@aegis-sdk/core - npm Package Compare versions

Comparing version

0.1.0

0.2.0

+204

-3

dist/index.d.cts

		@@ -147,2 +147,4 @@ /**
		};
		/** Optional: the tool output data from the previous step, used for exfiltration tracking */
		previousToolOutput?: string;
		}
		@@ -153,6 +155,100 @@ interface ActionValidationResult {
		requiresApproval: boolean;
		/** Set when the action was paused for human approval */
		awaitedApproval?: boolean;
		}
		interface ActionValidatorConfig {
		/**
		* Callback invoked when a tool requires human-in-the-loop approval.
		* Should return true to approve, false to deny.
		*/
		onApprovalNeeded?: (request: ActionValidationRequest) => Promise<boolean>;
		/**
		* When enabled, the InputScanner's pattern matching is run against
		* all string values in tool parameters. This catches injection payloads
		* hidden in MCP tool parameters.
		*/
		scanMcpParams?: boolean;
		/**
		* InputScanner configuration to use when scanMcpParams is enabled.
		* Falls back to balanced defaults if not provided.
		*/
		scannerConfig?: InputScannerConfig;
		/**
		* Denial-of-wallet detection configuration.
		* Tracks cumulative cost of expensive operations and enforces thresholds.
		*/
		denialOfWallet?: DenialOfWalletConfig;
		/**
		* Destinations considered "external" for data exfiltration prevention.
		* When noExfiltration is enabled in the policy, actions that would transmit
		* previously-read data to these tool patterns are blocked.
		* Defaults to common external-facing tools if not specified.
		*/
		exfiltrationToolPatterns?: string[];
		}
		interface DenialOfWalletConfig {
		/** Maximum total operations allowed within the window. Default: 100 */
		maxOperations?: number;
		/** Time window for tracking operations, e.g. "5m", "1h". Default: "5m" */
		window?: string;
		/** Maximum sandbox triggers within the window. Default: 10 */
		maxSandboxTriggers?: number;
		/** Maximum total tool calls within the window. Default: 50 */
		maxToolCalls?: number;
		}
		interface ChainStepOptions {
		/** Maximum number of steps before the loop is halted. Default: 25 */
		maxSteps?: number;
		/** Current step number (1-based). Required. */
		step: number;
		/** Session ID for audit correlation */
		sessionId?: string;
		/** Request ID for audit correlation */
		requestId?: string;
		/**
		* Privilege decay: the full list of tools available at step 1.
		* Tools will be progressively restricted as steps increase.
		*/
		initialTools?: string[];
		/**
		* Cumulative risk score from previous steps.
		* guardChainStep() will add to this and return it in the result.
		*/
		cumulativeRisk?: number;
		/** Risk threshold at which the chain is halted. Default: 3.0 */
		riskBudget?: number;
		}
		interface ChainStepResult {
		/** Whether this step should be allowed to proceed */
		safe: boolean;
		/** Reason for the decision */
		reason: string;
		/** Updated cumulative risk score including this step */
		cumulativeRisk: number;
		/** The scan result from analyzing the model output */
		scanResult: ScanResult;
		/** Tools still available after privilege decay for this step */
		availableTools: string[];
		/** Whether the step budget has been exhausted */
		budgetExhausted: boolean;
		}
		interface AgentLoopConfig {
		/** Default maximum steps for guardChainStep(). Default: 25 */
		defaultMaxSteps?: number;
		/** Default risk budget before halting. Default: 3.0 */
		defaultRiskBudget?: number;
		/**
		* Privilege decay schedule. Maps step thresholds to the fraction
		* of tools that remain available (0-1). For example:
		* { 10: 0.75, 20: 0.5 } means at step 10, 75% of tools remain;
		* at step 20, 50% remain.
		* Default: { 10: 0.75, 15: 0.5, 20: 0.25 }
		*/
		privilegeDecay?: Record<number, number>;
		}
		interface StreamMonitorConfig {
		canaryTokens?: string[];
		detectPII?: boolean;
		/** When true AND detectPII is true, redact PII instead of blocking the stream */
		piiRedaction?: boolean;
		detectSecrets?: boolean;
		@@ -214,2 +310,4 @@ detectInjectionPayloads?: boolean;
		canaryTokens?: string[];
		validator?: ActionValidatorConfig;
		agentLoop?: AgentLoopConfig;
		}
		@@ -280,15 +378,54 @@ interface RecoveryConfig {
		* in the real world. It checks policy, rate limits, parameter safety,
		* and intent alignment.
		* human-in-the-loop approval, MCP parameter scanning, denial-of-wallet
		* thresholds, and data exfiltration prevention.
		*/
		declare class ActionValidator {
		private policy;
		private config;
		private rateLimits;
		constructor(policy: AegisPolicy);
		private mcpScanner;
		private dowTracker;
		private dowConfig;
		private readDataFingerprints;
		private exfiltrationPatterns;
		private auditCallback?;
		constructor(policy: AegisPolicy, config?: ActionValidatorConfig);
		/**
		* Set an audit callback for logging validator decisions.
		* This is called by the Aegis class to wire up the AuditLog.
		*/
		setAuditCallback(cb: (entry: Omit<AuditEntry, "timestamp">) => void): void;
		/**
		* Record data that was read by a previous tool call.
		* Used for exfiltration detection: if a subsequent action tries to send
		* this data to an external destination, it will be blocked.
		*/
		recordReadData(data: string): void;
		/**
		* Clear read-data fingerprints (e.g. on session reset).
		*/
		clearReadData(): void;
		/**
		* Validate a proposed action against the security policy.
		*/
		check(request: ActionValidationRequest): Promise<ActionValidationResult>;
		/**
		* Record a sandbox trigger for DoW tracking.
		* Call this externally when a sandbox operation is triggered.
		*/
		recordSandboxTrigger(): void;
		private checkDenialOfWallet;
		private trackToolCall;
		private ensureDowWindow;
		private scanMcpParameters;
		private checkExfiltration;
		private requestApproval;
		private checkRateLimit;
		private checkParameters;
		private emitAudit;
		}
		/**
		* Parse a window duration string like "5m", "1h", "30s", "1d" into milliseconds.
		*/
		declare function parseWindow(window: string): number;

