diff --git a/README.md b/README.md index 757542d7..1ef4d300 100644 --- a/README.md +++ b/README.md @@ -359,6 +359,87 @@ import { StackOneToolSet } from '@stackone/ai'; const toolset = new StackOneToolSet({ baseUrl: 'https://api.example-dev.com' }); ``` +### Defender + +The SDK includes built-in prompt injection protection via [StackOne Defender](https://www.npmjs.com/package/@stackone/defender). It runs on every tool call result before the content reaches your LLM, detecting and sanitizing injection attacks hidden in external data (emails, documents, CRM notes, etc.). + +**By default, the SDK defers to your project's dashboard defender setting.** Pass an explicit `defender` config to override the project setting per toolset. + +| `defender` option | Effective behavior | +| --------------------------------- | --------------------------------------------------------- | +| omitted _(default)_ | Project dashboard setting controls — SDK adds nothing | +| `{ useProjectSettings: true }` | Same as omitting; explicit, self-documenting form | +| `{ enabled, blockHighRisk, ... }` | SDK-level config wins, overrides the project setting | +| `null` | Defender forcibly disabled, overrides the project setting | + +When passing an explicit object, missing fields fall back to `DEFAULT_DEFENDER_CONFIG` (exported from `@stackone/ai`): `enabled: true`, `blockHighRisk: false`, both tiers on. + +#### Configuration modes + +```typescript +import { StackOneToolSet, DEFAULT_DEFENDER_CONFIG } from '@stackone/ai'; + +// Default — defer to project dashboard setting +const toolset = new StackOneToolSet({ apiKey: '...' }); + +// Same as default, explicit form +const toolset = new StackOneToolSet({ + apiKey: '...', + defender: { useProjectSettings: true }, +}); + +// Explicitly disabled — overrides any project setting +const toolset = new StackOneToolSet({ + apiKey: '...', + defender: null, +}); + +// Opt in with safe defaults, but block on HIGH/CRITICAL — overrides project setting +const toolset = new StackOneToolSet({ + apiKey: '...', + defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: true }, +}); + +// Fully explicit SDK-level config +const toolset = new StackOneToolSet({ + apiKey: '...', + defender: { + enabled: true, + blockHighRisk: true, // throw on HIGH or CRITICAL risk + useTier1Classification: true, // pattern-based (regex, role markers) + useTier2Classification: true, // ML-based (ONNX model) + }, +}); +``` + +#### Inspecting and observing the resolved mode + +Use the `defenderMode` getter to check how a toolset will behave at runtime: + +```typescript +const toolset = new StackOneToolSet({ apiKey: '...', defender: null }); +toolset.defenderMode; // 'disabled' | 'explicit' | 'project' +``` + +When the SDK overrides the project dashboard (mode `disabled` or `explicit`), it emits a yellow `console.warn` line once per process per distinct override shape so the override is visible at runtime without spamming logs. Pass `NO_COLOR=1` to suppress color, or `FORCE_COLOR=1` to force it when piping output. The `project` mode is silent. + +#### Risk levels + +Defender assigns a risk level to each scanned result: + +| Level | Meaning | +| ---------- | --------------------------------------------------- | +| `low` | No threats detected | +| `medium` | Suspicious patterns detected, role markers stripped | +| `high` | Injection patterns found, content redacted | +| `critical` | Severe injection attempt with multiple indicators | + +When `blockHighRisk: false` (default), `high` and `critical` results are annotated and returned — the LLM sees the sanitized content. When `blockHighRisk: true`, those results are blocked entirely. + +[View full example](examples/defender-config.ts) + +For more detail on how the detection pipeline works, see the [`@stackone/defender`](https://www.npmjs.com/package/@stackone/defender) package. + ### Testing with dryRun You can use the `dryRun` option to return the api arguments from a tool call without making the actual api call: diff --git a/examples/README.md b/examples/README.md index 0b6faba3..7793ff3a 100644 --- a/examples/README.md +++ b/examples/README.md @@ -74,6 +74,10 @@ Covers five approaches to finding the right tools at runtime: direct fetch with Walks through every way to configure API keys and account IDs: reading from environment variables, passing them explicitly to the constructor, setting multiple accounts with `setAccounts()`, overriding per-tool collection or per individual tool, and fetching tools for multiple accounts in one call. +### [`defender-config.ts`](./defender-config.ts) -- Defender Configuration + +Demonstrates the four ways to configure prompt-injection detection on a `StackOneToolSet`: omit (defer to project dashboard), `{ useProjectSettings: true }` (explicit form of the default), `null` (force off), and explicit config objects. Shows the `defenderMode` getter and the once-per-process warning the SDK emits when it overrides the dashboard. Sections 1–7 are construction-only; section 8 makes a live RPC call when `STACKONE_API_KEY` is set so you can inspect the `defenderMetadata` shape the backend returns. + ## Environment Variables | Variable | Required | Used By | diff --git a/examples/defender-config.ts b/examples/defender-config.ts new file mode 100644 index 00000000..506d7e38 --- /dev/null +++ b/examples/defender-config.ts @@ -0,0 +1,182 @@ +/** + * Defender configuration patterns. + * + * Sections 1–7 are construction-only: the four configuration modes, + * the `defenderMode` getter, the once-per-process override warning, + * and the runtime validation error. No API key required. + * + * Section 8 makes a live RPC call so you can see the defender + * annotations the backend returns. It's gated on `STACKONE_API_KEY` + * and skips with a friendly message if you don't have one set. + * + * Run with: + * pnpm run:example examples/defender-config.ts + * + * Or override the connector and tool for section 8: + * TOOL_NAME=calendly_get_current_user TOOL_BODY_JSON='{}' pnpm run:example examples/defender-config.ts + * TOOL_NAME=hibob_list_employees TOOL_BODY_JSON='{"page_size": 5}' pnpm run:example examples/defender-config.ts + * + * Live section env vars: + * STACKONE_API_KEY (required to run section 8; read from .env via run:example) + * STACKONE_ACCOUNT_ID (required for tool execution unless your key has a default account) + * TOOL_NAME (defaults to gmail_list_messages) + * TOOL_BODY_JSON (JSON body, defaults to `{}`) + */ + +import process from 'node:process'; +import type { JsonObject } from '@stackone/ai'; +import { DEFAULT_DEFENDER_CONFIG, StackOneToolSet, ToolSetConfigError } from '@stackone/ai'; + +const heading = (label: string): void => { + console.log(`\n=== ${label} ===`); +}; + +// --- 1. Default — defer to project dashboard --- +const defaultMode = (): void => { + heading('1. Default (omit defender) — defer to dashboard'); + const toolset = new StackOneToolSet({ apiKey: 'demo-key' }); + console.log(` defenderMode: ${toolset.defenderMode}`); + console.log(' SDK adds no defender_config to the RPC payload.'); +}; + +// --- 2. Explicit form of the default --- +const explicitProject = (): void => { + heading('2. defender: { useProjectSettings: true } — same as default'); + const toolset = new StackOneToolSet({ + apiKey: 'demo-key', + defender: { useProjectSettings: true }, + }); + console.log(` defenderMode: ${toolset.defenderMode}`); +}; + +// --- 3. Force off — overrides dashboard --- +const disabled = (): void => { + heading('3. defender: null — forcibly disabled (overrides dashboard)'); + const toolset = new StackOneToolSet({ apiKey: 'demo-key', defender: null }); + console.log(` defenderMode: ${toolset.defenderMode}`); + console.log(' SDK sends defender_config with all fields false.'); +}; + +// --- 4. Spread defaults + tweak one field --- +const explicitOptIn = (): void => { + heading('4. Spread DEFAULT_DEFENDER_CONFIG + override one field'); + const toolset = new StackOneToolSet({ + apiKey: 'demo-key', + defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: true }, + }); + console.log(` defenderMode: ${toolset.defenderMode}`); +}; + +// --- 5. Repeat the same shape — dedupe should suppress the warning --- +const repeatedExplicit = (): void => { + heading('5. Repeat the same explicit shape — warning suppressed'); + const toolset = new StackOneToolSet({ + apiKey: 'demo-key', + defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: true }, + }); + console.log(` defenderMode: ${toolset.defenderMode}`); +}; + +// --- 6. Different explicit shape — fresh warning fires --- +const differentExplicit = (): void => { + heading('6. Different explicit shape — fresh warning'); + const toolset = new StackOneToolSet({ + apiKey: 'demo-key', + defender: { + enabled: true, + blockHighRisk: false, + useTier1Classification: true, + useTier2Classification: false, + }, + }); + console.log(` defenderMode: ${toolset.defenderMode}`); +}; + +// --- 7. Runtime validation --- +const invalidCombo = (): void => { + heading('7. useProjectSettings: true + other fields → throws'); + try { + new StackOneToolSet({ + apiKey: 'demo-key', + // @ts-expect-error - intentionally testing invalid runtime input + defender: { useProjectSettings: true, enabled: true }, + }); + console.log(' (no throw — unexpected!)'); + } catch (err) { + if (err instanceof ToolSetConfigError) { + console.log(` caught ToolSetConfigError: ${err.message}`); + } else { + throw err; + } + } +}; + +// --- 8. Live tool call — inspect defender annotations in the real response --- +const liveCall = async (): Promise => { + heading('8. Live tool call — inspect defender annotations'); + + if (!process.env.STACKONE_API_KEY) { + console.log(' Skipping — set STACKONE_API_KEY to run this section.'); + console.log(' Optional: STACKONE_ACCOUNT_ID, TOOL_NAME, TOOL_BODY_JSON.'); + return; + } + + const toolName = process.env.TOOL_NAME ?? 