npm - @eigenart/agentshield - Versions diffs - 2.0.0-rc2 - Mend

@eigenart/agentshield 2.0.0-rc2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,887 @@
+import { Plugin } from '@elizaos/core';
+/**
+ * AgentShield Layer 0 — Input Normalizer
+ *
+ * Preprocesses all incoming text before any guard logic runs.
+ * Defeats Unicode homoglyph attacks, encoded payloads, invisible
+ * characters, and other obfuscation techniques.
+ *
+ * Pipeline: Raw Input → NFKC → Confusables → Invisible Strip
+ *           → Encoding Detect/Decode → Whitespace Normalize → Clean Output
+ *
+ * Design constraints:
+ *   - Must be synchronous (no async, no network)
+ *   - Must be fast (<0.5ms for typical messages)
+ *   - Must not alter the semantic meaning of benign text
+ *   - Must return both normalized text and any decoded payloads
+ */
+interface NormalizationResult {
+    /** The fully normalized text for guard evaluation */
+    normalized: string;
+    /** Decoded payloads found in the original text (Base64, hex, etc.) */
+    decodedPayloads: DecodedPayload[];
+    /** Whether any normalization actually changed the input */
+    wasModified: boolean;
+    /** Specific transformations applied */
+    transformations: string[];
+}
+interface DecodedPayload {
+    /** The encoding type that was detected */
+    encoding: 'base64' | 'hex' | 'url' | 'unicode_escape';
+    /** The original encoded string */
+    original: string;
+    /** The decoded content */
+    decoded: string;
+    /** Position in the original text */
+    startIndex: number;
+}
+declare class InputNormalizer {
+    private confusableMap;
+    private leetspeakEnabled;
+    constructor(options?: {
+        enableLeetspeak?: boolean;
+    });
+    /**
+     * Full normalization pipeline. Returns normalized text plus
+     * any decoded payloads for separate scanning.
+     */
+    normalize(input: string): NormalizationResult;
+    /**
+     * Apply leetspeak normalization as a secondary pass.
+     * Called separately because it can increase false positives
+     * on benign messages (e.g. "web3", "l33t").
+     */
+    normalizeLeetspeak(input: string): string;
+    /**
+     * Detect encoded segments in the text and attempt to decode them.
+     * Decoded content is returned separately for guard evaluation.
+     */
+    private detectAndDecodePayloads;
+}
+/**
+ * AgentShield v2 — Core Type Definitions
+ *
+ * Type system for the security plugin covering:
+ * - Policy configuration and evaluation
+ * - Memory integrity validation
+ * - Transaction monitoring
+ * - Audit logging
+ *
+ * Design Pattern References:
+ * - before_tool_callback (ADK Validate Tool pattern)
+ * - Structured PolicyEvaluation output (CrewAI Guardrails pattern)
+ * - Append-only event log (ADK Session Memory pattern)
+ */
+type PolicyDecision = 'allow' | 'block' | 'escalate';
+interface PolicyRule {
+    /** Unique rule identifier */
+    id: string;
+    /** Human-readable description */
+    description: string;
+    /** Rule priority (lower = higher priority) */
+    priority: number;
+    /** Whether this rule is active */
+    enabled: boolean;
+}
+interface TransactionPolicy extends PolicyRule {
+    type: 'transaction';
+    /** Maximum transaction value in SOL (0 = unlimited) */
+    maxTransactionValue: number;
+    /** Allowed token mints (empty = all allowed) */
+    allowedTokens: string[];
+    /** Blocked recipient addresses */
+    blockedRecipients: string[];
+    /** Whitelisted recipient addresses (if set, ONLY these are allowed) */
+    whitelistedRecipients: string[];
+    /** Maximum transactions per time window */
+    rateLimit: {
+        maxTransactions: number;
+        windowSeconds: number;
+    };
+    /** Cooldown between transactions in seconds */
+    cooldownSeconds: number;
+    /** Require multi-sig above this SOL value (0 = disabled) */
+    multiSigThreshold: number;
+}
+interface MemoryPolicy extends PolicyRule {
+    type: 'memory';
+    /** Block memory entries matching these injection patterns */
+    injectionPatterns: string[];
+    /** Maximum allowed memory entry length */
+    maxEntryLength: number;
+    /** Block entries referencing wallet/transfer actions */
+    blockFinancialInstructions: boolean;
+    /** Block entries that attempt to override system prompts */
+    blockSystemOverrides: boolean;
+}
+interface AgentShieldPolicy {
+    /** Policy version for migration support */
+    version: string;
