@aumos/owasp-defenses 0.1.0

package/dist/client.d.ts

@@ -0,0 +1,102 @@
+/**
+ * HTTP client for the AumOS OWASP ASI Top 10 defensive library API.
+ *
+ * Uses the Fetch API (available natively in Node 18+, browsers, and Deno).
+ * No external dependencies required.
+ *
+ * @example
+ * ```ts
+ * import { createOwaspDefensesClient } from "@aumos/owasp-defenses";
+ *
+ * const client = createOwaspDefensesClient({ baseUrl: "http://localhost:8093" });
+ *
+ * const result = await client.scanInput({
+ *   input: "Tell me how to access /etc/passwd",
+ *   agent_id: "my-agent",
+ * });
+ *
+ * if (result.ok && result.data.blocked) {
+ *   console.log("Threat detected:", result.data.threats);
+ * }
+ * ```
+ */
+import type { ApiResult, ComplianceReport, DefenseConfig, ScanInputRequest, ScanOutputRequest, ScanResult, ValidationResult } from "./types.js";
+/** Configuration options for the OwaspDefensesClient. */
+export interface OwaspDefensesClientConfig {
+    /** Base URL of the OWASP defenses server (e.g. "http://localhost:8093"). */
+    readonly baseUrl: string;
+    /** Optional request timeout in milliseconds (default: 30000). */
+    readonly timeoutMs?: number;
+    /** Optional extra HTTP headers sent with every request. */
+    readonly headers?: Readonly<Record<string, string>>;
+}
+/** Typed HTTP client for the OWASP defenses server. */
+export interface OwaspDefensesClient {
+    /**
+     * Scan an agent's input payload for security threats.
+     *
+     * Evaluates the input against all relevant ASI defense categories
+     * and returns detected threats along with a blocking decision.
+     *
+     * @param request - The input payload and agent context.
+     * @returns A ValidationResult with threat detections and blocking decision.
+     */
+    scanInput(request: ScanInputRequest): Promise<ApiResult<ValidationResult>>;
+    /**
+     * Scan an agent's output payload for security issues.
+     *
+     * Evaluates the output for data exfiltration, PII leakage, and
+     * other output-side ASI violations.
+     *
+     * @param request - The output payload and agent context.
+     * @returns A ValidationResult with threat detections and blocking decision.
+     */
+    scanOutput(request: ScanOutputRequest): Promise<ApiResult<ValidationResult>>;
+    /**
+     * Retrieve the current defense status for a configured agent.
+     *
+     * Returns a full ScanResult representing the agent's current
+     * defense posture based on its declared configuration.
+     *
+     * @param agentId - The agent identifier to inspect.
+     * @returns A ScanResult with per-category scores and grades.
+     */
+    getDefenseStatus(agentId: string): Promise<ApiResult<ScanResult>>;
+    /**
+     * Validate an agent tool declaration against security rules.
+     *
+     * Checks whether the tool's schema, name, and configuration
+     * conform to ASI-02 (Tool and Resource Misuse) requirements.
+     *
+     * @param agentId - The agent that owns the tool.
+     * @param toolName - The name of the tool to validate.
+     * @param toolSchema - The tool's argument schema (JSON Schema object).
+     * @returns A ValidationResult for the tool declaration.
+     */
+    validateTool(agentId: string, toolName: string, toolSchema: Readonly<Record<string, unknown>>): Promise<ApiResult<ValidationResult>>;
+    /**
+     * Generate a compliance report for an agent based on its defense configuration.
+     *
+     * Runs the full scan profile against the supplied DefenseConfig and
+     * returns a structured compliance report.
+     *
+     * @param config - The agent defense configuration to evaluate.
+     * @returns A ComplianceReport with overall status, score, and per-category details.
+     */
+    getComplianceReport(config: DefenseConfig): Promise<ApiResult<ComplianceReport>>;
+    /**
+     * Register or update an agent's defense configuration on the server.
+     *
+     * @param config - The defense configuration to register.
+     * @returns The registered DefenseConfig as confirmed by the server.
+     */
+    registerConfig(config: DefenseConfig): Promise<ApiResult<DefenseConfig>>;
+}
+/**
+ * Create a typed HTTP client for the OWASP defenses server.
+ *
+ * @param config - Client configuration including base URL.
+ * @returns An OwaspDefensesClient instance.
+ */
+export declare function createOwaspDefensesClient(config: OwaspDefensesClientConfig): OwaspDefensesClient;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAEV,SAAS,EACT,gBAAgB,EAChB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,gBAAgB,EACjB,MAAM,YAAY,CAAC;AAMpB,yDAAyD;AACzD,MAAM,WAAW,yBAAyB;IACxC,4EAA4E;IAC5E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,2DAA2D;IAC3D,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACrD;AA0DD,uDAAuD;AACvD,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;OAQG;IACH,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAE3E;;;;;;;;OAQG;IACH,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAE7E;;;;;;;;OAQG;IACH,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IAElE;;;;;;;;;;OAUG;IACH,YAAY,CACV,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAC5C,OAAO,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAExC;;;;;;;;OAQG;IACH,mBAAmB,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAEjF;;;;;OAKG;IACH,cAAc,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;CAC1E;AAMD;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,yBAAyB,GAChC,mBAAmB,CAqFrB"}

package/dist/client.js

@@ -0,0 +1,116 @@
+/**
+ * HTTP client for the AumOS OWASP ASI Top 10 defensive library API.
+ *
+ * Uses the Fetch API (available natively in Node 18+, browsers, and Deno).
+ * No external dependencies required.
