npm - @bulwark-ai/gateway - Versions diffs - 0.1.0 - Mend

@bulwark-ai/gateway 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,1490 @@
+import { Request, Response as Response$1, NextFunction, Router } from 'express';
+interface PIIConfig {
+    enabled: boolean;
+    /** Action when PII detected: "block" rejects request, "redact" masks PII, "warn" logs but allows */
+    action?: "block" | "redact" | "warn";
+    /** PII types to detect */
+    types?: PIIType[];
+    /** Custom regex patterns */
+    customPatterns?: {
+        name: string;
+        pattern: string;
+        action?: "block" | "redact" | "warn";
+    }[];
+}
+type PIIType = "email" | "phone" | "ssn" | "credit_card" | "iban" | "ip_address" | "passport" | "drivers_license" | "date_of_birth" | "address" | "name" | "vat_number" | "national_id" | "medical_id";
+interface PIIMatch {
+    type: PIIType | string;
+    value: string;
+    redacted: string;
+    start: number;
+    end: number;
+}
+interface ContentPolicy {
+    /** Unique policy ID */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Policy type */
+    type: "topic_restriction" | "keyword_block" | "regex_block" | "max_tokens";
+    /** Keywords or patterns to match */
+    patterns?: string[];
+    /** Regex pattern */
+    regex?: string;
+    /** Max tokens (for max_tokens type) */
+    maxTokens?: number;
+    /** Action when violated */
+    action: "block" | "warn";
+    /** Apply to specific teams/users only (empty = all) */
+    applyTo?: {
+        teams?: string[];
+        users?: string[];
+    };
+    /** Tenant scope (multi-tenant mode) */
+    tenantId?: string;
+}
+interface BudgetConfig {
+    enabled: boolean;
+    /** Default monthly token budget per user (0 = unlimited) */
+    defaultUserLimit?: number;
+    /** Default monthly token budget per team (0 = unlimited) */
+    defaultTeamLimit?: number;
+    /** Action when budget exceeded: "block" or "warn" */
+    onExceeded?: "block" | "warn";
+    /** Alert thresholds (0-1) — triggers callback */
+    alertThresholds?: number[];
+    /** Callback when threshold hit */
+    onAlert?: (alert: BudgetAlert) => void | Promise<void>;
+}
+interface BudgetAlert {
+    type: "user" | "team" | "tenant";
+    id: string;
+    threshold: number;
+    used: number;
+    limit: number;
+    costUsd: number;
+}
+interface UsageRecord {
+    userId?: string;
+    teamId?: string;
+    tenantId?: string;
+    model: string;
+    inputTokens: number;
+    outputTokens: number;
+    costUsd: number;
+    timestamp: string;
+}
+interface CostRecord {
+    model: string;
+    provider: string;
+    inputTokens: number;
+    outputTokens: number;
+    inputCost: number;
+    outputCost: number;
+    totalCost: number;
+}
+/** Per million tokens pricing */
+declare const MODEL_PRICING: Record<string, {
+    input: number;
+    output: number;
+}>;
+interface RAGConfig {
+    enabled: boolean;
+    /** Embedding model */
+    embeddingModel?: string;
+    /** Chunk size in characters */
+    chunkSize?: number;
+    /** Chunk overlap */
+    chunkOverlap?: number;
+    /** Max chunks to retrieve per query */
+    topK?: number;
+    /** Minimum similarity score (0-1) */
+    minScore?: number;
+}
+interface Chunk {
+    id: string;
+    sourceId: string;
+    sourceName: string;
+    content: string;
+    embedding?: number[];
+    metadata?: Record<string, unknown>;
+    tenantId?: string;
+}
+interface SearchResult {
+    chunk: Chunk;
+    score: number;
+}
+interface KnowledgeSource {
+    id: string;
+    name: string;
+    type: "pdf" | "docx" | "text" | "markdown" | "csv" | "html" | "url" | "confluence" | "sharepoint";
+    status: "pending" | "indexing" | "active" | "error";
+    chunkCount: number;
+    tenantId?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+interface ProviderConfig {
+    apiKey: string;
+    baseUrl?: string;
+    defaultModel?: string;
+}
+type GatewayProvider = "openai" | "anthropic" | "mistral" | "google" | "ollama" | "azure" | "custom";
+interface GatewayConfig {
+    /** LLM provider credentials */
+    providers: Partial<Record<GatewayProvider, ProviderConfig>>;
+    /** Database connection — SQLite path or Postgres URL */
+    database: string;
+    /** PII detection config */
+    pii?: PIIConfig | boolean;
+    /** Content policies */
+    policies?: ContentPolicy[];
+    /** Budget enforcement */
+    budgets?: BudgetConfig | boolean;
+    /** Audit logging — true = enabled with defaults */
+    audit?: boolean;
+    /** RAG knowledge base */
+    rag?: RAGConfig;
+    /** Multi-tenant mode */
+    multiTenant?: boolean;
+    /** Default model to use if not specified per request */
+    defaultModel?: string;
+    /** Model pricing overrides (per million tokens) */
+    modelPricing?: Record<string, {
+        input: number;
+        output: number;
+    }>;
+    /** Retry config for failed LLM calls */
+    retry?: {
+        /** Max retry attempts (default: 2) */
+        maxRetries?: number;
+        /** Base delay in ms before retry (default: 1000). Doubles each attempt (exponential backoff). */
+        baseDelayMs?: number;
+        /** Retry on these HTTP status codes (default: [429, 500, 502, 503, 504]) */
+        retryableStatuses?: number[];
+    };
+    /**
+     * Fallback models — tried in order when the primary model fails.
+     * Maps a model name to a list of fallback models.
