@atbash/sdk 0.3.9-dev.2 → 0.3.9-dev.4

package/dist/index.cjs

@@ -60,6 +60,8 @@ __export(index_exports, {
   resolve: () => resolve,
   resolveKeyPath: () => resolveKeyPath,
   saveUserConfig: () => saveUserConfig,
+  setupTelemetry: () => setupTelemetry,
+  shutdownTelemetry: () => shutdownTelemetry,
   toPubkeyHex: () => toPubkeyHex,
   validateJudgeEndpoint: () => validateJudgeEndpoint,
   verifyJudgeResponseSignature: () => verifyJudgeResponseSignature
@@ -96,6 +98,69 @@ function verifyJudgeResponseSignature(bodyBytes, signatureHex, pubKeyHex) {
   return isValid ? { ok: true } : { ok: false, reason: "signature does not verify against configured verifyPubKey" };
 }
 
+// src/opentel/telemetry.ts
+var import_sdk_metrics = require("@opentelemetry/sdk-metrics");
+var import_exporter_metrics_otlp_http = require("@opentelemetry/exporter-metrics-otlp-http");
+var import_resources = require("@opentelemetry/resources");
+var meterProvider = null;
+var callCounter = null;
+var durationHistogram = null;
+var defaultSource = "sdk";
+function setupTelemetry(config) {
+  if (!config.enabled) return;
+  if (meterProvider) return;
+  defaultSource = config.source ?? "sdk";
+  const ATBASH_HONEYCOMB_KEY = "YOUR_INGEST_KEY_HERE";
+  const apiKey = process.env.HONEYCOMB_API_KEY ?? ATBASH_HONEYCOMB_KEY;
+  const exporter = new import_exporter_metrics_otlp_http.OTLPMetricExporter({
+    url: "https://api.honeycomb.io/v1/metrics",
+    headers: {
+      "x-honeycomb-team": apiKey
+    }
+  });
+  const reader = new import_sdk_metrics.PeriodicExportingMetricReader({
+    exporter,
+    exportIntervalMillis: config.exportIntervalMs ?? 6e4
+  });
+  meterProvider = new import_sdk_metrics.MeterProvider({
+    resource: (0, import_resources.resourceFromAttributes)({
+      "service.name": "atbash-sdk"
+    }),
+    readers: [reader]
+  });
+  const meter = meterProvider.getMeter("atbash-sdk");
+  callCounter = meter.createCounter("atbash.sdk.function.calls", {
+    description: "Number of SDK function calls"
+  });
+  durationHistogram = meter.createHistogram("atbash.sdk.function.duration_ms", {
+    description: "SDK function execution duration",
+    unit: "ms"
+  });
+}
+function recordCall(functionName, source, agentPubkey) {
+  if (!callCounter) return;
+  callCounter.add(1, {
+    "function.name": functionName,
+    "source": source ?? defaultSource,
+    ...agentPubkey && { "agent.pubkey": agentPubkey }
+  });
+}
+function recordDuration(functionName, durationMs, status, source) {
+  if (!durationHistogram) return;
+  durationHistogram.record(durationMs, {
+    "function.name": functionName,
+    "status": status,
+    "source": source ?? defaultSource
+  });
+}
+async function shutdownTelemetry() {
+  if (!meterProvider) return;
+  await meterProvider.shutdown();
+  meterProvider = null;
+  callCounter = null;
+  durationHistogram = null;
+}
+
 // src/client.ts
 var { createClient, encryption: encryption2, newSignatureProvider } = import_postchain_client2.default;
 var DEFAULT_ENDPOINT = "https://chromia-verified-ai-dev-two.vercel.app";
@@ -168,13 +233,24 @@ async function buildSignedTx(opName, args, auth, chainOpts) {
   return Buffer.from(signed).toString("hex");
 }
 async function checkAgentExists(pubkey, opts) {
-  const url = `${baseUrl(opts)}/api/ai/exists?pubkey=${encodeURIComponent(pubkey)}`;
-  const data = await getJson(url, opts);
-  return Boolean(data.registered);
+  const start = performance.now();
+  recordCall("checkAgentExists", void 0, pubkey);
+  try {
+    const url = `${baseUrl(opts)}/api/ai/exists?pubkey=${encodeURIComponent(pubkey)}`;
+    const data = await getJson(url, opts);
+    recordDuration("checkAgentExists", performance.now() - start, "success");
+    return Boolean(data.registered);
+  } catch (err) {
+    recordDuration("checkAgentExists", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function logToolCall(action, context, auth, chainOpts, extra, clientOpts) {
+  const start = performance.now();
+  recordCall("logToolCall", void 0, auth.pubkey);
   const exists = await checkAgentExists(auth.pubkey, clientOpts);
   if (!exists) {
+    recordDuration("logToolCall", performance.now() - start, "error");
     return {
       success: false,
       toolCallId: null,
@@ -195,8 +271,10 @@ async function logToolCall(action, context, auth, chainOpts, extra, clientOpts)
       auth,
       chainOpts
     );
+    recordDuration("logToolCall", performance.now() - start, "success");
     return { success: true, toolCallId, signedHex };
   } catch (err) {
+    recordDuration("logToolCall", performance.now() - start, "error");
     return {
       success: false,
       toolCallId: null,
@@ -290,66 +368,83 @@ async function postJudgeRequest(url, body, opts) {
   return JSON.parse(new TextDecoder().decode(buf));
 }
 async function judgeAction(action, context = "", auth, opts) {
+  const start = performance.now();
+  recordCall("judgeAction", void 0, auth.pubkey);
   if (!action || !action.trim()) {
     throw new Error("action is required and cannot be empty.");
   }
-  const logResult = await logToolCall(
-    action,
-    context,
-    auth,
-    opts?.chainOpts,
-    { toolName: opts?.toolName, toolArgsJson: opts?.toolArgsJson },
-    opts
-  );
-  if (!logResult.success || !logResult.toolCallId || !logResult.signedHex) {
-    throw new Error(logResult.error || "Failed to sign log_tool_call");
-  }
-  let signedJudgeActionHex;
-  if (!opts?.provider) {
-    const judgmentId = generateToolCallId();