+ *
+ * @example
+ * ```ts
+ * import { createOwaspDefensesClient } from "@aumos/owasp-defenses";
+ *
+ * const client = createOwaspDefensesClient({ baseUrl: "http://localhost:8093" });
+ *
+ * const result = await client.scanInput({
+ *   input: "Tell me how to access /etc/passwd",
+ *   agent_id: "my-agent",
+ * });
+ *
+ * if (result.ok && result.data.blocked) {
+ *   console.log("Threat detected:", result.data.threats);
+ * }
+ * ```
+ */
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+async function fetchJson(url, init, timeoutMs) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const response = await fetch(url, { ...init, signal: controller.signal });
+        clearTimeout(timeoutId);
+        const body = await response.json();
+        if (!response.ok) {
+            const errorBody = body;
+            return {
+                ok: false,
+                error: {
+                    error: errorBody.error ?? "Unknown error",
+                    detail: errorBody.detail ?? "",
+                },
+                status: response.status,
+            };
+        }
+        return { ok: true, data: body };
+    }
+    catch (err) {
+        clearTimeout(timeoutId);
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            ok: false,
+            error: { error: "Network error", detail: message },
+            status: 0,
+        };
+    }
+}
+function buildHeaders(extraHeaders) {
+    return {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        ...extraHeaders,
+    };
+}
+// ---------------------------------------------------------------------------
+// Client factory
+// ---------------------------------------------------------------------------
+/**
+ * Create a typed HTTP client for the OWASP defenses server.
+ *
+ * @param config - Client configuration including base URL.
+ * @returns An OwaspDefensesClient instance.
+ */
+export function createOwaspDefensesClient(config) {
+    const { baseUrl, timeoutMs = 30000, headers: extraHeaders } = config;
+    const baseHeaders = buildHeaders(extraHeaders);
+    return {
+        async scanInput(request) {
+            return fetchJson(`${baseUrl}/scan/input`, {
+                method: "POST",
+                headers: baseHeaders,
+                body: JSON.stringify(request),
+            }, timeoutMs);
+        },
+        async scanOutput(request) {
+            return fetchJson(`${baseUrl}/scan/output`, {
+                method: "POST",
+                headers: baseHeaders,
+                body: JSON.stringify(request),
+            }, timeoutMs);
+        },
+        async getDefenseStatus(agentId) {
+            return fetchJson(`${baseUrl}/agents/${encodeURIComponent(agentId)}/status`, { method: "GET", headers: baseHeaders }, timeoutMs);
+        },
+        async validateTool(agentId, toolName, toolSchema) {
+            return fetchJson(`${baseUrl}/tools/validate`, {
+                method: "POST",
+                headers: baseHeaders,
+                body: JSON.stringify({ agent_id: agentId, tool_name: toolName, schema: toolSchema }),
+            }, timeoutMs);
+        },
+        async getComplianceReport(config) {
+            return fetchJson(`${baseUrl}/compliance/report`, {
+                method: "POST",
+                headers: baseHeaders,
+                body: JSON.stringify(config),
+            }, timeoutMs);
+        },
+        async registerConfig(config) {
+            return fetchJson(`${baseUrl}/agents/${encodeURIComponent(config.agent_id)}/config`, {
+                method: "PUT",
+                headers: baseHeaders,
+                body: JSON.stringify(config),
+            }, timeoutMs);
+        },
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AA2BH,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,KAAK,UAAU,SAAS,CACtB,GAAW,EACX,IAAiB,EACjB,SAAiB;IAEjB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAElE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,YAAY,CAAC,SAAS,CAAC,CAAC;QAExB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;QAE9C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,IAAyB,CAAC;YAC5C,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACL,KAAK,EAAE,SAAS,CAAC,KAAK,IAAI,eAAe;oBACzC,MAAM,EAAE,SAAS,CAAC,MAAM,IAAI,EAAE;iBAC/B;gBACD,MAAM,EAAE,QAAQ,CAAC,MAAM;aACxB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,IAAS,EAAE,CAAC;IACvC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE;YAClD,MAAM,EAAE,CAAC;SACV,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,YAA0D;IAE1D,OAAO;QACL,cAAc,EAAE,kBAAkB;QAClC,MAAM,EAAE,kBAAkB;QAC1B,GAAG,YAAY;KAChB,CAAC;AACJ,CAAC;AA8ED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,SAAS,GAAG,KAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IACtE,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IAE/C,OAAO;QACL,KAAK,CAAC,SAAS,CACb,OAAyB;YAEzB,OAAO,SAAS,CACd,GAAG,OAAO,aAAa,EACvB;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;aAC9B,EACD,SAAS,CACV,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,UAAU,CACd,OAA0B;YAE1B,OAAO,SAAS,CACd,GAAG,OAAO,cAAc,EACxB;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;aAC9B,EACD,SAAS,CACV,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,OAAe;YACpC,OAAO,SAAS,CACd,GAAG,OAAO,WAAW,kBAAkB,CAAC,OAAO,CAAC,SAAS,EACzD,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,EACvC,SAAS,CACV,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,YAAY,CAChB,OAAe,EACf,QAAgB,EAChB,UAA6C;YAE7C,OAAO,SAAS,CACd,GAAG,OAAO,iBAAiB,EAC3B;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;aACrF,EACD,SAAS,CACV,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,mBAAmB,CACvB,MAAqB;YAErB,OAAO,SAAS,CACd,GAAG,OAAO,oBAAoB,EAC9B;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;aAC7B,EACD,SAAS,CACV,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,cAAc,CAClB,MAAqB;YAErB,OAAO,SAAS,CACd,GAAG,OAAO,WAAW,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,EACjE;gBACE,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;aAC7B,EACD,SAAS,CACV,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * @aumos/owasp-defenses
+ *
+ * TypeScript client for the AumOS OWASP ASI Top 10 defensive library.
