@crowdstrike/aidr 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/.github/CODEOWNERS +1 -1
  2. package/.github/workflows/ci.yml +0 -43
  3. package/.github/workflows/publish.yml +52 -0
  4. package/README.md +91 -0
  5. package/dist/index.cjs +9 -0
  6. package/dist/index.d.cts +121 -99
  7. package/dist/index.d.mts +121 -99
  8. package/dist/index.mjs +9 -0
  9. package/dist/schemas/ai-guard.cjs +35 -68
  10. package/dist/schemas/ai-guard.d.cts +75 -42
  11. package/dist/schemas/ai-guard.d.mts +75 -42
  12. package/dist/schemas/ai-guard.mjs +33 -63
  13. package/package.json +1 -1
  14. package/specs/ai-guard.openapi.json +302 -210
  15. package/src/schemas/ai-guard.ts +121 -142
  16. package/src/services/ai-guard.ts +12 -0
  17. package/src/types/ai-guard.ts +125 -118
  18. package/tests/ai-guard.test.ts +26 -1
package/specs/ai-guard.openapi.json CHANGED
@@ -215,6 +215,133 @@
215
215
  },
216
216
  "description": "No description provided"
217
217
  },
218
+ "202": {
219
+ "description": "Asynchronous request in progress",
220
+ "content": {
221
+ "application/json": {
222
+ "schema": {
223
+ "allOf": [
224
+ {
225
+ "$ref": "#/components/schemas/pangea-response"
226
+ },
227
+ {
228
+ "$ref": "#/components/schemas/pangea-accepted-response"
229
+ }
230
+ ]
231
+ }
232
+ }
233
+ }
234
+ },
235
+ "400": {
236
+ "description": "Validation errors",
237
+ "content": {
238
+ "application/json": {
239
+ "schema": {
240
+ "allOf": [
241
+ {
242
+ "$ref": "#/components/schemas/pangea-response"
243
+ },
244
+ {
245
+ "$ref": "#/components/schemas/pangea-validation-errors"
246
+ }
247
+ ]
248
+ }
249
+ }
250
+ }
251
+ }
252
+ },
253
+ "tags": ["aidr"]
254
+ }
255
+ },
256
+ "/v1/unredact": {
257
+ "post": {
258
+ "operationId": "aidr_post_v1_unredact",
259
+ "summary": "Unredact text or structured JSON",
260
+ "description": "Decrypt or unredact fpe redactions",
261
+ "requestBody": {
262
+ "content": {
263
+ "application/json": {
264
+ "schema": {
265
+ "docs_anchor": "/v1/unredact",
266
+ "type": "object",
267
+ "required": ["redacted_data", "fpe_context"],
268
+ "additionalProperties": false,
269
+ "properties": {
270
+ "redacted_data": {
271
+ "description": "Data to unredact"
272
+ },
273
+ "fpe_context": {
274
+ "type": "string",
275
+ "format": "base64",
276
+ "description": "FPE context used to decrypt and unredact data"
277
+ }
278
+ },
279
+ "examples": [
280
+ {
281
+ "redacted_data": {
282
+ "telephone": "<PHONE_NUMBER>",
283
+ "ssn": "<US_SSN>"
284
+ },
285
+ "fpe_context": "gAyHpblmIoUXKTiYY8xKiQ=="
286
+ }
287
+ ]
288
+ }
289
+ }
290
+ }
291
+ },
292
+ "responses": {
293
+ "200": {
294
+ "description": "The unredacted data",
295
+ "content": {
296
+ "application/json": {
297
+ "schema": {
298
+ "allOf": [
299
+ {
300
+ "$ref": "#/components/schemas/pangea-response"
301
+ },
302
+ {
303
+ "properties": {
304
+ "result": {
305
+ "type": "object",
306
+ "required": ["data"],
307
+ "properties": {
308
+ "data": {
309
+ "description": "The unredacted data"
310
+ }
311
+ },
312
+ "examples": [
313
+ {
314
+ "data": {
315
+ "telephone": "(555)-555-5555",
316
+ "ssn": "457-55-5462"
317
+ }
318
+ }
319
+ ]
320
+ }
321
+ }
322
+ }
323
+ ]
324
+ }
325
+ }
326
+ }
327
+ },
328
+ "202": {
329
+ "description": "Asynchronous request in progress",
330
+ "content": {
331
+ "application/json": {
332
+ "schema": {
333
+ "allOf": [
334
+ {
335