		@@ -324,3 +461,6 @@ /**
		private recovery;
		private agentLoopConfig;
		private sessionQuarantined;
		/** Default privilege decay schedule */
		private static readonly DEFAULT_PRIVILEGE_DECAY;
		constructor(config?: AegisConfig);
		@@ -374,2 +514,47 @@ /**
		getPolicy(): AegisPolicy;
		/**
		* Guard a single step in an agentic loop.
		*
		* This method provides multi-layer protection for agentic systems where
		* the model iterates through multiple tool-calling steps:
		*
		* 1. Quarantine the model output with source "model_output"
		* 2. Scan the output for injection payloads (T14 chain injection)
		* 3. Track cumulative risk across steps — halt if budget exceeded
		* 4. Enforce step budget — halt if max steps reached
		* 5. Apply privilege decay — progressively restrict available tools
		* 6. Audit every step with event "chain_step_scan"
		*
		* @param output - The raw model output text to scan
		* @param options - Chain step configuration
		* @returns ChainStepResult with safety verdict and updated state
		*
		* @example
		* ```ts
		* let cumulativeRisk = 0;
		* for (let step = 1; step <= 25; step++) {
		* const modelOutput = await callModel();
		* const result = await aegis.guardChainStep(modelOutput, {
		* step,
		* cumulativeRisk,
		* initialTools: ['read_file', 'write_file', 'search'],
		* });
		* if (!result.safe) break;
		* cumulativeRisk = result.cumulativeRisk;
		* // Only allow result.availableTools for the next step
		* }
		* ```
		*/
		guardChainStep(output: string, options: ChainStepOptions): Promise<ChainStepResult>;
		/**
		* Apply privilege decay based on current step.
		*
		* As the loop progresses, fewer tools remain available. This limits
		* the blast radius of a compromised agentic loop in later steps.
		*/
		private applyPrivilegeDecay;
		/**
		* Build a blocked ChainStepResult with an empty scan result.
		*/
		private buildChainStepBlockedResult;
		private getMessagesToScan;
		@@ -522,5 +707,15 @@ }
		* with zero delay; scanning happens on the accumulated buffer in parallel.
		*
		* When `piiRedaction` is enabled (and `detectPII` is true), PII matches
		* are replaced with `[REDACTED-<TYPE>]` markers instead of terminating
		* the stream. Non-PII violations (canary leaks, secrets, etc.) still
		* terminate the stream immediately.
		*/
		createTransform(): TransformStream<string, string>;
		private buildPatternList;
		/**
		* Build a list of PII patterns with their redaction labels.
		* Used by the redaction path to replace matches with [REDACTED-<LABEL>].
		*/
		private buildPiiPatternList;
		}
		@@ -622,2 +817,8 @@
		* any window exceeds the anomaly threshold.
		*
		* Adaptations to reduce false positives:
		* 1. Code blocks (backtick-delimited) are stripped before analysis.
		* 2. The threshold is raised for inputs dominated by non-Latin scripts
		* (CJK, Hangul, Cyrillic, Arabic, etc.) which naturally have higher
		* entropy due to larger character sets.
		*/
		@@ -665,2 +866,2 @@ declare function analyzeEntropy(input: string, options?: {

