@driftgard/node 1.10.0 → 1.12.0-beta.1

package/README.md

@@ -35,6 +35,94 @@ if (result.evaluation.allowed) {
 }
 ```
 
+## Local evaluation mode (beta)
+
+For privacy-sensitive deployments — mental health, clinical, healthcare — where no patient data can leave your environment. The SDK evaluates locally via a compiled WebAssembly engine. No prompt, response, or conversation content is sent to DriftGard.
+
+### Local mode — zero network calls after init
+
+```typescript
+import { Driftgard } from "@driftgard/node";
+
+const dg = new Driftgard({
+  apiKey: process.env.DRIFTGARD_API_KEY,
+  mode: "local",
+  projectId: "your-project-id",
+});
+
+// Fetches the active control pack (one-time network call)
+await dg.init();
+
+// All evaluate() calls now run locally via WASM
+const result = await dg.evaluate({
+  project_id: "your-project-id",
+  prompt: "I feel really anxious today",
+  response: "I hear you. Would you like to talk about what's triggering it?",
+  model_id: "gpt-4o",
+});
+
+console.log(result.evaluation.allowed);     // true
+console.log(result.decision_source);        // "local"
+console.log(result.data_mode);             // "local"
+
+// Clean up when done
+dg.destroy();
+```
+
+### Local-with-audit mode — local evaluation, metadata reporting
+
+Same as local mode, but posts verdict metadata (no prompt/response) to DriftGard for compliance dashboards:
+
+```typescript
+const dg = new Driftgard({
+  apiKey: process.env.DRIFTGARD_API_KEY,
+  mode: "local-with-audit",
+  projectId: "your-project-id",
+});
+
+await dg.init();
+
+const result = await dg.evaluate({
+  project_id: "your-project-id",
+  prompt: "Patient conversation content...",
+  response: "Clinical response...",
+  model_id: "gpt-4o",
+  agent_role: "therapist_agent",
+});
+
+// Evaluation ran locally — no patient data sent
+// Only verdict metadata reported: evaluation_id, timestamp, allowed, risk_score,
+// violation clause IDs, severities, model_id, session_id, agent_role
+```
+
+### Control pack sync
+
+On `init()`, the SDK fetches the active control pack for your project and caches it in memory. A background refresh runs every 60 seconds (configurable). If a refresh fails, the SDK uses the last-known-good pack and marks it as stale.
+
+```typescript
+const dg = new Driftgard({
+  apiKey: process.env.DRIFTGARD_API_KEY,
+  mode: "local",
+  projectId: "your-project-id",
+  refreshIntervalMs: 120_000,  // refresh every 2 minutes (default 60s)
+  onControlPackRefresh: (event) => {
+    if (event.success) {
+      console.log(`Control pack refreshed: v${event.version}`);
+    } else {
+      console.warn(`Refresh failed: ${event.error}${event.stale ? " (using stale pack)" : ""}`);
+    }
+  },
+});
+```
+
+### When to use each mode
+
+| Mode | Data sent to DriftGard | Use case |
+|---|---|---|
+| `remote` (default) | Prompt + response + verdict | Standard deployment, full dashboard visibility |
+| `local` | Control pack fetch only (on init) | Maximum privacy — mental health, clinical, sovereign |
+| `local-with-audit` | Control pack fetch + verdict metadata | Privacy with compliance reporting — healthcare, regulated |
+
 ## Conversation tracking
 
 Link evaluations within an agent session using `session_id` and `parent_evaluation_id`:
@@ -53,6 +141,53 @@ const result = await dg.evaluate({
 
 This enables chain depth protection (prevents infinite agent loops) and lets you trace evaluation lineage in the dashboard. When `sequence_no` is provided, DriftGard enforces ordering — if an eval arrives out of order, the response includes a `sequence_warning`.
 
+## Agent identity
+
+Identify which agent made a decision using `agent_id` and `agent_role`:
+
+```typescript
+const result = await dg.evaluate({
+  project_id: "your-project-id",
+  prompt: "Transfer $500",
+  response: "Transfer initiated.",
+  model_id: "gpt-4o",
+  agent_id: "agent_payments_prod",        // which agent instance
+  agent_role: "payments_agent",           // agent's role for policy scoping
+  on_behalf_of: "user_12345",            // which end-user triggered this
+  // parent_agent_id: "agent_orchestrator", // optional — which parent agent delegated
+  session_id: "sess_abc123",
+});
+```
+
+Agent identity fields are stored on the evaluation record and visible in the Live Activity detail dialog. The `on_behalf_of` field tracks which end-user triggered the agent action. The `parent_agent_id` field identifies which orchestrator agent delegated to this one in multi-agent systems.
+
+### Per-tool identity rules
+
+Control packs support `identity_rules` on each tool — restricting which agents, roles, users, or parent agents can call it. Rules use OR logic across entries and AND logic within each entry:
+
+```json
+{
+  "tool_rules": {
+    "tool_policy": "deny_unlisted",
+    "rules": {
+      "transfer_money": {
+        "parameters": { ... },
+        "identity_rules": [
+          { "allowed_roles": ["payments_agent"], "allowed_users": ["user_alice", "user_bob"] },
+          { "allowed_roles": ["admin_agent"] }
+        ]
+      }
+    }
+  }
+}
+```
+
+In this example, `transfer_money` is allowed when:
+- The caller has `agent_role=payments_agent` AND `on_behalf_of` is `user_alice` or `user_bob`, OR
+- The caller has `agent_role=admin_agent` (any user)
+
+If no `identity_rules` are defined on a tool, any caller can use it (subject to parameter validation). All four fields are optional within each rule — only specified fields are checked.
+
 ## A/B experiments
 
 Tag evaluations with an `experiment_id` to compare governance metrics across models:
@@ -117,6 +252,10 @@ const result = await dg.evaluateToolCall({
   tool_name: "transfer_money",
   parameters: { amount: 500, to_account: "account_123" },
   session_id: "sess_abc123",
+  agent_id: "agent_payments_prod",
+  agent_role: "payments_agent",
+  on_behalf_of: "user_12345",
+  // parent_agent_id: "agent_orchestrator",
 });
 
 if (!result.evaluation.allowed) {
@@ -153,13 +292,16 @@ Supported: comparisons (`< > <= >= === !==`), logical (`&& || !`), arithmetic (`
 ## Features
 
 - Single `evaluate()` method — send prompt/response, get verdict
+- Local evaluation mode (beta) — evaluate via WASM, no data leaves your environment
+- Three modes: `remote`, `local`, `local-with-audit`
+- Control pack sync with background refresh and stale-pack fallback
 - Failure mode: `fail-open` or `fail-closed` when API is unreachable
 - Circuit breaker: skips API after consecutive failures, auto-recovers
 - Idempotency: deduplicates retried requests via `x-idempotency-key`
 - Auto-retry with exponential backoff on 5xx and network errors
 - Typed errors: `AuthError`, `RateLimitError`, `FeatureNotAvailableError`, `ChainDepthExceededError`
 - Full TypeScript types for requests and responses
-- Zero dependencies (uses native `fetch`)
+- Zero runtime dependencies (uses native `fetch`, WASM bundled)
 
 ## Configuration
 
@@ -174,7 +316,18 @@ const dg = new Driftgard({
     threshold: 5,               // open circuit after 5 consecutive failures (default 5)
     resetTimeoutMs: 30000,      // try again after 30s (default 30000)
   },
+
+  // Local mode options (beta)
+  mode: "remote",              // "remote" | "local" | "local-with-audit" (default "remote")
+  projectId: "your-project-id", // required for local/local-with-audit modes
+  refreshIntervalMs: 60000,    // control pack refresh interval, ms (default 60s)
+  onControlPackRefresh: (e) => {}, // callback on refresh success/failure
 });
+
+// For local modes, call init() to fetch the control pack
+if (dg.mode !== "remote") {
+  await dg.init();
+}
 ```
 