+     *
+     * @example
+     * ```ts
+     * fallbacks: {
+     *   "gpt-4o": ["gpt-4o-mini", "claude-sonnet-4-20250514"],
+     *   "claude-opus-4-20250514": ["gpt-4o", "gemini-1.5-pro"],
+     * }
+     * ```
+     */
+    fallbacks?: Record<string, string[]>;
+}
+interface ChatMessage {
+    role: "system" | "user" | "assistant" | "tool";
+    content: string;
+    name?: string;
+}
+interface ChatRequest {
+    /** Model name — auto-routes to correct provider */
+    model?: string;
+    messages: ChatMessage[];
+    /** User ID for budget/audit tracking */
+    userId?: string;
+    /** Team ID for team-level budgets */
+    teamId?: string;
+    /** Tenant ID for multi-tenant isolation */
+    tenantId?: string;
+    /** RAG knowledge base to search */
+    knowledgeBase?: string;
+    /** Override PII settings for this request */
+    pii?: boolean;
+    /** Override policies for this request */
+    skipPolicies?: boolean;
+    /** Streaming */
+    stream?: boolean;
+    /** Pass-through params (temperature, max_tokens, etc) */
+    temperature?: number;
+    maxTokens?: number;
+    topP?: number;
+    stop?: string[];
+}
+interface ChatResponse {
+    /** Generated text */
+    content: string;
+    /** Model used */
+    model: string;
+    /** Provider used */
+    provider: GatewayProvider;
+    /** Token usage */
+    usage: {
+        inputTokens: number;
+        outputTokens: number;
+        totalTokens: number;
+    };
+    /** Cost in USD */
+    cost: {
+        input: number;
+        output: number;
+        total: number;
+    };
+    /** PII detections (if any were found and redacted) */
+    piiDetections?: {
+        type: string;
+        redacted: boolean;
+    }[];
+    /** Policy violations (if any) */
+    policyViolations?: {
+        policy: string;
+        action: "blocked" | "warned";
+    }[];
+    /** RAG sources used */
+    sources?: {
+        content: string;
+        source: string;
+        score: number;
+    }[];
+    /** Audit log entry ID */
+    auditId?: string;
+    /** Request duration in ms */
+    durationMs: number;
+}
+interface PolicyViolation {
+    policyId: string;
+    policyName: string;
+    action: "block" | "warn";
+    matchedPattern?: string;
+}
+interface CheckContext {
+    userId?: string;
+    teamId?: string;
+    tenantId?: string;
+}
+declare class PolicyEngine {
+    private policies;
+    constructor(policies: ContentPolicy[]);
+    /** Get all policies */
+    getPolicies(): ContentPolicy[];
+    /** Add a policy at runtime */
+    addPolicy(policy: ContentPolicy): void;
+    /** Remove a policy by ID */
+    removePolicy(id: string): void;
+    /** Check messages against all active policies */
+    check(messages: ChatMessage[], context: CheckContext): PolicyViolation[];
+}
+/**
+ * Pluggable database abstraction.
+ * SQLite by default (zero-config), Postgres for production.
+ */
+interface Database {
+    init(): void;
+    run(sql: string, params?: unknown[]): void;
+    queryOne<T>(sql: string, params?: unknown[]): T | undefined;
+    queryAll<T>(sql: string, params?: unknown[]): T[];
+    close(): void;
+}
+/** Create database instance based on connection string */
+declare function createDatabase(connection: string): Database;
+interface AuditEntry {
+    id: string;
+    tenantId?: string;
+    userId?: string;
+    teamId?: string;
+    action: "chat" | "embed" | "search" | "upload" | "policy_block" | "pii_detected" | "budget_exceeded" | "login";
+    model?: string;
+    provider?: string;
+    inputTokens?: number;
+    outputTokens?: number;
+    costUsd?: number;
+    durationMs?: number;
+    piiDetections?: number;
+    policyViolations?: string[];
+    metadata?: Record<string, unknown>;
+    timestamp: string;
+}
+interface AuditStore {
+    log(entry: Omit<AuditEntry, "id" | "timestamp">): Promise<string>;
+    query(filters: AuditQuery): Promise<{
+        entries: AuditEntry[];
+        total: number;
+    }>;
+}
+interface AuditQuery {
+    tenantId?: string;
+    userId?: string;
+    teamId?: string;
+    action?: string;
+    from?: string;
+    to?: string;
+    limit?: number;
+    offset?: number;
+}
+/**
+ * Document chunking — splits text into overlapping chunks for embedding.
+ * Supports: plain text, markdown, code.
+ */
+interface ChunkOptions {
+    /** Max characters per chunk */
+    chunkSize?: number;
+    /** Overlap between chunks */
+    chunkOverlap?: number;
+    /** Split strategy */
+    strategy?: "paragraph" | "sentence" | "fixed" | "markdown";
+}
+interface TextChunk {
+    content: string;
+    index: number;
+    metadata?: Record<string, unknown>;
+}
+declare function chunkText(text: string, options?: ChunkOptions): TextChunk[];
+/**
+ * Knowledge Base — document ingestion, chunking, embedding, and retrieval.
+ *
+ * Uses SQLite for chunk storage with in-process cosine similarity search.
+ * For production with large datasets, use Postgres + pgvector.
+ *
+ * @example
+ * ```ts
+ * const kb = gateway.knowledgeBase;
+ * await kb.ingest("My document content...", { name: "contract.pdf", type: "pdf" });
+ * const results = await kb.search("what are the payment terms?");
+ * ```
+ */
+declare class KnowledgeBase {
+    private db;
+    private config;
+    private embedder;
+    constructor(db: Database, config: RAGConfig, openaiApiKey: string);
+    /**
+     * Ingest text content into the knowledge base.
+     * Chunks the text, generates embeddings, and stores them.
+     */
+    ingest(content: string, source: {
+        name: string;
+        type: KnowledgeSource["type"];
+        tenantId?: string;
+    }, chunkOptions?: ChunkOptions): Promise<{
+        sourceId: string;
+        chunks: number;
+    }>;
+    /**
+     * Search the knowledge base using semantic similarity.
+     */
+    search(query: string, options?: {
+        tenantId?: string;
+        sourceId?: string;
+        topK?: number;
+        minScore?: number;
+    }): Promise<SearchResult[]>;
+    /** List all knowledge sources */
+    listSources(tenantId?: string): KnowledgeSource[];
+    /** Delete a knowledge source and all its chunks. If tenantId provided, verifies ownership. */
+    deleteSource(sourceId: string, tenantId?: string): void;
+}
+interface TenantConfig {
+    id: string;
+    name: string;
+    providerKeys?: Record<string, string>;
+    allowedModels?: string[];
+    monthlyBudgetUsd?: number;
+    policies?: string[];
+    settings?: Record<string, unknown>;
+    createdAt?: string;
+}
+/**
+ * Multi-tenant management.
+ * Handles tenant CRUD and ensures all queries are scoped by tenant_id.