+ "$ref": "#/components/schemas/pangea-response"
336
+ },
337
+ {
338
+ "$ref": "#/components/schemas/pangea-accepted-response"
339
+ }
340
+ ]
341
+ }
342
+ }
343
+ }
344
+ },
218
345
  "400": {
219
346
  "description": "Validation errors",
220
347
  "content": {
@@ -254,16 +381,6 @@
254
381
  }
255
382
  ],
256
383
  "responses": {
257
- "200": {
258
- "description": "Response",
259
- "content": {
260
- "application/json": {
261
- "schema": {
262
- "$ref": "#/components/schemas/pangea-response"
263
- }
264
- }
265
- }
266
- },
267
384
  "202": {
268
385
  "description": "Asynchronous request in progress",
269
386
  "content": {
@@ -274,6 +391,7 @@
274
391
  "$ref": "#/components/schemas/pangea-response"
275
392
  },
276
393
  {
394
+ "required": ["result", "status"],
277
395
  "properties": {
278
396
  "result": {
279
397
  "type": "object",
@@ -288,6 +406,9 @@
288
406
  "type": "string"
289
407
  }
290
408
  }
409
+ },
410
+ "status": {
411
+ "enum": ["Accepted"]
291
412
  }
292
413
  }
293
414
  }
@@ -295,6 +416,16 @@
295
416
  }
296
417
  }
297
418
  }
419
+ },
420
+ "200": {
421
+ "description": "Response",
422
+ "content": {
423
+ "application/json": {
424
+ "schema": {
425
+ "$ref": "#/components/schemas/pangea-response"
426
+ }
427
+ }
428
+ }
298
429
  }
299
430
  }
300
431
  }
@@ -440,7 +571,7 @@
440
571
  },
441
572
  "path": {
442
573
  "type": "string",
443
- "description": "The Schema path where the error ocurred",
574
+ "description": "The Schema path where the error occurred",
444
575
  "format": "json-pointer"
445
576
  }
446
577
  }
@@ -450,6 +581,35 @@
450
581
  }
451
582
  }
452
583
  },
584
+ "pangea-accepted-response": {
585
+ "$ref": "#/components/schemas/pangea-response",
586
+ "required": ["status", "result"],
587
+ "properties": {
588
+ "status": {
589
+ "enum": ["Accepted"]
590
+ },
591
+ "result": {
592
+ "type": "object",
593
+ "required": ["ttl_mins", "retry_counter", "location"],
594
+ "properties": {
595
+ "ttl_mins": {
596
+ "type": "integer",
597
+ "description": "TTL from now until which results are stored for retrieval"
598
+ },
599
+ "retry_counter": {
600
+ "type": "integer",
601
+ "description": "Number of retry counts performed so far to fetch the results"
602
+ },
603
+ "location": {
604
+ "type": "string",
605
+ "description": "The location to check results of the asynchronous request"
606
+ }
607
+ },
608
+ "additionalProperties": false
609
+ }
610
+ },
611
+ "additionalProperties": false
612
+ },
453
613
  "aidr-device-status": {
454
614
  "type": "string",
455
615
  "description": "Device status. Allowed values are active, pending, disabled",
@@ -1174,6 +1334,7 @@
1174
1334
  },
1175
1335
  "content": {
1176
1336
  "type": "array",
1337
+ "items": {},
1177
1338
  "description": "Content of the list based on type"
1178
1339
  }
1179
1340
  }
@@ -1231,7 +1392,7 @@
1231
1392
  "event_type": {
1232
1393
  "type": "string",
1233
1394
  "description": "(AIDR) Event Type.",
1234
- "enum": [
1395
+ "examples": [
1235
1396
  "input",
1236
1397
  "output",
1237
1398
  "tool_input",
@@ -1306,6 +1467,11 @@
1306
1467
  }
1307
1468
  },
1308
1469
  "additionalProperties": true
1470
+ },
1471
+ "input_fpe_context": {
1472
+ "type": "string",
1473
+ "format": "base64",
1474
+ "description": "FPE (Format Preserving Encryption) context from a previous guard request. When provided, the encrypted input will be unredacted before processing."
