@crowdstrike/aidr 1.0.2 → 1.1.0

package/src/schemas/ai-guard.ts

@@ -16,6 +16,8 @@ export const PangeaResponseSchema = v.object({
 
 export const PangeaValidationErrorsSchema = PangeaResponseSchema;
 
+export const PangeaAcceptedResponseSchema = PangeaResponseSchema;
+
 /**
  * Device status. Allowed values are active, pending, disabled
  */
@@ -228,9 +230,7 @@ export const ChatCompletionsGuardSchema = v.strictObject({
   source_ip: v.optional(v.string()),
   source_location: v.optional(v.string()),
   tenant_id: v.optional(v.string()),
-  event_type: v.optional(
-    v.picklist(['input', 'output', 'tool_input', 'tool_output', 'tool_listing'])
-  ),
+  event_type: v.optional(v.string(), 'input'),
   collector_instance_id: v.optional(v.string()),
   extra_info: v.optional(
     v.objectWithRest(
@@ -257,6 +257,7 @@ export const ChatCompletionsGuardSchema = v.strictObject({
       v.unknown()
     )
   ),
+  input_fpe_context: v.optional(v.string()),
 });
 
 export const AidrPromptInjectionResultSchema = v.object({
@@ -694,7 +695,9 @@ export const AidrMetricSchema = v.strictObject({
   group_by: v.optional(
     v.array(v.pipe(v.string(), v.regex(/^[A-Za-z_][A-Za-z0-9_]{0,63}$/)))
   ),
-  order_by: v.optional(v.string()),
+  order_by: v.optional(
+    v.pipe(v.string(), v.regex(/^[A-Za-z_][A-Za-z0-9_.]{0,63}$/))
+  ),
   order: v.optional(v.picklist(['asc', 'desc'])),
   limit: v.optional(v.pipe(v.number(), v.integer())),
   offset: v.optional(v.pipe(v.number(), v.integer())),
@@ -718,7 +721,9 @@ export const AidrMetricAggregatesSearchParamsSchema = v.strictObject({
   group_by: v.optional(
     v.array(v.pipe(v.string(), v.regex(/^[A-Za-z_][A-Za-z0-9_]{0,63}$/)))
   ),
-  order_by: v.optional(v.string()),
+  order_by: v.optional(
+    v.pipe(v.string(), v.regex(/^[A-Za-z_][A-Za-z0-9_.]{0,63}$/))
+  ),
   order: v.optional(v.picklist(['asc', 'desc'])),
   limit: v.optional(v.pipe(v.number(), v.integer())),
   offset: v.optional(v.pipe(v.number(), v.integer())),
@@ -768,17 +773,14 @@ export const AidrMetricResultSchema = v.object({
 });
 
 /**
- * A time in ISO-8601 format
- */
-export const AuthnTimestampSchema = v.pipe(v.string(), v.isoTimestamp());
-
-/**
- * A time in ISO-8601 format or null
+ * Configuration for an individual access rule used in an AI Guard recipe. Each rule defines its matching logic and the action to apply when the logic evaluates to true.
  */
-export const AirdTimestampNullableSchema = v.union([
-  AuthnTimestampSchema,
-  v.null(),
-]);
+export const AccessRuleSettingsSchema = v.strictObject({
+  rule_key: v.pipe(v.string(), v.regex(/^([a-zA-Z0-9_][a-zA-Z0-9/|_]*)$/)),
+  name: v.string(),
+  state: v.picklist(['block', 'report']),
+  logic: v.record(v.string(), v.unknown()),
+});
 
 /**
  * Details about the evaluation of a single rule, including whether it matched, the action to take, the rule name, and optional debugging information.
@@ -890,16 +892,6 @@ export const DetectorSettingsSchema = v.array(
   })
 );
 
-/**
- * Configuration for an individual access rule used in an AI Guard recipe. Each rule defines its matching logic and the action to apply when the logic evaluates to true.
- */
-export const AccessRuleSettingsSchema = v.strictObject({
-  rule_key: v.pipe(v.string(), v.regex(/^([a-zA-Z0-9_][a-zA-Z0-9/|_]*)$/)),
-  name: v.string(),
-  state: v.picklist(['block', 'report']),
-  logic: v.record(v.string(), v.unknown()),
-});
-
 export const AidrPolicySchema = v.strictObject({
   key: v.string(),
   name: v.string(),
@@ -974,43 +966,6 @@ export const AidrPolicyDefaultsSchema = v.object({
   default_policies: v.record(v.string(), v.unknown()),
 });
 
