@trustgateai/sdk 1.0.0 → 1.1.0

package/src/client.ts

@@ -1,125 +1,141 @@
-import type { TrustGateConfig, RequestOptions, WorkflowContext } from "./types.js";
-import { getWorkflowContextFromEnv, buildContextHeaders } from "./context.js";
-
-function resolveContext(config: TrustGateConfig, options?: RequestOptions): WorkflowContext {
-  return (
-    options?.workflowContext ??
-    config.workflowContext ??
-    getWorkflowContextFromEnv()
-  );
-}
-
-function mergeHeaders(
-  config: TrustGateConfig,
-  options?: RequestOptions,
-  context?: WorkflowContext
-): Record<string, string> {
-  const out: Record<string, string> = {
-    "content-type": "application/json",
-    ...config.headers,
-    ...options?.headers,
-  };
-  if (config.apiKey) {
-    out["authorization"] = `Bearer ${config.apiKey}`;
-    out["x-api-key"] = config.apiKey;
-  }
-  if (context) {
-    Object.assign(out, buildContextHeaders(context));
-  }
-  return out;
-}
-
-/**
- * TrustGate Node.js client. Forwards requests to the TrustGate gateway with
- * workflow context for Shadow AI detection and observability.
- *
- * Context is sent in lowercase headers (e.g. x-trustgate-source) and as JSON
- * in x-trustgate-source-tool for parity with the Python SDK. The `workflow_step`
- * field in context is the key used to generate Gantt chart bars in the
- * Agent Intelligence dashboard.
- */
-export class TrustGate {
-  private readonly config: TrustGateConfig;
-
-  constructor(config: TrustGateConfig) {
-    const baseUrl = config.baseUrl.replace(/\/$/, "");
-    this.config = { ...config, baseUrl };
-  }
-
-  /** Base URL of the TrustGate gateway. */
-  get baseUrl(): string {
-    return this.config.baseUrl;
-  }
-
-  /**
-   * Get the current effective workflow context (from config override or process.env).
-   * Never null; defaults to source "local_script" when no managed env is detected.
-   */
-  getWorkflowContext(options?: RequestOptions): WorkflowContext {
-    return resolveContext(this.config, options);
-  }
-
-  /**
-   * Perform a non-streaming JSON request through TrustGate.
-   */
-  async fetch(path: string, init: RequestInit = {}, options?: RequestOptions): Promise<Response> {
-    const context = resolveContext(this.config, options);
-    const url = path.startsWith("http") ? path : `${this.config.baseUrl}/${path.replace(/^\//, "")}`;
-    const headers = mergeHeaders(this.config, options, context);
-    const timeout = options?.timeout ?? 60_000;
-
-    const controller = new AbortController();
-    const id = setTimeout(() => controller.abort(), timeout);
-    try {
-      const res = await fetch(url, {
-        ...init,
-        headers: { ...headers, ...(init.headers as Record<string, string>) },
-        signal: init.signal ?? controller.signal,
-      });
-      return res;
-    } finally {
-      clearTimeout(id);
-    }
-  }
-
-  /**
-   * Perform a streaming request (SSE). Forwards the response stream and ensures
-   * workflow_id (and other context) is sent in the initial request so the
-   * background task is attributed correctly. Set Accept: text/event-stream
-   * when calling for SSE endpoints.
-   */
-  async fetchStream(
-    path: string,
-    init: RequestInit = {},
-    options?: RequestOptions
-  ): Promise<Response> {
-    const context = resolveContext(this.config, options);
-    const url = path.startsWith("http") ? path : `${this.config.baseUrl}/${path.replace(/^\//, "")}`;
-    const headers = mergeHeaders(this.config, options, context);
-    const mergedHeaders = {
-      accept: "text/event-stream",
-      ...headers,
-      ...(init.headers as Record<string, string>),
-    };
-
-    const res = await fetch(url, {
-      ...init,
-      headers: mergedHeaders,
-      signal: init.signal,
-    });
-
-    if (!res.ok || !res.body) {
-      return res;
-    }
-
-    if (!res.headers.get("content-type")?.includes("text/event-stream")) {
-      return res;
-    }
-
-    return new Response(res.body, {
-      status: res.status,
-      statusText: res.statusText,
-      headers: res.headers,
-    });
-  }
-}
+import type { TrustGateConfig, RequestOptions, WorkflowContext, Provider } from "./types.js";
+import { getWorkflowContextFromEnv, buildContextHeaders } from "./context.js";
+
+function resolveContext(config: TrustGateConfig, options?: RequestOptions): WorkflowContext {
+  return (
+    options?.workflowContext ??
+    config.workflowContext ??
+    getWorkflowContextFromEnv()
+  );
+}
+