1309
1475
  }
1310
1476
  },
1311
1477
  "additionalProperties": false
@@ -2326,7 +2492,7 @@
2326
2492
  "type": "string",
2327
2493
  "anyOf": [
2328
2494
  {
2329
- "pattern": "^[0-9]+(ns|us|µs|ms|s|m|h)$"
2495
+ "pattern": "^[0-9]+(ns|us|\u00b5s|ms|s|m|h)$"
2330
2496
  },
2331
2497
  {
2332
2498
  "pattern": "^$"
@@ -2636,17 +2802,6 @@
2636
2802
  "examples": ["2022-10-01T19:07:31.314Z"],
2637
2803
  "format": "date-time"
2638
2804
  },
2639
- "aird-timestamp-nullable": {
2640
- "oneOf": [
2641
- {
2642
- "$ref": "#/components/schemas/authn-timestamp"
2643
- },
2644
- {
2645
- "type": "null"
2646
- }
2647
- ],
2648
- "description": "A time in ISO-8601 format or null"
2649
- },
2650
2805
  "aidr-resource-field-mapping": {
2651
2806
  "type": "object",
2652
2807
  "description": "Define field name and path mapping to extract from the log",
@@ -2928,7 +3083,7 @@
2928
3083
  "interval": {
2929
3084
  "type": "string",
2930
3085
  "enum": ["hourly", "daily", "weekly", "monthly", "yearly"],
2931
- "description": "Bucket size for time‐series aggregation"
3086
+ "description": "Bucket size for time\u2010series aggregation"
2932
3087
  },
2933
3088
  "filters": {
2934
3089
  "type": "object",
@@ -2967,7 +3122,8 @@
2967
3122
  "^[a-zA-Z0-9_]+(__(contains|in|not_in))?$": {
2968
3123
  "type": "array",
2969
3124
  "items": {
2970
- "type": "string"
3125
+ "type": "string",
3126
+ "pattern": "^[^'\"`;\\\\/(=)]+$"
2971
3127
  }
2972
3128
  }
2973
3129
  },
@@ -2995,7 +3151,7 @@
2995
3151
  },
2996
3152
  "group_by": {
2997
3153
  "type": "array",
2998
- "description": "Optional list of tag keys to group by (for bar‑chart or Sankey)",
3154
+ "description": "Optional list of tag keys to group by (for bar\u2011chart or Sankey)",
2999
3155
  "items": {
3000
3156
  "type": "string",
3001
3157
  "pattern": "^[A-Za-z_][A-Za-z0-9_]{0,63}$"
@@ -3003,7 +3159,8 @@
3003
3159
  },
3004
3160
  "order_by": {
3005
3161
  "type": "string",
3006
- "description": "field to sort by"
3162
+ "description": "field to sort by",
3163
+ "pattern": "^[A-Za-z_][A-Za-z0-9_.]{0,63}$"
3007
3164
  },
3008
3165
  "order": {
3009
3166
  "type": "string",
@@ -3037,7 +3194,7 @@
3037
3194
  "interval": {
3038
3195
  "type": "string",
3039
3196
  "enum": ["hourly", "daily", "weekly", "monthly", "yearly"],
3040
- "description": "Bucket size for time‐series aggregation"
3197
+ "description": "Bucket size for time\u2010series aggregation"
3041
3198
  },
3042
3199
  "aggregate_fields": {
3043
3200
  "type": "array",
@@ -3104,7 +3261,8 @@
3104
3261
  "^[a-zA-Z0-9_]+(__(contains|in|not_in))?$": {
3105
3262
  "type": "array",
3106
3263
  "items": {
3107
- "type": "string"
3264
+ "type": "string",
3265
+ "pattern": "^[^'\"`;\\\\/(=)]+$"
3108
3266
  }
3109
3267
  }
3110
3268
  },
@@ -3112,7 +3270,7 @@
3112
3270
  },
3113
3271
  "group_by": {
3114
3272
  "type": "array",
3115
- "description": "Optional list of tag keys to group by (for bar‑chart or Sankey)",
3273
+ "description": "Optional list of tag keys to group by (for bar\u2011chart or Sankey)",
3116
3274
  "items": {
3117
3275
  "type": "string",
3118
3276
  "pattern": "^[A-Za-z_][A-Za-z0-9_]{0,63}$"
@@ -3120,7 +3278,8 @@
3120
3278
  },
3121
3279
  "order_by": {
3122
3280
  "type": "string",
3123
- "description": "field to sort by"
3281
+ "description": "field to sort by",
3282
+ "pattern": "^[A-Za-z_][A-Za-z0-9_.]{0,63}$"
3124
3283
  },
3125
3284
  "order": {
3126
3285
  "type": "string",
