@mandatez/sdk 0.1.1 → 0.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +193 -95
- package/dist/attestations/index.d.ts +50 -0
- package/dist/attestations/index.d.ts.map +1 -0
- package/dist/attestations/index.js +30 -0
- package/dist/attestations/index.js.map +1 -0
- package/dist/client.d.ts +183 -0
- package/dist/client.d.ts.map +1 -1
- package/dist/client.js +256 -3
- package/dist/client.js.map +1 -1
- package/dist/exporters/datadog.d.ts +34 -0
- package/dist/exporters/datadog.d.ts.map +1 -0
- package/dist/exporters/datadog.js +69 -0
- package/dist/exporters/datadog.js.map +1 -0
- package/dist/exporters/index.d.ts +26 -0
- package/dist/exporters/index.d.ts.map +1 -0
- package/dist/exporters/index.js +5 -0
- package/dist/exporters/index.js.map +1 -0
- package/dist/exporters/otel.d.ts +38 -0
- package/dist/exporters/otel.d.ts.map +1 -0
- package/dist/exporters/otel.js +115 -0
- package/dist/exporters/otel.js.map +1 -0
- package/dist/exporters/splunk.d.ts +33 -0
- package/dist/exporters/splunk.d.ts.map +1 -0
- package/dist/exporters/splunk.js +62 -0
- package/dist/exporters/splunk.js.map +1 -0
- package/dist/exporters/webhook.d.ts +33 -0
- package/dist/exporters/webhook.d.ts.map +1 -0
- package/dist/exporters/webhook.js +52 -0
- package/dist/exporters/webhook.js.map +1 -0
- package/dist/identity/hibp.d.ts +39 -0
- package/dist/identity/hibp.d.ts.map +1 -0
- package/dist/identity/hibp.js +85 -0
- package/dist/identity/hibp.js.map +1 -0
- package/dist/index.d.ts +16 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -1
- package/dist/integrations/langchain/decorator.d.ts +31 -0
- package/dist/integrations/langchain/decorator.d.ts.map +1 -0
- package/dist/integrations/langchain/decorator.js +36 -0
- package/dist/integrations/langchain/decorator.js.map +1 -0
- package/dist/policies/templates.d.ts +223 -0
- package/dist/policies/templates.d.ts.map +1 -0
- package/dist/policies/templates.js +102 -0
- package/dist/policies/templates.js.map +1 -0
- package/dist/risk/index.d.ts +58 -0
- package/dist/risk/index.d.ts.map +1 -0
- package/dist/risk/index.js +45 -0
- package/dist/risk/index.js.map +1 -0
- package/dist/transport/supabase.d.ts +29 -0
- package/dist/transport/supabase.d.ts.map +1 -1
- package/dist/transport/supabase.js +81 -0
- package/dist/transport/supabase.js.map +1 -1
- package/dist/trust/posture.d.ts +24 -0
- package/dist/trust/posture.d.ts.map +1 -0
- package/dist/trust/posture.js +79 -0
- package/dist/trust/posture.js.map +1 -0
- package/dist/wrapper/index.d.ts +26 -0
- package/dist/wrapper/index.d.ts.map +1 -0
- package/dist/wrapper/index.js +162 -0
- package/dist/wrapper/index.js.map +1 -0
- package/package.json +8 -8
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
function assignGrade(score) {
|
|
2
|
+
if (score >= 80)
|
|
3
|
+
return 'verified';
|
|
4
|
+
if (score >= 60)
|
|
5
|
+
return 'high';
|
|
6
|
+
if (score >= 40)
|
|
7
|
+
return 'medium';
|
|
8
|
+
if (score >= 20)
|
|
9
|
+
return 'low';
|
|
10
|
+
return 'unverified';
|
|
11
|
+
}
|
|
12
|
+
/**
|
|
13
|
+
* Computes a trust score (0–100) and profile from an agent's event history.
