Everything you need to integrate Reglint's Layer 2 Agent Monitor into your AI pipeline — concepts, compliance rules, and webhook API.
Understand the Layer 2 Agent Monitor and the scan lifecycle.
Traditional compliance tools scan inputs (documents, code, forms). The Layer 2 Agent Monitor sits downstream of your AI agent and inspects the agent's output before it reaches the end user. It acts as a real-time compliance filter — catching PII, protected health information, and regulatory violations that a language model may inadvertently expose.
1. Agent Response: your AI agent generates a text response.
2. Reglint Scans: regex rules run against the output in milliseconds.
3. Decision: BLOCK · REDACT · ALERT · PASS.
4. User Sees Result: safe or redacted response delivered; violations logged.

The four decisions:
- BLOCK: the agent output is never delivered. The most severe violations (e.g. bare SSNs, credit card numbers) trigger this.
- REDACT: matched substrings are replaced with [REDACTED] and the sanitised response is delivered instead.
- ALERT: the response is delivered unchanged, but a compliance alert is emailed and logged in your Agents dashboard.
- PASS: the output is clean. The scan completes in milliseconds and the response is forwarded immediately.
Pass industry in your API call to focus Reglint on the regulations that matter most to you.
The industry field is optional but recommended. When set, Reglint prioritises the rule sets most relevant to your sector, improving signal quality and reducing noise.
Supported values:
- healthcare
- fintech
- privacy
- hr
- general

Add the industry field to your webhook payload:
```json
{
  "scan_id": "...",
  "customer_id": "usr_YOUR_ID",
  "agent_name": "MedicalAdvisorBot",
  "industry": "healthcare",
  "final_decision": "BLOCK",
  ...
}
```

Compliance rules are regex patterns paired with an enforcement action and severity level.
Each rule is a plain JavaScript / JSON object. Reglint evaluates rules in order of severity — critical first — and takes the highest-priority action that matches. A single scan can detect multiple violations.
Rules are maintained in your Lambda layer configuration and hot-reloaded on deploy. Contact support@reglint.ai or edit the rules file directly in your infrastructure repository to add, remove, or tune patterns.
Every rule must include these fields:
```javascript
// A single compliance rule object
const rule = {
  pattern: "\\b(?!000|666|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0000)\\d{4}\\b",
  violation_id: "SSN_EXPOSURE",
  law: "HIPAA § 164.514 / CCPA",
  description: "Social Security Number detected in agent output",
  action: "BLOCK", // "BLOCK" | "REDACT" | "ALERT"
  severity: "critical", // "critical" | "high" | "medium"
};
```

| Field | Type | Description |
|---|---|---|
| pattern | string (RegExp) | Regular expression source (no delimiters). Flags i and g are applied automatically. |
| violation_id | string | Unique machine-readable identifier. Appears in logs and dashboard. |
| law | string | The regulation this rule enforces — e.g. "HIPAA § 164.514", "GDPR Art. 9". |
| description | string | Human-readable explanation of what the rule catches. |
| action | "BLOCK" \| "REDACT" \| "ALERT" | Enforcement action when the pattern matches. |
| severity | "critical" \| "high" \| "medium" | Controls prioritisation when multiple rules fire. |
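As an added example (not Reglint's Lambda code), the evaluator below runs rule objects of the shape documented above against one agent response: critical rules first, every match recorded as a LambdaViolation-shaped object, and the highest-priority action becomes the final decision. The three patterns are taken from this page's example rules; their law, action and severity assignments, the rank tables and the function names are assumptions.

```javascript
// Added example, not Reglint's Lambda code: evaluate rule objects of the
// documented shape against one agent response and derive the final decision.
const SEVERITY_RANK = { critical: 3, high: 2, medium: 1 };
const ACTION_RANK = { BLOCK: 3, REDACT: 2, ALERT: 1, PASS: 0 };

// Patterns come from this page's example rules; law/action/severity assumed.
const RULES = [
  { pattern: "\\b\\d{3}-\\d{2}-\\d{4}\\b", violation_id: "SSN_EXPOSURE",
    law: "HIPAA § 164.514 / CCPA", description: "bare Social Security Number",
    action: "BLOCK", severity: "critical" },
  { pattern: "\\b(\\+1[\\s.-]?)?\\(?\\d{3}\\)?[\\s.-]?\\d{3}[\\s.-]?\\d{4}\\b",
    violation_id: "US_PHONE", law: "CCPA", description: "US phone formats",
    action: "REDACT", severity: "high" },
  { pattern: "MRN[:\\s#]*\\d{5,10}", violation_id: "MRN_REFERENCE",
    law: "HIPAA § 164.514", description: "Medical Record Number reference",
    action: "ALERT", severity: "medium" },
];

function scanOutput(text, rules = RULES) {
  // Critical rules run first; every match is recorded, not just the first.
  const ordered = [...rules].sort(
    (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  const violations = [];
  let redacted = text;
  for (const rule of ordered) {
    const re = new RegExp(rule.pattern, "gi"); // flags i and g, as documented
    for (const m of text.matchAll(re)) {
      violations.push({ violation_id: rule.violation_id, law: rule.law,
        description: rule.description, violating_text: m[0],
        action: rule.action, severity: rule.severity });
    }
    // ALERT leaves the text alone; BLOCK/REDACT matches are masked.
    if (rule.action !== "ALERT") redacted = redacted.replace(re, "[REDACTED]");
  }
  // The highest-priority action among all matches wins; PASS if none fired.
  const final_decision = violations.reduce(
    (best, v) => (ACTION_RANK[v.action] > ACTION_RANK[best] ? v.action : best), "PASS");
  return {
    final_decision, violations_count: violations.length, violations,
    original_output: text, redacted_output: redacted,
    // What the end user may see: nothing on BLOCK, masked text on REDACT,
    // the original on ALERT or PASS.
    deliverable: final_decision === "BLOCK" ? null
      : final_decision === "REDACT" ? redacted : text,
  };
}
```

The returned object carries the same field names as the webhook payload documented below, so it can be forwarded after adding scan_id, customer_id and agent_name.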
BLOCK rules: use when exposure of any kind is unacceptable.
- `\b\d{3}-\d{2}-\d{4}\b`: bare Social Security Number
- `\b(?:4\d{12}(?:\d{3})?|5[1-5]\d{14})\b`: Luhn-valid card numbers

REDACT rules: use when the response is still useful after masking the sensitive token.
- `\b(0?[1-9]|1[0-2])[\/\-](0?[1-9]|[12]\d|3[01])[\/\-](\d{2}|\d{4})\b`: MM/DD/YYYY or MM-DD-YY
- `\b(\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b`: US phone formats

ALERT rules: use when you need visibility but the data is low-risk or contextually acceptable.
- `MRN[:\s#]*\d{5,10}`: Medical Record Number reference
- `\b[A-Z]\d{2}(?:\.\d{1,2})?\b`: ICD-10 diagnostic codes

Send scan results from your agent infrastructure directly to Reglint.
1. Obtain your webhook secret (AGENT_MONITOR_SECRET). Store it as an environment variable in your agent host — never hard-code it.
2. Configure the endpoint. POST to https://reglint.ai/api/agent-monitor/webhook with the header x-reglint-secret: <your-secret>.
3. Build the payload following the WebhookPayload interface below. The four required fields are scan_id, customer_id, agent_name, and final_decision. All other fields are optional but recommended for full dashboard visibility.
4. Handle the response. A successful call returns { "received": true, "id": "agv_..." }. The endpoint is idempotent on scan_id — retrying a duplicate payload with the same ID will update mutable fields without creating a duplicate record.

TypeScript interface — all optional fields are marked with ?.
```typescript
// Full WebhookPayload shape (TypeScript)
interface LambdaViolation {
  violation_id?: string; // e.g. "SSN_EXPOSURE"
  type?: string; // legacy alias for violation_id
  law?: string; // e.g. "HIPAA § 164.514"
  description?: string;
  violating_text?: string; // the exact matched substring
  action?: string; // BLOCK | REDACT | ALERT
  severity?: string; // critical | high | medium
}

interface WebhookPayload {
  scan_id: string; // unique scan UUID (idempotency key)
  customer_id: string; // your Reglint user ID
  agent_name: string; // human-readable agent label
  industry?: string; // e.g. "healthcare", "finance"
  final_decision: string; // "BLOCK" | "REDACT" | "ALERT" | "PASS"
  violations_count: number;
  violations: LambdaViolation[];
  original_output?: string; // raw agent text before redaction
  redacted_output?: string; // text with PII replaced by [REDACTED]
  agent_endpoint?: string; // URL of the calling agent (optional)
  processing_time_ms?: number; // scan duration
}
```

Using the native fetch API (Node 18+, browser, Deno, Bun).
```javascript
// JavaScript — send a scan result to Reglint
const payload = {
  // Web Crypto global; on older Node use: import { randomUUID } from "node:crypto"
  scan_id: crypto.randomUUID(),
  customer_id: "usr_YOUR_REGLINT_USER_ID",
  agent_name: "MedicalAdvisorBot",
  industry: "healthcare",
  final_decision: "BLOCK",
  violations_count: 1,
  violations: [
    {
      violation_id: "SSN_EXPOSURE",
      law: "HIPAA § 164.514",
      description: "SSN detected in agent response",
      violating_text: "123-45-6789",
      action: "BLOCK",
      severity: "critical",
    },
  ],
  original_output: "Your SSN is 123-45-6789, here is your summary…",
  redacted_output: "Your SSN is [REDACTED], here is your summary…",
  processing_time_ms: 42,
};

const res = await fetch(
  "https://reglint.ai/api/agent-monitor/webhook",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "x-reglint-secret": process.env.REGLINT_WEBHOOK_SECRET,
    },
    body: JSON.stringify(payload),
  }
);

if (!res.ok) {
  // 400 = missing required field, 401 = bad secret, 5xx = retry with back-off
  throw new Error(`Reglint webhook failed with status ${res.status}`);
}

const data = await res.json();
// { received: true, id: "agv_..." }
console.log(data);
```

Using the requests library.
```python
# Python — send a scan result to Reglint
import os
import uuid

import requests

payload = {
    "scan_id": str(uuid.uuid4()),
    "customer_id": "usr_YOUR_REGLINT_USER_ID",
    "agent_name": "MedicalAdvisorBot",
    "industry": "healthcare",
    "final_decision": "BLOCK",
    "violations_count": 1,
    "violations": [
        {
            "violation_id": "SSN_EXPOSURE",
            "law": "HIPAA § 164.514",
            "description": "SSN detected in agent response",
            "violating_text": "123-45-6789",
            "action": "BLOCK",
            "severity": "critical",
        }
    ],
    "original_output": "Your SSN is 123-45-6789, here is your summary…",
    "redacted_output": "Your SSN is [REDACTED], here is your summary…",
    "processing_time_ms": 42,
}

response = requests.post(
    "https://reglint.ai/api/agent-monitor/webhook",
    json=payload,
    headers={
        "x-reglint-secret": os.environ["REGLINT_WEBHOOK_SECRET"],
    },
    timeout=10,
)
# Raise on 400 (missing field), 401 (bad secret) or 5xx (retry with back-off)
response.raise_for_status()

data = response.json()
# {'received': True, 'id': 'agv_...'}
print(data)
```

| Status | Meaning |
|---|---|
| 200 OK | Payload received and stored (or idempotent duplicate). |
| 400 Bad Request | Missing required fields: scan_id, customer_id, agent_name, or final_decision. |
| 401 Unauthorized | The x-reglint-secret header is missing or does not match. |
| 500 Internal Server Error | Unexpected server error — retry with exponential back-off. |
Implementation tip
Generate a fresh scan_id (UUID v4) for every unique scan. If your infrastructure retries on failure, reuse the same scan_id — Reglint will upsert rather than duplicate. Use a queue (SQS, RabbitMQ) to buffer webhooks and retry on 5xx with exponential back-off.
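An added example (not Reglint's own client code) of the delivery pattern the tip describes: validate the four required fields up front, retry only on 5xx with exponential back-off, keep the same scan_id on every attempt so the endpoint upserts, and stop immediately on 4xx. The fake fetch, the option names and the helper functions are constructed for illustration.

```javascript
// Added example, not Reglint's client code: deliver one scan result with
// retries only on 5xx, exponential back-off, and a fixed scan_id so retries
// upsert instead of creating duplicate records.
const WEBHOOK_URL = "https://reglint.ai/api/agent-monitor/webhook";

// 5xx is worth retrying; 400/401 mean the payload or secret is wrong and
// repeating the same request would only repeat the same failure.
function shouldRetry(status) {
  return status >= 500 && status <= 599;
}

// 100 ms, 200 ms, 400 ms, ... capped so an outage cannot stall the queue.
function backoffDelayMs(attempt, baseMs = 100, capMs = 5000) {
  return Math.min(capMs, baseMs * 2 ** attempt);
}

async function sendScanResult(payload, opts = {}) {
  const { fetchImpl = fetch, secret = process.env.REGLINT_WEBHOOK_SECRET,
    maxAttempts = 4, baseMs = 100,
    sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = opts;
  for (const f of ["scan_id", "customer_id", "agent_name", "final_decision"]) {
    if (!payload[f]) throw new Error(`missing required field ${f}`); // avoids a 400
  }
  let status = 0;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await fetchImpl(WEBHOOK_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json", "x-reglint-secret": secret },
      body: JSON.stringify(payload), // same scan_id on every attempt
    });
    status = res.status;
    if (res.ok) return { ok: true, attempts: attempt + 1, id: (await res.json()).id };
    if (!shouldRetry(status)) return { ok: false, attempts: attempt + 1, status };
    await sleep(backoffDelayMs(attempt, baseMs));
  }
  return { ok: false, attempts: maxAttempts, status };
}

// Constructed stand-in for the endpoint: answers 500 `failures` times, then 200.
function makeFlakyFetch(failures) {
  let calls = 0;
  return async (_url, init) => {
    if (++calls <= failures) return { ok: false, status: 500, json: async () => ({}) };
    const { scan_id } = JSON.parse(init.body);
    return { ok: true, status: 200, json: async () => ({ received: true, id: "agv_" + scan_id }) };
  };
}
```

In production pass no fetchImpl so the real fetch is used; a queue worker would call sendScanResult once per dequeued message and re-enqueue only when the result is not ok and the status is 5xx.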
Reglint Layer 2 Agent Monitor — Developer Docs