npm - @attestly/compliance-core - Versions diffs - 0.1.0 - Mend

@attestly/compliance-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,83 @@
+# @attestly/compliance-core
+A zero-latency, Web Standard-based SDK that strictly enforces AI compliance at the route boundary, *before* your API executes.
+Built specifically to shift **EU AI Act Compliance**, **Model Version Locking**, and **PII Scrubbing** to the absolute left of your development cycle, without adding any overhead to your production environment.
+## 🚀 Key Value Propositions
+- **Zero-Dependency Core**: The SDK is incredibly lightweight and natively relies on Web Standard `Request` and `Response` objects. No heavy AST parsers or backend-bloat.
+- **Zero-Latency (TTFB Protected)**: Validation runs entirely synchronously in milliseconds. In production, the wrapper acts as a near-zero-cost pass-through unless explicitly configured to intercept.
+- **EU AI Act Shift-Left**: Catches Prohibited Practices (Article 5), auto-escalates High-Risk domains (like Law Enforcement or Biometrics), and strictly enforces required metadata traceability according to EU regulations.
+- **Vercel AI SDK First**: Out-of-the-box support for streaming UIs. It inspects the prompt, scrubs PII, and returns the native `DataStreamResponse` totally untouched so your Lighthouse scores remain pinned at 100.
+## 📦 Installation
+```bash
+npm install @attestly/compliance-core
+```
+## 🛠 Setup & Initialization
+Instead of hand-coding your manifest, use our interactive CLI to intelligently scan your local codebase and generate a compliant `ai-manifest.json`.
+```bash
+npx @attestly/cli init
+```
+The CLI will:
+1. Scan your project for AI model strings (e.g., `gpt-4o`, `claude-3-opus`).
+2. Ask you to classify your primary System Domain under the EU AI Act.
+3. Automatically escalate the risk category if you select high-risk domains.
+4. Output your locked-down `ai-manifest.json`.
+## 💻 Usage
+Wrap your existing API routes in Next.js, Remix, or Hono.
+### Standard API Route
+```typescript
+import { withAttestlyCompliance } from '@attestly/compliance-core';
+import manifest from '../../ai-manifest.json';
+async function handler(req: Request) {
+  // Your standard LLM logic here...
+  return new Response(JSON.stringify({ success: true }));
+}
+export const POST = withAttestlyCompliance(handler, manifest);
+```
+### Streaming API Route (Vercel AI SDK)
+```typescript
+import { withAttestlyStream } from '@attestly/compliance-core';
+import { streamText } from 'ai';
+import { openai } from '@ai-sdk/openai';
+import manifest from '../../ai-manifest.json';
+async function handler(req: Request) {
+  const result = await streamText({
+    model: openai('gpt-4-0613'),
+    prompt: 'Hello world',
+  });
+  return result.toDataStreamResponse();
+}
+export const POST = withAttestlyStream(handler, manifest);
+```
+## 📊 Attestly Studio (Local Telemetry)
+You don't need to deploy to test your compliance barriers! Spin up the Attestly Studio right inside your terminal to see a real-time, local dashboard of your AI traffic.
+```bash
+npx @attestly/cli studio
+```
+This launches a local dashboard at `http://localhost:5050`.
+- **Real-Time Feed**: Watch your local API requests stream in.
+- **Inspector**: Click on a request to see the raw payload, the PII-scrubbed output, and any triggered EU AI Act violations.
+- **Handoff**: Click the "Generate Trust Center" button to seamlessly hand off your local manifest to the Attestly SaaS platform to generate a public, SOC2-ready Trust Center!

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,52 @@
+interface AiManifest {
+    /**
+     * Allowed AI models. Must be version-locked (e.g., 'gpt-4-0613' instead of 'gpt-4').
+     */
+    allowedModels: string[];
+    /**
+     * Required metadata tags for traceability. These keys must be present in the request payload or headers.
+     */
+    requiredMetadata: string[];
+    /**
+     * PII scrubbing configuration.
+     */
+    piiScrubbing: {
+        level: 'off' | 'standard' | 'strict';
+        redactString?: string;
+        customRegex?: string[];
+    };
+    /**
+     * EU AI Act Risk Category classification.
+     */
+    euRiskCategory: 'minimal' | 'limited' | 'high' | 'gpai';
+    /**
+     * Use case context domain under the EU AI Act.
+     */
+    systemDomain: 'general' | 'law-enforcement' | 'education' | 'employment' | 'critical-infrastructure' | 'biometrics';
+    /**
+     * Flag for explicit prohibited practices under Article 5 of the EU AI Act.
+     */
+    prohibitedPractices?: {
+        realTimeBiometrics?: boolean;
+        socialScoring?: boolean;
+        emotionRecognition?: boolean;
+        manipulativeAI?: boolean;
+        untargetedScraping?: boolean;
+    };
+}
+type RequestHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;
+/**
+ * A higher-order function that wraps a standard Web API Request handler
+ * to enforce AI compliance according to the provided manifest.
+ */
+declare function withAttestlyCompliance(handler: RequestHandler, manifest: AiManifest): RequestHandler;
+type StreamHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;
+/**
+ * A specialized wrapper for the Vercel AI SDK streams.
+ * Performs a synchronous compliance check upfront and returns the native stream untouched.
+ */
+declare function withAttestlyStream(handler: StreamHandler, manifest: AiManifest): StreamHandler;
+export { type AiManifest, type RequestHandler, type StreamHandler, withAttestlyCompliance, withAttestlyStream };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,52 @@
+interface AiManifest {
+    /**
+     * Allowed AI models. Must be version-locked (e.g., 'gpt-4-0613' instead of 'gpt-4').
+     */
+    allowedModels: string[];
+    /**
+     * Required metadata tags for traceability. These keys must be present in the request payload or headers.
+     */
+    requiredMetadata: string[];
+    /**
+     * PII scrubbing configuration.
+     */
+    piiScrubbing: {
+        level: 'off' | 'standard' | 'strict';
+        redactString?: string;
+        customRegex?: string[];
+    };
+    /**
+     * EU AI Act Risk Category classification.
+     */
+    euRiskCategory: 'minimal' | 'limited' | 'high' | 'gpai';
+    /**
+     * Use case context domain under the EU AI Act.
+     */
+    systemDomain: 'general' | 'law-enforcement' | 'education' | 'employment' | 'critical-infrastructure' | 'biometrics';
+    /**
+     * Flag for explicit prohibited practices under Article 5 of the EU AI Act.
+     */
+    prohibitedPractices?: {
+        realTimeBiometrics?: boolean;
+        socialScoring?: boolean;
+        emotionRecognition?: boolean;
+        manipulativeAI?: boolean;
+        untargetedScraping?: boolean;
+    };
+}
+type RequestHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;
+/**
+ * A higher-order function that wraps a standard Web API Request handler
+ * to enforce AI compliance according to the provided manifest.
+ */
+declare function withAttestlyCompliance(handler: RequestHandler, manifest: AiManifest): RequestHandler;
+type StreamHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;
+/**
+ * A specialized wrapper for the Vercel AI SDK streams.
+ * Performs a synchronous compliance check upfront and returns the native stream untouched.
