@atbash/sdk 0.3.6 → 0.3.7

package/dist/index.cjs

@@ -34,6 +34,7 @@ __export(index_exports, {
   DEFAULT_CHROMIA_NODE_URLS: () => DEFAULT_CHROMIA_NODE_URLS,
   DEFAULT_ENDPOINT: () => DEFAULT_ENDPOINT,
   checkAgentExists: () => checkAgentExists,
+  createAtbashClient: () => createAtbashClient,
   derivePublicKey: () => derivePublicKey,
   generateKeyPair: () => generateKeyPair,
   getAgentDetail: () => getAgentDetail,
@@ -51,15 +52,47 @@ __export(index_exports, {
   isValidPrivateKey: () => isValidPrivateKey,
   judgeAction: () => judgeAction,
   loadAgent: () => loadAgent,
+  loadAgentFromFile: () => loadAgentFromFile,
   logToolCall: () => logToolCall,
-  toPubkeyHex: () => toPubkeyHex
+  resolveKeyPath: () => resolveKeyPath,
+  toPubkeyHex: () => toPubkeyHex,
+  validateJudgeEndpoint: () => validateJudgeEndpoint,
+  verifyJudgeResponseSignature: () => verifyJudgeResponseSignature
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/client.ts
 var import_crypto = require("crypto");
+var import_postchain_client2 = __toESM(require("postchain-client"), 1);
+
+// src/signature.ts
 var import_postchain_client = __toESM(require("postchain-client"), 1);
-var { createClient, encryption, newSignatureProvider } = import_postchain_client.default;
+var { encryption } = import_postchain_client.default;
+function verifyJudgeResponseSignature(bodyBytes, signatureHex, pubKeyHex) {
+  if (!signatureHex) {
+    return { ok: false, reason: "missing X-Atbash-Signature header" };
+  }
+  const sigClean = signatureHex.trim().toLowerCase().replace(/^0x/, "");
+  if (!/^[0-9a-f]+$/.test(sigClean) || sigClean.length < 64 || sigClean.length > 256) {
+    return { ok: false, reason: "malformed signature header" };
+  }
+  let isValid = false;
+  try {
+    const digest = encryption.sha256(Buffer.from(bodyBytes));
+    const pubKeyBytes = Buffer.from(pubKeyHex.replace(/^0x/, ""), "hex");
+    const sigBytes = Buffer.from(sigClean, "hex");
+    isValid = encryption.checkDigestSignature(digest, pubKeyBytes, sigBytes);
+  } catch (err) {
+    const message = String(
+      err?.message ?? err ?? ""
+    );
+    return { ok: false, reason: `signature verification threw: ${message}` };
+  }
+  return isValid ? { ok: true } : { ok: false, reason: "signature does not verify against configured verifyPubKey" };
+}
+
+// src/client.ts
+var { createClient, encryption: encryption2, newSignatureProvider } = import_postchain_client2.default;
 var DEFAULT_ENDPOINT = "https://atbash.ai";
 var DEFAULT_CHROMIA_NODE_URLS = [
   "https://node6.testnet.chromia.com:7740",
@@ -115,7 +148,7 @@ async function buildSignedTx(opName, args, auth, chainOpts) {
   const blockchainRid = chainOpts?.blockchainRid ?? DEFAULT_BLOCKCHAIN_RID;
   const client = await createClient({ nodeUrlPool: nodeUrls, blockchainRid });
   const privKeyBuf = Buffer.from(auth.privkey, "hex");
-  const keyPair = encryption.makeKeyPair(privKeyBuf);
+  const keyPair = encryption2.makeKeyPair(privKeyBuf);
   const sigProvider = newSignatureProvider({
     privKey: keyPair.privKey,
     pubKey: keyPair.pubKey
@@ -226,6 +259,31 @@ async function getJson(url, opts) {
   }
   return resp.json();
 }
+async function postJudgeRequest(url, body, opts) {
+  if (!opts?.verifyPubKey) {
+    return postJson(url, body, opts);
+  }
+  const resp = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: opts?.timeout ? AbortSignal.timeout(opts.timeout) : void 0
+  });
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => "");
+    throw enrichError(resp.status, text, resp.statusText, opts);
+  }
+  const buf = new Uint8Array(await resp.arrayBuffer());
+  const verdict = verifyJudgeResponseSignature(
+    buf,
+    resp.headers.get("X-Atbash-Signature"),
+    opts.verifyPubKey
+  );
+  if (!verdict.ok) {
+    throw new Error(`signature verification failed: ${verdict.reason}`);