 ## Failure mode & circuit breaker
@@ -187,6 +340,8 @@ const result = await dg.evaluate({ ... });
 // Check where the decision came from
 console.log(result.decision_source);
 // "policy"           — normal API evaluation
+// "local"            — local WASM evaluation
+// "local_stale"      — local evaluation with stale control pack
 // "failure_mode"     — API unreachable, failureMode applied
 // "circuit_open"     — circuit breaker open, failureMode applied
 // "idempotency_cache" — duplicate request, cached result returned

package/dist/control-pack-cache.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Control Pack Cache — fetches and caches the active control pack for local evaluation.
+ *
+ * On init: fetches the active control pack from the DriftGard API.
+ * Background: refreshes on a configurable interval.
+ * Stale pack: uses last-known-good if refresh fails. Fails closed if no pack exists.
+ */
+export interface ControlPackCacheConfig {
+    apiKey: string;
+    baseUrl: string;
+    projectId: string;
+    /** Refresh interval in milliseconds. Default 60000 (1 minute). */
+    refreshIntervalMs?: number;
+    /** Timeout for API calls in milliseconds. Default 10000. */
+    timeout?: number;
+    /** Called when the control pack is refreshed or refresh fails. */
+    onRefresh?: (event: {
+        success: boolean;
+        version?: number;
+        error?: string;
+        stale?: boolean;
+    }) => void;
+}
+export declare class ControlPackCache {
+    private config;
+    private controlPack;
+    private controlPackId;
+    private controlPackVersion;
+    private lastRefreshedAt;
+    private refreshTimer;
+    private stale;
+    constructor(config: ControlPackCacheConfig);
+    /** Fetch the active control pack. Must be called before evaluating. */
+    init(): Promise<void>;
+    /** Stop background refresh. */
+    destroy(): void;
+    /** Get the cached control pack. Throws if no pack is available. */
+    getControlPack(): Record<string, unknown>;
+    /** Get cache metadata for audit reporting. */
+    getMeta(): {
+        control_pack_id: string | null;
+        version: number;
+        stale: boolean;
+        last_refreshed_at: string | null;
+    };
+    /** Refresh the control pack from the API. */
+    private refresh;
+}

