const content = String((0, import_node_fs2.readFileSync)(keyPath, "utf8") || "").trim();
   let privKey = "";
   let pubKey = "";
   if (content.startsWith("{")) {
@@ -938,9 +954,9 @@ function truncate(text) {
 }
 
 // src/user-config.ts
-var import_node_fs2 = require("fs");
-var import_node_os2 = require("os");
-var import_node_path2 = require("path");
+var import_node_fs3 = require("fs");
+var import_node_os3 = require("os");
+var import_node_path3 = require("path");
 var ENV_MAP = {
   agentKey: "ATBASH_AGENT_KEY",
   orgName: "ATBASH_ORG_NAME",
@@ -950,17 +966,17 @@ var ENV_MAP = {
   providerModel: "ATBASH_PROVIDER_MODEL"
 };
 function getConfigDir() {
-  const home = process.env.HOME || (0, import_node_os2.homedir)() || "";
-  return (0, import_node_path2.join)(home, ".config", "atbash");
+  const home = process.env.HOME || (0, import_node_os3.homedir)() || "";
+  return (0, import_node_path3.join)(home, ".config", "atbash");
 }
 function getConfigPath() {
-  return (0, import_node_path2.join)(getConfigDir(), "config.json");
+  return (0, import_node_path3.join)(getConfigDir(), "config.json");
 }
 function loadUserConfig() {
   try {
     const p = getConfigPath();
-    if (!(0, import_node_fs2.existsSync)(p)) return {};
-    const raw = (0, import_node_fs2.readFileSync)(p, "utf-8").trim();
+    if (!(0, import_node_fs3.existsSync)(p)) return {};
+    const raw = (0, import_node_fs3.readFileSync)(p, "utf-8").trim();
     if (!raw) return {};
     return JSON.parse(raw);
   } catch (err) {
@@ -970,12 +986,12 @@ function loadUserConfig() {
 }
 function saveUserConfig(config) {
   const dir = getConfigDir();
-  if (!(0, import_node_fs2.existsSync)(dir)) {
-    (0, import_node_fs2.mkdirSync)(dir, { recursive: true, mode: 448 });
+  if (!(0, import_node_fs3.existsSync)(dir)) {
+    (0, import_node_fs3.mkdirSync)(dir, { recursive: true, mode: 448 });
   }
   const filePath = getConfigPath();
-  (0, import_node_fs2.writeFileSync)(filePath, JSON.stringify(config, null, 2) + "\n", { mode: 384 });
-  (0, import_node_fs2.chmodSync)(filePath, 384);
+  (0, import_node_fs3.writeFileSync)(filePath, JSON.stringify(config, null, 2) + "\n", { mode: 384 });
+  (0, import_node_fs3.chmodSync)(filePath, 384);
 }
 function resolve(key, flagValue) {
   if (flagValue) return flagValue;
@@ -1039,7 +1055,7 @@ var BEHAVIOR_PATTERNS = [
   {
     type: "privilege_escalation",
     severity: "critical",
-    re: /\b(?:admin|administrator|root|superuser|sudo|elevated)\b.*\b(?:privilege|permission|access|role|clearance|authority)\b.*\b(?:granted|approved|confirmed|given|assigned)\b/i,
+    re: /\b(?:admin|administrator|root|superuser|sudo|elevated)\b.*\b(?:privileges?|permissions?|access|roles?|clearance|authority)\b.*\b(?:granted|approved|confirmed|given|assigned)\b/i,
     description: "claims elevated privileges were granted"
   },
   {

package/dist/index.d.cts

@@ -251,7 +251,11 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
  * Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
  *
  * Tracks: function call counts, latency, source (CLI/plugin/SDK),
- * and agent identity. Opt-in — no data sent unless enabled.
+ * and agent identity. ON by default.
+ *
+ * Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
+ * The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
+ * Environment variables cannot disable telemetry (prevents agent bypass).
  */
 type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
 interface TelemetryConfig {

package/dist/index.d.ts

@@ -251,7 +251,11 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
  * Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
  *
  * Tracks: function call counts, latency, source (CLI/plugin/SDK),
- * and agent identity. Opt-in — no data sent unless enabled.
+ * and agent identity. ON by default.
+ *
+ * Opt-out: create ~/.config/atbash/telemetry.json with { "enabled": false }
+ * The file must be mode 0600. If missing, corrupted, or unreadable → telemetry stays ON.
+ * Environment variables cannot disable telemetry (prevents agent bypass).
  */
 type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
 interface TelemetryConfig {

package/dist/index.js

@@ -29,6 +29,9 @@ function verifyJudgeResponseSignature(bodyBytes, signatureHex, pubKeyHex) {
 }
 