+  }
+  return JSON.parse(new TextDecoder().decode(buf));
+}
 async function judgeAction(action, context = "", auth, opts) {
   if (!action || !action.trim()) {
     throw new Error("action is required and cannot be empty.");
@@ -263,7 +321,7 @@ async function judgeAction(action, context = "", auth, opts) {
     ...opts?.toolName && { tool_name: opts.toolName },
     ...opts?.model && { model: opts.model }
   };
-  const data = await postJson(url, body, opts);
+  const data = await postJudgeRequest(url, body, opts);
   return {
     verdict: normalizeVerdict(data.verdict),
     action_type: String(data.action_type || ""),
@@ -390,12 +448,213 @@ async function getSafetyStats(opts) {
   const result = await getJson(url, opts);
   return result?.data || result;
 }
+
+// src/config.ts
+var ALLOWED_JUDGE_HOSTS = /* @__PURE__ */ new Set([
+  "atbash.ai",
+  "www.atbash.ai"
+]);
+function validateJudgeEndpoint(judge) {
+  const policy = judge?.policy === "self-hosted" ? "self-hosted" : "default";
+  const candidate = judge?.endpoint?.trim() || DEFAULT_ENDPOINT;
+  let parsed;
+  try {
+    parsed = new URL(candidate);
+  } catch {
+    throw new Error(
+      `[atbash] invalid judge endpoint URL: ${candidate}. Refusing to load \u2014 fix the URL or omit it to use the default (${DEFAULT_ENDPOINT}).`
+    );
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error(
+      `[atbash] judge endpoint must use https:// (got "${parsed.protocol}"). Refusing to load \u2014 plaintext endpoints leak verdicts and enable trivial MITM bypass.`
+    );
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error(
+      `[atbash] judge endpoint must not contain credentials (user:pass@host). Refusing to load \u2014 credentials embedded in URLs leak to logs and process listings.`
+    );
+  }
+  const normalisedUrl = parsed.origin;
+  if (policy === "self-hosted") {
+    const verifyPubKey = judge?.verifyPubKey;
+    const key = verifyPubKey?.trim().toLowerCase();
+    if (!key || !/^[0-9a-f]{66}$/.test(key)) {
+      throw new Error(
+        `[atbash] judge endpoint policy "self-hosted" requires verifyPubKey to be a 66-hex-char compressed secp256k1 pubkey. Refusing to load \u2014 self-hosted judges must produce signed responses so the SDK can detect a malicious or compromised judge.`
+      );
+    }
+    return { url: normalisedUrl, policy, verifyPubKey: key };
+  }
+  if (!ALLOWED_JUDGE_HOSTS.has(parsed.hostname.toLowerCase())) {
+    throw new Error(
+      `[atbash] judge endpoint hostname "${parsed.hostname}" is not in the trusted allowlist. Allowed: ${[...ALLOWED_JUDGE_HOSTS].join(", ")}. To use a self-hosted judge, set BOTH policy="self-hosted" AND verifyPubKey to the 66-hex pubkey of your judge's response-signing key. Refusing to load \u2014 silent endpoint redirection is a known attack vector (F-003).`
+    );
+  }
+  return { url: normalisedUrl, policy, verifyPubKey: null };
+}
+
+// src/key-loader.ts
+var import_node_fs = require("fs");
+var import_node_os = require("os");
+var import_node_path = require("path");
+var DEFAULT_KEY_PATH_REL = ".config/atbash/guard-client-key";
+function resolveKeyPath(input) {
+  if (input) return expandHome(input);
+  const home = process.env.HOME || (0, import_node_os.homedir)() || "";
+  return (0, import_node_path.join)(home, DEFAULT_KEY_PATH_REL);
+}
+function expandHome(p) {
+  if (!p.startsWith("~/")) return p;
+  const home = process.env.HOME || (0, import_node_os.homedir)() || "";
+  return (0, import_node_path.join)(home, p.slice(2));
+}
+function readKeyFile(keyPath) {
+  const content = String((0, import_node_fs.readFileSync)(keyPath, "utf8") || "").trim();
+  let privKey = "";
+  let pubKey = "";
+  if (content.startsWith("{")) {
+    const creds = JSON.parse(content);
+    privKey = String(
