@premai/api-sdk 1.0.47 → 1.0.49

package/README.md

@@ -37,6 +37,7 @@ Environment Variables:
 * JSON_BODY_LIMIT (optional, default: `32mb`)
 * HOST (optional)
 * PORT (optional)
+* CONFIDENTIAL_PROXY_LOG_LEVEL (optional: `error`, `warn`, `info`, `http`, `verbose`, `debug`, `silly`; default: `info`)
 
 Run as a standalone server with automatic DEK store management per API key:
 
@@ -55,8 +56,21 @@ bun i -g @premai/api-sdk
 # Server runs on http://127.0.0.1:8000
 ```
 
+### CLI Commands
+
+The `confidential-proxy` CLI provides four commands:
+
+| Command | Description |
+|---------|-------------|
+| `confidential-proxy` (default) | Run the server in the foreground (attached to the terminal) |
+| `confidential-proxy start` | Start the server as a background daemon |
+| `confidential-proxy stop` | Gracefully stop the running daemon |
+| `confidential-proxy status` | Check if the daemon is running and reachable |
+
 ### CLI Options
 
+All commands accept the same server options:
+
 ```bash
 # Basic usage
 confidential-proxy --host 127.0.0.1 --port 8000
@@ -78,8 +92,34 @@ confidential-proxy --kek your-kek
 
 # JSON body size limit
 confidential-proxy --json-body-limit 64mb
+
+# Daemon-specific options (start/stop/status)
+confidential-proxy start --pid-file /path/to/pid --log-file /path/to/logs
+confidential-proxy start --shutdown-timeout 60000 --log-level debug
+confidential-proxy stop --pid-file /path/to/pid
+confidential-proxy status --host 127.0.0.1 --port 8787
 ```
 
+#### Daemon Lifecycle
+
+The `start` command runs the proxy in the background:
+
+1. Checks for an existing PID file and ensures no duplicate process is running
+2. Spawns itself as a child process with logs directed to a configurable log file
+3. Writes a PID file and polls the HTTP endpoint until the server is reachable
+4. Exits cleanly, leaving the child process running as a daemon
+
+The `stop` command sends SIGTERM and waits up to 5 seconds for graceful shutdown. If the process does not exit, it escalates to SIGKILL and cleans up the PID file. The `status` command checks both process liveness and HTTP reachability.
+
+**Daemon options:**
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `--pid-file` | `<data-dir>/proxy.pid` | Custom PID file path |
+| `--log-file` | stdout/stderr | File to write daemon logs (when using `start`) |
+| `--log-level` | `info` | Log verbosity (`error`, `warn`, `info`, `http`, `verbose`, `debug`, `silly`) |
+| `--shutdown-timeout` | `30000` | Max ms to wait for in-flight requests during graceful shutdown |
+
 ### Compatibility Modes
 
 The server supports three compatibility modes via `--compat`:
@@ -190,11 +230,12 @@ confidential-claude
 The launcher:
 
 1. Reads `.env` from application directory or environment variables (prompts interactively if missing)
-2. Spawns an encrypted proxy subprocess in Anthropic-only mode
-3. Fetches the available model list and lets you pick one
-4. Launches `claude` wired to the confidential gateway
+2. Checks if a proxy is already running at the configured host/port; reuses it if available
+3. If no running proxy is found, spawns one as a child subprocess in Anthropic-only mode (port 8787)
+4. Fetches the available model list and lets you pick one
+5. Launches `claude` wired to the confidential gateway
 
-All traffic remains end-to-end encrypted. The proxy subprocess is cleaned up when Claude Code exits.
+All traffic remains end-to-end encrypted. The proxy subprocess persists after Claude Code exits — use `confidential-proxy stop` to clean it up or `confidential-proxy start` to pre-start it before launching.
 
 Any extra arguments are forwarded to `claude` directly:
 
@@ -213,9 +254,14 @@ To use `confidential-proxy` as a custom provider in [Hermes](https://hermes-agen
 **1. Start `confidential-proxy` in the background**
 
