npm - zuplo - Versions diffs - 6.70.15 → 6.70.21 - Mend

zuplo 6.70.15 → 6.70.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/docs/cli/ca-certificate-list.mdx ADDED Viewed

@@ -0,0 +1,59 @@
+---
+title: "Zuplo CLI: Ca Certificate List"
+sidebar_label: ca-certificate list
+---
+<CliCommand
+  command="ca-certificate list"
+  description="Lists all CA certificates for an account"
+  options={[
+  {
+    "name": "account",
+    "type": "string",
+    "description": "The account name",
+    "required": false,
+    "deprecated": false,
+    "hidden": false
+  },
+  {
+    "name": "output",
+    "type": "string",
+    "description": "Output format",
+    "default": "default",
+    "required": false,
+    "deprecated": false,
+    "hidden": false,
+    "alias": [
+      "o"
+    ],
+    "choices": [
+      "default",
+      "json"
+    ]
+  }
+]}
+  examples={[
+  [
+    "$0 ca-certificate list",
+    "List all CA certificates for your account"
+  ],
+  [
+    "$0 ca-certificate list --account my-account",
+    "Explicitly specify the account"
+  ],
+  [
+    "$0 ca-certificate list --output json",
+    "List CA certificates as JSON"
+  ]
+]}
+  usage="$0 ca-certificate list [options]"
+>
+</CliCommand>
+## Global options
+The following global options are available for all commands:
+- [`--help`](./global-options.mdx#help)
+- [`--api-key`](./global-options.mdx#api-key)

package/docs/cli/ca-certificate-update.mdx ADDED Viewed

@@ -0,0 +1,71 @@
+---
+title: "Zuplo CLI: Ca Certificate Update"
+sidebar_label: ca-certificate update
+---
+<CliCommand
+  command="ca-certificate update"
+  description="Updates the name of a CA certificate"
+  options={[
+  {
+    "name": "cert-id",
+    "type": "string",
+    "description": "The ID of the CA certificate to update",
+    "required": false,
+    "deprecated": false,
+    "hidden": false
+  },
+  {
+    "name": "name",
+    "type": "string",
+    "description": "The new name for the CA certificate (must be a valid JavaScript identifier: starts with a letter, _, or $; contains only letters, digits, _, or $)",
+    "required": false,
+    "deprecated": false,
+    "hidden": false
+  },
+  {
+    "name": "account",
+    "type": "string",
+    "description": "The account name",
+    "required": false,
+    "deprecated": false,
+    "hidden": false
+  },
+  {
+    "name": "output",
+    "type": "string",
+    "description": "Output format",
+    "default": "default",
+    "required": false,
+    "deprecated": false,
+    "hidden": false,
+    "alias": [
+      "o"
+    ],
+    "choices": [
+      "default",
+      "json"
+    ]
+  }
+]}
+  examples={[
+  [
+    "$0 ca-certificate update --cert-id mtlsca_abc123 --name renamed_ca",
+    "Rename a CA certificate"
+  ],
+  [
+    "$0 ca-certificate update \\\n  --cert-id mtlsca_abc123 \\\n  --name renamed_ca \\\n  --account my-account",
+    "Explicitly specify the account"
+  ]
+]}
+  usage="$0 ca-certificate update --cert-id <id> --name <name> [options]"
+>
+</CliCommand>
+## Global options
+The following global options are available for all commands:
+- [`--help`](./global-options.mdx#help)
+- [`--api-key`](./global-options.mdx#api-key)