|
|
14
|
+
*
|
|
15
|
+
* Scoring model:
|
|
16
|
+
* - Behavioral history 40pts: (allowed / total) * 40
|
|
17
|
+
* - Longevity 20pts: min(days_active / 90, 1) * 20
|
|
18
|
+
* - Human oversight 25pts: (approvals / (approvals + rejections + 1)) * 25
|
|
19
|
+
* - Policy compliance 15pts: (1 - blocked_ratio - flagged_ratio * 0.5) * 15
|
|
20
|
+
*/
|
|
21
|
+
export function computeTrustScore(events) {
|
|
22
|
+
if (events.length === 0) {
|
|
23
|
+
return {
|
|
24
|
+
trust_score: 0,
|
|
25
|
+
trust_grade: 'unverified',
|
|
26
|
+
total_events: 0,
|
|
27
|
+
allowed_ratio: 0,
|
|
28
|
+
flagged_ratio: 0,
|
|
29
|
+
blocked_ratio: 0,
|
|
30
|
+
human_approvals: 0,
|
|
31
|
+
human_rejections: 0,
|
|
32
|
+
first_seen: null,
|
|
33
|
+
last_active: null,
|
|
34
|
+
};
|
|
35
|
+
}
|
|
36
|
+
const total = events.length;
|
|
37
|
+
const allowed = events.filter(e => e.outcome === 'allowed').length;
|
|
38
|
+
const flagged = events.filter(e => e.outcome === 'flagged').length;
|
|
39
|
+
const blocked = events.filter(e => e.outcome === 'blocked').length;
|
|
40
|
+
const allowedRatio = allowed / total;
|
|
41
|
+
const flaggedRatio = flagged / total;
|
|
42
|
+
const blockedRatio = blocked / total;
|
|
43
|
+
// Human oversight counts from metadata
|
|
44
|
+
let approvals = 0;
|
|
45
|
+
let rejections = 0;
|
|
46
|
+
for (const e of events) {
|
|
47
|
+
if (e.metadata && typeof e.metadata === 'object') {
|
|
48
|
+
if (e.metadata.human_approved === true)
|
|
49
|
+
approvals++;
|
|
50
|
+
if (e.metadata.human_rejected === true)
|
|
51
|
+
rejections++;
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
// Longevity — days between first and last event
|
|
55
|
+
const timestamps = events.map(e => new Date(e.timestamp).getTime()).sort((a, b) => a - b);
|
|
56
|
+
const firstSeen = new Date(timestamps[0]);
|
|
57
|
+
const lastActive = new Date(timestamps[timestamps.length - 1]);
|
|
58
|
+
const daysActive = (lastActive.getTime() - firstSeen.getTime()) / (1000 * 60 * 60 * 24);
|
|
59
|
+
// Score components
|
|
60
|
+
const behavioralScore = allowedRatio * 40;
|
|
61
|
+
const longevityScore = Math.min(daysActive / 90, 1) * 20;
|
|
62
|
+
const oversightScore = (approvals / (approvals + rejections + 1)) * 25;
|
|
63
|
+
const complianceScore = Math.max(0, (1 - blockedRatio - flaggedRatio * 0.5)) * 15;
|
|
64
|
+
const rawScore = behavioralScore + longevityScore + oversightScore + complianceScore;
|
|
65
|
+
const trustScore = Math.round(Math.min(100, Math.max(0, rawScore)));
|
|
66
|
+
return {
|
|
67
|
+
trust_score: trustScore,
|
|
68
|
+
trust_grade: assignGrade(trustScore),
|
|
69
|
+
total_events: total,
|
|
70
|
+
allowed_ratio: Math.round(allowedRatio * 10000) / 10000,
|
|
71
|
+
flagged_ratio: Math.round(flaggedRatio * 10000) / 10000,
|
|
72
|
+
blocked_ratio: Math.round(blockedRatio * 10000) / 10000,
|
|
73
|
+
human_approvals: approvals,
|
|
74
|
+
human_rejections: rejections,
|
|
75
|
+
first_seen: firstSeen.toISOString(),
|
|
76
|
+
last_active: lastActive.toISOString(),
|
|
77
|
+
};
|
|
78
|
+
}
|