+ */
+declare class TenantManager {
+    private db;
+    constructor(db: Database);
+    /** Create a new tenant */
+    create(name: string, settings?: Record<string, unknown>): TenantConfig;
+    /** Get a tenant by ID */
+    get(id: string): TenantConfig | null;
+    /** List all tenants */
+    list(): TenantConfig[];
+    /** Update tenant settings */
+    update(id: string, updates: {
+        name?: string;
+        settings?: Record<string, unknown>;
+    }): void;
+    /** Delete a tenant and ALL its data */
+    delete(id: string): void;
+    /** Get usage stats for a tenant */
+    getUsage(id: string): {
+        requests: number;
+        tokens: number;
+        costUsd: number;
+        activeUsers: number;
+    };
+}
+/**
+ * Bulwark AI Gateway
+ *
+ * Enterprise AI governance layer — drop into any Node.js app.
+ * PII detection, budget control, audit logging, multi-tenant, RAG.
+ *
+ * @example
+ * ```ts
+ * const gateway = new AIGateway({
+ *   providers: { openai: { apiKey: process.env.OPENAI_API_KEY! } },
+ *   database: "bulwark.db",
+ *   pii: { enabled: true, action: "redact" },
+ *   budgets: true,
+ *   audit: true,
+ * });
+ *
+ * const res = await gateway.chat({
+ *   model: "gpt-4o",
+ *   userId: "user-123",
+ *   messages: [{ role: "user", content: "Hello" }],
+ * });
+ * ```
+ */
+declare class AIGateway {
+    private readonly db;
+    private readonly providers;
+    private readonly piiDetector;
+    private readonly promptGuard;
+    private readonly _policyEngine;
+    private readonly costCalculator;
+    private readonly budgetManager;
+    private readonly auditStore;
+    private readonly kb;
+    private readonly cache;
+    private readonly rateLimiter;
+    private readonly _tenantManager;
+    private readonly timeoutMs;
+    private readonly retryConfig;
+    private readonly fallbacks;
+    private initialized;
+    private shutdownRequested;
+    private activeRequests;
+    constructor(config: GatewayConfig);
+    /** Initialize database tables. Called automatically on first request. */
+    init(): Promise<void>;
+    /**
+     * Send a chat completion request through the governance pipeline.
+     *
+     * Pipeline: Validate → PII scan → Policy check → Rate limit → Budget check → [RAG augment] → LLM call (with timeout) → Token count → Cost calc → Audit log
+     */
+    chat(request: ChatRequest): Promise<ChatResponse>;
+    /**
+     * Streaming chat — runs the full governance pipeline, then streams the LLM response.
+     * Pre-flight checks (PII, policies, budget, rate limit) run BEFORE streaming starts.
+     * Output PII scanning runs on the accumulated full response after streaming ends.
+     *
+     * @example
+     * ```ts
+     * const stream = gateway.chatStream({ model: "gpt-4o", userId: "user-1", messages: [...] });
+     * for await (const chunk of stream) {
+     *   if (chunk.type === "delta") process.stdout.write(chunk.content);
+     *   if (chunk.type === "done") console.log("Cost:", chunk.cost);
+     * }
+     * ```
+     */
+    chatStream(request: ChatRequest): AsyncGenerator<{
+        type: "delta" | "sources" | "pii_warning" | "usage" | "done" | "error";
+        content?: string;
+        sources?: ChatResponse["sources"];
+        piiTypes?: string[];
+        usage?: ChatResponse["usage"];
+        cost?: ChatResponse["cost"];
+        auditId?: string;
+        durationMs?: number;
+    }>;
+    /** Validate chat request inputs */
+    private validateRequest;
+    /**
+     * Call LLM with retry + fallback chain.
+     * Tries the primary model with retries, then falls back to configured alternatives.
+     */
+    private callWithRetryAndFallback;
+    /** Call LLM with timeout */
+    private callWithTimeout;
+    /** Resolve which provider handles a given model */
+    private resolveProvider;
+    private getProvider;
+    /** Graceful shutdown — wait for in-flight requests, close connections */
+    shutdown(): Promise<void>;
+    /** Get the audit store for direct queries */
+    get audit(): AuditStore;
+    /** Get the knowledge base for document ingestion and search */
+    get rag(): KnowledgeBase | null;
+    /** Get database instance for admin operations */
+    get database(): Database;
+    /** Get the policy engine for runtime policy management */
+    get policies(): PolicyEngine;
+    /** Get the tenant manager (multi-tenant mode only) */
+    get tenants(): TenantManager | null;
+}
+/** Bulwark-specific error with code and metadata */
+declare class BulwarkError extends Error {
+    readonly code: string;
+    readonly details?: Record<string, unknown>;
+    readonly timestamp: string;
+    constructor(code: string, message: string, details?: Record<string, unknown>);
+    /** HTTP status code for this error */
+    get httpStatus(): number;
+    /** JSON-serializable representation */
+    toJSON(): {
+        error: string;
+        code: string;
+        details: Record<string, unknown> | undefined;
+        timestamp: string;
+    };
+}
+interface ScanResult {
+    text: string;
+    matches: PIIMatch[];
+    blocked: boolean;
+    redacted: boolean;
+}
+declare class PIIDetector {
+    private config;
+    private activeTypes;
+    constructor(config: PIIConfig);
+    /** Scan text for PII. Returns matches and optionally redacted text. */
+    scan(text: string): ScanResult;
+}
+/**
+ * Prompt injection detection and system prompt protection.
+ *
+ * Detects common prompt injection patterns:
+ * - "Ignore previous instructions"
+ * - "You are now..."
+ * - Role-play attacks ("Pretend you are DAN")
+ * - Delimiter injection (```, ----, ####)
+ * - Base64/encoded payloads
+ */
+interface PromptGuardConfig {
+    enabled: boolean;
+    /** Action on injection detected */
+    action: "block" | "warn" | "sanitize";
+    /** Sensitivity: "low" catches obvious attacks, "high" catches subtle ones (more false positives) */
+    sensitivity?: "low" | "medium" | "high";
+}
+interface PromptGuardResult {
+    safe: boolean;
+    injections: {
+        pattern: string;
+        severity: "low" | "medium" | "high";
+        matched: string;
+    }[];
+    sanitizedText?: string;
+}
+declare class PromptGuard {
+    private config;
+    private patterns;
+    constructor(config: PromptGuardConfig);
+    /** Scan user message for prompt injection attempts */
+    scan(text: string): PromptGuardResult;
+}
+/**
+ * Create a hardened system prompt that resists injection.