package/docs/policies/_index.md CHANGED Viewed

@@ -8,6 +8,8 @@
 | set-query-params-inbound | Add or Set Query Parameters | Adds or sets query parameters on the incoming request. | api-gateway |
 | set-headers-inbound | Add or Set Request Headers | Adds or sets headers on the incoming request. | api-gateway |
 | akamai-ai-firewall | Akamai AI Firewall | Akamai AI Firewall Inbound Policy | ai-gateway |
+| akamai-firewall-for-ai-outbound | Akamai Firewall for AI | Inspects each upstream response with Akamai's Firewall for AI detect API and replaces the response with a `403 Forbidden` if Akamai returns a `deny` rule. Useful behind AI-powered APIs to filter unsafe completions, sensitive data exposure, and toxic content before they reach the client.  The body, headers, URL, and query string sent to Akamai are configurable; by default only the response body is captured. Bodies are read from a clone so the client still receives the original. | api-gateway |
+| akamai-firewall-for-ai-inbound | Akamai Firewall for AI | Inspects each incoming request with Akamai's Firewall for AI detect API and blocks the request if Akamai returns a `deny` rule. Useful in front of AI-powered APIs to filter prompt injection, jailbreaks, and other unsafe inputs before they reach the model.  The body, headers, URL, and query string sent to Akamai are configurable; by default only the request body is captured. Bodies are read from a clone so the upstream handler still sees the original. | api-gateway |
 | amberflo-metering-inbound | Amberflo Metering / Billing | Amberflo is a usage metering and billing service. This policy allows you to send metering calls for each API to their meter ingest endpoint. | api-gateway |
 | api-key-inbound | API Key Authentication | Authenticates requests based on API Keys using Zuplo's built-in API key management. This policy validates API keys against Zuplo's key storage, caches results for performance, and automatically adds user information to authenticated requests. | api-gateway |
 | archive-request-aws-s3-inbound | Archive Request to AWS S3 | Archive the incoming request body to AWS S3 storage | api-gateway |
@@ -57,7 +59,7 @@
 | okta-jwt-auth-inbound | Okta JWT Auth | Authenticate users using Okta issued JWT tokens. | api-gateway |
 | openfga-authz-inbound | OpenFGA Authorization | Authorize requests using OpenFGA. | api-gateway |
 | openmeter-inbound | OpenMeter | OpenMeter is a usage metering service. This policy allows you to send metering calls for each API to their event ingest endpoint. It also supports entitlement checking to verify if a subject has access to a feature. | api-gateway |
-| prompt-injection-outbound | Prompt Injection Detection | Uses an LLM agent to detect prompt injection attempts in user provided content or potentially poisoned response bodies. This is primarily intended to be used with downstream LLM agents who are at risk of having prompt injection attacks executed against them. | api-gateway |
+| prompt-injection-outbound | Prompt Injection Detection | Uses an LLM agent to detect prompt injection attempts in user provided content or potentially poisoned response bodies. This is primarily intended to be used with downstream LLM agents who are at risk of having prompt injection attacks executed against them. | ai-gateway, mcp-gateway |
 | propel-auth-jwt-inbound | PropelAuth JWT Auth | Authenticate users using PropelAuth issued JWT tokens. | api-gateway |
 | query-param-to-header-inbound | Query Parameter to Header | Extracts a query parameter and sets it as a header in the request. | api-gateway |
 | quota-inbound | Quota | The Quota policy enables you to set monthly, weekly, daily or hourly quotas on your API. | api-gateway |
@@ -72,7 +74,7 @@
 | request-validation-inbound | Request Validation | Validates incoming requests against your OpenAPI specification. Checks query parameters, path parameters, headers, and request body to ensure they match the defined schema before processing. | api-gateway |