		export { type ActionValidationRequest, type ActionValidationResult, ActionValidator, Aegis, type AegisConfig, AegisInputBlocked, type AegisPolicy, AegisSessionQuarantined, AegisSessionTerminated, type AlertRule, type AlertingConfig, type AuditEntry, type AuditEventType, type AuditLevel, AuditLog, type AuditLogConfig, type AuditTransport, type BuiltPrompt, type ChunkStrategy, type ContentSource, type DelimiterStrategy, type Detection, type DetectionType, type EntropyResult, type ExtractionSchema, type GuardInputOptions, InputScanner, type InputScannerConfig, type LanguageResult, type LanguageSwitch, type PiiHandling, type PresetPolicy, PromptBuilder, type PromptBuilderConfig, type PromptMessage, type QuarantineMetadata, type QuarantineOptions, type Quarantined, type RecoveryConfig, type RecoveryMode, type RiskLevel, Sandbox, type SandboxConfig, type ScanResult, type ScanStrategy, type Sensitivity, StreamMonitor, type StreamMonitorConfig, type StreamViolation, type TrajectoryResult, type UnsafeUnwrapOptions, aegis, analyzeEntropy, detectLanguageSwitches, getPreset, isActionAllowed, isQuarantined, normalizeEncoding, quarantine, resolvePolicy, shannonEntropy, tryDecodeBase64 };
		export { type ActionValidationRequest, type ActionValidationResult, ActionValidator, type ActionValidatorConfig, Aegis, type AegisConfig, AegisInputBlocked, type AegisPolicy, AegisSessionQuarantined, AegisSessionTerminated, type AgentLoopConfig, type AlertRule, type AlertingConfig, type AuditEntry, type AuditEventType, type AuditLevel, AuditLog, type AuditLogConfig, type AuditTransport, type BuiltPrompt, type ChainStepOptions, type ChainStepResult, type ChunkStrategy, type ContentSource, type DelimiterStrategy, type DenialOfWalletConfig, type Detection, type DetectionType, type EntropyResult, type ExtractionSchema, type GuardInputOptions, InputScanner, type InputScannerConfig, type LanguageResult, type LanguageSwitch, type PiiHandling, type PresetPolicy, PromptBuilder, type PromptBuilderConfig, type PromptMessage, type QuarantineMetadata, type QuarantineOptions, type Quarantined, type RecoveryConfig, type RecoveryMode, type RiskLevel, Sandbox, type SandboxConfig, type ScanResult, type ScanStrategy, type Sensitivity, StreamMonitor, type StreamMonitorConfig, type StreamViolation, type TrajectoryResult, type UnsafeUnwrapOptions, aegis, analyzeEntropy, detectLanguageSwitches, getPreset, isActionAllowed, isQuarantined, normalizeEncoding, parseWindow, quarantine, resolvePolicy, shannonEntropy, tryDecodeBase64 };

