npm - @g8r-security/agent-shield-sdk - Versions diffs - 0.1.0 - Mend

@g8r-security/agent-shield-sdk 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,167 @@
+# @g8r-security/agent-shield-sdk
+TypeScript client SDK for integrating AI agents with G8R policy enforcement. Includes a **local VPC redaction layer** that strips sensitive data before it ever leaves your network.
+Part of the [G8R Agent Shield monorepo](../../README.md).
+## Overview
+This is a **TypeScript source package** — no compile step. Consumers reference `./src/index.ts` directly via `transpilePackages` (Next.js) or `resolve.alias` (Vite).
+## Quick Start
+```typescript
+import { AgentShield } from '@g8r-security/agent-shield-sdk';
+const shield = new AgentShield({
+  consoleUrl: 'https://shield.yourcompany.com',
+  apiKey: 'sk-shield-...',
+  agentId: 'enterprise-assistant',
+  department: 'Finance',
+  userId: 'usr_FIN_042',
+  aiModel: 'GPT-4o',
+});
+// Factory pattern — LLM is only called if the policy check passes
+const result = await shield.wrap(
+  () => openai.chat.completions.create({ model: 'gpt-4o', messages }),
+  userPrompt
+);
+```
+## API
+### `shield.wrap(factory, prompt)`
+The primary integration point. Runs the full pipeline:
+1. **Redact** — `redactSensitiveData(prompt)` strips secrets locally
+2. **Check** — POST redacted prompt to `/api/sdk/v1/check` (policy evaluation)
+3. **Log** — POST audit entry to `/api/sdk/v1/log`
+4. **Invoke** — call `factory()` only if decision is `allowed` or `escalated`
+If blocked, throws `ShieldBlockedError` — the factory is **never called**.
+```typescript
+try {
+  const result = await shield.wrap(() => llmCall(), prompt);
+  console.log(result.llmResult);      // LLM response
+  console.log(result.redactedTokens); // Tokens stripped from the prompt
+} catch (err) {
+  if (err instanceof ShieldBlockedError) {
+    console.log(err.violatedRule);        // e.g. 'PII Detection'
+    console.log(err.complianceMappings);  // GDPR Art. 32, etc.
+  }
+}
+```
+### `shield.check(prompt)`
+Policy check only — no LLM call.
+```typescript
+const result = await shield.check(prompt);
+// result.decision         → 'allowed' | 'blocked' | 'escalated'
+// result.redactedTokens   → tokens stripped from the prompt before sending
+```
+### `redactSensitiveData(input)`
+Standalone redaction — can be used independently of the shield client.
+```typescript
+import { redactSensitiveData } from '@g8r-security/agent-shield-sdk';
+const { redacted, tokensReplaced } = redactSensitiveData(input);
+```
+## VPC Redaction Layer
+Sensitive data is detected and replaced **locally** before leaving the VPC. The gateway never sees raw secrets.
+### Detection Patterns
+| Pattern | Label | Maps to |
+|---|---|---|
+| BIP-32 extended keys (`xpub`, `xprv`, `ypub`, …) | `[REDACTED:BIP32_KEY]` | PCI-DSS 3.4 |
+| WIF private keys (Base58, starts with `5`, `K`, or `L`) | `[REDACTED:WIF_KEY]` | PCI-DSS 3.4 |
+| 256-bit hex keys (64 hex chars, optional `0x` prefix) | `[REDACTED:HEX_KEY]` | PCI-DSS 3.4, GDPR Art. 32 |
+| PEM private / public key blocks | `[REDACTED:PEM_KEY]` | GDPR Art. 32 |
+| `custodial-id:…` | `[REDACTED:CUSTODIAL_ID]` | GDPR Art. 32 |
+| `cust-{digits}` | `[REDACTED:CUST_ID]` | GDPR Art. 32 |
+| `wallet-id:…` | `[REDACTED:WALLET_ID]` | GDPR Art. 32 |
+| `vault-id:…` | `[REDACTED:VAULT_ID]` | GDPR Art. 32 |
+| High Shannon entropy strings (≥4.5 bits/char, ≥32 chars) | `[REDACTED:HIGH_ENTROPY]` | GDPR Art. 32, PCI-DSS 3.4 |
+### Shannon Entropy Detection
+Any token that is 32+ characters with Shannon entropy ≥ 4.5 bits/char is caught as a generic high-entropy secret. This acts as a catch-all for API keys, tokens, and other secrets that don't match a known format.
+```
+H = -Σ p(c) × log₂(p(c))   for each unique character c
+```
+Low-entropy strings (e.g. `"aaaaaaaaaaaaa"`, entropy ≈ 0) are not flagged.
+## `PolicyCheckResult`
+```typescript
+interface PolicyCheckResult {
+  decision: 'allowed' | 'blocked' | 'escalated';
+  reason: string;
+  violatedRule: string | null;
+  requiresApproval: boolean;
+  complianceMappings: ComplianceMapping[];
+  sessionRevoked?: boolean;
+  redactedTokens?: string[];  // Tokens stripped by VPC masking layer
+}
+```
+## `ShieldBlockedError`
+Thrown by `shield.wrap()` when `decision === 'blocked'`.
+```typescript
+class ShieldBlockedError extends Error {
+  decision: 'blocked';
+  reason: string;
+  violatedRule: string | null;
+  complianceMappings: ComplianceMapping[];
+}
+```
+## Source Layout
+```
+packages/sdk/
+├── src/
+│   ├── index.ts       # AgentShield class, ShieldBlockedError, PolicyCheckResult
+│   └── redaction.ts   # redactSensitiveData() — VPC masking layer
+├── __tests__/
+│   ├── sdk.test.ts        # 43 tests — SDK client behavior + redaction integration
+│   └── redaction.test.ts  # 43 tests — all patterns + entropy detection
+├── jest.config.ts
+├── package.json
+└── tsconfig.json
+```
+## Development
+```bash
+cd packages/sdk
+npm test               # Jest (43 tests)
+npm run test:coverage  # With coverage (97%+ statements)
+npm run typecheck      # tsc --noEmit
+```
+## Coverage
+Thresholds in `jest.config.ts`: 85% statements, 75% branches, 85% functions, 85% lines.
+## Compliance
+| Regulation | Controls covered |
+|---|---|
+| GDPR | Art. 32 — appropriate technical measures for data protection |
+| PCI-DSS v4.0 | 3.4 — cryptographic key protection |

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,146 @@
+/**
+ * Branded id types + constructors used by the SDK.
+ *
+ * Vendored from the engine's `types.ts` so the published
+ * `@g8r-security/agent-shield-sdk` package carries no `@g8r-security/core` dependency — the
+ * engine is private IP and must not be a public-package dependency. Only
+ * the id types/helpers the SDK actually uses are copied here.
+ */
+/**
+ * Identifies a single tenant in the multi-tenant governance plane.
+ * Branded so a raw string can't be passed where a TenantId is expected.
+ */
+type TenantId = string & {
+    readonly __brand: 'TenantId';
+};
+/** Per-request correlation ID. Generated client-side by the SDK. */
+type RequestId = string & {
+    readonly __brand: 'RequestId';
+};
+/**
+ * G8R Agent Shield SDK
+ *
+ * Lightweight TypeScript client that wraps LLM calls with policy enforcement.
+ * Automatically intercepts prompts, applies local-first VPC redaction (BitGo),
+ * checks them against the G8R policy engine, and logs all activity to the
+ * Agent Shield Console.
+ *
+ * Usage:
+ *   import { AgentShield } from '@g8r-security/agent-shield-sdk';
+ *
+ *   const shield = new AgentShield({
+ *     consoleUrl: 'https://shield.yourcompany.com',
+ *     apiKey: 'sk-shield-...',
+ *     department: 'Finance',
+ *     userId: 'usr_FIN_042',
+ *     aiModel: 'GPT-4o',
+ *   });
+ *
+ *   // Wrap any LLM call — the factory function is only invoked if the policy allows it
+ *   const result = await shield.wrap(
+ *     () => openai.chat.completions.create({
+ *       model: 'gpt-4o',
+ *       messages: [{ role: 'user', content: 'Summarize Q1 earnings' }],
+ *     }),
+ *     'Summarize Q1 earnings'
+ *   );
+ */
+interface ShieldConfig {
+    /** URL of the G8R Agent Shield Console */
+    consoleUrl: string;
+    /** API key for authentication */
+    apiKey: string;
+    /** Tenant this SDK instance operates on behalf of. Required. */
+    tenantId: TenantId;
+    /** Department of the calling user */
+    department: string;
+    /** User identifier */
+    userId: string;
+    /** AI model being called */
+    aiModel: string;
+    /** Optional: agent identifier (defaults to "sdk-client") */
+    agentId?: string;
+    /** Optional: employee display name (defaults to userId) */
+    employeeName?: string;
+}
+interface PolicyCheckResult {
+    decision: 'allowed' | 'blocked' | 'escalated';
+    reason: string;
+    violatedRule: string | null;
+    requiresApproval: boolean;
+    /**
+     * Set to true when a kill-switch rule fires (e.g. unauthorized partner data
+     * access). Consumers should tear down the agent session in response.
+     */
+    sessionRevoked?: boolean;
+    complianceMappings: Array<{
+        regulation: string;
+        controlId: string;
+        controlName: string;
+        description: string;
+    }>;
+    /**
+     * Tokens that were redacted from the prompt before it reached the gateway.
+     * Undefined when no tokens were redacted (clean prompt).
+     * Populated by the BitGo VPC local-first redaction layer.
+     */
+    redactedTokens?: string[];
+}
+interface ShieldLogEntry {
+    id: string;
+    decision: string;
+    timestamp: string;
+}
+declare class AgentShield {
+    private config;
+    constructor(config: ShieldConfig);
+    /**
+     * Check a prompt against the policy engine before sending to the LLM.
+     *
+     * Applies local-first VPC redaction (BitGo) before sending to the gateway,
+     * ensuring signing keys, custodial IDs, and high-entropy secrets never leave
+     * the local process in plaintext.
+     *
+     * Returns the policy decision without executing the LLM call.
+     */
+    check(prompt: string, requestId?: RequestId): Promise<PolicyCheckResult>;
+    /**
+     * Wrap an LLM call with policy enforcement.
+     *
+     * The `llmCallFactory` is a function that creates the LLM promise.
+     * It is only invoked if the policy engine allows the action.
+     * This prevents the LLM call from executing before the policy check completes.
+     *
+     * @param llmCallFactory - A function that returns the LLM call promise
+     * @param prompt - The prompt text to evaluate against the policy engine
+     * @returns The result of the LLM call if allowed
+     * @throws ShieldBlockedError if the policy engine blocks the action
+     *
+     * @example
+     *   const result = await shield.wrap(
+     *     () => openai.chat.completions.create({
+     *       model: 'gpt-4o',
+     *       messages: [{ role: 'user', content: prompt }],
+     *     }),
+     *     prompt
+     *   );
+     */
+    wrap<T>(llmCallFactory: () => Promise<T>, prompt: string): Promise<T>;
+    /**
+     * Log an interaction to the Agent Shield Console.
+     */
+    private log;
+}
+/**
+ * Error thrown when the policy engine blocks an LLM call.