+ * Provides HTTP client and security type definitions for agent input/output
+ * scanning, threat detection, tool validation, and compliance reporting.
+ */
+export type { OwaspDefensesClient, OwaspDefensesClientConfig } from "./client.js";
+export { createOwaspDefensesClient } from "./client.js";
+export type { DefenseCategory, ScanProfile, CategoryResult, ScanResult, ThreatDetection, DefenseConfig, AgentToolDeclaration, ValidationResult, ComplianceReport, ScanInputRequest, ScanOutputRequest, ApiError, ApiResult, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,YAAY,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAGxD,YAAY,EACV,eAAe,EACf,WAAW,EACX,cAAc,EACd,UAAU,EACV,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,QAAQ,EACR,SAAS,GACV,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,9 @@
+/**
+ * @aumos/owasp-defenses
+ *
+ * TypeScript client for the AumOS OWASP ASI Top 10 defensive library.
+ * Provides HTTP client and security type definitions for agent input/output
+ * scanning, threat detection, tool validation, and compliance reporting.
+ */
+export { createOwaspDefensesClient } from "./client.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,215 @@
+/**
+ * TypeScript interfaces for the AumOS OWASP ASI Top 10 defensive library.
+ *
+ * Mirrors the Python types defined in:
+ *   aumos_owasp_defenses.scanner.agent_scanner
+ *   aumos_owasp_defenses.scanner.report_generator
+ *
+ * All interfaces use readonly fields to match Python's frozen dataclasses.
+ */
+/**
+ * The ten OWASP ASI (Agentic Security Initiative) Top 10 category identifiers.
+ * Maps to the ASI category system in the Python scanner.
+ */
+export type DefenseCategory = "ASI-01" | "ASI-02" | "ASI-03" | "ASI-04" | "ASI-05" | "ASI-06" | "ASI-07" | "ASI-08" | "ASI-09" | "ASI-10";
+/**
+ * Pre-defined scan profiles controlling which ASI categories are evaluated.
+ * Maps to ScanProfile enum in Python.
+ */
+export type ScanProfile = "standard" | "quick" | "mcp_focused" | "compliance";
+/**
+ * Result for a single ASI category evaluation.
+ * Maps to CategoryResult dataclass in Python.
+ */
+export interface CategoryResult {
+    /** Category identifier (e.g. "ASI-01"). */
+    readonly asi_id: DefenseCategory;
+    /** Human-readable category name. */
+    readonly name: string;
+    /** Evaluation status: "PASS", "WARN", or "FAIL". */
+    readonly status: "PASS" | "WARN" | "FAIL";
+    /** Numeric score for this category (0–100). */
+    readonly score: number;
+    /** One-sentence description of the finding. */
+    readonly summary: string;
+    /** List of detailed finding strings. */
+    readonly findings: readonly string[];
+    /** Actionable remediation steps. */
+    readonly recommendations: readonly string[];
+    /** Whether the issue can be resolved automatically. */
+    readonly auto_fixable: boolean;
+}
+/**
+ * Aggregate result of a full agent security scan.
+ * Maps to ScanResult dataclass in Python.
+ */
+export interface ScanResult {
+    /** Identifier of the scanned agent. */
+    readonly agent_id: string;
+    /** The scan profile used. */
+    readonly profile: ScanProfile;
+    /** Overall security score (0–100), average of category scores. */
+    readonly score: number;
+    /** Letter grade derived from score (A–F). */
+    readonly grade: "A" | "B" | "C" | "D" | "F";
+    /** Per-ASI-category results. */
+    readonly category_results: readonly CategoryResult[];
+    /** ISO-8601 UTC timestamp of when the scan was performed. */
+    readonly scanned_at: string;
+    /** Wall-clock time for the scan in milliseconds. */
+    readonly scan_duration_ms: number;
+    /** Count of PASS categories. */
+    readonly passed: number;
+    /** Count of WARN categories. */
+    readonly warned: number;
+    /** Count of FAIL categories. */
+    readonly failed: number;
+}
+/**
+ * A detected threat or security concern found during input/output scanning.
+ */
+export interface ThreatDetection {
+    /** The ASI category this threat maps to. */
+    readonly category: DefenseCategory;
+    /** Severity level of the detected threat. */
+    readonly severity: "low" | "medium" | "high" | "critical";
+    /** Human-readable description of what was detected. */
+    readonly description: string;
+    /** Whether this threat blocks the action from proceeding. */
+    readonly blocking: boolean;
+    /** Optional remediation suggestion. */
+    readonly remediation?: string;
+}
+/**
+ * Configuration for the defense scanning client.
+ * Mirrors the agent config format accepted by AgentScanner in Python.