-    signedJudgeActionHex = await buildSignedTx(
-      "judge_action",
-      [judgmentId, action, context || "", ""],
+  try {
+    const logResult = await logToolCall(
+      action,
+      context,
       auth,
-      opts?.chainOpts
+      opts?.chainOpts,
+      { toolName: opts?.toolName, toolArgsJson: opts?.toolArgsJson },
+      opts
     );
+    if (!logResult.success || !logResult.toolCallId || !logResult.signedHex) {
+      throw new Error(logResult.error || "Failed to sign log_tool_call");
+    }
+    let signedJudgeActionHex;
+    if (!opts?.provider) {
+      const judgmentId = generateToolCallId();
+      signedJudgeActionHex = await buildSignedTx(
+        "judge_action",
+        [judgmentId, action, context || "", ""],
+        auth,
+        opts?.chainOpts
+      );
+    }
+    const url = `${baseUrl(opts)}/api/v1/judge`;
+    const body = {
+      tool_call_id: logResult.toolCallId,
+      agent_pubkey: auth.pubkey,
+      action,
+      signed_log_tool_call: logResult.signedHex,
+      ...signedJudgeActionHex && { signed_judge_action: signedJudgeActionHex },
+      ...context && { context },
+      ...opts?.provider && { provider: opts.provider },
+      ...opts?.toolName && { tool_name: opts.toolName },
+      ...opts?.model && { model: opts.model }
+    };
+    const data = await postJudgeRequest(url, body, opts);
+    const result = {
+      verdict: normalizeVerdict(data.verdict),
+      action_type: String(data.action_type || ""),
+      reason: String(data.reason || ""),
+      confidence: Number(data.confidence ?? 0),
+      provider: String(data.provider || ""),
+      latency_ms: Number(data.latency_ms ?? 0),
+      tool_call_id: String(data.tool_call_id || logResult.toolCallId),
+      on_chain: Boolean(data.on_chain)
+    };
+    recordDuration("judgeAction", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("judgeAction", performance.now() - start, "error");
+    throw err;
   }
-  const url = `${baseUrl(opts)}/api/v1/judge`;
-  const body = {
-    tool_call_id: logResult.toolCallId,
-    agent_pubkey: auth.pubkey,
-    action,
-    signed_log_tool_call: logResult.signedHex,
-    ...signedJudgeActionHex && { signed_judge_action: signedJudgeActionHex },
-    ...context && { context },
-    ...opts?.provider && { provider: opts.provider },
-    ...opts?.toolName && { tool_name: opts.toolName },
-    ...opts?.model && { model: opts.model }
-  };
-  const data = await postJudgeRequest(url, body, opts);
-  return {
-    verdict: normalizeVerdict(data.verdict),
-    action_type: String(data.action_type || ""),
-    reason: String(data.reason || ""),
-    confidence: Number(data.confidence ?? 0),
-    provider: String(data.provider || ""),
-    latency_ms: Number(data.latency_ms ?? 0),
-    tool_call_id: String(data.tool_call_id || logResult.toolCallId),
-    on_chain: Boolean(data.on_chain)
-  };
 }
 async function getJudgmentStatus(judgmentId, agentPubkey, opts) {
-  const url = `${baseUrl(opts)}/api/v1/judge?tool_call_id=${encodeURIComponent(judgmentId)}&agent_pubkey=${encodeURIComponent(agentPubkey)}`;
-  const data = await getJson(url, opts);
-  return {
-    status: normalizeStatus(data.status),
-    verdict: normalizeVerdict(data.verdict),
-    reason: String(data.reason || ""),
-    judgmentId: String(data.judgmentId || judgmentId),
-    onChain: Boolean(data.onChain),
-    cached: Boolean(data.cached),
-    responseTimeMs: Number(data.responseTimeMs ?? 0)
-  };
+  const start = performance.now();
+  recordCall("getJudgmentStatus", void 0, agentPubkey);
+  try {
+    const url = `${baseUrl(opts)}/api/v1/judge?tool_call_id=${encodeURIComponent(judgmentId)}&agent_pubkey=${encodeURIComponent(agentPubkey)}`;
+    const data = await getJson(url, opts);
+    recordDuration("getJudgmentStatus", performance.now() - start, "success");
+    return {
+      status: normalizeStatus(data.status),
+      verdict: normalizeVerdict(data.verdict),
+      reason: String(data.reason || ""),
+      judgmentId: String(data.judgmentId || judgmentId),
+      onChain: Boolean(data.onChain),
+      cached: Boolean(data.cached),
+      responseTimeMs: Number(data.responseTimeMs ?? 0)
+    };
+  } catch (err) {
+    recordDuration("getJudgmentStatus", performance.now() - start, "error");
+    throw err;
+  }
 }
 function riskEngineUrl(action, params, opts) {
   const url = new URL(`${baseUrl(opts)}/api/risk-engine`);
@@ -360,98 +455,188 @@ function riskEngineUrl(action, params, opts) {
   return url.toString();
 }
 async function getToolCalls(maxCount, opts) {
-  return getJson(
-    riskEngineUrl("tool-calls", { limit: String(maxCount) }, opts),
-    opts
-  );
+  const start = performance.now();
+  recordCall("getToolCalls");
+  try {
+    const result = await getJson(
+      riskEngineUrl("tool-calls", { limit: String(maxCount) }, opts),
+      opts
+    );
+    recordDuration("getToolCalls", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getToolCalls", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getOrgToolCalls(orgName, maxCount, opts) {
-  return getJson(
-    riskEngineUrl(
-      "org-tool-calls",
-      { org: orgName, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getOrgToolCalls");
+  try {
+    const result = await getJson(
+      riskEngineUrl(
+        "org-tool-calls",
+        { org: orgName, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
+    );