+ */
+declare class ShieldBlockedError extends Error {
+    readonly violatedRule: string | null;
+    readonly complianceMappings: PolicyCheckResult['complianceMappings'];
+    readonly sessionRevoked: boolean;
+    constructor(reason: string, violatedRule: string | null, complianceMappings: PolicyCheckResult['complianceMappings'], sessionRevoked?: boolean);
+}
+export { AgentShield, type PolicyCheckResult, ShieldBlockedError, type ShieldConfig, type ShieldLogEntry };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,146 @@
+/**
+ * Branded id types + constructors used by the SDK.
+ *
+ * Vendored from the engine's `types.ts` so the published
+ * `@g8r-security/agent-shield-sdk` package carries no `@g8r-security/core` dependency — the
+ * engine is private IP and must not be a public-package dependency. Only
+ * the id types/helpers the SDK actually uses are copied here.
+ */
+/**
+ * Identifies a single tenant in the multi-tenant governance plane.
+ * Branded so a raw string can't be passed where a TenantId is expected.
+ */
+type TenantId = string & {
+    readonly __brand: 'TenantId';
+};
+/** Per-request correlation ID. Generated client-side by the SDK. */
+type RequestId = string & {
+    readonly __brand: 'RequestId';
+};
+/**
+ * G8R Agent Shield SDK
+ *
+ * Lightweight TypeScript client that wraps LLM calls with policy enforcement.
+ * Automatically intercepts prompts, applies local-first VPC redaction (BitGo),
+ * checks them against the G8R policy engine, and logs all activity to the
+ * Agent Shield Console.
+ *
+ * Usage:
+ *   import { AgentShield } from '@g8r-security/agent-shield-sdk';
+ *
+ *   const shield = new AgentShield({
+ *     consoleUrl: 'https://shield.yourcompany.com',
+ *     apiKey: 'sk-shield-...',
+ *     department: 'Finance',
+ *     userId: 'usr_FIN_042',
+ *     aiModel: 'GPT-4o',
+ *   });
+ *
+ *   // Wrap any LLM call — the factory function is only invoked if the policy allows it
+ *   const result = await shield.wrap(
+ *     () => openai.chat.completions.create({
+ *       model: 'gpt-4o',
+ *       messages: [{ role: 'user', content: 'Summarize Q1 earnings' }],
+ *     }),
+ *     'Summarize Q1 earnings'
+ *   );
+ */
+interface ShieldConfig {
+    /** URL of the G8R Agent Shield Console */
+    consoleUrl: string;
+    /** API key for authentication */
+    apiKey: string;
+    /** Tenant this SDK instance operates on behalf of. Required. */
+    tenantId: TenantId;
+    /** Department of the calling user */
+    department: string;
+    /** User identifier */
+    userId: string;
+    /** AI model being called */
+    aiModel: string;
+    /** Optional: agent identifier (defaults to "sdk-client") */
+    agentId?: string;
+    /** Optional: employee display name (defaults to userId) */
+    employeeName?: string;
+}
+interface PolicyCheckResult {
+    decision: 'allowed' | 'blocked' | 'escalated';
+    reason: string;
+    violatedRule: string | null;
+    requiresApproval: boolean;
+    /**
+     * Set to true when a kill-switch rule fires (e.g. unauthorized partner data
+     * access). Consumers should tear down the agent session in response.
+     */
+    sessionRevoked?: boolean;
+    complianceMappings: Array<{
+        regulation: string;
+        controlId: string;
+        controlName: string;
+        description: string;
+    }>;
+    /**
+     * Tokens that were redacted from the prompt before it reached the gateway.
+     * Undefined when no tokens were redacted (clean prompt).
+     * Populated by the BitGo VPC local-first redaction layer.
+     */
+    redactedTokens?: string[];
+}
+interface ShieldLogEntry {
+    id: string;
+    decision: string;
+    timestamp: string;
+}
+declare class AgentShield {
+    private config;
+    constructor(config: ShieldConfig);
+    /**
+     * Check a prompt against the policy engine before sending to the LLM.
+     *
+     * Applies local-first VPC redaction (BitGo) before sending to the gateway,
+     * ensuring signing keys, custodial IDs, and high-entropy secrets never leave
+     * the local process in plaintext.
+     *
+     * Returns the policy decision without executing the LLM call.
+     */
+    check(prompt: string, requestId?: RequestId): Promise<PolicyCheckResult>;
+    /**
+     * Wrap an LLM call with policy enforcement.
+     *
+     * The `llmCallFactory` is a function that creates the LLM promise.
+     * It is only invoked if the policy engine allows the action.
+     * This prevents the LLM call from executing before the policy check completes.
+     *
+     * @param llmCallFactory - A function that returns the LLM call promise
+     * @param prompt - The prompt text to evaluate against the policy engine
+     * @returns The result of the LLM call if allowed
+     * @throws ShieldBlockedError if the policy engine blocks the action
+     *
+     * @example
+     *   const result = await shield.wrap(
+     *     () => openai.chat.completions.create({
+     *       model: 'gpt-4o',
+     *       messages: [{ role: 'user', content: prompt }],
+     *     }),
+     *     prompt
+     *   );
+     */
+    wrap<T>(llmCallFactory: () => Promise<T>, prompt: string): Promise<T>;
+    /**
+     * Log an interaction to the Agent Shield Console.
+     */
+    private log;
+}
+/**
+ * Error thrown when the policy engine blocks an LLM call.
+ */
+declare class ShieldBlockedError extends Error {
+    readonly violatedRule: string | null;
+    readonly complianceMappings: PolicyCheckResult['complianceMappings'];
+    readonly sessionRevoked: boolean;
+    constructor(reason: string, violatedRule: string | null, complianceMappings: PolicyCheckResult['complianceMappings'], sessionRevoked?: boolean);
+}
+export { AgentShield, type PolicyCheckResult, ShieldBlockedError, type ShieldConfig, type ShieldLogEntry };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,262 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AgentShield: () => AgentShield,
+  ShieldBlockedError: () => ShieldBlockedError
+});
+module.exports = __toCommonJS(index_exports);
+var import_ts_pattern = require("ts-pattern");
+// src/ids.ts
+function newRequestId() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  return `req-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+}
+// src/logger.ts
+var LEVEL_ORDER = {
+  debug: 10,
+  info: 20,
+  warn: 30,
+  error: 40
+};
+function createLogger(opts = {}) {
+  const minLevel = LEVEL_ORDER[opts.level ?? "info"];
+  const sink = opts.sink ?? ((line) => console.log(line));
+  const bindings = opts.bindings ?? {};
+  function emit(level, msg, ctx) {
+    if (LEVEL_ORDER[level] < minLevel) return;
+    const payload = {
+      level,
+      msg,
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      ...bindings,
+      ...ctx
+    };
+    sink(JSON.stringify(payload));
+  }
+  return {
+    debug: (msg, ctx) => emit("debug", msg, ctx),
+    info: (msg, ctx) => emit("info", msg, ctx),
+    warn: (msg, ctx) => emit("warn", msg, ctx),
+    error: (msg, ctx) => emit("error", msg, ctx),
+    child: (extra) => createLogger({ ...opts, bindings: { ...bindings, ...extra } })
+  };
+}
+var log = createLogger();
+// src/redaction.ts
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  }
+  let entropy = 0;
+  const len = str.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var BIP32_PATTERN = /\b[xyz](?:pub|prv)[a-zA-Z0-9]{99,111}\b/g;
+var WIF_PATTERN = /\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b/g;
+var HEX_KEY_PATTERN = /\b(?:0x)?[0-9a-fA-F]{64}\b/g;
+var PEM_PATTERN = /-----BEGIN (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----[\s\S]*?-----END (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----/g;
+var CUSTODIAL_ID_PATTERN = /\bcustodial-id:[A-Za-z0-9_-]+\b/g;
+var CUST_PATTERN = /\bcust-\d+\b/gi;
+var WALLET_ID_PATTERN = /\bwallet-id:[A-Za-z0-9_-]+\b/g;
+var VAULT_ID_PATTERN = /\bvault-id:[A-Za-z0-9_-]+\b/g;
+var ENTROPY_THRESHOLD = 4.5;
+var ENTROPY_MIN_LENGTH = 32;
+function extractHighEntropyTokens(input) {
+  const candidates = input.split(/[\s,;:"'`(){}[\]<>]+/).filter(Boolean);
+  return candidates.filter(
+    (token) => token.length >= ENTROPY_MIN_LENGTH && shannonEntropy(token) >= ENTROPY_THRESHOLD
+  );
+}
+function redactSensitiveData(input) {
+  const tokensReplaced = [];
+  let redacted = input;
+  function replaceAll(pattern, label) {
+    redacted = redacted.replace(pattern, (match2) => {
+      tokensReplaced.push(match2);
+      return `[REDACTED:${label}]`;
+    });
+  }
+  replaceAll(PEM_PATTERN, "PEM_KEY");
+  replaceAll(BIP32_PATTERN, "BIP32_KEY");
+  replaceAll(WIF_PATTERN, "WIF_KEY");
+  replaceAll(HEX_KEY_PATTERN, "HEX_KEY");
+  replaceAll(CUSTODIAL_ID_PATTERN, "CUSTODIAL_ID");
+  replaceAll(CUST_PATTERN, "CUST_ID");
+  replaceAll(WALLET_ID_PATTERN, "WALLET_ID");
+  replaceAll(VAULT_ID_PATTERN, "VAULT_ID");
+  const highEntropyTokens = extractHighEntropyTokens(redacted);
+  for (const token of highEntropyTokens) {
+    if (!redacted.includes(token)) continue;
+    tokensReplaced.push(token);
+    redacted = redacted.split(token).join("[REDACTED:HIGH_ENTROPY]");
+  }
+  return { redacted, tokensReplaced };
+}
+// src/index.ts
+var AgentShield = class {
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Check a prompt against the policy engine before sending to the LLM.
+   *
+   * Applies local-first VPC redaction (BitGo) before sending to the gateway,
+   * ensuring signing keys, custodial IDs, and high-entropy secrets never leave
+   * the local process in plaintext.
+   *
+   * Returns the policy decision without executing the LLM call.
+   */
+  async check(prompt, requestId = newRequestId()) {
+    const { redacted, tokensReplaced } = redactSensitiveData(prompt);
+    const scopedLog = log.child({
+      tenant_id: this.config.tenantId,
+      request_id: requestId
+    });
+    const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/check`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.apiKey}`
+      },
+      body: JSON.stringify({
+        input: redacted,
+        // send the redacted version — never the raw prompt
+        tenantId: this.config.tenantId,
+        requestId,
+        userId: this.config.userId,
+        department: this.config.department,
+        aiModel: this.config.aiModel,
+        agentId: this.config.agentId ?? "sdk-client"
+      })
+    });
+    if (!res.ok) {
+      scopedLog.error("Shield policy check failed", { status: res.status });
+      throw new Error(`Shield policy check failed: ${res.status}`);
+    }
+    const result = await res.json();
+    return {
+      ...result,
+      ...tokensReplaced.length > 0 ? { redactedTokens: tokensReplaced } : {}
+    };
+  }
+  /**
+   * Wrap an LLM call with policy enforcement.