+    /** Agent identifier this policy applies to */
+    agentId: string;
+    /** Transaction rules */
+    transactionPolicies: TransactionPolicy[];
+    /** Memory integrity rules */
+    memoryPolicies: MemoryPolicy[];
+}
+interface PolicyEvaluation {
+    /** Which policy rule was evaluated */
+    ruleId: string;
+    /** The decision */
+    decision: PolicyDecision;
+    /** Human-readable reason */
+    reason: string;
+    /** Confidence score 0-1 (for ML-based checks) */
+    confidence: number;
+    /** Timestamp of evaluation */
+    timestamp: number;
+}
+interface GuardResult {
+    /** Overall decision (block if ANY rule blocks) */
+    decision: PolicyDecision;
+    /** All individual evaluations */
+    evaluations: PolicyEvaluation[];
+    /** Original action/memory that was evaluated */
+    input: unknown;
+    /** Processing time in ms */
+    processingTimeMs: number;
+}
+interface MemoryEntry {
+    /** The content of the memory entry */
+    content: string;
+    /** Source of the memory (user, agent, system, external) */
+    source: 'user' | 'agent' | 'system' | 'external';
+    /** Timestamp of creation */
+    timestamp: number;
+    /** Associated agent ID */
+    agentId: string;
+    /** Optional metadata */
+    metadata?: Record<string, unknown>;
+}
+interface MemoryValidationResult {
+    /** Is this memory entry safe? */
+    isSafe: boolean;
+    /** Detected threats */
+    threats: MemoryThreat[];
+    /** Sanitized content (if applicable) */
+    sanitizedContent?: string;
+}
+interface MemoryThreat {
+    /** Type of threat detected */
+    type: 'injection' | 'override' | 'financial_instruction' | 'exfiltration' | 'unknown';
+    /** Severity 1-5 */
+    severity: number;
+    /** Which pattern matched */
+    matchedPattern: string;
+    /** The suspicious content segment */
+    suspiciousContent: string;
+}
+interface TransactionRequest {
+    /** Sender wallet address */
+    from: string;
+    /** Recipient wallet address */
+    to: string;
+    /** Amount in lamports */
+    amount: number;
+    /** Token mint address (native SOL if undefined) */
+    tokenMint?: string;
+    /** The Solana program being called */
+    programId: string;
+    /** Raw instruction data */
+    instructionData?: Uint8Array;
+    /** Agent ID initiating the transaction */
+    agentId: string;
+    /** Timestamp of request */
+    timestamp: number;
+}
+interface TransactionVerdict {
+    /** Allow, block, or escalate for human review */
+    decision: PolicyDecision;
+    /** Reason for the decision */
+    reason: string;
+    /** Which policy rules were triggered */
+    triggeredRules: string[];
+    /** Risk score 0-100 */
+    riskScore: number;
+    /** Suggested action if escalated */
+    escalationAction?: 'notify_owner' | 'require_multisig' | 'delay_execution';
+}
+type AuditEventType = 'transaction_allowed' | 'transaction_blocked' | 'transaction_escalated' | 'memory_validated' | 'memory_blocked' | 'anomaly_detected' | 'policy_updated' | 'plugin_initialized' | 'plugin_error';
+interface AuditEvent {
+    /** Unique event ID */
+    id: string;
+    /** Event type */
+    type: AuditEventType;
+    /** Agent ID */
+    agentId: string;
+    /** Timestamp (Unix ms) */
+    timestamp: number;
+    /** The policy evaluation result */
+    evaluation?: PolicyEvaluation;
+    /** Transaction details (if applicable) */
+    transaction?: TransactionRequest;
+    /** Memory entry (if applicable) */
+    memory?: MemoryEntry;
+    /** Additional context */
+    metadata?: Record<string, unknown>;
+}
+interface AgentShieldConfig {
+    /** Path to policy YAML/JSON file, or inline policy */
+    policy: AgentShieldPolicy | string;
+    /** Enable audit logging */
+    enableAuditLog: boolean;
+    /** Audit log output: console, file, or Solana-compatible event */
+    auditLogTarget: 'console' | 'file' | 'solana';
+    /** File path for audit log (if target is 'file') */
+    auditLogPath?: string;
+    /** Enable anomaly detection (pattern-based) */
+    enableAnomalyDetection: boolean;
+    /** Webhook URL for alerts */
+    alertWebhookUrl?: string;
+    /** Alert channels */
+    alertChannels: ('webhook' | 'discord' | 'telegram')[];
+    /** Verbose logging for development */
+    debug: boolean;
+}
+/**
+ * AgentShield v2 — Policy Engine
+ *
+ * Central orchestrator that loads policy configs and routes
+ * validation requests to the appropriate guards.
