@1claw/sdk 0.15.2 → 0.15.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/README.md +59 -3
  2. package/dist/generated/api-types.d.ts +239 -7
  3. package/dist/generated/api-types.d.ts.map +1 -1
  4. package/dist/index.d.ts +1 -1
  5. package/dist/index.d.ts.map +1 -1
  6. package/dist/resources/agents.d.ts +7 -1
  7. package/dist/resources/agents.d.ts.map +1 -1
  8. package/dist/resources/agents.js +8 -0
  9. package/dist/resources/agents.js.map +1 -1
  10. package/dist/resources/billing.d.ts +11 -2
  11. package/dist/resources/billing.d.ts.map +1 -1
  12. package/dist/resources/billing.js +17 -1
  13. package/dist/resources/billing.js.map +1 -1
  14. package/dist/types.d.ts +44 -1
  15. package/dist/types.d.ts.map +1 -1
  16. package/package.json +1 -1
package/README.md CHANGED
@@ -73,11 +73,11 @@ await client.auth.google({ id_token: "..." });
73
73
  | `client.vault` | `create`, `get`, `list`, `delete` |
74
74
  | `client.secrets` | `set`, `get`, `delete`, `list`, `rotate` |
75
75
  | `client.access` | `grantHuman`, `grantAgent`, `update`, `revoke`, `listGrants` |
76
- | `client.agents` | `create`, `getSelf`, `get`, `list`, `update`, `delete`, `rotateKey`, `submitTransaction`, `getTransaction`, `listTransactions`, `simulateTransaction`, `simulateBundle` |
76
+ | `client.agents` | `create`, `getSelf`, `get`, `list`, `update`, `delete`, `rotateKey`, `submitTransaction`, `signTransaction`, `getTransaction`, `listTransactions`, `simulateTransaction`, `simulateBundle` |
77
77
  | `client.chains` | `list`, `get`, `adminList`, `create`, `update`, `delete` |
78
78
  | `client.sharing` | `create`, `access`, `listOutbound`, `listInbound`, `accept`, `decline`, `revoke` |
79
79
  | `client.approvals` | `request`, `list`, `approve`, `deny`, `check`, `subscribe` |
80
- | `client.billing` | `usage`, `history` |
80
+ | `client.billing` | `usage`, `history`, `llmTokenBilling`, `subscribeLlmTokenBilling`, `disableLlmTokenBilling` (LLM token billing / Stripe AI Gateway) |
81
81
  | `client.audit` | `query` |
82
82
  | `client.org` | `listMembers`, `getAgentKeysVault`, `updateMemberRole`, `removeMember` |
83
83
  | `client.auth` | `login`, `signup`, `agentToken`, `apiKeyToken`, `google`, `changePassword`, `logout`, `getMe`, `updateMe`, `deleteMe` |
@@ -191,6 +191,26 @@ The backend fetches the signing key from the vault, signs the EIP-155 transactio
191
191
 
192
192
  The SDK automatically generates an `Idempotency-Key` header (UUID v4) on each `submitTransaction` call, providing replay protection. Duplicate requests within 24 hours return the cached response instead of re-signing.
193
193
 
194
+ ### Sign-only mode (BYORPC)
195
+
196
+ Use `signTransaction` when you want the server to sign but **not** broadcast — for example, to submit via your own RPC (Flashbots, MEV protection, custom relayers):
197
+
198
+ ```typescript
199
+ const signRes = await client.agents.signTransaction(agentId, {
200
+ to: "0x000000000000000000000000000000000000dEaD",
201
+ value: "0.01",
202
+ chain: "base",
203
+ });
204
+
205
+ console.log(signRes.data?.signed_tx); // raw signed tx hex
206
+ console.log(signRes.data?.tx_hash); // precomputed keccak hash
207
+ console.log(signRes.data?.from); // derived sender address
208
+
209
+ // Broadcast yourself via ethers, viem, or raw JSON-RPC
210
+ ```
211
+
212
+ All agent guardrails (allowlists, value caps, daily limits) are enforced exactly as for submit. The transaction is recorded for audit and daily-limit tracking with `status: "sign_only"`.