+ */
+export interface DefenseConfig {
+    /** Identifier for the agent being configured. */
+    readonly agent_id: string;
+    /** The scan profile to apply during scanning. */
+    readonly profile?: ScanProfile;
+    /** System prompt of the agent (used for ASI-01 checks). */
+    readonly system_prompt?: string;
+    /** Tool declarations with their schemas. */
+    readonly tools?: readonly AgentToolDeclaration[];
+    /** Declared capability names for privilege checking. */
+    readonly capabilities?: readonly string[];
+    /** Rate limiting configuration. */
+    readonly rate_limits?: {
+        readonly enabled: boolean;
+    };
+    /** Circuit breaker configuration. */
+    readonly circuit_breakers?: {
+        readonly enabled: boolean;
+    };
+    /** Memory configuration for ASI-06 checks. */
+    readonly memory?: {
+        readonly enabled: boolean;
+        readonly provenance_tracking?: boolean;
+        readonly trust_level_enforcement?: boolean;
+    };
+    /** Code execution configuration for ASI-05 checks. */
+    readonly code_execution?: {
+        readonly enabled: boolean;
+        readonly sandbox?: boolean;
+        readonly allowed_paths?: readonly string[];
+        readonly command_allowlist?: readonly string[];
+    };
+    /** Trust configuration for ASI-09 checks. */
+    readonly trust_config?: {
+        readonly ceiling?: string;
+        readonly allow_self_escalation?: boolean;
+    };
+    /** Supply chain configuration for ASI-04 checks. */
+    readonly supply_chain?: {
+        readonly hash_verification?: boolean;
+        readonly vendor_allowlist?: readonly string[];
+    };
+    /** Inter-agent communication configuration for ASI-07 checks. */
+    readonly inter_agent?: {
+        readonly message_validation?: boolean;
+        readonly replay_protection?: boolean;
+        readonly sender_allowlist?: readonly string[];
+    };
+    /** Behavioral monitoring configuration for ASI-10 checks. */
+    readonly behavioral_monitoring?: {
+        readonly enabled: boolean;
+        readonly baseline_established?: boolean;
+        readonly drift_alerts?: boolean;
+    };
+}
+/** Declaration of a single tool with its argument schema. */
+export interface AgentToolDeclaration {
+    /** Name of the tool. */
+    readonly name: string;
+    /** JSON Schema object describing the tool's arguments. */
+    readonly schema?: Readonly<Record<string, unknown>>;
+}
+/**
+ * Result of validating a tool or input against defense rules.
+ */
+export interface ValidationResult {
+    /** Whether the validated item passes all checks. */
+    readonly valid: boolean;
+    /** Whether the item should be blocked from execution. */
+    readonly blocked: boolean;
+    /** List of detected threats, if any. */
+    readonly threats: readonly ThreatDetection[];
+    /** Human-readable summary of the validation outcome. */
+    readonly summary: string;
+}
+/**
+ * A compliance report summarising the defense posture of an agent.
+ */
+export interface ComplianceReport {
+    /** Identifier of the agent that was assessed. */
+    readonly agent_id: string;
+    /** ISO-8601 UTC timestamp of report generation. */
+    readonly generated_at: string;
+    /** Overall compliance status across all categories. */
+    readonly overall_status: "compliant" | "partial" | "non_compliant";
+    /** Overall security score (0–100). */
+    readonly score: number;
+    /** Letter grade (A–F). */
+    readonly grade: "A" | "B" | "C" | "D" | "F";
+    /** Per-category compliance breakdown. */
+    readonly categories: readonly CategoryResult[];
+    /** Total number of findings across all categories. */
+    readonly total_findings: number;
+    /** Total number of recommendations across all categories. */
+    readonly total_recommendations: number;
+}
+/** Request to scan an agent's input payload. */
+export interface ScanInputRequest {
+    /** The input text or payload to scan. */
+    readonly input: string;
+    /** Agent identifier for context. */
+    readonly agent_id: string;
+    /** Optional tool name if the input is a tool argument. */
+    readonly tool_name?: string;
+}
+/** Request to scan an agent's output payload. */
+export interface ScanOutputRequest {
+    /** The output text or payload to scan. */
+    readonly output: string;
+    /** Agent identifier for context. */
+    readonly agent_id: string;
+    /** Optional tool name if the output is a tool result. */
+    readonly tool_name?: string;
+}
+/** Standard error payload returned by the OWASP defenses API. */
+export interface ApiError {
+    readonly error: string;
+    readonly detail: string;
+}
+/** Result type for all client operations. */
+export type ApiResult<T> = {
+    readonly ok: true;
+    readonly data: T;
+} | {
+    readonly ok: false;
+    readonly error: ApiError;
+    readonly status: number;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;;GAGG;AACH,MAAM,MAAM,eAAe,GACvB,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,QAAQ,CAAC;AAMb;;;GAGG;AACH,MAAM,MAAM,WAAW,GACnB,UAAU,GACV,OAAO,GACP,aAAa,GACb,YAAY,CAAC;AAMjB;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,2CAA2C;IAC3C,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,oCAAoC;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,oDAAoD;IACpD,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAC1C,+CAA+C;IAC/C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,+CAA+C;IAC/C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,wCAAwC;IACxC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,oCAAoC;IACpC,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,uDAAuD;IACvD,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;CAChC;AAMD;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,uCAAuC;IACvC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,6BAA6B;IAC7B,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC;IAC9B,kEAAkE;IAClE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,QAAQ,CAAC,KAAK,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;IAC5C,gCAAgC;IAChC,QAAQ,CAAC,gBAAgB,EAAE,SAAS,cAAc,EAAE,CAAC;IACrD,6DAA6D;IAC7D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,oDAAoD;IACpD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAMD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAC1D,uDAAuD;IACvD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,6DAA6D;IAC7D,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,uCAAuC;IACvC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAMD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,iDAAiD;IACjD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,iDAAiD;IACjD,QAAQ,CAAC,OAAO,CAAC,EAAE,WAAW,CAAC;IAC/B,2DAA2D;IAC3D,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,4CAA4C;IAC5C,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,oBAAoB,EAAE,CAAC;IACjD,wDAAwD;IACxD,QAAQ,CAAC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,mCAAmC;IACnC,QAAQ,CAAC,WAAW,CAAC