@wytness/sdk 0.3.1 → 0.5.0

package/README.md

@@ -30,9 +30,11 @@ await sendEmail("team@company.com", "Report", "Weekly summary");
 
 ## Features
 
+- **Response capture** — AI agent responses are automatically captured, truncated to 5K chars, and PII-redacted
+- **PII redaction** — emails, SSN, TFN, credit cards, and phone numbers are automatically redacted from responses and parameter values
 - **Cryptographic signing** — every event is signed with Ed25519 (tweetnacl)
 - **Hash chaining** — tamper-evident chain of events per agent session
-- **Automatic redaction** — secrets in parameters are automatically redacted
+- **Automatic secret redaction** — secrets in parameter names are automatically redacted
 - **HTTP transport** — stream events to api.wytness.dev over HTTPS
 - **File fallback** — events are saved locally if the API is unreachable
 
@@ -66,7 +68,7 @@ const client = new AuditClient({
 
 ### `auditTool(client, fn, options)`
 
-Wraps a function to automatically log audit events. Captures function name, parameters, execution duration, success/failure status, cryptographic signature, and hash chain link.
+Wraps a function to automatically log audit events. Captures function name, parameters, **response text** (truncated to 5K chars, PII-redacted), execution duration, success/failure status, cryptographic signature, and hash chain link.
 
 ### `client.sessionId`
 
@@ -114,6 +116,7 @@ import {
   AuditClientOptions,
   auditTool,
   hashValue,
+  redactPii,
   AuditEvent,
   AuditEventSchema,
   generateKeypair,

package/dist/index.cjs

@@ -32,12 +32,14 @@ var src_exports = {};
 __export(src_exports, {
   AuditClient: () => AuditClient,
   AuditEventSchema: () => AuditEventSchema,
+  SessionTokenizer: () => SessionTokenizer,
   auditTool: () => auditTool,
   computeEventHash: () => computeEventHash,
   createFileEmitter: () => createFileEmitter,
   createHttpEmitter: () => createHttpEmitter,
   generateKeypair: () => generateKeypair,
   hashValue: () => hashValue,
+  redactPii: () => redactPii,
   signEvent: () => signEvent,
   verifyChain: () => verifyChain,
   verifyEvent: () => verifyEvent
@@ -72,6 +74,7 @@ var AuditEventSchema = import_zod.z.object({
   inputs_source: import_zod.z.string().default(""),
   outputs_hash: import_zod.z.string().default(""),
   outputs_destination: import_zod.z.string().default(""),
+  response: import_zod.z.string().default(""),
   // Layer 5: Outcome
   status: import_zod.z.string().default("success"),
   error_code: import_zod.z.string().nullable().default(null),
@@ -79,7 +82,10 @@ var AuditEventSchema = import_zod.z.object({
   retry_count: import_zod.z.number().int().default(0),
   // Chain integrity
   prev_event_hash: import_zod.z.string().default(""),
-  signature: import_zod.z.string().default("")
+  signature: import_zod.z.string().default(""),
+  // Pseudonymization
+  encrypted_token_map: import_zod.z.string().default(""),
+  pseudonymization_version: import_zod.z.string().default("")
 });
 