+      creds.privKey || creds.privkey || creds.privateKey || ""
+    ).trim();
+    pubKey = String(
+      creds.pubKey || creds.pubkey || creds.publicKey || ""
+    ).trim();
+  } else {
+    const lines = content.split(/\r?\n/);
+    for (const line of lines) {
+      if (line.startsWith("privkey=")) privKey = line.slice("privkey=".length).trim();
+      if (line.startsWith("pubkey=")) pubKey = line.slice("pubkey=".length).trim();
+    }
+  }
+  if (!privKey || !pubKey) {
+    throw new Error(`atbash key file missing priv/pub key fields: ${keyPath}`);
+  }
+  privKey = privKey.replace(/^0x/, "");
+  return { privKey, pubKey };
+}
+function loadAgentFromFile(keyPath) {
+  const resolved = resolveKeyPath(keyPath);
+  const { privKey } = readKeyFile(resolved);
+  return loadAgent(privKey);
+}
+
+// src/factory.ts
+function createAtbashClient(config = {}) {
+  const validated = validateJudgeEndpoint(config.judge);
+  const failClosed = config.failClosed !== false;
+  const logger = config.logger ?? {};
+  const inlineKeyPair = config.keyPair;
+  const keyPath = inlineKeyPair ? null : config.keyPath;
+  if (validated.url !== DEFAULT_ENDPOINT) {
+    logger.warn?.("[atbash] running on non-default judge endpoint", {
+      endpoint: validated.url,
+      policy: validated.policy,
+      verifying: validated.verifyPubKey ? "with response-signature pubkey configured" : "without signature verification"
+    });
+  }
+  let cachedAgent = inlineKeyPair ? loadAgent(inlineKeyPair.privKey) : null;
+  function loadAgentOnce() {
+    if (cachedAgent) return cachedAgent;
+    cachedAgent = loadAgentFromFile(keyPath ?? void 0);
+    return cachedAgent;
+  }
+  function fail(reason, toolCallId) {
+    return { allow: !failClosed, verdict: "ERROR", reason, toolCallId };
+  }
+  return {
+    async auditToolCall(input) {
+      let agent;
+      try {
+        agent = loadAgentOnce();
+      } catch (err) {
+        const message = String(err?.message ?? err ?? "");
+        logger.warn?.("[atbash] failed to load key pair, blocking for safety", {
+          error: message
+        });
+        return fail("key load failed, blocking for safety");
+      }
+      const toolName = input.toolName || "unknown";
+      const argsJson = stringifyArgs(input.args);
+      const actionText = truncate(argsJson);
+      const contextText = input.context ?? toolName;
+      try {
+        logger.info?.("[atbash] judge API called", { tool: toolName });
+        const result = await judgeAction(actionText, contextText, agent, {
+          endpoint: validated.url,
+          verifyPubKey: validated.verifyPubKey ?? void 0,
+          toolName,
+          toolArgsJson: argsJson,
+          chainOpts: {
+            nodeUrls: config.nodeUrls,
+            blockchainRid: config.blockchainRid
+          }
+        });
+        if (result.verdict === "No verdict") {
+          return {
+            allow: true,
+            verdict: "ALLOW",
+            reason: result.reason || "audit tier \u2014 request logged on-chain, no AI enforcement",
+            toolCallId: result.tool_call_id
+          };
+        }
+        const action = result.action_type;
+        if (action === "block") {
+          return {
+            allow: false,
+            verdict: "BLOCK",
+            reason: result.reason,
+            toolCallId: result.tool_call_id
+          };
+        }
+        if (action === "hold_for_user_confirm") {
+          return {
+            allow: false,
+            verdict: "HOLD",
+            reason: result.reason || "held for human confirmation",
+            toolCallId: result.tool_call_id
+          };
+        }
+        if (action === "allow") {
+          const surfacedVerdict = result.verdict === "ALLOW" || result.verdict === "HOLD" || result.verdict === "BLOCK" ? result.verdict : "ALLOW";
+          return {
