@opentrust/dashboard 7.1.0

package/dist/routes/observations.js

@@ -0,0 +1,111 @@
+import { Router } from "express";
+import { db, observationQueries } from "@opentrust/db";
+const observations = observationQueries(db);
+export const observationsRouter = Router();
+// POST /api/observations — Record one or more tool call observations
+observationsRouter.post("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const body = req.body;
+        // Accept single object or array
+        const items = Array.isArray(body) ? body : [body];
+        for (const item of items) {
+            if (!item.agentId || !item.toolName || !item.phase) {
+                res.status(400).json({
+                    success: false,
+                    error: "agentId, toolName, and phase are required",
+                });
+                return;
+            }
+            await observations.record({
+                agentId: item.agentId,
+                sessionKey: item.sessionKey,
+                toolName: item.toolName,
+                params: item.params,
+                phase: item.phase,
+                result: item.result,
+                error: item.error,
+                durationMs: item.durationMs,
+                blocked: item.blocked,
+                blockReason: item.blockReason,
+                tenantId,
+            });
+        }
+        res.status(201).json({ success: true });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/observations — Recent observations (optional ?agentId= filter)
+observationsRouter.get("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const agentId = req.query.agentId;
+        const limit = parseInt(req.query.limit) || 50;
+        const data = await observations.findRecent({ agentId, limit, tenantId });
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/observations/permissions — All permissions across all agents
+observationsRouter.get("/permissions", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const data = await observations.getAllPermissions(tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/observations/anomalies — First-seen tool calls
+observationsRouter.get("/anomalies", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const limit = parseInt(req.query.limit) || 20;
+        const data = await observations.findAnomalies(tenantId, limit);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/observations/summary — Per-agent summary
+observationsRouter.get("/summary", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const data = await observations.summary(tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/agents/:id/permissions — Permission profile for an agent
+observationsRouter.get("/agents/:id/permissions", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const agentId = req.params.id;
+        const data = await observations.getPermissions(agentId, tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/agents/:id/observations — Observations for a specific agent
+observationsRouter.get("/agents/:id/observations", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const agentId = req.params.id;
+        const limit = parseInt(req.query.limit) || 50;
+        const data = await observations.findRecent({ agentId, limit, tenantId });
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/routes/policies.js

@@ -0,0 +1,64 @@
+import { Router } from "express";
+import { db, policyQueries } from "@opentrust/db";
+const policies = policyQueries(db);
+export const policiesRouter = Router();
+// GET /api/policies
+policiesRouter.get("/", async (_req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const data = await policies.findAll(tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// POST /api/policies
+policiesRouter.post("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const { name, description, scannerIds, action, sensitivityThreshold } = req.body;
+        if (!name || !scannerIds || !action) {
+            res.status(400).json({ success: false, error: "name, scannerIds, and action are required" });
+            return;
+        }
+        const policy = await policies.create({
+            name,
+            description: description || null,
+            scannerIds,
+            action,
+            sensitivityThreshold,
+            tenantId,
+        });
+        res.status(201).json({ success: true, data: policy });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// PUT /api/policies/:id
+policiesRouter.put("/:id", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const policy = await policies.update(req.params.id, req.body, tenantId);
+        if (!policy) {
+            res.status(404).json({ success: false, error: "Policy not found" });
+            return;
+        }
+        res.json({ success: true, data: policy });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// DELETE /api/policies/:id
+policiesRouter.delete("/:id", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        await policies.delete(req.params.id, tenantId);
+        res.json({ success: true });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/routes/results.js

@@ -0,0 +1,20 @@
+import { Router } from "express";
+import { db, detectionResultQueries } from "@opentrust/db";
+const results = detectionResultQueries(db);
+export const resultsRouter = Router();
+// GET /api/results
+resultsRouter.get("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const limit = parseInt(req.query.limit) || 50;
+        const offset = parseInt(req.query.offset) || 0;
+        const agentId = req.query.agentId;
+        const data = agentId
+            ? await results.findByAgentId(agentId, { limit, offset, tenantId })
+            : await results.findAll({ limit, offset, tenantId });
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/routes/scanners.js

@@ -0,0 +1,40 @@
+import { Router } from "express";
+import { db, scannerQueries } from "@opentrust/db";
+const scanners = scannerQueries(db);
+export const scannersRouter = Router();
+// GET /api/scanners
+scannersRouter.get("/", async (_req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const data = await scanners.getAll(tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// PUT /api/scanners
+scannersRouter.put("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const updates = req.body;
+        if (!Array.isArray(updates)) {
+            res.status(400).json({ success: false, error: "Request body must be an array of scanner updates" });
+            return;
+        }
+        for (const update of updates) {
+            await scanners.upsert({
+                scannerId: update.scannerId,
+                name: update.name,
+                description: update.description,
+                isEnabled: update.isEnabled,
+                tenantId,
+            });
+        }
+        const data = await scanners.getAll(tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/routes/settings.js