 | require-origin-inbound | Require Origin | Sets an allow-list for an origin header | api-gateway |
 | secret-masking-outbound | Secret Masking | Masks common secrets like Zuplo API keys, GitHub tokens, or SSH private key in the response body. | api-gateway |
-| semantic-cache-inbound | Semantic Cache | Respond to matched incoming requests with semantically cached content  The Semantic Cache Inbound policy caches responses based on semantic similarity of cache keys rather than exact matches. This allows for more flexible caching where similar requests can return cached responses even if the cache key is not exactly the same.  The policy uses Large Language Model (LLM) embeddings to determine semantic similarity between cache keys based on a configurable similarity tolerance.  Options: - semanticTolerance: The semantic similarity threshold for semantic cache matches (0-1, default: 0.2). Values closer to 0 require higher similarity. Can be overridden by custom functions. - expirationSecondsTtl: The timeout of the cache in seconds (default: 3600, 1 hour). Can be overridden by custom functions. - namespace: Optional namespace to isolate cache entries (default: "default"). Useful for multi-tenant scenarios or different cache contexts. - cacheBy: Determines how cache keys are generated: 'function' for custom logic or 'propertyPath' to extract from JSON body. | api-gateway |
+| semantic-cache-inbound | Semantic Cache | Respond to matched incoming requests with semantically cached content  The Semantic Cache Inbound policy caches responses based on semantic similarity of cache keys rather than exact matches. This allows for more flexible caching where similar requests can return cached responses even if the cache key is not exactly the same.  The policy uses Large Language Model (LLM) embeddings to determine semantic similarity between cache keys based on a configurable similarity tolerance.  Options: - semanticTolerance: The semantic similarity threshold for semantic cache matches (0-1, default: 0.2). Values closer to 0 require higher similarity. Can be overridden by custom functions. - expirationSecondsTtl: The timeout of the cache in seconds (default: 3600, 1 hour). Can be overridden by custom functions. - namespace: Optional namespace to isolate cache entries (default: "default"). Useful for multi-tenant scenarios or different cache contexts. - cacheBy: Determines how cache keys are generated: 'function' for custom logic or 'propertyPath' to extract from JSON body. | ai-gateway |
 | set-body-inbound | Set Body | Sets the body of the request in the inbound pipeline - make sure to convert a GET/HEAD request to another method when using this policy. | api-gateway |
 | set-headers-outbound | Set Headers | Adds or sets headers on the on the outgoing response. | api-gateway |
 | set-status-outbound | Set Status Code | Sets the status code on the on the outgoing response. | api-gateway |
@@ -89,4 +91,4 @@
 | upstream-gcp-service-auth-inbound | Upstream GCP Service Auth | Creates an ID Token from Google's OAuth service and attaches it to the outgoing request. Useful when calling GCP services or Google APIs that are secured with GCP IAM. | api-gateway |
 | upstream-zuplo-jwt-auth-inbound | Upstream Zuplo JWT | Generates a Zuplo JWT token and attaches it to the outgoing request. This policy creates a self-signed JWT using the Zuplo JWT plugin and adds it to the specified header for upstream authentication. | api-gateway |
 | web-bot-auth-inbound | Web Bot Auth | Authenticate bots using web-bot-auth HTTP Message Signatures. | api-gateway |
-| xml-to-json-outbound | XML to JSON Outbound | Parses XML and converts it to JSON. | api-gateway |
+| xml-to-json-outbound | XML to JSON | Parses XML and converts it to JSON. | api-gateway |