+            allow: true,
+            verdict: surfacedVerdict,
+            reason: result.reason,
+            toolCallId: result.tool_call_id
+          };
+        }
+        return fail("unrecognized action_type from judge", result.tool_call_id);
+      } catch (err) {
+        const message = String(err?.message ?? err ?? "");
+        logger.warn?.("[atbash] judge API failed", { reason: message });
+        return fail(message);
+      }
+    }
+  };
+}
+function stringifyArgs(args) {
+  if (args == null) return "";
+  if (typeof args === "string") return args;
+  try {
+    return JSON.stringify(args);
+  } catch {
+    return String(args);
+  }
+}
+var MAX_ACTION_LEN = 4e3;
+function truncate(text) {
+  if (text.length <= MAX_ACTION_LEN) return text;
+  return text.slice(0, MAX_ACTION_LEN) + "\u2026";
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   DEFAULT_BLOCKCHAIN_RID,
   DEFAULT_CHROMIA_NODE_URLS,
   DEFAULT_ENDPOINT,
   checkAgentExists,
+  createAtbashClient,
   derivePublicKey,
   generateKeyPair,
   getAgentDetail,
@@ -413,6 +672,10 @@ async function getSafetyStats(opts) {
   isValidPrivateKey,
   judgeAction,
   loadAgent,
+  loadAgentFromFile,
   logToolCall,
-  toPubkeyHex
+  resolveKeyPath,
+  toPubkeyHex,
+  validateJudgeEndpoint,
+  verifyJudgeResponseSignature
 });

package/dist/index.d.cts

@@ -40,6 +40,7 @@ interface JudgeOptions extends ClientOpts {
     toolName?: string;
     toolArgsJson?: string;
     chainOpts?: ChainOpts;
+    verifyPubKey?: string;
 }
 interface JudgmentStatus {
     status: JudgmentStatusState;
@@ -106,6 +107,46 @@ interface AgentPolicy {
     is_custom: boolean;
     default_policy: string;
 }
+type DecisionVerdict = "ALLOW" | "HOLD" | "BLOCK" | "ERROR";
+interface Decision {
+    allow: boolean;
+    verdict: DecisionVerdict;
+    reason?: string;
+    toolCallId?: string;
+}
+interface ToolCallInput {
+    toolName: string;
+    args?: unknown;
+    context?: string;
+}
+type JudgeEndpointConfig = {
+    policy?: "default";
+    endpoint?: string;
+} | {
+    policy: "self-hosted";
+    endpoint: string;
+    verifyPubKey: string;
+};
+interface ValidatedEndpoint {
+    url: string;
+    policy: "default" | "self-hosted";
+    verifyPubKey: string | null;
+}
+interface AtbashClientConfig {
+    judge?: JudgeEndpointConfig;
+    nodeUrls?: string[];
+    blockchainRid?: string;
+    keyPath?: string;
+    keyPair?: {
+        privKey: string;
+        pubKey: string;
+    };
+    failClosed?: boolean;
+    logger?: {
+        info?(...a: unknown[]): void;
+        warn?(...a: unknown[]): void;
+    };
+}
 
 declare const DEFAULT_ENDPOINT = "https://atbash.ai";
 declare const DEFAULT_CHROMIA_NODE_URLS: string[];
@@ -148,4 +189,19 @@ declare function getAgentDetail(agentPubkey: string, opts?: ClientOpts): Promise
 declare function getAgentPolicy(agentPubkey: string, opts?: ClientOpts): Promise<AgentPolicy>;
 declare function getSafetyStats(opts?: ClientOpts): Promise<Record<string, unknown>>;
 
-export { type ActionType, type AgentAuth, type AgentPolicy, type ChainOpts, type ClientOpts, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type HeldAction, type HeldActionReview, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type Tier, type TierInfo, type ToolCallFull, type ToolCallRecord, type Verdict, checkAgentExists, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, logToolCall, toPubkeyHex };
+interface AtbashClient {
+    auditToolCall(input: ToolCallInput): Promise<Decision>;
+}
+declare function createAtbashClient(config?: AtbashClientConfig): AtbashClient;
+
+declare function validateJudgeEndpoint(judge?: JudgeEndpointConfig): ValidatedEndpoint;
+
+declare function resolveKeyPath(input?: string): string;
+declare function loadAgentFromFile(keyPath?: string): AgentAuth;
+
+declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHex: string | null, pubKeyHex: string): {
+    ok: boolean;
+    reason?: string;
+};
+
+export { type ActionType, type AgentAuth, type AgentPolicy, type AtbashClient, type AtbashClientConfig, type ChainOpts, type ClientOpts, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, createAtbashClient, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, logToolCall, resolveKeyPath, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };

package/dist/index.d.ts

@@ -40,6 +40,7 @@ interface JudgeOptions extends ClientOpts {
     toolName?: string;
     toolArgsJson?: string;
     chainOpts?: ChainOpts;
+    verifyPubKey?: string;
 }
 interface JudgmentStatus {
     status: JudgmentStatusState;
@@ -106,6 +107,46 @@ interface AgentPolicy {
     is_custom: boolean;
     default_policy: string;
 }
+type DecisionVerdict = "ALLOW" | "HOLD" | "BLOCK" | "ERROR";
+interface Decision {
+    allow: boolean;
+    verdict: DecisionVerdict;
+    reason?: string;
+    toolCallId?: string;
+}
+interface ToolCallInput {
+    toolName: string;
+    args?: unknown;
+    context?: string;
+}
+type JudgeEndpointConfig = {
+    policy?: "default";
+    endpoint?: string;
+} | {
+    policy: "self-hosted";
+    endpoint: string;
+    verifyPubKey: string;
+};
+interface ValidatedEndpoint {
+    url: string;
+    policy: "default" | "self-hosted";
+    verifyPubKey: string | null;
+}
+interface AtbashClientConfig {
+    judge?: JudgeEndpointConfig;
+    nodeUrls?: string[];
+    blockchainRid?: string;
+    keyPath?: string;
+    keyPair?: {
+        privKey: string;
+        pubKey: string;
+    };
+    failClosed?: boolean;
+    logger?: {
+        info?(...a: unknown[]): void;
+        warn?(...a: unknown[]): void;
+    };
+}
 
 declare const DEFAULT_ENDPOINT = "https://atbash.ai";
 declare const DEFAULT_CHROMIA_NODE_URLS: string[];
@@ -148,4 +189,19 @@ declare function getAgentDetail(agentPubkey: string, opts?: ClientOpts): Promise
 declare function getAgentPolicy(agentPubkey: string, opts?: ClientOpts): Promise<AgentPolicy>;
 declare function getSafetyStats(opts?: ClientOpts): Promise<Record<string, unknown>>;
 
-export { type ActionType, type AgentAuth, type AgentPolicy, type ChainOpts, type ClientOpts, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type HeldAction, type HeldActionReview, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type Tier, type TierInfo, type ToolCallFull, type ToolCallRecord, type Verdict, checkAgentExists, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, logToolCall, toPubkeyHex };
+interface AtbashClient {
+    auditToolCall(input: ToolCallInput): Promise<Decision>;
+}
+declare function createAtbashClient(config?: AtbashClientConfig): AtbashClient;
+
+declare function validateJudgeEndpoint(judge?: JudgeEndpointConfig): ValidatedEndpoint;
+
+declare function resolveKeyPath(input?: string): string;
+declare function loadAgentFromFile(keyPath?: string): AgentAuth;
+
+declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHex: string | null, pubKeyHex: string): {
+    ok: boolean;
+    reason?: string;
+};
+
+export { type ActionType, type AgentAuth, type AgentPolicy, type AtbashClient, type AtbashClientConfig, type ChainOpts, type ClientOpts, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, createAtbashClient, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, logToolCall, resolveKeyPath, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };

package/dist/index.js

@@ -1,7 +1,35 @@
 // src/client.ts
 import { createECDH, randomBytes } from "crypto";
+import postchain2 from "postchain-client";
+
+// src/signature.ts
 import postchain from "postchain-client";
-var { createClient, encryption, newSignatureProvider } = postchain;
+var { encryption } = postchain;