 // src/signing.ts
@@ -230,9 +236,150 @@ async function flushPending() {
 }
 
 // src/client.ts
-var import_crypto3 = require("crypto");
+var import_crypto4 = require("crypto");
 var import_fs2 = require("fs");
 var import_path2 = require("path");
+
+// src/tokenizer.ts
+var import_crypto3 = require("crypto");
+var import_tweetnacl2 = __toESM(require("tweetnacl"), 1);
+var import_tweetnacl_util2 = require("tweetnacl-util");
+var SECRET_PATTERN = /key|secret|token|password|passwd|pwd|credential|auth/i;
+var PII_PATTERNS = [
+  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, "EMAIL"],
+  [/\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g, "SSN"],
+  [/\b\d{3}[-.\s]?\d{3}[-.\s]?\d{3}\b/g, "TFN"],
+  [/\b(?:\d{4}[-\s]?){3}\d{4}\b/g, "CARD"],
+  [/\b(?:\+?\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, "PHONE"]
+];
+function hmacPseudonym(value, secret, piiType = "PII") {
+  const digest = (0, import_crypto3.createHmac)("sha256", secret).update(value, "utf-8").digest("hex");
+  return `${piiType}_${digest.slice(0, 8)}`;
+}
+var SessionTokenizer = class {
+  _hmacSecret;
+  _encryptionPub;
+  _piiFields;
+  _tokenMap = {};
+  // pseudonym → original
+  _reverseMap = {};
+  // original → pseudonym
+  /**
+   * @param hmacSecret 32-byte secret for deterministic pseudonyms.
+   * @param encryptionPublicKey 32-byte X25519 public key for encrypting the token map.
+   * @param piiFields Parameter names whose values should be fully pseudonymized.
+   */
+  constructor(hmacSecret, encryptionPublicKey, piiFields = []) {
+    this._hmacSecret = hmacSecret;
+    this._encryptionPub = encryptionPublicKey;
+    this._piiFields = piiFields;
+  }
+  get tokenMap() {
+    return { ...this._tokenMap };
+  }
+  addMapping(original, pseudonym) {
+    this._tokenMap[pseudonym] = original;
+    this._reverseMap[original] = pseudonym;
+  }
+  pseudonymizeValue(value, fieldPath = "") {
+    if (!value || !value.trim())
+      return value;
+    if (this._piiFields.includes(fieldPath)) {
+      if (this._reverseMap[value])
+        return this._reverseMap[value];
+      const pseudonym = hmacPseudonym(value, this._hmacSecret);
+      this.addMapping(value, pseudonym);
+      return pseudonym;
+    }
+    return value;
+  }
+  pseudonymizeText(text) {
+    if (!text)
+      return text;
+    const known = Object.keys(this._reverseMap).sort(
+      (a, b) => b.length - a.length
+    );
+    for (const original of known) {
+      if (text.includes(original)) {
+        text = text.split(original).join(this._reverseMap[original]);
+      }
+    }
+    for (const [pattern, piiType] of PII_PATTERNS) {
+      pattern.lastIndex = 0;
+      text = text.replace(pattern, (matched) => {
+        if (this._reverseMap[matched])
+          return this._reverseMap[matched];
+        const pseudonym = hmacPseudonym(matched, this._hmacSecret, piiType);
+        this.addMapping(matched, pseudonym);
+        return pseudonym;
+      });
+    }
+    return text;
+  }
+  pseudonymizeParams(params) {
+    const result = {};
+    for (const [k, v] of Object.entries(params)) {
+      if (SECRET_PATTERN.test(k)) {
+        result[k] = "[REDACTED]";
+      } else if (this._piiFields.includes(k)) {
+        const val = String(v).slice(0, 500);
+        result[k] = this.pseudonymizeValue(val, k);
+      } else {
+        const val = String(v).slice(0, 500);
+        result[k] = this.pseudonymizeText(val);
+      }
+    }
+    return result;
+  }
+  /**
+   * Encrypt the token map with the customer's X25519 public key.
+   *
+   * Format: base64([ephemeral_pub 32B][nonce 24B][ciphertext])
+   * Uses NaCl box (X25519 + XSalsa20-Poly1305).
+   */
+  encryptTokenMap() {
+    const plaintext = Buffer.from(
+      JSON.stringify(this._tokenMap),
+      "utf-8"
+    );
+    const ephemeral = import_tweetnacl2.default.box.keyPair();
+    const nonce = import_tweetnacl2.default.randomBytes(24);
+    const ciphertext = import_tweetnacl2.default.box(
+      plaintext,
+      nonce,
+      this._encryptionPub,
+      ephemeral.secretKey
+    );
+    if (!ciphertext) {
+      throw new Error("Encryption failed");
+    }
+    const packed = new Uint8Array(32 + 24 + ciphertext.length);
+    packed.set(ephemeral.publicKey, 0);
+    packed.set(nonce, 32);
+    packed.set(ciphertext, 56);
+    return (0, import_tweetnacl_util2.encodeBase64)(packed);
+  }
+  /**
+   * Decrypt a token map using the customer's X25519 private key.
+   *
+   * @param encryptedB64 Base64-encoded encrypted blob from encryptTokenMap().
+   * @param privateKey 32-byte X25519 private (secret) key.
+   * @returns The token map (pseudonym → original).
+   */
+  static decryptTokenMap(encryptedB64, privateKey) {
+    const packed = (0, import_tweetnacl_util2.decodeBase64)(encryptedB64);
+    const ephemeralPub = packed.slice(0, 32);
+    const nonce = packed.slice(32, 56);
+    const ciphertext = packed.slice(56);
+    const plaintext = import_tweetnacl2.default.box.open(ciphertext, nonce, ephemeralPub, privateKey);
+    if (!plaintext) {
+      throw new Error("Decryption failed \u2014 wrong key or corrupted data");
+    }
+    return JSON.parse(Buffer.from(plaintext).toString("utf-8"));
+  }
+};
+
+// src/client.ts
 var AuditClient = class {
   agentId;
   agentVersion;
@@ -241,11 +388,12 @@ var AuditClient = class {
   _sessionId;
   _secretKey;
   _emit;
+  _tokenizer = null;
   constructor(options) {
     this.agentId = options.agentId;
     this.agentVersion = options.agentVersion ?? "0.1.0";
     this.humanOperatorId = options.humanOperatorId ?? "unknown";
-    this._sessionId = (0, import_crypto3.randomUUID)();
+    this._sessionId = (0, import_crypto4.randomUUID)();
     if (options.signingKey) {
       this._secretKey = new Uint8Array(Buffer.from(options.signingKey, "base64"));
     } else {
@@ -270,10 +418,18 @@ var AuditClient = class {
     } else {
       this._emit = createFileEmitter(fallback);
     }
+    if (options.piiHmacSecret && options.encryptionPublicKey) {
+      const hmacBytes = new Uint8Array(Buffer.from(options.piiHmacSecret, "base64"));
+      const pubBytes = new Uint8Array(Buffer.from(options.encryptionPublicKey, "base64"));
+      this._tokenizer = new SessionTokenizer(hmacBytes, pubBytes, options.piiFields ?? []);
+    }
   }
   get sessionId() {
     return this._sessionId;
   }
+  get tokenizer() {
+    return this._tokenizer;
+  }
   /** Record an audit event. Never throws — errors are logged and swallowed. */
   record(event) {
     try {
@@ -297,39 +453,87 @@ var AuditClient = class {
 };
 