+    recordDuration("getOrgToolCalls", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getOrgToolCalls", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getAgentToolCalls(agentPubkey, maxCount, opts) {
-  return getJson(
-    riskEngineUrl(
-      "agent-tool-calls",
-      { agent: agentPubkey, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getAgentToolCalls", void 0, agentPubkey);
+  try {
+    const result = await getJson(
+      riskEngineUrl(
+        "agent-tool-calls",
+        { agent: agentPubkey, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
+    );
+    recordDuration("getAgentToolCalls", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getAgentToolCalls", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getToolCallCount(opts) {
-  const result = await getJson(
-    riskEngineUrl("tool-call-count", {}, opts),
-    opts
-  );
-  return typeof result === "number" ? result : Number(result ?? 0);
+  const start = performance.now();
+  recordCall("getToolCallCount");
+  try {
+    const result = await getJson(
+      riskEngineUrl("tool-call-count", {}, opts),
+      opts
+    );
+    recordDuration("getToolCallCount", performance.now() - start, "success");
+    return typeof result === "number" ? result : Number(result ?? 0);
+  } catch (err) {
+    recordDuration("getToolCallCount", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getToolCallFull(toolCallId, opts) {
-  return getJson(
-    riskEngineUrl("tool-call-full", { tool_call_id: toolCallId }, opts),
-    opts
-  );
+  const start = performance.now();
+  recordCall("getToolCallFull");
+  try {
+    const result = await getJson(
+      riskEngineUrl("tool-call-full", { tool_call_id: toolCallId }, opts),
+      opts
+    );
+    recordDuration("getToolCallFull", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getToolCallFull", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getOrgTierInfo(orgName, opts) {
-  return getJson(
-    riskEngineUrl("org-tier-info", { org: orgName }, opts),
-    opts
-  );
+  const start = performance.now();
+  recordCall("getOrgTierInfo");
+  try {
+    const result = await getJson(
+      riskEngineUrl("org-tier-info", { org: orgName }, opts),
+      opts
+    );
+    recordDuration("getOrgTierInfo", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getOrgTierInfo", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getPendingHeldActions(orgName, maxCount, opts) {
-  const raw = await getJson(
-    riskEngineUrl(
-      "pending-held-actions",
-      { org: orgName, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getPendingHeldActions");
+  try {
+    const raw = await getJson(
+      riskEngineUrl(
+        "pending-held-actions",
+        { org: orgName, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
-  return raw.map((h) => ({ ...h, verdict: normalizeVerdict(h.verdict) }));
+    );
+    recordDuration("getPendingHeldActions", performance.now() - start, "success");
+    return raw.map((h) => ({ ...h, verdict: normalizeVerdict(h.verdict) }));
+  } catch (err) {
+    recordDuration("getPendingHeldActions", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getHeldActionReviews(orgName, maxCount, opts) {
-  return getJson(
-    riskEngineUrl(
-      "held-action-reviews",
-      { org: orgName, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getHeldActionReviews");
+  try {
+    const result = await getJson(
+      riskEngineUrl(
+        "held-action-reviews",
+        { org: orgName, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
+    );
+    recordDuration("getHeldActionReviews", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getHeldActionReviews", performance.now() - start, "error");
+    throw err;
+  }
 }
 function riskEnginePostUrl(opts) {
   return `${baseUrl(opts)}/api/risk-engine`;
 }
 async function getAgentDetail(agentPubkey, opts) {
-  return postJson(
-    riskEnginePostUrl(opts),
-    {
-      action: "agent-detail-batch",
-      agent: agentPubkey
-    },
-    opts
-  );
+  const start = performance.now();
+  recordCall("getAgentDetail", void 0, agentPubkey);
+  try {
+    const result = await postJson(
+      riskEnginePostUrl(opts),
+      { action: "agent-detail-batch", agent: agentPubkey },
+      opts
+    );
+    recordDuration("getAgentDetail", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getAgentDetail", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getAgentPolicy(agentPubkey, opts) {
-  return postJson(
-    riskEnginePostUrl(opts),
-    {
-      action: "agent-policy-batch",
-      agent: agentPubkey
-    },
-    opts
-  );
+  const start = performance.now();
+  recordCall("getAgentPolicy", void 0, agentPubkey);
+  try {
+    const result = await postJson(
+      riskEnginePostUrl(opts),
+      { action: "agent-policy-batch", agent: agentPubkey },
+      opts
+    );
+    recordDuration("getAgentPolicy", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getAgentPolicy", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getSafetyStats(opts) {
-  const url = `${baseUrl(opts)}/api/insurance?action=safety-stats`;
-  const result = await getJson(url, opts);
-  return result?.data || result;
+  const start = performance.now();
+  recordCall("getSafetyStats");
+  try {
+    const url = `${baseUrl(opts)}/api/insurance?action=safety-stats`;
+    const result = await getJson(url, opts);
+    recordDuration("getSafetyStats", performance.now() - start, "success");
+    return result?.data || result;
+  } catch (err) {
+    recordDuration("getSafetyStats", performance.now() - start, "error");
+    throw err;
+  }
 }
 