+ *
+ * Supports JSON/YAML policy files and inline configuration.
+ *
+ * Design Pattern: Routing pattern (Ch. 2) — dynamically selects
+ * which guard to invoke based on the type of action.
+ */
+declare const DEFAULT_POLICY: AgentShieldPolicy;
+declare class PolicyEngine {
+    private policy;
+    private memoryGuard;
+    private transactionGuard;
+    private normalizer;
+    constructor(policy?: AgentShieldPolicy | string);
+    /**
+     * Validate a memory entry before persistence.
+     * Returns a GuardResult with the decision and all evaluations.
+     */
+    validateMemory(entry: MemoryEntry): GuardResult;
+    /**
+     * Evaluate a transaction request before execution.
+     * Returns a GuardResult with the decision and all evaluations.
+     */
+    validateTransaction(tx: TransactionRequest): GuardResult;
+    /**
+     * Get the current active policy.
+     */
+    getPolicy(): AgentShieldPolicy;
+    /**
+     * Update the policy at runtime.
+     * Recreates guards with new policy configuration.
+     */
+    updatePolicy(newPolicy: AgentShieldPolicy): void;
+    /**
+     * Expose normalizer for direct testing.
+     */
+    getNormalizer(): InputNormalizer;
+    private loadPolicy;
+    private parsePolicyFile;
+    private mergeWithDefaults;
+}
+/**
+ * AgentShield v2 — Anomaly Detector
+ *
+ * Pattern-based anomaly detection for agent behavior.
+ * Tracks transaction patterns over time and flags deviations
+ * from established baselines.
+ *
+ * Phase 1: Rule-based heuristics (this file)
+ * Phase 2+: ML-based detection (future extension point)
+ *
+ * Design Pattern: Goal Setting & Monitoring (Ch. 11) —
+ * continuously monitors agent behavior against baselines.
+ */
+interface Anomaly {
+    type: AnomalyType;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    description: string;
+    agentId: string;
+    timestamp: number;
+    evidence: Record<string, unknown>;
+}
+type AnomalyType = 'unusual_volume' | 'unusual_amount' | 'new_recipient' | 'rapid_succession' | 'time_anomaly' | 'pattern_break';
+interface AgentProfile {
+    /** Known recipients this agent has transacted with */
+    knownRecipients: Set<string>;
+    /** Average transaction amount in lamports */
+    avgAmount: number;
+    /** Standard deviation of transaction amounts */
+    stdDevAmount: number;
+    /** Average transactions per hour */
+    avgTxPerHour: number;
+    /** Total transactions tracked */
+    totalTransactions: number;
+    /** Transaction history (last 100) */
+    recentTransactions: Array<{
+        amount: number;
+        timestamp: number;
+        to: string;
+    }>;
+    /** First seen timestamp */
+    firstSeen: number;
+}
+declare class AnomalyDetector {
+    private profiles;
+    /** Minimum transactions before anomaly detection activates */
+    private readonly MIN_BASELINE;
+    /** Z-score threshold for flagging anomalies */
+    private readonly Z_THRESHOLD;
+    /**
+     * Analyze a transaction for anomalous behavior.