+   *
+   * The `llmCallFactory` is a function that creates the LLM promise.
+   * It is only invoked if the policy engine allows the action.
+   * This prevents the LLM call from executing before the policy check completes.
+   *
+   * @param llmCallFactory - A function that returns the LLM call promise
+   * @param prompt - The prompt text to evaluate against the policy engine
+   * @returns The result of the LLM call if allowed
+   * @throws ShieldBlockedError if the policy engine blocks the action
+   *
+   * @example
+   *   const result = await shield.wrap(
+   *     () => openai.chat.completions.create({
+   *       model: 'gpt-4o',
+   *       messages: [{ role: 'user', content: prompt }],
+   *     }),
+   *     prompt
+   *   );
+   */
+  async wrap(llmCallFactory, prompt) {
+    const requestId = newRequestId();
+    const policyResult = await this.check(prompt, requestId);
+    await this.log(prompt, policyResult, requestId);
+    (0, import_ts_pattern.match)(policyResult.decision).with("blocked", () => {
+      throw new ShieldBlockedError(
+        policyResult.reason,
+        policyResult.violatedRule,
+        policyResult.complianceMappings,
+        policyResult.sessionRevoked ?? false
+      );
+    }).with("escalated", () => {
+      log.warn("Action escalated for human review", {
+        reason: policyResult.reason
+      });
+    }).with("allowed", () => {
+    }).exhaustive();
+    return llmCallFactory();
+  }
+  /**
+   * Log an interaction to the Agent Shield Console.
+   */
+  async log(input, result, requestId = newRequestId()) {
+    const scopedLog = log.child({
+      tenant_id: this.config.tenantId,
+      request_id: requestId
+    });
+    const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/log`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.apiKey}`
+      },
+      body: JSON.stringify({
+        input,
+        tenantId: this.config.tenantId,
+        requestId,
+        userId: this.config.userId,
+        department: this.config.department,
+        aiModel: this.config.aiModel,
+        agentId: this.config.agentId ?? "sdk-client",
+        employeeName: this.config.employeeName ?? this.config.userId,
+        decision: result.decision,
+        reason: result.reason,
+        violatedRule: result.violatedRule,
+        requiresApproval: result.requiresApproval,
+        complianceMappings: result.complianceMappings
+      })
+    });
+    if (!res.ok) {
+      scopedLog.error("Failed to log interaction", { status: res.status });
+    }
+    return res.json();
+  }
+};
+var ShieldBlockedError = class extends Error {
+  constructor(reason, violatedRule, complianceMappings, sessionRevoked = false) {
+    super(`[G8R Shield BLOCKED] ${reason}`);
+    this.name = "ShieldBlockedError";
+    this.violatedRule = violatedRule;
+    this.complianceMappings = complianceMappings;
+    this.sessionRevoked = sessionRevoked;
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AgentShield,
+  ShieldBlockedError
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/ids.ts","../src/logger.ts","../src/redaction.ts"],"sourcesContent":["/**\n * G8R Agent Shield SDK\n *\n * Lightweight TypeScript client that wraps LLM calls with policy enforcement.\n * Automatically intercepts prompts, applies local-first VPC redaction (BitGo),\n * checks them against the G8R policy engine, and logs all activity to the\n * Agent Shield Console.\n *\n * Usage:\n * import { AgentShield } from '@g8r-security/agent-shield-sdk';\n *\n * const shield = new AgentShield({\n * consoleUrl: 'https://shield.yourcompany.com',\n * apiKey: 'sk-shield-...',\n * department: 'Finance',\n * userId: 'usr_FIN_042',\n * aiModel: 'GPT-4o',\n * });\n *\n * // Wrap any LLM call — the factory function is only invoked if the policy allows it\n * const result = await shield.wrap(\n * () => openai.chat.completions.create({\n * model: 'gpt-4o',\n * messages: [{ role: 'user', content: 'Summarize Q1 earnings' }],\n * }),\n * 'Summarize Q1 earnings'\n * );\n */\n\nimport { match } from 'ts-pattern';\nimport { newRequestId, type RequestId, type TenantId } from './ids';\nimport { log } from './logger';\nimport { redactSensitiveData } from './redaction';\n\nexport interface ShieldConfig {\n /** URL of the G8R Agent Shield Console */\n consoleUrl: string;\n /** API key for authentication */\n apiKey: string;\n /** Tenant this SDK instance operates on behalf of. Required. */\n tenantId: TenantId;\n /** Department of the calling user */\n department: string;\n /** User identifier */\n userId: string;\n /** AI model being called */\n aiModel: string;\n /** Optional: agent identifier (defaults to \"sdk-client\") */\n agentId?: string;\n /** Optional: employee display name (defaults to userId) */\n employeeName?: string;\n}\n\nexport interface PolicyCheckResult {\n decision: 'allowed' | 'blocked' | 'escalated';\n reason: string;\n violatedRule: string | null;\n requiresApproval: boolean;\n /**\n * Set to true when a kill-switch rule fires (e.g. unauthorized partner data\n * access). Consumers should tear down the agent session in response.\n */\n sessionRevoked?: boolean;\n complianceMappings: Array<{\n regulation: string;\n controlId: string;\n controlName: string;\n description: string;\n }>;\n /**\n * Tokens that were redacted from the prompt before it reached the gateway.\n * Undefined when no tokens were redacted (clean prompt).\n * Populated by the BitGo VPC local-first redaction layer.\n */\n redactedTokens?: string[];\n}\n\nexport interface ShieldLogEntry {\n id: string;\n decision: string;\n timestamp: string;\n}\n\nexport class AgentShield {\n private config: ShieldConfig;\n\n constructor(config: ShieldConfig) {\n this.config = config;\n }\n\n /**\n * Check a prompt against the policy engine before sending to the LLM.\n *\n * Applies local-first VPC redaction (BitGo) before sending to the gateway,\n * ensuring signing keys, custodial IDs, and high-entropy secrets never leave\n * the local process in plaintext.\n *\n * Returns the policy decision without executing the LLM call.\n */\n async check(\n prompt: string,\n requestId: RequestId = newRequestId()\n ): Promise<PolicyCheckResult> {\n // Step 1: Local-first redaction — strip signing keys and custodial IDs\n // before the prompt reaches the remote gateway (BitGo VPC masking).\n const { redacted, tokensReplaced } = redactSensitiveData(prompt);\n\n // `requestId` is generated per-call by default, but `wrap()` passes its\n // own value so /check and /log share a single correlation id end-to-end\n // (C2). Build a scoped logger bound to tenantId + requestId so any\n // failure path emits lines with that context automatically.\n const scopedLog = log.child({\n tenant_id: this.config.tenantId,\n request_id: requestId,\n });\n\n const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/check`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${this.config.apiKey}`,\n },\n body: JSON.stringify({\n input: redacted, // send the redacted version — never the raw prompt\n tenantId: this.config.tenantId,\n requestId,\n userId: this.config.userId,\n department: this.config.department,\n aiModel: this.config.aiModel,\n agentId: this.config.agentId ?? 'sdk-client',\n }),\n });\n\n if (!res.ok) {\n scopedLog.error('Shield policy check failed', { status: res.status });\n throw new Error(`Shield policy check failed: ${res.status}`);\n }\n\n const result = await res.json();\n return {\n ...result,\n ...(tokensReplaced.length > 0 ? { redactedTokens: tokensReplaced } : {}),\n };\n }\n\n /**\n * Wrap an LLM call with policy enforcement.\n *\n * The `llmCallFactory` is a function that creates the LLM promise.\n * It is only invoked if the policy engine allows the action.\n * This prevents the LLM call from executing before the policy check completes.\n *\n * @param llmCallFactory - A function that returns the LLM call promise\n * @param prompt - The prompt text to evaluate against the policy engine\n * @returns The result of the LLM call if allowed\n * @throws ShieldBlockedError if the policy engine blocks the action\n *\n * @example\n * const result = await shield.wrap(\n * () => openai.chat.completions.create({\n * model: 'gpt-4o',\n * messages: [{ role: 'user', content: prompt }],\n * }),\n * prompt\n * );\n */\n async wrap<T>(llmCallFactory: () => Promise<T>, prompt: string): Promise<T> {\n // Generate a single requestId for this wrap() invocation and thread it\n // through both /check and /log so the two server-side log lines can be\n // joined end-to-end (C2). Without this, each call would mint its own id\n // and the audit trail would lose the policy→action linkage.\n const requestId = newRequestId();\n\n // Step 1: Check the prompt against the policy engine (includes redaction)\n const policyResult = await this.check(prompt, requestId);\n\n // Step 2: Log the attempt regardless of decision\n await this.log(prompt, policyResult, requestId);\n\n // Step 3: Enforce the decision. Exhaustive match — adding a fourth\n // decision value will fail TypeScript compilation here until handled.\n match(policyResult.decision)\n .with('blocked', () => {\n throw new ShieldBlockedError(\n policyResult.reason,\n policyResult.violatedRule,\n policyResult.complianceMappings,\n policyResult.sessionRevoked ?? false\n );\n })\n .with('escalated', () => {\n // In production, this would await human approval via webhook\n log.warn('Action escalated for human review', {\n reason: policyResult.reason,\n });\n })\n .with('allowed', () => {\n /* fall through to invoke the LLM */\n })\n .exhaustive();\n\n // Step 4: Only now invoke the LLM call — after policy check passed\n return llmCallFactory();\n }\n\n /**\n * Log an interaction to the Agent Shield Console.