@atbash/sdk 0.3.4 → 0.3.6

package/README.md

@@ -119,8 +119,6 @@ interface JudgeOptions {
   endpoint?: string;          // API base URL (default: https://atbash.ai)
   timeout?: number;           // Request timeout in ms
   provider?: string;          // "openai" | "google" | "microsoft" | "custom"
-  apiKey?: string;            // API key for the AI provider
-  providerEndpoint?: string;  // Endpoint for microsoft/custom providers
   model?: string;             // Model override (e.g. "gpt-4o-mini")
   toolName?: string;          // Tool name for audit trail
   toolArgsJson?: string;      // Tool arguments JSON for audit trail
@@ -128,8 +126,8 @@ interface JudgeOptions {
 }
 
 interface ChainOpts {
-  nodeUrls?: string[];        // Chromia node URLs (defaults to testnet)
-  blockchainRid?: string;     // Blockchain RID (defaults to testnet)
+  nodeUrls?: string[];        // Chromia node URLs (uses the default  nodeurls)
+  blockchainRid?: string;     // Blockchain RID (uses the default chromia rid)
 }
 
 interface JudgeResult {
@@ -227,10 +225,9 @@ const result = await judgeAction(action, context, auth, {
   endpoint: "https://your-instance.example.com",
 });
 
-// Custom provider
+// Custom provider (API keys are saved in the dashboard, not passed here)
 const result = await judgeAction(action, context, auth, {
   provider: "openai",
-  apiKey: process.env.OPENAI_API_KEY,
   model: "gpt-4o",
 });
 
@@ -290,7 +287,7 @@ API error 404: {"error":"Agent not registered..."}
 | `Agent is jailed` | BLOCK verdict triggered auto-jail (Enforcement tier) | [atbash.ai/risk-engine/agents](https://atbash.ai/risk-engine/agents) |
 | `Org tier does not support verdicts` | Org is on Audit tier | [atbash.ai/risk-engine/settings](https://atbash.ai/risk-engine/settings) |
 | `API error 400: action is required` | Empty action string | Fix caller |
-| `API error 502: Incorrect API key` | Invalid provider API key | Check `apiKey` in `JudgeOptions` |
+| `API error 502: Incorrect API key` | Invalid provider API key | Check saved key at [atbash.ai/risk-engine/settings](https://atbash.ai/risk-engine/settings) |
 
 ```ts
 try {

package/dist/index.cjs

@@ -110,6 +110,25 @@ function generateToolCallId() {
   const rand = (0, import_crypto.randomBytes)(4).toString("hex");
   return `tc-${ts}-${rand}`;
 }
+async function buildSignedTx(opName, args, auth, chainOpts) {
+  const nodeUrls = chainOpts?.nodeUrls ?? DEFAULT_CHROMIA_NODE_URLS;
+  const blockchainRid = chainOpts?.blockchainRid ?? DEFAULT_BLOCKCHAIN_RID;
+  const client = await createClient({ nodeUrlPool: nodeUrls, blockchainRid });
+  const privKeyBuf = Buffer.from(auth.privkey, "hex");
+  const keyPair = encryption.makeKeyPair(privKeyBuf);
+  const sigProvider = newSignatureProvider({
+    privKey: keyPair.privKey,
+    pubKey: keyPair.pubKey
+  });
+  const signed = await client.signTransaction(
+    {
+      operations: [{ name: opName, args }],
+      signers: [keyPair.pubKey]
+    },
+    sigProvider
+  );
+  return Buffer.from(signed).toString("hex");
+}
 async function checkAgentExists(pubkey, opts) {
   const url = `${baseUrl(opts)}/api/ai/exists?pubkey=${encodeURIComponent(pubkey)}`;
   const data = await getJson(url, opts);
@@ -125,38 +144,25 @@ async function logToolCall(action, context, auth, chainOpts, extra, clientOpts)
     };
   }
   try {
-    const nodeUrls = chainOpts?.nodeUrls ?? DEFAULT_CHROMIA_NODE_URLS;
-    const blockchainRid = chainOpts?.blockchainRid ?? DEFAULT_BLOCKCHAIN_RID;
-    const client = await createClient({
-      nodeUrlPool: nodeUrls,
-      blockchainRid
-    });
-    const privKeyBuf = Buffer.from(auth.privkey, "hex");
-    const keyPair = encryption.makeKeyPair(privKeyBuf);
-    const sigProvider = newSignatureProvider({
-      privKey: keyPair.privKey,
-      pubKey: keyPair.pubKey
-    });