+204

-3

dist/index.d.ts

		@@ -147,2 +147,4 @@ /**
		};
		/** Optional: the tool output data from the previous step, used for exfiltration tracking */
		previousToolOutput?: string;
		}
		@@ -153,6 +155,100 @@ interface ActionValidationResult {
		requiresApproval: boolean;
		/** Set when the action was paused for human approval */
		awaitedApproval?: boolean;
		}
		interface ActionValidatorConfig {
		/**
		* Callback invoked when a tool requires human-in-the-loop approval.
		* Should return true to approve, false to deny.
		*/
		onApprovalNeeded?: (request: ActionValidationRequest) => Promise<boolean>;
		/**
		* When enabled, the InputScanner's pattern matching is run against
		* all string values in tool parameters. This catches injection payloads
		* hidden in MCP tool parameters.
		*/
		scanMcpParams?: boolean;
		/**
		* InputScanner configuration to use when scanMcpParams is enabled.
		* Falls back to balanced defaults if not provided.
		*/
		scannerConfig?: InputScannerConfig;
		/**
		* Denial-of-wallet detection configuration.
		* Tracks cumulative cost of expensive operations and enforces thresholds.
		*/
		denialOfWallet?: DenialOfWalletConfig;
		/**
		* Destinations considered "external" for data exfiltration prevention.
		* When noExfiltration is enabled in the policy, actions that would transmit
		* previously-read data to these tool patterns are blocked.
		* Defaults to common external-facing tools if not specified.
		*/
		exfiltrationToolPatterns?: string[];
		}
		interface DenialOfWalletConfig {
		/** Maximum total operations allowed within the window. Default: 100 */
		maxOperations?: number;
		/** Time window for tracking operations, e.g. "5m", "1h". Default: "5m" */
		window?: string;
		/** Maximum sandbox triggers within the window. Default: 10 */
		maxSandboxTriggers?: number;
		/** Maximum total tool calls within the window. Default: 50 */
		maxToolCalls?: number;
		}
		interface ChainStepOptions {
		/** Maximum number of steps before the loop is halted. Default: 25 */
		maxSteps?: number;
		/** Current step number (1-based). Required. */
		step: number;
		/** Session ID for audit correlation */
		sessionId?: string;
		/** Request ID for audit correlation */
		requestId?: string;
		/**
		* Privilege decay: the full list of tools available at step 1.
		* Tools will be progressively restricted as steps increase.
		*/
		initialTools?: string[];
		/**
		* Cumulative risk score from previous steps.
		* guardChainStep() will add to this and return it in the result.
		*/
		cumulativeRisk?: number;
		/** Risk threshold at which the chain is halted. Default: 3.0 */
		riskBudget?: number;
		}
		interface ChainStepResult {
		/** Whether this step should be allowed to proceed */
		safe: boolean;
		/** Reason for the decision */
		reason: string;
		/** Updated cumulative risk score including this step */
		cumulativeRisk: number;
		/** The scan result from analyzing the model output */
		scanResult: ScanResult;
		/** Tools still available after privilege decay for this step */
		availableTools: string[];
		/** Whether the step budget has been exhausted */
		budgetExhausted: boolean;
		}
		interface AgentLoopConfig {
		/** Default maximum steps for guardChainStep(). Default: 25 */
		defaultMaxSteps?: number;
		/** Default risk budget before halting. Default: 3.0 */
		defaultRiskBudget?: number;
		/**
		* Privilege decay schedule. Maps step thresholds to the fraction
		* of tools that remain available (0-1). For example:
		* { 10: 0.75, 20: 0.5 } means at step 10, 75% of tools remain;
		* at step 20, 50% remain.
		* Default: { 10: 0.75, 15: 0.5, 20: 0.25 }
		*/
		privilegeDecay?: Record<number, number>;
		}
		interface StreamMonitorConfig {
		canaryTokens?: string[];
		detectPII?: boolean;
		/** When true AND detectPII is true, redact PII instead of blocking the stream */
		piiRedaction?: boolean;
		detectSecrets?: boolean;
		@@ -214,2 +310,4 @@ detectInjectionPayloads?: boolean;
		canaryTokens?: string[];
		validator?: ActionValidatorConfig;
		agentLoop?: AgentLoopConfig;
		}
		@@ -280,15 +378,54 @@ interface RecoveryConfig {
		* in the real world. It checks policy, rate limits, parameter safety,
		* and intent alignment.
		* human-in-the-loop approval, MCP parameter scanning, denial-of-wallet
		* thresholds, and data exfiltration prevention.
		*/
		declare class ActionValidator {
		private policy;
		private config;
		private rateLimits;
		constructor(policy: AegisPolicy);
		private mcpScanner;
		private dowTracker;
		private dowConfig;
		private readDataFingerprints;
		private exfiltrationPatterns;
		private auditCallback?;
		constructor(policy: AegisPolicy, config?: ActionValidatorConfig);
		/**
		* Set an audit callback for logging validator decisions.
		* This is called by the Aegis class to wire up the AuditLog.
		*/
		setAuditCallback(cb: (entry: Omit<AuditEntry, "timestamp">) => void): void;
		/**
		* Record data that was read by a previous tool call.
		* Used for exfiltration detection: if a subsequent action tries to send
		* this data to an external destination, it will be blocked.
		*/
		recordReadData(data: string): void;
		/**
		* Clear read-data fingerprints (e.g. on session reset).
		*/
		clearReadData(): void;
		/**
		* Validate a proposed action against the security policy.
		*/
		check(request: ActionValidationRequest): Promise<ActionValidationResult>;
		/**
		* Record a sandbox trigger for DoW tracking.
		* Call this externally when a sandbox operation is triggered.
		*/
		recordSandboxTrigger(): void;
		private checkDenialOfWallet;
		private trackToolCall;
		private ensureDowWindow;
		private scanMcpParameters;
		private checkExfiltration;
		private requestApproval;
		private checkRateLimit;
		private checkParameters;
		private emitAudit;
		}
		/**
		* Parse a window duration string like "5m", "1h", "30s", "1d" into milliseconds.
		*/
		declare function parseWindow(window: string): number;