 // src/config.ts
@@ -820,6 +1005,8 @@ function resolve(key, flagValue) {
   resolve,
   resolveKeyPath,
   saveUserConfig,
+  setupTelemetry,
+  shutdownTelemetry,
   toPubkeyHex,
   validateJudgeEndpoint,
   verifyJudgeResponseSignature

package/dist/index.d.cts

@@ -204,6 +204,31 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
     reason?: string;
 };
 
+/**
+ * Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
+ *
+ * Tracks: function call counts, latency, source (CLI/plugin/SDK),
+ * and agent identity. Opt-in — no data sent unless enabled.
+ */
+type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:claude-hook" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
+interface TelemetryConfig {
+    /** Must be true to send any telemetry. Default: false */
+    enabled: boolean;
+    /** Where calls originate */
+    source?: ClientSource;
+    /** Flush interval in ms. Default: 60000 */
+    exportIntervalMs?: number;
+}
+/**
+ * Initialize telemetry. Call once at startup.
+ * Does nothing if config.enabled is false.
+ */
+declare function setupTelemetry(config: TelemetryConfig): void;
+/**
+ * Flush pending metrics and shut down. Call before process exits.
+ */
+declare function shutdownTelemetry(): Promise<void>;
+
 interface AtbashUserConfig {
     agentKey?: string;
     orgName?: string;
@@ -218,4 +243,4 @@ declare function loadUserConfig(): AtbashUserConfig;
 declare function saveUserConfig(config: AtbashUserConfig): void;
 declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
 
-export { type ActionType, type AgentAuth, type AgentPolicy, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, createAtbashClient, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, resolve, resolveKeyPath, saveUserConfig, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };
+export { type ActionType, type AgentAuth, type AgentPolicy, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type TelemetryConfig, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, createAtbashClient, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, resolve, resolveKeyPath, saveUserConfig, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };

package/dist/index.d.ts

@@ -204,6 +204,31 @@ declare function verifyJudgeResponseSignature(bodyBytes: Uint8Array, signatureHe
     reason?: string;
 };
 
+/**
+ * Atbash SDK Telemetry — OpenTelemetry metrics for usage tracking.
+ *
+ * Tracks: function call counts, latency, source (CLI/plugin/SDK),
+ * and agent identity. Opt-in — no data sent unless enabled.
+ */
+type ClientSource = "cli" | "sdk" | "plugin:openclaw" | "plugin:claude-hook" | "plugin:langchain" | "plugin:langgraph" | "plugin:hermes" | "plugin:eliza" | "plugin:crewai" | "plugin:mcp" | "plugin:autogen" | "plugin:jeenai" | (string & {});
+interface TelemetryConfig {
+    /** Must be true to send any telemetry. Default: false */
+    enabled: boolean;
+    /** Where calls originate */
+    source?: ClientSource;
+    /** Flush interval in ms. Default: 60000 */
+    exportIntervalMs?: number;
+}
+/**
+ * Initialize telemetry. Call once at startup.
+ * Does nothing if config.enabled is false.
+ */
+declare function setupTelemetry(config: TelemetryConfig): void;
+/**
+ * Flush pending metrics and shut down. Call before process exits.
+ */
+declare function shutdownTelemetry(): Promise<void>;
+
 interface AtbashUserConfig {
     agentKey?: string;
     orgName?: string;
@@ -218,4 +243,4 @@ declare function loadUserConfig(): AtbashUserConfig;
 declare function saveUserConfig(config: AtbashUserConfig): void;
 declare function resolve(key: keyof AtbashUserConfig, flagValue?: string): string;
 