+ */
+declare function withAttestlyStream(handler: StreamHandler, manifest: AiManifest): StreamHandler;
+export { type AiManifest, type RequestHandler, type StreamHandler, withAttestlyCompliance, withAttestlyStream };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,212 @@
+'use strict';
+// src/utils/errors.ts
+function createComplianceError(errors) {
+  const primaryCode = errors.length > 0 ? errors[0].code : "BLOCK_ENFORCED";
+  return new Response(
+    JSON.stringify({
+      error: "AttestlyComplianceViolation",
+      code: primaryCode,
+      details: errors
+    }),
+    {
+      status: 400,
+      headers: {
+        "Content-Type": "application/json",
+        "X-Attestly-Blocked": "true"
+      }
+    }
+  );
+}
+// src/utils/validator.ts
+function validateManifest(payload, headers, manifest) {
+  const errors = [];
+  if (payload && payload.model) {
+    const model = String(payload.model);
+    if (!manifest.allowedModels.includes(model)) {
+      errors.push({
+        code: "UNAUTHORIZED_MODEL",
+        message: `Model '${model}' is not in the allowedModels list.`
+      });
+    }
+    const versionRegex = /-[0-9]+(-[0-9]+)*$/;
+    if (!versionRegex.test(model)) {
+      errors.push({
+        code: "INVALID_MODEL_VERSION",
+        message: `Model '${model}' must contain a strict version or date suffix (e.g., 'gpt-4-0613').`
+      });
+    }
+  }
+  for (const requiredKey of manifest.requiredMetadata) {
+    const hasInPayload = payload && payload[requiredKey] !== void 0;
+    const hasInHeader = headers.has(requiredKey) || headers.has(`x-${requiredKey}`);
+    if (!hasInPayload && !hasInHeader) {
+      errors.push({
+        code: "MISSING_REQUIRED_METADATA",
+        message: `Missing required metadata: '${requiredKey}'.`
+      });
+    }
+  }
+  if (manifest.prohibitedPractices) {
+    const practices = Object.entries(manifest.prohibitedPractices);
+    for (const [practice, isEnabled] of practices) {
+      if (isEnabled === true) {
+        errors.push({
+          code: "EU_PROHIBITED_PRACTICE",
+          message: `Under Article 5 of the EU AI Act, the practice '${practice}' is prohibited. Execution blocked.`
+        });
+      }
+    }
+  }
+  if (manifest.systemDomain === "law-enforcement" || manifest.systemDomain === "biometrics") {
+    if (manifest.euRiskCategory === "minimal" || manifest.euRiskCategory === "limited") {
+      errors.push({
+        code: "EU_RISK_MISCLASSIFICATION",
+        message: `Under Annex III of the EU AI Act, ${manifest.systemDomain} systems are automatically high-risk. Cannot be classified as ${manifest.euRiskCategory}.`
+      });
+    }
+  }
+  if (manifest.euRiskCategory === "high") {
+    const hasSession = payload && payload.sessionId !== void 0 || headers.has("sessionId") || headers.has("x-sessionId");
+    const hasUserId = payload && payload.userId !== void 0 || headers.has("userId") || headers.has("x-userId");
+    const hasPurpose = payload && payload.purpose !== void 0 || headers.has("purpose") || headers.has("x-purpose");
+    if (!hasSession && !hasUserId && !hasPurpose) {
+      errors.push({
+        code: "MISSING_HIGH_RISK_TRACEABILITY",
+        message: "Under the EU AI Act, High-Risk systems require strict logging traceability. Missing metadata like sessionId, userId, or purpose."
+      });
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+// src/utils/scrubber.ts
+var STANDARD_PII_REGEX = [
+  // Emails
+  /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+  // US SSN
+  /\b\d{3}-\d{2}-\d{4}\b/g,
+  // 16-digit Credit Cards (simple)
+  /\b(?:\d[ -]*?){13,16}\b/g,
+  // Generic API Keys (e.g., sk-..., AKIA...)
+  /\b(sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16})\b/g
+];
+function scrubPayload(text, config) {
+  if (config.level === "off") {
+    return text;
+  }
+  if (config.level === "strict") {
+    throw new Error("NotImplemented: Strict PII scrubbing is reserved for the Attestly backend ML engine.");
+  }
+  let scrubbed = text;
+  const redactString = config.redactString ?? "[REDACTED]";
+  if (config.level === "standard") {
+    for (const regex of STANDARD_PII_REGEX) {
+      scrubbed = scrubbed.replace(regex, redactString);
+    }
+  }
+  if (config.customRegex && config.customRegex.length > 0) {
+    for (const pattern of config.customRegex) {
+      try {
+        const regex = new RegExp(pattern, "g");
+        scrubbed = scrubbed.replace(regex, redactString);
+      } catch (e) {
+        console.warn("Invalid custom regex pattern in PII scrubber:", pattern);
+      }
+    }
+  }
+  return scrubbed;
+}
+function scrubObject(obj, config) {
+  if (config.level === "off") return obj;
+  if (!obj) return obj;
+  if (typeof obj === "string") {
+    return scrubPayload(obj, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => scrubObject(item, config));
+  }
+  if (typeof obj === "object") {
+    const scrubbedObj = {};
+    for (const [key, value] of Object.entries(obj)) {
+      scrubbedObj[key] = scrubObject(value, config);
+    }
+    return scrubbedObj;
+  }
+  return obj;
+}
+// src/middleware/withCompliance.ts
+function withAttestlyCompliance(handler, manifest) {
+  return async (req, ...args) => {
+    let clonedReq = req.clone();
+    let payload = null;
+    try {
+      if (clonedReq.headers.get("content-type")?.includes("application/json")) {
+        payload = await clonedReq.json();
+      }
+    } catch (e) {
+    }
+    if (process.env.NODE_ENV === "development") {
+      const { valid, errors } = validateManifest(payload, req.headers, manifest);
+      if (!valid) {
+        return createComplianceError(errors);
+      }
+    }
+    if (payload && manifest.piiScrubbing.level !== "off") {
+      const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);
+      const newReq = new Request(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: JSON.stringify(scrubbedPayload),
+        // @ts-ignore - some environments require duplex for streaming requests
+        duplex: "half"
+      });
+      return handler(newReq, ...args);
+    }
+    return handler(req, ...args);
+  };
+}
+// src/middleware/withStream.ts
+function withAttestlyStream(handler, manifest) {
+  return async (req, ...args) => {
+    let clonedReq = req.clone();
+    let payload = null;
+    try {
+      if (clonedReq.headers.get("content-type")?.includes("application/json")) {
+        payload = await clonedReq.json();
+      }
+    } catch (e) {
+    }
+    if (process.env.NODE_ENV === "development") {
+      const { valid, errors } = validateManifest(payload, req.headers, manifest);
+      if (!valid) {
+        const errorMessages = errors.map((e) => `[${e.code}] ${e.message}`).join("\n");
+        throw new Error(`Attestly Compliance Stream Check Failed:
+${errorMessages}`);
+      }
+    }
+    if (payload && manifest.piiScrubbing.level !== "off") {
+      const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);
+      const newReq = new Request(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: JSON.stringify(scrubbedPayload),
+        // @ts-ignore
+        duplex: "half"
+      });
+      return handler(newReq, ...args);
+    }