+ * Wraps the original system prompt with protective instructions.
+ */
+declare function hardenSystemPrompt(originalPrompt: string, options?: {
+    preventExtraction?: boolean;
+    enforceGDPR?: boolean;
+}): string;
+declare class CostCalculator {
+    private pricing;
+    constructor(overrides?: Record<string, {
+        input: number;
+        output: number;
+    }>);
+    /** Calculate cost for a request. Returns USD amounts. */
+    calculate(model: string, inputTokens: number, outputTokens: number): CostRecord;
+    /** Update pricing for a model */
+    setModelPrice(model: string, input: number, output: number): void;
+}
+interface BudgetCheck {
+    ok: boolean;
+    used: number;
+    limit: number;
+    costUsd: number;
+}
+declare class BudgetManager {
+    enabled: boolean;
+    private config;
+    private db;
+    constructor(db: Database, config: BudgetConfig);
+    /** Check if a user/team has budget remaining this month */
+    checkBudget(scope: {
+        userId?: string;
+        teamId?: string;
+        tenantId?: string;
+    }): Promise<BudgetCheck>;
+    /** Record token usage */
+    recordUsage(record: UsageRecord): Promise<void>;
+}
+declare function createAuditStore(db: Database): AuditStore;
+/**
+ * Embedding generator — wraps OpenAI's embedding API.
+ * Produces 1536-dimensional vectors (text-embedding-3-small) or 3072 (text-embedding-3-large).
+ */
+interface EmbeddingProvider {
+    embed(texts: string[]): Promise<number[][]>;
+    dimensions: number;
+}
+declare class OpenAIEmbeddings implements EmbeddingProvider {
+    private client;
+    private model;
+    dimensions: number;
+    constructor(apiKey: string, model?: string);
+    embed(texts: string[]): Promise<number[][]>;
+}
+/**
+ * Cosine similarity between two vectors.
+ * Returns value between -1 and 1 (higher = more similar).
+ */
+declare function cosineSimilarity(a: number[], b: number[]): number;
+/**
+ * Document parsers for RAG ingestion.
+ * Extracts text from PDF, DOCX, HTML, and plain text files.
+ */
+/**
+ * Parse a PDF buffer into text.
+ * Requires `pdf-parse` as a peer dependency.
+ *
+ * @example
+ * ```ts
+ * const text = await parsePDF(fs.readFileSync("contract.pdf"));
+ * await kb.ingest(text, { name: "contract.pdf", type: "pdf" });
+ * ```
+ */
+declare function parsePDF(buffer: Buffer): Promise<string>;
+/**
+ * Parse an HTML string into plain text.
+ * Strips all tags, scripts, styles, and normalizes whitespace.
+ */
+declare function parseHTML(html: string): string;
+/**
+ * Parse a CSV string into text (row per line).
+ */
+declare function parseCSV(csv: string): string;
+/**
+ * Parse a Markdown file — strips formatting but preserves structure.
+ */
+declare function parseMarkdown(md: string): string;
+/**
+ * Auto-detect file type and parse to text.
+ */
+declare function parseDocument(buffer: Buffer, filename: string): Promise<string>;
+/**
+ * Cache and rate limiting abstraction.
+ * In-memory by default, Redis for production multi-instance deployments.
+ */
+interface CacheStore {
+    /** Get a cached value */
+    get<T>(key: string): Promise<T | null>;
+    /** Set a value with optional TTL in seconds */
+    set(key: string, value: unknown, ttlSeconds?: number): Promise<void>;
+    /** Delete a key */
+    del(key: string): Promise<void>;
+    /** Increment a counter, returns new value */
+    incr(key: string, by?: number): Promise<number>;
+    /** Get counter value */
+    getCounter(key: string): Promise<number>;
+    /** Set expiry on a key */
+    expire(key: string, ttlSeconds: number): Promise<void>;
+}
+interface RateLimitConfig {
+    enabled: boolean;
+    /** Requests per window */
+    maxRequests: number;
+    /** Window size in seconds */
+    windowSeconds: number;
+    /** Scope: per-user, per-team, per-tenant, or per-ip */
+    scope: "user" | "team" | "tenant" | "ip";
+}
+interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+}
+interface ResponseCacheConfig {
+    enabled: boolean;
+    /** TTL for cached responses in seconds */
+    ttlSeconds: number;
+    /** Only cache responses below this token count */
+    maxTokens?: number;
+}
+/** In-memory cache store — works for single-instance deployments */
+declare class MemoryCacheStore implements CacheStore {
+    private store;
+    private counters;
+    private cleanupTimer;
+    constructor();
+    /** Stop background cleanup — call on shutdown */
+    close(): void;
+    private cleanup;
+    get<T>(key: string): Promise<T | null>;
+    set(key: string, value: unknown, ttlSeconds?: number): Promise<void>;
+    del(key: string): Promise<void>;
+    incr(key: string, by?: number): Promise<number>;
+    getCounter(key: string): Promise<number>;
+    expire(key: string, ttlSeconds: number): Promise<void>;
+}
+/**
+ * Redis cache store — for production multi-instance deployments.
+ * Requires `ioredis` as a peer dependency.
+ *
+ * @example
+ * ```ts
+ * import Redis from "ioredis";
+ * import { RedisCacheStore } from "@bulwark-ai/gateway/cache";
+ *
+ * const gateway = new AIGateway({
+ *   cache: new RedisCacheStore(new Redis("redis://localhost:6379")),
+ * });
+ * ```
+ */
+declare class RedisCacheStore implements CacheStore {
+    private client;
+    private prefix;
+    constructor(client: RedisLike, prefix?: string);
+    private key;
+    get<T>(key: string): Promise<T | null>;
+    set(key: string, value: unknown, ttlSeconds?: number): Promise<void>;
+    del(key: string): Promise<void>;
+    incr(key: string, by?: number): Promise<number>;
+    getCounter(key: string): Promise<number>;
+    expire(key: string, ttlSeconds: number): Promise<void>;
+}
+/** Minimal Redis client interface — compatible with ioredis and node-redis */
+interface RedisLike {
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<unknown>;
+    setex(key: string, seconds: number, value: string): Promise<unknown>;
+    del(key: string): Promise<unknown>;
+    incr(key: string): Promise<number>;
+    incrby(key: string, increment: number): Promise<number>;
+    expire(key: string, seconds: number): Promise<unknown>;
+}
+declare class RateLimiter {
+    private store;
+    private config;
+    constructor(store: CacheStore, config: RateLimitConfig);
+    /** Check and consume a rate limit token. Returns whether the request is allowed. */
+    check(scope: {
+        userId?: string;
+        teamId?: string;
+        tenantId?: string;
+        ip?: string;
+    }): Promise<RateLimitResult>;
+    private getScopeId;
+    private currentWindow;
+}
+/**
+ * Response cache — caches identical LLM requests to save money.