'gmail_list_messages'; + let body: JsonObject; + try { + body = JSON.parse(process.env.TOOL_BODY_JSON ?? '{}') as JsonObject; + } catch (err) { + console.log(` Invalid TOOL_BODY_JSON: ${(err as Error).message}`); + return; + } + + const toolset = new StackOneToolSet({ + defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: false }, + }); + + console.log(` Fetching tools and calling ${toolName}...`); + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === toolName); + if (!tool) { + console.log(` Tool "${toolName}" not in this account.`); + return; + } + + const result = await tool.execute({ body }); + + // The backend surfaces defender annotations alongside the tool data: + // + // { + // data: , + // defenderMetadata: { + // applied: boolean, // false if defender ran but did nothing + // result: { + // allowed: boolean, // false → backend blocked (with blockHighRisk: true) + // riskLevel: 'low' | 'medium' | 'high' | 'critical', + // fieldsSanitized: string[], + // patternsByField: Record, + // detections: unknown[], + // tier2SkipReason?: string, // only when Tier 2 didn't run (e.g. no strings) + // latencyMs: number, + // } + // } + // } + const metadata = (result as { defenderMetadata?: unknown }).defenderMetadata; + if (metadata) { + console.log(' defenderMetadata:', JSON.stringify(metadata, null, 2)); + } else { + console.log(' (no defenderMetadata in response — defender may not have run)'); + } +}; + +// --- Run all sections --- +defaultMode(); +explicitProject(); +disabled(); +explicitOptIn(); +repeatedExplicit(); +differentExplicit(); +invalidCombo(); +await liveCall(); + +console.log('\nDone — defender patterns demonstrated.'); diff --git a/mocks/handlers.stackone-rpc.ts b/mocks/handlers.stackone-rpc.ts index 804e9c2a..3ed0bed6 100644 --- a/mocks/handlers.stackone-rpc.ts +++ b/mocks/handlers.stackone-rpc.ts @@ -20,6 +20,12 @@ export const stackoneRpcHandlers = [ const body = (await request.json()) as { action?: string; body?: Record; + defender_config?: { + enabled?: boolean; + block_high_risk?: boolean; + use_tier1_classification?: boolean; + use_tier2_classification?: boolean; + }; headers?: Record; path?: Record; query?: Record; @@ -70,17 +76,34 @@ export const stackoneRpcHandlers = [ ); } - // Default response for other actions + // Synthetic defender annotations + const defenderMetadata = body.defender_config + ? { + applied: body.defender_config.enabled !== false, + result: { + allowed: true, + riskLevel: 'low', + fieldsSanitized: [], + patternsByField: {}, + detections: [], + latencyMs: 0, + }, + } + : undefined; + + // Default response for other actions — echo back received fields return HttpResponse.json({ data: { action: body.action, received: { body: body.body, + defender_config: body.defender_config, headers: body.headers, path: body.path, query: body.query, }, }, + ...(defenderMetadata ? { defenderMetadata } : {}), }); }), ]; diff --git a/src/index.ts b/src/index.ts index da37d4ca..97269851 100644 --- a/src/index.ts +++ b/src/index.ts @@ -30,9 +30,13 @@ export { type SemanticSearchResult, } from './semantic-search'; +export { DEFAULT_DEFENDER_CONFIG } from './types'; + export type { AISDKToolDefinition, AISDKToolResult, + DefenderConfig, + DefenderMode, ExecuteConfig, ExecuteOptions, JsonObject, diff --git a/src/rpc-client.test.ts b/src/rpc-client.test.ts index 6d69f15f..3bba979a 100644 --- a/src/rpc-client.test.ts +++ b/src/rpc-client.test.ts @@ -128,3 +128,32 @@ test('should send x-account-id as HTTP header', async () => { bodyHeader: 'test-account-123', }); }); + +test('should forward defender_config in request payload', async () => { + const client = new RpcClient({ + serverURL: TEST_BASE_URL, + security: { username: 'test-api-key' }, + }); + + const response = await client.actions.rpcAction({ + action: 'custom_action', + defender_config: { enabled: true, block_high_risk: false }, + }); + + expect(response.data).toMatchObject({ + received: { defender_config: { enabled: true, block_high_risk: false } }, + }); +}); + +test('should omit defender_config from payload when not provided', async () => { + const client = new RpcClient({ + serverURL: TEST_BASE_URL, + security: { username: 'test-api-key' }, + }); + + const response = await client.actions.rpcAction({ + action: 'custom_action', + }); + + expect((response.data as Record).received).not.toHaveProperty('defender_config'); +}); diff --git a/src/rpc-client.ts b/src/rpc-client.ts index bc2f88a5..cd6840a7 100644 --- a/src/rpc-client.ts +++ b/src/rpc-client.ts @@ -52,10 +52,13 @@ export class RpcClient { const requestBody = { action: validatedRequest.action, body: validatedRequest.body, + ...