 // src/decorator.ts
-var import_crypto4 = require("crypto");
-var SECRET_PATTERN = /key|secret|token|password|passwd|pwd|credential|auth/i;
+var import_crypto5 = require("crypto");
+var SECRET_PATTERN2 = /key|secret|token|password|passwd|pwd|credential|auth/i;
+var PII_PATTERNS2 = [
+  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, "[EMAIL_REDACTED]"],
+  [/\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g, "[SSN_REDACTED]"],
+  [/\b\d{3}[-.\s]?\d{3}[-.\s]?\d{3}\b/g, "[TFN_REDACTED]"],
+  [/\b(?:\d{4}[-\s]?){3}\d{4}\b/g, "[CARD_REDACTED]"],
+  [/\b(?:\+?\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, "[PHONE_REDACTED]"]
+];
+var RESPONSE_MAX_CHARS = 5e3;
+function redactPii(text) {
+  for (const [pattern, replacement] of PII_PATTERNS2) {
+    pattern.lastIndex = 0;
+    text = text.replace(pattern, replacement);
+  }
+  return text;
+}
 function sanitise(params) {
   const result = {};
   for (const [k, v] of Object.entries(params)) {
-    result[k] = SECRET_PATTERN.test(k) ? "[REDACTED]" : String(v).slice(0, 500);
+    if (SECRET_PATTERN2.test(k)) {
+      result[k] = "[REDACTED]";
+    } else {
+      result[k] = redactPii(String(v).slice(0, 500));
+    }
   }
   return result;
 }
 function hashValue(value) {
-  return (0, import_crypto4.createHash)("sha256").update(JSON.stringify(value, null, 0)).digest("hex");
+  return (0, import_crypto5.createHash)("sha256").update(JSON.stringify(value, null, 0)).digest("hex");
 }
 function recordEvent(client, toolName, taskId, prompt, args, start, status, errorCode, result) {
   const params = {};
   args.forEach((arg, i) => {
     params[`arg${i}`] = arg;
   });
-  const event = AuditEventSchema.parse({
-    agent_id: client.agentId,
-    agent_version: client.agentVersion,
-    human_operator_id: client.humanOperatorId,
-    task_id: taskId,
-    session_id: client.sessionId,
-    tool_name: toolName,
-    tool_parameters: sanitise(params),
-    prompt,
-    inputs_hash: hashValue(args),
-    outputs_hash: result != null ? hashValue(result) : "",
-    status,
-    error_code: errorCode,
-    duration_ms: Math.round(performance.now() - start)
-  });
-  client.record(event);
+  const outputsHash = result != null ? hashValue(result) : "";
+  const tokenizer = client.tokenizer;
+  if (tokenizer) {
+    const pseudonymizedParams = tokenizer.pseudonymizeParams(params);
+    const pseudonymizedPrompt = prompt ? tokenizer.pseudonymizeText(prompt) : "";
+    const response = result != null ? tokenizer.pseudonymizeText(String(result).slice(0, RESPONSE_MAX_CHARS)) : "";
+    const event = AuditEventSchema.parse({
+      agent_id: client.agentId,
+      agent_version: client.agentVersion,
+      human_operator_id: client.humanOperatorId,
+      task_id: taskId,
+      session_id: client.sessionId,
+      tool_name: toolName,
+      tool_parameters: pseudonymizedParams,
+      prompt: pseudonymizedPrompt,
+      inputs_hash: hashValue(args),
+      outputs_hash: outputsHash,
+      response,
+      status,
+      error_code: errorCode,
+      duration_ms: Math.round(performance.now() - start),
+      encrypted_token_map: tokenizer.encryptTokenMap(),
+      pseudonymization_version: "1.0"
+    });
+    client.record(event);
+  } else {
+    const response = result != null ? redactPii(String(result).slice(0, RESPONSE_MAX_CHARS)) : "";
+    const event = AuditEventSchema.parse({
+      agent_id: client.agentId,
+      agent_version: client.agentVersion,
+      human_operator_id: client.humanOperatorId,
+      task_id: taskId,
+      session_id: client.sessionId,
+      tool_name: toolName,
+      tool_parameters: sanitise(params),
+      prompt,
+      inputs_hash: hashValue(args),
+      outputs_hash: outputsHash,
+      response,
+      status,
+      error_code: errorCode,
+      duration_ms: Math.round(performance.now() - start)
+    });
+    client.record(event);
+  }
 }
 function wrapFn(client, fn, toolName, taskId, prompt) {
   const wrapped = function(...args) {
@@ -375,12 +579,14 @@ function auditTool(client, fnOrTaskId, options) {
 0 && (module.exports = {
   AuditClient,
   AuditEventSchema,
+  SessionTokenizer,
   auditTool,
   computeEventHash,
   createFileEmitter,
   createHttpEmitter,
   generateKeypair,
   hashValue,
+  redactPii,
   signEvent,
   verifyChain,
   verifyEvent