-export const LanguageResultSchema = v.object({
-  action: v.optional(v.string()),
-  language: v.optional(v.string()),
-});
-
-export const RedactEntityResultSchema = v.object({
-  entities: v.optional(
-    v.array(
-      v.object({
-        action: v.string(),
-        type: v.string(),
-        value: v.string(),
-        redacted: v.boolean(),
-        start_pos: v.optional(v.pipe(v.number(), v.integer(), v.minValue(0))),
-      })
-    )
-  ),
-});
-
-export const MaliciousEntityActionSchema = v.picklist([
-  'report',
-  'defang',
-  'disabled',
-  'block',
-]);
-
-export const PiiEntityActionSchema = v.picklist([
-  'disabled',
-  'report',
-  'block',
-  'mask',
-  'partial_masking',
-  'replacement',
-  'hash',
-  'fpe',
-]);
-
 export const AidrOtelResourceLogsSchema: v.GenericSchema = v.objectWithRest(
   {
     resource: v.optional(v.lazy(() => AidrOtelResourceSchema)),
@@ -1115,79 +1070,104 @@ export const AidrPostV1GuardChatCompletionsRequestSchema = v.object({
   query: v.optional(v.never()),
 });
 
-/**
- * No description provided
- */
-export const AidrPostV1GuardChatCompletionsResponseSchema = v.intersect([
-  PangeaResponseSchema,
-  v.object({
-    result: v.optional(
-      v.object({
-        guard_output: v.optional(v.record(v.string(), v.unknown())),
-        blocked: v.optional(v.boolean()),
-        transformed: v.optional(v.boolean()),
-        policy: v.optional(v.string()),
-        detectors: v.object({
-          malicious_prompt: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrPromptInjectionResultSchema),
-            })
-          ),
-          confidential_and_pii_entity: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrRedactEntityResultSchema),
-            })
-          ),
-          malicious_entity: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrMaliciousEntityResultSchema),
-            })
-          ),
-          custom_entity: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrRedactEntityResultSchema),
-            })
-          ),
-          secret_and_key_entity: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrRedactEntityResultSchema),
-            })
-          ),
-          competitors: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrSingleEntityResultSchema),
-            })
-          ),
-          language: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrLanguageResultSchema),
-            })
-          ),
-          topic: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrTopicResultSchema),
-            })
-          ),
-          code: v.optional(
-            v.object({
-              detected: v.optional(v.boolean()),
-              data: v.optional(AidrLanguageResultSchema),
-            })
-          ),
-        }),
-        access_rules: v.optional(AidrAccessRulesResponseSchema),
-        fpe_context: v.optional(v.string()),
-      })
-    ),
-  }),
+export const AidrPostV1GuardChatCompletionsResponseSchema = v.union([
+  v.intersect([
+    PangeaResponseSchema,
+    v.object({
+      result: v.optional(
+        v.object({
+          guard_output: v.optional(v.record(v.string(), v.unknown())),
+          blocked: v.optional(v.boolean()),
+          transformed: v.optional(v.boolean()),
+          policy: v.optional(v.string()),
+          detectors: v.object({
+            malicious_prompt: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrPromptInjectionResultSchema),
+              })
+            ),
+            confidential_and_pii_entity: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrRedactEntityResultSchema),
+              })
+            ),
+            malicious_entity: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrMaliciousEntityResultSchema),
+              })
+            ),
+            custom_entity: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrRedactEntityResultSchema),
+              })
+            ),
+            secret_and_key_entity: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrRedactEntityResultSchema),
+              })
+            ),
+            competitors: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrSingleEntityResultSchema),
+              })
+            ),
+            language: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrLanguageResultSchema),
+              })
+            ),
+            topic: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrTopicResultSchema),
+              })
+            ),
+            code: v.optional(
+              v.object({
+                detected: v.optional(v.boolean()),
+                data: v.optional(AidrLanguageResultSchema),
+              })
+            ),
+          }),
+          access_rules: v.optional(AidrAccessRulesResponseSchema),
+          fpe_context: v.optional(v.string()),
+        })
+      ),
+    }),
+  ]),
+  v.intersect([PangeaResponseSchema, PangeaAcceptedResponseSchema]),
+]);
+
+export const AidrPostV1UnredactRequestSchema = v.object({
+  body: v.optional(
+    v.strictObject({
+      redacted_data: v.unknown(),
+      fpe_context: v.string(),
+    })
+  ),
+  path: v.optional(v.never()),
+  query: v.optional(v.never()),
+});
+
+export const AidrPostV1UnredactResponseSchema = v.union([
+  v.intersect([
+    PangeaResponseSchema,
+    v.object({
+      result: v.optional(
+        v.object({
+          data: v.unknown(),
+        })
+      ),
+    }),
+  ]),
+  v.intersect([PangeaResponseSchema, PangeaAcceptedResponseSchema]),
 ]);
 