		@@ -324,3 +461,6 @@ /**
		private recovery;
		private agentLoopConfig;
		private sessionQuarantined;
		/** Default privilege decay schedule */
		private static readonly DEFAULT_PRIVILEGE_DECAY;
		constructor(config?: AegisConfig);
		@@ -374,2 +514,47 @@ /**
		getPolicy(): AegisPolicy;
		/**
		* Guard a single step in an agentic loop.
		*
		* This method provides multi-layer protection for agentic systems where
		* the model iterates through multiple tool-calling steps:
		*
		* 1. Quarantine the model output with source "model_output"
		* 2. Scan the output for injection payloads (T14 chain injection)
		* 3. Track cumulative risk across steps — halt if budget exceeded
		* 4. Enforce step budget — halt if max steps reached
		* 5. Apply privilege decay — progressively restrict available tools
		* 6. Audit every step with event "chain_step_scan"
		*
		* @param output - The raw model output text to scan
		* @param options - Chain step configuration
		* @returns ChainStepResult with safety verdict and updated state
		*
		* @example
		* ```ts
		* let cumulativeRisk = 0;
		* for (let step = 1; step <= 25; step++) {
		* const modelOutput = await callModel();
		* const result = await aegis.guardChainStep(modelOutput, {
		* step,
		* cumulativeRisk,
		* initialTools: ['read_file', 'write_file', 'search'],
		* });
		* if (!result.safe) break;
		* cumulativeRisk = result.cumulativeRisk;
		* // Only allow result.availableTools for the next step
		* }
		* ```
		*/
		guardChainStep(output: string, options: ChainStepOptions): Promise<ChainStepResult>;
		/**
		* Apply privilege decay based on current step.
		*
		* As the loop progresses, fewer tools remain available. This limits
		* the blast radius of a compromised agentic loop in later steps.
		*/
		private applyPrivilegeDecay;
		/**
		* Build a blocked ChainStepResult with an empty scan result.
		*/
		private buildChainStepBlockedResult;
		private getMessagesToScan;
		@@ -522,5 +707,15 @@ }
		* with zero delay; scanning happens on the accumulated buffer in parallel.
		*
		* When `piiRedaction` is enabled (and `detectPII` is true), PII matches
		* are replaced with `[REDACTED-<TYPE>]` markers instead of terminating
		* the stream. Non-PII violations (canary leaks, secrets, etc.) still
		* terminate the stream immediately.
		*/
		createTransform(): TransformStream<string, string>;
		private buildPatternList;
		/**
		* Build a list of PII patterns with their redaction labels.
		* Used by the redaction path to replace matches with [REDACTED-<LABEL>].
		*/
		private buildPiiPatternList;
		}
		@@ -622,2 +817,8 @@
		* any window exceeds the anomaly threshold.
		*
		* Adaptations to reduce false positives:
		* 1. Code blocks (backtick-delimited) are stripped before analysis.
		* 2. The threshold is raised for inputs dominated by non-Latin scripts
		* (CJK, Hangul, Cyrillic, Arabic, etc.) which naturally have higher
		* entropy due to larger character sets.
		*/
		@@ -665,2 +866,2 @@ declare function analyzeEntropy(input: string, options?: {