213
+
194
214
  Key properties:
195
215
 
196
216
  - **Disabled by default** — a human must explicitly enable per-agent
@@ -318,6 +338,11 @@ const { data } = await client.agents.create({
318
338
  pii_policy: "redact", // block | redact | warn | allow
319
339
  injection_threshold: 0.7,
320
340
 
341
+ // Model restrictions
342
+ allowed_models: ["gpt-4o-mini", "claude-sonnet-4"], // Whitelist specific models
343
+ denied_models: ["gpt-3.5-turbo"], // Blacklist models
344
+ allowed_providers: ["openai", "anthropic"], // Restrict providers
345
+
321
346
  // Threat detection
322
347
  unicode_normalization: {
323
348
  enabled: true,
@@ -351,10 +376,41 @@ await client.agents.update(agentId, {
351
376
  shroud_config: {
352
377
  command_injection_detection: { enabled: true, action: "block" },
353
378
  social_engineering_detection: { enabled: true, action: "block" },
379
+ allowed_models: ["gpt-4o-mini"], // Restrict to cost-effective models
354
380
  },
355
381
  });
356
382
  ```
357
383
 
384
+ ### Specifying Models in Requests
385
+
386
+ When making LLM requests to Shroud, specify the model in one of two ways:
387
+
388
+ **Option 1: Header**
389
+ ```typescript
390
+ const res = await fetch("https://shroud.1claw.xyz/v1/chat/completions", {
391
+ method: "POST",
392
+ headers: {
393
+ "X-Shroud-Agent-Key": `${agentId}:${agentApiKey}`,
394
+ "X-Shroud-Provider": "openai",
395
+ "X-Shroud-Model": "gpt-4o-mini", // ← Model in header
396
+ "Content-Type": "application/json",
397
+ },
398
+ body: JSON.stringify({
399
+ messages: [{ role: "user", content: "Hello" }],
400
+ }),
401
+ });
402
+ ```
403
+
404
+ **Option 2: Request Body** (for OpenAI-style providers)
405
+ ```typescript
406
+ body: JSON.stringify({
407
+ model: "gpt-4o-mini", // ← Model in body
408
+ messages: [{ role: "user", content: "Hello" }],
409
+ })
410
+ ```
411
+
412
+ Shroud enforces the agent's `allowed_models` and `denied_models` restrictions automatically — requests using unauthorized models return **403 Forbidden**.
413
+
358
414
  See the [Shroud Security Guide](https://docs.1claw.xyz/docs/guides/shroud) for full configuration options.
359
415
 
360
416
  ## OpenAPI Types
@@ -369,7 +425,7 @@ type Vault = ApiSchemas["VaultResponse"];
369
425
  type Agent = ApiSchemas["AgentResponse"];
370
426
  ```
371
427
 
372
- Regenerate types after spec changes: `npm run generate`
428
+ Regenerate types after spec changes (from the monorepo): `cd packages/sdk && npm run generate` — reads [`../openapi-spec/openapi.yaml`](../openapi-spec/openapi.yaml) via `openapi-typescript`.
373
429
 
374
430
  ## MCP Integration (AI Agents)
375
431
 
package/dist/generated/api-types.d.ts CHANGED
@@ -735,6 +735,32 @@ export interface paths {
735
735
  patch?: never;
736
736
  trace?: never;
737
737
  };
738
+ "/v1/agents/{agent_id}/transactions/sign": {
739
+ parameters: {
740
+ query?: never;
741
+ header?: never;
742
+ path?: never;
743
+ cookie?: never;
744
+ };
745
+ get?: never;
746
+ put?: never;
747
+ /**
748
+ * Sign a transaction without broadcasting
749
+ * @description Signs a transaction inside the server (or TEE when using Shroud) but does
750
+ * **not** broadcast it. The caller receives the raw `signed_tx` hex and
751
+ * `tx_hash` so it can submit to any RPC of its choosing.
752
+ *
753
+ * All agent guardrails (allowlists, value caps, daily limits) are enforced
754
+ * exactly as for the submit endpoint. The signed transaction is recorded for
755
+ * audit and daily-limit tracking with `status: "sign_only"`.