+ * Uses SHA-256 hash of (model + messages) as cache key.
+ *
+ * @example
+ * ```ts
+ * const cache = new ResponseCache(store, { enabled: true, ttlSeconds: 3600 });
+ * const cached = await cache.get(request);
+ * if (cached) return cached; // saved $0.01
+ * const response = await llm.chat(request);
+ * await cache.set(request, response);
+ * ```
+ */
+declare class ResponseCache {
+    private store;
+    private config;
+    constructor(store: CacheStore, config: ResponseCacheConfig);
+    /** Generate deterministic cache key from request */
+    private key;
+    /** Check if a cached response exists */
+    get(request: ChatRequest): Promise<ChatResponse | null>;
+    /** Cache a response */
+    set(request: ChatRequest, response: ChatResponse): Promise<void>;
+}
+/**
+ * SSE Streaming support for chat responses.
+ * Wraps provider streaming with governance checks (PII, policies, audit).
+ *
+ * @example
+ * ```ts
+ * // Express endpoint
+ * app.post("/api/ai/stream", async (req, res) => {
+ *   res.setHeader("Content-Type", "text/event-stream");
+ *   res.setHeader("Cache-Control", "no-cache");
+ *   res.setHeader("Connection", "keep-alive");
+ *
+ *   const stream = gateway.chatStream({ model: "gpt-4o", messages: req.body.messages, userId: "user-1" });
+ *   for await (const event of stream) {
+ *     res.write(`event: ${event.type}\ndata: ${JSON.stringify(event.data)}\n\n`);
+ *   }
+ *   res.write("event: done\ndata: {}\n\n");
+ *   res.end();
+ * });
+ * ```
+ */
+interface StreamEvent {
+    type: "delta" | "sources" | "pii_warning" | "error" | "usage" | "done";
+    data: {
+        content?: string;
+        sources?: {
+            content: string;
+            source: string;
+            score: number;
+        }[];
+        piiTypes?: string[];
+        error?: string;
+        usage?: {
+            inputTokens: number;
+            outputTokens: number;
+            totalTokens: number;
+        };
+        cost?: {
+            input: number;
+            output: number;
+            total: number;
+        };
+        auditId?: string;
+        durationMs?: number;
+    };
+}
+/**
+ * Creates an async iterable of stream events.
+ * Pre-flight checks (PII, policies, budget, rate limit) run before streaming starts.
+ * Token counting and audit logging happen after stream completes.
+ */
+declare function createStreamAdapter(providerStream: AsyncIterable<string>, metadata: {
+    piiWarnings?: string[];
+    sources?: {
+        content: string;
+        source: string;
+        score: number;
+    }[];
+}): AsyncGenerator<StreamEvent>;
+/**
+ * GDPR Compliance Module
+ *
+ * Implements: Right to erasure (Art. 17), Data portability (Art. 20),
+ * Data retention, Consent tracking, Breach notification.
+ */
+interface GDPRConfig {
+    /** Auto-delete audit/usage records older than this many days (0 = disabled) */
+    retentionDays?: number;
+    /** Hash user IDs in audit logs instead of storing plaintext */
+    hashUserIds?: boolean;
+    /** Don't store message content in audit logs — metadata only */
+    metadataOnlyAudit?: boolean;
+    /** Callback when PII breach detected (for notification obligations) */
+    onBreachDetected?: (breach: BreachEvent) => void | Promise<void>;
+    /** Allowed LLM provider regions (block if provider is outside) */
+    allowedRegions?: string[];
+}
+interface BreachEvent {
+    type: "pii_sent_to_llm" | "pii_in_response" | "unauthorized_access";
+    userId?: string;
+    tenantId?: string;
+    piiTypes: string[];
+    provider: string;
+    timestamp: string;
+}
+interface UserDataExport {
+    userId: string;
+    exportedAt: string;
+    auditEntries: unknown[];
+    usageRecords: unknown[];
+    knowledgeChunks: unknown[];
+    totalRecords: number;
+}
+declare class GDPRManager {
+    private db;
+    private config;
+    constructor(db: Database, config?: GDPRConfig);
+    /**
+     * Right to Erasure (Article 17) — delete ALL data for a user.
+     * Returns count of deleted records per table.
+     */
+    eraseUserData(userId: string): {
+        audit: number;
+        usage: number;
+        chunks: number;
+    };
+    /**
+     * Right to Erasure for a tenant — delete ALL tenant data.
+     */
+    eraseTenantData(tenantId: string): {
+        audit: number;
+        usage: number;
+        chunks: number;
+        sources: number;
+        policies: number;
+    };
+    /**
+     * Data Portability (Article 20) — export all data for a user as JSON.
+     */
+    exportUserData(userId: string): UserDataExport;
+    /**
+     * Data Retention — delete records older than retention period.
+     * Call this on a schedule (e.g., daily cron).
+     */
+    enforceRetention(): {
+        auditDeleted: number;
+        usageDeleted: number;
+    };
+    /**
+     * Generate a Data Processing Activity Report (for DPIA).
+     */
+    generateProcessingReport(tenantId?: string): ProcessingReport;
+    private deleteAndCount;
+}
+interface ProcessingReport {
+    generatedAt: string;
+    tenantId: string;
+    totalRequests: number;
+    uniqueUsers: number;
+    piiDetections: number;
+    policyBlocks: number;
+    dataProcessors: {
+        name: string;
+        requestCount: number;
+    }[];
+    retentionPolicy: string;
+    piiHandling: string;
+    auditLevel: string;
+}
+/**
+ * SOC 2 Compliance Module
+ *
+ * Implements: Immutable audit logs, Change tracking, Health monitoring,
+ * Anomaly detection, Vendor tracking, Data classification.