		export { type ActionValidationRequest, type ActionValidationResult, ActionValidator, Aegis, type AegisConfig, AegisInputBlocked, type AegisPolicy, AegisSessionQuarantined, AegisSessionTerminated, type AlertRule, type AlertingConfig, type AuditEntry, type AuditEventType, type AuditLevel, AuditLog, type AuditLogConfig, type AuditTransport, type BuiltPrompt, type ChunkStrategy, type ContentSource, type DelimiterStrategy, type Detection, type DetectionType, type EntropyResult, type ExtractionSchema, type GuardInputOptions, InputScanner, type InputScannerConfig, type LanguageResult, type LanguageSwitch, type PiiHandling, type PresetPolicy, PromptBuilder, type PromptBuilderConfig, type PromptMessage, type QuarantineMetadata, type QuarantineOptions, type Quarantined, type RecoveryConfig, type RecoveryMode, type RiskLevel, Sandbox, type SandboxConfig, type ScanResult, type ScanStrategy, type Sensitivity, StreamMonitor, type StreamMonitorConfig, type StreamViolation, type TrajectoryResult, type UnsafeUnwrapOptions, aegis, analyzeEntropy, detectLanguageSwitches, getPreset, isActionAllowed, isQuarantined, normalizeEncoding, quarantine, resolvePolicy, shannonEntropy, tryDecodeBase64 };
		export { type ActionValidationRequest, type ActionValidationResult, ActionValidator, type ActionValidatorConfig, Aegis, type AegisConfig, AegisInputBlocked, type AegisPolicy, AegisSessionQuarantined, AegisSessionTerminated, type AgentLoopConfig, type AlertRule, type AlertingConfig, type AuditEntry, type AuditEventType, type AuditLevel, AuditLog, type AuditLogConfig, type AuditTransport, type BuiltPrompt, type ChainStepOptions, type ChainStepResult, type ChunkStrategy, type ContentSource, type DelimiterStrategy, type DenialOfWalletConfig, type Detection, type DetectionType, type EntropyResult, type ExtractionSchema, type GuardInputOptions, InputScanner, type InputScannerConfig, type LanguageResult, type LanguageSwitch, type PiiHandling, type PresetPolicy, PromptBuilder, type PromptBuilderConfig, type PromptMessage, type QuarantineMetadata, type QuarantineOptions, type Quarantined, type RecoveryConfig, type RecoveryMode, type RiskLevel, Sandbox, type SandboxConfig, type ScanResult, type ScanStrategy, type Sensitivity, StreamMonitor, type StreamMonitorConfig, type StreamViolation, type TrajectoryResult, type UnsafeUnwrapOptions, aegis, analyzeEntropy, detectLanguageSwitches, getPreset, isActionAllowed, isQuarantined, normalizeEncoding, parseWindow, quarantine, resolvePolicy, shannonEntropy, tryDecodeBase64 };

+1

-1

package.json

		{
		"name": "@aegis-sdk/core",
		"version": "0.1.0",
		"version": "0.2.0",
		"description": "Streaming-first prompt injection defense for AI applications",
		@@ -5,0 +5,0 @@ "license": "MIT",

dist/index.cjs

Sorry, the diff of this file is too big to display

dist/index.cjs.map

Sorry, the diff of this file is too big to display

dist/index.js

Sorry, the diff of this file is too big to display

dist/index.js.map

Sorry, the diff of this file is too big to display

@aegis-sdk/core - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Worsened metrics