-export { type ActionType, type AgentAuth, type AgentPolicy, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, createAtbashClient, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, resolve, resolveKeyPath, saveUserConfig, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };
+export { type ActionType, type AgentAuth, type AgentPolicy, type AtbashClient, type AtbashClientConfig, type AtbashUserConfig, type ChainOpts, type ClientOpts, type ClientSource, DEFAULT_BLOCKCHAIN_RID, DEFAULT_CHROMIA_NODE_URLS, DEFAULT_ENDPOINT, type Decision, type DecisionVerdict, type HeldAction, type HeldActionReview, type JudgeEndpointConfig, type JudgeOptions, type JudgeResult, type JudgmentStatus, type JudgmentStatusState, type LogToolCallResult, type Provider, type PubkeyValue, type TelemetryConfig, type Tier, type TierInfo, type ToolCallFull, type ToolCallInput, type ToolCallRecord, type ValidatedEndpoint, type Verdict, checkAgentExists, createAtbashClient, derivePublicKey, generateKeyPair, getAgentDetail, getAgentPolicy, getAgentToolCalls, getConfigDir, getConfigPath, getHeldActionReviews, getJudgmentStatus, getOrgTierInfo, getOrgToolCalls, getPendingHeldActions, getSafetyStats, getToolCallCount, getToolCallFull, getToolCalls, isValidPrivateKey, judgeAction, loadAgent, loadAgentFromFile, loadUserConfig, logToolCall, resolve, resolveKeyPath, saveUserConfig, setupTelemetry, shutdownTelemetry, toPubkeyHex, validateJudgeEndpoint, verifyJudgeResponseSignature };

package/dist/index.js

@@ -28,6 +28,69 @@ function verifyJudgeResponseSignature(bodyBytes, signatureHex, pubKeyHex) {
   return isValid ? { ok: true } : { ok: false, reason: "signature does not verify against configured verifyPubKey" };
 }
 