\n */\n private async log(\n input: string,\n result: PolicyCheckResult,\n requestId: RequestId = newRequestId()\n ): Promise<ShieldLogEntry> {\n const scopedLog = log.child({\n tenant_id: this.config.tenantId,\n request_id: requestId,\n });\n\n const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/log`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${this.config.apiKey}`,\n },\n body: JSON.stringify({\n input,\n tenantId: this.config.tenantId,\n requestId,\n userId: this.config.userId,\n department: this.config.department,\n aiModel: this.config.aiModel,\n agentId: this.config.agentId ?? 'sdk-client',\n employeeName: this.config.employeeName ?? this.config.userId,\n decision: result.decision,\n reason: result.reason,\n violatedRule: result.violatedRule,\n requiresApproval: result.requiresApproval,\n complianceMappings: result.complianceMappings,\n }),\n });\n\n if (!res.ok) {\n scopedLog.error('Failed to log interaction', { status: res.status });\n }\n\n return res.json();\n }\n}\n\n/**\n * Error thrown when the policy engine blocks an LLM call.\n */\nexport class ShieldBlockedError extends Error {\n public readonly violatedRule: string | null;\n public readonly complianceMappings: PolicyCheckResult['complianceMappings'];\n public readonly sessionRevoked: boolean;\n\n constructor(\n reason: string,\n violatedRule: string | null,\n complianceMappings: PolicyCheckResult['complianceMappings'],\n sessionRevoked: boolean = false\n ) {\n super(`[G8R Shield BLOCKED] ${reason}`);\n this.name = 'ShieldBlockedError';\n this.violatedRule = violatedRule;\n this.complianceMappings = complianceMappings;\n this.sessionRevoked = sessionRevoked;\n }\n}\n","/**\n * Branded id types + constructors used by the SDK.\n *\n * Vendored from the engine's `types.ts` so the published\n * `@g8r-security/agent-shield-sdk` package carries no `@g8r-security/core` dependency — the\n * engine is private IP and must not be a public-package dependency. Only\n * the id types/helpers the SDK actually uses are copied here.\n */\n\n/**\n * Identifies a single tenant in the multi-tenant governance plane.\n * Branded so a raw string can't be passed where a TenantId is expected.\n */\nexport type TenantId = string & { readonly __brand: 'TenantId' };\n\n/** Per-request correlation ID. Generated client-side by the SDK. */\nexport type RequestId = string & { readonly __brand: 'RequestId' };\n\nconst TENANT_ID_PATTERN = /^[a-z0-9][a-z0-9-]{0,63}$/;\n\n/**\n * Cast a string to TenantId. Use at boundaries (config, env, request body).\n * Enforces the charset / length contract: 1-64 chars of `[a-z0-9-]`,\n * starting with `[a-z0-9]` — catches programmatic misuse (config typos,\n * hard-coded slugs that drift).\n */\nexport function tenantId(s: string): TenantId {\n if (!s) throw new Error('tenantId cannot be empty');\n if (!TENANT_ID_PATTERN.test(s)) {\n throw new Error(\n `tenantId must be 1-64 chars, [a-z0-9-], starting with [a-z0-9] (got ${JSON.stringify(s)})`\n );\n }\n return s as TenantId;\n}\n\n/** Generate a fresh request ID. Prefers crypto.randomUUID where available. */\nexport function newRequestId(): RequestId {\n // crypto.randomUUID is available in Node 19+ and all modern browsers.\n if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {\n return crypto.randomUUID() as RequestId;\n }\n // Fallback: timestamp + Math.random (best-effort, not crypto-strong).\n return `req-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}` as RequestId;\n}\n","/**\n * G8R structured JSON logger.\n *\n * Tiny, dependency-free logger that emits one JSON object per line. Designed\n * for governance contexts where each log line must carry `tenant_id` and\n * `request_id` so downstream pipelines can route audit trails per-tenant.\n *\n * Vendored into the SDK (a verbatim copy of the engine's logger) so the\n * published `@g8r-security/agent-shield-sdk` package carries no `@g8r-security/core`\n * dependency — the engine is private IP and must not be a public-package\n * dependency.\n *\n * Use the default `log` singleton for app-level chatter; call `createLogger`\n * (or `.child()`) when you need per-request bindings injected.\n */\n\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\nexport interface LogContext {\n tenant_id?: string;\n request_id?: string;\n [key: string]: unknown;\n}\n\nexport interface Logger {\n debug(msg: string, ctx?: LogContext): void;\n info(msg: string, ctx?: LogContext): void;\n warn(msg: string, ctx?: LogContext): void;\n error(msg: string, ctx?: LogContext): void;\n child(ctx: LogContext): Logger;\n}\n\nexport interface LoggerOptions {\n /** Defaults to 'info'. Anything below is dropped. */\n level?: LogLevel;\n /** Defaults to console.log. Override for testing or transport injection. */\n sink?: (line: string) => void;\n /** Context merged into every log line. */\n bindings?: LogContext;\n}\n\nconst LEVEL_ORDER: Record<LogLevel, number> = {\n debug: 10,\n info: 20,\n warn: 30,\n error: 40,\n};\n\nexport function createLogger(opts: LoggerOptions = {}): Logger {\n const minLevel = LEVEL_ORDER[opts.level ?? 'info'];\n const sink = opts.sink ?? ((line: string) => console.log(line));\n const bindings = opts.bindings ?? {};\n\n function emit(level: LogLevel, msg: string, ctx?: LogContext): void {\n if (LEVEL_ORDER[level] < minLevel) return;\n const payload = {\n level,\n msg,\n ts: new Date().toISOString(),\n ...bindings,\n ...ctx,\n };\n sink(JSON.stringify(payload));\n }\n\n return {\n debug: (msg, ctx) => emit('debug', msg, ctx),\n info: (msg, ctx) => emit('info', msg, ctx),\n warn: (msg, ctx) => emit('warn', msg, ctx),\n error: (msg, ctx) => emit('error', msg, ctx),\n child: (extra) => createLogger({ ...opts, bindings: { ...bindings, ...extra } }),\n };\n}\n\n/** Default singleton — convenient for apps that don't need DI. */\nexport const log = createLogger();\n","/**\n * BitGo VPC Sensitive Data Redaction\n *\n * Redacts cryptographic keys, custodial identifiers, and high-entropy strings\n * BEFORE sending prompts to the G8R policy gateway (local-first redaction layer).\n *\n * Compliance:\n * - GDPR Art. 32: Security of Processing — appropriate technical measures\n * - PCI-DSS 3.4: Render PAN/sensitive data unreadable wherever stored or transmitted\n */\n\nexport interface RedactionResult {\n /** The input with all sensitive tokens replaced by placeholder strings. */\n redacted: string;\n /** The original sensitive token strings that were replaced. */\n tokensReplaced: string[];\n}\n\n/**\n * Shannon entropy: calculates bits per character.\n * High entropy (> 4.5) indicates likely cryptographic material.\n */\nfunction shannonEntropy(str: string): number {\n const freq = new Map<string, number>();\n for (const ch of str) {\n freq.set(ch, (freq.get(ch) ?? 0) + 1);\n }\n let entropy = 0;\n const len = str.length;\n for (const count of freq.values()) {\n const p = count / len;\n entropy -= p * Math.log2(p);\n }\n return entropy;\n}\n\n// ── Signing Key Patterns ─────────────────────────────────────────────────────\n\n/** BIP-32 extended public/private keys: xpub, xprv, ypub, zpub, zprv, etc. */\nconst BIP32_PATTERN = /\\b[xyz](?:pub|prv)[a-zA-Z0-9]{99,111}\\b/g;\n\n/**\n * WIF (Wallet Import Format) private keys.\n * Base58Check encoded, starts with 5 (uncompressed) or K/L (compressed), 51–52 chars.\n */\nconst WIF_PATTERN = /\\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\\b/g;\n\n/**\n * Raw hex 256-bit keys — exactly 64 hex characters, optionally 0x-prefixed.\n * Matches Ethereum private keys, secp256k1 scalars, etc.\n */\nconst HEX_KEY_PATTERN = /\\b(?:0x)?[0-9a-fA-F]{64}\\b/g;\n\n/** PEM-encoded private or public key blocks (multi-line). */\nconst PEM_PATTERN =\n /-----BEGIN (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----[\\s\\S]*?-----END (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----/g;\n\n// ── Custodial ID Patterns ─────────────────────────────────────────────────────\n\n/** BitGo custodial-id format: `custodial-id:abc123xyz` */\nconst CUSTODIAL_ID_PATTERN = /\\bcustodial-id:[A-Za-z0-9_-]+\\b/g;\n\n/** Short custodial references: `cust-98765` */\nconst CUST_PATTERN = /\\bcust-\\d+\\b/gi;\n\n/** Wallet identifiers: `wallet-id:wlt-abc999` */\nconst WALLET_ID_PATTERN = /\\bwallet-id:[A-Za-z0-9_-]+\\b/g;\n\n/** Vault identifiers: `vault-id:v-secure-001` */\nconst VAULT_ID_PATTERN = /\\bvault-id:[A-Za-z0-9_-]+\\b/g;\n\n// ── Entropy Detection Constants ───────────────────────────────────────────────\n\n/** Minimum Shannon entropy (bits/char) to flag a token as likely cryptographic material. */\nconst ENTROPY_THRESHOLD = 4.5;\n\n/** Minimum token length to apply entropy analysis (shorter strings are too ambiguous). */\nconst ENTROPY_MIN_LENGTH = 32;\n\n/**\n * Find tokens in the string that exceed the entropy threshold.\n * Splits on whitespace and common delimiters to isolate candidates.\n */\nfunction extractHighEntropyTokens(input: string): string[] {\n const candidates = input.split(/[\\s,;:\"'`(){}[\\]<>]+/).filter(Boolean);\n return candidates.filter(\n (token) => token.length >= ENTROPY_MIN_LENGTH && shannonEntropy(token) >= ENTROPY_THRESHOLD\n );\n}\n\n/**\n * Redact sensitive data from a prompt string before it reaches the gateway.