package/docs/policies/akamai-firewall-for-ai-inbound/doc.md ADDED Viewed

@@ -0,0 +1,79 @@
+## Setup
+1. In the Akamai Control Center, create a Firewall for AI configuration and note
+   its **Configuration ID**.
+2. Generate an **API key** for the configuration.
+3. Add the credentials to your Zuplo project's environment variables (or paste
+   them directly into the policy options):
+   ```text
+   AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID=your-configuration-id
+   AKAMAI_FIREWALL_FOR_AI_API_KEY=your-api-key
+   ```
+4. Add the policy to any route that should be inspected by Akamai.
+## What gets sent to Akamai
+Akamai's detect endpoint accepts a single text string in `llmInput`. The
+`capture` option controls which parts of the incoming request are concatenated
+into that string:
+| Field         | Default | Notes                                                                               |
+| ------------- | ------- | ----------------------------------------------------------------------------------- |
+| `body`        | `true`  | Cloned before reading; only text content types (JSON, XML, form, text/\*) are sent. |
+| `headers`     | `false` | `Authorization`, `Proxy-Authorization`, `Cookie`, and `Set-Cookie` are stripped.    |
+| `url`         | `false` | Origin and path only.                                                               |
+| `queryString` | `false` | Off by default — query strings often contain credentials or session tokens.         |
+### Including credential headers
+If you do want Akamai to see credential-bearing headers (for example, to detect
+tokens that have been leaked into custom headers), opt in explicitly:
+```json
+{
+  "name": "akamai-firewall-for-ai-inbound",
+  "policyType": "akamai-firewall-for-ai-inbound",
+  "handler": {
+    "export": "AkamaiFirewallForAiInboundPolicy",
+    "module": "$import(@zuplo/runtime)",
+    "options": {
+      "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
+      "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
+      "capture": {
+        "body": true,
+        "headers": true,
+        "dangerouslyIncludeAuthorizationHeader": true
+      }
+    }
+  }
+}
+```
+## Handling alert vs deny
+Akamai rules can be configured with one of two actions:
+- **`deny`** — the request is always blocked with a `403 Forbidden`.
+- **`alert`** — Akamai detected a match but configured the rule for monitoring
+  only. The `onWarn` option controls how this policy reacts:
+  - `"log"` (default) writes a structured warning to the Zuplo logs and allows
+    the request through.
+  - `"block"` treats `alert` the same as `deny` — useful in staging when rolling
+    out new rules.
+  - `"none"` silently allows the request through with no log line.
+## Failure modes
+By default the policy is **fail-closed**: if the call to Akamai itself fails
+(network error, 5xx, malformed response), the policy throws and the request is
+rejected. This is the safe default for a security control. To fail open when
+Akamai is unreachable, set `throwOnError: false`.
+## Pair with the outbound policy
+Add
+[Akamai Firewall for AI - Outbound](/docs/policies/akamai-firewall-for-ai-outbound)
+to the same route to also inspect the upstream response before it's sent back to
+the client. The two policies share the same configuration shape.

package/docs/policies/akamai-firewall-for-ai-inbound/intro.md ADDED Viewed

@@ -0,0 +1,13 @@
+[Akamai Firewall for AI](https://www.akamai.com/products/firewall-for-ai)
+inspects requests bound for AI applications and detects threats such as prompt
+injection, jailbreak attempts, sensitive data exposure, and toxic content.
+This policy sends each incoming request to Akamai's detect endpoint before it
+reaches your handler. If Akamai returns a rule with a `deny` action, the request
+is blocked with a `403 Forbidden`. Rules with an `alert` action (Akamai
+"Monitor" mode) are logged by default but allowed through, configurable via the
+`onWarn` setting.
+Pair with the
+[Akamai Firewall for AI - Outbound](/docs/policies/akamai-firewall-for-ai-outbound)
+policy to also inspect upstream responses before they're returned to the client.