+    return handler(req, ...args);
+  };
+}
+exports.withAttestlyCompliance = withAttestlyCompliance;
+exports.withAttestlyStream = withAttestlyStream;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/utils/errors.ts","../src/utils/validator.ts","../src/utils/scrubber.ts","../src/middleware/withCompliance.ts","../src/middleware/withStream.ts"],"names":[],"mappings":";;;AAEO,SAAS,sBAAsB,MAAA,EAAqC;AAGzE,EAAA,MAAM,cAAc,MAAA,CAAO,MAAA,GAAS,IAAI,MAAA,CAAO,CAAC,EAAE,IAAA,GAAO,gBAAA;AAEzD,EAAA,OAAO,IAAI,QAAA;AAAA,IACT,KAAK,SAAA,CAAU;AAAA,MACb,KAAA,EAAO,6BAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,IACD;AAAA,MACE,MAAA,EAAQ,GAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,oBAAA,EAAsB;AAAA;AACxB;AACF,GACF;AACF;;;ACdO,SAAS,gBAAA,CACd,OAAA,EACA,OAAA,EACA,QAAA,EAC+C;AAC/C,EAAA,MAAM,SAA4B,EAAC;AAOnC,EAAA,IAAI,OAAA,IAAW,QAAQ,KAAA,EAAO;AAC5B,IAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA;AAGlC,IAAA,IAAI,CAAC,QAAA,CAAS,aAAA,CAAc,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3C,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,oBAAA;AAAA,QACN,OAAA,EAAS,UAAU,KAAK,CAAA,mCAAA;AAAA,OACzB,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,YAAA,GAAe,oBAAA;AACrB,IAAA,IAAI,CAAC,YAAA,CAAa,IAAA,CAAK,KAAK,CAAA,EAAG;AAC7B,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,uBAAA;AAAA,QACN,OAAA,EAAS,UAAU,KAAK,CAAA,oEAAA;AAAA,OACzB,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,WAAA,IAAe,SAAS,gBAAA,EAAkB;AACnD,IAAA,MAAM,YAAA,GAAe,OAAA,IAAW,OAAA,CAAQ,WAAW,CAAA,KAAM,MAAA;AACzD,IAAA,MAAM,WAAA,GAAc,QAAQ,GAAA,CAAI,WAAW,KAAK,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAA,EAAK,WAAW,CAAA,CAAE,CAAA;AAE9E,IAAA,IAAI,CAAC,YAAA,IAAgB,CAAC,WAAA,EAAa;AACjC,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,2BAAA;AAAA,QACN,OAAA,EAAS,+BAA+B,WAAW,CAAA,EAAA;AAAA,OACpD,CAAA;AAAA,IACH;AAAA,EACF;AAOA,EAAA,IAAI,SAAS,mBAAA,EAAqB;AAChC,IAAA,MAAM,SAAA,GAAY,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,mBAAmB,CAAA;AAC7D,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,SAAS,CAAA,IAAK,SAAA,EAAW;AAC7C,MAAA,IAAI,cAAc,IAAA,EAAM;AACtB,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,IAAA,EAAM,wBAAA;AAAA,UACN,OAAA,EAAS,mDAAmD,QAAQ,CAAA,mCAAA;AAAA,SACrE,CAAA;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,QAAA,CAAS,YAAA,KAAiB,iBAAA,IAAqB,QAAA,CAAS,iBAAiB,YAAA,EAAc;AACzF,IAAA,IAAI,QAAA,CAAS,cAAA,KAAmB,SAAA,IAAa,QAAA,CAAS,mBAAmB,SAAA,EAAW;AAClF,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,2BAAA;AAAA,QACN,SAAS,CAAA,kCAAA,EAAqC,QAAA,CAAS,YAAY,CAAA,8DAAA,EAAiE,SAAS,cAAc,CAAA,CAAA;AAAA,OAC5J,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,IAAI,QAAA,CAAS,mBAAmB,MAAA,EAAQ;AACtC,IAAA,MAAM,UAAA,GAAc,OAAA,IAAW,OAAA,CAAQ,SAAA,KAAc,MAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,IAAK,OAAA,CAAQ,GAAA,CAAI,aAAa,CAAA;AACxH,IAAA,MAAM,SAAA,GAAa,OAAA,IAAW,OAAA,CAAQ,MAAA,KAAW,MAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA,IAAK,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC9G,IAAA,MAAM,UAAA,GAAc,OAAA,IAAW,OAAA,CAAQ,OAAA,KAAY,MAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,SAAS,CAAA,IAAK,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA;AAOlH,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,SAAA,IAAa,CAAC,UAAA,EAAY;AAC5C,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,gCAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,IACzB;AAAA,GACF;AACF;;;ACrGA,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEzB,iDAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,0BAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAEO,SAAS,YAAA,CACd,MACA,MAAA,EACQ;AACR,EAAA,IAAI,MAAA,CAAO,UAAU,KAAA,EAAO;AAC1B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,MAAA,CAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,MAAM,IAAI,MAAM,sFAAsF,CAAA;AAAA,EACxG;AAEA,EAAA,IAAI,QAAA,GAAW,IAAA;AACf,EAAA,MAAM,YAAA,GAAe,OAAO,YAAA,IAAgB,YAAA;AAE5C,EAAA,IAAI,MAAA,CAAO,UAAU,UAAA,EAAY;AAC/B,IAAA,KAAA,MAAW,SAAS,kBAAA,EAAoB;AACtC,MAAA,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,KAAA,EAAO,YAAY,CAAA;AAAA,IACjD;AAAA,EACF;AAEA,EAAA,IAAI,MAAA,CAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA,EAAG;AACvD,IAAA,KAAA,MAAW,OAAA,IAAW,OAAO,WAAA,EAAa;AACxC,MAAA,IAAI;AACF,QAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAA,EAAS,GAAG,CAAA;AACrC,QAAA,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,KAAA,EAAO,YAAY,CAAA;AAAA,MACjD,SAAS,CAAA,EAAG;AAEV,QAAA,OAAA,CAAQ,IAAA,CAAK,iDAAiD,OAAO,CAAA;AAAA,MACvE;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,QAAA;AACT;AAEO,SAAS,WAAA,CACd,KACA,MAAA,EACK;AACL,EAAA,IAAI,MAAA,CAAO,KAAA,KAAU,KAAA,EAAO,OAAO,GAAA;AACnC,EAAA,IAAI,CAAC,KAAK,OAAO,GAAA;AAEjB,EAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA,OAAO,YAAA,CAAa,KAAK,MAAM,CAAA;AAAA,EACjC;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,WAAA,CAAY,IAAA,EAAM,MAAM,CAAC,CAAA;AAAA,EAClD;AAEA,EAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA,MAAM,cAAmB,EAAC;AAC1B,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC9C,MAAA,WAAA,CAAY,GAAG,CAAA,GAAI,WAAA,CAAY,KAAA,EAAO,MAAM,CAAA;AAAA,IAC9C;AACA,IAAA,OAAO,WAAA;AAAA,EACT;AAEA,EAAA,OAAO,GAAA;AACT;;;AC9DO,SAAS,sBAAA,CACd,SACA,QAAA,EACgB;AAChB,EAAA,OAAO,OAAO,QAAiB,IAAA,KAAgB;AAI7C,IAAA,IAAI,SAAA,GAAY,IAAI,KAAA,EAAM;AAC1B,IAAA,IAAI,OAAA,GAAU,IAAA;AAEd,IAAA,IAAI;AACF,MAAA,IAAI,UAAU,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,QAAA,CAAS,kBAAkB,CAAA,EAAG;AACvE,QAAA,OAAA,GAAU,MAAM,UAAU,IAAA,EAAK;AAAA,MACjC;AAAA,IACF,SAAS,CAAA,EAAG;AAAA,IAEZ;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,EAAe;AAC1C,MAAA,MAAM,EAAE,OAAO,MAAA,EAAO,GAAI,iBAAiB,OAAA,EAAS,GAAA,CAAI,SAAS,QAAQ,CAAA;AAEzE,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,OAAO,sBAAsB,MAAM,CAAA;AAAA,MACrC;AAAA,IACF;AAMA,IAAA,IAAI,OAAA,IAAW,QAAA,CAAS,YAAA,CAAa,KAAA,KAAU,KAAA,EAAO;AACpD,MAAA,MAAM,eAAA,GAAkB,WAAA,CAAY,OAAA,EAAS,QAAA,CAAS,YAAY,CAAA;AAClE,MAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK;AAAA,QAClC,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,SAAS,GAAA,CAAI,OAAA;AAAA,QACb,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,eAAe,CAAA;AAAA;AAAA,QAEpC,MAAA,EAAQ;AAAA,OACT,CAAA;AACD,MAAA,OAAO,OAAA,CAAQ,MAAA,EAAQ,GAAG,IAAI,CAAA;AAAA,IAChC;AAGA,IAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAG,IAAI,CAAA;AAAA,EAC7B,CAAA;AACF;;;AC/CO,SAAS,kBAAA,CACd,SACA,QAAA,EACe;AACf,EAAA,OAAO,OAAO,QAAiB,IAAA,KAAgB;AAC7C,IAAA,IAAI,SAAA,GAAY,IAAI,KAAA,EAAM;AAC1B,IAAA,IAAI,OAAA,GAAU,IAAA;AAEd,IAAA,IAAI;AACF,MAAA,IAAI,UAAU,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,QAAA,CAAS,kBAAkB,CAAA,EAAG;AACvE,QAAA,OAAA,GAAU,MAAM,UAAU,IAAA,EAAK;AAAA,MACjC;AAAA,IACF,SAAS,CAAA,EAAG;AAAA,IAEZ;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,EAAe;AAC1C,MAAA,MAAM,EAAE,OAAO,MAAA,EAAO,GAAI,iBAAiB,OAAA,EAAS,GAAA,CAAI,SAAS,QAAQ,CAAA;AAEzE,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAA,EAAI,CAAA,CAAE,IAAI,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE,CAAA,CAAE,KAAK,IAAI,CAAA;AAC3E,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA;AAAA,EAA8C,aAAa,CAAA,CAAE,CAAA;AAAA,MAC/E;AAAA,IACF;AAEA,IAAA,IAAI,OAAA,IAAW,QAAA,CAAS,YAAA,CAAa,KAAA,KAAU,KAAA,EAAO;AACpD,MAAA,MAAM,eAAA,GAAkB,WAAA,CAAY,OAAA,EAAS,QAAA,CAAS,YAAY,CAAA;AAClE,MAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK;AAAA,QAClC,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,SAAS,GAAA,CAAI,OAAA;AAAA,QACb,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,eAAe,CAAA;AAAA;AAAA,QAEpC,MAAA,EAAQ;AAAA,OACT,CAAA;AACD,MAAA,OAAO,OAAA,CAAQ,MAAA,EAAQ,GAAG,IAAI,CAAA;AAAA,IAChC;AAGA,IAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAG,IAAI,CAAA;AAAA,EAC7B,CAAA;AACF","file":"index.js","sourcesContent":["import type { ValidationError } from './validator';\r\n\r\nexport function createComplianceError(errors: ValidationError[]): Response {\r\n // Use the code from the first error as the primary telemetry code, \r\n // or default to BLOCK_ENFORCED if none exists.