+     * Updates the agent's behavioral profile and returns any detected anomalies.
+     */
+    analyze(tx: TransactionRequest): Anomaly[];
+    /**
+     * Get the behavioral profile for an agent (for dashboard/debugging).
+     */
+    getProfile(agentId: string): AgentProfile | undefined;
+    private getOrCreateProfile;
+    private updateProfile;
+}
+/**
+ * AgentShield v2 — Audit Logger
+ *
+ * Append-only event log for all security-relevant actions.
+ * Every guard decision, anomaly detection, and policy change
+ * is recorded with full context for post-incident analysis.
+ *
+ * Supports three output targets:
+ * - Console (development)
+ * - File (JSON Lines format, production-local)
+ * - Solana-compatible events (future: on-chain audit trail)
+ *
+ * Design Pattern: Append-only event log (ADK SessionService pattern)
+ * + structured output validation (CrewAI Guardrails pattern)
+ */
+declare class AuditLogger {
+    private target;
+    private logPath?;
+    private events;
+    private eventCounter;
+    constructor(config: Pick<AgentShieldConfig, 'auditLogTarget' | 'auditLogPath'>);
+    /**
+     * Log an audit event. This is append-only — events cannot be modified or deleted.
+     */
+    log(params: {
+        type: AuditEventType;
+        agentId: string;
+        evaluation?: PolicyEvaluation;
+        transaction?: TransactionRequest;
+        memory?: MemoryEntry;
+        metadata?: Record<string, unknown>;
+    }): AuditEvent;
+    /**
+     * Query recent audit events.
+     */
+    query(filter?: {
+        agentId?: string;
+        type?: AuditEventType;
+        since?: number;
+        limit?: number;
+    }): AuditEvent[];
+    /**
+     * Export all events as JSON Lines (one JSON object per line).
+     * Suitable for compliance reports and forensic analysis.
+     */
+    exportJsonLines(): string;
+    /**
+     * Get summary statistics for a given agent.
+     */
+    getStats(agentId: string): {
+        totalEvents: number;
+        blockedTransactions: number;
+        blockedMemories: number;
+        anomaliesDetected: number;
+        lastEvent: number | null;
+    };
+    private emit;
+    private emitConsole;
+    private emitFile;
+    private emitSolana;
+    private generateEventId;
+    private getEventIcon;
+}
+/**
+ * AgentShield Layer 3 — Output Guard
+ *
+ * Scans every agent response BEFORE it reaches the user or executes
+ * on-chain. Last line of defense against attacks where injection
+ * succeeds at the LLM level despite input guards.
+ *
+ * Catches: private key leakage, post-block compliance, instruction
+ * echo, unauthorized transaction confirmations, JWT/API key leaks.
+ */
+interface OutputScanResult {
+    isSafe: boolean;
+    threats: OutputThreat[];
+    sanitizedResponse?: string;
+}
+interface OutputThreat {
+    type: 'key_leakage' | 'seed_phrase_leakage' | 'post_block_compliance' | 'instruction_echo' | 'unauthorized_tx_confirm' | 'jwt_leakage';
+    severity: number;
+    description: string;
+    matchedContent: string;
+}
+interface BlockedInputContext {
+    blockedContent: string;
+    threats: MemoryThreat[];
+    timestamp: number;
+}
+declare class OutputGuard {
+    private blockedInputs;
+    private maxBlockedInputHistory;
+    /** Register a blocked input for post-block compliance checking. */
+    registerBlockedInput(context: BlockedInputContext): void;
+    /** Scan an agent response before sending it. */
+    scan(response: string): OutputScanResult;
+    /** Full pipeline: scan + convert to GuardResult. */
+    evaluate(response: string, agentId: string): GuardResult;
+    getBlockedInputCount(): number;
+    private detectKeyLeakage;
+    private detectSeedPhraseLeakage;
+    private detectJWTLeakage;
+    private detectPostBlockCompliance;
+    private detectUnauthorizedTxConfirm;
+    private sanitize;
+}
+/**
+ * AgentShield Layer 4A — Response Interceptor & Circuit Breaker
+ *
+ * Transforms "warnings" into hard blocks. When AgentShield says
+ * "blocked", this layer ensures the agent cannot send the response.