(validatedRequest.defender_config !== undefined && { + defender_config: validatedRequest.defender_config, + }), headers: validatedRequest.headers, path: validatedRequest.path, query: validatedRequest.query, - } as const satisfies RpcActionRequest; + } satisfies RpcActionRequest; // Forward StackOne-specific headers as HTTP headers const requestHeaders = validatedRequest.headers; diff --git a/src/schema.ts b/src/schema.ts index 4e9ccac2..345abfa8 100644 --- a/src/schema.ts +++ b/src/schema.ts @@ -1,6 +1,16 @@ import { z } from 'zod/v4-mini'; import { stackOneHeadersSchema } from './headers'; +/** + * Zod schema for nested defender configuration sent with each RPC request + */ +const defenderConfigRequestSchema = z.object({ + enabled: z.optional(z.boolean()), + block_high_risk: z.optional(z.boolean()), + use_tier1_classification: z.optional(z.boolean()), + use_tier2_classification: z.optional(z.boolean()), +}); + /** * Zod schema for RPC action request validation * @see https://docs.stackone.com/platform/api-reference/actions/make-an-rpc-call-to-an-action @@ -8,6 +18,7 @@ import { stackOneHeadersSchema } from './headers'; export const rpcActionRequestSchema = z.object({ action: z.string(), body: z.optional(z.record(z.string(), z.unknown())), + defender_config: z.optional(defenderConfigRequestSchema), headers: z.optional(stackOneHeadersSchema), path: z.optional(z.record(z.string(), z.unknown())), query: z.optional(z.record(z.string(), z.unknown())), diff --git a/src/toolsets.test.ts b/src/toolsets.test.ts index 388d61c7..74c0f3b4 100644 --- a/src/toolsets.test.ts +++ b/src/toolsets.test.ts @@ -12,7 +12,12 @@ import { type McpToolDefinition, createMcpApp } from '../mocks/mcp-server'; import { server } from '../mocks/node'; import { TEST_BASE_URL } from '../mocks/constants'; import { SemanticSearchError } from './semantic-search'; -import { SearchTool, StackOneToolSet, ToolSetConfigError } from './toolsets'; +import { + SearchTool, + StackOneToolSet, + ToolSetConfigError, + __resetDefenderInfoLog, +} from './toolsets'; describe('StackOneToolSet', () => { beforeEach(() => { @@ -560,6 +565,208 @@ describe('StackOneToolSet', () => { }); }); + describe('defender config', () => { + it('should store defender config from constructor', () => { + const toolset = new StackOneToolSet({ + apiKey: 'test-key', + defender: { enabled: false }, + }); + + // @ts-expect-error - Accessing private property for testing + expect(toolset.defenderConfig).toEqual({ enabled: false }); + }); + + it('should normalize omitted defender to useProjectSettings: true', () => { + const toolset = new StackOneToolSet({ apiKey: 'test-key' }); + + // @ts-expect-error - Accessing private property for testing + expect(toolset.defenderConfig).toEqual({ useProjectSettings: true }); + }); + + it('should include defender_config in dryRun payload when defender.enabled is set', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + apiKey: 'test-key', + accountId: 'test-account', + defender: { enabled: false }, + }); + + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'tool should be defined'); + + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody.defender_config.enabled).toBe(false); + }); + + it('should omit defender_config from dryRun payload when defender config is not set', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + apiKey: 'test-key', + accountId: 'test-account', + }); + + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'tool should be defined'); + + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody).not.toHaveProperty('defender_config'); + }); + + it('should forward defender_config in live RPC call when defender.enabled is set', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + apiKey: 'test-key', + accountId: 'test-account', + defender: { enabled: true }, + }); + + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'tool should be defined'); + + const result = await tool.execute({ body: { name: 'test' } }); + + expect(result).toMatchObject({ + data: { received: { defender_config: { enabled: true } } }, + }); + }); + + it('should send defender_config with all fields false when defender is null', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + apiKey: 'test-key', + accountId: 'test-account', + defender: null, + }); + + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'tool should be defined'); + + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody.defender_config).toEqual({ + enabled: false, + block_high_risk: false, + use_tier1_classification: false, + use_tier2_classification: false, + }); + }); + + it('should omit defender_config from payload when useProjectSettings is true', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + apiKey: 'test-key', + accountId: 'test-account', + defender: { useProjectSettings: true }, + }); + + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'tool should be defined'); + + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody).not.toHaveProperty('defender_config'); + }); + + it('should throw ToolSetConfigError when useProjectSettings is combined with other defender options', () => { + expect( + () => + new StackOneToolSet({ + apiKey: 'test-key', + // @ts-expect-error - intentionally testing invalid runtime input + defender: { useProjectSettings: true, enabled: true }, + }), + ).toThrow(ToolSetConfigError); + }); + + describe('defenderMode getter', () => { + it('returns "project" when defender is omitted', () => { + const toolset = new StackOneToolSet({ apiKey: 'test-key' }); + expect(toolset.defenderMode).toBe('project'); + }); + + it('returns "project" when defender is { useProjectSettings: true }', () => { + const toolset = new StackOneToolSet({ + apiKey: 'test-key', + defender: { useProjectSettings: true }, + }); + expect(toolset.defenderMode).toBe('project'); + }); + + it('returns "disabled" when defender is null', () => { + const toolset = new StackOneToolSet({ apiKey: 'test-key', defender: null }); + expect(toolset.defenderMode).toBe('disabled'); + }); + + it('returns "explicit" when defender is an explicit config object', () => { + const toolset = new StackOneToolSet({ + apiKey: 'test-key', + defender: { useTier2Classification: false }, + }); + expect(toolset.defenderMode).toBe('explicit'); + }); + }); + + describe('override info log', () => { + beforeEach(() => { + __resetDefenderInfoLog(); + }); + + it('logs once for disabled mode and dedupes repeat constructions', () => { + const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {}); + new StackOneToolSet({ apiKey: 'test-key', defender: null }); + new StackOneToolSet({ apiKey: 'test-key', defender: null }); + const disabledCalls = warnSpy.mock.calls.filter((args) => + String(args[0]).includes('forcibly disabled'), + ); + expect(disabledCalls).toHaveLength(1); + warnSpy.mockRestore(); + }); + + it('logs once for an explicit config and dedupes the same shape', () => { + const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {}); + new StackOneToolSet({ + apiKey: 'test-key', + defender: { enabled: true, useTier1Classification: false, useTier2Classification: false }, + }); + new StackOneToolSet({ + apiKey: 'test-key', + defender: { enabled: true, useTier1Classification: false, useTier2Classification: false }, + }); + const explicitCalls = warnSpy.mock.calls.filter((args) => + String(args[0]).includes('configured via SDK'), + ); + expect(explicitCalls).toHaveLength(1); + expect(String(explicitCalls[0]?.[0])).toContain('useTier1Classification=false'); + warnSpy.mockRestore(); + }); + + it('does not log when defender is omitted or useProjectSettings', () => { + const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {}); + new StackOneToolSet({ apiKey: 'test-key' }); + new StackOneToolSet({ + apiKey: 'test-key', + defender: { useProjectSettings: true }, + }); + const defenderCalls = warnSpy.mock.calls.filter((args) => + String(args[0]).toLowerCase().includes('defender'), + ); + expect(defenderCalls).toHaveLength(0); + warnSpy.mockRestore(); + }); + }); + }); + describe('provider and action filtering', () => { it('filters tools by providers', async () => { const toolset = new StackOneToolSet({ diff --git a/src/toolsets.ts b/src/toolsets.ts index 4098a78e..ed23f08f 100644 --- a/src/toolsets.ts +++ b/src/toolsets.ts @@ -14,6 +14,8 @@ import { } from './semantic-search'; import { BaseTool, Tools } from './tool'; import type { + DefenderConfig, + DefenderMode, ExecuteOptions, JsonObject, JsonSchemaProperties, @@ -22,6 +24,7 @@ import type { SearchConfig, ToolParameters, } from './types'; +import { DEFAULT_DEFENDER_CONFIG } from './types'; import { StackOneError } from './utils/error-stackone'; import { StackOneAPIError } from './utils/error-stackone-api'; import { normalizeActionName } from './utils/normalize'; @@ -163,6 +166,15 @@ interface StackOneToolSetBaseConfig extends BaseToolSetConfig { * Pass `{ accountIds: ['acc-1'] }` to scope tools to specific accounts. */ execute?: ExecuteToolsConfig; + /** + * Defender configuration. Controls prompt injection detection behavior for all tool calls. + * + * - Omit or pass `undefined` (default) → defer to the project dashboard setting + * - Pass `{ useProjectSettings: true }` → same as omitting; explicit form of the default + * - Pass `{ enabled, blockHighRisk, ... }` → explicit