@intelmesh/sdk 0.1.0

package/.github/scripts/compute-disttag.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Compute npm dist-tag and prerelease flag from a git tag name.
+#
+# Reads (env):
+#   GITHUB_REF_NAME  git tag name, e.g. "v1.2.3" or "v1.2.3-beta.1"
+#   GITHUB_OUTPUT    path to GitHub Actions step output file
+#
+# Writes to $GITHUB_OUTPUT:
+#   version          semver without leading "v"
+#   disttag          npm dist-tag ("latest" for stable, lowercased suffix prefix otherwise)
+#   is_prerelease    "true" for any tag with a "-" suffix, else "false"
+#
+# Exits:
+#   0  on success
+#   1  if GITHUB_REF_NAME or GITHUB_OUTPUT is unset or empty
+#   1  if GITHUB_REF_NAME is not a valid semver tag
+
+set -euo pipefail
+
+tag="${GITHUB_REF_NAME:?GITHUB_REF_NAME is required}"
+: "${GITHUB_OUTPUT:?GITHUB_OUTPUT is required}"
+
+semver_re='^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
+if [[ ! "$tag" =~ $semver_re ]]; then
+  echo "::error::GITHUB_REF_NAME='$tag' is not a valid semver tag (expected vMAJOR.MINOR.PATCH[-PRERELEASE])" >&2
+  exit 1
+fi
+
+version="${tag#v}"
+
+if [[ "$version" == *-* ]]; then
+  suffix="${version#*-}"
+  disttag="${suffix%%.*}"
+  disttag="${disttag,,}"
+  is_prerelease=true
+else
+  disttag="latest"
+  is_prerelease=false
+fi
+
+{
+  echo "version=$version"
+  echo "disttag=$disttag"
+  echo "is_prerelease=$is_prerelease"
+} >> "$GITHUB_OUTPUT"
+
+echo "Resolved: tag=$tag version=$version disttag=$disttag prerelease=$is_prerelease" >&2

package/.github/workflows/release.yml

@@ -0,0 +1,206 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-*'
+
+permissions:
+  contents: write
+  id-token: write
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  verify-signature:
+    name: Verify commit and tag are signed
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      # No checkout needed: this job only queries the GitHub API via `gh`.
+      - name: Verify commit signature
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          commit_sha="${GITHUB_SHA}"
+          repo="${GITHUB_REPOSITORY}"
+
+          commit_json=$(gh api "repos/${repo}/commits/${commit_sha}")
+          verified=$(jq -r '.commit.verification.verified' <<<"${commit_json}")
+          reason=$(jq -r '.commit.verification.reason' <<<"${commit_json}")
+
+          echo "commit=${commit_sha} verified=${verified} reason=${reason}"
+
+          if [ "${verified}" != "true" ]; then
+            echo "::error title=Unsigned commit::Commit ${commit_sha} is NOT verified by GitHub. Reason: ${reason}. Refusing to release."
+            exit 1
+          fi
+
+      - name: Verify tag is a signed annotated tag
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          tag="${GITHUB_REF_NAME}"
+          repo="${GITHUB_REPOSITORY}"
+
+          ref_json=$(gh api "repos/${repo}/git/refs/tags/${tag}")
+          obj_type=$(jq -r '.object.type' <<<"${ref_json}")
+          obj_sha=$(jq -r '.object.sha' <<<"${ref_json}")
+
+          if [ "${obj_type}" != "tag" ]; then
+            echo "::error title=Lightweight tag::Tag ${tag} is a lightweight tag (object.type=${obj_type}). Use 'git tag -s ${tag}' to create a signed annotated tag. Refusing to release."
+            exit 1
+          fi
+
+          tag_json=$(gh api "repos/${repo}/git/tags/${obj_sha}")
+          verified=$(jq -r '.verification.verified' <<<"${tag_json}")
+          reason=$(jq -r '.verification.reason' <<<"${tag_json}")
+
+          echo "tag=${tag} object_sha=${obj_sha} verified=${verified} reason=${reason}"
+
+          if [ "${verified}" != "true" ]; then
+            echo "::error title=Unsigned tag::Tag ${tag} signature is NOT verified by GitHub. Reason: ${reason}. Refusing to release."
+            exit 1
+          fi
+
+  test:
+    name: Test on Node ${{ matrix.node-version }}
+    needs: verify-signature
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: true
+      matrix:
+        node-version: ['20', '22', '24']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Node ${{ matrix.node-version }}
+        uses: actions/setup-node@v5
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Test
+        run: npm test
+
+      - name: Build
+        run: npm run build
+
+  publish-npm:
+    name: Publish to npm
+    needs: test
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      version: ${{ steps.disttag.outputs.version }}
+      disttag: ${{ steps.disttag.outputs.disttag }}
+      is_prerelease: ${{ steps.disttag.outputs.is_prerelease }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Node
+        uses: actions/setup-node@v5
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Compute dist-tag from git tag
+        id: disttag
+        run: bash .github/scripts/compute-disttag.sh
+
+      - name: Verify package.json version matches git tag
+        run: |
+          set -euo pipefail
+          pkg_version=$(node -p "require('./package.json').version")
+          git_version="${{ steps.disttag.outputs.version }}"
+          if [ "${pkg_version}" != "${git_version}" ]; then
+            echo "::error title=Version mismatch::package.json version (${pkg_version}) does not match git tag (${git_version}). Bump package.json before tagging."
+            exit 1
+          fi
+          echo "package.json and git tag both at ${pkg_version}"
+
+      - name: Publish to npm
+        run: |
+          set -euo pipefail
+          npm publish \
+            --provenance \
+            --access public \
+            --tag "${{ steps.disttag.outputs.disttag }}"
+
+  github-release:
+    name: Create GitHub Release
+    needs: publish-npm
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v5
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Pack tarball
+        run: npm pack
+
+      - name: Create GitHub Release (stable)
+        if: needs.publish-npm.outputs.is_prerelease == 'false'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          gh release create "${GITHUB_REF_NAME}" \
+            ./intelmesh-sdk-*.tgz \
+            --title "${GITHUB_REF_NAME}" \
+            --generate-notes
+
+      - name: Create GitHub Release (prerelease)
+        if: needs.publish-npm.outputs.is_prerelease == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          gh release create "${GITHUB_REF_NAME}" \
+            ./intelmesh-sdk-*.tgz \
+            --title "${GITHUB_REF_NAME}" \
+            --generate-notes \
+            --prerelease