package/dist/index.d.cts

@@ -21,12 +21,15 @@ declare const AuditEventSchema: z.ZodObject<{
     inputs_source: z.ZodDefault<z.ZodString>;
     outputs_hash: z.ZodDefault<z.ZodString>;
     outputs_destination: z.ZodDefault<z.ZodString>;
+    response: z.ZodDefault<z.ZodString>;
     status: z.ZodDefault<z.ZodString>;
     error_code: z.ZodDefault<z.ZodNullable<z.ZodString>>;
     duration_ms: z.ZodDefault<z.ZodNumber>;
     retry_count: z.ZodDefault<z.ZodNumber>;
     prev_event_hash: z.ZodDefault<z.ZodString>;
     signature: z.ZodDefault<z.ZodString>;
+    encrypted_token_map: z.ZodDefault<z.ZodString>;
+    pseudonymization_version: z.ZodDefault<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     event_id: string;
     agent_id: string;
@@ -49,11 +52,14 @@ declare const AuditEventSchema: z.ZodObject<{
     inputs_source: string;
     outputs_hash: string;
     outputs_destination: string;
+    response: string;
     error_code: string | null;
     duration_ms: number;
     retry_count: number;
     prev_event_hash: string;
     signature: string;
+    encrypted_token_map: string;
+    pseudonymization_version: string;
 }, {
     agent_id: string;
     agent_version: string;
@@ -76,11 +82,14 @@ declare const AuditEventSchema: z.ZodObject<{
     inputs_source?: string | undefined;
     outputs_hash?: string | undefined;
     outputs_destination?: string | undefined;
+    response?: string | undefined;
     error_code?: string | null | undefined;
     duration_ms?: number | undefined;
     retry_count?: number | undefined;
     prev_event_hash?: string | undefined;
     signature?: string | undefined;
+    encrypted_token_map?: string | undefined;
+    pseudonymization_version?: string | undefined;
 }>;
 type AuditEvent = z.infer<typeof AuditEventSchema>;
 
@@ -103,6 +112,47 @@ type EmitFn = (eventDict: Record<string, unknown>) => void;
 declare function createHttpEmitter(apiUrl: string, apiKey: string, fallbackPath: string): EmitFn;
 declare function createFileEmitter(fallbackPath: string): EmitFn;
 
+/**
+ * Zero-knowledge PII pseudonymization with encrypted token map.
+ *
+ * Replaces PII with deterministic HMAC-based pseudonyms and encrypts the
+ * original-to-pseudonym mapping with the customer's X25519 public key.
+ * Wytness never sees the real PII — only the customer can decrypt the map.
+ */
+declare class SessionTokenizer {
+    private _hmacSecret;
+    private _encryptionPub;
+    private _piiFields;
+    private _tokenMap;
+    private _reverseMap;
+    /**
+     * @param hmacSecret 32-byte secret for deterministic pseudonyms.
+     * @param encryptionPublicKey 32-byte X25519 public key for encrypting the token map.
+     * @param piiFields Parameter names whose values should be fully pseudonymized.
+     */
+    constructor(hmacSecret: Uint8Array, encryptionPublicKey: Uint8Array, piiFields?: string[]);
+    get tokenMap(): Record<string, string>;
+    private addMapping;
+    pseudonymizeValue(value: string, fieldPath?: string): string;
+    pseudonymizeText(text: string): string;
+    pseudonymizeParams(params: Record<string, unknown>): Record<string, unknown>;
+    /**
+     * Encrypt the token map with the customer's X25519 public key.
+     *
+     * Format: base64([ephemeral_pub 32B][nonce 24B][ciphertext])
+     * Uses NaCl box (X25519 + XSalsa20-Poly1305).
+     */
+    encryptTokenMap(): string;
+    /**
+     * Decrypt a token map using the customer's X25519 private key.
+     *
+     * @param encryptedB64 Base64-encoded encrypted blob from encryptTokenMap().
+     * @param privateKey 32-byte X25519 private (secret) key.
+     * @returns The token map (pseudonym → original).
+     */
+    static decryptTokenMap(encryptedB64: string, privateKey: Uint8Array): Record<string, string>;
+}
+
 interface AuditClientOptions {
     agentId: string;
     agentVersion?: string;
@@ -112,6 +162,9 @@ interface AuditClientOptions {
     fallbackLogPath?: string;
     httpApiKey?: string;
     httpEndpoint?: string;
+    piiHmacSecret?: string;
+    encryptionPublicKey?: string;
+    piiFields?: string[];
 }
 declare class AuditClient {
     readonly agentId: string;
@@ -121,8 +174,10 @@ declare class AuditClient {
     private _sessionId;
     private _secretKey;
     private _emit;
+    private _tokenizer;
     constructor(options: AuditClientOptions);
     get sessionId(): string;
+    get tokenizer(): SessionTokenizer | null;
     /** Record an audit event. Never throws — errors are logged and swallowed. */
     record(event: AuditEvent): void;
     /**
@@ -133,6 +188,7 @@ declare class AuditClient {
     flush(): Promise<void>;
 }
 