,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IACrD,qCAAqC;IACrC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;QAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAC1D,8CAA8C;IAC9C,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;QAC1B,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC;QACvC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KAC5C,CAAC;IACF,sDAAsD;IACtD,QAAQ,CAAC,cAAc,CAAC,EAAE;QACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;QAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;QAC3B,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;QAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;KAChD,CAAC;IACF,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,CAAC,EAAE;QACtB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;KAC1C,CAAC;IACF,oDAAoD;IACpD,QAAQ,CAAC,YAAY,CAAC,EAAE;QACtB,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QACrC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/C,CAAC;IACF,iEAAiE;IACjE,QAAQ,CAAC,WAAW,CAAC,EAAE;QACrB,QAAQ,CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;QACtC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QACrC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/C,CAAC;IACF,6DAA6D;IAC7D,QAAQ,CAAC,qBAAqB,CAAC,EAAE;QAC/B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;QAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;QACxC,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;KACjC,CAAC;CACH;AAED,6DAA6D;AAC7D,MAAM,WAAW,oBAAoB;IACnC,wBAAwB;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,0DAA0D;IAC1D,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACrD;AAMD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oDAAoD;IACpD,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,yDAAyD;IACzD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,wCAAwC;IACxC,QAAQ,CAAC,OAAO,EAAE,SAAS,eAAe,EAAE,CAAC;IAC7C,wDAAwD;IACxD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAMD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iDAAiD;IACjD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,mDAAmD;IACnD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,uDAAuD;IACvD,QAAQ,CAAC,cAAc,EAAE,WAAW,GAAG,SAAS,GAAG,eAAe,CAAC;IACnE,sCAAsC;IACtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,0BAA0B;IAC1B,QAAQ,CAAC,KAAK,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;IAC5C,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,SAAS,cAAc,EAAE,CAAC;IAC/C,sDAAsD;IACtD,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,6DAA6D;IAC7D,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;CACxC;AAMD,gDAAgD;AAChD,MAAM,WAAW,gBAAgB;IAC/B,yCAAyC;IACzC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,0DAA0D;IAC1D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,iDAAiD;AACjD,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,yDAAyD;IACzD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,iEAAiE;AACjE,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,6CAA6C;AAC7C,MAAM,MAAM,SAAS,CAAC,CAAC,IACnB;IAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;CAAE,GACvC;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC"}

package/dist/types.js

@@ -0,0 +1,11 @@
+/**
+ * TypeScript interfaces for the AumOS OWASP ASI Top 10 defensive library.
+ *
+ * Mirrors the Python types defined in:
+ *   aumos_owasp_defenses.scanner.agent_scanner
+ *   aumos_owasp_defenses.scanner.report_generator
+ *
+ * All interfaces use readonly fields to match Python's frozen dataclasses.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@aumos/owasp-defenses",
+  "version": "0.1.0",
+  "description": "TypeScript client for the AumOS OWASP ASI Top 10 defensive library — agent security scanning, threat detection, and compliance reporting",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.0"
+  },
+  "keywords": [
+    "aumos",
+    "owasp",
+    "asi",
+    "agent-security",
+    "scanning",
+    "typescript"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/aumos-ai/aumos-owasp-defenses"
+  }
+}

package/src/client.ts

@@ -0,0 +1,275 @@
+/**
+ * HTTP client for the AumOS OWASP ASI Top 10 defensive library API.
+ *
+ * Uses the Fetch API (available natively in Node 18+, browsers, and Deno).
+ * No external dependencies required.
+ *
+ * @example
+ * ```ts
+ * import { createOwaspDefensesClient } from "@aumos/owasp-defenses";
+ *
+ * const client = createOwaspDefensesClient({ baseUrl: "http://localhost:8093" });
+ *
+ * const result = await client.scanInput({
+ *   input: "Tell me how to access /etc/passwd",
+ *   agent_id: "my-agent",
+ * });
+ *
+ * if (result.ok && result.data.blocked) {
+ *   console.log("Threat detected:", result.data.threats);
+ * }
+ * ```
+ */
+
+import type {
+  ApiError,
+  ApiResult,
+  ComplianceReport,
+  DefenseConfig,
+  ScanInputRequest,
+  ScanOutputRequest,
+  ScanResult,
+  ValidationResult,
+} from "./types.js";
+
+// ---------------------------------------------------------------------------
+// Client configuration
+// ---------------------------------------------------------------------------
+
+/** Configuration options for the OwaspDefensesClient. */
+export interface OwaspDefensesClientConfig {
+  /** Base URL of the OWASP defenses server (e.g. "http://localhost:8093"). */
+  readonly baseUrl: string;
+  /** Optional request timeout in milliseconds (default: 30000). */
+  readonly timeoutMs?: number;
+  /** Optional extra HTTP headers sent with every request. */
+  readonly headers?: Readonly<Record<string, string>>;
+}
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+async function fetchJson<T>(
+  url: string,
+  init: RequestInit,
+  timeoutMs: number,
+): Promise<ApiResult<T>> {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+
+  try {
+    const response = await fetch(url, { ...init, signal: controller.signal });
+    clearTimeout(timeoutId);
+
+    const body = await response.json() as unknown;
+
+    if (!response.ok) {
+      const errorBody = body as Partial<ApiError>;
+      return {
+        ok: false,
+        error: {
+          error: errorBody.error ?? "Unknown error",
+          detail: errorBody.detail ?? "",
+        },
+        status: response.status,
+      };
+    }
+
+    return { ok: true, data: body as T };
+  } catch (err: unknown) {
+    clearTimeout(timeoutId);
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      error: { error: "Network error", detail: message },
+      status: 0,
+    };
+  }
+}
+
+function buildHeaders(
+  extraHeaders: Readonly<Record<string, string>> | undefined,
+): Record<string, string> {
+  return {
+    "Content-Type": "application/json",
+    Accept: "application/json",
+    ...extraHeaders,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Client interface
+// ---------------------------------------------------------------------------
+
+/** Typed HTTP client for the OWASP defenses server. */
+export interface OwaspDefensesClient {
+  /**
+   * Scan an agent's input payload for security threats.