+ */
+interface SOC2Config {
+    /** Enable immutable audit mode — prevents DELETE on audit table */
+    immutableAudit?: boolean;
+    /** Anomaly detection thresholds */
+    anomalyThresholds?: {
+        /** Max requests per user per hour before alerting */
+        maxRequestsPerUserPerHour?: number;
+        /** Max PII detections per hour before alerting */
+        maxPiiPerHour?: number;
+        /** Max cost per user per day (USD) */
+        maxCostPerUserPerDay?: number;
+    };
+    /** Callback for anomaly alerts */
+    onAnomaly?: (anomaly: AnomalyEvent) => void | Promise<void>;
+}
+interface AnomalyEvent {
+    type: "high_request_rate" | "pii_spike" | "cost_spike" | "policy_violation_spike" | "unauthorized_access";
+    severity: "low" | "medium" | "high" | "critical";
+    userId?: string;
+    tenantId?: string;
+    details: Record<string, unknown>;
+    timestamp: string;
+}
+interface HealthStatus {
+    status: "healthy" | "degraded" | "unhealthy";
+    database: "connected" | "error";
+    providers: Record<string, "available" | "error">;
+    uptime: number;
+    lastRequest?: string;
+    activeRequests: number;
+    version: string;
+}
+interface ChangeLogEntry {
+    id: string;
+    entityType: "policy" | "budget" | "tenant" | "config";
+    entityId: string;
+    action: "created" | "updated" | "deleted";
+    changedBy: string;
+    previousValue?: string;
+    newValue?: string;
+    timestamp: string;
+}
+interface VendorReport {
+    providers: {
+        name: string;
+        region: string;
+        requestCount: number;
+        totalTokens: number;
+        totalCost: number;
+        dataTypes: string[];
+    }[];
+    generatedAt: string;
+}
+declare class SOC2Manager {
+    private db;
+    private config;
+    private startTime;
+    constructor(db: Database, config?: SOC2Config);
+    /** Log a configuration change (for change management audit trail) */
+    logChange(entry: Omit<ChangeLogEntry, "id" | "timestamp">): void;
+    /** Get change history for an entity */
+    getChangeHistory(entityType: string, entityId: string): ChangeLogEntry[];
+    /** Run anomaly detection on recent activity */
+    detectAnomalies(): Promise<AnomalyEvent[]>;
+    /** Generate vendor/sub-processor report for SOC 2 auditors */
+    generateVendorReport(): VendorReport;
+    /** Health check endpoint data */
+    getHealthStatus(activeRequests: number): HealthStatus;
+}
+/**
+ * HIPAA Compliance Module
+ *
+ * Implements technical safeguards required for handling PHI (Protected Health Information)
+ * in AI/LLM applications:
+ * - PHI detection (18 HIPAA identifiers)
+ * - De-identification (Safe Harbor method)
+ * - Audit controls (access logging)
+ * - Encryption verification
+ * - BAA tracking
+ * - Minimum necessary standard
+ */
+/** The 18 HIPAA Safe Harbor identifiers that must be removed for de-identification */
+declare const HIPAA_IDENTIFIERS: readonly ["name", "address", "dates", "phone", "fax", "email", "ssn", "medical_record_number", "health_plan_id", "account_number", "certificate_license", "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo", "other_unique_id"];
+interface HIPAAConfig {
+    enabled: boolean;
+    /** PHI handling: "block" rejects any request containing PHI, "deidentify" strips it */
+    action: "block" | "deidentify";
+    /** Log PHI access events */
+    auditPhiAccess?: boolean;
+    /** Require BAA verification before processing */
+    requireBAA?: boolean;
+    /** Verified BAA provider list */
+    baaProviders?: string[];
+    /** Data retention for PHI audit logs (days) */
+    phiRetentionDays?: number;
+}
+interface PHIAccessLog {
+    userId: string;
+    action: "view" | "process" | "export" | "delete";
+    phiTypes: string[];
+    provider?: string;
+    justification?: string;
+    timestamp: string;
+}
+declare class HIPAAManager {
+    private db;
+    private config;
+    constructor(db: Database, config: HIPAAConfig);
+    /** Log PHI access event (required by HIPAA audit controls) */
+    logAccess(entry: Omit<PHIAccessLog, "timestamp">): void;
+    /** Query PHI access log */
+    getAccessLog(userId?: string, limit?: number): PHIAccessLog[];
+    /** Register a BAA (Business Associate Agreement) with a provider */
+    registerBAA(provider: string, signedDate: string, expiryDate?: string, contactEmail?: string): void;
+    /** Check if a provider has a valid BAA */
+    hasValidBAA(provider: string): boolean;
+    /** Verify provider has BAA before sending data (if requireBAA is enabled) */
+    verifyProvider(provider: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /** Get recommended PII types to enable for HIPAA compliance */
+    getRecommendedPIITypes(): PIIType[];
+    /** Generate HIPAA compliance report */
+    generateComplianceReport(): {
+        phiAccessEvents: number;
+        uniqueUsers: number;
+        activeBAAs: number;
+        deidentificationEnabled: boolean;
+        auditLogging: boolean;
+        recommendations: string[];
+    };
+    /** Enforce PHI retention policy — delete old PHI access logs */
+    enforceRetention(): {
+        deleted: number;
+    };
+}
+/**
+ * CCPA/CPRA Compliance Module (California Consumer Privacy Act)
+ *
+ * Implements:
+ * - Right to know (data access)
+ * - Right to delete
+ * - Right to opt-out of sale/sharing
+ * - Right to correct
+ * - Automated decision-making opt-out (ADMT)
+ * - Sensitive data consent tracking
+ * - "Do Not Sell or Share" signal handling
+ */
+interface CCPAConfig {
+    enabled: boolean;
+    /** Honor Global Privacy Control (GPC) opt-out signals */
+    honorGPC?: boolean;
+    /** Track "Do Not Sell or Share" preferences */
+    trackOptOut?: boolean;
+    /** Log automated decision-making for ADMT compliance */
+    logADMT?: boolean;
+}
+interface ConsumerRequest {
+    type: "access" | "delete" | "correct" | "opt-out" | "opt-in";
+    consumerId: string;
+    requestedAt: string;
+    completedAt?: string;
+    status: "pending" | "verified" | "completed" | "denied";
+}
+declare class CCPAManager {
+    private db;
+    private config;
+    constructor(db: Database, config: CCPAConfig);
+    /** Right to Know — return all data for a consumer */
+    accessRequest(consumerId: string): {
+        data: unknown[];
+        requestId: string;
+    };
+    /** Right to Delete — erase all consumer data */
+    deleteRequest(consumerId: string): {
+        requestId: string;
+        deleted: boolean;
+    };
+    /** Right to Opt-Out of Sale/Sharing */
+    optOut(consumerId: string, gpcSignal?: boolean): void;
+    /** Check if consumer has opted out */
+    isOptedOut(consumerId: string): boolean;
+    /** Handle Global Privacy Control signal */
+    handleGPC(consumerId: string): void;
+    /** Get all consumer requests (for compliance reporting) */
+    getRequests(consumerId?: string, limit?: number): ConsumerRequest[];
+    /** Generate CCPA compliance report */
+    generateReport(): {
+        totalRequests: number;
+        byType: Record<string, number>;
+        optedOutConsumers: number;
+        gpcSignals: number;
+        avgResponseTime: string;
+    };
+}
+/**
+ * Data Residency & Cross-Border Transfer Controls
+ *
+ * Implements:
+ * - Provider region tracking (where does data go?)