package/docs/policies/akamai-firewall-for-ai-inbound/schema.json ADDED Viewed

@@ -0,0 +1,126 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Akamai Firewall for AI",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Inspects each incoming request with Akamai's Firewall for AI detect API and blocks the request if Akamai returns a `deny` rule. Useful in front of AI-powered APIs to filter prompt injection, jailbreaks, and other unsafe inputs before they reach the model.\n\nThe body, headers, URL, and query string sent to Akamai are configurable; by default only the request body is captured. Bodies are read from a clone so the upstream handler still sees the original.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "AkamaiFirewallForAiInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "AkamaiFirewallForAiInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for the Akamai Firewall for AI inbound policy. Sends the incoming request to Akamai's Firewall for AI detect endpoint and blocks the request if any rule returns a 'deny' action.",
+          "additionalProperties": false,
+          "required": ["configurationId", "api-key"],
+          "properties": {
+            "configurationId": {
+              "type": "string",
+              "examples": ["$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)"],
+              "description": "Your Akamai Firewall for AI Configuration ID. This is the ID of the configuration in the Akamai Control Center that defines which detection rules to apply."
+            },
+            "api-key": {
+              "type": "string",
+              "examples": ["$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)"],
+              "description": "Your Akamai Firewall for AI API key, sent as the `Fai-Api-Key` header on each detect call."
+            },
+            "capture": {
+              "type": "object",
+              "title": "Capture Settings",
+              "description": "Controls which parts of the incoming request are sent to Akamai for inspection. Akamai's detect endpoint receives the captured fields concatenated into a single labeled text payload as `llmInput`.",
+              "additionalProperties": false,
+              "properties": {
+                "body": {
+                  "type": "boolean",
+                  "default": true,
+                  "description": "Include the request body. Only text-based content types (JSON, XML, form-encoded, text/\\*) are sent; binary bodies are skipped. The body is read from a clone of the request so the upstream still receives it unchanged."
+                },
+                "headers": {
+                  "type": "boolean",
+                  "default": false,
+                  "description": "Include the request headers. By default `Authorization`, `Proxy-Authorization`, `Cookie`, and `Set-Cookie` are stripped — see the `dangerouslyInclude*` flags to override."
+                },
+                "url": {
+                  "type": "boolean",
+                  "default": false,
+                  "description": "Include the request URL (origin and path, query string excluded). Enable `queryString` separately if you also want the query string."
+                },
+                "queryString": {
+                  "type": "boolean",
+                  "default": false,
+                  "description": "Include the request query string. Query strings sometimes contain credentials or session tokens — leave this off unless you want Akamai to see them."
+                },
+                "dangerouslyIncludeAuthorizationHeader": {
+                  "type": "boolean",
+                  "default": false,
+                  "x-show-example": false,
+                  "description": "If `headers` is true, also include the `Authorization` and `Proxy-Authorization` headers. Off by default because these typically contain bearer tokens."
+                },
+                "dangerouslyIncludeCookieHeader": {
+                  "type": "boolean",
+                  "default": false,
+                  "x-show-example": false,
+                  "description": "If `headers` is true, also include the `Cookie` header. Off by default because cookies often carry session credentials."
+                }
+              }
+            },
+            "onWarn": {
+              "type": "string",
+              "enum": ["log", "block", "none"],
+              "default": "log",
+              "description": "Behavior when Akamai returns a rule with `action: \"alert\"` (Akamai's Monitor mode). `log` writes a warning and lets the request through, `block` treats the alert like a deny, `none` is silent."
+            },
+            "throwOnError": {
+              "type": "boolean",
+              "default": true,
+              "description": "If true (the default), the policy throws when the Akamai detect call itself fails (network error, 5xx, malformed response). Set to false to fail open and allow the request through when Akamai is unreachable."
+            },
+            "detectUrl": {
+              "type": "string",
+              "x-show-example": false,
+              "description": "Override the Akamai Firewall for AI detect endpoint URL. The literal `{configurationId}` is replaced with the configured ID. Defaults to `https://aisec.akamai.com/fai/v1/fai-configurations/{configurationId}/detect`. Useful for regional Akamai endpoints or for pointing tests at a mock server."
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "AkamaiFirewallForAiInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
+            "capture": {
+              "body": true,
+              "headers": false,
+              "queryString": false,
+              "url": false
+            },
+            "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
+            "onWarn": "log",
+            "throwOnError": true
+          }
+        }
+      ]
+    }
+  }
+}