\r\n const primaryCode = errors.length > 0 ? errors[0].code : 'BLOCK_ENFORCED';\r\n \r\n return new Response(\r\n JSON.stringify({\r\n error: 'AttestlyComplianceViolation',\r\n code: primaryCode,\r\n details: errors\r\n }),\r\n {\r\n status: 400,\r\n headers: {\r\n 'Content-Type': 'application/json',\r\n 'X-Attestly-Blocked': 'true'\r\n }\r\n }\r\n );\r\n}\r\n","import { AiManifest } from '../types';\r\n\r\nexport interface ValidationError {\r\n code: string;\r\n message: string;\r\n}\r\n\r\nexport function validateManifest(\r\n payload: any,\r\n headers: Headers,\r\n manifest: AiManifest\r\n): { valid: boolean; errors: ValidationError[] } {\r\n const errors: ValidationError[] = [];\r\n\r\n // ---------------------------------------------------------\r\n // Existing Rules\r\n // ---------------------------------------------------------\r\n\r\n // Rule 1: Strict Model Locking\r\n if (payload && payload.model) {\r\n const model = String(payload.model);\r\n \r\n // Check against allowedModels\r\n if (!manifest.allowedModels.includes(model)) {\r\n errors.push({\r\n code: 'UNAUTHORIZED_MODEL',\r\n message: `Model '${model}' is not in the allowedModels list.`\r\n });\r\n }\r\n\r\n // Enforce version/date suffixes regex\r\n const versionRegex = /-[0-9]+(-[0-9]+)*$/;\r\n if (!versionRegex.test(model)) {\r\n errors.push({\r\n code: 'INVALID_MODEL_VERSION',\r\n message: `Model '${model}' must contain a strict version or date suffix (e.g., 'gpt-4-0613').`\r\n });\r\n }\r\n }\r\n\r\n // Rule 2: Traceability\r\n for (const requiredKey of manifest.requiredMetadata) {\r\n const hasInPayload = payload && payload[requiredKey] !== undefined;\r\n const hasInHeader = headers.has(requiredKey) || headers.has(`x-${requiredKey}`);\r\n\r\n if (!hasInPayload && !hasInHeader) {\r\n errors.push({\r\n code: 'MISSING_REQUIRED_METADATA',\r\n message: `Missing required metadata: '${requiredKey}'.`\r\n });\r\n }\r\n }\r\n\r\n // ---------------------------------------------------------\r\n // EU AI Act Rules\r\n // ---------------------------------------------------------\r\n\r\n // Rule A (The Kill Switch): Prohibited Practices\r\n if (manifest.prohibitedPractices) {\r\n const practices = Object.entries(manifest.prohibitedPractices);\r\n for (const [practice, isEnabled] of practices) {\r\n if (isEnabled === true) {\r\n errors.push({\r\n code: 'EU_PROHIBITED_PRACTICE',\r\n message: `Under Article 5 of the EU AI Act, the practice '${practice}' is prohibited. Execution blocked.`\r\n });\r\n }\r\n }\r\n }\r\n\r\n // Rule B (Law Enforcement Escalation): Auto-classify high-risk domains\r\n if (manifest.systemDomain === 'law-enforcement' || manifest.systemDomain === 'biometrics') {\r\n if (manifest.euRiskCategory === 'minimal' || manifest.euRiskCategory === 'limited') {\r\n errors.push({\r\n code: 'EU_RISK_MISCLASSIFICATION',\r\n message: `Under Annex III of the EU AI Act, ${manifest.systemDomain} systems are automatically high-risk. Cannot be classified as ${manifest.euRiskCategory}.`\r\n });\r\n }\r\n }\r\n\r\n // Rule C (Conditional Traceability): High-Risk requires strict logging\r\n if (manifest.euRiskCategory === 'high') {\r\n const hasSession = (payload && payload.sessionId !== undefined) || headers.has('sessionId') || headers.has('x-sessionId');\r\n const hasUserId = (payload && payload.userId !== undefined) || headers.has('userId') || headers.has('x-userId');\r\n const hasPurpose = (payload && payload.purpose !== undefined) || headers.has('purpose') || headers.has('x-purpose');\r\n\r\n // We can check if these are in requiredMetadata or explicitly check payload/headers\r\n // Assuming 'sessionId' and 'userId' or 'purpose' are representative traces.\r\n // The instructions say: \"If missing, push an error explaining that High-Risk systems require strict logging\"\r\n // Let's enforce that at least some core traces exist or check requiredMetadata.\r\n // Given the prompt: \"strictly verify that the payload or headers contain traceability metadata (e.g., sessionId, userId). If missing...\"\r\n if (!hasSession && !hasUserId && !hasPurpose) {\r\n errors.push({\r\n code: 'MISSING_HIGH_RISK_TRACEABILITY',\r\n message: 'Under the EU AI Act, High-Risk systems require strict logging traceability. Missing metadata like sessionId, userId, or purpose.'\r\n });\r\n }\r\n }\r\n\r\n return {\r\n valid: errors.length === 0,\r\n errors\r\n };\r\n}\r\n","import { AiManifest } from '../types';\r\n\r\nconst STANDARD_PII_REGEX = [\r\n // Emails\r\n /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g,\r\n // US SSN\r\n /\\b\\d{3}-\\d{2}-\\d{4}\\b/g,\r\n // 16-digit Credit Cards (simple)\r\n /\\b(?:\\d[ -]*?){13,16}\\b/g,\r\n // Generic API Keys (e.g., sk-..., AKIA...)\r\n /\\b(sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16})\\b/g\r\n];\r\n\r\nexport function scrubPayload(\r\n text: string,\r\n config: AiManifest['piiScrubbing']\r\n): string {\r\n if (config.level === 'off') {\r\n return text;\r\n }\r\n\r\n if (config.level === 'strict') {\r\n throw new Error('NotImplemented: Strict PII scrubbing is reserved for the Attestly backend ML engine.');\r\n }\r\n\r\n let scrubbed = text;\r\n const redactString = config.redactString ?? '[REDACTED]';\r\n\r\n if (config.level === 'standard') {\r\n for (const regex of STANDARD_PII_REGEX) {\r\n scrubbed = scrubbed.replace(regex, redactString);\r\n }\r\n }\r\n\r\n if (config.customRegex && config.customRegex.length > 0) {\r\n for (const pattern of config.customRegex) {\r\n try {\r\n const regex = new RegExp(pattern, 'g');\r\n scrubbed = scrubbed.replace(regex, redactString);\r\n } catch (e) {\r\n // Ignore invalid regex to prevent crashing the edge function\r\n console.warn('Invalid custom regex pattern in PII scrubber:', pattern);\r\n }\r\n }\r\n }\r\n\r\n return scrubbed;\r\n}\r\n\r\nexport function scrubObject(\r\n obj: any,\r\n config: AiManifest['piiScrubbing']\r\n): any {\r\n if (config.level === 'off') return obj;\r\n if (!obj) return obj;\r\n\r\n if (typeof obj === 'string') {\r\n return scrubPayload(obj, config);\r\n }\r\n\r\n if (Array.isArray(obj)) {\r\n return obj.map(item => scrubObject(item, config));\r\n }\r\n\r\n if (typeof obj === 'object') {\r\n const scrubbedObj: any = {};\r\n for (const [key, value] of Object.entries(obj)) {\r\n scrubbedObj[key] = scrubObject(value, config);\r\n }\r\n return scrubbedObj;\r\n }\r\n\r\n return obj;\r\n}\r\n","import { AiManifest } from '../types';\r\nimport { createComplianceError } from '../utils/errors';\r\nimport { validateManifest } from '../utils/validator';\r\nimport { scrubObject } from '../utils/scrubber';\r\n\r\nexport type RequestHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;\r\n\r\n/**\r\n * A higher-order function that wraps a standard Web API Request handler\r\n * to enforce AI compliance according to the provided manifest.