 export const GetAsyncRequestRequestSchema = v.object({
@@ -1203,13 +1183,12 @@ export const GetAsyncRequestResponseSchema = v.union([
   v.intersect([
     PangeaResponseSchema,
     v.object({
-      result: v.optional(
-        v.object({
-          ttl_mins: v.optional(v.pipe(v.number(), v.integer())),
-          retry_counter: v.optional(v.pipe(v.number(), v.integer())),
-          location: v.optional(v.string()),
-        })
-      ),
+      result: v.object({
+        ttl_mins: v.optional(v.pipe(v.number(), v.integer())),
+        retry_counter: v.optional(v.pipe(v.number(), v.integer())),
+        location: v.optional(v.string()),
+      }),
+      status: v.picklist(['Accepted']),
     }),
   ]),
 ]);

package/src/services/ai-guard.ts

@@ -3,6 +3,8 @@ import type { RequestOptions } from '../internal/request-options';
 import type { MaybeAcceptedResponse } from '../types';
 import type {
   AidrPostV1GuardChatCompletionsResponse,
+  AidrPostV1UnredactData,
+  AidrPostV1UnredactResponse,
   ChatCompletionsGuard,
 } from '../types/ai-guard';
 
@@ -24,4 +26,14 @@ export class AIGuard extends Client {
       ...options,
     });
   }
+
+  /**
+   * Decrypt or unredact fpe redactions
+   */
+  unredact(
+    body: AidrPostV1UnredactData['body'],
+    options?: RequestOptions
+  ): Promise<MaybeAcceptedResponse<AidrPostV1UnredactResponse['result']>> {
+    return this.post('/v1/unredact', { body, ...options });
+  }
 }

package/src/types/ai-guard.ts

@@ -49,6 +49,8 @@ export type PangeaResponse = {
 
 export type PangeaValidationErrors = PangeaResponse;
 
+export type PangeaAcceptedResponse = PangeaResponse;
+
 /**
  * Device status. Allowed values are active, pending, disabled
  */
@@ -619,12 +621,7 @@ export type ChatCompletionsGuard = {
   /**
    * (AIDR) Event Type.
    */
-  event_type?:
-    | 'input'
-    | 'output'
-    | 'tool_input'
-    | 'tool_output'
-    | 'tool_listing';
+  event_type?: string;
   /**
    * (AIDR) collector instance id.
    */
@@ -685,6 +682,10 @@ export type ChatCompletionsGuard = {
         }>
       | undefined;
   };
+  /**
+   * FPE (Format Preserving Encryption) context from a previous guard request. When provided, the encrypted input will be unredacted before processing.
+   */
+  input_fpe_context?: string;
 };
 
 export type AidrPromptInjectionResult = {
@@ -1542,11 +1543,6 @@ export type AidrServiceConfigResult = AidrServiceConfig;
  */
 export type AidrTimestamp = string;
 
-/**
- * A time in ISO-8601 format or null
- */
-export type AirdTimestampNullable = AuthnTimestamp | null;
-
 /**
  * Define field name and path mapping to extract from the log
  */
@@ -1825,9 +1821,28 @@ export type AidrMetricResultDetectorItem = {
 };
 