 // src/opentel/telemetry.ts
+import { readFileSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
 import { MeterProvider, PeriodicExportingMetricReader } from "@opentelemetry/sdk-metrics";
 import { OTLPMetricExporter } from "@opentelemetry/exporter-metrics-otlp-http";
 import { resourceFromAttributes } from "@opentelemetry/resources";
@@ -36,14 +39,27 @@ var meterProvider = null;
 var callCounter = null;
 var durationHistogram = null;
 var defaultSource = "sdk";
+function isTelemetryOptedOut() {
+  try {
+    const home = process.env.HOME || homedir() || "";
+    const filePath = join(home, ".config", "atbash", "telemetry.json");
+    const raw = readFileSync(filePath, "utf-8").trim();
+    if (!raw) return false;
+    const config = JSON.parse(raw);
+    return config.enabled === false;
+  } catch {
+    return false;
+  }
+}
 function autoInit() {
   if (meterProvider) return;
-  if (process.env.ATBASH_TELEMETRY === "false") return;
+  if (isTelemetryOptedOut()) return;
   setupTelemetry({ enabled: true });
 }
 function setupTelemetry(config) {
   if (!config.enabled) return;
   if (meterProvider) return;
+  if (isTelemetryOptedOut()) return;
   defaultSource = config.source ?? "sdk";
   const ATBASH_HONEYCOMB_KEY = "YOUR_INGEST_KEY_HERE";
   const apiKey = process.env.HONEYCOMB_API_KEY ?? ATBASH_HONEYCOMB_KEY;
@@ -622,22 +638,22 @@ function validateJudgeEndpoint(judge) {
 }
 
 // src/key-loader.ts
-import { readFileSync } from "fs";
-import { homedir } from "os";
-import { join } from "path";
+import { readFileSync as readFileSync2 } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
 var DEFAULT_KEY_PATH_REL = ".config/atbash/guard-client-key";
 function resolveKeyPath(input) {
   if (input) return expandHome(input);
-  const home = process.env.HOME || homedir() || "";
-  return join(home, DEFAULT_KEY_PATH_REL);
+  const home = process.env.HOME || homedir2() || "";
+  return join2(home, DEFAULT_KEY_PATH_REL);
 }
 function expandHome(p) {
   if (!p.startsWith("~/")) return p;
-  const home = process.env.HOME || homedir() || "";
-  return join(home, p.slice(2));
+  const home = process.env.HOME || homedir2() || "";
+  return join2(home, p.slice(2));
 }
 function readKeyFile(keyPath) {
-  const content = String(readFileSync(keyPath, "utf8") || "").trim();
+  const content = String(readFileSync2(keyPath, "utf8") || "").trim();
   let privKey = "";
   let pubKey = "";
   if (content.startsWith("{")) {
@@ -862,9 +878,9 @@ function truncate(text) {
 }
 
 // src/user-config.ts
-import { readFileSync as readFileSync2, writeFileSync, mkdirSync, chmodSync, existsSync } from "fs";
-import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
+import { readFileSync as readFileSync3, writeFileSync, mkdirSync, chmodSync, existsSync } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
 var ENV_MAP = {
   agentKey: "ATBASH_AGENT_KEY",
   orgName: "ATBASH_ORG_NAME",
@@ -874,17 +890,17 @@ var ENV_MAP = {
   providerModel: "ATBASH_PROVIDER_MODEL"
 };
 function getConfigDir() {
-  const home = process.env.HOME || homedir2() || "";
-  return join2(home, ".config", "atbash");
+  const home = process.env.HOME || homedir3() || "";
+  return join3(home, ".config", "atbash");
 }
 function getConfigPath() {
-  return join2(getConfigDir(), "config.json");
+  return join3(getConfigDir(), "config.json");
 }
 function loadUserConfig() {
   try {
     const p = getConfigPath();
     if (!existsSync(p)) return {};
-    const raw = readFileSync2(p, "utf-8").trim();
+    const raw = readFileSync3(p, "utf-8").trim();
     if (!raw) return {};
     return JSON.parse(raw);
   } catch (err) {
@@ -963,7 +979,7 @@ var BEHAVIOR_PATTERNS = [
   {
     type: "privilege_escalation",
     severity: "critical",
-    re: /\b(?:admin|administrator|root|superuser|sudo|elevated)\b.*\b(?:privilege|permission|access|role|clearance|authority)\b.*\b(?:granted|approved|confirmed|given|assigned)\b/i,
+    re: /\b(?:admin|administrator|root|superuser|sudo|elevated)\b.*\b(?:privileges?|permissions?|access|roles?|clearance|authority)\b.*\b(?:granted|approved|confirmed|given|assigned)\b/i,
     description: "claims elevated privileges were granted"
   },
   {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atbash/sdk",
-  "version": "0.3.11-dev.3",
+  "version": "0.3.11-dev.4",
   "description": "Atbash SDK — control boundary before the last irreversible step in an agent workflow",
   "homepage": "https://atbash.ai",
   "author": "Atbash",