     const toolCallId = generateToolCallId();
-    await client.signAndSendUniqueTransaction(
-      {
-        name: "log_tool_call",
-        args: [
-          toolCallId,
-          action,
-          context || "",
-          extra?.toolName || "",
-          extra?.toolArgsJson || ""
-        ]
-      },
-      sigProvider
+    const signedHex = await buildSignedTx(
+      "log_tool_call",
+      [
+        toolCallId,
+        action,
+        context || "",
+        extra?.toolName || "",
+        extra?.toolArgsJson || ""
+      ],
+      auth,
+      chainOpts
     );
-    return { success: true, toolCallId };
+    return { success: true, toolCallId, signedHex };
   } catch (err) {
     return {
       success: false,
       toolCallId: null,
-      error: err instanceof Error ? err.message : "Failed to log tool call on-chain"
+      error: err instanceof Error ? err.message : "Failed to sign log_tool_call"
     };
   }
 }
@@ -220,7 +226,7 @@ async function getJson(url, opts) {
   }
   return resp.json();
 }
-async function judgeAction(action, context, auth, opts) {
+async function judgeAction(action, context = "", auth, opts) {
   if (!action || !action.trim()) {
     throw new Error("action is required and cannot be empty.");
   }
@@ -232,25 +238,32 @@ async function judgeAction(action, context, auth, opts) {
     { toolName: opts?.toolName, toolArgsJson: opts?.toolArgsJson },
     opts
   );
-  if (!logResult.success || !logResult.toolCallId) {
-    throw new Error(logResult.error || "Failed to log tool call on-chain");
+  if (!logResult.success || !logResult.toolCallId || !logResult.signedHex) {
+    throw new Error(logResult.error || "Failed to sign log_tool_call");
+  }
+  let signedJudgeActionHex;
+  if (!opts?.provider) {
+    const judgmentId = generateToolCallId();
+    signedJudgeActionHex = await buildSignedTx(
+      "judge_action",
+      [judgmentId, action, context || "", ""],
+      auth,
+      opts?.chainOpts
+    );
   }
   const url = `${baseUrl(opts)}/api/v1/judge`;
-  const data = await postJson(
-    url,
-    {
-      tool_call_id: logResult.toolCallId,
-      agent_pubkey: auth.pubkey,
-      action,
-      ...context && { context },
-      ...opts?.provider && { provider: opts.provider },
-      ...opts?.toolName && { tool_name: opts.toolName },
-      ...opts?.apiKey && { api_key: opts.apiKey },
-      ...opts?.providerEndpoint && { endpoint_url: opts.providerEndpoint },
-      ...opts?.model && { model: opts.model }
-    },
-    opts
-  );
+  const body = {
+    tool_call_id: logResult.toolCallId,
+    agent_pubkey: auth.pubkey,
+    action,
+    signed_log_tool_call: logResult.signedHex,
+    ...signedJudgeActionHex && { signed_judge_action: signedJudgeActionHex },
+    ...context && { context },
+    ...opts?.provider && { provider: opts.provider },
+    ...opts?.toolName && { tool_name: opts.toolName },
+    ...opts?.model && { model: opts.model }
+  };
+  const data = await postJson(url, body, opts);
   return {
     verdict: normalizeVerdict(data.verdict),
     action_type: String(data.action_type || ""),

package/dist/index.d.cts

@@ -21,6 +21,7 @@ interface ChainOpts {
 interface LogToolCallResult {
     success: boolean;
     toolCallId: string | null;
+    signedHex?: string;
     error?: string;
 }
 interface JudgeResult {
@@ -35,8 +36,6 @@ interface JudgeResult {
 }
 interface JudgeOptions extends ClientOpts {
     provider?: Provider;
-    apiKey?: string;
-    providerEndpoint?: string;
     model?: string;
     toolName?: string;
     toolArgsJson?: string;
@@ -125,16 +124,17 @@ declare function toPubkeyHex(val: unknown): string;
  */
 declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<boolean>;
 /**
- * Sign and broadcast `log_tool_call` to the Chromia chain.
+ * Sign `log_tool_call` locally and return the signed transaction hex.