+ * - Region restriction (block requests to providers outside allowed regions)
+ * - Transfer impact assessment logging
+ * - Schrems II / EU-US Data Privacy Framework compliance
+ */
+interface DataResidencyConfig {
+    enabled: boolean;
+    /** Allowed regions for data processing. If set, blocks providers outside these regions. */
+    allowedRegions?: string[];
+    /** Block cross-border transfers entirely */
+    blockCrossBorder?: boolean;
+    /** Log all cross-border transfers */
+    logTransfers?: boolean;
+    /** Your organization's primary region */
+    primaryRegion?: string;
+}
+/** Known provider data processing regions */
+declare const PROVIDER_REGIONS: Record<string, {
+    regions: string[];
+    headquarters: string;
+    dpf: boolean;
+    description: string;
+}>;
+interface TransferAssessment {
+    provider: string;
+    sourceRegion: string;
+    destinationRegions: string[];
+    crossBorder: boolean;
+    dpfCertified: boolean;
+    allowed: boolean;
+    reason?: string;
+}
+declare class DataResidencyManager {
+    private config;
+    constructor(config: DataResidencyConfig);
+    /** Assess whether a transfer to a provider is allowed */
+    assessTransfer(provider: string): TransferAssessment;
+    /** Get all providers with their data residency status */
+    getProviderMap(): Record<string, TransferAssessment>;
+    /** Generate a Transfer Impact Assessment (TIA) report — required for GDPR cross-border */
+    generateTIA(): {
+        primaryRegion: string;
+        allowedRegions: string[];
+        providers: TransferAssessment[];
+        crossBorderCount: number;
+        blockedCount: number;
+        recommendations: string[];
+    };
+}
+interface LLMRequest {
+    model: string;
+    messages: ChatMessage[];
+    temperature?: number;
+    maxTokens?: number;
+    topP?: number;
+    stop?: string[];
+    stream?: boolean;
+}
+interface LLMResponse {
+    content: string;
+    usage: {
+        inputTokens: number;
+        outputTokens: number;
+        totalTokens: number;
+    };
+    finishReason?: string;
+}
+interface LLMStreamChunk {
+    content: string;
+    done: boolean;
+    usage?: LLMResponse["usage"];
+}
+interface LLMProvider {
+    chat(request: LLMRequest): Promise<LLMResponse>;
+    chatStream?(request: LLMRequest): AsyncIterable<LLMStreamChunk>;
+}
+declare class OpenAIProvider implements LLMProvider {
+    private client;
+    constructor(config: ProviderConfig);
+    chat(request: LLMRequest): Promise<LLMResponse>;
+    chatStream(request: LLMRequest): AsyncIterable<LLMStreamChunk>;
+}
+declare class AnthropicProvider implements LLMProvider {
+    private client;
+    constructor(config: ProviderConfig);
+    chat(request: LLMRequest): Promise<LLMResponse>;
+    chatStream(request: LLMRequest): AsyncIterable<LLMStreamChunk>;
+}
+/**
+ * Mistral AI provider — EU-based LLM (France).
+ * Uses OpenAI-compatible API format.
+ */
+declare class MistralProvider implements LLMProvider {
+    private apiKey;
+    private baseUrl;
+    constructor(config: ProviderConfig);
+    chat(request: LLMRequest): Promise<LLMResponse>;
+}
+/**
+ * Google Vertex AI / Gemini provider.
+ * Uses the Gemini REST API format.
+ *
+ * @example
+ * ```ts
+ * providers: {
+ *   google: { apiKey: process.env.GOOGLE_AI_KEY! }
+ * }
+ * ```
+ */
+declare class GoogleProvider implements LLMProvider {
+    private apiKey;
+    private baseUrl;
+    constructor(config: ProviderConfig);
+    chat(request: LLMRequest): Promise<LLMResponse>;
+}
+/**
+ * Ollama provider — run LLMs locally (Llama, Mistral, Phi, etc).
+ * Zero data leaves your machine. Perfect for maximum privacy.
+ *
+ * @example
+ * ```ts
+ * providers: {
+ *   ollama: { apiKey: "", baseUrl: "http://localhost:11434" }
+ * }
+ * // Then: gateway.chat({ model: "llama3.2", ... })
+ * ```
+ */
+declare class OllamaProvider implements LLMProvider {
+    private baseUrl;
+    constructor(config: ProviderConfig);
+    chat(request: LLMRequest): Promise<LLMResponse>;
+}
+/**
+ * Azure OpenAI provider — for enterprises using Azure's managed OpenAI service.
+ * Requires: resourceName, deploymentName, apiVersion in config.
+ *
+ * @example
+ * ```ts
+ * providers: {
+ *   custom: {
+ *     apiKey: process.env.AZURE_OPENAI_KEY!,
+ *     baseUrl: "https://YOUR-RESOURCE.openai.azure.com/openai/deployments/YOUR-DEPLOYMENT",
+ *   }
+ * }
+ * ```
+ */
+declare class AzureOpenAIProvider implements LLMProvider {
+    private apiKey;
+    private endpoint;
+    private apiVersion;
+    constructor(config: ProviderConfig & {
+        apiVersion?: string;
+    });
+    chat(request: LLMRequest): Promise<LLMResponse>;
+}
+/**
+ * Express middleware that adds gateway to req.