package/dist/control-pack-cache.js

@@ -0,0 +1,116 @@
+"use strict";
+/**
+ * Control Pack Cache — fetches and caches the active control pack for local evaluation.
+ *
+ * On init: fetches the active control pack from the DriftGard API.
+ * Background: refreshes on a configurable interval.
+ * Stale pack: uses last-known-good if refresh fails. Fails closed if no pack exists.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ControlPackCache = void 0;
+class ControlPackCache {
+    constructor(config) {
+        this.controlPack = null;
+        this.controlPackId = null;
+        this.controlPackVersion = 0;
+        this.lastRefreshedAt = null;
+        this.refreshTimer = null;
+        this.stale = false;
+        this.config = config;
+    }
+    /** Fetch the active control pack. Must be called before evaluating. */
+    async init() {
+        await this.refresh();
+        // Start background refresh
+        const interval = this.config.refreshIntervalMs ?? 60000;
+        if (interval > 0) {
+            this.refreshTimer = setInterval(() => {
+                this.refresh().catch(() => { });
+            }, interval);
+            // Don't block process exit
+            if (this.refreshTimer && typeof this.refreshTimer === "object" && "unref" in this.refreshTimer) {
+                this.refreshTimer.unref();
+            }
+        }
+    }
+    /** Stop background refresh. */
+    destroy() {
+        if (this.refreshTimer) {
+            clearInterval(this.refreshTimer);
+            this.refreshTimer = null;
+        }
+    }
+    /** Get the cached control pack. Throws if no pack is available. */
+    getControlPack() {
+        if (!this.controlPack) {
+            throw new Error("No control pack available. Call init() first or check that the project has an active control pack.");
+        }
+        return this.controlPack;
+    }
+    /** Get cache metadata for audit reporting. */
+    getMeta() {
+        return {
+            control_pack_id: this.controlPackId,
+            version: this.controlPackVersion,
+            stale: this.stale,
+            last_refreshed_at: this.lastRefreshedAt,
+        };
+    }
+    /** Refresh the control pack from the API. */
+    async refresh() {
+        const { apiKey, baseUrl, projectId, timeout = 10000 } = this.config;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeout);
+        try {
+            const res = await fetch(`${baseUrl}/audit/cli/control-packs/active?project_id=${encodeURIComponent(projectId)}`, {
+                method: "GET",
+                headers: {
+                    "x-api-key": apiKey,
+                },
+                signal: controller.signal,
+            });
+            if (!res.ok) {
+                throw new Error(`HTTP ${res.status}: ${res.statusText}`);
+            }
+            const data = await res.json();
+            const cp = data.control_pack;
+            if (!cp) {
+                throw new Error("No active control pack found for this project");
+            }
+            this.controlPack = cp;
+            this.controlPackId = String(cp.control_pack_id || "");
+            this.controlPackVersion = Number(cp.version || 0);
+            this.lastRefreshedAt = new Date().toISOString();
+            this.stale = false;
+            this.config.onRefresh?.({
+                success: true,
+                version: this.controlPackVersion,
+            });
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            // If we have a cached pack, mark as stale but keep using it
+            if (this.controlPack) {
+                this.stale = true;
+                this.config.onRefresh?.({
+                    success: false,
+                    error: msg,
+                    stale: true,
+                    version: this.controlPackVersion,
+                });
+            }
+            else {
+                // No cached pack — this is fatal for local mode
+                this.config.onRefresh?.({
+                    success: false,
+                    error: msg,
+                });
+                throw new Error(`Failed to fetch control pack: ${msg}`);
+            }
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+}
+exports.ControlPackCache = ControlPackCache;