  *
- * Checks that the agent is onboarded before signing. The agent's private
- * key is used to sign the transaction locally — never sent over the network.
+ * Checks that the agent is onboarded before signing. The private key
+ * is used locally — never sent over the network. The server will
+ * broadcast the signed transaction to the chain.
  */
 declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?: ChainOpts, extra?: {
     toolName?: string;
     toolArgsJson?: string;
 }, clientOpts?: ClientOpts): Promise<LogToolCallResult>;
-declare function judgeAction(action: string, context: string, auth: AgentAuth, opts?: JudgeOptions): Promise<JudgeResult>;
+declare function judgeAction(action: string, context: string | undefined, auth: AgentAuth, opts?: JudgeOptions): Promise<JudgeResult>;
 declare function getJudgmentStatus(judgmentId: string, opts?: ClientOpts): Promise<JudgmentStatus>;
 declare function getToolCalls(maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
 declare function getOrgToolCalls(orgName: string, maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;

package/dist/index.d.ts

@@ -21,6 +21,7 @@ interface ChainOpts {
 interface LogToolCallResult {
     success: boolean;
     toolCallId: string | null;
+    signedHex?: string;
     error?: string;
 }
 interface JudgeResult {
@@ -35,8 +36,6 @@ interface JudgeResult {
 }
 interface JudgeOptions extends ClientOpts {
     provider?: Provider;
-    apiKey?: string;
-    providerEndpoint?: string;
     model?: string;
     toolName?: string;
     toolArgsJson?: string;
@@ -125,16 +124,17 @@ declare function toPubkeyHex(val: unknown): string;
  */
 declare function checkAgentExists(pubkey: string, opts?: ClientOpts): Promise<boolean>;
 /**
- * Sign and broadcast `log_tool_call` to the Chromia chain.
+ * Sign `log_tool_call` locally and return the signed transaction hex.
  *
- * Checks that the agent is onboarded before signing. The agent's private
- * key is used to sign the transaction locally — never sent over the network.
+ * Checks that the agent is onboarded before signing. The private key
+ * is used locally — never sent over the network. The server will
+ * broadcast the signed transaction to the chain.
  */
 declare function logToolCall(action: string, context: string, auth: AgentAuth, chainOpts?: ChainOpts, extra?: {
     toolName?: string;
     toolArgsJson?: string;
 }, clientOpts?: ClientOpts): Promise<LogToolCallResult>;
-declare function judgeAction(action: string, context: string, auth: AgentAuth, opts?: JudgeOptions): Promise<JudgeResult>;
+declare function judgeAction(action: string, context: string | undefined, auth: AgentAuth, opts?: JudgeOptions): Promise<JudgeResult>;
 declare function getJudgmentStatus(judgmentId: string, opts?: ClientOpts): Promise<JudgmentStatus>;
 declare function getToolCalls(maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;
 declare function getOrgToolCalls(orgName: string, maxCount: number, opts?: ClientOpts): Promise<ToolCallRecord[]>;

package/dist/index.js

@@ -52,6 +52,25 @@ function generateToolCallId() {
   const rand = randomBytes(4).toString("hex");
   return `tc-${ts}-${rand}`;
 }
+async function buildSignedTx(opName, args, auth, chainOpts) {
+  const nodeUrls = chainOpts?.nodeUrls ?? DEFAULT_CHROMIA_NODE_URLS;
+  const blockchainRid = chainOpts?.blockchainRid ?? DEFAULT_BLOCKCHAIN_RID;
+  const client = await createClient({ nodeUrlPool: nodeUrls, blockchainRid });
+  const privKeyBuf = Buffer.from(auth.privkey, "hex");
+  const keyPair = encryption.makeKeyPair(privKeyBuf);
+  const sigProvider = newSignatureProvider({
+    privKey: keyPair.privKey,
+    pubKey: keyPair.pubKey
+  });
+  const signed = await client.signTransaction(
+    {
+      operations: [{ name: opName, args }],
+      signers: [keyPair.pubKey]
+    },
+    sigProvider
+  );
+  return Buffer.from(signed).toString("hex");
+}
 async function checkAgentExists(pubkey, opts) {
   const url = `${baseUrl(opts)}/api/ai/exists?pubkey=${encodeURIComponent(pubkey)}`;