+// src/opentel/telemetry.ts
+import { MeterProvider, PeriodicExportingMetricReader } from "@opentelemetry/sdk-metrics";
+import { OTLPMetricExporter } from "@opentelemetry/exporter-metrics-otlp-http";
+import { resourceFromAttributes } from "@opentelemetry/resources";
+var meterProvider = null;
+var callCounter = null;
+var durationHistogram = null;
+var defaultSource = "sdk";
+function setupTelemetry(config) {
+  if (!config.enabled) return;
+  if (meterProvider) return;
+  defaultSource = config.source ?? "sdk";
+  const ATBASH_HONEYCOMB_KEY = "YOUR_INGEST_KEY_HERE";
+  const apiKey = process.env.HONEYCOMB_API_KEY ?? ATBASH_HONEYCOMB_KEY;
+  const exporter = new OTLPMetricExporter({
+    url: "https://api.honeycomb.io/v1/metrics",
+    headers: {
+      "x-honeycomb-team": apiKey
+    }
+  });
+  const reader = new PeriodicExportingMetricReader({
+    exporter,
+    exportIntervalMillis: config.exportIntervalMs ?? 6e4
+  });
+  meterProvider = new MeterProvider({
+    resource: resourceFromAttributes({
+      "service.name": "atbash-sdk"
+    }),
+    readers: [reader]
+  });
+  const meter = meterProvider.getMeter("atbash-sdk");
+  callCounter = meter.createCounter("atbash.sdk.function.calls", {
+    description: "Number of SDK function calls"
+  });
+  durationHistogram = meter.createHistogram("atbash.sdk.function.duration_ms", {
+    description: "SDK function execution duration",
+    unit: "ms"
+  });
+}
+function recordCall(functionName, source, agentPubkey) {
+  if (!callCounter) return;
+  callCounter.add(1, {
+    "function.name": functionName,
+    "source": source ?? defaultSource,
+    ...agentPubkey && { "agent.pubkey": agentPubkey }
+  });
+}
+function recordDuration(functionName, durationMs, status, source) {
+  if (!durationHistogram) return;
+  durationHistogram.record(durationMs, {
+    "function.name": functionName,
+    "status": status,
+    "source": source ?? defaultSource
+  });
+}
+async function shutdownTelemetry() {
+  if (!meterProvider) return;
+  await meterProvider.shutdown();
+  meterProvider = null;
+  callCounter = null;
+  durationHistogram = null;
+}
+
 // src/client.ts
 var { createClient, encryption: encryption2, newSignatureProvider } = postchain2;
 var DEFAULT_ENDPOINT = "https://chromia-verified-ai-dev-two.vercel.app";
@@ -100,13 +163,24 @@ async function buildSignedTx(opName, args, auth, chainOpts) {
   return Buffer.from(signed).toString("hex");
 }
 async function checkAgentExists(pubkey, opts) {
-  const url = `${baseUrl(opts)}/api/ai/exists?pubkey=${encodeURIComponent(pubkey)}`;
-  const data = await getJson(url, opts);
-  return Boolean(data.registered);
+  const start = performance.now();
+  recordCall("checkAgentExists", void 0, pubkey);
+  try {
+    const url = `${baseUrl(opts)}/api/ai/exists?pubkey=${encodeURIComponent(pubkey)}`;
+    const data = await getJson(url, opts);
+    recordDuration("checkAgentExists", performance.now() - start, "success");
+    return Boolean(data.registered);
+  } catch (err) {
+    recordDuration("checkAgentExists", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function logToolCall(action, context, auth, chainOpts, extra, clientOpts) {
+  const start = performance.now();
+  recordCall("logToolCall", void 0, auth.pubkey);
   const exists = await checkAgentExists(auth.pubkey, clientOpts);
   if (!exists) {
+    recordDuration("logToolCall", performance.now() - start, "error");
     return {
       success: false,
       toolCallId: null,
@@ -127,8 +201,10 @@ async function logToolCall(action, context, auth, chainOpts, extra, clientOpts)
       auth,
       chainOpts
     );
+    recordDuration("logToolCall", performance.now() - start, "success");
     return { success: true, toolCallId, signedHex };
   } catch (err) {
+    recordDuration("logToolCall", performance.now() - start, "error");
     return {
       success: false,
       toolCallId: null,
@@ -222,66 +298,83 @@ async function postJudgeRequest(url, body, opts) {
   return JSON.parse(new TextDecoder().decode(buf));
 }
 async function judgeAction(action, context = "", auth, opts) {
+  const start = performance.now();
+  recordCall("judgeAction", void 0, auth.pubkey);
   if (!action || !action.trim()) {
     throw new Error("action is required and cannot be empty.");
   }
-  const logResult = await logToolCall(
-    action,
-    context,
-    auth,
-    opts?.chainOpts,
-    { toolName: opts?.toolName, toolArgsJson: opts?.toolArgsJson },
-    opts
-  );
-  if (!logResult.success || !logResult.toolCallId || !logResult.signedHex) {
-    throw new Error(logResult.error || "Failed to sign log_tool_call");
-  }
-  let signedJudgeActionHex;
-  if (!opts?.provider) {
-    const judgmentId = generateToolCallId();
-    signedJudgeActionHex = await buildSignedTx(
-      "judge_action",
-      [judgmentId, action, context || "", ""],
+  try {
+    const logResult = await logToolCall(
+      action,
+      context,
       auth,
-      opts?.chainOpts
+      opts?.chainOpts,
+      { toolName: opts?.toolName, toolArgsJson: opts?.toolArgsJson },
+      opts
     );
+    if (!logResult.success || !logResult.toolCallId || !logResult.signedHex) {
+      throw new Error(logResult.error || "Failed to sign log_tool_call");
+    }
+    let signedJudgeActionHex;
+    if (!opts?.provider) {
+      const judgmentId = generateToolCallId();
+      signedJudgeActionHex = await buildSignedTx(
+        "judge_action",
+        [judgmentId, action, context || "", ""],
+        auth,
+        opts?.chainOpts
+      );
+    }