package/dist/index.d.ts

@@ -2,6 +2,8 @@ import { DriftgardConfig, EvaluateRequest, EvaluateResponse, ToolCallRequest, Ou
 export { DriftgardConfig, EvaluateRequest, EvaluateResponse, CircuitBreakerConfig, ToolCallRequest, OutcomeRequest } from "./types";
 export { Violation, EvaluationResult, FallbackResponse, HitlInfo } from "./types";
 export { DriftgardError, AuthError, RateLimitError, FeatureNotAvailableError, ChainDepthExceededError } from "./errors";
+export { evaluateLocal } from "./local-evaluator";
+export { ControlPackCache } from "./control-pack-cache";
 type CircuitState = "closed" | "open" | "half-open";
 export declare class Driftgard {
     private apiKey;
@@ -9,17 +11,38 @@ export declare class Driftgard {
     private timeout;
     private maxRetries;
     private failureMode;
+    private mode;
     private cbThreshold;
     private cbResetMs;
     private cbState;
     private cbFailures;
     private cbOpenedAt;
+    private cpCache;
+    private initialized;
     constructor(config: DriftgardConfig);
+    /**
+     * Initialize the SDK. Required for local and local-with-audit modes.
+     * Fetches the active control pack and starts background refresh.
+     * No-op for remote mode.
+     */
+    init(): Promise<void>;
+    /**
+     * Stop background refresh and clean up resources.
+     */
+    destroy(): void;
     /**
      * Evaluate a prompt/response pair against your active control pack.
-     * Handles circuit breaker and failure mode automatically.
+     * In remote mode: sends to DriftGard API.
+     * In local mode: evaluates via WASM — no data leaves your environment.
+     * In local-with-audit mode: evaluates locally, reports verdict metadata to DriftGard.
      */
     evaluate(req: EvaluateRequest): Promise<EvaluateResponse>;
+    /** Local evaluation via WASM. */
+    private evaluateLocally;
+    /** Report verdict metadata to DriftGard (no prompt/response content). */
+    private reportAuditMetadata;
+    /** Remote evaluation via DriftGard API. */
+    private evaluateRemotely;
     /** Generate a synthetic response based on failure mode. */
     private syntheticResponse;
     /**