+declare function redactPii(text: string): string;
 declare function hashValue(value: unknown): string;
 interface AuditToolOptions {
     toolName?: string;
@@ -153,4 +209,4 @@ interface AuditToolOptions {
  */
 declare function auditTool(client: AuditClient, fnOrTaskId?: ((...args: unknown[]) => unknown) | string, options?: AuditToolOptions | string): any;
 
-export { AuditClient, type AuditClientOptions, type AuditEvent, AuditEventSchema, auditTool, computeEventHash, createFileEmitter, createHttpEmitter, generateKeypair, hashValue, signEvent, verifyChain, verifyEvent };
+export { AuditClient, type AuditClientOptions, type AuditEvent, AuditEventSchema, SessionTokenizer, auditTool, computeEventHash, createFileEmitter, createHttpEmitter, generateKeypair, hashValue, redactPii, signEvent, verifyChain, verifyEvent };

package/dist/index.d.ts

@@ -21,12 +21,15 @@ declare const AuditEventSchema: z.ZodObject<{
     inputs_source: z.ZodDefault<z.ZodString>;
     outputs_hash: z.ZodDefault<z.ZodString>;
     outputs_destination: z.ZodDefault<z.ZodString>;
+    response: z.ZodDefault<z.ZodString>;
     status: z.ZodDefault<z.ZodString>;
     error_code: z.ZodDefault<z.ZodNullable<z.ZodString>>;
     duration_ms: z.ZodDefault<z.ZodNumber>;
     retry_count: z.ZodDefault<z.ZodNumber>;
     prev_event_hash: z.ZodDefault<z.ZodString>;
     signature: z.ZodDefault<z.ZodString>;
+    encrypted_token_map: z.ZodDefault<z.ZodString>;
+    pseudonymization_version: z.ZodDefault<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     event_id: string;
     agent_id: string;
@@ -49,11 +52,14 @@ declare const AuditEventSchema: z.ZodObject<{
     inputs_source: string;
     outputs_hash: string;
     outputs_destination: string;
+    response: string;
     error_code: string | null;
     duration_ms: number;
     retry_count: number;
     prev_event_hash: string;
     signature: string;
+    encrypted_token_map: string;
+    pseudonymization_version: string;
 }, {
     agent_id: string;
     agent_version: string;
@@ -76,11 +82,14 @@ declare const AuditEventSchema: z.ZodObject<{
     inputs_source?: string | undefined;
     outputs_hash?: string | undefined;
     outputs_destination?: string | undefined;
+    response?: string | undefined;
     error_code?: string | null | undefined;
     duration_ms?: number | undefined;
     retry_count?: number | undefined;
     prev_event_hash?: string | undefined;
     signature?: string | undefined;
+    encrypted_token_map?: string | undefined;
+    pseudonymization_version?: string | undefined;
 }>;
 type AuditEvent = z.infer<typeof AuditEventSchema>;
 
@@ -103,6 +112,47 @@ type EmitFn = (eventDict: Record<string, unknown>) => void;
 declare function createHttpEmitter(apiUrl: string, apiKey: string, fallbackPath: string): EmitFn;
 declare function createFileEmitter(fallbackPath: string): EmitFn;
 