+function verifyJudgeResponseSignature(bodyBytes, signatureHex, pubKeyHex) {
+  if (!signatureHex) {
+    return { ok: false, reason: "missing X-Atbash-Signature header" };
+  }
+  const sigClean = signatureHex.trim().toLowerCase().replace(/^0x/, "");
+  if (!/^[0-9a-f]+$/.test(sigClean) || sigClean.length < 64 || sigClean.length > 256) {
+    return { ok: false, reason: "malformed signature header" };
+  }
+  let isValid = false;
+  try {
+    const digest = encryption.sha256(Buffer.from(bodyBytes));
+    const pubKeyBytes = Buffer.from(pubKeyHex.replace(/^0x/, ""), "hex");
+    const sigBytes = Buffer.from(sigClean, "hex");
+    isValid = encryption.checkDigestSignature(digest, pubKeyBytes, sigBytes);
+  } catch (err) {
+    const message = String(
+      err?.message ?? err ?? ""
+    );
+    return { ok: false, reason: `signature verification threw: ${message}` };
+  }
+  return isValid ? { ok: true } : { ok: false, reason: "signature does not verify against configured verifyPubKey" };
+}
+
+// src/client.ts
+var { createClient, encryption: encryption2, newSignatureProvider } = postchain2;
 var DEFAULT_ENDPOINT = "https://atbash.ai";
 var DEFAULT_CHROMIA_NODE_URLS = [
   "https://node6.testnet.chromia.com:7740",
@@ -57,7 +85,7 @@ async function buildSignedTx(opName, args, auth, chainOpts) {
   const blockchainRid = chainOpts?.blockchainRid ?? DEFAULT_BLOCKCHAIN_RID;
   const client = await createClient({ nodeUrlPool: nodeUrls, blockchainRid });
   const privKeyBuf = Buffer.from(auth.privkey, "hex");
-  const keyPair = encryption.makeKeyPair(privKeyBuf);
+  const keyPair = encryption2.makeKeyPair(privKeyBuf);
   const sigProvider = newSignatureProvider({
     privKey: keyPair.privKey,
     pubKey: keyPair.pubKey
@@ -168,6 +196,31 @@ async function getJson(url, opts) {
   }
   return resp.json();
 }
+async function postJudgeRequest(url, body, opts) {
+  if (!opts?.verifyPubKey) {
+    return postJson(url, body, opts);
+  }
+  const resp = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: opts?.timeout ? AbortSignal.timeout(opts.timeout) : void 0
+  });
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => "");
+    throw enrichError(resp.status, text, resp.statusText, opts);
+  }
+  const buf = new Uint8Array(await resp.arrayBuffer());
+  const verdict = verifyJudgeResponseSignature(
+    buf,
+    resp.headers.get("X-Atbash-Signature"),
+    opts.verifyPubKey
+  );
+  if (!verdict.ok) {
+    throw new Error(`signature verification failed: ${verdict.reason}`);
+  }
+  return JSON.parse(new TextDecoder().decode(buf));
+}
 async function judgeAction(action, context = "", auth, opts) {
   if (!action || !action.trim()) {
     throw new Error("action is required and cannot be empty.");
@@ -205,7 +258,7 @@ async function judgeAction(action, context = "", auth, opts) {
     ...opts?.toolName && { tool_name: opts.toolName },
     ...opts?.model && { model: opts.model }
   };
-  const data = await postJson(url, body, opts);
+  const data = await postJudgeRequest(url, body, opts);
   return {
     verdict: normalizeVerdict(data.verdict),
     action_type: String(data.action_type || ""),
@@ -332,11 +385,212 @@ async function getSafetyStats(opts) {
   const result = await getJson(url, opts);
   return result?.data || result;
 }
+
+// src/config.ts
+var ALLOWED_JUDGE_HOSTS = /* @__PURE__ */ new Set([
+  "atbash.ai",
+  "www.atbash.ai"
+]);
+function validateJudgeEndpoint(judge) {
+  const policy = judge?.policy === "self-hosted" ? "self-hosted" : "default";
+  const candidate = judge?.endpoint?.trim() || DEFAULT_ENDPOINT;
+  let parsed;
+  try {
+    parsed = new URL(candidate);
+  } catch {
+    throw new Error(
+      `[atbash] invalid judge endpoint URL: ${candidate}. Refusing to load \u2014 fix the URL or omit it to use the default (${DEFAULT_ENDPOINT}).`
+    );
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error(