package/dist/index.js

@@ -1,13 +1,19 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Driftgard = exports.ChainDepthExceededError = exports.FeatureNotAvailableError = exports.RateLimitError = exports.AuthError = exports.DriftgardError = void 0;
+exports.Driftgard = exports.ControlPackCache = exports.evaluateLocal = exports.ChainDepthExceededError = exports.FeatureNotAvailableError = exports.RateLimitError = exports.AuthError = exports.DriftgardError = void 0;
 const errors_1 = require("./errors");
+const local_evaluator_1 = require("./local-evaluator");
+const control_pack_cache_1 = require("./control-pack-cache");
 var errors_2 = require("./errors");
 Object.defineProperty(exports, "DriftgardError", { enumerable: true, get: function () { return errors_2.DriftgardError; } });
 Object.defineProperty(exports, "AuthError", { enumerable: true, get: function () { return errors_2.AuthError; } });
 Object.defineProperty(exports, "RateLimitError", { enumerable: true, get: function () { return errors_2.RateLimitError; } });
 Object.defineProperty(exports, "FeatureNotAvailableError", { enumerable: true, get: function () { return errors_2.FeatureNotAvailableError; } });
 Object.defineProperty(exports, "ChainDepthExceededError", { enumerable: true, get: function () { return errors_2.ChainDepthExceededError; } });
+var local_evaluator_2 = require("./local-evaluator");
+Object.defineProperty(exports, "evaluateLocal", { enumerable: true, get: function () { return local_evaluator_2.evaluateLocal; } });
+var control_pack_cache_2 = require("./control-pack-cache");
+Object.defineProperty(exports, "ControlPackCache", { enumerable: true, get: function () { return control_pack_cache_2.ControlPackCache; } });
 const DEFAULT_BASE_URL = "https://api.driftgard.com";
 const DEFAULT_TIMEOUT = 30000;
 const DEFAULT_MAX_RETRIES = 2;
@@ -19,6 +25,9 @@ class Driftgard {
         this.cbState = "closed";
         this.cbFailures = 0;
         this.cbOpenedAt = 0;
+        // Local mode
+        this.cpCache = null;
+        this.initialized = false;
         if (!config.apiKey)
             throw new Error("apiKey is required");
         this.apiKey = config.apiKey;
@@ -26,14 +35,136 @@ class Driftgard {
         this.timeout = config.timeout ?? DEFAULT_TIMEOUT;
         this.maxRetries = config.maxRetries ?? DEFAULT_MAX_RETRIES;
         this.failureMode = config.failureMode ?? "open";
+        this.mode = config.mode ?? "remote";
         this.cbThreshold = config.circuitBreaker?.threshold ?? DEFAULT_CB_THRESHOLD;
         this.cbResetMs = config.circuitBreaker?.resetTimeoutMs ?? DEFAULT_CB_RESET_MS;
+        if (this.mode !== "remote") {
+            if (!config.projectId)
+                throw new Error("projectId is required for local mode");
+            this.cpCache = new control_pack_cache_1.ControlPackCache({
+                apiKey: this.apiKey,
+                baseUrl: this.baseUrl,
+                projectId: config.projectId,
+                refreshIntervalMs: config.refreshIntervalMs,
+                timeout: this.timeout,
+                onRefresh: config.onControlPackRefresh,
+            });
+        }
+    }
+    /**
+     * Initialize the SDK. Required for local and local-with-audit modes.
+     * Fetches the active control pack and starts background refresh.
+     * No-op for remote mode.
+     */
+    async init() {
+        if (this.cpCache) {
+            await this.cpCache.init();
+        }
+        this.initialized = true;
+    }
+    /**
+     * Stop background refresh and clean up resources.
+     */
+    destroy() {
+        this.cpCache?.destroy();
     }
     /**
      * Evaluate a prompt/response pair against your active control pack.
-     * Handles circuit breaker and failure mode automatically.
+     * In remote mode: sends to DriftGard API.
+     * In local mode: evaluates via WASM — no data leaves your environment.
+     * In local-with-audit mode: evaluates locally, reports verdict metadata to DriftGard.
      */
     async evaluate(req) {
+        if (this.mode !== "remote") {
+            return this.evaluateLocally(req);
+        }
+        return this.evaluateRemotely(req);
+    }
+    /** Local evaluation via WASM. */
+    async evaluateLocally(req) {
+        if (!this.cpCache)
+            throw new Error("Local mode not configured");
+        if (!this.initialized)
+            throw new Error("Call init() before evaluate() in local mode");
+        const cp = this.cpCache.getControlPack();
+        const meta = this.cpCache.getMeta();
+        const timestamp = req.timestamp || new Date().toISOString();
+        const evaluationId = `local_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+        // Build the WASM request
+        const wasmRequest = {
+            prompt: req.prompt || "",
+            response: req.response || "",
+            model_id: req.model_id,
+            ...(req.eval_mode ? { eval_mode: req.eval_mode } : {}),
+            ...(req.tool_call ? { tool_call: req.tool_call } : {}),
+            ...(req.agent_id ? { agent_id: req.agent_id } : {}),
+            ...(req.agent_role ? { agent_role: req.agent_role } : {}),
+            ...(req.on_behalf_of ? { on_behalf_of: req.on_behalf_of } : {}),
+            ...(req.parent_agent_id ? { parent_agent_id: req.parent_agent_id } : {}),
+        };
+        const verdict = (0, local_evaluator_1.evaluateLocal)(cp, wasmRequest);
+        const response = {
+            ok: true,
+            project_id: req.project_id,
+            evaluation_id: evaluationId,
+            active_control_pack_id: meta.control_pack_id || "",
+            active_control_pack_version: meta.version,
+            data_mode: "local",
+            telemetry_mode: this.mode === "local-with-audit" ? "metadata_only" : "none",
+            execution_mode: "local",
+            decision_action: verdict.allowed ? "log_only" : "enforce",
+            decision_source: meta.stale ? "local_stale" : "local",
+            evaluation: {
+                allowed: verdict.allowed,
+                risk_score: verdict.risk_score,
+                violations: verdict.violations,
+                flags: {
+                    pii_detected: verdict.flags.pii_detected,
+                    secret_detected: verdict.flags.secret_detected,
+                    adversarial_input: verdict.flags.adversarial_input,
+                    meta_bypass_detected: verdict.flags.meta_bypass_detected,
+                    hard_blocked: verdict.flags.hard_blocked,
+                    action_blocked: verdict.flags.action_blocked,
+                    dlp_findings_count: verdict.flags.dlp_findings_count,
+                },
+            },
+            ...(req.eval_mode ? { eval_mode: req.eval_mode } : {}),
+            ...(req.tool_call ? { tool_call: req.tool_call } : {}),
+            ...(req.session_id ? { session_id: req.session_id } : {}),
+            ...(req.usage ? { usage: req.usage } : {}),
+        };
+        // local-with-audit: report verdict metadata (no prompt/response)
+        if (this.mode === "local-with-audit") {
+            this.reportAuditMetadata({
+                project_id: req.project_id,
+                evaluation_id: evaluationId,
+                timestamp,
+                model_id: req.model_id,
+                control_pack_id: meta.control_pack_id || "",
+                control_pack_version: meta.version,
+                allowed: verdict.allowed,
+                risk_score: verdict.risk_score,
+                violations: verdict.violations.map(v => ({ clause_id: v.clause_id, severity: v.severity, category: v.category })),
+                eval_mode: req.eval_mode,
+                session_id: req.session_id,
+                agent_id: req.agent_id,
+                agent_role: req.agent_role,
+                stale_pack: meta.stale,
+            }).catch(() => { }); // fire-and-forget
+        }
+        return response;
+    }
+    /** Report verdict metadata to DriftGard (no prompt/response content). */
+    async reportAuditMetadata(meta) {
+        try {
+            await this.post("/audit/local-verdict", meta);
+        }
+        catch {
+            // Non-fatal — local evaluation still succeeded
+        }
+    }
+    /** Remote evaluation via DriftGard API. */
+    async evaluateRemotely(req) {
         const idempotencyKey = req.idempotency_key || this.generateIdempotencyKey();
         // Circuit breaker: if open, check if reset timeout has passed
         if (this.cbState === "open") {
@@ -61,6 +192,10 @@ class Driftgard {
                 ...(req.eval_mode ? { eval_mode: req.eval_mode } : {}),
                 ...(req.tool_call ? { tool_call: req.tool_call } : {}),
                 ...(req.sequence_no != null ? { sequence_no: req.sequence_no } : {}),
+                ...(req.agent_id ? { agent_id: req.agent_id } : {}),
+                ...(req.agent_role ? { agent_role: req.agent_role } : {}),
+                ...(req.on_behalf_of ? { on_behalf_of: req.on_behalf_of } : {}),
+                ...(req.parent_agent_id ? { parent_agent_id: req.parent_agent_id } : {}),
                 ...(req.usage ? { usage: req.usage } : {}),
             }, idempotencyKey);
             // Success — reset circuit breaker
@@ -135,6 +270,10 @@ class Driftgard {
             parent_evaluation_id: req.parent_evaluation_id,
             idempotency_key: req.idempotency_key,
             sequence_no: req.sequence_no,
+            agent_id: req.agent_id,
+            agent_role: req.agent_role,
+            on_behalf_of: req.on_behalf_of,
+            parent_agent_id: req.parent_agent_id,
         });
     }
     /**