|
79
|
+
//# sourceMappingURL=posture.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"posture.js","sourceRoot":"","sources":["../../src/trust/posture.ts"],"names":[],"mappings":"AAeA,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAoB;IACpD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,WAAW,EAAE,CAAC;YACd,WAAW,EAAE,YAAY;YACzB,YAAY,EAAE,CAAC;YACf,aAAa,EAAE,CAAC;YAChB,aAAa,EAAE,CAAC;YAChB,aAAa,EAAE,CAAC;YAChB,eAAe,EAAE,CAAC;YAClB,gBAAgB,EAAE,CAAC;YACnB,UAAU,EAAE,IAAI;YAChB,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC;IAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IAEnE,MAAM,YAAY,GAAG,OAAO,GAAG,KAAK,CAAC;IACrC,MAAM,YAAY,GAAG,OAAO,GAAG,KAAK,CAAC;IACrC,MAAM,YAAY,GAAG,OAAO,GAAG,KAAK,CAAC;IAErC,uCAAuC;IACvC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjD,IAAK,CAAC,CAAC,QAAoC,CAAC,cAAc,KAAK,IAAI;gBAAE,SAAS,EAAE,CAAC;YACjF,IAAK,CAAC,CAAC,QAAoC,CAAC,cAAc,KAAK,IAAI;gBAAE,UAAU,EAAE,CAAC;QACpF,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1F,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/D,MAAM,UAAU,GAAG,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;IAExF,mBAAmB;IACnB,MAAM,eAAe,GAAG,YAAY,GAAG,EAAE,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC;IACzD,MAAM,cAAc,GAAG,CAAC,SAAS,GAAG,CAAC,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;IACvE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,YAAY,GAAG,YAAY,GAAG,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IAElF,MAAM,QAAQ,GAAG,eAAe,GAAG,cAAc,GAAG,cAAc,GAAG,eAAe,CAAC;IACrF,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;IAEpE,OAAO;QACL,WAAW,EAAE,UAAU;QACvB,WAAW,EAAE,WAAW,CAAC,UAAU,CAAC;QACpC,YAAY,EAAE,KAAK;QACnB,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,GAAG,KAAK;QACvD,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,GAAG,KAAK;QACvD,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,GAAG,KAAK;QACvD,eAAe,EAAE,SAAS;QAC1B,gBAAgB,EAAE,UAAU;QAC5B,UAAU,EAAE,SAAS,CAAC,WAAW,EAAE;QACnC,WAAW,EAAE,UAAU,CAAC,WAAW,EAAE;KACtC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
import type { PolicyRule } from '../policy/index.js';
|
|
2
|
+
export interface MandateZAgentConfig {
|
|
3
|
+
agentId: string;
|
|
4
|
+
ownerId: string;
|
|
5
|
+
privateKey: string;
|
|
6
|
+
supabaseUrl: string;
|
|
7
|
+
supabaseAnonKey: string;
|
|
8
|
+
/** Human-friendly name stored on the agents row. Defaults to the wrapped function's name. */
|
|
9
|
+
name?: string;
|
|
10
|
+
/** Inline policy rules. Evaluated on every call against action_type 'call' and the function name as resource. */
|
|
11
|
+
policies?: PolicyRule[];
|
|
12
|
+
/** How to treat a 'flag' policy outcome. 'restrict' (default) executes but marks the event flagged. 'block' prevents execution. 'allow' clears the flag. */
|
|
13
|
+
onFlagged?: 'restrict' | 'block' | 'allow';
|
|
14
|
+
/** HaveIBeenPwned API key. If provided and an email is detected in args, the wrapper runs an identity check before execution. */
|
|
15
|
+
hibpApiKey?: string;
|
|
16
|
+
}
|
|
17
|
+
/**
|
|
18
|
+
* Wrap any agent function with MandateZ governance.