 /**
- * A time in ISO-8601 format
+ * Configuration for an individual access rule used in an AI Guard recipe. Each rule defines its matching logic and the action to apply when the logic evaluates to true.
  */
-export type AuthnTimestamp = string;
+export type AccessRuleSettings = {
+  /**
+   * Unique identifier for this rule. Should be user-readable and consistent across recipe updates.
+   */
+  rule_key: string;
+  /**
+   * Display label for the rule shown in user interfaces.
+   */
+  name: string;
+  /**
+   * Action to apply if the rule matches. Use 'block' to stop further processing or 'report' to simply log the match.
+   */
+  state: 'block' | 'report';
+  /**
+   * JSON Logic condition that determines whether this rule matches.
+   */
+  logic: {
+    [key: string]: unknown;
+  };
+};
 
 /**
  * Details about the evaluation of a single rule, including whether it matched, the action to take, the rule name, and optional debugging information.
@@ -1859,50 +1874,6 @@ export type AccessRuleResult = {
   };
 };
 
-/**
- * Defines an AI Guard recipe - a named configuration of detectors and redaction settings used to analyze and protect data flows in AI-powered applications.
- *
- * Recipes specify which detectors are active, how they behave, and may include reusable settings such as FPE tweaks.
- *
- * For details, see the [AI Guard Recipes](https://pangea.cloud/docs/ai-guard/recipes) documentation.
- */
-export type RecipeConfig = {
-  /**
-   * Human-readable name of the recipe
-   */
-  name: string;
-  /**
-   * Detailed description of the recipe's purpose or use case
-   */
-  description: string;
-  /**
-   * Optional version identifier for the recipe. Can be used to track changes.
-   */
-  version?: string;
-  /**
-   * Settings for [AI Guard Detectors](https://pangea.cloud/docs/ai-guard/recipes#detectors), including which detectors to enable and how they behave
-   */
-  detectors?: DetectorSettings;
-  /**
-   * Configuration for access rules used in an AI Guard recipe.
-   */
-  access_rules?: Array<AccessRuleSettings>;
-  /**
-   * Connector-level Redact configuration. These settings allow you to define reusable redaction parameters, such as FPE tweak value.
-   */
-  connector_settings?: {
-    /**
-     * Settings for Redact integration at the recipe level
-     */
-    redact?: {
-      /**
-       * ID of a Vault secret containing the tweak value used for Format-Preserving Encryption (FPE). Enables deterministic encryption, ensuring that identical inputs produce consistent encrypted outputs.
-       */
-      fpe_tweak_vault_secret_id?: string;
-    };
-  };
-};
-
 /**
  * Configuration for individual detectors used in an AI Guard recipe. Each entry specifies the detector to use, its enabled state, detector-specific settings, and the [action](https://pangea.cloud/docs/ai-guard/recipes#actions) to apply when detections occur.
  */
@@ -1948,6 +1919,50 @@ export type DetectorSettings = Array<{
   };
 }>;
 
+/**
+ * Defines an AI Guard recipe - a named configuration of detectors and redaction settings used to analyze and protect data flows in AI-powered applications.
+ *
+ * Recipes specify which detectors are active, how they behave, and may include reusable settings such as FPE tweaks.
+ *
+ * For details, see the [AI Guard Recipes](https://pangea.cloud/docs/ai-guard/recipes) documentation.
+ */
+export type RecipeConfig = {
+  /**
+   * Human-readable name of the recipe
+   */
+  name: string;
+  /**
+   * Detailed description of the recipe's purpose or use case
+   */
+  description: string;
+  /**
+   * Optional version identifier for the recipe. Can be used to track changes.
+   */
+  version?: string;
+  /**
+   * Settings for [AI Guard Detectors](https://pangea.cloud/docs/ai-guard/recipes#detectors), including which detectors to enable and how they behave
+   */
+  detectors?: DetectorSettings;
+  /**
+   * Configuration for access rules used in an AI Guard recipe.
+   */
+  access_rules?: Array<AccessRuleSettings>;
+  /**
+   * Connector-level Redact configuration. These settings allow you to define reusable redaction parameters, such as FPE tweak value.
+   */
+  connector_settings?: {
+    /**
+     * Settings for Redact integration at the recipe level
+     */
+    redact?: {
+      /**
+       * ID of a Vault secret containing the tweak value used for Format-Preserving Encryption (FPE). Enables deterministic encryption, ensuring that identical inputs produce consistent encrypted outputs.
+       */
+      fpe_tweak_vault_secret_id?: string;
+    };
+  };
+};
+
 export type RuleRedactionConfig = (
   | {
       redaction_type?: 'mask' | 'detect_only';
@@ -2035,66 +2050,6 @@ export type RuleRedactionConfig = (
     | null;
 };
 