+ *
+ * @example
+ * ```ts
+ * app.use(bulwarkMiddleware(gateway));
+ * app.post("/api/chat", async (req, res) => {
+ *   const response = await req.bulwark.chat({ ... });
+ * });
+ * ```
+ */
+declare function bulwarkMiddleware(gateway: AIGateway): (req: Request & {
+    bulwark?: AIGateway;
+}, _res: Response$1, next: NextFunction) => void;
+/**
+ * Mount a complete chat API endpoint with governance pipeline.
+ *
+ * @example
+ * ```ts
+ * app.use("/api/ai", bulwarkRouter(gateway, {
+ *   auth: (req) => ({ userId: req.user.id, teamId: req.user.team }),
+ *   maxBodySize: "1mb",
+ * }));
+ * // POST /api/ai/chat — governed chat completion
+ * // GET  /api/ai/audit — query audit log
+ * ```
+ */
+declare function bulwarkRouter(gateway: AIGateway, options?: {
+    auth?: (req: Request) => {
+        userId?: string;
+        teamId?: string;
+        tenantId?: string;
+    } | null;
+    maxBodySize?: string;
+}): Router;
+/**
+ * Next.js App Router handler factory.
+ * No `next` dependency required — uses Web API Response.
+ *
+ * @example
+ * ```ts
+ * // app/api/ai/chat/route.ts
+ * import { createNextHandler } from "@bulwark-ai/gateway";
+ * import { gateway } from "@/lib/bulwark";
+ * export const POST = createNextHandler(gateway, {
+ *   auth: (req) => ({ userId: req.headers.get("x-user-id") || undefined }),
+ * });
+ * ```
+ */
+interface RequestLike {
+    json(): Promise<unknown>;
+    headers: {
+        get(key: string): string | null;
+    };
+    nextUrl?: {
+        searchParams: {
+            get(key: string): string | null;
+        };
+    };
+    url?: string;
+}
+declare function createNextHandler(gateway: AIGateway, options?: {
+    auth?: (req: RequestLike) => {
+        userId?: string;
+        teamId?: string;
+        tenantId?: string;
+    } | null;
+}): (req: RequestLike) => Promise<Response>;
+declare function createNextAuditHandler(gateway: AIGateway): (req: RequestLike) => Promise<Response>;
+/**
+ * Fastify plugin for Bulwark AI.
+ *
+ * @example
+ * ```ts
+ * import Fastify from "fastify";
+ * import { bulwarkPlugin } from "@bulwark-ai/gateway/middleware/fastify";
+ *
+ * const app = Fastify();
+ * app.register(bulwarkPlugin, {
+ *   gateway,
+ *   prefix: "/api/ai",
+ *   auth: (req) => ({ userId: req.headers["x-user-id"] }),
+ * });
+ * ```
+ */
+declare function bulwarkPlugin(fastify: FastifyLike, options: {
+    gateway: AIGateway;
+    prefix?: string;
+    auth?: (req: unknown) => {
+        userId?: string;
+        teamId?: string;
+        tenantId?: string;
+    } | null;
+}, done: () => void): void;
+/** Minimal Fastify interfaces to avoid requiring fastify as dependency */
+interface FastifyLike {
+    post(path: string, handler: (req: unknown, reply: FastifyReply) => Promise<unknown>): void;
+    get(path: string, handler: (req: unknown, reply: FastifyReply) => Promise<unknown>): void;
+}
+interface FastifyReply {
+    status(code: number): FastifyReply;
+    send(data: unknown): FastifyReply;
+}
+/**
+ * Admin API — full CRUD endpoints for the admin panel.
+ */
+interface AdminDashboard {
+    requestsToday: number;
+    requestsThisMonth: number;
+    costToday: number;
+    costThisMonth: number;
+    activeUsers: number;
+    topModels: {
+        model: string;
+        count: number;
+        cost: number;
+    }[];
+    topUsers: {
+        userId: string;
+        count: number;
+        cost: number;
+    }[];
+    costByTeam: {
+        teamId: string;
+        cost: number;
+        tokens: number;
+    }[];
+}
+declare function getDashboard(db: Database, tenantId?: string): AdminDashboard;
+declare function createAdminRouter(gateway: AIGateway, options: {
+    auth: (req: unknown) => boolean;
+}): any;
+export { AIGateway, type AdminDashboard, type AnomalyEvent, AnthropicProvider, type AuditEntry, type AuditQuery, type AuditStore, AzureOpenAIProvider, type BreachEvent, type BudgetAlert, type BudgetConfig, BudgetManager, BulwarkError, type CCPAConfig, CCPAManager, type CacheStore, type ChangeLogEntry, type ChatMessage, type ChatRequest, type ChatResponse, type Chunk, type ConsumerRequest, type ContentPolicy, CostCalculator, type CostRecord, type DataResidencyConfig, DataResidencyManager, type Database, type GDPRConfig, GDPRManager, type GatewayConfig, type GatewayProvider, GoogleProvider, type HIPAAConfig, HIPAAManager, HIPAA_IDENTIFIERS, type HealthStatus, KnowledgeBase, type KnowledgeSource, type LLMProvider, type LLMRequest, type LLMResponse, MODEL_PRICING, MemoryCacheStore, MistralProvider, OllamaProvider, OpenAIEmbeddings, OpenAIProvider, type PHIAccessLog, type PIIConfig, PIIDetector, type PIIMatch, type PIIType, PROVIDER_REGIONS, PolicyEngine, type ProcessingReport, PromptGuard, type PromptGuardConfig, type PromptGuardResult, type ProviderConfig, type RAGConfig, type RateLimitConfig, type RateLimitResult, RateLimiter, RedisCacheStore, ResponseCache, type ResponseCacheConfig, type SOC2Config, SOC2Manager, type SearchResult, type StreamEvent, type TenantConfig, TenantManager, type TransferAssessment, type UsageRecord, type UserDataExport, type VendorReport, bulwarkMiddleware, bulwarkPlugin, bulwarkRouter, chunkText, cosineSimilarity, createAdminRouter, createAuditStore, createDatabase, createNextAuditHandler, createNextHandler, createStreamAdapter, getDashboard, hardenSystemPrompt, parseCSV, parseDocument, parseHTML, parseMarkdown, parsePDF };