SDK-level config, overrides project settings + * - Pass `null` → defender explicitly disabled, overrides project settings + */ + defender?: DefenderConfig | null; } /** @@ -448,6 +460,106 @@ export function createExecuteTool( return tool; } +/** Wire-format defender config sent to the backend RPC action. */ +interface DefenderApiConfig { + enabled: boolean; + block_high_risk: boolean; + use_tier1_classification: boolean; + use_tier2_classification: boolean; +} + +/** Type guard: discriminate the `useProjectSettings: true` variant of DefenderConfig. */ +function usesProjectSettings(config: DefenderConfig): config is { useProjectSettings: true } { + return 'useProjectSettings' in config && config.useProjectSettings === true; +} + +/** + * Shapes already logged this process, keyed by mode + serialized wire payload. + * Ensures we surface one warning per distinct override shape, not per construction. + */ +const loggedDefenderShapes = new Set(); + +/** + * Test-only: clear the once-per-process dedupe cache for defender override warnings. + * @internal + */ +export function __resetDefenderInfoLog(): void { + loggedDefenderShapes.clear(); +} + +/** Wrap text in yellow ANSI, only when stderr is a TTY and color isn't suppressed. */ +function colorizeOverrideWarning(text: string): string { + if (process.env.NO_COLOR) return text; + if (!process.env.FORCE_COLOR && !process.stderr.isTTY) return text; + return `\x1b[33m${text}\x1b[0m`; +} + +/** + * Warn once when the SDK overrides the project dashboard's defender setting. + * Silent for `project` mode (no override) and for repeat constructions with the same shape. + */ +function logDefenderOverride( + config: DefenderConfig | null, + wireFields: { defender_config: DefenderApiConfig } | Record, +): void { + if (config === null) { + const key = 'disabled'; + if (loggedDefenderShapes.has(key)) return; + loggedDefenderShapes.add(key); + console.warn( + colorizeOverrideWarning( + 'Defender forcibly disabled via SDK config; project dashboard setting will be ignored.', + ), + ); + return; + } + if (usesProjectSettings(config)) return; + const key = `explicit:${JSON.stringify(wireFields)}`; + if (loggedDefenderShapes.has(key)) return; + loggedDefenderShapes.add(key); + const fields = (wireFields as { defender_config: DefenderApiConfig }).defender_config; + console.warn( + colorizeOverrideWarning( + `Defender configured via SDK (enabled=${fields.enabled}, blockHighRisk=${fields.block_high_risk}, useTier1Classification=${fields.use_tier1_classification}, useTier2Classification=${fields.use_tier2_classification}); project dashboard setting will be ignored.`, + ), + ); +} + +/** + * Map SDK DefenderConfig to the wire-format sent in the RPC body. + * + * - `null` → explicitly disabled (all fields false, overrides project setting) + * - `{ useProjectSettings: true }` → empty object (omitted from payload, project setting controls) + * - explicit object → wire format with missing fields filled from `DEFAULT_DEFENDER_CONFIG` + */ +function buildDefenderFields( + config: DefenderConfig | null, +): { defender_config: DefenderApiConfig } | Record { + if (config === null) { + return { + defender_config: { + enabled: false, + block_high_risk: false, + use_tier1_classification: false, + use_tier2_classification: false, + }, + }; + } + if (usesProjectSettings(config)) { + return {}; + } + return { + defender_config: { + enabled: config.enabled ?? DEFAULT_DEFENDER_CONFIG.enabled, + block_high_risk: config.blockHighRisk ?? DEFAULT_DEFENDER_CONFIG.blockHighRisk, + use_tier1_classification: + config.useTier1Classification ?? DEFAULT_DEFENDER_CONFIG.useTier1Classification, + use_tier2_classification: + config.useTier2Classification ?? DEFAULT_DEFENDER_CONFIG.useTier2Classification, + }, + }; +} + /** * Class for loading StackOne tools via MCP */ @@ -459,6 +571,8 @@ export class StackOneToolSet { private readonly timeout: number; private readonly searchConfig: SearchConfig | null; private readonly executeConfig: ExecuteToolsConfig | undefined; + private readonly defenderConfig: DefenderConfig | null; + private readonly defenderFields: { defender_config: DefenderApiConfig } | Record; /** * Account ID for StackOne API @@ -520,6 +634,26 @@ export class StackOneToolSet { this.searchConfig = config?.search != null ? { method: 'auto', ...config.search } : null; this.executeConfig = config?.execute; + // Resolve defender config: + // undefined → defer to project dashboard setting (normalized to { useProjectSettings: true }) + // null → explicitly disabled (overrides project setting) + // object → validate then store as-is + const defenderInput = config?.defender; + if ( + defenderInput != null && + typeof defenderInput === 'object' && + usesProjectSettings(defenderInput) && + Object.keys(defenderInput).length > 1 + ) { + throw new ToolSetConfigError( + 'Cannot combine useProjectSettings: true with explicit defender options. Use one or the other.', + ); + } + this.defenderConfig = + defenderInput === undefined ? { useProjectSettings: true } : defenderInput; + this.defenderFields = buildDefenderFields(this.defenderConfig); + logDefenderOverride(this.defenderConfig, this.defenderFields); + // Set Authentication headers if provided if (this.authentication) { // Only set auth headers if they don't already exist in custom headers @@ -560,6 +694,19 @@ export class StackOneToolSet { private catalogCache: Map = new Map(); private toolIndexCache?: { tools: Tools; index: ToolIndex }; + /** + * Resolved defender behavior for this toolset. + * + * - `'project'` — SDK adds no `defender_config` to the RPC payload; the project dashboard controls. + * - `'disabled'` — SDK forces defender off (overrides the dashboard). + * - `'explicit'` — SDK sends an explicit `defender_config` (overrides the dashboard). + */ + get defenderMode(): DefenderMode { + if (this.defenderConfig === null) return 'disabled'; + if (usesProjectSettings(this.defenderConfig)) return 'project'; + return 'explicit'; + } + /** * Set account IDs for filtering tools * @param accountIds Array of account IDs to filter tools by @@ -1274,6 +1421,7 @@ export class StackOneToolSet { const requestPayload = { action: name, body: rpcBody, + ...this.defenderFields, headers: actionHeaders, path: pathParams ?? undefined, query: queryParams ?? undefined, @@ -1291,6 +1439,7 @@ export class StackOneToolSet { const response = await actionsClient.actions.rpcAction({ action: name, body: rpcBody, + ...this.defenderFields, headers: actionHeaders, path: pathParams ?? undefined, query: queryParams ?? undefined, diff --git a/src/types.ts b/src/types.ts index ba3ebf55..2b2ff738 100644 --- a/src/types.ts +++ b/src/types.ts @@ -234,3 +234,64 @@ export interface ClaudeAgentSdkOptions { */ serverVersion?: string; } + +/** + * Defender configuration for controlling prompt injection detection behavior. + * Field names match the canonical `DefenderSettings` from `@stackone/core`. + * + * Four modes: + * - Omit `defender` entirely (default) — defer to whatever is configured in the project dashboard. + * The SDK sends no `defender_config` in the RPC payload, so the project setting controls behavior. + * - `{ useProjectSettings: true }` — same as omitting; provided as a self-documenting opt-in. + * No other fields may be set alongside this (TypeScript enforces it; a runtime error is also thrown). + * - An explicit config object — the SDK owns the defender settings and sends them with every + * RPC call, overriding any project-level config. + * - `null` — defender is explicitly disabled for all tool calls, overriding the project setting. + */ +export type DefenderConfig = + | { useProjectSettings: true } + | { + useProjectSettings?: false; + /** Whether to run defender at all. Default: `true`. */ + enabled?: boolean; + /** + * Whether to block tool execution when a HIGH risk score is detected. + * Default: `false` (scan and annotate, but do not block). + */ + blockHighRisk?: boolean; + /** Whether to enable tier 1 pattern-based (regex) detection. Default: `true`. */ + useTier1Classification?: boolean; + /** Whether to enable tier 2 ML-based detection. Default: `true`. */ + useTier2Classification?: boolean; + }; + +/** + * Reference values for a fully-enabled defender configuration with safe defaults + * (scan with both tiers, annotate but never block). + * + * Spread this into an explicit `defender` config to opt in with one tweak: + * ```ts + * defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: true } + * ``` + * + * These values are also the per-field fallbacks applied when an explicit `defender` + * config object is passed with some fields omitted. + * + * Note: this is NOT applied when `defender` is omitted entirely — in that case the SDK + * defers to the project dashboard setting and sends no `defender_config` in the payload. + */ +export const DEFAULT_DEFENDER_CONFIG = { + enabled: true, + blockHighRisk: false, + useTier1Classification: true, + useTier2Classification: true, +} as const; + +/** + * Resolved defender behavior on a `StackOneToolSet`. + * + * - `'project'` — SDK adds no `defender_config` to the RPC payload; the project dashboard controls. + * - `'disabled'` — SDK forces defender off, overriding the dashboard. + * - `'explicit'` — SDK sends an explicit `defender_config`, overriding the dashboard. + */ +export type DefenderMode = 'project' | 'disabled' | 'explicit'; diff --git a/tests/examples/defender-config.test.ts b/tests/examples/defender-config.test.ts new file mode 100644 index 00000000..13368652 --- /dev/null +++ b/tests/examples/defender-config.test.ts @@ -0,0 +1,155 @@ +/** + * E2E test for defender-config.ts example. + * + * Exercises the same defender configuration patterns the example + * demonstrates and asserts the resulting wire payloads via dryRun. + * Construction-time `defenderMode` and override-warning behavior is + * covered in `src/toolsets.test.ts`. + */ + +import { TEST_BASE_URL } from '../../mocks/constants'; +import { DEFAULT_DEFENDER_CONFIG, StackOneToolSet, ToolSetConfigError } from '../../src'; + +describe('defender-config example e2e', () => { + beforeEach(() => { + vi.stubEnv('STACKONE_API_KEY', 'test-key'); + // Silence override warnings so they don't pollute test output. + vi.spyOn(console, 'warn').mockImplementation(() => {}); + }); + + afterEach(() => { + vi.unstubAllEnvs(); + vi.restoreAllMocks(); + }); + + const fetchDummyTool = async (toolset: StackOneToolSet) => { + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'dummy_action tool should be defined in mocks'); + return tool; + }; + + it('omits defender_config when defender is not passed (mode 1)', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + accountId: 'test-account', + }); + expect(toolset.defenderMode).toBe('project'); + + const tool = await fetchDummyTool(toolset); + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody).not.toHaveProperty('defender_config'); + }); + + it('omits defender_config when defender is { useProjectSettings: true } (mode 2)', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + accountId: 'test-account', + defender: { useProjectSettings: true }, + }); + expect(toolset.defenderMode).toBe('project'); + + const tool = await fetchDummyTool(toolset); + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody).not.toHaveProperty('defender_config'); + }); + + it('sends all-false defender_config when defender is null (mode 3)', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + accountId: 'test-account', + defender: null, + }); + expect(toolset.defenderMode).toBe('disabled'); + + const tool = await fetchDummyTool(toolset); + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody.defender_config).toEqual({ + enabled: false, + block_high_risk: false, + use_tier1_classification: false, + use_tier2_classification: false, + }); + }); + + it('applies DEFAULT_DEFENDER_CONFIG fallbacks with explicit overrides (mode 4)', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + accountId: 'test-account', + defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: true }, + }); + expect(toolset.defenderMode).toBe('explicit'); + + const tool = await fetchDummyTool(toolset); + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody.defender_config).toEqual({ + enabled: true, + block_high_risk: true, + use_tier1_classification: true, + use_tier2_classification: true, + }); + }); + + it('sends the exact explicit fields for a fully specified config (mode 6)', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + accountId: 'test-account', + defender: { + enabled: true, + blockHighRisk: false, + useTier1Classification: true, + useTier2Classification: false, + }, + }); + expect(toolset.defenderMode).toBe('explicit'); + + const tool = await fetchDummyTool(toolset); + const result = await tool.execute({ body: { name: 'test' } }, { dryRun: true }); + const parsedBody = JSON.parse(result.body as string); + expect(parsedBody.defender_config).toEqual({ + enabled: true, + block_high_risk: false, + use_tier1_classification: true, + use_tier2_classification: false, + }); + }); + + it('throws ToolSetConfigError when useProjectSettings is combined with other fields (mode 7)', () => { + expect( + () => + new StackOneToolSet({ + apiKey: 'demo-key', + // @ts-expect-error - intentionally testing invalid runtime input + defender: { useProjectSettings: true, enabled: true }, + }), + ).toThrow(ToolSetConfigError); + }); + + it('surfaces defenderMetadata alongside data in live RPC responses (mode 8)', async () => { + const toolset = new StackOneToolSet({ + baseUrl: TEST_BASE_URL, + accountId: 'test-account', + defender: { ...DEFAULT_DEFENDER_CONFIG, blockHighRisk: false }, + }); + + const tools = await toolset.fetchTools(); + const tool = tools.toArray().find((t) => t.name === 'dummy_action'); + assert(tool, 'dummy_action tool should be defined in mocks'); + + const result = await tool.execute({ body: { name: 'test' } }); + const metadata = (result as { defenderMetadata?: Record }).defenderMetadata; + + expect(metadata).toBeDefined(); + assert(metadata, 'defenderMetadata should be defined'); + expect(metadata.applied).toBe(true); + expect(metadata.result).toMatchObject({ + allowed: true, + riskLevel: expect.stringMatching(/^(low|medium|high|critical)$/), + fieldsSanitized: expect.any(Array), + }); + }); +});