\n *\n * Processing order (important — PEM first to avoid splitting on inner patterns):\n * 1. PEM private/public key blocks\n * 2. BIP-32 extended keys\n * 3. WIF private keys\n * 4. Raw hex 256-bit keys\n * 5. Custodial IDs (all four variants)\n * 6. High-entropy string catch-all\n */\nexport function redactSensitiveData(input: string): RedactionResult {\n const tokensReplaced: string[] = [];\n let redacted = input;\n\n function replaceAll(pattern: RegExp, label: string): void {\n redacted = redacted.replace(pattern, (match) => {\n tokensReplaced.push(match);\n return `[REDACTED:${label}]`;\n });\n }\n\n replaceAll(PEM_PATTERN, 'PEM_KEY');\n replaceAll(BIP32_PATTERN, 'BIP32_KEY');\n replaceAll(WIF_PATTERN, 'WIF_KEY');\n replaceAll(HEX_KEY_PATTERN, 'HEX_KEY');\n replaceAll(CUSTODIAL_ID_PATTERN, 'CUSTODIAL_ID');\n replaceAll(CUST_PATTERN, 'CUST_ID');\n replaceAll(WALLET_ID_PATTERN, 'WALLET_ID');\n replaceAll(VAULT_ID_PATTERN, 'VAULT_ID');\n\n // High-entropy catch-all — runs on the already-redacted string to avoid double-replacing.\n const highEntropyTokens = extractHighEntropyTokens(redacted);\n for (const token of highEntropyTokens) {\n if (!redacted.includes(token)) continue;\n tokensReplaced.push(token);\n redacted = redacted.split(token).join('[REDACTED:HIGH_ENTROPY]');\n }\n\n return { redacted, tokensReplaced };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA6BA,wBAAsB;;;ACQf,SAAS,eAA0B;AAExC,MAAI,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,YAAY;AAC5E,WAAO,OAAO,WAAW;AAAA,EAC3B;AAEA,SAAO,OAAO,KAAK,IAAI,EAAE,SAAS,EAAE,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;AAClF;;;ACHA,IAAM,cAAwC;AAAA,EAC5C,OAAO;AAAA,EACP,MAAM;AAAA,EACN,MAAM;AAAA,EACN,OAAO;AACT;AAEO,SAAS,aAAa,OAAsB,CAAC,GAAW;AAC7D,QAAM,WAAW,YAAY,KAAK,SAAS,MAAM;AACjD,QAAM,OAAO,KAAK,SAAS,CAAC,SAAiB,QAAQ,IAAI,IAAI;AAC7D,QAAM,WAAW,KAAK,YAAY,CAAC;AAEnC,WAAS,KAAK,OAAiB,KAAa,KAAwB;AAClE,QAAI,YAAY,KAAK,IAAI,SAAU;AACnC,UAAM,UAAU;AAAA,MACd;AAAA,MACA;AAAA,MACA,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,GAAG;AAAA,MACH,GAAG;AAAA,IACL;AACA,SAAK,KAAK,UAAU,OAAO,CAAC;AAAA,EAC9B;AAEA,SAAO;AAAA,IACL,OAAO,CAAC,KAAK,QAAQ,KAAK,SAAS,KAAK,GAAG;AAAA,IAC3C,MAAM,CAAC,KAAK,QAAQ,KAAK,QAAQ,KAAK,GAAG;AAAA,IACzC,MAAM,CAAC,KAAK,QAAQ,KAAK,QAAQ,KAAK,GAAG;AAAA,IACzC,OAAO,CAAC,KAAK,QAAQ,KAAK,SAAS,KAAK,GAAG;AAAA,IAC3C,OAAO,CAAC,UAAU,aAAa,EAAE,GAAG,MAAM,UAAU,EAAE,GAAG,UAAU,GAAG,MAAM,EAAE,CAAC;AAAA,EACjF;AACF;AAGO,IAAM,MAAM,aAAa;;;ACrDhC,SAAS,eAAe,KAAqB;AAC3C,QAAM,OAAO,oBAAI,IAAoB;AACrC,aAAW,MAAM,KAAK;AACpB,SAAK,IAAI,KAAK,KAAK,IAAI,EAAE,KAAK,KAAK,CAAC;AAAA,EACtC;AACA,MAAI,UAAU;AACd,QAAM,MAAM,IAAI;AAChB,aAAW,SAAS,KAAK,OAAO,GAAG;AACjC,UAAM,IAAI,QAAQ;AAClB,eAAW,IAAI,KAAK,KAAK,CAAC;AAAA,EAC5B;AACA,SAAO;AACT;AAKA,IAAM,gBAAgB;AAMtB,IAAM,cAAc;AAMpB,IAAM,kBAAkB;AAGxB,IAAM,cACJ;AAKF,IAAM,uBAAuB;AAG7B,IAAM,eAAe;AAGrB,IAAM,oBAAoB;AAG1B,IAAM,mBAAmB;AAKzB,IAAM,oBAAoB;AAG1B,IAAM,qBAAqB;AAM3B,SAAS,yBAAyB,OAAyB;AACzD,QAAM,aAAa,MAAM,MAAM,sBAAsB,EAAE,OAAO,OAAO;AACrE,SAAO,WAAW;AAAA,IAChB,CAAC,UAAU,MAAM,UAAU,sBAAsB,eAAe,KAAK,KAAK;AAAA,EAC5E;AACF;AAaO,SAAS,oBAAoB,OAAgC;AAClE,QAAM,iBAA2B,CAAC;AAClC,MAAI,WAAW;AAEf,WAAS,WAAW,SAAiB,OAAqB;AACxD,eAAW,SAAS,QAAQ,SAAS,CAACA,WAAU;AAC9C,qBAAe,KAAKA,MAAK;AACzB,aAAO,aAAa,KAAK;AAAA,IAC3B,CAAC;AAAA,EACH;AAEA,aAAW,aAAa,SAAS;AACjC,aAAW,eAAe,WAAW;AACrC,aAAW,aAAa,SAAS;AACjC,aAAW,iBAAiB,SAAS;AACrC,aAAW,sBAAsB,cAAc;AAC/C,aAAW,cAAc,SAAS;AAClC,aAAW,mBAAmB,WAAW;AACzC,aAAW,kBAAkB,UAAU;AAGvC,QAAM,oBAAoB,yBAAyB,QAAQ;AAC3D,aAAW,SAAS,mBAAmB;AACrC,QAAI,CAAC,SAAS,SAAS,KAAK,EAAG;AAC/B,mBAAe,KAAK,KAAK;AACzB,eAAW,SAAS,MAAM,KAAK,EAAE,KAAK,yBAAyB;AAAA,EACjE;AAEA,SAAO,EAAE,UAAU,eAAe;AACpC;;;AH/CO,IAAM,cAAN,MAAkB;AAAA,EAGvB,YAAY,QAAsB;AAChC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,MACJ,QACA,YAAuB,aAAa,GACR;AAG5B,UAAM,EAAE,UAAU,eAAe,IAAI,oBAAoB,MAAM;AAM/D,UAAM,YAAY,IAAI,MAAM;AAAA,MAC1B,WAAW,KAAK,OAAO;AAAA,MACvB,YAAY;AAAA,IACd,CAAC;AAED,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,OAAO,UAAU,qBAAqB;AAAA,MACpE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK,OAAO,MAAM;AAAA,MAC7C;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,OAAO;AAAA;AAAA,QACP,UAAU,KAAK,OAAO;AAAA,QACtB;AAAA,QACA,QAAQ,KAAK,OAAO;AAAA,QACpB,YAAY,KAAK,OAAO;AAAA,QACxB,SAAS,KAAK,OAAO;AAAA,QACrB,SAAS,KAAK,OAAO,WAAW;AAAA,MAClC,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,gBAAU,MAAM,8BAA8B,EAAE,QAAQ,IAAI,OAAO,CAAC;AACpE,YAAM,IAAI,MAAM,+BAA+B,IAAI,MAAM,EAAE;AAAA,IAC7D;AAEA,UAAM,SAAS,MAAM,IAAI,KAAK;AAC9B,WAAO;AAAA,MACL,GAAG;AAAA,MACH,GAAI,eAAe,SAAS,IAAI,EAAE,gBAAgB,eAAe,IAAI,CAAC;AAAA,IACxE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,MAAM,KAAQ,gBAAkC,QAA4B;AAK1E,UAAM,YAAY,aAAa;AAG/B,UAAM,eAAe,MAAM,KAAK,MAAM,QAAQ,SAAS;AAGvD,UAAM,KAAK,IAAI,QAAQ,cAAc,SAAS;AAI9C,iCAAM,aAAa,QAAQ,EACxB,KAAK,WAAW,MAAM;AACrB,YAAM,IAAI;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,QACb,aAAa;AAAA,QACb,aAAa,kBAAkB;AAAA,MACjC;AAAA,IACF,CAAC,EACA,KAAK,aAAa,MAAM;AAEvB,UAAI,KAAK,qCAAqC;AAAA,QAC5C,QAAQ,aAAa;AAAA,MACvB,CAAC;AAAA,IACH,CAAC,EACA,KAAK,WAAW,MAAM;AAAA,IAEvB,CAAC,EACA,WAAW;AAGd,WAAO,eAAe;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,IACZ,OACA,QACA,YAAuB,aAAa,GACX;AACzB,UAAM,YAAY,IAAI,MAAM;AAAA,MAC1B,WAAW,KAAK,OAAO;AAAA,MACvB,YAAY;AAAA,IACd,CAAC;AAED,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,OAAO,UAAU,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK,OAAO,MAAM;AAAA,MAC7C;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB;AAAA,QACA,UAAU,KAAK,OAAO;AAAA,QACtB;AAAA,QACA,QAAQ,KAAK,OAAO;AAAA,QACpB,YAAY,KAAK,OAAO;AAAA,QACxB,SAAS,KAAK,OAAO;AAAA,QACrB,SAAS,KAAK,OAAO,WAAW;AAAA,QAChC,cAAc,KAAK,OAAO,gBAAgB,KAAK,OAAO;AAAA,QACtD,UAAU,OAAO;AAAA,QACjB,QAAQ,OAAO;AAAA,QACf,cAAc,OAAO;AAAA,QACrB,kBAAkB,OAAO;AAAA,QACzB,oBAAoB,OAAO;AAAA,MAC7B,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,gBAAU,MAAM,6BAA6B,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,IACrE;AAEA,WAAO,IAAI,KAAK;AAAA,EAClB;AACF;AAKO,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAK5C,YACE,QACA,cACA,oBACA,iBAA0B,OAC1B;AACA,UAAM,wBAAwB,MAAM,EAAE;AACtC,SAAK,OAAO;AACZ,SAAK,eAAe;AACpB,SAAK,qBAAqB;AAC1B,SAAK,iBAAiB;AAAA,EACxB;AACF;","names":["match"]}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,236 @@
+// src/index.ts
+import { match } from "ts-pattern";
+// src/ids.ts
+function newRequestId() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  return `req-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+}
+// src/logger.ts
+var LEVEL_ORDER = {
+  debug: 10,
+  info: 20,
+  warn: 30,
+  error: 40
+};
+function createLogger(opts = {}) {
+  const minLevel = LEVEL_ORDER[opts.level ?? "info"];
+  const sink = opts.sink ?? ((line) => console.log(line));
+  const bindings = opts.bindings ?? {};
+  function emit(level, msg, ctx) {
+    if (LEVEL_ORDER[level] < minLevel) return;
+    const payload = {
+      level,
+      msg,
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      ...bindings,
+      ...ctx
+    };
+    sink(JSON.stringify(payload));
+  }
+  return {
+    debug: (msg, ctx) => emit("debug", msg, ctx),
+    info: (msg, ctx) => emit("info", msg, ctx),
+    warn: (msg, ctx) => emit("warn", msg, ctx),
+    error: (msg, ctx) => emit("error", msg, ctx),
+    child: (extra) => createLogger({ ...opts, bindings: { ...bindings, ...extra } })
+  };
+}
+var log = createLogger();
+// src/redaction.ts
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  }
+  let entropy = 0;
+  const len = str.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var BIP32_PATTERN = /\b[xyz](?:pub|prv)[a-zA-Z0-9]{99,111}\b/g;
+var WIF_PATTERN = /\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b/g;
+var HEX_KEY_PATTERN = /\b(?:0x)?[0-9a-fA-F]{64}\b/g;
+var PEM_PATTERN = /-----BEGIN (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----[\s\S]*?-----END (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----/g;
+var CUSTODIAL_ID_PATTERN = /\bcustodial-id:[A-Za-z0-9_-]+\b/g;
+var CUST_PATTERN = /\bcust-\d+\b/gi;
+var WALLET_ID_PATTERN = /\bwallet-id:[A-Za-z0-9_-]+\b/g;
+var VAULT_ID_PATTERN = /\bvault-id:[A-Za-z0-9_-]+\b/g;
+var ENTROPY_THRESHOLD = 4.5;
+var ENTROPY_MIN_LENGTH = 32;
+function extractHighEntropyTokens(input) {
+  const candidates = input.split(/[\s,;:"'`(){}[\]<>]+/).filter(Boolean);
+  return candidates.filter(
+    (token) => token.length >= ENTROPY_MIN_LENGTH && shannonEntropy(token) >= ENTROPY_THRESHOLD
+  );
+}
+function redactSensitiveData(input) {
+  const tokensReplaced = [];
+  let redacted = input;
+  function replaceAll(pattern, label) {
+    redacted = redacted.replace(pattern, (match2) => {
+      tokensReplaced.push(match2);
+      return `[REDACTED:${label}]`;
+    });
+  }
+  replaceAll(PEM_PATTERN, "PEM_KEY");
+  replaceAll(BIP32_PATTERN, "BIP32_KEY");
+  replaceAll(WIF_PATTERN, "WIF_KEY");
+  replaceAll(HEX_KEY_PATTERN, "HEX_KEY");
+  replaceAll(CUSTODIAL_ID_PATTERN, "CUSTODIAL_ID");
+  replaceAll(CUST_PATTERN, "CUST_ID");
+  replaceAll(WALLET_ID_PATTERN, "WALLET_ID");
+  replaceAll(VAULT_ID_PATTERN, "VAULT_ID");
+  const highEntropyTokens = extractHighEntropyTokens(redacted);
+  for (const token of highEntropyTokens) {
+    if (!redacted.includes(token)) continue;
+    tokensReplaced.push(token);
+    redacted = redacted.split(token).join("[REDACTED:HIGH_ENTROPY]");
+  }
+  return { redacted, tokensReplaced };
+}
+// src/index.ts
+var AgentShield = class {
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Check a prompt against the policy engine before sending to the LLM.
