# AWS Bedrock Security Guardrails for Stripe Payment Agents
> A guardrail layer that inspects and secures every Stripe API call initiated by AI agents, stopping unauthorized charges and PII leaks.
## What this does
This recipe builds an **MCP gateway** that intercepts every Stripe tool call from an AI agent, evaluates it against multiple guardrail layers (PII redaction, prompt injection detection, topic boundaries, HAI guardrails), runs a **Bedrock-powered policy evaluation**, then executes approved calls through the Stripe SDK with circuit breaker and idempotency protection.
## Architecture
```
AI Agent → Gateway API → Rate Limit → Guardrail Chain → HAI Guards → Local Policies → Bedrock Policy Eval → Stripe API
                              ↓                ↓              ↓                ↓                   ↓
                          429 error         blocked        blocked          blocked          approved → result
```
## Prerequisites
- AWS Bedrock access (for policy evaluation via Claude Sonnet)
- A Stripe account with API keys
- (Optional) Langfuse account for observability tracing
## Getting started
```bash
pnpm install
cp .env.example .env # fill in your API keys
pnpm dev # start Next.js dev server
pnpm test # run vitest with coverage
```
## API Reference
### `POST /api/gateway`
Submit a Stripe tool call for evaluation and execution.
**Request body:**
```json
{
  "toolCall": {
    "operation": "charge",
    "params": { "amount": 1000, "currency": "usd", "source": "tok_visa" },
    "idempotencyKey": "unique-key-123"
  },
  "authToken": "your-api-key",
  "tenantId": "tenant-1"
}
```
**Responses:** `200` (success), `202` (human approval required), `400` (validation error), `403` (blocked), `429` (rate limited), `500` (internal error).
### `POST /api/gateway/webhook`
Human approval callback endpoint.
**Request body:**
```json
{
  "operation": "charge",
  "params": { "amount": 100 },
  "approved": true,
  "approver": "admin@example.com"
}
```
## Environment Variables
| Variable | Required | Description |
|---|---|---|
| `AWS_REGION` | Yes | AWS region for Bedrock (e.g. `us-east-1`) |
| `AWS_ACCESS_KEY_ID` | Yes | AWS access key |
| `AWS_SECRET_ACCESS_KEY` | Yes | AWS secret key |
| `STRIPE_SECRET_KEY` | Yes | Stripe API secret key |
| `STRIPE_API_VERSION` | No | Stripe API version (default: `2025-02-24.acacia`) |
| `LANGFUSE_SECRET_KEY` | No | Langfuse secret key for observability |
| `LANGFUSE_PUBLIC_KEY` | No | Langfuse public key |
| `LANGFUSE_BASE_URL` | No | Langfuse base URL |
| `HUMAN_APPROVAL_WEBHOOK_URL` | No | Callback URL for human approval flow |
## Testing
```bash
pnpm test # runs vitest with coverage
pnpm vitest run --coverage # with verbose coverage output
pnpm typecheck # TypeScript type checking
pnpm lint # ESLint
```
Coverage is measured on `src/**/*.ts` and `app/**/route.ts` only (UI components excluded). Current thresholds: 90% on lines, branches, functions, and statements.
## Guardrail Policies
Configured via `src/constants.ts` `DEFAULT_POLICY_CONFIG`:
- `maxRefundAmount` — block refunds above this threshold (default: $500)
- `blockedOperations` — operations always denied
- `requiredApprovalOperations` — operations requiring human approval (refund, cancel_subscription, delete_customer)
- `piiFields` — fields redacted in logs (email, phone, address, name)
## Key Packages
| Package | Role |
|---|---|
| `@reaatech/guardrail-chain-guardrails` | PII redaction, injection detection, topic boundaries, cost precheck |
| `@reaatech/mcp-gateway-auth` | API key and JWT authentication |
| `@reaatech/mcp-gateway-rate-limit` | Per-tenant token bucket rate limiting |
| `@reaatech/circuit-breaker-agents` | Circuit breaker for Stripe operations |
| `@reaatech/idempotency-middleware` | Idempotency key deduplication |
| `@aws-sdk/client-bedrock-runtime` | Bedrock Converse API for policy evaluation |
| `@presidio-dev/hai-guardrails` | Injection, PII, and secret guardrails |
| `stripe` | Stripe payment API integration |
| `zod` | Request body validation |
| `langfuse` | LLM observability tracing |
## License
MIT — see [LICENSE](./LICENSE).