+/**
+ * Zero-knowledge PII pseudonymization with encrypted token map.
+ *
+ * Replaces PII with deterministic HMAC-based pseudonyms and encrypts the
+ * original-to-pseudonym mapping with the customer's X25519 public key.
+ * Wytness never sees the real PII — only the customer can decrypt the map.
+ */
+declare class SessionTokenizer {
+    private _hmacSecret;
+    private _encryptionPub;
+    private _piiFields;
+    private _tokenMap;
+    private _reverseMap;
+    /**
+     * @param hmacSecret 32-byte secret for deterministic pseudonyms.
+     * @param encryptionPublicKey 32-byte X25519 public key for encrypting the token map.
+     * @param piiFields Parameter names whose values should be fully pseudonymized.
+     */
+    constructor(hmacSecret: Uint8Array, encryptionPublicKey: Uint8Array, piiFields?: string[]);
+    get tokenMap(): Record<string, string>;
+    private addMapping;
+    pseudonymizeValue(value: string, fieldPath?: string): string;
+    pseudonymizeText(text: string): string;
+    pseudonymizeParams(params: Record<string, unknown>): Record<string, unknown>;
+    /**
+     * Encrypt the token map with the customer's X25519 public key.
+     *
+     * Format: base64([ephemeral_pub 32B][nonce 24B][ciphertext])
+     * Uses NaCl box (X25519 + XSalsa20-Poly1305).
+     */
+    encryptTokenMap(): string;
+    /**
+     * Decrypt a token map using the customer's X25519 private key.
+     *
+     * @param encryptedB64 Base64-encoded encrypted blob from encryptTokenMap().
+     * @param privateKey 32-byte X25519 private (secret) key.
+     * @returns The token map (pseudonym → original).
+     */
+    static decryptTokenMap(encryptedB64: string, privateKey: Uint8Array): Record<string, string>;
+}
+
 interface AuditClientOptions {
     agentId: string;
     agentVersion?: string;
@@ -112,6 +162,9 @@ interface AuditClientOptions {
     fallbackLogPath?: string;
     httpApiKey?: string;
     httpEndpoint?: string;
+    piiHmacSecret?: string;
+    encryptionPublicKey?: string;
+    piiFields?: string[];
 }
 declare class AuditClient {
     readonly agentId: string;
@@ -121,8 +174,10 @@ declare class AuditClient {
     private _sessionId;
     private _secretKey;
     private _emit;
+    private _tokenizer;
     constructor(options: AuditClientOptions);
     get sessionId(): string;
+    get tokenizer(): SessionTokenizer | null;
     /** Record an audit event. Never throws — errors are logged and swallowed. */
     record(event: AuditEvent): void;
     /**
@@ -133,6 +188,7 @@ declare class AuditClient {
     flush(): Promise<void>;
 }
 
+declare function redactPii(text: string): string;
 declare function hashValue(value: unknown): string;
 interface AuditToolOptions {
     toolName?: string;
@@ -153,4 +209,4 @@ interface AuditToolOptions {
  */
 declare function auditTool(client: AuditClient, fnOrTaskId?: ((...args: unknown[]) => unknown) | string, options?: AuditToolOptions | string): any;
 
-export { AuditClient, type AuditClientOptions, type AuditEvent, AuditEventSchema, auditTool, computeEventHash, createFileEmitter, createHttpEmitter, generateKeypair, hashValue, signEvent, verifyChain, verifyEvent };
+export { AuditClient, type AuditClientOptions, type AuditEvent, AuditEventSchema, SessionTokenizer, auditTool, computeEventHash, createFileEmitter, createHttpEmitter, generateKeypair, hashValue, redactPii, signEvent, verifyChain, verifyEvent };

package/dist/index.js

@@ -26,6 +26,7 @@ var AuditEventSchema = z.object({
   inputs_source: z.string().default(""),
   outputs_hash: z.string().default(""),
   outputs_destination: z.string().default(""),
+  response: z.string().default(""),
   // Layer 5: Outcome
   status: z.string().default("success"),
   error_code: z.string().nullable().default(null),
@@ -33,7 +34,10 @@ var AuditEventSchema = z.object({
   retry_count: z.number().int().default(0),
   // Chain integrity
   prev_event_hash: z.string().default(""),
-  signature: z.string().default("")
+  signature: z.string().default(""),
+  // Pseudonymization
+  encrypted_token_map: z.string().default(""),
+  pseudonymization_version: z.string().default("")
 });
 