+   *
+   * Evaluates the input against all relevant ASI defense categories
+   * and returns detected threats along with a blocking decision.
+   *
+   * @param request - The input payload and agent context.
+   * @returns A ValidationResult with threat detections and blocking decision.
+   */
+  scanInput(request: ScanInputRequest): Promise<ApiResult<ValidationResult>>;
+
+  /**
+   * Scan an agent's output payload for security issues.
+   *
+   * Evaluates the output for data exfiltration, PII leakage, and
+   * other output-side ASI violations.
+   *
+   * @param request - The output payload and agent context.
+   * @returns A ValidationResult with threat detections and blocking decision.
+   */
+  scanOutput(request: ScanOutputRequest): Promise<ApiResult<ValidationResult>>;
+
+  /**
+   * Retrieve the current defense status for a configured agent.
+   *
+   * Returns a full ScanResult representing the agent's current
+   * defense posture based on its declared configuration.
+   *
+   * @param agentId - The agent identifier to inspect.
+   * @returns A ScanResult with per-category scores and grades.
+   */
+  getDefenseStatus(agentId: string): Promise<ApiResult<ScanResult>>;
+
+  /**
+   * Validate an agent tool declaration against security rules.
+   *
+   * Checks whether the tool's schema, name, and configuration
+   * conform to ASI-02 (Tool and Resource Misuse) requirements.
+   *
+   * @param agentId - The agent that owns the tool.
+   * @param toolName - The name of the tool to validate.
+   * @param toolSchema - The tool's argument schema (JSON Schema object).
+   * @returns A ValidationResult for the tool declaration.
+   */
+  validateTool(
+    agentId: string,
+    toolName: string,
+    toolSchema: Readonly<Record<string, unknown>>,
+  ): Promise<ApiResult<ValidationResult>>;
+
+  /**
+   * Generate a compliance report for an agent based on its defense configuration.
+   *
+   * Runs the full scan profile against the supplied DefenseConfig and
+   * returns a structured compliance report.
+   *
+   * @param config - The agent defense configuration to evaluate.
+   * @returns A ComplianceReport with overall status, score, and per-category details.
+   */
+  getComplianceReport(config: DefenseConfig): Promise<ApiResult<ComplianceReport>>;
+
+  /**
+   * Register or update an agent's defense configuration on the server.
+   *
+   * @param config - The defense configuration to register.
+   * @returns The registered DefenseConfig as confirmed by the server.
+   */
+  registerConfig(config: DefenseConfig): Promise<ApiResult<DefenseConfig>>;
+}
+
+// ---------------------------------------------------------------------------
+// Client factory
+// ---------------------------------------------------------------------------
+
+/**
+ * Create a typed HTTP client for the OWASP defenses server.
+ *
+ * @param config - Client configuration including base URL.
+ * @returns An OwaspDefensesClient instance.
+ */
+export function createOwaspDefensesClient(
+  config: OwaspDefensesClientConfig,
+): OwaspDefensesClient {
+  const { baseUrl, timeoutMs = 30_000, headers: extraHeaders } = config;
+  const baseHeaders = buildHeaders(extraHeaders);
+
+  return {
+    async scanInput(
+      request: ScanInputRequest,
+    ): Promise<ApiResult<ValidationResult>> {
+      return fetchJson<ValidationResult>(
+        `${baseUrl}/scan/input`,
+        {
+          method: "POST",
+          headers: baseHeaders,
+          body: JSON.stringify(request),
+        },
+        timeoutMs,
+      );
+    },
+
+    async scanOutput(
+      request: ScanOutputRequest,
+    ): Promise<ApiResult<ValidationResult>> {
+      return fetchJson<ValidationResult>(
+        `${baseUrl}/scan/output`,
+        {
+          method: "POST",
+          headers: baseHeaders,
+          body: JSON.stringify(request),
+        },
+        timeoutMs,
+      );
+    },
+
+    async getDefenseStatus(agentId: string): Promise<ApiResult<ScanResult>> {
+      return fetchJson<ScanResult>(
+        `${baseUrl}/agents/${encodeURIComponent(agentId)}/status`,
+        { method: "GET", headers: baseHeaders },
+        timeoutMs,
+      );
+    },
+
+    async validateTool(
+      agentId: string,
+      toolName: string,
+      toolSchema: Readonly<Record<string, unknown>>,
+    ): Promise<ApiResult<ValidationResult>> {
+      return fetchJson<ValidationResult>(
+        `${baseUrl}/tools/validate`,
+        {
+          method: "POST",
+          headers: baseHeaders,
+          body: JSON.stringify({ agent_id: agentId, tool_name: toolName, schema: toolSchema }),
+        },
+        timeoutMs,
+      );
+    },
+
+    async getComplianceReport(
+      config: DefenseConfig,
+    ): Promise<ApiResult<ComplianceReport>> {
+      return fetchJson<ComplianceReport>(
+        `${baseUrl}/compliance/report`,
+        {
+          method: "POST",
+          headers: baseHeaders,
+          body: JSON.stringify(config),
+        },
+        timeoutMs,
+      );
+    },
+
+    async registerConfig(
+      config: DefenseConfig,
+    ): Promise<ApiResult<DefenseConfig>> {
+      return fetchJson<DefenseConfig>(
+        `${baseUrl}/agents/${encodeURIComponent(config.agent_id)}/config`,
+        {
+          method: "PUT",
+          headers: baseHeaders,
+          body: JSON.stringify(config),
+        },
+        timeoutMs,
+      );
+    },
+  };
+}
+

package/src/index.ts

@@ -0,0 +1,28 @@
+/**
+ * @aumos/owasp-defenses
+ *
+ * TypeScript client for the AumOS OWASP ASI Top 10 defensive library.
