@wire-protocol/core

Wire Protocol engine — secure API execution for LLM agents.

The core engine behind Wire Protocol. Intercepts bash curl commands, validates them against skill definitions, injects credentials at runtime, and maintains a full audit trail.

Install

npm install @wire-protocol/core

Usage

import { WireEngine, EnvSecretsProvider, FileAuditLog } from '@wire-protocol/core'

const engine = new WireEngine({
  skills: ['.wire/github.wire.yaml'],
  secrets: new EnvSecretsProvider(),
  onConfirm: async (endpoint, message) => {
    return await askUser(message ?? `Allow ${endpoint.method} ${endpoint.path}?`)
  },
  auditLog: new FileAuditLog('./wire-audit.ndjson')
})

await engine.init()

// Validate without executing
const check = await engine.intercept(bashCommand)
if (!check.allowed) console.error(check.reason)

// Execute with full security pipeline
const result = await engine.run(bashCommand)

Security pipeline

Every curl command goes through:

1. URL Guard — domain allowlist, method allowlist, SSRF protection (private IPs always blocked)
2. Token Injector — ${PLACEHOLDER} replaced with real secrets (below the logger)
3. Confirm Gate — write operations halt for user approval
4. Executor — sanitized command runs (30s timeout, 1MB buffer)
5. ScrubLogger — tokens replaced with [WIRE_REDACTED] in all output
6. Response Processor — jq extraction, truncation, SSE parsing
7. Audit Log — every execution logged: skill, endpoint, URL, timing, exit code

Secrets providers

import {
  EnvSecretsProvider,    // process.env + auto-loads .env
  AWSSecretsProvider,    // AWS Secrets Manager
  VaultSecretsProvider,  // HashiCorp Vault
  FileSecretsProvider,   // AES-256-CBC encrypted local file
} from '@wire-protocol/core'

Auth types supported

bearer · api_key · basic · query_param · oauth2 · oauth2_client_credentials · aws_sigv4

Links

• Full documentation & README
• Skill specification
• JSON Schema
• Issues
• @wire-protocol/cli — CLI tool

License

MIT © YuvakiranGC