+ *
+ * Components:
+ *   A. Response Interceptor: replaces blocked responses with policy denials
+ *   B. Circuit Breaker: auto-lockdown on repeated attack patterns
+ *
+ * Integration: Post-processing hook on agent responses. The interceptor
+ * checks the runtime state flags set by the Provider and Output Guard.
+ */
+type EnforcementMode = 'monitor' | 'enforce' | 'lockdown';
+interface CircuitBreakerConfig {
+    /** Max blocked messages before entering restricted mode */
+    restrictedModeThreshold: number;
+    /** Time window for threshold (ms) */
+    restrictedModeWindowMs: number;
+    /** Max blocked messages before full lockdown */
+    lockdownThreshold: number;
+    /** Time window for lockdown threshold (ms) */
+    lockdownWindowMs: number;
+    /** Auto-reset lockdown after this duration (ms). 0 = manual only */
+    lockdownDurationMs: number;
+    /** Immediately freeze on critical severity threats */
+    freezeOnCritical: boolean;
+}
+interface EnforcementState {
+    mode: EnforcementMode;
+    blockedCount: number;
+    lastBlockTimestamp: number | null;
+    lockdownStarted: number | null;
+    lockdownReason: string | null;
+    recentBlocks: BlockEvent[];
+}
+interface BlockEvent {
+    timestamp: number;
+    reason: string;
+    severity: number;
+    source: 'input' | 'output';
+}
+interface InterceptResult {
+    /** Whether the response was intercepted (replaced) */
+    intercepted: boolean;
+    /** The response to send (original or replacement) */
+    response: string;
+    /** The current enforcement mode */
+    mode: EnforcementMode;
+    /** Audit reference ID for tracking */
+    auditRefId?: string;
+}
+declare class ResponseInterceptor {
+    private config;
+    private state;
+    private auditCounter;
+    constructor(config?: Partial<CircuitBreakerConfig>);
+    /**
+     * Process an agent response through the enforcement pipeline.
+     *
+     * @param response - The agent's original response text
+     * @param inputGuardResult - Result from the input guard (if available)
+     * @param outputGuardResult - Result from the output guard (if available)
+     */
+    intercept(response: string, inputGuardResult?: GuardResult | null, outputGuardResult?: GuardResult | null): InterceptResult;
+    /**
+     * Record a block event and check circuit breaker thresholds.
+     */
+    recordBlock(event: BlockEvent): void;
+    /**
+     * Check if currently in restricted mode (elevated threat, but not full lockdown).
+     */
+    isInRestrictedMode(): boolean;
+    /**
+     * Get the current enforcement state.
+     */
+    getState(): EnforcementState;
+    /**
+     * Get the current mode.
+     */
+    getMode(): EnforcementMode;
+    /**
+     * Manually reset from lockdown. Requires explicit operator action.
+     */
+    resetLockdown(): void;
+    /**
+     * Force lockdown mode (e.g., from external trigger).
+     */
+    forceLockdown(reason: string): void;
+    private enterLockdown;
+    private checkLockdownExpiry;
+    private maxSeverity;
+    private generateAuditRef;
+}
+/**
+ * AgentShield Layer 2 — Semantic Classifier
+ *
+ * Intent-based classification that catches attacks which bypass
+ * regex patterns through semantic rephrasing. Three-tier approach:
+ *   Tier 1: Keyword heuristic (local, ~0.1ms, fallback)
+ *   Tier 2: Embedding cosine similarity (agents-pc GPU, ~20ms)
+ *   Tier 3: LLM-as-Judge escalation (agents-pc Ollama, ~500ms-7s)
+ *
+ * Remote classifier runs on agents-pc (RTX 5090) at port 8810.
+ * Falls back to local heuristic if remote is unreachable.