+      `[atbash] judge endpoint must use https:// (got "${parsed.protocol}"). Refusing to load \u2014 plaintext endpoints leak verdicts and enable trivial MITM bypass.`
+    );
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error(
+      `[atbash] judge endpoint must not contain credentials (user:pass@host). Refusing to load \u2014 credentials embedded in URLs leak to logs and process listings.`
+    );
+  }
+  const normalisedUrl = parsed.origin;
+  if (policy === "self-hosted") {
+    const verifyPubKey = judge?.verifyPubKey;
+    const key = verifyPubKey?.trim().toLowerCase();
+    if (!key || !/^[0-9a-f]{66}$/.test(key)) {
+      throw new Error(
+        `[atbash] judge endpoint policy "self-hosted" requires verifyPubKey to be a 66-hex-char compressed secp256k1 pubkey. Refusing to load \u2014 self-hosted judges must produce signed responses so the SDK can detect a malicious or compromised judge.`
+      );
+    }
+    return { url: normalisedUrl, policy, verifyPubKey: key };
+  }
+  if (!ALLOWED_JUDGE_HOSTS.has(parsed.hostname.toLowerCase())) {
+    throw new Error(
+      `[atbash] judge endpoint hostname "${parsed.hostname}" is not in the trusted allowlist. Allowed: ${[...ALLOWED_JUDGE_HOSTS].join(", ")}. To use a self-hosted judge, set BOTH policy="self-hosted" AND verifyPubKey to the 66-hex pubkey of your judge's response-signing key. Refusing to load \u2014 silent endpoint redirection is a known attack vector (F-003).`
+    );
+  }
+  return { url: normalisedUrl, policy, verifyPubKey: null };
+}
+
+// src/key-loader.ts
+import { readFileSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+var DEFAULT_KEY_PATH_REL = ".config/atbash/guard-client-key";
+function resolveKeyPath(input) {
+  if (input) return expandHome(input);
+  const home = process.env.HOME || homedir() || "";
+  return join(home, DEFAULT_KEY_PATH_REL);
+}
+function expandHome(p) {
+  if (!p.startsWith("~/")) return p;
+  const home = process.env.HOME || homedir() || "";
+  return join(home, p.slice(2));
+}
+function readKeyFile(keyPath) {
+  const content = String(readFileSync(keyPath, "utf8") || "").trim();
+  let privKey = "";
+  let pubKey = "";
+  if (content.startsWith("{")) {
+    const creds = JSON.parse(content);
+    privKey = String(
+      creds.privKey || creds.privkey || creds.privateKey || ""
+    ).trim();
+    pubKey = String(
+      creds.pubKey || creds.pubkey || creds.publicKey || ""
+    ).trim();
+  } else {
+    const lines = content.split(/\r?\n/);
+    for (const line of lines) {
+      if (line.startsWith("privkey=")) privKey = line.slice("privkey=".length).trim();
+      if (line.startsWith("pubkey=")) pubKey = line.slice("pubkey=".length).trim();
+    }
+  }
+  if (!privKey || !pubKey) {
+    throw new Error(`atbash key file missing priv/pub key fields: ${keyPath}`);
+  }
+  privKey = privKey.replace(/^0x/, "");
+  return { privKey, pubKey };
+}
+function loadAgentFromFile(keyPath) {
+  const resolved = resolveKeyPath(keyPath);
+  const { privKey } = readKeyFile(resolved);
+  return loadAgent(privKey);
+}
+
+// src/factory.ts
+function createAtbashClient(config = {}) {
+  const validated = validateJudgeEndpoint(config.judge);
+  const failClosed = config.failClosed !== false;
+  const logger = config.logger ?? {};
+  const inlineKeyPair = config.keyPair;
+  const keyPath = inlineKeyPair ? null : config.keyPath;
+  if (validated.url !== DEFAULT_ENDPOINT) {
+    logger.warn?.("[atbash] running on non-default judge endpoint", {
+      endpoint: validated.url,
+      policy: validated.policy,
+      verifying: validated.verifyPubKey ? "with response-signature pubkey configured" : "without signature verification"
+    });
+  }
+  let cachedAgent = inlineKeyPair ? loadAgent(inlineKeyPair.privKey) : null;
+  function loadAgentOnce() {