+   *
+   * Applies local-first VPC redaction (BitGo) before sending to the gateway,
+   * ensuring signing keys, custodial IDs, and high-entropy secrets never leave
+   * the local process in plaintext.
+   *
+   * Returns the policy decision without executing the LLM call.
+   */
+  async check(prompt, requestId = newRequestId()) {
+    const { redacted, tokensReplaced } = redactSensitiveData(prompt);
+    const scopedLog = log.child({
+      tenant_id: this.config.tenantId,
+      request_id: requestId
+    });
+    const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/check`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.apiKey}`
+      },
+      body: JSON.stringify({
+        input: redacted,
+        // send the redacted version — never the raw prompt
+        tenantId: this.config.tenantId,
+        requestId,
+        userId: this.config.userId,
+        department: this.config.department,
+        aiModel: this.config.aiModel,
+        agentId: this.config.agentId ?? "sdk-client"
+      })
+    });
+    if (!res.ok) {
+      scopedLog.error("Shield policy check failed", { status: res.status });
+      throw new Error(`Shield policy check failed: ${res.status}`);
+    }
+    const result = await res.json();
+    return {
+      ...result,
+      ...tokensReplaced.length > 0 ? { redactedTokens: tokensReplaced } : {}
+    };
+  }
+  /**
+   * Wrap an LLM call with policy enforcement.
+   *
+   * The `llmCallFactory` is a function that creates the LLM promise.
+   * It is only invoked if the policy engine allows the action.
+   * This prevents the LLM call from executing before the policy check completes.
+   *
+   * @param llmCallFactory - A function that returns the LLM call promise
+   * @param prompt - The prompt text to evaluate against the policy engine
+   * @returns The result of the LLM call if allowed
+   * @throws ShieldBlockedError if the policy engine blocks the action
+   *
+   * @example
+   *   const result = await shield.wrap(
+   *     () => openai.chat.completions.create({
+   *       model: 'gpt-4o',
+   *       messages: [{ role: 'user', content: prompt }],
+   *     }),
+   *     prompt
+   *   );
+   */
+  async wrap(llmCallFactory, prompt) {
+    const requestId = newRequestId();
+    const policyResult = await this.check(prompt, requestId);
+    await this.log(prompt, policyResult, requestId);
+    match(policyResult.decision).with("blocked", () => {
+      throw new ShieldBlockedError(
+        policyResult.reason,
+        policyResult.violatedRule,
+        policyResult.complianceMappings,
+        policyResult.sessionRevoked ?? false
+      );
+    }).with("escalated", () => {
+      log.warn("Action escalated for human review", {
+        reason: policyResult.reason
+      });
+    }).with("allowed", () => {
+    }).exhaustive();
+    return llmCallFactory();
+  }
+  /**
+   * Log an interaction to the Agent Shield Console.
+   */
+  async log(input, result, requestId = newRequestId()) {
+    const scopedLog = log.child({
+      tenant_id: this.config.tenantId,
+      request_id: requestId
+    });
+    const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/log`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.apiKey}`
+      },
+      body: JSON.stringify({
+        input,
+        tenantId: this.config.tenantId,
+        requestId,
+        userId: this.config.userId,
+        department: this.config.department,
+        aiModel: this.config.aiModel,
+        agentId: this.config.agentId ?? "sdk-client",
+        employeeName: this.config.employeeName ?? this.config.userId,
+        decision: result.decision,
+        reason: result.reason,
+        violatedRule: result.violatedRule,
+        requiresApproval: result.requiresApproval,
+        complianceMappings: result.complianceMappings
+      })
+    });
+    if (!res.ok) {
+      scopedLog.error("Failed to log interaction", { status: res.status });
+    }
+    return res.json();
+  }
+};
+var ShieldBlockedError = class extends Error {
+  constructor(reason, violatedRule, complianceMappings, sessionRevoked = false) {
+    super(`[G8R Shield BLOCKED] ${reason}`);
+    this.name = "ShieldBlockedError";
+    this.violatedRule = violatedRule;
+    this.complianceMappings = complianceMappings;
+    this.sessionRevoked = sessionRevoked;
+  }
+};
+export {
+  AgentShield,
+  ShieldBlockedError
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/ids.ts","../src/logger.ts","../src/redaction.ts"],"sourcesContent":["/**\n * G8R Agent Shield SDK\n *\n * Lightweight TypeScript client that wraps LLM calls with policy enforcement.\n * Automatically intercepts prompts, applies local-first VPC redaction (BitGo),\n * checks them against the G8R policy engine, and logs all activity to the\n * Agent Shield Console.\n *\n * Usage:\n * import { AgentShield } from '@g8r-security/agent-shield-sdk';\n *\n * const shield = new AgentShield({\n * consoleUrl: 'https://shield.yourcompany.com',\n * apiKey: 'sk-shield-...',\n * department: 'Finance',\n * userId: 'usr_FIN_042',\n * aiModel: 'GPT-4o',\n * });\n *\n * // Wrap any LLM call — the factory function is only invoked if the policy allows it\n * const result = await shield.wrap(\n * () => openai.chat.completions.create({\n * model: 'gpt-4o',\n * messages: [{ role: 'user', content: 'Summarize Q1 earnings' }],\n * }),\n * 'Summarize Q1 earnings'\n * );\n */\n\nimport { match } from 'ts-pattern';\nimport { newRequestId, type RequestId, type TenantId } from './ids';\nimport { log } from './logger';\nimport { redactSensitiveData } from './redaction';\n\nexport interface ShieldConfig {\n /** URL of the G8R Agent Shield Console */\n consoleUrl: string;\n /** API key for authentication */\n apiKey: string;\n /** Tenant this SDK instance operates on behalf of. Required. */\n tenantId: TenantId;\n /** Department of the calling user */\n department: string;\n /** User identifier */\n userId: string;\n /** AI model being called */\n aiModel: string;\n /** Optional: agent identifier (defaults to \"sdk-client\") */\n agentId?: string;\n /** Optional: employee display name (defaults to userId) */\n employeeName?: string;\n}\n\nexport interface PolicyCheckResult {\n decision: 'allowed' | 'blocked' | 'escalated';\n reason: string;\n violatedRule: string | null;\n requiresApproval: boolean;\n /**\n * Set to true when a kill-switch rule fires (e.g. unauthorized partner data\n * access). Consumers should tear down the agent session in response.\n */\n sessionRevoked?: boolean;\n complianceMappings: Array<{\n regulation: string;\n controlId: string;\n controlName: string;\n description: string;\n }>;\n /**\n * Tokens that were redacted from the prompt before it reached the gateway.\n * Undefined when no tokens were redacted (clean prompt).\n * Populated by the BitGo VPC local-first redaction layer.\n */\n redactedTokens?: string[];\n}\n\nexport interface ShieldLogEntry {\n id: string;\n decision: string;\n timestamp: string;\n}\n\nexport class AgentShield {\n private config: ShieldConfig;\n\n constructor(config: ShieldConfig) {\n this.config = config;\n }\n\n /**\n * Check a prompt against the policy engine before sending to the LLM.\n *\n * Applies local-first VPC redaction (BitGo) before sending to the gateway,\n * ensuring signing keys, custodial IDs, and high-entropy secrets never leave\n * the local process in plaintext.\n *\n * Returns the policy decision without executing the LLM call.\n */\n async check(\n prompt: string,\n requestId: RequestId = newRequestId()\n ): Promise<PolicyCheckResult> {\n // Step 1: Local-first redaction — strip signing keys and custodial IDs\n // before the prompt reaches the remote gateway (BitGo VPC masking).\n const { redacted, tokensReplaced } = redactSensitiveData(prompt);\n\n // `requestId` is generated per-call by default, but `wrap()` passes its\n // own value so /check and /log share a single correlation id end-to-end\n // (C2). Build a scoped logger bound to tenantId + requestId so any\n // failure path emits lines with that context automatically.\n const scopedLog = log.child({\n tenant_id: this.config.tenantId,\n request_id: requestId,\n });\n\n const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/check`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${this.config.apiKey}`,\n },\n body: JSON.stringify({\n input: redacted, // send the redacted version — never the raw prompt\n tenantId: this.config.tenantId,\n requestId,\n userId: this.config.userId,\n department: this.config.department,\n aiModel: this.config.aiModel,\n agentId: this.config.agentId ?? 'sdk-client',\n }),\n });\n\n if (!res.ok) {\n scopedLog.error('Shield policy check failed', { status: res.status });\n throw new Error(`Shield policy check failed: ${res.status}`);\n }\n\n const result = await res.json();\n return {\n ...result,\n ...(tokensReplaced.length > 0 ? { redactedTokens: tokensReplaced } : {}),\n };\n }\n\n /**\n * Wrap an LLM call with policy enforcement.\n *\n * The `llmCallFactory` is a function that creates the LLM promise.\n * It is only invoked if the policy engine allows the action.\n * This prevents the LLM call from executing before the policy check completes.