+ */
+type IntentCategory = 'benign' | 'injection' | 'exfiltration' | 'social_engineering' | 'financial_manipulation';
+interface ClassificationResult {
+    category: IntentCategory;
+    confidence: number;
+    tier: 'heuristic' | 'embedding' | 'llm_judge';
+    reasoning?: string;
+}
+interface SemanticClassifierConfig {
+    /** Enable remote classifier on agents-pc */
+    enableRemote: boolean;
+    /** Remote classifier endpoint URL */
+    remoteEndpoint: string;
+    /** Enable LLM-as-Judge escalation for ambiguous cases */
+    enableLLMJudge: boolean;
+    /** Confidence threshold above which to block */
+    blockThreshold: number;
+    /** Timeout for remote classifier calls (ms) */
+    remoteTimeoutMs: number;
+}
+declare class SemanticClassifier {
+    private config;
+    constructor(config?: Partial<SemanticClassifierConfig>);
+    /**
+     * Classify the intent of a message (sync, heuristic only).
+     * Use classifyAsync() for the full remote pipeline.
+     */
+    classify(text: string): ClassificationResult;
+    /**
+     * Async classification with remote agents-pc endpoint.
+     * Falls back to local heuristic if remote is unreachable.
+     */
+    classifyAsync(text: string, agentId?: string): Promise<ClassificationResult>;
+    /** Local heuristic classification (no network dependency). */
+    private heuristicClassify;
+    /** Convert classification to GuardResult for pipeline integration (sync, heuristic). */
+    evaluate(text: string, agentId: string): GuardResult;
+    /** Async evaluate with remote classifier. */
+    evaluateAsync(text: string, agentId: string): Promise<GuardResult>;
+    /** Get classifier configuration. */
+    getConfig(): SemanticClassifierConfig;
+    private heuristicScore;
+}
+interface AuditCheckpoint {
+    /** Merkle root at this checkpoint */
+    merkleRoot: string;
+    /** Number of events included */
+    eventCount: number;
+    /** Timestamp of checkpoint */
+    timestamp: number;
+    /** Optional: Solana transaction signature anchoring this root */
+    solanaSignature?: string;
+}
+declare class MerkleAuditTrail {
+    private leaves;
+    private checkpoints;
+    private checkpointInterval;
+    constructor(options?: {
+        checkpointInterval?: number;
+    });
+    /** Add an event to the audit trail. Returns its leaf hash. */
+    addEvent(eventData: string): string;
+    /** Compute the current Merkle root. */
+    computeRoot(): string;
+    /** Create a checkpoint with the current Merkle root. */
+    createCheckpoint(): AuditCheckpoint;
+    /** Verify that a specific event exists in the trail. */
+    verifyEvent(eventData: string): boolean;
+    /** Verify the entire trail integrity against a checkpoint. */
+    verifyIntegrity(checkpoint?: AuditCheckpoint): boolean;
+    /** Get all checkpoints. */
+    getCheckpoints(): AuditCheckpoint[];
+    /** Get event count. */
+    getEventCount(): number;
+    /** Get leaf hashes for external verification. */
+    getLeaves(): string[];
+    private hashLeaf;
+    private hash;
+    private hashPair;
+    private buildTree;
+}
+/**
+ * AgentShield Layer 5 — Alert Manager
+ *
+ * Configurable webhook alerting for different severity levels.
+ * Supports Slack Block Kit, Telegram Bot API, Discord webhooks,
+ * and generic JSON webhooks.
+ *
+ * Batching: Low-severity alerts are batched into periodic digests.
+ * Critical alerts are sent immediately.