-/**
- * Configuration for an individual access rule used in an AI Guard recipe. Each rule defines its matching logic and the action to apply when the logic evaluates to true.
- */
-export type AccessRuleSettings = {
-  /**
-   * Unique identifier for this rule. Should be user-readable and consistent across recipe updates.
-   */
-  rule_key: string;
-  /**
-   * Display label for the rule shown in user interfaces.
-   */
-  name: string;
-  /**
-   * Action to apply if the rule matches. Use 'block' to stop further processing or 'report' to simply log the match.
-   */
-  state: 'block' | 'report';
-  /**
-   * JSON Logic condition that determines whether this rule matches.
-   */
-  logic: {
-    [key: string]: unknown;
-  };
-};
-
-export type LanguageResult = {
-  /**
-   * The action taken by this Detector
-   */
-  action?: string;
-  language?: string;
-};
-
-export type RedactEntityResult = {
-  /**
-   * Detected redaction rules.
-   */
-  entities?: Array<{
-    /**
-     * The action taken on this Entity
-     */
-    action: string;
-    type: string;
-    value: string;
-    redacted: boolean;
-    start_pos?: number;
-  }>;
-};
-
-export type MaliciousEntityAction = 'report' | 'defang' | 'disabled' | 'block';
-
-export type PiiEntityAction =
-  | 'disabled'
-  | 'report'
-  | 'block'
-  | 'mask'
-  | 'partial_masking'
-  | 'replacement'
-  | 'hash'
-  | 'fpe';
-
 export type AidrPostV1GuardChatCompletionsData = {
   body?: ChatCompletionsGuard;
   path?: never;
@@ -2238,11 +2193,62 @@ export type AidrPostV1GuardChatCompletionsResponses = {
       fpe_context?: string;
     };
   };
+  /**
+   * Asynchronous request in progress
+   */
+  202: PangeaResponse & PangeaAcceptedResponse;
 };
 
 export type AidrPostV1GuardChatCompletionsResponse =
   AidrPostV1GuardChatCompletionsResponses[keyof AidrPostV1GuardChatCompletionsResponses];
 
+export type AidrPostV1UnredactData = {
+  body?: {
+    /**
+     * Data to unredact
+     */
+    redacted_data: unknown;
+    /**
+     * FPE context used to decrypt and unredact data
+     */
+    fpe_context: string;
+  };
+  path?: never;
+  query?: never;
+  url: '/v1/unredact';
+};
+
+export type AidrPostV1UnredactErrors = {
+  /**
+   * Validation errors
+   */
+  400: PangeaResponse & PangeaValidationErrors;
+};
+
+export type AidrPostV1UnredactError =
+  AidrPostV1UnredactErrors[keyof AidrPostV1UnredactErrors];
+
+export type AidrPostV1UnredactResponses = {
+  /**
+   * The unredacted data
+   */
+  200: PangeaResponse & {
+    result?: {
+      /**
+       * The unredacted data
+       */
+      data: unknown;
+    };
+  };
+  /**
+   * Asynchronous request in progress
+   */
+  202: PangeaResponse & PangeaAcceptedResponse;
+};
+
+export type AidrPostV1UnredactResponse =
+  AidrPostV1UnredactResponses[keyof AidrPostV1UnredactResponses];
+
 export type GetAsyncRequestData = {
   body?: never;
   path: {
@@ -2264,11 +2270,12 @@ export type GetAsyncRequestResponses = {
    * Asynchronous request in progress
    */
   202: PangeaResponse & {
-    result?: {
+    result: {
       ttl_mins?: number;
       retry_counter?: number;
       location?: string;
     };
+    status: 'Accepted';
   };
 };