API Reference

The AZTP SDK provides a minimal, focused API for securing AI agents. Here are the public exports:

Core Function

async function secureConnect(
  agent: any, 
  options: SecureOptions
): Promise<SecuredAgent>

Configuration

interface SecureOptions {
  spiffe: {
    trustDomain: string;
    keyDir: string;
  };
  policy?: {
    endpoint?: string;
    initialPolicy?: PolicyDocument;
  };
  rpc?: {
    connection?: {
      endpoint?: string;
      hostname?: string;
      port?: number;
    };
  };
  monitoring?: {
    onEvent?: (event: SecurityEvent) => void;
  };
}
 
// OPA Policy Document Type
interface PolicyDocument {
  /** Unique identifier for the policy */
  id?: string;
  /** OPA policy code in Rego format - no other formats are supported */
  rego: string;
}
 
Example policy document:
```rego
# Basic AZTP policy example using OPA's Rego language
package aztp.policy
 
# Default deny
default allow = false
 
# Helper function for SPIFFE ID validation
is_valid_spiffe_id {
    startswith(input.sender.spiffeId.trustDomain, "spiffe://")
    input.sender.spiffeId.path != ""
}
 
# Basic allow rule - demonstrates OPA policy evaluation
allow {
    # 1. Verify SPIFFE ID
    is_valid_spiffe_id
 
    # 2. Basic action validation
    input.action in ["read", "write"]
}

Security Features

Features added to secured agents:

interface SecurityCapabilities {
  getIdentity(): Promise<Identity>;
  verifyIdentity(): Promise<boolean>;
  can(action: string, context?: Record<string, unknown>): Promise<boolean>;
  secureCall(targetId: string, action: string, payload?: Record<string, unknown>): Promise<unknown>;
}

Exported Types

// Version
const VERSION: string
 
// Core Types
type SecuredAgent<T = unknown> = T & SecurityCapabilities;
 
interface Identity {
  spiffeId: { trustDomain: string; path: string };
  x509Svid: {
    certificate: string;
    privateKey: string;
    trustBundle: string;
    expiresAt: Date;
  };
  status: {
    verified: boolean;
    lastVerified: Date;
    expiresAt: Date;
  };
  type: string;
  metadata?: Record<string, unknown>;
}
 
interface PolicyDecision {
  allowed: boolean;
  reason?: string;
  audit?: {
    timestamp: string;
    spiffeId: string;
    action: string;
  };
}
 
interface SecureMessage {
  sender: Identity;
  action: string;
  payload?: Record<string, unknown>;
}
 
interface SecurityEvent {
  type: 'identity' | 'policy' | 'rpc';
  timestamp: number;
  agentId: string;
  data: Record<string, unknown>;
}

Navigation

secureConnect() - Detailed documentation of the main function
Configuration - Configuration options
Security Features - Available security features
Types - Type definitions

Security Monitoring Configuration