|
|
19
|
+
*
|
|
20
|
+
* One import, one wrap — the returned function has the same signature as the
|
|
21
|
+
* original, but every invocation is policy-checked, optionally identity-screened
|
|
22
|
+
* (when an email is detected in args and hibpApiKey is configured), and logged
|
|
23
|
+
* as a signed AgentEvent to your MandateZ event stream.
|
|
24
|
+
*/
|
|
25
|
+
export declare function MandateZAgent<T extends (...args: any[]) => any>(agentFn: T, config: MandateZAgentConfig): T;
|
|
26
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/wrapper/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,6FAA6F;IAC7F,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iHAAiH;IACjH,QAAQ,CAAC,EAAE,UAAU,EAAE,CAAC;IACxB,4JAA4J;IAC5J,SAAS,CAAC,EAAE,UAAU,GAAG,OAAO,GAAG,OAAO,CAAC;IAC3C,iIAAiI;IACjI,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAuBD;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,EAC7D,OAAO,EAAE,CAAC,EACV,MAAM,EAAE,mBAAmB,GAC1B,CAAC,CA+IH"}
|
|
@@ -0,0 +1,162 @@
|
|
|
1
|
+
import sodium from 'libsodium-wrappers';
|
|
2
|
+
import { MandateZClient } from '../client.js';
|
|
3
|
+
import { PolicyEngine } from '../policy/index.js';
|
|
4
|
+
import { SupabaseTransport } from '../transport/index.js';
|
|
5
|
+
const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
|
|
6
|
+
function findEmailInArgs(args) {
|
|
7
|
+
for (const arg of args) {
|
|
8
|
+
if (typeof arg === 'string' && EMAIL_REGEX.test(arg))
|
|
9
|
+
return arg;
|
|
10
|
+
if (arg && typeof arg === 'object') {
|
|
11
|
+
for (const value of Object.values(arg)) {
|
|
12
|
+
if (typeof value === 'string' && EMAIL_REGEX.test(value))
|
|
13
|
+
return value;
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
return null;
|
|
18
|
+
}
|
|
19
|
+
async function derivePublicKey(privateKey) {
|
|
20
|
+
await sodium.ready;
|
|
21
|
+
const secretKey = sodium.from_base64(privateKey, sodium.base64_variants.ORIGINAL);
|
|
22
|
+
const publicKey = secretKey.slice(32);
|
|
23
|
+
return sodium.to_base64(publicKey, sodium.base64_variants.ORIGINAL);
|
|
24
|
+
}
|
|
25
|
+
/**
|
|
26
|
+
* Wrap any agent function with MandateZ governance.
|
|
27
|
+
*
|
|
28
|
+
* One import, one wrap — the returned function has the same signature as the
|
|
29
|
+
* original, but every invocation is policy-checked, optionally identity-screened
|
|
30
|
+
* (when an email is detected in args and hibpApiKey is configured), and logged
|
|
31
|
+
* as a signed AgentEvent to your MandateZ event stream.