+ * Provides HTTP client and security type definitions for agent input/output
+ * scanning, threat detection, tool validation, and compliance reporting.
+ */
+
+// Client and configuration
+export type { OwaspDefensesClient, OwaspDefensesClientConfig } from "./client.js";
+export { createOwaspDefensesClient } from "./client.js";
+
+// Core types
+export type {
+  DefenseCategory,
+  ScanProfile,
+  CategoryResult,
+  ScanResult,
+  ThreatDetection,
+  DefenseConfig,
+  AgentToolDeclaration,
+  ValidationResult,
+  ComplianceReport,
+  ScanInputRequest,
+  ScanOutputRequest,
+  ApiError,
+  ApiResult,
+} from "./types.js";

package/src/types.ts

@@ -0,0 +1,272 @@
+/**
+ * TypeScript interfaces for the AumOS OWASP ASI Top 10 defensive library.
+ *
+ * Mirrors the Python types defined in:
+ *   aumos_owasp_defenses.scanner.agent_scanner
+ *   aumos_owasp_defenses.scanner.report_generator
+ *
+ * All interfaces use readonly fields to match Python's frozen dataclasses.
+ */
+
+// ---------------------------------------------------------------------------
+// OWASP ASI category identifiers
+// ---------------------------------------------------------------------------
+
+/**
+ * The ten OWASP ASI (Agentic Security Initiative) Top 10 category identifiers.
+ * Maps to the ASI category system in the Python scanner.
+ */
+export type DefenseCategory =
+  | "ASI-01" // Goal and Task Hijacking
+  | "ASI-02" // Tool and Resource Misuse
+  | "ASI-03" // Identity and Privilege Compromise
+  | "ASI-04" // Supply Chain and Dependency Risks
+  | "ASI-05" // Insecure Code Execution
+  | "ASI-06" // Memory and Context Manipulation
+  | "ASI-07" // Inter-Agent Trust Exploitation
+  | "ASI-08" // Cascading and Recursive Failures
+  | "ASI-09" // Context Trust Exploitation
+  | "ASI-10"; // Rogue and Emergent Agent Behaviors
+
+// ---------------------------------------------------------------------------
+// Scan profile
+// ---------------------------------------------------------------------------
+
+/**
+ * Pre-defined scan profiles controlling which ASI categories are evaluated.
+ * Maps to ScanProfile enum in Python.
+ */
+export type ScanProfile =
+  | "standard"   // All ten ASI categories
+  | "quick"      // ASI-01, ASI-02, ASI-03 only
+  | "mcp_focused" // ASI-01, ASI-02, ASI-04, ASI-07
+  | "compliance"; // All ten categories with stricter thresholds
+
+// ---------------------------------------------------------------------------
+// Category result
+// ---------------------------------------------------------------------------
+
+/**
+ * Result for a single ASI category evaluation.
+ * Maps to CategoryResult dataclass in Python.
+ */
+export interface CategoryResult {
+  /** Category identifier (e.g. "ASI-01"). */
+  readonly asi_id: DefenseCategory;
+  /** Human-readable category name. */
+  readonly name: string;
+  /** Evaluation status: "PASS", "WARN", or "FAIL". */
+  readonly status: "PASS" | "WARN" | "FAIL";
+  /** Numeric score for this category (0–100). */
+  readonly score: number;
+  /** One-sentence description of the finding. */
+  readonly summary: string;
+  /** List of detailed finding strings. */
+  readonly findings: readonly string[];
+  /** Actionable remediation steps. */
+  readonly recommendations: readonly string[];
+  /** Whether the issue can be resolved automatically. */
+  readonly auto_fixable: boolean;
+}
+
+// ---------------------------------------------------------------------------
+// Scan result
+// ---------------------------------------------------------------------------
+
+/**
+ * Aggregate result of a full agent security scan.
+ * Maps to ScanResult dataclass in Python.
+ */
+export interface ScanResult {
+  /** Identifier of the scanned agent. */
+  readonly agent_id: string;
+  /** The scan profile used. */
+  readonly profile: ScanProfile;
+  /** Overall security score (0–100), average of category scores. */
+  readonly score: number;
+  /** Letter grade derived from score (A–F). */
+  readonly grade: "A" | "B" | "C" | "D" | "F";
+  /** Per-ASI-category results. */
+  readonly category_results: readonly CategoryResult[];
+  /** ISO-8601 UTC timestamp of when the scan was performed. */
+  readonly scanned_at: string;
+  /** Wall-clock time for the scan in milliseconds. */
+  readonly scan_duration_ms: number;
+  /** Count of PASS categories. */
+  readonly passed: number;
+  /** Count of WARN categories. */
+  readonly warned: number;
+  /** Count of FAIL categories. */
+  readonly failed: number;
+}
+
+// ---------------------------------------------------------------------------
+// Threat detection
+// ---------------------------------------------------------------------------
+
+/**
+ * A detected threat or security concern found during input/output scanning.
+ */
+export interface ThreatDetection {
+  /** The ASI category this threat maps to. */
+  readonly category: DefenseCategory;
+  /** Severity level of the detected threat. */
+  readonly severity: "low" | "medium" | "high" | "critical";
+  /** Human-readable description of what was detected. */
+  readonly description: string;
+  /** Whether this threat blocks the action from proceeding. */
+  readonly blocking: boolean;
+  /** Optional remediation suggestion. */
+  readonly remediation?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Defense configuration
+// ---------------------------------------------------------------------------
+
+/**
+ * Configuration for the defense scanning client.