+    if (cachedAgent) return cachedAgent;
+    cachedAgent = loadAgentFromFile(keyPath ?? void 0);
+    return cachedAgent;
+  }
+  function fail(reason, toolCallId) {
+    return { allow: !failClosed, verdict: "ERROR", reason, toolCallId };
+  }
+  return {
+    async auditToolCall(input) {
+      let agent;
+      try {
+        agent = loadAgentOnce();
+      } catch (err) {
+        const message = String(err?.message ?? err ?? "");
+        logger.warn?.("[atbash] failed to load key pair, blocking for safety", {
+          error: message
+        });
+        return fail("key load failed, blocking for safety");
+      }
+      const toolName = input.toolName || "unknown";
+      const argsJson = stringifyArgs(input.args);
+      const actionText = truncate(argsJson);
+      const contextText = input.context ?? toolName;
+      try {
+        logger.info?.("[atbash] judge API called", { tool: toolName });
+        const result = await judgeAction(actionText, contextText, agent, {
+          endpoint: validated.url,
+          verifyPubKey: validated.verifyPubKey ?? void 0,
+          toolName,
+          toolArgsJson: argsJson,
+          chainOpts: {
+            nodeUrls: config.nodeUrls,
+            blockchainRid: config.blockchainRid
+          }
+        });
+        if (result.verdict === "No verdict") {
+          return {
+            allow: true,
+            verdict: "ALLOW",
+            reason: result.reason || "audit tier \u2014 request logged on-chain, no AI enforcement",
+            toolCallId: result.tool_call_id
+          };
+        }
+        const action = result.action_type;
+        if (action === "block") {
+          return {
+            allow: false,
+            verdict: "BLOCK",
+            reason: result.reason,
+            toolCallId: result.tool_call_id
+          };
+        }
+        if (action === "hold_for_user_confirm") {
+          return {
+            allow: false,
+            verdict: "HOLD",
+            reason: result.reason || "held for human confirmation",
+            toolCallId: result.tool_call_id
+          };
+        }
+        if (action === "allow") {
+          const surfacedVerdict = result.verdict === "ALLOW" || result.verdict === "HOLD" || result.verdict === "BLOCK" ? result.verdict : "ALLOW";
+          return {
+            allow: true,
+            verdict: surfacedVerdict,
+            reason: result.reason,
+            toolCallId: result.tool_call_id
+          };
+        }
+        return fail("unrecognized action_type from judge", result.tool_call_id);
+      } catch (err) {
+        const message = String(err?.message ?? err ?? "");
+        logger.warn?.("[atbash] judge API failed", { reason: message });
+        return fail(message);
+      }
+    }
+  };
+}
+function stringifyArgs(args) {
+  if (args == null) return "";
+  if (typeof args === "string") return args;
+  try {
+    return JSON.stringify(args);
+  } catch {
+    return String(args);
+  }
+}
+var MAX_ACTION_LEN = 4e3;
+function truncate(text) {
+  if (text.length <= MAX_ACTION_LEN) return text;
+  return text.slice(0, MAX_ACTION_LEN) + "\u2026";
+}
 export {
   DEFAULT_BLOCKCHAIN_RID,
   DEFAULT_CHROMIA_NODE_URLS,
   DEFAULT_ENDPOINT,
   checkAgentExists,
+  createAtbashClient,
   derivePublicKey,
   generateKeyPair,
   getAgentDetail,
@@ -354,6 +608,10 @@ export {
   isValidPrivateKey,
   judgeAction,
   loadAgent,
+  loadAgentFromFile,
   logToolCall,
-  toPubkeyHex
+  resolveKeyPath,
+  toPubkeyHex,
+  validateJudgeEndpoint,
+  verifyJudgeResponseSignature
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atbash/sdk",
-  "version": "0.3.6",
+  "version": "0.3.7",
   "description": "Atbash SDK — control boundary before the last irreversible step in an agent workflow",
   "homepage": "https://atbash.ai",
   "author": "Atbash",