756
+ */
757
+ post: operations["signTransaction"];
758
+ delete?: never;
759
+ options?: never;
760
+ head?: never;
761
+ patch?: never;
762
+ trace?: never;
763
+ };
738
764
  "/v1/agents/{agent_id}/transactions/simulate": {
739
765
  parameters: {
740
766
  query?: never;
@@ -1150,6 +1176,66 @@ export interface paths {
1150
1176
  patch?: never;
1151
1177
  trace?: never;
1152
1178
  };
1179
+ "/v1/billing/llm-token-billing": {
1180
+ parameters: {
1181
+ query?: never;
1182
+ header?: never;
1183
+ path?: never;
1184
+ cookie?: never;
1185
+ };
1186
+ /**
1187
+ * Get LLM token billing status
1188
+ * @description Returns whether LLM token billing is enabled for the caller's org.
1189
+ */
1190
+ get: operations["getLlmTokenBilling"];
1191
+ put?: never;
1192
+ post?: never;
1193
+ delete?: never;
1194
+ options?: never;
1195
+ head?: never;
1196
+ patch?: never;
1197
+ trace?: never;
1198
+ };
1199
+ "/v1/billing/llm-token-billing/subscribe": {
1200
+ parameters: {
1201
+ query?: never;
1202
+ header?: never;
1203
+ path?: never;
1204
+ cookie?: never;
1205
+ };
1206
+ get?: never;
1207
+ put?: never;
1208
+ /**
1209
+ * Subscribe to LLM token billing
1210
+ * @description Creates a Stripe Checkout session for the LLM token billing pricing plan. Returns a checkout URL to redirect the user. After the user completes checkout, a webhook activates LLM billing for the org.
1211
+ */
1212
+ post: operations["subscribeLlmTokenBilling"];
1213
+ delete?: never;
1214
+ options?: never;
1215
+ head?: never;
1216
+ patch?: never;
1217
+ trace?: never;
1218
+ };
1219
+ "/v1/billing/llm-token-billing/disable": {
1220
+ parameters: {
1221
+ query?: never;
1222
+ header?: never;
1223
+ path?: never;
1224
+ cookie?: never;
1225
+ };
1226
+ get?: never;
1227
+ put?: never;
1228
+ /**
1229
+ * Disable LLM token billing
1230
+ * @description Disables LLM token billing for the org and cancels all active Stripe subscriptions for the LLM pricing plan. Agents will fall back to direct provider routing. You can re-enable it at any time.
1231
+ */
1232
+ post: operations["disableLlmTokenBilling"];
1233
+ delete?: never;
1234
+ options?: never;
1235
+ head?: never;
1236
+ patch?: never;
1237
+ trace?: never;
1238
+ };
1153
1239
  "/v1/billing/overage-method": {
1154
1240
  parameters: {
1155
1241
  query?: never;
@@ -1553,8 +1639,11 @@ export interface components {
1553
1639
  refresh_token?: string;
1554
1640
  };
1555
1641
  AgentTokenRequest: {
1556
- /** Format: uuid */
1557
- agent_id: string;
1642
+ /**
1643
+ * Format: uuid
1644
+ * @description Optional when using key-only auth (ocv_ keys auto-resolve agent)
1645
+ */
1646
+ agent_id?: string;
1558
1647
  api_key: string;
1559
1648
  };
1560
1649
  UserApiKeyTokenRequest: {
@@ -2187,6 +2276,48 @@ export interface components {
2187
2276
  max_priority_fee_per_gas?: string;
2188
2277
  /** @default false */
2189
2278
  simulate_first: boolean;
2279
+ /**
2280
+ * @description Transaction mode
2281
+ * @default eoa
2282
+ * @enum {string}
2283
+ */
2284
+ mode: "eoa" | "smart_account";
2285
+ };
2286
+ SignTransactionRequest: {
2287
+ /** @description Destination address (0x-prefixed) */
2288
+ to: string;
2289
+ /** @description Value in ETH */
2290
+ value: string;
2291
+ /** @description Chain name or numeric ID */
2292
+ chain: string;
2293
+ /** @description Hex-encoded calldata */
2294
+ data?: string;
2295
+ signing_key_path?: string;
2296
+ nonce?: number;
2297
+ gas_price?: string;
2298
+ gas_limit?: number;
2299
+ max_fee_per_gas?: string;
2300
+ max_priority_fee_per_gas?: string;