   const data = await getJson(url, opts);
@@ -67,38 +86,25 @@ async function logToolCall(action, context, auth, chainOpts, extra, clientOpts)
     };
   }
   try {
-    const nodeUrls = chainOpts?.nodeUrls ?? DEFAULT_CHROMIA_NODE_URLS;
-    const blockchainRid = chainOpts?.blockchainRid ?? DEFAULT_BLOCKCHAIN_RID;
-    const client = await createClient({
-      nodeUrlPool: nodeUrls,
-      blockchainRid
-    });
-    const privKeyBuf = Buffer.from(auth.privkey, "hex");
-    const keyPair = encryption.makeKeyPair(privKeyBuf);
-    const sigProvider = newSignatureProvider({
-      privKey: keyPair.privKey,
-      pubKey: keyPair.pubKey
-    });
     const toolCallId = generateToolCallId();
-    await client.signAndSendUniqueTransaction(
-      {
-        name: "log_tool_call",
-        args: [
-          toolCallId,
-          action,
-          context || "",
-          extra?.toolName || "",
-          extra?.toolArgsJson || ""
-        ]
-      },
-      sigProvider
+    const signedHex = await buildSignedTx(
+      "log_tool_call",
+      [
+        toolCallId,
+        action,
+        context || "",
+        extra?.toolName || "",
+        extra?.toolArgsJson || ""
+      ],
+      auth,
+      chainOpts
     );
-    return { success: true, toolCallId };
+    return { success: true, toolCallId, signedHex };
   } catch (err) {
     return {
       success: false,
       toolCallId: null,
-      error: err instanceof Error ? err.message : "Failed to log tool call on-chain"
+      error: err instanceof Error ? err.message : "Failed to sign log_tool_call"
     };
   }
 }
@@ -162,7 +168,7 @@ async function getJson(url, opts) {
   }
   return resp.json();
 }
-async function judgeAction(action, context, auth, opts) {
+async function judgeAction(action, context = "", auth, opts) {
   if (!action || !action.trim()) {
     throw new Error("action is required and cannot be empty.");
   }
@@ -174,25 +180,32 @@ async function judgeAction(action, context, auth, opts) {
     { toolName: opts?.toolName, toolArgsJson: opts?.toolArgsJson },
     opts
   );
-  if (!logResult.success || !logResult.toolCallId) {
-    throw new Error(logResult.error || "Failed to log tool call on-chain");
+  if (!logResult.success || !logResult.toolCallId || !logResult.signedHex) {
+    throw new Error(logResult.error || "Failed to sign log_tool_call");
+  }
+  let signedJudgeActionHex;
+  if (!opts?.provider) {
+    const judgmentId = generateToolCallId();
+    signedJudgeActionHex = await buildSignedTx(
+      "judge_action",
+      [judgmentId, action, context || "", ""],
+      auth,
+      opts?.chainOpts
+    );
   }
   const url = `${baseUrl(opts)}/api/v1/judge`;
-  const data = await postJson(
-    url,
-    {
-      tool_call_id: logResult.toolCallId,
-      agent_pubkey: auth.pubkey,
-      action,
-      ...context && { context },
-      ...opts?.provider && { provider: opts.provider },
-      ...opts?.toolName && { tool_name: opts.toolName },
-      ...opts?.apiKey && { api_key: opts.apiKey },
-      ...opts?.providerEndpoint && { endpoint_url: opts.providerEndpoint },
-      ...opts?.model && { model: opts.model }
-    },
-    opts
-  );
+  const body = {
+    tool_call_id: logResult.toolCallId,
+    agent_pubkey: auth.pubkey,
+    action,
+    signed_log_tool_call: logResult.signedHex,
+    ...signedJudgeActionHex && { signed_judge_action: signedJudgeActionHex },
+    ...context && { context },
+    ...opts?.provider && { provider: opts.provider },
+    ...opts?.toolName && { tool_name: opts.toolName },
+    ...opts?.model && { model: opts.model }
+  };
+  const data = await postJson(url, body, opts);
   return {
     verdict: normalizeVerdict(data.verdict),
     action_type: String(data.action_type || ""),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atbash/sdk",
-  "version": "0.3.4",
+  "version": "0.3.6",
   "description": "Atbash SDK — control boundary before the last irreversible step in an agent workflow",
   "homepage": "https://atbash.ai",
   "author": "Atbash",