package/docs/policies/akamai-firewall-for-ai-outbound/doc.md ADDED Viewed

@@ -0,0 +1,79 @@
+## Setup
+1. In the Akamai Control Center, create a Firewall for AI configuration and note
+   its **Configuration ID**.
+2. Generate an **API key** for the configuration.
+3. Add the credentials to your Zuplo project's environment variables (or paste
+   them directly into the policy options):
+   ```text
+   AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID=your-configuration-id
+   AKAMAI_FIREWALL_FOR_AI_API_KEY=your-api-key
+   ```
+4. Add the policy to any route whose responses should be inspected by Akamai.
+## What gets sent to Akamai
+Akamai's detect endpoint accepts a single text string in `llmOutput`. The
+`capture` option controls which parts of the response are concatenated into that
+string:
+| Field         | Default | Notes                                                                               |
+| ------------- | ------- | ----------------------------------------------------------------------------------- |
+| `body`        | `true`  | Cloned before reading; only text content types (JSON, XML, form, text/\*) are sent. |
+| `headers`     | `false` | `Set-Cookie`, `Authorization`, and `Proxy-Authorization` are stripped.              |
+| `url`         | `false` | Origin and path of the originating request — useful as context for the response.    |
+| `queryString` | `false` | Off by default — query strings often contain credentials or session tokens.         |
+### Including credential headers
+If you do want Akamai to see credential-bearing response headers, opt in
+explicitly:
+```json
+{
+  "name": "akamai-firewall-for-ai-outbound",
+  "policyType": "akamai-firewall-for-ai-outbound",
+  "handler": {
+    "export": "AkamaiFirewallForAiOutboundPolicy",
+    "module": "$import(@zuplo/runtime)",
+    "options": {
+      "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
+      "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
+      "capture": {
+        "body": true,
+        "headers": true,
+        "dangerouslyIncludeCookieHeader": true
+      }
+    }
+  }
+}
+```
+## Handling alert vs deny
+Akamai rules can be configured with one of two actions:
+- **`deny`** — the response is always replaced with a `403 Forbidden`.
+- **`alert`** — Akamai detected a match but configured the rule for monitoring
+  only. The `onWarn` option controls how this policy reacts:
+  - `"log"` (default) writes a structured warning to the Zuplo logs and lets the
+    response through.
+  - `"block"` treats `alert` the same as `deny` — useful in staging when rolling
+    out new rules.
+  - `"none"` silently lets the response through with no log line.
+## Failure modes
+By default the policy is **fail-closed**: if the call to Akamai itself fails
+(network error, 5xx, malformed response), the policy throws and the original
+response is replaced with an error. This is the safe default for a security
+control. To fail open when Akamai is unreachable, set `throwOnError: false`.
+## Pair with the inbound policy
+Add
+[Akamai Firewall for AI - Inbound](/docs/policies/akamai-firewall-for-ai-inbound)
+to the same route to also inspect requests before they reach your handler. The
+two policies share the same configuration shape.

package/docs/policies/akamai-firewall-for-ai-outbound/intro.md ADDED Viewed

@@ -0,0 +1,13 @@
+[Akamai Firewall for AI](https://www.akamai.com/products/firewall-for-ai)
+inspects responses produced by AI applications and detects threats such as
+sensitive data exposure, toxic content, and other policy violations.
+This policy sends each upstream response to Akamai's detect endpoint before it's
+returned to the client. If Akamai returns a rule with a `deny` action, the
+response is replaced with a `403 Forbidden`. Rules with an `alert` action
+(Akamai "Monitor" mode) are logged by default but allowed through, configurable
+via the `onWarn` setting.
+Pair with the
+[Akamai Firewall for AI - Inbound](/docs/policies/akamai-firewall-for-ai-inbound)
+policy to also inspect incoming requests before they reach your handler.