2301
+ /** @default false */
2302
+ simulate_first: boolean;
2303
+ };
2304
+ SignTransactionResponse: {
2305
+ /** @description Raw signed transaction hex (always included) */
2306
+ signed_tx?: string;
2307
+ tx_hash?: string;
2308
+ /** @description Derived sender address */
2309
+ from?: string;
2310
+ to?: string;
2311
+ chain?: string;
2312
+ chain_id?: number;
2313
+ nonce?: number;
2314
+ value_wei?: string;
2315
+ /** @enum {string} */
2316
+ status?: "sign_only";
2317
+ simulation_id?: string;
2318
+ simulation_status?: string;
2319
+ max_fee_per_gas?: string;
2320
+ max_priority_fee_per_gas?: string;
2190
2321
  };
2191
2322
  SimulateTransactionRequest: {
2192
2323
  to: string;
@@ -2209,8 +2340,8 @@ export interface components {
2209
2340
  to?: string;
2210
2341
  value_wei?: string;
2211
2342
  /** @enum {string} */
2212
- status?: "pending" | "signed" | "broadcast" | "failed" | "simulation_failed";
2213
- /** @description Raw signed transaction hex. Omitted (null) by default to reduce exfiltration risk. Pass `include_signed_tx=true` query param on GET endpoints to include it. Always returned on the initial POST submission response. */
2343
+ status?: "pending" | "signed" | "sign_only" | "broadcast" | "failed" | "simulation_failed";
2344
+ /** @description Raw signed transaction hex. On GET list and GET by id, this property is omitted by default (absent from the response). Pass `include_signed_tx=true` on those endpoints to include it. Always present on the initial POST submit response. */
2214
2345
  signed_tx?: string | null;
2215
2346
  tx_hash?: string;
2216
2347
  error_message?: string;
@@ -2451,6 +2582,18 @@ export interface components {
2451
2582
  used?: number;
2452
2583
  limit?: number;
2453
2584
  };
2585
+ LlmTokenBillingStatus: {
2586
+ enabled?: boolean;
2587
+ /** @enum {string} */
2588
+ subscription_status?: "active" | "inactive";
2589
+ };
2590
+ LlmCheckoutResponse: {
2591
+ /** Format: uri */
2592
+ checkout_url?: string;
2593
+ };
2594
+ LlmDisableResponse: {
2595
+ enabled?: boolean;
2596
+ };
2454
2597
  CreditBalanceResponse: {
2455
2598
  balance_cents?: number;
2456
2599
  balance_usd?: string;
@@ -2721,7 +2864,7 @@ export interface components {
2721
2864
  SecretPath: string;
2722
2865
  AgentId: string;
2723
2866
  PolicyId: string;
2724
- /** @description Set to `true` or `1` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk. Only the literal values "true" or "1" enable inclusion; any other value or omission returns responses without signed_tx. */
2867
+ /** @description Set to `true` or `1` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk. Only the literal values "true" or "1" enable inclusion; any other value or omission returns responses without signed_tx. Applies to GET /v1/agents/{agent_id}/transactions and GET /v1/agents/{agent_id}/transactions/{tx_id}. */
2725
2868
  IncludeSignedTx: boolean;
2726
2869
  };
2727
2870
  requestBodies: never;
@@ -3986,7 +4129,7 @@ export interface operations {
3986
4129
  listTransactions: {
3987
4130
  parameters: {
3988
4131
  query?: {
3989
- /** @description Set to `true` or `1` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk. Only the literal values "true" or "1" enable inclusion; any other value or omission returns responses without signed_tx. */
4132
+ /** @description Set to `true` or `1` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk. Only the literal values "true" or "1" enable inclusion; any other value or omission returns responses without signed_tx. Applies to GET /v1/agents/{agent_id}/transactions and GET /v1/agents/{agent_id}/transactions/{tx_id}. */