package/dist/local-evaluator.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Local Evaluator — runs the DriftGard evaluation engine locally via WASM.
+ * No prompt/response data leaves the customer environment.
+ */
+export interface LocalVerdict {
+    allowed: boolean;
+    risk_score: number;
+    violations: Array<{
+        clause_id: string;
+        severity: string;
+        category: string;
+        reason: string;
+        matched_pattern?: string;
+    }>;
+    flags: {
+        pii_detected: boolean;
+        pii_in_params: boolean;
+        secret_detected: boolean;
+        secret_in_params: boolean;
+        adversarial_input: boolean;
+        meta_bypass_detected: boolean;
+        hard_blocked: boolean;
+        action_blocked: boolean;
+        dlp_findings_count: number;
+    };
+}
+/**
+ * Run evaluation locally via WASM.
+ * @param controlPack - The cached control pack object
+ * @param request - The evaluation request (prompt, response, tool_call, identity, etc.)
+ * @returns The verdict — same shape as the server-side evaluation result
+ */
+export declare function evaluateLocal(controlPack: Record<string, unknown>, request: Record<string, unknown>): LocalVerdict;

package/dist/local-evaluator.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * Local Evaluator — runs the DriftGard evaluation engine locally via WASM.
+ * No prompt/response data leaves the customer environment.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateLocal = evaluateLocal;
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const wasmModule = require("./wasm/driftgard_evaluator.js");
+/**
+ * Run evaluation locally via WASM.
+ * @param controlPack - The cached control pack object
+ * @param request - The evaluation request (prompt, response, tool_call, identity, etc.)
+ * @returns The verdict — same shape as the server-side evaluation result
+ */
+function evaluateLocal(controlPack, request) {
+    const resultJson = wasmModule.evaluate(JSON.stringify(controlPack), JSON.stringify(request));
+    return JSON.parse(resultJson);
+}

package/dist/types.d.ts

@@ -13,6 +13,24 @@ export interface DriftgardConfig {
     failureMode?: "open" | "closed";
     /** Circuit breaker config. Skips API calls after consecutive failures. */
     circuitBreaker?: CircuitBreakerConfig;
+    /**
+     * Evaluation mode:
+     * - "remote" (default) — sends prompt/response to DriftGard API
+     * - "local" — evaluates locally via WASM, no data leaves your environment
+     * - "local-with-audit" — evaluates locally, reports verdict metadata to DriftGard (no prompt/response sent)
+     */
+    mode?: "remote" | "local" | "local-with-audit";
+    /** Project ID — required for local mode (used to fetch the control pack). */
+    projectId?: string;
+    /** Control pack refresh interval in milliseconds. Default 60000 (1 minute). Only used in local mode. */
+    refreshIntervalMs?: number;
+    /** Called when the control pack is refreshed or refresh fails. Only used in local mode. */
+    onControlPackRefresh?: (event: {
+        success: boolean;
+        version?: number;
+        error?: string;
+        stale?: boolean;
+    }) => void;
 }
 export interface EvaluateRequest {
     project_id: string;
@@ -35,6 +53,14 @@ export interface EvaluateRequest {
     idempotency_key?: string;
     /** Sequence number within a session for ordering. Optional — if sent, ordering is enforced. */
     sequence_no?: number;
+    /** Agent identity — who or what is making this decision. */
+    agent_id?: string;
+    /** Agent role — scopes what the agent is allowed to do. */
+    agent_role?: string;
+    /** End-user ID — which human triggered this agent action. */
+    on_behalf_of?: string;
+    /** Parent agent ID — which orchestrator agent delegated to this one. */
+    parent_agent_id?: string;
     usage?: {
         prompt_tokens?: number;
         completion_tokens?: number;
@@ -141,6 +167,10 @@ export interface ToolCallRequest {
     parent_evaluation_id?: string;
     idempotency_key?: string;
     sequence_no?: number;
+    agent_id?: string;
+    agent_role?: string;
+    on_behalf_of?: string;
+    parent_agent_id?: string;
 }
 export interface OutcomeRequest {
     execution_status: "success" | "failed" | "rolled_back";