+    const url = `${baseUrl(opts)}/api/v1/judge`;
+    const body = {
+      tool_call_id: logResult.toolCallId,
+      agent_pubkey: auth.pubkey,
+      action,
+      signed_log_tool_call: logResult.signedHex,
+      ...signedJudgeActionHex && { signed_judge_action: signedJudgeActionHex },
+      ...context && { context },
+      ...opts?.provider && { provider: opts.provider },
+      ...opts?.toolName && { tool_name: opts.toolName },
+      ...opts?.model && { model: opts.model }
+    };
+    const data = await postJudgeRequest(url, body, opts);
+    const result = {
+      verdict: normalizeVerdict(data.verdict),
+      action_type: String(data.action_type || ""),
+      reason: String(data.reason || ""),
+      confidence: Number(data.confidence ?? 0),
+      provider: String(data.provider || ""),
+      latency_ms: Number(data.latency_ms ?? 0),
+      tool_call_id: String(data.tool_call_id || logResult.toolCallId),
+      on_chain: Boolean(data.on_chain)
+    };
+    recordDuration("judgeAction", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("judgeAction", performance.now() - start, "error");
+    throw err;
   }
-  const url = `${baseUrl(opts)}/api/v1/judge`;
-  const body = {
-    tool_call_id: logResult.toolCallId,
-    agent_pubkey: auth.pubkey,
-    action,
-    signed_log_tool_call: logResult.signedHex,
-    ...signedJudgeActionHex && { signed_judge_action: signedJudgeActionHex },
-    ...context && { context },
-    ...opts?.provider && { provider: opts.provider },
-    ...opts?.toolName && { tool_name: opts.toolName },
-    ...opts?.model && { model: opts.model }
-  };
-  const data = await postJudgeRequest(url, body, opts);
-  return {
-    verdict: normalizeVerdict(data.verdict),
-    action_type: String(data.action_type || ""),
-    reason: String(data.reason || ""),
-    confidence: Number(data.confidence ?? 0),
-    provider: String(data.provider || ""),
-    latency_ms: Number(data.latency_ms ?? 0),
-    tool_call_id: String(data.tool_call_id || logResult.toolCallId),
-    on_chain: Boolean(data.on_chain)
-  };
 }
 async function getJudgmentStatus(judgmentId, agentPubkey, opts) {
-  const url = `${baseUrl(opts)}/api/v1/judge?tool_call_id=${encodeURIComponent(judgmentId)}&agent_pubkey=${encodeURIComponent(agentPubkey)}`;
-  const data = await getJson(url, opts);
-  return {
-    status: normalizeStatus(data.status),
-    verdict: normalizeVerdict(data.verdict),
-    reason: String(data.reason || ""),
-    judgmentId: String(data.judgmentId || judgmentId),
-    onChain: Boolean(data.onChain),
-    cached: Boolean(data.cached),
-    responseTimeMs: Number(data.responseTimeMs ?? 0)
-  };
+  const start = performance.now();
+  recordCall("getJudgmentStatus", void 0, agentPubkey);
+  try {
+    const url = `${baseUrl(opts)}/api/v1/judge?tool_call_id=${encodeURIComponent(judgmentId)}&agent_pubkey=${encodeURIComponent(agentPubkey)}`;
+    const data = await getJson(url, opts);
+    recordDuration("getJudgmentStatus", performance.now() - start, "success");
+    return {
+      status: normalizeStatus(data.status),
+      verdict: normalizeVerdict(data.verdict),
+      reason: String(data.reason || ""),
+      judgmentId: String(data.judgmentId || judgmentId),
+      onChain: Boolean(data.onChain),
+      cached: Boolean(data.cached),
+      responseTimeMs: Number(data.responseTimeMs ?? 0)
+    };
+  } catch (err) {
+    recordDuration("getJudgmentStatus", performance.now() - start, "error");
+    throw err;
+  }
 }
 function riskEngineUrl(action, params, opts) {
   const url = new URL(`${baseUrl(opts)}/api/risk-engine`);
@@ -292,98 +385,188 @@ function riskEngineUrl(action, params, opts) {
   return url.toString();
 }
 async function getToolCalls(maxCount, opts) {
-  return getJson(
-    riskEngineUrl("tool-calls", { limit: String(maxCount) }, opts),
-    opts
-  );
+  const start = performance.now();
+  recordCall("getToolCalls");
+  try {
+    const result = await getJson(
+      riskEngineUrl("tool-calls", { limit: String(maxCount) }, opts),
+      opts
+    );
+    recordDuration("getToolCalls", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getToolCalls", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getOrgToolCalls(orgName, maxCount, opts) {
-  return getJson(
-    riskEngineUrl(
-      "org-tool-calls",
-      { org: orgName, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getOrgToolCalls");
+  try {
+    const result = await getJson(
+      riskEngineUrl(
+        "org-tool-calls",
+        { org: orgName, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
+    );
+    recordDuration("getOrgToolCalls", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getOrgToolCalls", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getAgentToolCalls(agentPubkey, maxCount, opts) {
-  return getJson(
-    riskEngineUrl(
-      "agent-tool-calls",
-      { agent: agentPubkey, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getAgentToolCalls", void 0, agentPubkey);
+  try {
+    const result = await getJson(
+      riskEngineUrl(
+        "agent-tool-calls",
+        { agent: agentPubkey, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
+    );
+    recordDuration("getAgentToolCalls", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getAgentToolCalls", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getToolCallCount(opts) {
-  const result = await getJson(
-    riskEngineUrl("tool-call-count", {}, opts),
-    opts
-  );
-  return typeof result === "number" ? result : Number(result ?? 0);
+  const start = performance.now();