 // src/signing.ts
@@ -187,6 +191,147 @@ async function flushPending() {
 import { randomUUID as randomUUID2 } from "crypto";
 import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
 import { dirname as dirname2 } from "path";
+
+// src/tokenizer.ts
+import { createHmac } from "crypto";
+import nacl2 from "tweetnacl";
+import { encodeBase64 as encodeBase642, decodeBase64 as decodeBase642 } from "tweetnacl-util";
+var SECRET_PATTERN = /key|secret|token|password|passwd|pwd|credential|auth/i;
+var PII_PATTERNS = [
+  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, "EMAIL"],
+  [/\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g, "SSN"],
+  [/\b\d{3}[-.\s]?\d{3}[-.\s]?\d{3}\b/g, "TFN"],
+  [/\b(?:\d{4}[-\s]?){3}\d{4}\b/g, "CARD"],
+  [/\b(?:\+?\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, "PHONE"]
+];
+function hmacPseudonym(value, secret, piiType = "PII") {
+  const digest = createHmac("sha256", secret).update(value, "utf-8").digest("hex");
+  return `${piiType}_${digest.slice(0, 8)}`;
+}
+var SessionTokenizer = class {
+  _hmacSecret;
+  _encryptionPub;
+  _piiFields;
+  _tokenMap = {};
+  // pseudonym → original
+  _reverseMap = {};
+  // original → pseudonym
+  /**
+   * @param hmacSecret 32-byte secret for deterministic pseudonyms.
+   * @param encryptionPublicKey 32-byte X25519 public key for encrypting the token map.
+   * @param piiFields Parameter names whose values should be fully pseudonymized.
+   */
+  constructor(hmacSecret, encryptionPublicKey, piiFields = []) {
+    this._hmacSecret = hmacSecret;
+    this._encryptionPub = encryptionPublicKey;
+    this._piiFields = piiFields;
+  }
+  get tokenMap() {
+    return { ...this._tokenMap };
+  }
+  addMapping(original, pseudonym) {
+    this._tokenMap[pseudonym] = original;
+    this._reverseMap[original] = pseudonym;
+  }
+  pseudonymizeValue(value, fieldPath = "") {
+    if (!value || !value.trim())
+      return value;
+    if (this._piiFields.includes(fieldPath)) {
+      if (this._reverseMap[value])
+        return this._reverseMap[value];
+      const pseudonym = hmacPseudonym(value, this._hmacSecret);
+      this.addMapping(value, pseudonym);
+      return pseudonym;
+    }
+    return value;
+  }
+  pseudonymizeText(text) {
+    if (!text)
+      return text;
+    const known = Object.keys(this._reverseMap).sort(
+      (a, b) => b.length - a.length
+    );
+    for (const original of known) {
+      if (text.includes(original)) {
+        text = text.split(original).join(this._reverseMap[original]);
+      }
+    }
+    for (const [pattern, piiType] of PII_PATTERNS) {
+      pattern.lastIndex = 0;
+      text = text.replace(pattern, (matched) => {
+        if (this._reverseMap[matched])
+          return this._reverseMap[matched];
+        const pseudonym = hmacPseudonym(matched, this._hmacSecret, piiType);
+        this.addMapping(matched, pseudonym);
+        return pseudonym;
+      });
+    }
+    return text;
+  }
+  pseudonymizeParams(params) {
+    const result = {};
+    for (const [k, v] of Object.entries(params)) {
+      if (SECRET_PATTERN.test(k)) {
+        result[k] = "[REDACTED]";
+      } else if (this._piiFields.includes(k)) {
+        const val = String(v).slice(0, 500);
+        result[k] = this.pseudonymizeValue(val, k);
+      } else {
+        const val = String(v).slice(0, 500);
+        result[k] = this.pseudonymizeText(val);
+      }
+    }
+    return result;
+  }
+  /**
+   * Encrypt the token map with the customer's X25519 public key.
+   *
+   * Format: base64([ephemeral_pub 32B][nonce 24B][ciphertext])
+   * Uses NaCl box (X25519 + XSalsa20-Poly1305).
+   */
+  encryptTokenMap() {
+    const plaintext = Buffer.from(
+      JSON.stringify(this._tokenMap),
+      "utf-8"
+    );
+    const ephemeral = nacl2.box.keyPair();
+    const nonce = nacl2.randomBytes(24);
+    const ciphertext = nacl2.box(
+      plaintext,
+      nonce,
+      this._encryptionPub,
+      ephemeral.secretKey
+    );
+    if (!ciphertext) {
+      throw new Error("Encryption failed");
+    }
+    const packed = new Uint8Array(32 + 24 + ciphertext.length);
+    packed.set(ephemeral.publicKey, 0);
+    packed.set(nonce, 32);
+    packed.set(ciphertext, 56);
+    return encodeBase642(packed);
+  }
+  /**
+   * Decrypt a token map using the customer's X25519 private key.
+   *
+   * @param encryptedB64 Base64-encoded encrypted blob from encryptTokenMap().
+   * @param privateKey 32-byte X25519 private (secret) key.
+   * @returns The token map (pseudonym → original).
+   */
+  static decryptTokenMap(encryptedB64, privateKey) {
+    const packed = decodeBase642(encryptedB64);
+    const ephemeralPub = packed.slice(0, 32);
+    const nonce = packed.slice(32, 56);
+    const ciphertext = packed.slice(56);
+    const plaintext = nacl2.box.open(ciphertext, nonce, ephemeralPub, privateKey);
+    if (!plaintext) {
+      throw new Error("Decryption failed \u2014 wrong key or corrupted data");
+    }
+    return JSON.parse(Buffer.from(plaintext).toString("utf-8"));
+  }
+};
+
+// src/client.ts
 var AuditClient = class {
   agentId;
   agentVersion;
@@ -195,6 +340,7 @@ var AuditClient = class {
   _sessionId;
   _secretKey;
   _emit;
+  _tokenizer = null;
   constructor(options) {
     this.agentId = options.agentId;
     this.agentVersion = options.agentVersion ?? "0.1.0";
@@ -224,10 +370,18 @@ var AuditClient = class {
     } else {
       this._emit = createFileEmitter(fallback);
     }
+    if (options.piiHmacSecret && options.encryptionPublicKey) {
+      const hmacBytes = new Uint8Array(Buffer.from(options.piiHmacSecret, "base64"));
+      const pubBytes = new Uint8Array(Buffer.from(options.encryptionPublicKey, "base64"));
+      this._tokenizer = new SessionTokenizer(hmacBytes, pubBytes, options.piiFields ?? []);
+    }
   }
   get sessionId() {
     return this._sessionId;
   }
+  get tokenizer() {
+    return this._tokenizer;
+  }
   /** Record an audit event. Never throws — errors are logged and swallowed. */
   record(event) {
     try {
@@ -251,39 +405,87 @@ var AuditClient = class {
 };
 