\r\n */\r\nexport function withAttestlyCompliance(\r\n handler: RequestHandler,\r\n manifest: AiManifest\r\n): RequestHandler {\r\n return async (req: Request, ...args: any[]) => {\r\n // Clone the request since we might need to read the body and pass the request down\r\n // But Request bodies can only be read once.\r\n // To be perfectly framework agnostic and non-intrusive, we only check JSON payloads.\r\n let clonedReq = req.clone();\r\n let payload = null;\r\n\r\n try {\r\n if (clonedReq.headers.get('content-type')?.includes('application/json')) {\r\n payload = await clonedReq.json();\r\n }\r\n } catch (e) {\r\n // Ignore if body is not readable/json\r\n }\r\n\r\n if (process.env.NODE_ENV === 'development') {\r\n const { valid, errors } = validateManifest(payload, req.headers, manifest);\r\n\r\n if (!valid) {\r\n return createComplianceError(errors);\r\n }\r\n }\r\n\r\n // Scrub payload if needed before passing it down.\r\n // To do this completely transparently, we'd have to construct a new Request.\r\n // However, the instructions say \"run scrubPayload on the prompt/messages array to ensure data is clean before it hits the underlying AI client.\"\r\n // In a middleware, modifying the `Request` object requires instantiating a new Request.\r\n if (payload && manifest.piiScrubbing.level !== 'off') {\r\n const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);\r\n const newReq = new Request(req.url, {\r\n method: req.method,\r\n headers: req.headers,\r\n body: JSON.stringify(scrubbedPayload),\r\n // @ts-ignore - some environments require duplex for streaming requests\r\n duplex: 'half'\r\n });\r\n return handler(newReq, ...args);\r\n }\r\n\r\n // Pass through to the original handler if no scrubbing was needed\r\n return handler(req, ...args);\r\n };\r\n}\r\n","import { AiManifest } from '../types';\r\nimport { validateManifest } from '../utils/validator';\r\nimport { scrubObject } from '../utils/scrubber';\r\n\r\nexport type StreamHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;\r\n\r\n/**\r\n * A specialized wrapper for the Vercel AI SDK streams.\r\n * Performs a synchronous compliance check upfront and returns the native stream untouched.\r\n */\r\nexport function withAttestlyStream(\r\n handler: StreamHandler,\r\n manifest: AiManifest\r\n): StreamHandler {\r\n return async (req: Request, ...args: any[]) => {\r\n let clonedReq = req.clone();\r\n let payload = null;\r\n\r\n try {\r\n if (clonedReq.headers.get('content-type')?.includes('application/json')) {\r\n payload = await clonedReq.json();\r\n }\r\n } catch (e) {\r\n // Ignore if body is not readable/json\r\n }\r\n\r\n if (process.env.NODE_ENV === 'development') {\r\n const { valid, errors } = validateManifest(payload, req.headers, manifest);\r\n\r\n if (!valid) {\r\n const errorMessages = errors.map(e => `[${e.code}] ${e.message}`).join('\\n');\r\n throw new Error(`Attestly Compliance Stream Check Failed: \\n${errorMessages}`);\r\n }\r\n }\r\n\r\n if (payload && manifest.piiScrubbing.level !== 'off') {\r\n const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);\r\n const newReq = new Request(req.url, {\r\n method: req.method,\r\n headers: req.headers,\r\n body: JSON.stringify(scrubbedPayload),\r\n // @ts-ignore\r\n duplex: 'half'\r\n });\r\n return handler(newReq, ...args);\r\n }\r\n\r\n // Pass through the DataStreamResponse untouched\r\n return handler(req, ...args);\r\n };\r\n}\r\n"]}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,209 @@
+// src/utils/errors.ts
+function createComplianceError(errors) {
+  const primaryCode = errors.length > 0 ? errors[0].code : "BLOCK_ENFORCED";
+  return new Response(
+    JSON.stringify({
+      error: "AttestlyComplianceViolation",
+      code: primaryCode,
+      details: errors
+    }),
+    {
+      status: 400,
+      headers: {
+        "Content-Type": "application/json",
+        "X-Attestly-Blocked": "true"
+      }
+    }
+  );
+}
+// src/utils/validator.ts
+function validateManifest(payload, headers, manifest) {
+  const errors = [];
+  if (payload && payload.model) {
+    const model = String(payload.model);
+    if (!manifest.allowedModels.includes(model)) {
+      errors.push({
+        code: "UNAUTHORIZED_MODEL",
+        message: `Model '${model}' is not in the allowedModels list.`
+      });
+    }
+    const versionRegex = /-[0-9]+(-[0-9]+)*$/;
+    if (!versionRegex.test(model)) {
+      errors.push({
+        code: "INVALID_MODEL_VERSION",
+        message: `Model '${model}' must contain a strict version or date suffix (e.g., 'gpt-4-0613').`
+      });
+    }
+  }
+  for (const requiredKey of manifest.requiredMetadata) {
+    const hasInPayload = payload && payload[requiredKey] !== void 0;
+    const hasInHeader = headers.has(requiredKey) || headers.has(`x-${requiredKey}`);
+    if (!hasInPayload && !hasInHeader) {
+      errors.push({
+        code: "MISSING_REQUIRED_METADATA",
+        message: `Missing required metadata: '${requiredKey}'.`
+      });
+    }
+  }
+  if (manifest.prohibitedPractices) {
+    const practices = Object.entries(manifest.prohibitedPractices);
+    for (const [practice, isEnabled] of practices) {
+      if (isEnabled === true) {
+        errors.push({
+          code: "EU_PROHIBITED_PRACTICE",
+          message: `Under Article 5 of the EU AI Act, the practice '${practice}' is prohibited. Execution blocked.`
+        });
+      }
+    }
+  }
+  if (manifest.systemDomain === "law-enforcement" || manifest.systemDomain === "biometrics") {
+    if (manifest.euRiskCategory === "minimal" || manifest.euRiskCategory === "limited") {
+      errors.push({
+        code: "EU_RISK_MISCLASSIFICATION",
+        message: `Under Annex III of the EU AI Act, ${manifest.systemDomain} systems are automatically high-risk. Cannot be classified as ${manifest.euRiskCategory}.`
+      });
+    }
+  }
+  if (manifest.euRiskCategory === "high") {
+    const hasSession = payload && payload.sessionId !== void 0 || headers.has("sessionId") || headers.has("x-sessionId");
+    const hasUserId = payload && payload.userId !== void 0 || headers.has("userId") || headers.has("x-userId");
+    const hasPurpose = payload && payload.purpose !== void 0 || headers.has("purpose") || headers.has("x-purpose");
+    if (!hasSession && !hasUserId && !hasPurpose) {
+      errors.push({
+        code: "MISSING_HIGH_RISK_TRACEABILITY",
+        message: "Under the EU AI Act, High-Risk systems require strict logging traceability. Missing metadata like sessionId, userId, or purpose."
+      });
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+// src/utils/scrubber.ts
+var STANDARD_PII_REGEX = [
+  // Emails
+  /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+  // US SSN
+  /\b\d{3}-\d{2}-\d{4}\b/g,
+  // 16-digit Credit Cards (simple)
+  /\b(?:\d[ -]*?){13,16}\b/g,
+  // Generic API Keys (e.g., sk-..., AKIA...)