+  recordCall("getToolCallCount");
+  try {
+    const result = await getJson(
+      riskEngineUrl("tool-call-count", {}, opts),
+      opts
+    );
+    recordDuration("getToolCallCount", performance.now() - start, "success");
+    return typeof result === "number" ? result : Number(result ?? 0);
+  } catch (err) {
+    recordDuration("getToolCallCount", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getToolCallFull(toolCallId, opts) {
-  return getJson(
-    riskEngineUrl("tool-call-full", { tool_call_id: toolCallId }, opts),
-    opts
-  );
+  const start = performance.now();
+  recordCall("getToolCallFull");
+  try {
+    const result = await getJson(
+      riskEngineUrl("tool-call-full", { tool_call_id: toolCallId }, opts),
+      opts
+    );
+    recordDuration("getToolCallFull", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getToolCallFull", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getOrgTierInfo(orgName, opts) {
-  return getJson(
-    riskEngineUrl("org-tier-info", { org: orgName }, opts),
-    opts
-  );
+  const start = performance.now();
+  recordCall("getOrgTierInfo");
+  try {
+    const result = await getJson(
+      riskEngineUrl("org-tier-info", { org: orgName }, opts),
+      opts
+    );
+    recordDuration("getOrgTierInfo", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getOrgTierInfo", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getPendingHeldActions(orgName, maxCount, opts) {
-  const raw = await getJson(
-    riskEngineUrl(
-      "pending-held-actions",
-      { org: orgName, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getPendingHeldActions");
+  try {
+    const raw = await getJson(
+      riskEngineUrl(
+        "pending-held-actions",
+        { org: orgName, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
-  return raw.map((h) => ({ ...h, verdict: normalizeVerdict(h.verdict) }));
+    );
+    recordDuration("getPendingHeldActions", performance.now() - start, "success");
+    return raw.map((h) => ({ ...h, verdict: normalizeVerdict(h.verdict) }));
+  } catch (err) {
+    recordDuration("getPendingHeldActions", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getHeldActionReviews(orgName, maxCount, opts) {
-  return getJson(
-    riskEngineUrl(
-      "held-action-reviews",
-      { org: orgName, limit: String(maxCount) },
+  const start = performance.now();
+  recordCall("getHeldActionReviews");
+  try {
+    const result = await getJson(
+      riskEngineUrl(
+        "held-action-reviews",
+        { org: orgName, limit: String(maxCount) },
+        opts
+      ),
       opts
-    ),
-    opts
-  );
+    );
+    recordDuration("getHeldActionReviews", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getHeldActionReviews", performance.now() - start, "error");
+    throw err;
+  }
 }
 function riskEnginePostUrl(opts) {
   return `${baseUrl(opts)}/api/risk-engine`;
 }
 async function getAgentDetail(agentPubkey, opts) {
-  return postJson(
-    riskEnginePostUrl(opts),
-    {
-      action: "agent-detail-batch",
-      agent: agentPubkey
-    },
-    opts
-  );
+  const start = performance.now();
+  recordCall("getAgentDetail", void 0, agentPubkey);
+  try {
+    const result = await postJson(
+      riskEnginePostUrl(opts),
+      { action: "agent-detail-batch", agent: agentPubkey },
+      opts
+    );
+    recordDuration("getAgentDetail", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getAgentDetail", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getAgentPolicy(agentPubkey, opts) {
-  return postJson(
-    riskEnginePostUrl(opts),
-    {
-      action: "agent-policy-batch",
-      agent: agentPubkey
-    },
-    opts
-  );
+  const start = performance.now();
+  recordCall("getAgentPolicy", void 0, agentPubkey);
+  try {
+    const result = await postJson(
+      riskEnginePostUrl(opts),
+      { action: "agent-policy-batch", agent: agentPubkey },
+      opts
+    );
+    recordDuration("getAgentPolicy", performance.now() - start, "success");
+    return result;
+  } catch (err) {
+    recordDuration("getAgentPolicy", performance.now() - start, "error");
+    throw err;
+  }
 }
 async function getSafetyStats(opts) {
-  const url = `${baseUrl(opts)}/api/insurance?action=safety-stats`;
-  const result = await getJson(url, opts);
-  return result?.data || result;
+  const start = performance.now();
+  recordCall("getSafetyStats");
+  try {
+    const url = `${baseUrl(opts)}/api/insurance?action=safety-stats`;
+    const result = await getJson(url, opts);
+    recordDuration("getSafetyStats", performance.now() - start, "success");
+    return result?.data || result;
+  } catch (err) {
+    recordDuration("getSafetyStats", performance.now() - start, "error");
+    throw err;
+  }
 }
 
 // src/config.ts
@@ -751,6 +934,8 @@ export {
   resolve,
   resolveKeyPath,
   saveUserConfig,
+  setupTelemetry,
+  shutdownTelemetry,
   toPubkeyHex,
   validateJudgeEndpoint,
   verifyJudgeResponseSignature

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atbash/sdk",
-  "version": "0.3.9-dev.2",
+  "version": "0.3.9-dev.4",
   "description": "Atbash SDK — control boundary before the last irreversible step in an agent workflow",
   "homepage": "https://atbash.ai",
   "author": "Atbash",
@@ -41,6 +41,10 @@
     "ai-safety"
   ],
   "dependencies": {
+    "@opentelemetry/api": "^1.9.1",
+    "@opentelemetry/exporter-metrics-otlp-http": "^0.217.0",
+    "@opentelemetry/resources": "^2.7.1",
+    "@opentelemetry/sdk-metrics": "^2.7.1",
     "postchain-client": "^2.1.5"
   }
 }