@@ -3253,11 +3412,64 @@
3253
3412
  }
3254
3413
  }
3255
3414
  },
3256
- "authn-timestamp": {
3257
- "type": "string",
3258
- "description": "A time in ISO-8601 format",
3259
- "examples": ["2022-10-01T19:07:31.314Z"],
3260
- "format": "date-time"
3415
+ "access-rule-settings": {
3416
+ "type": "object",
3417
+ "description": "Configuration for an individual access rule used in an AI Guard recipe. Each rule defines its matching logic and the action to apply when the logic evaluates to true.",
3418
+ "properties": {
3419
+ "rule_key": {
3420
+ "type": "string",
3421
+ "pattern": "^([a-zA-Z0-9_][a-zA-Z0-9/|_]*)$",
3422
+ "description": "Unique identifier for this rule. Should be user-readable and consistent across recipe updates."
3423
+ },
3424
+ "name": {
3425
+ "type": "string",
3426
+ "description": "Display label for the rule shown in user interfaces."
3427
+ },
3428
+ "state": {
3429
+ "type": "string",
3430
+ "enum": ["block", "report"],
3431
+ "description": "Action to apply if the rule matches. Use 'block' to stop further processing or 'report' to simply log the match."
3432
+ },
3433
+ "logic": {
3434
+ "type": "object",
3435
+ "description": "JSON Logic condition that determines whether this rule matches.",
3436
+ "additionalProperties": true
3437
+ }
3438
+ },
3439
+ "required": ["rule_key", "name", "state", "logic"],
3440
+ "additionalProperties": false,
3441
+ "examples": [
3442
+ {
3443
+ "rule_key": "block_outside_us",
3444
+ "name": "Block Outside US",
3445
+ "state": "block",
3446
+ "logic": {
3447
+ "and": [
3448
+ {
3449
+ "!=": [
3450
+ {
3451
+ "var": "user.source_location"
3452
+ },
3453
+ "US"
3454
+ ]
3455
+ }
3456
+ ]
3457
+ }
3458
+ },
3459
+ {
3460
+ "rule_key": "report_high_token_usage",
3461
+ "name": "Report Large Requests",
3462
+ "state": "report",
3463
+ "logic": {
3464
+ ">": [
3465
+ {
3466
+ "var": "model.request_token_count"
3467
+ },
3468
+ 1000
3469
+ ]
3470
+ }
3471
+ }
3472
+ ]
3261
3473
  },
3262
3474
  "access-rule-result": {
3263
3475
  "type": "object",
@@ -3322,59 +3534,6 @@
3322
3534
  }
3323
3535
  ]
3324
3536
  },
3325
- "recipe-config": {
3326
- "type": "object",
3327
- "description": "Defines an AI Guard recipe - a named configuration of detectors and redaction settings used to analyze and protect data flows in AI-powered applications.\n\nRecipes specify which detectors are active, how they behave, and may include reusable settings such as FPE tweaks.\n\nFor details, see the [AI Guard Recipes](https://pangea.cloud/docs/ai-guard/recipes) documentation.",
3328
- "properties": {
3329
- "name": {
3330
- "type": "string",
3331
- "description": "Human-readable name of the recipe"
3332
- },
3333
- "description": {
3334
- "type": "string",
3335
- "description": "Detailed description of the recipe's purpose or use case"
3336
- },
3337
- "version": {
3338
- "type": "string",
3339
- "description": "Optional version identifier for the recipe. Can be used to track changes.",
3340
- "default": "v1",
3341
- "examples": ["v1"]
3342
- },
3343
- "detectors": {
3344
- "allOf": [
3345
- {
3346
- "$ref": "#/components/schemas/detector-settings"
3347
- }
3348
- ],
3349
- "description": "Settings for [AI Guard Detectors](https://pangea.cloud/docs/ai-guard/recipes#detectors), including which detectors to enable and how they behave"
3350
- },
3351
- "access_rules": {
3352
- "type": "array",
3353
- "description": "Configuration for access rules used in an AI Guard recipe.",
3354