+  /\b(sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16})\b/g
+];
+function scrubPayload(text, config) {
+  if (config.level === "off") {
+    return text;
+  }
+  if (config.level === "strict") {
+    throw new Error("NotImplemented: Strict PII scrubbing is reserved for the Attestly backend ML engine.");
+  }
+  let scrubbed = text;
+  const redactString = config.redactString ?? "[REDACTED]";
+  if (config.level === "standard") {
+    for (const regex of STANDARD_PII_REGEX) {
+      scrubbed = scrubbed.replace(regex, redactString);
+    }
+  }
+  if (config.customRegex && config.customRegex.length > 0) {
+    for (const pattern of config.customRegex) {
+      try {
+        const regex = new RegExp(pattern, "g");
+        scrubbed = scrubbed.replace(regex, redactString);
+      } catch (e) {
+        console.warn("Invalid custom regex pattern in PII scrubber:", pattern);
+      }
+    }
+  }
+  return scrubbed;
+}
+function scrubObject(obj, config) {
+  if (config.level === "off") return obj;
+  if (!obj) return obj;
+  if (typeof obj === "string") {
+    return scrubPayload(obj, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => scrubObject(item, config));
+  }
+  if (typeof obj === "object") {
+    const scrubbedObj = {};
+    for (const [key, value] of Object.entries(obj)) {
+      scrubbedObj[key] = scrubObject(value, config);
+    }
+    return scrubbedObj;
+  }
+  return obj;
+}
+// src/middleware/withCompliance.ts
+function withAttestlyCompliance(handler, manifest) {
+  return async (req, ...args) => {
+    let clonedReq = req.clone();
+    let payload = null;
+    try {
+      if (clonedReq.headers.get("content-type")?.includes("application/json")) {
+        payload = await clonedReq.json();
+      }
+    } catch (e) {
+    }
+    if (process.env.NODE_ENV === "development") {
+      const { valid, errors } = validateManifest(payload, req.headers, manifest);
+      if (!valid) {
+        return createComplianceError(errors);
+      }
+    }
+    if (payload && manifest.piiScrubbing.level !== "off") {
+      const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);
+      const newReq = new Request(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: JSON.stringify(scrubbedPayload),
+        // @ts-ignore - some environments require duplex for streaming requests
+        duplex: "half"
+      });
+      return handler(newReq, ...args);
+    }
+    return handler(req, ...args);
+  };
+}
+// src/middleware/withStream.ts
+function withAttestlyStream(handler, manifest) {
+  return async (req, ...args) => {
+    let clonedReq = req.clone();
+    let payload = null;
+    try {
+      if (clonedReq.headers.get("content-type")?.includes("application/json")) {
+        payload = await clonedReq.json();
+      }
+    } catch (e) {
+    }
+    if (process.env.NODE_ENV === "development") {
+      const { valid, errors } = validateManifest(payload, req.headers, manifest);
+      if (!valid) {
+        const errorMessages = errors.map((e) => `[${e.code}] ${e.message}`).join("\n");
+        throw new Error(`Attestly Compliance Stream Check Failed:
+${errorMessages}`);
+      }
+    }
+    if (payload && manifest.piiScrubbing.level !== "off") {
+      const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);
+      const newReq = new Request(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: JSON.stringify(scrubbedPayload),
+        // @ts-ignore
+        duplex: "half"
+      });
+      return handler(newReq, ...args);
+    }
+    return handler(req, ...args);
+  };
+}
+export { withAttestlyCompliance, withAttestlyStream };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/utils/errors.ts","../src/utils/validator.ts","../src/utils/scrubber.ts","../src/middleware/withCompliance.ts","../src/middleware/withStream.ts"],"names":[],"mappings":";AAEO,SAAS,sBAAsB,MAAA,EAAqC;AAGzE,EAAA,MAAM,cAAc,MAAA,CAAO,MAAA,GAAS,IAAI,MAAA,CAAO,CAAC,EAAE,IAAA,GAAO,gBAAA;AAEzD,EAAA,OAAO,IAAI,QAAA;AAAA,IACT,KAAK,SAAA,CAAU;AAAA,MACb,KAAA,EAAO,6BAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,IACD;AAAA,MACE,MAAA,EAAQ,GAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,oBAAA,EAAsB;AAAA;AACxB;AACF,GACF;AACF;;;ACdO,SAAS,gBAAA,CACd,OAAA,EACA,OAAA,EACA,QAAA,EAC+C;AAC/C,EAAA,MAAM,SAA4B,EAAC;AAOnC,EAAA,IAAI,OAAA,IAAW,QAAQ,KAAA,EAAO;AAC5B,IAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA;AAGlC,IAAA,IAAI,CAAC,QAAA,CAAS,aAAA,CAAc,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3C,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,oBAAA;AAAA,QACN,OAAA,EAAS,UAAU,KAAK,CAAA,mCAAA;AAAA,OACzB,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,YAAA,GAAe,oBAAA;AACrB,IAAA,IAAI,CAAC,YAAA,CAAa,IAAA,CAAK,KAAK,CAAA,EAAG;AAC7B,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,uBAAA;AAAA,QACN,OAAA,EAAS,UAAU,KAAK,CAAA,oEAAA;AAAA,OACzB,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,WAAA,IAAe,SAAS,gBAAA,EAAkB;AACnD,IAAA,MAAM,YAAA,GAAe,OAAA,IAAW,OAAA,CAAQ,WAAW,CAAA,KAAM,MAAA;AACzD,IAAA,MAAM,WAAA,GAAc,QAAQ,GAAA,CAAI,WAAW,KAAK,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAA,EAAK,WAAW,CAAA,CAAE,CAAA;AAE9E,IAAA,IAAI,CAAC,YAAA,IAAgB,CAAC,WAAA,EAAa;AACjC,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,2BAAA;AAAA,QACN,OAAA,EAAS,+BAA+B,WAAW,CAAA,EAAA;AAAA,OACpD,CAAA;AAAA,IACH;AAAA,EACF;AAOA,EAAA,IAAI,SAAS,mBAAA,EAAqB;AAChC,IAAA,MAAM,SAAA,GAAY,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,mBAAmB,CAAA;AAC7D,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,SAAS,CAAA,IAAK,SAAA,EAAW;AAC7C,MAAA,IAAI,cAAc,IAAA,EAAM;AACtB,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,IAAA,EAAM,wBAAA;AAAA,UACN,OAAA,EAAS,mDAAmD,QAAQ,CAAA,mCAAA;AAAA,SACrE,CAAA;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,QAAA,CAAS,YAAA,KAAiB,iBAAA,IAAqB,QAAA,CAAS,iBAAiB,YAAA,EAAc;AACzF,IAAA,IAAI,QAAA,CAAS,cAAA,KAAmB,SAAA,IAAa,QAAA,CAAS,mBAAmB,SAAA,EAAW;AAClF,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,2BAAA;AAAA,QACN,SAAS,CAAA,kCAAA,EAAqC,QAAA,CAAS,YAAY,CAAA,8DAAA,EAAiE,SAAS,cAAc,CAAA,CAAA;AAAA,OAC5J,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,IAAI,QAAA,CAAS,mBAAmB,MAAA,EAAQ;AACtC,IAAA,MAAM,UAAA,GAAc,OAAA,IAAW,OAAA,CAAQ,SAAA,KAAc,MAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,IAAK,OAAA,CAAQ,GAAA,CAAI,aAAa,CAAA;AACxH,IAAA,MAAM,SAAA,GAAa,OAAA,IAAW,OAAA,CAAQ,MAAA,KAAW,MAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA,IAAK,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC9G,IAAA,MAAM,UAAA,GAAc,OAAA,IAAW,OAAA,CAAQ,OAAA,KAAY,MAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,SAAS,CAAA,IAAK,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA;AAOlH,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,SAAA,IAAa,CAAC,UAAA,EAAY;AAC5C,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,IAAA,EAAM,gCAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,IACzB;AAAA,GACF;AACF;;;ACrGA,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEzB,iDAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,0BAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAEO,SAAS,YAAA,CACd,MACA,MAAA,EACQ;AACR,EAAA,IAAI,MAAA,CAAO,UAAU,KAAA,EAAO;AAC1B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,MAAA,CAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,MAAM,IAAI,MAAM,sFAAsF,CAAA;AAAA,EACxG;AAEA,EAAA,IAAI,QAAA,GAAW,IAAA;AACf,EAAA,MAAM,YAAA,GAAe,OAAO,YAAA,IAAgB,YAAA;AAE5C,EAAA,IAAI,MAAA,CAAO,UAAU,UAAA,EAAY;AAC/B,IAAA,KAAA,MAAW,SAAS,kBAAA,EAAoB;AACtC,MAAA,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,KAAA,EAAO,YAAY,CAAA;AAAA,IACjD;AAAA,EACF;AAEA,EAAA,IAAI,MAAA,CAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA,EAAG;AACvD,IAAA,KAAA,MAAW,OAAA,IAAW,OAAO,WAAA,EAAa;AACxC,MAAA,IAAI;AACF,QAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAA,EAAS,GAAG,CAAA;AACrC,QAAA,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,KAAA,EAAO,YAAY,CAAA;AAAA,MACjD,SAAS,CAAA,EAAG;AAEV,QAAA,OAAA,CAAQ,IAAA,CAAK,iDAAiD,OAAO,CAAA;AAAA,MACvE;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,QAAA;AACT;AAEO,SAAS,WAAA,CACd,KACA,MAAA,EACK;AACL,EAAA,IAAI,MAAA,CAAO,KAAA,KAAU,KAAA,EAAO,OAAO,GAAA;AACnC,EAAA,IAAI,CAAC,KAAK,OAAO,GAAA;AAEjB,EAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA,OAAO,YAAA,CAAa,KAAK,MAAM,CAAA;AAAA,EACjC;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,WAAA,CAAY,IAAA,EAAM,MAAM,CAAC,CAAA;AAAA,EAClD;AAEA,EAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA,MAAM,cAAmB,EAAC;AAC1B,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC9C,MAAA,WAAA,CAAY,GAAG,CAAA,GAAI,WAAA,CAAY,KAAA,EAAO,MAAM,CAAA;AAAA,IAC9C;AACA,IAAA,OAAO,WAAA;AAAA,EACT;AAEA,EAAA,OAAO,GAAA;AACT;;;AC9DO,SAAS,sBAAA,CACd,SACA,QAAA,EACgB;AAChB,EAAA,OAAO,OAAO,QAAiB,IAAA,KAAgB;AAI7C,IAAA,IAAI,SAAA,GAAY,IAAI,KAAA,EAAM;AAC1B,IAAA,IAAI,OAAA,GAAU,IAAA;AAEd,IAAA,IAAI;AACF,MAAA,IAAI,UAAU,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,QAAA,CAAS,kBAAkB,CAAA,EAAG;AACvE,QAAA,OAAA,GAAU,MAAM,UAAU,IAAA,EAAK;AAAA,MACjC;AAAA,IACF,SAAS,CAAA,EAAG;AAAA,IAEZ;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,EAAe;AAC1C,MAAA,MAAM,EAAE,OAAO,MAAA,EAAO,GAAI,iBAAiB,OAAA,EAAS,GAAA,CAAI,SAAS,QAAQ,CAAA;AAEzE,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,OAAO,sBAAsB,MAAM,CAAA;AAAA,MACrC;AAAA,IACF;AAMA,IAAA,IAAI,OAAA,IAAW,QAAA,CAAS,YAAA,CAAa,KAAA,KAAU,KAAA,EAAO;AACpD,MAAA,MAAM,eAAA,GAAkB,WAAA,CAAY,OAAA,EAAS,QAAA,CAAS,YAAY,CAAA;AAClE,MAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK;AAAA,QAClC,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,SAAS,GAAA,CAAI,OAAA;AAAA,QACb,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,eAAe,CAAA;AAAA;AAAA,QAEpC,MAAA,EAAQ;AAAA,OACT,CAAA;AACD,MAAA,OAAO,OAAA,CAAQ,MAAA,EAAQ,GAAG,IAAI,CAAA;AAAA,IAChC;AAGA,IAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAG,IAAI,CAAA;AAAA,EAC7B,CAAA;AACF;;;AC/CO,SAAS,kBAAA,CACd,SACA,QAAA,EACe;AACf,EAAA,OAAO,OAAO,QAAiB,IAAA,KAAgB;AAC7C,IAAA,IAAI,SAAA,GAAY,IAAI,KAAA,EAAM;AAC1B,IAAA,IAAI,OAAA,GAAU,IAAA;AAEd,IAAA,IAAI;AACF,MAAA,IAAI,UAAU,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,QAAA,CAAS,kBAAkB,CAAA,EAAG;AACvE,QAAA,OAAA,GAAU,MAAM,UAAU,IAAA,EAAK;AAAA,MACjC;AAAA,IACF,SAAS,CAAA,EAAG;AAAA,IAEZ;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,EAAe;AAC1C,MAAA,MAAM,EAAE,OAAO,MAAA,EAAO,GAAI,iBAAiB,OAAA,EAAS,GAAA,CAAI,SAAS,QAAQ,CAAA;AAEzE,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAA,EAAI,CAAA,CAAE,IAAI,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE,CAAA,CAAE,KAAK,IAAI,CAAA;AAC3E,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA;AAAA,EAA8C,aAAa,CAAA,CAAE,CAAA;AAAA,MAC/E;AAAA,IACF;AAEA,IAAA,IAAI,OAAA,IAAW,QAAA,CAAS,YAAA,CAAa,KAAA,KAAU,KAAA,EAAO;AACpD,MAAA,MAAM,eAAA,GAAkB,WAAA,CAAY,OAAA,EAAS,QAAA,CAAS,YAAY,CAAA;AAClE,MAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK;AAAA,QAClC,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,SAAS,GAAA,CAAI,OAAA;AAAA,QACb,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,eAAe,CAAA;AAAA;AAAA,QAEpC,MAAA,EAAQ;AAAA,OACT,CAAA;AACD,MAAA,OAAO,OAAA,CAAQ,MAAA,EAAQ,GAAG,IAAI,CAAA;AAAA,IAChC;AAGA,IAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAG,IAAI,CAAA;AAAA,EAC7B,CAAA;AACF","file":"index.mjs","sourcesContent":["import type { ValidationError } from './validator';\r\n\r\nexport function createComplianceError(errors: ValidationError[]): Response {\r\n // Use the code from the first error as the primary telemetry code, \r\n // or default to BLOCK_ENFORCED if none exists.\r\n const primaryCode = errors.length > 0 ? errors[0].code : 'BLOCK_ENFORCED';\r\n \r\n return new Response(\r\n JSON.stringify({\r\n error: 'AttestlyComplianceViolation',\r\n code: primaryCode,\r\n details: errors\r\n }),\r\n {\r\n status: 400,\r\n headers: {\r\n 'Content-Type': 'application/json',\r\n 'X-Attestly-Blocked': 'true'\r\n }\r\n }\r\n );\r\n}\r\n","import { AiManifest } from '../types';\r\n\r\nexport interface ValidationError {\r\n code: string;\r\n message: string;\r\n}\r\n\r\nexport function validateManifest(\r\n payload: any,\r\n headers: Headers,\r\n manifest: AiManifest\r\n): { valid: boolean; errors: ValidationError[] } {\r\n const errors: ValidationError[] = [];\r\n\r\n // ---------------------------------------------------------\r\n // Existing Rules\r\n // ---------------------------------------------------------\r\n\r\n // Rule 1: Strict Model Locking\r\n if (payload && payload.model) {\r\n const model = String(payload.model);\r\n \r\n // Check against allowedModels\r\n if (!manifest.allowedModels.includes(model)) {\r\n errors.push({\r\n code: 'UNAUTHORIZED_MODEL',\r\n message: `Model '${model}' is not in the allowedModels list.`\r\n });\r\n }\r\n\r\n // Enforce version/date suffixes regex\r\n const versionRegex = /-[0-9]+(-[0-9]+)*$/;\r\n if (!versionRegex.test(model)) {\r\n errors.push({\r\n code: 'INVALID_MODEL_VERSION',\r\n message: `Model '${model}' must contain a strict version or date suffix (e.g., 'gpt-4-0613').`\r\n });\r\n }\r\n }\r\n\r\n // Rule 2: Traceability\r\n for (const requiredKey of manifest.requiredMetadata) {\r\n const hasInPayload = payload && payload[requiredKey] !== undefined;\r\n const hasInHeader = headers.has(requiredKey) || headers.has(`x-${requiredKey}`);\r\n\r\n if (!hasInPayload && !hasInHeader) {\r\n errors.push({\r\n code: 'MISSING_REQUIRED_METADATA',\r\n message: `Missing required metadata: '${requiredKey}'.`\r\n });\r\n }\r\n }\r\n\r\n // ---------------------------------------------------------\r\n // EU AI Act Rules\r\n // ---------------------------------------------------------\r\n\r\n // Rule A (The Kill Switch): Prohibited Practices\r\n if (manifest.prohibitedPractices) {\r\n const practices = Object.entries(manifest.prohibitedPractices);\r\n for (const [practice, isEnabled] of practices) {\r\n if (isEnabled === true) {\r\n errors.push({\r\n code: 'EU_PROHIBITED_PRACTICE',\r\n message: `Under Article 5 of the EU AI Act, the practice '${practice}' is prohibited. Execution blocked.`\r\n });\r\n }\r\n }\r\n }\r\n\r\n // Rule B (Law Enforcement Escalation): Auto-classify high-risk domains\r\n if (manifest.systemDomain === 'law-enforcement' || manifest.systemDomain === 'biometrics') {\r\n if (manifest.euRiskCategory === 'minimal' || manifest.euRiskCategory === 'limited') {\r\n errors.push({\r\n code: 'EU_RISK_MISCLASSIFICATION',\r\n message: `Under Annex III of the EU AI Act, ${manifest.systemDomain} systems are automatically high-risk. Cannot be classified as ${manifest.euRiskCategory}.`\r\n });\r\n }\r\n }\r\n\r\n // Rule C (Conditional Traceability): High-Risk requires strict logging\r\n if (manifest.euRiskCategory === 'high') {\r\n const hasSession = (payload && payload.sessionId !== undefined) || headers.has('sessionId') || headers.has('x-sessionId');\r\n const hasUserId = (payload && payload.userId !