package/.husky/commit-msg

@@ -0,0 +1 @@
+npx --no-install commitlint --edit "$1"

package/.husky/pre-commit

@@ -0,0 +1,2 @@
+npx lint-staged
+npx vitest run

package/.prettierrc

@@ -0,0 +1,8 @@
+{
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "all",
+  "printWidth": 100,
+  "tabWidth": 2,
+  "arrowParens": "always"
+}

package/CLAUDE.md

@@ -0,0 +1,37 @@
+# @intelmesh/sdk — Development Guidelines
+
+## Overview
+Official Node.js client for the IntelMesh Risk Intelligence Engine API. Wraps REST endpoints with typed methods, cursor-based pagination, and structured errors. Zero runtime dependencies, uses native fetch (Node 20+).
+
+## Code Conventions
+- TypeScript strict mode, zero `any`
+- JSDoc on ALL exported symbols
+- Explicit return types on all functions
+- `readonly` on interface properties where possible
+- Max 50 lines per function, max complexity 10
+- One responsibility per file
+
+## Architecture
+- `src/types.ts` — All API types (mirrors swagger definitions)
+- `src/client/http.ts` — Base HTTP client (fetch wrapper, auth, JSON parsing)
+- `src/client/errors.ts` — Typed error hierarchy with status code mapping
+- `src/client/pagination.ts` — Async cursor iterator for paginated endpoints
+- `src/client/intelmesh.ts` — Main IntelMesh class (facade)
+- `src/resources/*.ts` — One file per API resource (events, rules, phases, etc.)
+- `src/builders/*.ts` — Fluent builders for events and rules
+- `src/generated/types.ts` — Auto-generated from swagger.json (do not edit)
+
+## Testing
+- Vitest, run with `npm test`
+- Tests in `tests/` mirror `src/` structure
+- No network calls in tests — mock fetch
+
+## Commands
+- `npm run build` — Build with tsup
+- `npm run lint` — ESLint check
+- `npm run test` — Vitest run
+- `npm run generate` — Regenerate types from swagger.json
+- `npm run typecheck` — tsc --noEmit
+
+## Key Principle
+This SDK has ZERO runtime dependencies. It uses native fetch, native URL, and native AbortController. The only dependencies are devDependencies for build, lint, and test tooling.

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Intelmesh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/commitlint.config.cjs

@@ -0,0 +1,3 @@
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+};