 ```bash
-confidential-proxy --compat openai &
-# or with npx/bunx without a global install:
-bunx -p @premai/api-sdk confidential-proxy --compat openai &
+# Daemon mode (runs in background, keeps a PID file)
+confidential-proxy start --compat openai
+
+# Check it's running
+confidential-proxy status
+
+# Or with npx/bunx without a global install:
+bunx -p @premai/api-sdk confidential-proxy start --compat openai
 ```
 
 The proxy listens on `http://localhost:8000` by default.
@@ -251,6 +297,10 @@ Hermes will now route requests through the encrypted proxy at `localhost:8000`.
 - RAG Support - Encrypted document retrieval with persistent RAG DEK
 - Attestation - Enclave attestation is always enabled for security
 - TypeScript - Full type safety
+- Daemon Mode - Run as a background service with PID file lifecycle management
+- Structured Logging - Request/response logging with configurable log levels (winston)
+- Graceful Shutdown - Drain in-flight requests before stopping (configurable timeout)
+- CLI Lifecycle - `start`, `stop`, `status` commands for managing the proxy daemon
 
 ## Chat Completions
 

package/dist/anthropic/from-openai.d.ts

@@ -14,7 +14,14 @@ export type AnthropicToolUseContentBlock = {
     name: string;
     input: unknown;
 };
-export type AnthropicAssistantContentBlock = AnthropicTextContentBlock | AnthropicToolUseContentBlock;
+export type AnthropicAssistantContentBlock = AnthropicTextContentBlock | AnthropicToolUseContentBlock | {
+    type: "thinking";
+    thinking: string;
+    signature: string;
+} | {
+    type: "redacted_thinking";
+    data: string;
+};
 export type AnthropicMessagePayload = {
     id: string;
     type: "message";

package/dist/bare.cjs

@@ -5507,7 +5507,10 @@ function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_RE
     const controller = new AbortController;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
     try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const sessionId = await attest(apiKey, {
+        model: body.model,
+        enabled: attest2
+      });
       const encryptedRequest = await preprocessAudioRequest(body, encryptionKeys);
       const response = await fetch(`${endpoints.proxy}/rvenc/audio/transcriptions`, {
         method: "POST",
@@ -5539,7 +5542,10 @@ function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_RE
     const controller = new AbortController;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
     try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const sessionId = await attest(apiKey, {
+        model: body.model,
+        enabled: attest2
+      });
       const encryptedRequest = await preprocessAudioTranslationRequest(body, encryptionKeys);
       const response = await fetch(`${endpoints.proxy}/rvenc/audio/translations`, {
         method: "POST",
@@ -25491,7 +25497,10 @@ function createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAUL
     const controller = new AbortController;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
     try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const sessionId = await attest(apiKey, {
+        model: body.model,
+        enabled: attest2
+      });
       const encryptedRequest = preprocessRequest(body, encryptionKeys);
       const response = await fetch(`${endpoints.proxy}/rvenc/chat/completions`, {
         method: "POST",
@@ -25612,7 +25621,11 @@ async function* createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxB
 }
 
 // src/tools/index.ts
-var FILE_OUTPUT_TOOLS = ["generateImage", "audioGenerateFromText", "createFileForUser"];
+var FILE_OUTPUT_TOOLS = [
+  "generateImage",
+  "audioGenerateFromText",
+  "createFileForUser"
+];
 var FILE_INPUT_TOOLS = [
   "imageDescribeAndCaption",
   "imageDescribeAndCaptionFallback",
@@ -25671,7 +25684,9 @@ async function downloadEncryptedFile(fileId, apiKey, timeoutMs) {
     if (!downloadUrl) {
       throw new Error("No download URL in response");
     }
-    const fileResponse = await fetch(downloadUrl, { signal: controller.signal });
+    const fileResponse = await fetch(downloadUrl, {
+      signal: controller.signal
+    });
     if (!fileResponse.ok) {
       throw new Error(`Failed to download file: ${fileResponse.status}`);
     }

package/dist/bare.mjs

@@ -5449,7 +5449,10 @@ function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_RE
     const controller = new AbortController;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
     try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const sessionId = await attest(apiKey, {
+        model: body.model,
+        enabled: attest2
+      });
       const encryptedRequest = await preprocessAudioRequest(body, encryptionKeys);
       const response = await fetch(`${endpoints.proxy}/rvenc/audio/transcriptions`, {
         method: "POST",
@@ -5481,7 +5484,10 @@ function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_RE
     const controller = new AbortController;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
     try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const sessionId = await attest(apiKey, {
+        model: body.model,
+        enabled: attest2
+      });
       const encryptedRequest = await preprocessAudioTranslationRequest(body, encryptionKeys);
       const response = await fetch(`${endpoints.proxy}/rvenc/audio/translations`, {
         method: "POST",
@@ -25433,7 +25439,10 @@ function createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAUL
     const controller = new AbortController;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
     try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const sessionId = await attest(apiKey, {
+        model: body.model,
+        enabled: attest2
+      });
       const encryptedRequest = preprocessRequest(body, encryptionKeys);
       const response = await fetch(`${endpoints.proxy}/rvenc/chat/completions`, {
         method: "POST",
@@ -25554,7 +25563,11 @@ async function* createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxB
 }
 
 // src/tools/index.ts
-var FILE_OUTPUT_TOOLS = ["generateImage", "audioGenerateFromText", "createFileForUser"];
+var FILE_OUTPUT_TOOLS = [
+  "generateImage",
+  "audioGenerateFromText",
+  "createFileForUser"
+];
 var FILE_INPUT_TOOLS = [
   "imageDescribeAndCaption",
   "imageDescribeAndCaptionFallback",
@@ -25613,7 +25626,9 @@ async function downloadEncryptedFile(fileId, apiKey, timeoutMs) {
     if (!downloadUrl) {
       throw new Error("No download URL in response");
     }
-    const fileResponse = await fetch(downloadUrl, { signal: controller.signal });
+    const fileResponse = await fetch(downloadUrl, {
+      signal: controller.signal
+    });
     if (!fileResponse.ok) {
       throw new Error(`Failed to download file: ${fileResponse.status}`);
     }