== undefined) || headers.has('userId') || headers.has('x-userId');\r\n const hasPurpose = (payload && payload.purpose !== undefined) || headers.has('purpose') || headers.has('x-purpose');\r\n\r\n // We can check if these are in requiredMetadata or explicitly check payload/headers\r\n // Assuming 'sessionId' and 'userId' or 'purpose' are representative traces.\r\n // The instructions say: \"If missing, push an error explaining that High-Risk systems require strict logging\"\r\n // Let's enforce that at least some core traces exist or check requiredMetadata.\r\n // Given the prompt: \"strictly verify that the payload or headers contain traceability metadata (e.g., sessionId, userId). If missing...\"\r\n if (!hasSession && !hasUserId && !hasPurpose) {\r\n errors.push({\r\n code: 'MISSING_HIGH_RISK_TRACEABILITY',\r\n message: 'Under the EU AI Act, High-Risk systems require strict logging traceability. Missing metadata like sessionId, userId, or purpose.'\r\n });\r\n }\r\n }\r\n\r\n return {\r\n valid: errors.length === 0,\r\n errors\r\n };\r\n}\r\n","import { AiManifest } from '../types';\r\n\r\nconst STANDARD_PII_REGEX = [\r\n // Emails\r\n /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g,\r\n // US SSN\r\n /\\b\\d{3}-\\d{2}-\\d{4}\\b/g,\r\n // 16-digit Credit Cards (simple)\r\n /\\b(?:\\d[ -]*?){13,16}\\b/g,\r\n // Generic API Keys (e.g., sk-..., AKIA...)\r\n /\\b(sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16})\\b/g\r\n];\r\n\r\nexport function scrubPayload(\r\n text: string,\r\n config: AiManifest['piiScrubbing']\r\n): string {\r\n if (config.level === 'off') {\r\n return text;\r\n }\r\n\r\n if (config.level === 'strict') {\r\n throw new Error('NotImplemented: Strict PII scrubbing is reserved for the Attestly backend ML engine.');\r\n }\r\n\r\n let scrubbed = text;\r\n const redactString = config.redactString ?? '[REDACTED]';\r\n\r\n if (config.level === 'standard') {\r\n for (const regex of STANDARD_PII_REGEX) {\r\n scrubbed = scrubbed.replace(regex, redactString);\r\n }\r\n }\r\n\r\n if (config.customRegex && config.customRegex.length > 0) {\r\n for (const pattern of config.customRegex) {\r\n try {\r\n const regex = new RegExp(pattern, 'g');\r\n scrubbed = scrubbed.replace(regex, redactString);\r\n } catch (e) {\r\n // Ignore invalid regex to prevent crashing the edge function\r\n console.warn('Invalid custom regex pattern in PII scrubber:', pattern);\r\n }\r\n }\r\n }\r\n\r\n return scrubbed;\r\n}\r\n\r\nexport function scrubObject(\r\n obj: any,\r\n config: AiManifest['piiScrubbing']\r\n): any {\r\n if (config.level === 'off') return obj;\r\n if (!obj) return obj;\r\n\r\n if (typeof obj === 'string') {\r\n return scrubPayload(obj, config);\r\n }\r\n\r\n if (Array.isArray(obj)) {\r\n return obj.map(item => scrubObject(item, config));\r\n }\r\n\r\n if (typeof obj === 'object') {\r\n const scrubbedObj: any = {};\r\n for (const [key, value] of Object.entries(obj)) {\r\n scrubbedObj[key] = scrubObject(value, config);\r\n }\r\n return scrubbedObj;\r\n }\r\n\r\n return obj;\r\n}\r\n","import { AiManifest } from '../types';\r\nimport { createComplianceError } from '../utils/errors';\r\nimport { validateManifest } from '../utils/validator';\r\nimport { scrubObject } from '../utils/scrubber';\r\n\r\nexport type RequestHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;\r\n\r\n/**\r\n * A higher-order function that wraps a standard Web API Request handler\r\n * to enforce AI compliance according to the provided manifest.\r\n */\r\nexport function withAttestlyCompliance(\r\n handler: RequestHandler,\r\n manifest: AiManifest\r\n): RequestHandler {\r\n return async (req: Request, ...args: any[]) => {\r\n // Clone the request since we might need to read the body and pass the request down\r\n // But Request bodies can only be read once.\r\n // To be perfectly framework agnostic and non-intrusive, we only check JSON payloads.\r\n let clonedReq = req.clone();\r\n let payload = null;\r\n\r\n try {\r\n if (clonedReq.headers.get('content-type')?.includes('application/json')) {\r\n payload = await clonedReq.json();\r\n }\r\n } catch (e) {\r\n // Ignore if body is not readable/json\r\n }\r\n\r\n if (process.env.NODE_ENV === 'development') {\r\n const { valid, errors } = validateManifest(payload, req.headers, manifest);\r\n\r\n if (!valid) {\r\n return createComplianceError(errors);\r\n }\r\n }\r\n\r\n // Scrub payload if needed before passing it down.\r\n // To do this completely transparently, we'd have to construct a new Request.\r\n // However, the instructions say \"run scrubPayload on the prompt/messages array to ensure data is clean before it hits the underlying AI client.\"\r\n // In a middleware, modifying the `Request` object requires instantiating a new Request.\r\n if (payload && manifest.piiScrubbing.level !== 'off') {\r\n const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);\r\n const newReq = new Request(req.url, {\r\n method: req.method,\r\n headers: req.headers,\r\n body: JSON.stringify(scrubbedPayload),\r\n // @ts-ignore - some environments require duplex for streaming requests\r\n duplex: 'half'\r\n });\r\n return handler(newReq, ...args);\r\n }\r\n\r\n // Pass through to the original handler if no scrubbing was needed\r\n return handler(req, ...args);\r\n };\r\n}\r\n","import { AiManifest } from '../types';\r\nimport { validateManifest } from '../utils/validator';\r\nimport { scrubObject } from '../utils/scrubber';\r\n\r\nexport type StreamHandler = (req: Request, ...args: any[]) => Promise<Response> | Response;\r\n\r\n/**\r\n * A specialized wrapper for the Vercel AI SDK streams.\r\n * Performs a synchronous compliance check upfront and returns the native stream untouched.\r\n */\r\nexport function withAttestlyStream(\r\n handler: StreamHandler,\r\n manifest: AiManifest\r\n): StreamHandler {\r\n return async (req: Request, ...args: any[]) => {\r\n let clonedReq = req.clone();\r\n let payload = null;\r\n\r\n try {\r\n if (clonedReq.headers.get('content-type')?.includes('application/json')) {\r\n payload = await clonedReq.json();\r\n }\r\n } catch (e) {\r\n // Ignore if body is not readable/json\r\n }\r\n\r\n if (process.env.NODE_ENV === 'development') {\r\n const { valid, errors } = validateManifest(payload, req.headers, manifest);\r\n\r\n if (!valid) {\r\n const errorMessages = errors.map(e => `[${e.code}] ${e.message}`).join('\\n');\r\n throw new Error(`Attestly Compliance Stream Check Failed: \\n${errorMessages}`);\r\n }\r\n }\r\n\r\n if (payload && manifest.piiScrubbing.level !== 'off') {\r\n const scrubbedPayload = scrubObject(payload, manifest.piiScrubbing);\r\n const newReq = new Request(req.url, {\r\n method: req.method,\r\n headers: req.headers,\r\n body: JSON.stringify(scrubbedPayload),\r\n // @ts-ignore\r\n duplex: 'half'\r\n });\r\n return handler(newReq, ...args);\r\n }\r\n\r\n // Pass through the DataStreamResponse untouched\r\n return handler(req, ...args);\r\n };\r\n}\r\n"]}

package/package.json ADDED Viewed

@@ -0,0 +1,34 @@
+{
+  "name": "@attestly/compliance-core",
+  "version": "0.1.0",
+  "description": "Zero-latency, Web Standard-based SDK that enforces AI compliance",
+  "license": "MIT",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch"
+  },
+  "devDependencies": {
+    "tsup": "^8.0.2",
+    "typescript": "^5.4.5"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}