package/dist/wasm/driftgard_evaluator.d.ts

@@ -0,0 +1,14 @@
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * Main evaluation entry point.
+ *
+ * # Arguments
+ * * `control_pack_json` - JSON string of the control pack
+ * * `request_json` - JSON string of the evaluation request
+ *
+ * # Returns
+ * JSON string of the verdict: { allowed, risk_score, violations, flags }
+ */
+export function evaluate(control_pack_json: string, request_json: string): string;

package/dist/wasm/driftgard_evaluator.js

@@ -0,0 +1,127 @@
+/* @ts-self-types="./driftgard_evaluator.d.ts" */
+
+/**
+ * Main evaluation entry point.
+ *
+ * # Arguments
+ * * `control_pack_json` - JSON string of the control pack
+ * * `request_json` - JSON string of the evaluation request
+ *
+ * # Returns
+ * JSON string of the verdict: { allowed, risk_score, violations, flags }
+ * @param {string} control_pack_json
+ * @param {string} request_json
+ * @returns {string}
+ */
+function evaluate(control_pack_json, request_json) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(control_pack_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(request_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.evaluate(ptr0, len0, ptr1, len1);
+        deferred3_0 = ret[0];
+        deferred3_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+exports.evaluate = evaluate;
+function __wbg_get_imports() {
+    const import0 = {
+        __proto__: null,
+        __wbindgen_init_externref_table: function() {
+            const table = wasm.__wbindgen_externrefs;
+            const offset = table.grow(4);
+            table.set(0, undefined);
+            table.set(offset + 0, undefined);
+            table.set(offset + 1, null);
+            table.set(offset + 2, true);
+            table.set(offset + 3, false);
+        },
+    };
+    return {
+        __proto__: null,
+        "./driftgard_evaluator_bg.js": import0,
+    };
+}
+
+function getStringFromWasm0(ptr, len) {
+    return decodeText(ptr >>> 0, len);
+}
+
+let cachedUint8ArrayMemory0 = null;
+function getUint8ArrayMemory0() {
+    if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+        cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+    }
+    return cachedUint8ArrayMemory0;
+}
+
+function passStringToWasm0(arg, malloc, realloc) {
+    if (realloc === undefined) {
+        const buf = cachedTextEncoder.encode(arg);
+        const ptr = malloc(buf.length, 1) >>> 0;
+        getUint8ArrayMemory0().subarray(ptr, ptr + buf.length).set(buf);
+        WASM_VECTOR_LEN = buf.length;
+        return ptr;
+    }
+
+    let len = arg.length;
+    let ptr = malloc(len, 1) >>> 0;
+
+    const mem = getUint8ArrayMemory0();
+
+    let offset = 0;
+
+    for (; offset < len; offset++) {
+        const code = arg.charCodeAt(offset);
+        if (code > 0x7F) break;
+        mem[ptr + offset] = code;
+    }
+    if (offset !== len) {
+        if (offset !== 0) {
+            arg = arg.slice(offset);
+        }
+        ptr = realloc(ptr, len, len = offset + arg.length * 3, 1) >>> 0;
+        const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+        const ret = cachedTextEncoder.encodeInto(arg, view);
+
+        offset += ret.written;
+        ptr = realloc(ptr, len, offset, 1) >>> 0;
+    }
+
+    WASM_VECTOR_LEN = offset;
+    return ptr;
+}
+
+let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+cachedTextDecoder.decode();
+function decodeText(ptr, len) {
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
+const cachedTextEncoder = new TextEncoder();
+
+if (!('encodeInto' in cachedTextEncoder)) {
+    cachedTextEncoder.encodeInto = function (arg, view) {
+        const buf = cachedTextEncoder.encode(arg);
+        view.set(buf);
+        return {
+            read: arg.length,
+            written: buf.length
+        };
+    };
+}
+
+let WASM_VECTOR_LEN = 0;
+
+const wasmPath = `${__dirname}/driftgard_evaluator_bg.wasm`;
+const wasmBytes = require('fs').readFileSync(wasmPath);
+const wasmModule = new WebAssembly.Module(wasmBytes);
+let wasmInstance = new WebAssembly.Instance(wasmModule, __wbg_get_imports());
+let wasm = wasmInstance.exports;
+wasm.__wbindgen_start();

package/dist/wasm/wasm/driftgard_evaluator.d.ts

@@ -0,0 +1,14 @@
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * Main evaluation entry point.
+ *
+ * # Arguments
+ * * `control_pack_json` - JSON string of the control pack
+ * * `request_json` - JSON string of the evaluation request
+ *
+ * # Returns
+ * JSON string of the verdict: { allowed, risk_score, violations, flags }
+ */
+export function evaluate(control_pack_json: string, request_json: string): string;