|
|
32
|
+
*/
|
|
33
|
+
export function MandateZAgent(agentFn, config) {
|
|
34
|
+
const resourceName = config.name ?? agentFn.name ?? 'anonymous';
|
|
35
|
+
const onFlagged = config.onFlagged ?? 'restrict';
|
|
36
|
+
const policyEngine = new PolicyEngine();
|
|
37
|
+
if (config.policies && config.policies.length > 0) {
|
|
38
|
+
policyEngine.addPolicy({
|
|
39
|
+
id: `pol_${config.agentId}_inline`,
|
|
40
|
+
owner_id: config.ownerId,
|
|
41
|
+
name: `${resourceName}_inline`,
|
|
42
|
+
rules: config.policies,
|
|
43
|
+
});
|
|
44
|
+
}
|
|
45
|
+
const client = new MandateZClient({
|
|
46
|
+
agentId: config.agentId,
|
|
47
|
+
ownerId: config.ownerId,
|
|
48
|
+
privateKey: config.privateKey,
|
|
49
|
+
supabaseUrl: config.supabaseUrl,
|
|
50
|
+
supabaseAnonKey: config.supabaseAnonKey,
|
|
51
|
+
hibpApiKey: config.hibpApiKey,
|
|
52
|
+
});
|
|
53
|
+
const transport = new SupabaseTransport({
|
|
54
|
+
supabaseUrl: config.supabaseUrl,
|
|
55
|
+
supabaseAnonKey: config.supabaseAnonKey,
|
|
56
|
+
});
|
|
57
|
+
let registrationPromise = null;
|
|
58
|
+
const ensureRegistered = () => {
|
|
59
|
+
if (!registrationPromise) {
|
|
60
|
+
registrationPromise = (async () => {
|
|
61
|
+
const publicKey = await derivePublicKey(config.privateKey);
|
|
62
|
+
await transport
|
|
63
|
+
.upsertAgent({
|
|
64
|
+
agentId: config.agentId,
|
|
65
|
+
ownerId: config.ownerId,
|
|
66
|
+
name: resourceName,
|
|
67
|
+
publicKey,
|
|
68
|
+
})
|
|
69
|
+
.catch(() => { });
|
|
70
|
+
})();
|
|
71
|
+
}
|
|
72
|
+
return registrationPromise;
|
|
73
|
+
};
|
|
74
|
+
const wrapped = async function (...args) {
|
|
75
|
+
await ensureRegistered();
|
|
76
|
+
if (config.hibpApiKey) {
|
|
77
|
+
const email = findEmailInArgs(args);
|
|
78
|
+
if (email) {
|
|
79
|
+
try {
|
|
80
|
+
const check = await client.checkIdentity({
|
|
81
|
+
email,
|
|
82
|
+
onFlagged: onFlagged === 'allow' ? 'allow' : onFlagged,
|
|
83
|
+
});
|
|
84
|
+
if (check.recommendation === 'block') {
|
|
85
|
+
await client
|
|
86
|
+
.track({
|
|
87
|
+
action_type: 'call',
|
|
88
|
+
resource: resourceName,
|
|
89
|
+
outcome: 'blocked',
|
|
90
|
+
metadata: {
|
|
91
|
+
wrapper: 'MandateZAgent',
|
|
92
|
+
reason: 'identity_blocked',
|
|
93
|
+
email,
|
|
94
|
+
breach_count: check.breach_count,
|
|
95
|
+
},
|
|
96
|
+
})
|
|
97
|
+
.catch(() => { });
|
|
98
|
+
throw new Error(`MandateZAgent: identity check blocked execution (${check.breach_count} breaches detected)`);
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
catch (err) {
|
|
102
|
+
if (err instanceof Error && err.message.startsWith('MandateZAgent:')) {
|
|
103
|
+
throw err;
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
const policyEval = policyEngine.evaluate('call', resourceName);
|
|
109
|
+
const policyBlocks = policyEval.outcome === 'blocked' ||
|
|
110
|
+
(policyEval.outcome === 'flagged' && onFlagged === 'block');
|
|
111
|
+
if (policyBlocks) {
|
|
112
|
+
await client
|
|
113
|
+
.track({
|
|
114
|
+
action_type: 'call',
|
|
115
|
+
resource: resourceName,
|
|
116
|
+
outcome: 'blocked',
|
|
117
|
+
policy_id: policyEval.policy_id,
|
|
118
|
+
metadata: { wrapper: 'MandateZAgent', reason: 'policy_blocked' },
|
|
119
|
+
})
|
|
120
|
+
.catch(() => { });
|
|
121
|