@@ -0,0 +1,71 @@
+import { Router } from "express";
+import { db, settingsQueries } from "@opentrust/db";
+import { maskSecret } from "@opentrust/shared";
+import { checkCoreHealth } from "../services/core-client.js";
+const settings = settingsQueries(db);
+export const settingsRouter = Router();
+// GET /api/settings
+settingsRouter.get("/", async (_req, res, next) => {
+    try {
+        const all = await settings.getAll();
+        // Mask sensitive values
+        const masked = {};
+        for (const [key, value] of Object.entries(all)) {
+            if (key === "og_core_key" || key === "session_token") {
+                masked[key] = maskSecret(value);
+            }
+            else {
+                masked[key] = value;
+            }
+        }
+        res.json({ success: true, data: masked });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// PUT /api/settings
+settingsRouter.put("/", async (req, res, next) => {
+    try {
+        const updates = req.body;
+        if (!updates || typeof updates !== "object") {
+            res.status(400).json({ success: false, error: "Request body must be a key-value object" });
+            return;
+        }
+        // Prevent overwriting session_token via this endpoint
+        delete updates.session_token;
+        for (const [key, value] of Object.entries(updates)) {
+            await settings.set(key, value);
+        }
+        res.json({ success: true });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// POST /api/settings/test-connection
+settingsRouter.post("/test-connection", async (_req, res, next) => {
+    try {
+        const ogCoreUrl = await settings.get("og_core_url");
+        const ogCoreKey = await settings.get("og_core_key");
+        if (!ogCoreUrl && !ogCoreKey) {
+            res.json({
+                success: true,
+                data: { connected: false, message: "No core URL or key configured" },
+            });
+            return;
+        }
+        const healthy = await checkCoreHealth();
+        res.json({
+            success: true,
+            data: {
+                connected: healthy,
+                message: healthy ? "Connected to core" : "Failed to connect to core",
+                url: ogCoreUrl || process.env.OG_CORE_URL || "http://localhost:53666",
+            },
+        });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/routes/usage.js

@@ -0,0 +1,40 @@
+import { Router } from "express";
+import { db, usageQueries } from "@opentrust/db";
+const usage = usageQueries(db);
+export const usageRouter = Router();
+// GET /api/usage/summary
+usageRouter.get("/summary", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        // Default to last 30 days
+        const end = new Date();
+        const start = new Date(end.getTime() - 30 * 24 * 60 * 60 * 1000);
+        const stats = await usage.summary(start.toISOString(), end.toISOString(), tenantId);
+        res.json({
+            success: true,
+            data: {
+                totalCalls: stats.totalCalls,
+                safeCount: stats.safeCount ?? 0,
+                unsafeCount: stats.unsafeCount ?? 0,
+                periodStart: start.toISOString(),
+                periodEnd: end.toISOString(),
+            },
+        });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/usage/daily
+usageRouter.get("/daily", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const end = new Date();
+        const start = new Date(end.getTime() - 30 * 24 * 60 * 60 * 1000);
+        const data = await usage.daily(start.toISOString(), end.toISOString(), tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/schemas/validation.js

@@ -0,0 +1,77 @@
+import { z } from "zod";
+/**
+ * OpenTrust API — Zod Validation Schemas
+ *
+ * Centralised request validation schemas for key API endpoints.
+ * Import and use with schema.parse(req.body) or schema.safeParse(req.body).
+ */
+// ── Auth ──────────────────────────────────────────────────────────────────────
+/** POST /api/auth/login */
+export const loginSchema = z.object({
+    email: z.string().email("A valid email address is required"),
+    apiKey: z.string().min(10, "API key must be at least 10 characters"),
+});
+// ── Agents ────────────────────────────────────────────────────────────────────
+/** POST /api/agents */
+export const createAgentSchema = z.object({
+    name: z.string().min(1, "Name is required").max(100, "Name must be 100 characters or fewer"),
+    description: z.string().optional(),
+    provider: z
+        .enum(["openclaw", "langchain", "crewai", "autogen", "custom"])
+        .optional(),
+});
+/** PUT /api/agents/:id */
+export const updateAgentSchema = z.object({
+    name: z.string().min(1).max(100).optional(),
+    description: z.string().optional(),
+    status: z.string().optional(),
+    provider: z
+        .enum(["openclaw", "langchain", "crewai", "autogen", "custom"])
+        .optional(),
+    metadata: z.record(z.unknown()).optional(),
+});
+// ── Policies ──────────────────────────────────────────────────────────────────
+/** POST /api/policies */
+export const createPolicySchema = z.object({
+    name: z.string().min(1, "Name is required"),
+    description: z.string().optional(),
+    scannerIds: z.array(z.string()).min(1, "At least one scannerId is required"),
+    action: z.enum(["block", "alert", "log"]),
+    sensitivityThreshold: z
+        .number()
+        .min(0, "sensitivityThreshold must be between 0 and 1")
+        .max(1, "sensitivityThreshold must be between 0 and 1"),
+});
+// ── Detection ─────────────────────────────────────────────────────────────────
+/** POST /api/detect */
+export const detectSchema = z.object({
+    messages: z
+        .array(z.unknown())
+        .min(1, "messages array must contain at least one item"),
+    format: z
+        .enum(["openai", "anthropic", "gemini", "raw"])
+        .optional(),
+    role: z
+        .enum(["system", "user", "assistant", "tool"])
+        .optional(),
+    agentId: z.string().optional(),
+});
+// ── Observations ──────────────────────────────────────────────────────────────
+/** POST /api/observations (single item) */
+export const observationSchema = z.object({
+    agentId: z.string().min(1, "agentId is required"),
+    toolName: z.string().min(1, "toolName is required"),
+    params: z.record(z.unknown()).optional(),
+    phase: z.enum(["before", "after"]),
+    sessionKey: z.string().optional(),
+    result: z.unknown().optional(),
+    error: z.string().optional(),
+    durationMs: z.number().int().nonnegative().optional(),
+    blocked: z.boolean().optional(),
+    blockReason: z.string().optional(),
+});
+/** POST /api/observations (accepts single object or array) */
+export const observationsBodySchema = z.union([
+    observationSchema,
+    z.array(observationSchema).min(1),
+]);