\n *\n * @param llmCallFactory - A function that returns the LLM call promise\n * @param prompt - The prompt text to evaluate against the policy engine\n * @returns The result of the LLM call if allowed\n * @throws ShieldBlockedError if the policy engine blocks the action\n *\n * @example\n * const result = await shield.wrap(\n * () => openai.chat.completions.create({\n * model: 'gpt-4o',\n * messages: [{ role: 'user', content: prompt }],\n * }),\n * prompt\n * );\n */\n async wrap<T>(llmCallFactory: () => Promise<T>, prompt: string): Promise<T> {\n // Generate a single requestId for this wrap() invocation and thread it\n // through both /check and /log so the two server-side log lines can be\n // joined end-to-end (C2). Without this, each call would mint its own id\n // and the audit trail would lose the policy→action linkage.\n const requestId = newRequestId();\n\n // Step 1: Check the prompt against the policy engine (includes redaction)\n const policyResult = await this.check(prompt, requestId);\n\n // Step 2: Log the attempt regardless of decision\n await this.log(prompt, policyResult, requestId);\n\n // Step 3: Enforce the decision. Exhaustive match — adding a fourth\n // decision value will fail TypeScript compilation here until handled.\n match(policyResult.decision)\n .with('blocked', () => {\n throw new ShieldBlockedError(\n policyResult.reason,\n policyResult.violatedRule,\n policyResult.complianceMappings,\n policyResult.sessionRevoked ?? false\n );\n })\n .with('escalated', () => {\n // In production, this would await human approval via webhook\n log.warn('Action escalated for human review', {\n reason: policyResult.reason,\n });\n })\n .with('allowed', () => {\n /* fall through to invoke the LLM */\n })\n .exhaustive();\n\n // Step 4: Only now invoke the LLM call — after policy check passed\n return llmCallFactory();\n }\n\n /**\n * Log an interaction to the Agent Shield Console.\n */\n private async log(\n input: string,\n result: PolicyCheckResult,\n requestId: RequestId = newRequestId()\n ): Promise<ShieldLogEntry> {\n const scopedLog = log.child({\n tenant_id: this.config.tenantId,\n request_id: requestId,\n });\n\n const res = await fetch(`${this.config.consoleUrl}/api/sdk/v1/log`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${this.config.apiKey}`,\n },\n body: JSON.stringify({\n input,\n tenantId: this.config.tenantId,\n requestId,\n userId: this.config.userId,\n department: this.config.department,\n aiModel: this.config.aiModel,\n agentId: this.config.agentId ?? 'sdk-client',\n employeeName: this.config.employeeName ?? this.config.userId,\n decision: result.decision,\n reason: result.reason,\n violatedRule: result.violatedRule,\n requiresApproval: result.requiresApproval,\n complianceMappings: result.complianceMappings,\n }),\n });\n\n if (!res.ok) {\n scopedLog.error('Failed to log interaction', { status: res.status });\n }\n\n return res.json();\n }\n}\n\n/**\n * Error thrown when the policy engine blocks an LLM call.\n */\nexport class ShieldBlockedError extends Error {\n public readonly violatedRule: string | null;\n public readonly complianceMappings: PolicyCheckResult['complianceMappings'];\n public readonly sessionRevoked: boolean;\n\n constructor(\n reason: string,\n violatedRule: string | null,\n complianceMappings: PolicyCheckResult['complianceMappings'],\n sessionRevoked: boolean = false\n ) {\n super(`[G8R Shield BLOCKED] ${reason}`);\n this.name = 'ShieldBlockedError';\n this.violatedRule = violatedRule;\n this.complianceMappings = complianceMappings;\n this.sessionRevoked = sessionRevoked;\n }\n}\n","/**\n * Branded id types + constructors used by the SDK.\n *\n * Vendored from the engine's `types.ts` so the published\n * `@g8r-security/agent-shield-sdk` package carries no `@g8r-security/core` dependency — the\n * engine is private IP and must not be a public-package dependency. Only\n * the id types/helpers the SDK actually uses are copied here.\n */\n\n/**\n * Identifies a single tenant in the multi-tenant governance plane.\n * Branded so a raw string can't be passed where a TenantId is expected.\n */\nexport type TenantId = string & { readonly __brand: 'TenantId' };\n\n/** Per-request correlation ID. Generated client-side by the SDK. */\nexport type RequestId = string & { readonly __brand: 'RequestId' };\n\nconst TENANT_ID_PATTERN = /^[a-z0-9][a-z0-9-]{0,63}$/;\n\n/**\n * Cast a string to TenantId. Use at boundaries (config, env, request body).\n * Enforces the charset / length contract: 1-64 chars of `[a-z0-9-]`,\n * starting with `[a-z0-9]` — catches programmatic misuse (config typos,\n * hard-coded slugs that drift).\n */\nexport function tenantId(s: string): TenantId {\n if (!s) throw new Error('tenantId cannot be empty');\n if (!TENANT_ID_PATTERN.test(s)) {\n throw new Error(\n `tenantId must be 1-64 chars, [a-z0-9-], starting with [a-z0-9] (got ${JSON.stringify(s)})`\n );\n }\n return s as TenantId;\n}\n\n/** Generate a fresh request ID. Prefers crypto.randomUUID where available. */\nexport function newRequestId(): RequestId {\n // crypto.randomUUID is available in Node 19+ and all modern browsers.\n if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {\n return crypto.randomUUID() as RequestId;\n }\n // Fallback: timestamp + Math.random (best-effort, not crypto-strong).\n return `req-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}` as RequestId;\n}\n","/**\n * G8R structured JSON logger.\n *\n * Tiny, dependency-free logger that emits one JSON object per line. Designed\n * for governance contexts where each log line must carry `tenant_id` and\n * `request_id` so downstream pipelines can route audit trails per-tenant.\n *\n * Vendored into the SDK (a verbatim copy of the engine's logger) so the\n * published `@g8r-security/agent-shield-sdk` package carries no `@g8r-security/core`\n * dependency — the engine is private IP and must not be a public-package\n * dependency.\n *\n * Use the default `log` singleton for app-level chatter; call `createLogger`\n * (or `.child()`) when you need per-request bindings injected.\n */\n\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\nexport interface LogContext {\n tenant_id?: string;\n request_id?: string;\n [key: string]: unknown;\n}\n\nexport interface Logger {\n debug(msg: string, ctx?: LogContext): void;\n info(msg: string, ctx?: LogContext): void;\n warn(msg: string, ctx?: LogContext): void;\n error(msg: string, ctx?: LogContext): void;\n child(ctx: LogContext): Logger;\n}\n\nexport interface LoggerOptions {\n /** Defaults to 'info'. Anything below is dropped. */\n level?: LogLevel;\n /** Defaults to console.log. Override for testing or transport injection. */\n sink?: (line: string) => void;\n /** Context merged into every log line. */\n bindings?: LogContext;\n}\n\nconst LEVEL_ORDER: Record<LogLevel, number> = {\n debug: 10,\n info: 20,\n warn: 30,\n error: 40,\n};\n\nexport function createLogger(opts: LoggerOptions = {}): Logger {\n const minLevel = LEVEL_ORDER[opts.level ?? 'info'];\n const sink = opts.sink ?? ((line: string) => console.log(line));\n const bindings = opts.bindings ?? {};\n\n function emit(level: LogLevel, msg: string, ctx?: LogContext): void {\n if (LEVEL_ORDER[level] < minLevel) return;\n const payload = {\n level,\n msg,\n ts: new Date().toISOString(),\n ...bindings,\n ...ctx,\n };\n sink(JSON.stringify(payload));\n }\n\n return {\n debug: (msg, ctx) => emit('debug', msg, ctx),\n info: (msg, ctx) => emit('info', msg, ctx),\n warn: (msg, ctx) => emit('warn', msg, ctx),\n error: (msg, ctx) => emit('error', msg, ctx),\n child: (extra) => createLogger({ ...opts, bindings: { ...bindings, ...extra } }),\n };\n}\n\n/** Default singleton — convenient for apps that don't need DI. */\nexport const log = createLogger();\n","/**\n * BitGo VPC Sensitive Data Redaction\n *\n * Redacts cryptographic keys, custodial identifiers, and high-entropy strings\n * BEFORE sending prompts to the G8R policy gateway (local-first redaction layer).\n *\n * Compliance:\n * - GDPR Art. 32: Security of Processing — appropriate technical measures\n * - PCI-DSS 3.4: Render PAN/sensitive data unreadable wherever stored or transmitted\n */\n\nexport interface RedactionResult {\n /** The input with all sensitive tokens replaced by placeholder strings. */\n redacted: string;\n /** The original sensitive token strings that were replaced. */\n tokensReplaced: string[];\n}\n\n/**\n * Shannon entropy: calculates bits per character.\n * High entropy (> 4.5) indicates likely cryptographic material.\n */\nfunction shannonEntropy(str: string): number {\n const freq = new Map<string, number>();\n for (const ch of str) {\n freq.set(ch, (freq.get(ch) ?? 0) + 1);\n }\n let entropy = 0;\n const len = str.length;\n for (const count of freq.values()) {\n const p = count / len;\n entropy -= p * Math.log2(p);\n }\n return entropy;\n}\n\n// ── Signing Key Patterns ─────────────────────────────────────────────────────\n\n/** BIP-32 extended public/private keys: xpub, xprv, ypub, zpub, zprv, etc. */\nconst BIP32_PATTERN = /\\b[xyz](?:pub|prv)[a-zA-Z0-9]{99,111}\\b/g;\n\n/**\n * WIF (Wallet Import Format) private keys.\n * Base58Check encoded, starts with 5 (uncompressed) or K/L (compressed), 51–52 chars.