package/dist/wasm/wasm/driftgard_evaluator.js

@@ -0,0 +1,127 @@
+/* @ts-self-types="./driftgard_evaluator.d.ts" */
+
+/**
+ * Main evaluation entry point.
+ *
+ * # Arguments
+ * * `control_pack_json` - JSON string of the control pack
+ * * `request_json` - JSON string of the evaluation request
+ *
+ * # Returns
+ * JSON string of the verdict: { allowed, risk_score, violations, flags }
+ * @param {string} control_pack_json
+ * @param {string} request_json
+ * @returns {string}
+ */
+function evaluate(control_pack_json, request_json) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(control_pack_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(request_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.evaluate(ptr0, len0, ptr1, len1);
+        deferred3_0 = ret[0];
+        deferred3_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+exports.evaluate = evaluate;
+function __wbg_get_imports() {
+    const import0 = {
+        __proto__: null,
+        __wbindgen_init_externref_table: function() {
+            const table = wasm.__wbindgen_externrefs;
+            const offset = table.grow(4);
+            table.set(0, undefined);
+            table.set(offset + 0, undefined);
+            table.set(offset + 1, null);
+            table.set(offset + 2, true);
+            table.set(offset + 3, false);
+        },
+    };
+    return {
+        __proto__: null,
+        "./driftgard_evaluator_bg.js": import0,
+    };
+}
+
+function getStringFromWasm0(ptr, len) {
+    return decodeText(ptr >>> 0, len);
+}
+
+let cachedUint8ArrayMemory0 = null;
+function getUint8ArrayMemory0() {
+    if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+        cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+    }
+    return cachedUint8ArrayMemory0;
+}
+
+function passStringToWasm0(arg, malloc, realloc) {
+    if (realloc === undefined) {
+        const buf = cachedTextEncoder.encode(arg);
+        const ptr = malloc(buf.length, 1) >>> 0;
+        getUint8ArrayMemory0().subarray(ptr, ptr + buf.length).set(buf);
+        WASM_VECTOR_LEN = buf.length;
+        return ptr;
+    }
+
+    let len = arg.length;
+    let ptr = malloc(len, 1) >>> 0;
+
+    const mem = getUint8ArrayMemory0();
+
+    let offset = 0;
+
+    for (; offset < len; offset++) {
+        const code = arg.charCodeAt(offset);
+        if (code > 0x7F) break;
+        mem[ptr + offset] = code;
+    }
+    if (offset !== len) {
+        if (offset !== 0) {
+            arg = arg.slice(offset);
+        }
+        ptr = realloc(ptr, len, len = offset + arg.length * 3, 1) >>> 0;
+        const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+        const ret = cachedTextEncoder.encodeInto(arg, view);
+
+        offset += ret.written;
+        ptr = realloc(ptr, len, offset, 1) >>> 0;
+    }
+
+    WASM_VECTOR_LEN = offset;
+    return ptr;
+}
+
+let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+cachedTextDecoder.decode();
+function decodeText(ptr, len) {
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
+const cachedTextEncoder = new TextEncoder();
+
+if (!('encodeInto' in cachedTextEncoder)) {
+    cachedTextEncoder.encodeInto = function (arg, view) {
+        const buf = cachedTextEncoder.encode(arg);
+        view.set(buf);
+        return {
+            read: arg.length,
+            written: buf.length
+        };
+    };
+}
+
+let WASM_VECTOR_LEN = 0;
+
+const wasmPath = `${__dirname}/driftgard_evaluator_bg.wasm`;
+const wasmBytes = require('fs').readFileSync(wasmPath);
+const wasmModule = new WebAssembly.Module(wasmBytes);
+let wasmInstance = new WebAssembly.Instance(wasmModule, __wbg_get_imports());
+let wasm = wasmInstance.exports;
+wasm.__wbindgen_start();

package/package.json

@@ -1,15 +1,27 @@
 {
   "name": "@driftgard/node",
-  "version": "1.10.0",
+  "version": "1.12.0-beta.1",
   "description": "Official DriftGard Node.js SDK — evaluate LLM interactions against your compliance policy",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
-  "files": ["dist", "README.md"],
+  "files": [
+    "dist",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc",
+    "build": "tsc && cp -r src/wasm dist/wasm",
     "prepublishOnly": "npm run build"
   },
-  "keywords": ["driftgard", "ai", "compliance", "guardrails", "llm", "evaluation", "policy", "audit"],
+  "keywords": [
+    "driftgard",
+    "ai",
+    "compliance",
+    "guardrails",
+    "llm",
+    "evaluation",
+    "policy",
+    "audit"
+  ],
   "author": "Driftgard <support@driftgard.com>",
   "license": "MIT",
   "repository": {
@@ -21,6 +33,7 @@
     "node": ">=18.0.0"
   },
   "devDependencies": {
+    "@types/node": "^25.6.0",
     "typescript": "^5.0.0"
   }
 }