@beingmartinbmc/ojas 0.2.0

package/docs/TRUST.md

@@ -0,0 +1,88 @@
+# Trust model
+
+Ojas is built to make autonomous agents easier to monitor, harden, and
+recover. This document defines the boundary of that trust so the README
+can stay product-focused without hiding operational caveats.
+
+## Current deployment boundary
+
+Ojas v0.3 is experimental local infrastructure. The MCP server currently
+uses **stdio transport only** and assumes the MCP host that launches it is
+trusted.
+
+Agent IDs are routing identifiers, not credentials. This is the
+intentional trust boundary for this version, not a missing feature:
+stdio MCP has no portable per-call identity to authenticate against, so
+the security boundary is the OS / process boundary that runs the server.
+
+Do **not** expose the MCP server to untrusted callers, multiple tenants,
+or the network without an external authenticated gateway.
+
+## MCP trust model
+
+The Ojas MCP server is intended to be launched by a trusted local MCP host
+such as Claude Code, Cursor, or Windsurf for a single user / workspace.
+It does **not** authenticate individual MCP tool calls. Any process that
+can launch or talk to the stdio server is trusted as the caller.
+
+- Run one process per trusted user / workspace.
+- Do not expose this server over a network or share one process across untrusted users.
+- For multi-user or network deployments, front Ojas with an authenticated MCP gateway, or run one isolated Ojas process per user / workspace.
+
+Recommended locked-down local configuration:
+
+```bash
+OJAS_TRUSTED_SINGLE_TENANT=1    # acknowledge the trust model (silences warning)
+OJAS_DISABLE_AUTO_REGISTER=1    # reject unknown agent_id, force explicit registration
+OJAS_ALLOWED_AGENT_IDS=my-agent # hard allowlist
+OJAS_MAX_AGENTS=1               # one agent per process
+# do NOT set OJAS_ALLOW_REPLACE_EXISTING unless you're debugging
+```
+
+Full security posture and non-goals live in [`SECURITY.md`](./SECURITY.md).
+
+## Evidence caveats
+
+Ojas v0.3 ships with L2 / L2.5 evidence: reproducible synthetic and
+realistic-synthetic benchmark suites. These prove the mechanisms work as
+designed against canonical failure patterns.
+
+They are not yet proof of:
+
+- production security against real adversaries
+- real-LLM token, latency, or cost numbers
+- generalisation across organisations or threat models
+- live incident reduction in production
+
+The opt-in real-LLM and judge pipeline exists, but Ojas does not claim L3
+evidence until those runs are regular, stored, externally covered, and
+spot-reviewed. See [`EVIDENCE_MATRIX.md`](./EVIDENCE_MATRIX.md).
+
+## Demo limitations
+
+The README demo is deterministic. It uses a tiny stand-in agent, not a
+real LLM call, so it needs no API keys and should produce identical output
+every run.
+
+Raksha is a deterministic detector stack plus optional classifier
+interfaces. It catches canonical injection patterns and several common
+bypass classes, but it is not a learned security boundary. Remaining
+bypass categories are listed in [`KNOWN_FAILURES.md`](./KNOWN_FAILURES.md).
+
+Treat health scores as advisory signals, not authoritative ground truth.
+They are useful for triage, trend deltas, and gates you tune for your own
+agent runtime.
+
+## What v0.3 added
+
+v0.3 improves the trust story with:
+
+- `PromptInjectionClassifier` plugins
+- `AbortSignal` cancellation
+- SQLite encryption and backup support
+- L3 evidence pipeline scaffolding
+- MCP audit logging
+- integration adapters for LangChain, OpenAI Agents SDK, Vercel AI SDK, and MCP clients
+
+The next trust step is recurring L3 evidence: real LLM runs with stored
+transcripts, judge output, and human spot review.

package/package.json

@@ -0,0 +1,101 @@
+{
+  "name": "@beingmartinbmc/ojas",
+  "version": "0.2.0",
+  "description": "Ojas — AI Health Infrastructure for Autonomous Agents",
+  "license": "MIT",
+  "author": "Ankit Sharma <ankit.sharma199803@gmail.com>",
+  "homepage": "https://github.com/beingmartinbmc/ojas#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/beingmartinbmc/ojas.git"
+  },
+  "bugs": {
+    "url": "https://github.com/beingmartinbmc/ojas/issues"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.js"
+    },
+    "./mcp/server": {
+      "types": "./dist/mcp/server.d.ts",
+      "require": "./dist/mcp/server.js"
+    },
+    "./persistence/sqlite": {
+      "types": "./dist/persistence/sqlite.d.ts",
+      "require": "./dist/persistence/sqlite.js"
+    },
+    "./raksha/classifiers": {
+      "types": "./dist/raksha/classifiers/index.d.ts",
+      "require": "./dist/raksha/classifiers/index.js"
+    },
+    "./util/calibration": {
+      "types": "./dist/util/calibration.d.ts",
+      "require": "./dist/util/calibration.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "bin": {
+    "ojas-mcp": "dist/mcp/server.js"
+  },
+  "files": [
+    "dist",
+    "docs",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -b",
+    "typecheck:aux": "tsc -p tsconfig.check.json",
+    "pretest": "tsc -b",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js --coverage",
+    "lint": "eslint \"src/**/*.ts\" \"benchmarks/**/*.ts\" \"test/**/*.ts\" \"examples/**/*.ts\"",
+    "check": "npm run lint && npm run build && npm run typecheck:aux && npm test",
+    "demo": "ts-node src/demo.ts",
+    "demo:before-after": "ts-node examples/before-after.ts",
+    "mcp": "ts-node src/mcp/server.ts",
+    "mcp:built": "node dist/mcp/server.js",
+    "benchmark": "npm run typecheck:aux && ts-node benchmarks/runner.ts",
+    "benchmark:fast": "ts-node --transpile-only benchmarks/runner.ts",
+    "benchmark:write": "npm run typecheck:aux && ts-node benchmarks/runner.ts --write-evidence",
+    "verify:evidence": "ts-node benchmarks/verify-evidence.ts",
+    "prepublishOnly": "npm run check && npm run benchmark && npm run verify:evidence"
+  },
+  "keywords": [
+    "ai",
+    "agents",
+    "mcp",
+    "observability",
+    "agent-health",
+    "prompt-injection",
+    "context-engineering",
+    "autonomous-agents",
+    "llm",
+    "typescript"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "better-sqlite3": "^12.10.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/jest": "^29.5.0",
+    "@types/node": "^20.11.0",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
+    "@typescript-eslint/parser": "^7.18.0",
+    "eslint": "^8.56.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.0",
+    "ts-node": "^10.9.0",
+    "typescript": "^5.4.0"
+  }
+}