- "items": {
3355
- "$ref": "#/components/schemas/access-rule-settings"
3356
- }
3357
- },
3358
- "connector_settings": {
3359
- "type": "object",
3360
- "description": "Connector-level Redact configuration. These settings allow you to define reusable redaction parameters, such as FPE tweak value.",
3361
- "properties": {
3362
- "redact": {
3363
- "type": "object",
3364
- "description": "Settings for Redact integration at the recipe level",
3365
- "properties": {
3366
- "fpe_tweak_vault_secret_id": {
3367
- "type": "string",
3368
- "description": "ID of a Vault secret containing the tweak value used for Format-Preserving Encryption (FPE). Enables deterministic encryption, ensuring that identical inputs produce consistent encrypted outputs."
3369
- }
3370
- }
3371
- }
3372
- }
3373
- }
3374
- },
3375
- "required": ["name", "description"],
3376
- "additionalProperties": false
3377
- },
3378
3537
  "detector-settings": {
3379
3538
  "type": "array",
3380
3539
  "description": "Configuration for individual detectors used in an AI Guard recipe. Each entry specifies the detector to use, its enabled state, detector-specific settings, and the [action](https://pangea.cloud/docs/ai-guard/recipes#actions) to apply when detections occur.",
@@ -3437,6 +3596,59 @@
3437
3596
  "additionalProperties": false
3438
3597
  }
3439
3598
  },
3599
+ "recipe-config": {
3600
+ "type": "object",
3601
+ "description": "Defines an AI Guard recipe - a named configuration of detectors and redaction settings used to analyze and protect data flows in AI-powered applications.\n\nRecipes specify which detectors are active, how they behave, and may include reusable settings such as FPE tweaks.\n\nFor details, see the [AI Guard Recipes](https://pangea.cloud/docs/ai-guard/recipes) documentation.",
3602
+ "properties": {
3603
+ "name": {
3604
+ "type": "string",
3605
+ "description": "Human-readable name of the recipe"
3606
+ },
3607
+ "description": {
3608
+ "type": "string",
3609
+ "description": "Detailed description of the recipe's purpose or use case"
3610
+ },
3611
+ "version": {
3612
+ "type": "string",
3613
+ "description": "Optional version identifier for the recipe. Can be used to track changes.",
3614
+ "default": "v1",
3615
+ "examples": ["v1"]
3616
+ },
3617
+ "detectors": {
3618
+ "allOf": [
3619
+ {
3620
+ "$ref": "#/components/schemas/detector-settings"
3621
+ }
3622
+ ],
3623
+ "description": "Settings for [AI Guard Detectors](https://pangea.cloud/docs/ai-guard/recipes#detectors), including which detectors to enable and how they behave"
3624
+ },
3625
+ "access_rules": {
3626
+ "type": "array",
3627
+ "description": "Configuration for access rules used in an AI Guard recipe.",
3628
+ "items": {
3629
+ "$ref": "#/components/schemas/access-rule-settings"
3630
+ }
3631
+ },
3632
+ "connector_settings": {
3633
+ "type": "object",
3634
+ "description": "Connector-level Redact configuration. These settings allow you to define reusable redaction parameters, such as FPE tweak value.",
3635
+ "properties": {
3636
+ "redact": {
3637
+ "type": "object",
3638
+ "description": "Settings for Redact integration at the recipe level",
3639
+ "properties": {
3640
+ "fpe_tweak_vault_secret_id": {
3641
+ "type": "string",
3642
+ "description": "ID of a Vault secret containing the tweak value used for Format-Preserving Encryption (FPE). Enables deterministic encryption, ensuring that identical inputs produce consistent encrypted outputs."