3990
4133
  include_signed_tx?: components["parameters"]["IncludeSignedTx"];
3991
4134
  };
3992
4135
  header?: never;
@@ -4069,7 +4212,7 @@ export interface operations {
4069
4212
  getTransaction: {
4070
4213
  parameters: {
4071
4214
  query?: {
4072
- /** @description Set to `true` or `1` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk. Only the literal values "true" or "1" enable inclusion; any other value or omission returns responses without signed_tx. */
4215
+ /** @description Set to `true` or `1` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk. Only the literal values "true" or "1" enable inclusion; any other value or omission returns responses without signed_tx. Applies to GET /v1/agents/{agent_id}/transactions and GET /v1/agents/{agent_id}/transactions/{tx_id}. */
4073
4216
  include_signed_tx?: components["parameters"]["IncludeSignedTx"];
4074
4217
  };
4075
4218
  header?: never;
@@ -4093,6 +4236,35 @@ export interface operations {
4093
4236
  404: components["responses"]["NotFound"];
4094
4237
  };
4095
4238
  };
4239
+ signTransaction: {
4240
+ parameters: {
4241
+ query?: never;
4242
+ header?: never;
4243
+ path: {
4244
+ agent_id: components["parameters"]["AgentId"];
4245
+ };
4246
+ cookie?: never;
4247
+ };
4248
+ requestBody: {
4249
+ content: {
4250
+ "application/json": components["schemas"]["SignTransactionRequest"];
4251
+ };
4252
+ };
4253
+ responses: {
4254
+ /** @description Transaction signed successfully (not broadcast) */
4255
+ 200: {
4256
+ headers: {
4257
+ [name: string]: unknown;
4258
+ };
4259
+ content: {
4260
+ "application/json": components["schemas"]["SignTransactionResponse"];
4261
+ };
4262
+ };
4263
+ 400: components["responses"]["BadRequest"];
4264
+ 402: components["responses"]["PaymentRequired"];
4265
+ 403: components["responses"]["Forbidden"];
4266
+ };
4267
+ };
4096
4268
  simulateTransaction: {
4097
4269
  parameters: {
4098
4270
  query?: never;
@@ -4726,6 +4898,66 @@ export interface operations {
4726
4898
  };
4727
4899
  };
4728
4900
  };
4901
+ getLlmTokenBilling: {
4902
+ parameters: {
4903
+ query?: never;
4904
+ header?: never;
4905
+ path?: never;
4906
+ cookie?: never;
4907
+ };
4908
+ requestBody?: never;
4909
+ responses: {
4910
+ /** @description LLM token billing status */
4911
+ 200: {
4912
+ headers: {
4913
+ [name: string]: unknown;
4914
+ };
4915
+ content: {
4916
+ "application/json": components["schemas"]["LlmTokenBillingStatus"];
4917
+ };
4918
+ };
4919
+ };
4920
+ };
4921
+ subscribeLlmTokenBilling: {
4922
+ parameters: {
4923
+ query?: never;
4924
+ header?: never;
4925
+ path?: never;
4926
+ cookie?: never;
4927
+ };
4928
+ requestBody?: never;
4929
+ responses: {
4930
+ /** @description Stripe Checkout URL */
4931
+ 200: {
4932
+ headers: {
4933
+ [name: string]: unknown;
4934
+ };
4935
+ content: {
4936
+ "application/json": components["schemas"]["LlmCheckoutResponse"];
4937
+ };
4938
+ };
4939
+ };
4940
+ };
4941
+ disableLlmTokenBilling: {
4942
+ parameters: {
4943
+ query?: never;
4944
+ header?: never;
4945
+ path?: never;
4946
+ cookie?: never;
4947
+ };
4948
+ requestBody?: never;
4949
+ responses: {
4950
+ /** @description LLM billing disabled */
4951
+ 200: {
4952
+ headers: {
4953
+ [name: string]: unknown;
4954
+ };
4955
+ content: {
4956
+ "application/json": components["schemas"]["LlmDisableResponse"];
4957
+ };
4958
+ };
4959
+ };
4960
+ };
4729
4961
  billingOverageMethod: {
4730
4962
  parameters: {
4731
4963
  query?: never;