+
throw new Error(`MandateZAgent: policy blocked call to ${resourceName}`);
|
|
122
|
+
}
|
|
123
|
+
const startedAt = Date.now();
|
|
124
|
+
try {
|
|
125
|
+
const result = await agentFn.apply(this, args);
|
|
126
|
+
const finalOutcome = policyEval.outcome === 'flagged' && onFlagged === 'restrict' ? 'flagged' : 'allowed';
|
|
127
|
+
await client
|
|
128
|
+
.track({
|
|
129
|
+
action_type: 'call',
|
|
130
|
+
resource: resourceName,
|
|
131
|
+
outcome: finalOutcome,
|
|
132
|
+
policy_id: policyEval.policy_id,
|
|
133
|
+
metadata: {
|
|
134
|
+
wrapper: 'MandateZAgent',
|
|
135
|
+
duration_ms: Date.now() - startedAt,
|
|
136
|
+
args_count: args.length,
|
|
137
|
+
},
|
|
138
|
+
})
|
|
139
|
+
.catch(() => { });
|
|
140
|
+
return result;
|
|
141
|
+
}
|
|
142
|
+
catch (err) {
|
|
143
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
144
|
+
await client
|
|
145
|
+
.track({
|
|
146
|
+
action_type: 'call',
|
|
147
|
+
resource: resourceName,
|
|
148
|
+
outcome: 'flagged',
|
|
149
|
+
policy_id: policyEval.policy_id,
|
|
150
|
+
metadata: {
|
|
151
|
+
wrapper: 'MandateZAgent',
|
|
152
|
+
duration_ms: Date.now() - startedAt,
|
|
153
|
+
error: message,
|
|
154
|
+
},
|
|
155
|
+
})
|
|
156
|
+
.catch(() => { });
|
|
157
|
+
throw err;
|
|
158
|
+
}
|
|
159
|
+
};
|
|
160
|
+
return wrapped;
|
|
161
|
+
}
|
|
162
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/wrapper/index.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAmB1D,MAAM,WAAW,GAAG,4BAA4B,CAAC;AAEjD,SAAS,eAAe,CAAC,IAAe;IACtC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,CAAC;QACjE,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACnC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,EAAE,CAAC;gBAClE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;oBAAE,OAAO,KAAK,CAAC;YACzE,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,UAAkB;IAC/C,MAAM,MAAM,CAAC,KAAK,CAAC;IACnB,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAClF,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACtC,OAAO,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;AACtE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAC3B,OAAU,EACV,MAA2B;IAE3B,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC;IAChE,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,UAAU,CAAC;IAEjD,MAAM,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;IACxC,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,YAAY,CAAC,SAAS,CAAC;YACrB,EAAE,EAAE,OAAO,MAAM,CAAC,OAAO,SAAS;YAClC,QAAQ,EAAE,MAAM,CAAC,OAAO;YACxB,IAAI,EAAE,GAAG,YAAY,SAAS;YAC9B,KAAK,EAAE,MAAM,CAAC,QAAQ;SACvB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC;QAChC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,iBAAiB,CAAC;QACtC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;KACxC,CAAC,CAAC;IAEH,IAAI,mBAAmB,GAAyB,IAAI,CAAC;IACrD,MAAM,gBAAgB,GAAG,GAAkB,EAAE;QAC3C,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,mBAAmB,GAAG,CAAC,KAAK,IAAI,EAAE;gBAChC,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBAC3D,MAAM,SAAS;qBACZ,WAAW,CAAC;oBACX,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,IAAI,EAAE,YAAY;oBAClB,SAAS;iBACV,CAAC;qBACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACrB,CAAC,CAAC,EAAE,CAAC;QACP,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC,CAAC;IAEF,MAAM,OAAO,GAAG,KAAK,WAA0B,GAAG,IAAe;QAC/D,MAAM,gBAAgB,EAAE,CAAC;QAEzB,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC;wBACvC,KAAK;wBACL,SAAS,EAAE,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;qBACvD,CAAC,CAAC;oBACH,IAAI,KAAK,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;wBACrC,MAAM,MAAM;6BACT,KAAK,CAAC;4BACL,WAAW,EAAE,MAAM;4BACnB,QAAQ,EAAE,YAAY;4BACtB,OAAO,EAAE,SAAS;4BAClB,QAAQ,EAAE;gCACR,OAAO,EAAE,eAAe;gCACxB,MAAM,EAAE,kBAAkB;gCAC1B,KAAK;gCACL,YAAY,EAAE,KAAK,CAAC,YAAY;6BACjC;yBACF,CAAC;6BACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;wBACnB,MAAM,IAAI,KAAK,CACb,oDAAoD,KAAK,CAAC,YAAY,qBAAqB,CAC5F,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;wBACrE,MAAM,GAAG,CAAC;oBACZ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAC/D,MAAM,YAAY,GAChB,UAAU,CAAC,OAAO,KAAK,SAAS;YAChC,CAAC,UAAU,CAAC,OAAO,KAAK,SAAS,IAAI,SAAS,KAAK,OAAO,CAAC,CAAC;QAE9D,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,MAAM;iBACT,KAAK,CAAC;gBACL,WAAW,EAAE,MAAM;gBACnB,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,SAAS;gBAClB,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,QAAQ,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,gBAAgB,EAAE;aACjE,CAAC;iBACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,yCAAyC,YAAY,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,IAAqB,CAAC,CAAC;YAEhE,MAAM,YAAY,GAChB,UAAU,CAAC,OAAO,KAAK,SAAS,IAAI,SAAS,KAAK,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAEvF,MAAM,MAAM;iBACT,KAAK,CAAC;gBACL,WAAW,EAAE,MAAM;gBACnB,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,YAAY;gBACrB,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,QAAQ,EAAE;oBACR,OAAO,EAAE,eAAe;oBACxB,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;oBACnC,UAAU,EAAE,IAAI,CAAC,MAAM;iBACxB;aACF,CAAC;iBACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YAEnB,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,MAAM;iBACT,KAAK,CAAC;gBACL,WAAW,EAAE,MAAM;gBACnB,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,SAAS;gBAClB,SAAS,EAAE,UAAU,CAAC,SAAS;gBAC/B,QAAQ,EAAE;oBACR,OAAO,EAAE,eAAe;oBACxB,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;oBACnC,KAAK,EAAE,OAAO;iBACf;aACF,CAAC;iBACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACnB,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;IAEF,OAAO,OAAuB,CAAC;AACjC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mandatez/sdk",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.8",
|
|
4
4
|
"description": "MandateZ SDK — cryptographic identity, event signing, and policy enforcement for AI agents",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -22,12 +22,6 @@
|
|
|
22
22
|
"type": "git",
|
|
23
23
|
"url": "https://github.com/mandatez/core"
|
|
24
24
|
},
|
|
25
|
-
"scripts": {
|
|
26
|
-
"build": "tsc",
|
|
27
|
-
"dev": "tsc --watch",
|
|
28
|
-
"test": "vitest run",
|
|
29
|
-
"test:watch": "vitest"
|
|
30
|
-
},
|
|
31
25
|
"keywords": [
|
|
32
26
|
"ai",
|
|
33
27
|
"agents",
|
|
@@ -45,5 +39,11 @@
|
|
|
45
39
|
"libsodium-wrappers": "^0.8.2",
|
|
46
40
|
"nanoid": "^5.1.7",
|
|
47
41
|
"zod": "^4.3.6"
|
|
42
|
+
},
|
|
43
|
+
"scripts": {
|
|
44
|
+
"build": "tsc",
|
|
45
|
+
"dev": "tsc --watch",
|
|
46
|
+
"test": "vitest run",
|
|
47
|
+
"test:watch": "vitest"
|
|
48
48
|
}
|
|
49
|
-
}
|
|
49
|
+
}
|