package/dist/services/core-client.js

@@ -0,0 +1,56 @@
+import { db, settingsQueries } from "@opentrust/db";
+const settings = settingsQueries(db);
+/** Get core URL from settings or env */
+async function getCoreUrl() {
+    return (await settings.get("og_core_url")) || process.env.OG_CORE_URL || "http://localhost:53666";
+}
+/** Get core key from settings */
+async function getCoreKey() {
+    return (await settings.get("og_core_key")) || "";
+}
+/**
+ * Call core detection API.
+ * Uses core key from settings for authentication.
+ */
+export async function callCoreDetect(messages, scanners, options) {
+    const coreUrl = await getCoreUrl();
+    const coreKey = await getCoreKey();
+    const body = {
+        messages,
+        scanners,
+        format: options?.format,
+        role: options?.role,
+    };
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    if (coreKey) {
+        headers["Authorization"] = `Bearer ${coreKey}`;
+    }
+    const res = await fetch(`${coreUrl}/v1/detect`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`core returned ${res.status}: ${text}`);
+    }
+    const json = await res.json();
+    if (!json.success) {
+        throw new Error(`core error: ${json.error}`);
+    }
+    return json.data;
+}
+/** Check core health */
+export async function checkCoreHealth() {
+    try {
+        const coreUrl = await getCoreUrl();
+        const res = await fetch(`${coreUrl}/health`);
+        const json = await res.json();
+        return json.status === "ok";
+    }
+    catch {
+        return false;
+    }
+}

package/dist/services/discovery.js

@@ -0,0 +1 @@
+export {};

package/dist/services/tier-service.js

@@ -0,0 +1,18 @@
+import { TIERS } from "@opentrust/shared";
+/** Check if a tier has a specific feature */
+export function tierHasFeature(tier, feature) {
+    const config = TIERS[tier];
+    return config ? config.features.includes(feature) : false;
+}
+/** Get all features available for a tier */
+export function getTierFeatures(tier) {
+    const config = TIERS[tier];
+    return config ? [...config.features] : [];
+}
+/** Check if agent count is within tier limits */
+export function canAddAgent(tier, currentCount) {
+    const config = TIERS[tier];
+    if (!config)
+        return false;
+    return currentCount < config.maxAgents;
+}

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "@opentrust/dashboard",
+  "version": "7.1.0",
+  "type": "module",
+  "description": "OpenTrust Dashboard — management panel for AI Agent security (API + embedded web)",
+  "main": "dist/index.js",
+  "bin": {
+    "opentrust-dashboard": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "public"
+  ],
+  "dependencies": {
+    "cors": "^2.8.5",
+    "express": "^4.21.0",
+    "express-rate-limit": "^7.4.0",
+    "helmet": "^8.0.0",
+    "morgan": "^1.10.0",
+    "nodemailer": "^8.0.1",
+    "zod": "^3.23.0",
+    "@opentrust/db": "7.1.0",
+    "@opentrust/shared": "7.1.0"
+  },
+  "devDependencies": {
+    "@types/cors": "^2.8.17",
+    "@types/express": "^5.0.0",
+    "@types/morgan": "^1.9.9",
+    "@types/node": "^22.0.0",
+    "@types/nodemailer": "^7.0.10",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opentrust/opentrust.git",
+    "directory": "dashboard/apps/api"
+  },
+  "author": "OpenTrust",
+  "license": "Apache-2.0",
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx watch --env-file-if-exists=../../.env src/index.ts",
+    "start": "node dist/index.js"
+  }
+}