3643
+ }
3644
+ }
3645
+ }
3646
+ }
3647
+ }
3648
+ },
3649
+ "required": ["name", "description"],
3650
+ "additionalProperties": false
3651
+ },
3440
3652
  "rule-redaction-config": {
3441
3653
  "type": "object",
3442
3654
  "required": ["redaction_type"],
@@ -3581,126 +3793,6 @@
3581
3793
  "description": "Alphabet used for Format-Preserving Encryption (FPE). Determines the character set for encryption."
3582
3794
  }
3583
3795
  }
3584
- },
3585
- "access-rule-settings": {
3586
- "type": "object",
3587
- "description": "Configuration for an individual access rule used in an AI Guard recipe. Each rule defines its matching logic and the action to apply when the logic evaluates to true.",
3588
- "properties": {
3589
- "rule_key": {
3590
- "type": "string",
3591
- "pattern": "^([a-zA-Z0-9_][a-zA-Z0-9/|_]*)$",
3592
- "description": "Unique identifier for this rule. Should be user-readable and consistent across recipe updates."
3593
- },
3594
- "name": {
3595
- "type": "string",
3596
- "description": "Display label for the rule shown in user interfaces."
3597
- },
3598
- "state": {
3599
- "type": "string",
3600
- "enum": ["block", "report"],
3601
- "description": "Action to apply if the rule matches. Use 'block' to stop further processing or 'report' to simply log the match."
3602
- },
3603
- "logic": {
3604
- "type": "object",
3605
- "description": "JSON Logic condition that determines whether this rule matches.",
3606
- "additionalProperties": true
3607
- }
3608
- },
3609
- "required": ["rule_key", "name", "state", "logic"],
3610
- "additionalProperties": false,
3611
- "examples": [
3612
- {
3613
- "rule_key": "block_outside_us",
3614
- "name": "Block Outside US",
3615
- "state": "block",
3616
- "logic": {
3617
- "and": [
3618
- {
3619
- "!=": [
3620
- {
3621
- "var": "user.source_location"
3622
- },
3623
- "US"
3624
- ]
3625
- }
3626
- ]
3627
- }
3628
- },
3629
- {
3630
- "rule_key": "report_high_token_usage",
3631
- "name": "Report Large Requests",
3632
- "state": "report",
3633
- "logic": {
3634
- ">": [
3635
- {
3636
- "var": "model.request_token_count"
3637
- },
3638
- 1000
3639
- ]
3640
- }
3641
- }
3642
- ]
3643
- },
3644
- "language-result": {
3645
- "type": "object",
3646
- "properties": {
3647
- "action": {
3648
- "type": "string",
3649
- "description": "The action taken by this Detector"
3650
- },
3651
- "language": {
3652
- "type": "string"
3653
- }
3654
- }
3655
- },
3656
- "redact-entity-result": {
3657
- "type": "object",
3658
- "properties": {
3659
- "entities": {
3660
- "type": "array",
3661
- "description": "Detected redaction rules.",
3662
- "items": {
3663
- "type": "object",
3664
- "required": ["type", "value", "redacted", "action"],
3665
- "properties": {
3666
- "action": {
3667
- "type": "string",
3668
- "description": "The action taken on this Entity"
3669
- },
3670
- "type": {
3671
- "type": "string"
3672
- },
3673
- "value": {
3674
- "type": "string"
3675
- },
3676
- "redacted": {
3677
- "type": "boolean"
3678
- },
3679
- "start_pos": {
3680
- "type": "integer",
3681
- "minimum": 0
3682
- }
3683
- }
3684
- }
3685
- }
3686
- }
3687
- },
3688
- "malicious-entity-action": {
3689
- "type": "string",
3690
- "enum": ["report", "defang", "disabled", "block"]
3691
- },
3692
- "pii-entity-action": {
3693
- "type": "string",
3694
- "enum": [
3695
- "disabled",
3696
- "report",
3697
- "block",
3698
- "mask",
3699
- "partial_masking",
3700
- "replacement",
3701
- "hash",
3702
- "fpe"
3703
- ]
3704
3796
  }
3705
3797
  },
3706
3798
  "securitySchemes": {