+ */
+type AlertChannel = 'webhook' | 'slack' | 'telegram' | 'discord';
+type AlertSeverity = 'critical' | 'high' | 'medium' | 'low';
+interface AlertConfig {
+    channels: AlertChannelConfig[];
+    /** Batch interval for non-critical alerts (ms) */
+    batchIntervalMs: number;
+    /** Maximum alerts per batch */
+    maxBatchSize: number;
+    /** Enable/disable alerting globally */
+    enabled: boolean;
+}
+interface AlertChannelConfig {
+    type: AlertChannel;
+    url: string;
+    /** Minimum severity to send on this channel */
+    minSeverity: AlertSeverity;
+    /** Optional: custom headers */
+    headers?: Record<string, string>;
+}
+interface AlertPayload {
+    severity: AlertSeverity;
+    title: string;
+    agentId: string;
+    details: string;
+    timestamp: number;
+    auditRef?: string;
+    metadata?: Record<string, unknown>;
+}
+declare class AlertManager {
+    private config;
+    private pendingBatch;
+    private batchTimer;
+    private sentCount;
+    private failCount;
+    constructor(config?: Partial<AlertConfig>);
+    /** Send an alert. Critical alerts go immediately; others are batched. */
+    alert(payload: AlertPayload): Promise<void>;
+    /** Force-send all pending alerts. */
+    flushBatch(): Promise<void>;
+    /** Get alert stats. */
+    getStats(): {
+        sent: number;
+        failed: number;
+        pending: number;
+    };
+    /** Stop the batch timer (for cleanup). */
+    destroy(): void;
+    /** Add a channel at runtime. */
+    addChannel(channel: AlertChannelConfig): void;
+    private sendImmediate;
+    private formatPayload;
+    private startBatchTimer;
+}
+/**
+ * AgentShield Layer 1 — Configurable Pattern Registry
+ *
+ * Externalizes injection patterns into a JSON-configurable registry
+ * with runtime hot-reload, multi-language patterns, CRUD, and versioning.
+ *
+ * Replaces hardcoded DEFAULT_INJECTION_PATTERNS in memory-guard.ts
+ * with a dynamic registry updatable via runtime.setSetting().
+ */
+interface PatternDefinition {
+    id: string;
+    regex: string;
+    type: MemoryThreat['type'];
+    severity: number;
+    description: string;
+    /** 'en', 'de', 'es', 'zh', 'fr', or '*' for universal */
+    language: string;
+    category: string;
+    enabled: boolean;
+}
+interface PatternRegistryConfig {
+    version: string;
+    patterns: PatternDefinition[];
+}
+declare const BUILTIN_PATTERNS: PatternDefinition[];
+declare class PatternRegistry {
+    private compiledPatterns;
+    private definitions;
+    private version;
+    constructor(config?: PatternRegistryConfig);
+    /** Match input text against all enabled patterns. */
+    match(content: string, options?: {
+        language?: string;
+        categories?: string[];
+    }): MemoryThreat[];
+    /** Add a pattern. Returns a new registry instance. */
+    addPattern(pattern: PatternDefinition): PatternRegistry;
+    /** Remove a pattern by ID. Returns a new registry instance. */
+    removePattern(id: string): PatternRegistry;
+    /** Update a pattern by ID. Returns a new registry instance. */
+    updatePattern(id: string, updates: Partial<PatternDefinition>): PatternRegistry;
+    /** Export as JSON-serializable config. */
+    toJSON(): PatternRegistryConfig;
+    /** Load from JSON string or object. */
+    static fromJSON(input: string | PatternRegistryConfig): PatternRegistry;
+    getPatterns(): PatternDefinition[];
+    getPatternsByLanguage(lang: string): PatternDefinition[];
+    getPatternsByCategory(cat: string): PatternDefinition[];
+    getVersion(): string;
+    getStats(): {
+        total: number;
+        byLanguage: Record<string, number>;
+        byCategory: Record<string, number>;
+    };
+    private compile;
+    private bumpVersion;
+}
+/**
+ * AgentShield v2 — Memory Guard
+ *
+ * Validates memory entries against known injection patterns before
+ * they are persisted to the agent's memory store.
+ *
+ * This is the core security module addressing the CrAIBench findings:
+ * Princeton demonstrated that memory injection attacks on ElizaOS agents
+ * can lead to unauthorized wallet transfers by planting fake instructions
+ * in the agent's memory that persist across sessions.
+ *
+ * Design Pattern: before_tool_callback (ADK) adapted for memory writes
+ * Reference: CrAIBench (arxiv.org/html/2503.16248v3)
+ */
+declare class MemoryGuard {
+    private policies;
+    private customPatterns;
+    constructor(policies: MemoryPolicy[]);
+    /**
+     * Validate a memory entry before it is persisted.