package/docs/policies/akamai-firewall-for-ai-outbound/schema.json ADDED Viewed

@@ -0,0 +1,126 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Akamai Firewall for AI",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Inspects each upstream response with Akamai's Firewall for AI detect API and replaces the response with a `403 Forbidden` if Akamai returns a `deny` rule. Useful behind AI-powered APIs to filter unsafe completions, sensitive data exposure, and toxic content before they reach the client.\n\nThe body, headers, URL, and query string sent to Akamai are configurable; by default only the response body is captured. Bodies are read from a clone so the client still receives the original.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "AkamaiFirewallForAiOutboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "AkamaiFirewallForAiOutboundPolicyOptions",
+          "type": "object",
+          "description": "The options for the Akamai Firewall for AI outbound policy. Sends the upstream response to Akamai's Firewall for AI detect endpoint and blocks the response if any rule returns a 'deny' action.",
+          "additionalProperties": false,
+          "required": ["configurationId", "api-key"],
+          "properties": {
+            "configurationId": {
+              "type": "string",
+              "examples": ["$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)"],
+              "description": "Your Akamai Firewall for AI Configuration ID. This is the ID of the configuration in the Akamai Control Center that defines which detection rules to apply."
+            },
+            "api-key": {
+              "type": "string",
+              "examples": ["$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)"],
+              "description": "Your Akamai Firewall for AI API key, sent as the `Fai-Api-Key` header on each detect call."
+            },
+            "capture": {
+              "type": "object",
+              "title": "Capture Settings",
+              "description": "Controls which parts of the upstream response (and the originating request URL) are sent to Akamai for inspection. Akamai's detect endpoint receives the captured fields concatenated into a single labeled text payload as `llmOutput`.",
+              "additionalProperties": false,
+              "properties": {
+                "body": {
+                  "type": "boolean",
+                  "default": true,
+                  "description": "Include the response body. Only text-based content types (JSON, XML, form-encoded, text/\\*) are sent; binary bodies are skipped. The body is read from a clone of the response so the client still receives it unchanged."
+                },
+                "headers": {
+                  "type": "boolean",
+                  "default": false,
+                  "description": "Include the response headers. By default `Set-Cookie` is stripped — see `dangerouslyIncludeCookieHeader` to override."
+                },
+                "url": {
+                  "type": "boolean",
+                  "default": false,
+                  "description": "Include the originating request URL (origin and path, query string excluded). Useful as context for the response."
+                },
+                "queryString": {
+                  "type": "boolean",
+                  "default": false,
+                  "description": "Include the originating request's query string. Query strings sometimes contain credentials or session tokens — leave this off unless you want Akamai to see them."
+                },
+                "dangerouslyIncludeAuthorizationHeader": {
+                  "type": "boolean",
+                  "default": false,
+                  "x-show-example": false,
+                  "description": "If `headers` is true, also include any `Authorization` or `Proxy-Authorization` headers on the response. Rarely set on responses but stripped by default for safety."
+                },
+                "dangerouslyIncludeCookieHeader": {
+                  "type": "boolean",
+                  "default": false,
+                  "x-show-example": false,
+                  "description": "If `headers` is true, also include the `Set-Cookie` header on the response. Off by default because Set-Cookie typically carries session credentials."
+                }
+              }
+            },
+            "onWarn": {
+              "type": "string",
+              "enum": ["log", "block", "none"],
+              "default": "log",
+              "description": "Behavior when Akamai returns a rule with `action: \"alert\"` (Akamai's Monitor mode). `log` writes a warning and lets the response through, `block` treats the alert like a deny, `none` is silent."
+            },
+            "throwOnError": {
+              "type": "boolean",
+              "default": true,
+              "description": "If true (the default), the policy throws when the Akamai detect call itself fails (network error, 5xx, malformed response). Set to false to fail open and allow the response through when Akamai is unreachable."
+            },
+            "detectUrl": {
+              "type": "string",
+              "x-show-example": false,
+              "description": "Override the Akamai Firewall for AI detect endpoint URL. The literal `{configurationId}` is replaced with the configured ID. Defaults to `https://aisec.akamai.com/fai/v1/fai-configurations/{configurationId}/detect`. Useful for regional Akamai endpoints or for pointing tests at a mock server."
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "AkamaiFirewallForAiOutboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
+            "capture": {
+              "body": true,
+              "headers": false,
+              "queryString": false,
+              "url": false
+            },
+            "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
+            "onWarn": "log",
+            "throwOnError": true
+          }
+        }
+      ]
+    }
+  }
+}

package/docs/policies/monetization-inbound/schema.json CHANGED Viewed

@@ -55,7 +55,7 @@
               "type": "object",
               "examples": [
                 {
-                  "requests": 1
+                  "api_requests": 1
                 }
               ],
               "patternProperties": {
@@ -92,7 +92,7 @@
           "options": {
             "cacheTtlSeconds": 60,
             "meters": {
-              "requests": 1
+              "api_requests": 1
             }
           }
         }