 // src/decorator.ts
-import { createHash as createHash2 } from "crypto";
-var SECRET_PATTERN = /key|secret|token|password|passwd|pwd|credential|auth/i;
+import { createHash as createHash3 } from "crypto";
+var SECRET_PATTERN2 = /key|secret|token|password|passwd|pwd|credential|auth/i;
+var PII_PATTERNS2 = [
+  [/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, "[EMAIL_REDACTED]"],
+  [/\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g, "[SSN_REDACTED]"],
+  [/\b\d{3}[-.\s]?\d{3}[-.\s]?\d{3}\b/g, "[TFN_REDACTED]"],
+  [/\b(?:\d{4}[-\s]?){3}\d{4}\b/g, "[CARD_REDACTED]"],
+  [/\b(?:\+?\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, "[PHONE_REDACTED]"]
+];
+var RESPONSE_MAX_CHARS = 5e3;
+function redactPii(text) {
+  for (const [pattern, replacement] of PII_PATTERNS2) {
+    pattern.lastIndex = 0;
+    text = text.replace(pattern, replacement);
+  }
+  return text;
+}
 function sanitise(params) {
   const result = {};
   for (const [k, v] of Object.entries(params)) {
-    result[k] = SECRET_PATTERN.test(k) ? "[REDACTED]" : String(v).slice(0, 500);
+    if (SECRET_PATTERN2.test(k)) {
+      result[k] = "[REDACTED]";
+    } else {
+      result[k] = redactPii(String(v).slice(0, 500));
+    }
   }
   return result;
 }
 function hashValue(value) {
-  return createHash2("sha256").update(JSON.stringify(value, null, 0)).digest("hex");
+  return createHash3("sha256").update(JSON.stringify(value, null, 0)).digest("hex");
 }
 function recordEvent(client, toolName, taskId, prompt, args, start, status, errorCode, result) {
   const params = {};
   args.forEach((arg, i) => {
     params[`arg${i}`] = arg;
   });
-  const event = AuditEventSchema.parse({
-    agent_id: client.agentId,
-    agent_version: client.agentVersion,
-    human_operator_id: client.humanOperatorId,
-    task_id: taskId,
-    session_id: client.sessionId,
-    tool_name: toolName,
-    tool_parameters: sanitise(params),
-    prompt,
-    inputs_hash: hashValue(args),
-    outputs_hash: result != null ? hashValue(result) : "",
-    status,
-    error_code: errorCode,
-    duration_ms: Math.round(performance.now() - start)
-  });
-  client.record(event);
+  const outputsHash = result != null ? hashValue(result) : "";
+  const tokenizer = client.tokenizer;
+  if (tokenizer) {
+    const pseudonymizedParams = tokenizer.pseudonymizeParams(params);
+    const pseudonymizedPrompt = prompt ? tokenizer.pseudonymizeText(prompt) : "";
+    const response = result != null ? tokenizer.pseudonymizeText(String(result).slice(0, RESPONSE_MAX_CHARS)) : "";
+    const event = AuditEventSchema.parse({
+      agent_id: client.agentId,
+      agent_version: client.agentVersion,
+      human_operator_id: client.humanOperatorId,
+      task_id: taskId,
+      session_id: client.sessionId,
+      tool_name: toolName,
+      tool_parameters: pseudonymizedParams,
+      prompt: pseudonymizedPrompt,
+      inputs_hash: hashValue(args),
+      outputs_hash: outputsHash,
+      response,
+      status,
+      error_code: errorCode,
+      duration_ms: Math.round(performance.now() - start),
+      encrypted_token_map: tokenizer.encryptTokenMap(),
+      pseudonymization_version: "1.0"
+    });
+    client.record(event);
+  } else {
+    const response = result != null ? redactPii(String(result).slice(0, RESPONSE_MAX_CHARS)) : "";
+    const event = AuditEventSchema.parse({
+      agent_id: client.agentId,
+      agent_version: client.agentVersion,
+      human_operator_id: client.humanOperatorId,
+      task_id: taskId,
+      session_id: client.sessionId,
+      tool_name: toolName,
+      tool_parameters: sanitise(params),
+      prompt,
+      inputs_hash: hashValue(args),
+      outputs_hash: outputsHash,
+      response,
+      status,
+      error_code: errorCode,
+      duration_ms: Math.round(performance.now() - start)
+    });
+    client.record(event);
+  }
 }
 function wrapFn(client, fn, toolName, taskId, prompt) {
   const wrapped = function(...args) {
@@ -328,12 +530,14 @@ function auditTool(client, fnOrTaskId, options) {
 export {
   AuditClient,
   AuditEventSchema,
+  SessionTokenizer,
   auditTool,
   computeEventHash,
   createFileEmitter,
   createHttpEmitter,
   generateKeypair,
   hashValue,
+  redactPii,
   signEvent,
   verifyChain,
   verifyEvent

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wytness/sdk",
-  "version": "0.3.1",
+  "version": "0.5.0",
   "description": "TypeScript SDK for Wytness — audit logging for AI agents with cryptographic signing and chain integrity",
   "license": "MIT",
   "author": "Wytness <hello@wytness.dev>",