+     * Returns validation result with detected threats.
+     *
+     * This is the primary guard — called before every memory write.
+     */
+    validate(entry: MemoryEntry): MemoryValidationResult;
+    /**
+     * Detect Solana-specific financial instructions embedded in memory.
+     * Looks for transfer amounts, wallet addresses, and program IDs.
+     */
+    private detectFinancialInstructions;
+    /**
+     * Detect attempts to override the agent's system prompt or identity
+     * through memory injection.
+     */
+    private detectSystemOverrides;
+}
+/**
+ * AgentShield v2 — Transaction Guard
+ *
+ * Pre-execution validation for all Solana transactions initiated by agents.
+ * Implements the before_tool_callback pattern from ADK, adapted for
+ * Solana transaction lifecycle.
+ *
+ * Checks: spending limits, recipient whitelists/blacklists, rate limiting,
+ * cooldown periods, token allowlists, and multi-sig thresholds.
+ *
+ * Design Pattern: before_tool_callback + state-based fallback (Ch. 12/18)
+ */
+declare class TransactionGuard {
+    private policies;
+    private rateLimitWindows;
+    constructor(policies: TransactionPolicy[]);
+    /**
+     * Evaluate a transaction request against all active policies.
+     * Returns a verdict: allow, block, or escalate.
+     *
+     * This is the primary guard — called before every transaction send.
+     */
+    evaluate(tx: TransactionRequest): TransactionVerdict;
+    private checkRateLimit;
+    private checkCooldown;
+    private recordTransaction;
+    private escalateDecision;
+    private truncateAddress;
+}
+/**
+ * AgentShield v2 — ElizaOS Security Plugin
+ *
+ * Main plugin entry point. Registers security guards as ElizaOS
+ * providers and actions that intercept agent behavior before
+ * transactions execute and before memories are persisted.
+ *
+ * Architecture:
+ *   Agent Action → AgentShield Provider (pre-validation)
+ *     → Memory Guard (validates memory writes)
+ *     → Transaction Guard (validates Solana transactions)
+ *     → Anomaly Detector (behavioral analysis)
+ *     → Audit Logger (immutable event log)
+ *   → Action proceeds (if allowed) or is blocked
+ *
+ * Usage:
+ *   import { agentShieldPlugin } from '@agentshield/plugin';
+ *   // In your ElizaOS character config:
+ *   plugins: [agentShieldPlugin]
+ */
+/** Access all initialized plugin components (available after plugin.init). */
+declare function getPluginState(): {
+    policyEngine: PolicyEngine;
+    anomalyDetector: AnomalyDetector;
+    auditLogger: AuditLogger;
+    outputGuard: OutputGuard;
+    responseInterceptor: ResponseInterceptor;
+    semanticClassifier: SemanticClassifier;
+    merkleAudit: MerkleAuditTrail;
+    alertManager: AlertManager;
+    patternRegistry: PatternRegistry;
+    config: AgentShieldConfig;
+};
+declare const agentShieldPlugin: Plugin;
+export { type AgentShieldConfig, type AgentShieldPolicy, type AlertConfig, AlertManager, type AlertPayload, AnomalyDetector, type AuditCheckpoint, type AuditEvent, type AuditEventType, AuditLogger, BUILTIN_PATTERNS, type BlockedInputContext, type CircuitBreakerConfig, type ClassificationResult, DEFAULT_POLICY, type EnforcementMode, type GuardResult, InputNormalizer, type IntentCategory, type InterceptResult, type MemoryEntry, MemoryGuard, type MemoryPolicy, type MemoryThreat, type MemoryValidationResult, MerkleAuditTrail, OutputGuard, type OutputScanResult, type OutputThreat, type PatternDefinition, PatternRegistry, type PatternRegistryConfig, type PolicyDecision, PolicyEngine, type PolicyEvaluation, type PolicyRule, ResponseInterceptor, SemanticClassifier, TransactionGuard, type TransactionPolicy, type TransactionRequest, type TransactionVerdict, agentShieldPlugin, agentShieldPlugin as default, getPluginState };