+ * Mirrors the agent config format accepted by AgentScanner in Python.
+ */
+export interface DefenseConfig {
+  /** Identifier for the agent being configured. */
+  readonly agent_id: string;
+  /** The scan profile to apply during scanning. */
+  readonly profile?: ScanProfile;
+  /** System prompt of the agent (used for ASI-01 checks). */
+  readonly system_prompt?: string;
+  /** Tool declarations with their schemas. */
+  readonly tools?: readonly AgentToolDeclaration[];
+  /** Declared capability names for privilege checking. */
+  readonly capabilities?: readonly string[];
+  /** Rate limiting configuration. */
+  readonly rate_limits?: { readonly enabled: boolean };
+  /** Circuit breaker configuration. */
+  readonly circuit_breakers?: { readonly enabled: boolean };
+  /** Memory configuration for ASI-06 checks. */
+  readonly memory?: {
+    readonly enabled: boolean;
+    readonly provenance_tracking?: boolean;
+    readonly trust_level_enforcement?: boolean;
+  };
+  /** Code execution configuration for ASI-05 checks. */
+  readonly code_execution?: {
+    readonly enabled: boolean;
+    readonly sandbox?: boolean;
+    readonly allowed_paths?: readonly string[];
+    readonly command_allowlist?: readonly string[];
+  };
+  /** Trust configuration for ASI-09 checks. */
+  readonly trust_config?: {
+    readonly ceiling?: string;
+    readonly allow_self_escalation?: boolean;
+  };
+  /** Supply chain configuration for ASI-04 checks. */
+  readonly supply_chain?: {
+    readonly hash_verification?: boolean;
+    readonly vendor_allowlist?: readonly string[];
+  };
+  /** Inter-agent communication configuration for ASI-07 checks. */
+  readonly inter_agent?: {
+    readonly message_validation?: boolean;
+    readonly replay_protection?: boolean;
+    readonly sender_allowlist?: readonly string[];
+  };
+  /** Behavioral monitoring configuration for ASI-10 checks. */
+  readonly behavioral_monitoring?: {
+    readonly enabled: boolean;
+    readonly baseline_established?: boolean;
+    readonly drift_alerts?: boolean;
+  };
+}
+
+/** Declaration of a single tool with its argument schema. */
+export interface AgentToolDeclaration {
+  /** Name of the tool. */
+  readonly name: string;
+  /** JSON Schema object describing the tool's arguments. */
+  readonly schema?: Readonly<Record<string, unknown>>;
+}
+
+// ---------------------------------------------------------------------------
+// Validation result
+// ---------------------------------------------------------------------------
+
+/**
+ * Result of validating a tool or input against defense rules.
+ */
+export interface ValidationResult {
+  /** Whether the validated item passes all checks. */
+  readonly valid: boolean;
+  /** Whether the item should be blocked from execution. */
+  readonly blocked: boolean;
+  /** List of detected threats, if any. */
+  readonly threats: readonly ThreatDetection[];
+  /** Human-readable summary of the validation outcome. */
+  readonly summary: string;
+}
+
+// ---------------------------------------------------------------------------
+// Compliance report
+// ---------------------------------------------------------------------------
+
+/**
+ * A compliance report summarising the defense posture of an agent.
+ */
+export interface ComplianceReport {
+  /** Identifier of the agent that was assessed. */
+  readonly agent_id: string;
+  /** ISO-8601 UTC timestamp of report generation. */
+  readonly generated_at: string;
+  /** Overall compliance status across all categories. */
+  readonly overall_status: "compliant" | "partial" | "non_compliant";
+  /** Overall security score (0–100). */
+  readonly score: number;
+  /** Letter grade (A–F). */
+  readonly grade: "A" | "B" | "C" | "D" | "F";
+  /** Per-category compliance breakdown. */
+  readonly categories: readonly CategoryResult[];
+  /** Total number of findings across all categories. */
+  readonly total_findings: number;
+  /** Total number of recommendations across all categories. */
+  readonly total_recommendations: number;
+}
+
+// ---------------------------------------------------------------------------
+// API request types
+// ---------------------------------------------------------------------------
+
+/** Request to scan an agent's input payload. */
+export interface ScanInputRequest {
+  /** The input text or payload to scan. */
+  readonly input: string;
+  /** Agent identifier for context. */
+  readonly agent_id: string;
+  /** Optional tool name if the input is a tool argument. */
+  readonly tool_name?: string;
+}
+
+/** Request to scan an agent's output payload. */
+export interface ScanOutputRequest {
+  /** The output text or payload to scan. */
+  readonly output: string;
+  /** Agent identifier for context. */
+  readonly agent_id: string;
+  /** Optional tool name if the output is a tool result. */
+  readonly tool_name?: string;
+}
+
+// ---------------------------------------------------------------------------
+// API result wrapper
+// ---------------------------------------------------------------------------
+
+/** Standard error payload returned by the OWASP defenses API. */
+export interface ApiError {
+  readonly error: string;
+  readonly detail: string;
+}
+
+/** Result type for all client operations. */
+export type ApiResult<T> =
+  | { readonly ok: true; readonly data: T }
+  | { readonly ok: false; readonly error: ApiError; readonly status: number };

package/tsconfig.json

@@ -0,0 +1,25 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2020", "DOM"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noImplicitReturns": true,
+    "exactOptionalPropertyTypes": true,
+    "forceConsistentCasingInFileNames": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}