\n */\nconst WIF_PATTERN = /\\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\\b/g;\n\n/**\n * Raw hex 256-bit keys — exactly 64 hex characters, optionally 0x-prefixed.\n * Matches Ethereum private keys, secp256k1 scalars, etc.\n */\nconst HEX_KEY_PATTERN = /\\b(?:0x)?[0-9a-fA-F]{64}\\b/g;\n\n/** PEM-encoded private or public key blocks (multi-line). */\nconst PEM_PATTERN =\n /-----BEGIN (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----[\\s\\S]*?-----END (?:RSA |EC |OPENSSH )?(?:PRIVATE|PUBLIC) KEY-----/g;\n\n// ── Custodial ID Patterns ─────────────────────────────────────────────────────\n\n/** BitGo custodial-id format: `custodial-id:abc123xyz` */\nconst CUSTODIAL_ID_PATTERN = /\\bcustodial-id:[A-Za-z0-9_-]+\\b/g;\n\n/** Short custodial references: `cust-98765` */\nconst CUST_PATTERN = /\\bcust-\\d+\\b/gi;\n\n/** Wallet identifiers: `wallet-id:wlt-abc999` */\nconst WALLET_ID_PATTERN = /\\bwallet-id:[A-Za-z0-9_-]+\\b/g;\n\n/** Vault identifiers: `vault-id:v-secure-001` */\nconst VAULT_ID_PATTERN = /\\bvault-id:[A-Za-z0-9_-]+\\b/g;\n\n// ── Entropy Detection Constants ───────────────────────────────────────────────\n\n/** Minimum Shannon entropy (bits/char) to flag a token as likely cryptographic material. */\nconst ENTROPY_THRESHOLD = 4.5;\n\n/** Minimum token length to apply entropy analysis (shorter strings are too ambiguous). */\nconst ENTROPY_MIN_LENGTH = 32;\n\n/**\n * Find tokens in the string that exceed the entropy threshold.\n * Splits on whitespace and common delimiters to isolate candidates.\n */\nfunction extractHighEntropyTokens(input: string): string[] {\n const candidates = input.split(/[\\s,;:\"'`(){}[\\]<>]+/).filter(Boolean);\n return candidates.filter(\n (token) => token.length >= ENTROPY_MIN_LENGTH && shannonEntropy(token) >= ENTROPY_THRESHOLD\n );\n}\n\n/**\n * Redact sensitive data from a prompt string before it reaches the gateway.\n *\n * Processing order (important — PEM first to avoid splitting on inner patterns):\n * 1. PEM private/public key blocks\n * 2. BIP-32 extended keys\n * 3. WIF private keys\n * 4. Raw hex 256-bit keys\n * 5. Custodial IDs (all four variants)\n * 6. High-entropy string catch-all\n */\nexport function redactSensitiveData(input: string): RedactionResult {\n const tokensReplaced: string[] = [];\n let redacted = input;\n\n function replaceAll(pattern: RegExp, label: string): void {\n redacted = redacted.replace(pattern, (match) => {\n tokensReplaced.push(match);\n return `[REDACTED:${label}]`;\n });\n }\n\n replaceAll(PEM_PATTERN, 'PEM_KEY');\n replaceAll(BIP32_PATTERN, 'BIP32_KEY');\n replaceAll(WIF_PATTERN, 'WIF_KEY');\n replaceAll(HEX_KEY_PATTERN, 'HEX_KEY');\n replaceAll(CUSTODIAL_ID_PATTERN, 'CUSTODIAL_ID');\n replaceAll(CUST_PATTERN, 'CUST_ID');\n replaceAll(WALLET_ID_PATTERN, 'WALLET_ID');\n replaceAll(VAULT_ID_PATTERN, 'VAULT_ID');\n\n // High-entropy catch-all — runs on the already-redacted string to avoid double-replacing.\n const highEntropyTokens = extractHighEntropyTokens(redacted);\n for (const token of highEntropyTokens) {\n if (!redacted.includes(token)) continue;\n tokensReplaced.push(token);\n redacted = redacted.split(token).join('[REDACTED:HIGH_ENTROPY]');\n }\n\n return { redacted, tokensReplaced };\n}\n"],"mappings":";AA6BA,SAAS,aAAa;;;ACQf,SAAS,eAA0B;AAExC,MAAI,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,YAAY;AAC5E,WAAO,OAAO,WAAW;AAAA,EAC3B;AAEA,SAAO,OAAO,KAAK,IAAI,EAAE,SAAS,EAAE,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;AAClF;;;ACHA,IAAM,cAAwC;AAAA,EAC5C,OAAO;AAAA,EACP,MAAM;AAAA,EACN,MAAM;AAAA,EACN,OAAO;AACT;AAEO,SAAS,aAAa,OAAsB,CAAC,GAAW;AAC7D,QAAM,WAAW,YAAY,KAAK,SAAS,MAAM;AACjD,QAAM,OAAO,KAAK,SAAS,CAAC,SAAiB,QAAQ,IAAI,IAAI;AAC7D,QAAM,WAAW,KAAK,YAAY,CAAC;AAEnC,WAAS,KAAK,OAAiB,KAAa,KAAwB;AAClE,QAAI,YAAY,KAAK,IAAI,SAAU;AACnC,UAAM,UAAU;AAAA,MACd;AAAA,MACA;AAAA,MACA,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,GAAG;AAAA,MACH,GAAG;AAAA,IACL;AACA,SAAK,KAAK,UAAU,OAAO,CAAC;AAAA,EAC9B;AAEA,SAAO;AAAA,IACL,OAAO,CAAC,KAAK,QAAQ,KAAK,SAAS,KAAK,GAAG;AAAA,IAC3C,MAAM,CAAC,KAAK,QAAQ,KAAK,QAAQ,KAAK,GAAG;AAAA,IACzC,MAAM,CAAC,KAAK,QAAQ,KAAK,QAAQ,KAAK,GAAG;AAAA,IACzC,OAAO,CAAC,KAAK,QAAQ,KAAK,SAAS,KAAK,GAAG;AAAA,IAC3C,OAAO,CAAC,UAAU,aAAa,EAAE,GAAG,MAAM,UAAU,EAAE,GAAG,UAAU,GAAG,MAAM,EAAE,CAAC;AAAA,EACjF;AACF;AAGO,IAAM,MAAM,aAAa;;;ACrDhC,SAAS,eAAe,KAAqB;AAC3C,QAAM,OAAO,oBAAI,IAAoB;AACrC,aAAW,MAAM,KAAK;AACpB,SAAK,IAAI,KAAK,KAAK,IAAI,EAAE,KAAK,KAAK,CAAC;AAAA,EACtC;AACA,MAAI,UAAU;AACd,QAAM,MAAM,IAAI;AAChB,aAAW,SAAS,KAAK,OAAO,GAAG;AACjC,UAAM,IAAI,QAAQ;AAClB,eAAW,IAAI,KAAK,KAAK,CAAC;AAAA,EAC5B;AACA,SAAO;AACT;AAKA,IAAM,gBAAgB;AAMtB,IAAM,cAAc;AAMpB,IAAM,kBAAkB;AAGxB,IAAM,cACJ;AAKF,IAAM,uBAAuB;AAG7B,IAAM,eAAe;AAGrB,IAAM,oBAAoB;AAG1B,IAAM,mBAAmB;AAKzB,IAAM,oBAAoB;AAG1B,IAAM,qBAAqB;AAM3B,SAAS,yBAAyB,OAAyB;AACzD,QAAM,aAAa,MAAM,MAAM,sBAAsB,EAAE,OAAO,OAAO;AACrE,SAAO,WAAW;AAAA,IAChB,CAAC,UAAU,MAAM,UAAU,sBAAsB,eAAe,KAAK,KAAK;AAAA,EAC5E;AACF;AAaO,SAAS,oBAAoB,OAAgC;AAClE,QAAM,iBAA2B,CAAC;AAClC,MAAI,WAAW;AAEf,WAAS,WAAW,SAAiB,OAAqB;AACxD,eAAW,SAAS,QAAQ,SAAS,CAACA,WAAU;AAC9C,qBAAe,KAAKA,MAAK;AACzB,aAAO,aAAa,KAAK;AAAA,IAC3B,CAAC;AAAA,EACH;AAEA,aAAW,aAAa,SAAS;AACjC,aAAW,eAAe,WAAW;AACrC,aAAW,aAAa,SAAS;AACjC,aAAW,iBAAiB,SAAS;AACrC,aAAW,sBAAsB,cAAc;AAC/C,aAAW,cAAc,SAAS;AAClC,aAAW,mBAAmB,WAAW;AACzC,aAAW,kBAAkB,UAAU;AAGvC,QAAM,oBAAoB,yBAAyB,QAAQ;AAC3D,aAAW,SAAS,mBAAmB;AACrC,QAAI,CAAC,SAAS,SAAS,KAAK,EAAG;AAC/B,mBAAe,KAAK,KAAK;AACzB,eAAW,SAAS,MAAM,KAAK,EAAE,KAAK,yBAAyB;AAAA,EACjE;AAEA,SAAO,EAAE,UAAU,eAAe;AACpC;;;AH/CO,IAAM,cAAN,MAAkB;AAAA,EAGvB,YAAY,QAAsB;AAChC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,MACJ,QACA,YAAuB,aAAa,GACR;AAG5B,UAAM,EAAE,UAAU,eAAe,IAAI,oBAAoB,MAAM;AAM/D,UAAM,YAAY,IAAI,MAAM;AAAA,MAC1B,WAAW,KAAK,OAAO;AAAA,MACvB,YAAY;AAAA,IACd,CAAC;AAED,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,OAAO,UAAU,qBAAqB;AAAA,MACpE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK,OAAO,MAAM;AAAA,MAC7C;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,OAAO;AAAA;AAAA,QACP,UAAU,KAAK,OAAO;AAAA,QACtB;AAAA,QACA,QAAQ,KAAK,OAAO;AAAA,QACpB,YAAY,KAAK,OAAO;AAAA,QACxB,SAAS,KAAK,OAAO;AAAA,QACrB,SAAS,KAAK,OAAO,WAAW;AAAA,MAClC,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,gBAAU,MAAM,8BAA8B,EAAE,QAAQ,IAAI,OAAO,CAAC;AACpE,YAAM,IAAI,MAAM,+BAA+B,IAAI,MAAM,EAAE;AAAA,IAC7D;AAEA,UAAM,SAAS,MAAM,IAAI,KAAK;AAC9B,WAAO;AAAA,MACL,GAAG;AAAA,MACH,GAAI,eAAe,SAAS,IAAI,EAAE,gBAAgB,eAAe,IAAI,CAAC;AAAA,IACxE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,MAAM,KAAQ,gBAAkC,QAA4B;AAK1E,UAAM,YAAY,aAAa;AAG/B,UAAM,eAAe,MAAM,KAAK,MAAM,QAAQ,SAAS;AAGvD,UAAM,KAAK,IAAI,QAAQ,cAAc,SAAS;AAI9C,UAAM,aAAa,QAAQ,EACxB,KAAK,WAAW,MAAM;AACrB,YAAM,IAAI;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,QACb,aAAa;AAAA,QACb,aAAa,kBAAkB;AAAA,MACjC;AAAA,IACF,CAAC,EACA,KAAK,aAAa,MAAM;AAEvB,UAAI,KAAK,qCAAqC;AAAA,QAC5C,QAAQ,aAAa;AAAA,MACvB,CAAC;AAAA,IACH,CAAC,EACA,KAAK,WAAW,MAAM;AAAA,IAEvB,CAAC,EACA,WAAW;AAGd,WAAO,eAAe;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,IACZ,OACA,QACA,YAAuB,aAAa,GACX;AACzB,UAAM,YAAY,IAAI,MAAM;AAAA,MAC1B,WAAW,KAAK,OAAO;AAAA,MACvB,YAAY;AAAA,IACd,CAAC;AAED,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,OAAO,UAAU,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK,OAAO,MAAM;AAAA,MAC7C;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB;AAAA,QACA,UAAU,KAAK,OAAO;AAAA,QACtB;AAAA,QACA,QAAQ,KAAK,OAAO;AAAA,QACpB,YAAY,KAAK,OAAO;AAAA,QACxB,SAAS,KAAK,OAAO;AAAA,QACrB,SAAS,KAAK,OAAO,WAAW;AAAA,QAChC,cAAc,KAAK,OAAO,gBAAgB,KAAK,OAAO;AAAA,QACtD,UAAU,OAAO;AAAA,QACjB,QAAQ,OAAO;AAAA,QACf,cAAc,OAAO;AAAA,QACrB,kBAAkB,OAAO;AAAA,QACzB,oBAAoB,OAAO;AAAA,MAC7B,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,gBAAU,MAAM,6BAA6B,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,IACrE;AAEA,WAAO,IAAI,KAAK;AAAA,EAClB;AACF;AAKO,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAK5C,YACE,QACA,cACA,oBACA,iBAA0B,OAC1B;AACA,UAAM,wBAAwB,MAAM,EAAE;AACtC,SAAK,OAAO;AACZ,SAAK,eAAe;AACpB,SAAK,qBAAqB;AAC1B,SAAK,iBAAiB;AAAA,EACxB;AACF;","names":["match"]}

package/package.json ADDED Viewed

@@ -0,0 +1,64 @@
+{
+  "name": "@g8r-security/agent-shield-sdk",
+  "version": "0.1.0",
+  "description": "TypeScript client for G8R Agent Shield — wrap LLM and agent calls with policy enforcement, local-first redaction, and audit logging.",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Gator-Security/g8r-agent-shield-sdk.git",
+    "directory": "js"
+  },
+  "homepage": "https://github.com/Gator-Security/g8r-agent-shield-sdk#readme",
+  "bugs": {
+    "url": "https://github.com/Gator-Security/g8r-agent-shield-sdk/issues"
+  },
+  "keywords": [
+    "ai-governance",
+    "llm",
+    "llm-guardrails",
+    "policy-enforcement",
+    "agent-security",
+    "owasp-llm",
+    "compliance",
+    "audit-log"
+  ],
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "ts-pattern": "^5.9.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "jest",
+    "test:coverage": "jest --coverage",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run typecheck && npm run build"
+  },
+  "devDependencies": {
+    "@jest/globals": "^30.3.0",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^20",
+    "jest": "^30.3.0",
+    "ts-jest": "^29.0.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5"
+  }
+}