+function authHeadersForProvider(apiKey: string, provider: Provider | undefined): Record<string, string> {
+  switch (provider) {
+    case "anthropic":
+    case "google":
+      return { "x-api-key": apiKey };
+    case "openai":
+    default:
+      return {
+        authorization: `Bearer ${apiKey}`,
+        "x-api-key": apiKey,
+      };
+  }
+}
+
+function mergeHeaders(
+  config: TrustGateConfig,
+  options?: RequestOptions,
+  context?: WorkflowContext
+): Record<string, string> {
+  const out: Record<string, string> = {
+    "content-type": "application/json",
+    ...config.headers,
+    ...options?.headers,
+  };
+  if (config.apiKey) {
+    const provider = options?.provider ?? config.provider;
+    Object.assign(out, authHeadersForProvider(config.apiKey, provider));
+  }
+  if (context) {
+    Object.assign(out, buildContextHeaders(context));
+  }
+  return out;
+}
+
+/**
+ * TrustGate Node.js client. Forwards requests to the TrustGate gateway with
+ * workflow context for Shadow AI detection and observability.
+ *
+ * Context is sent in lowercase headers (e.g. x-trustgate-source) and as JSON
+ * in x-trustgate-source-tool for parity with the Python SDK. The `workflow_step`
+ * field in context is the key used to generate Gantt chart bars in the
+ * Agent Intelligence dashboard.
+ */
+export class TrustGate {
+  private readonly config: TrustGateConfig;
+
+  constructor(config: TrustGateConfig) {
+    const baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.config = { ...config, baseUrl };
+  }
+
+  /** Base URL of the TrustGate gateway. */
+  get baseUrl(): string {
+    return this.config.baseUrl;
+  }
+
+  /**
+   * Get the current effective workflow context (from config override or process.env).
+   * Never null; defaults to source "local_script" when no managed env is detected.
+   */
+  getWorkflowContext(options?: RequestOptions): WorkflowContext {
+    return resolveContext(this.config, options);
+  }
+
+  /**
+   * Perform a non-streaming JSON request through TrustGate.
+   * @param options.provider - Optional provider for this request ('openai' | 'anthropic' | 'google');
+   *   controls auth header format (e.g. x-api-key only for anthropic/google).
+   */
+  async fetch(path: string, init: RequestInit = {}, options?: RequestOptions): Promise<Response> {
+    const context = resolveContext(this.config, options);
+    const url = path.startsWith("http") ? path : `${this.config.baseUrl}/${path.replace(/^\//, "")}`;
+    const headers = mergeHeaders(this.config, options, context);
+    const timeout = options?.timeout ?? 60_000;
+
+    const controller = new AbortController();
+    const id = setTimeout(() => controller.abort(), timeout);
+    try {
+      const res = await fetch(url, {
+        ...init,
+        headers: { ...headers, ...(init.headers as Record<string, string>) },
+        signal: init.signal ?? controller.signal,
+      });
+      return res;
+    } finally {
+      clearTimeout(id);
+    }
+  }
+
+  /**
+   * Perform a streaming request (SSE). Forwards the response stream and ensures
+   * workflow_id (and other context) is sent in the initial request so the
+   * background task is attributed correctly. Set Accept: text/event-stream
+   * when calling for SSE endpoints.
+   */
+  async fetchStream(
+    path: string,
+    init: RequestInit = {},
+    options?: RequestOptions
+  ): Promise<Response> {
+    const context = resolveContext(this.config, options);
+    const url = path.startsWith("http") ? path : `${this.config.baseUrl}/${path.replace(/^\//, "")}`;
+    const headers = mergeHeaders(this.config, options, context);
+    const mergedHeaders = {
+      accept: "text/event-stream",
+      ...headers,
+      ...(init.headers as Record<string, string>),
+    };
+
+    const res = await fetch(url, {
+      ...init,
+      headers: mergedHeaders,
+      signal: init.signal,
+    });
+
+    if (!res.ok || !res.body) {
+      return res;
+    }
+
+    if (!res.headers.get("content-type")?.includes("text/event-stream")) {
+      return res;
+    }
+
+    return new Response(res.body, {
+      status: res.status,
+      statusText: res.statusText,
+      headers: res.headers,
+    });
+  }
+}

package/src/context.ts

@@ -1,132 +1,132 @@
-import type { WorkflowContext, RuntimeMetadata } from "./types.js";
-import { SDK_VERSION } from "./version.js";
-
-/** Lowercase header prefix for proxy/gateway parity with Python SDK. */
-export const HEADER_PREFIX = "x-trustgate";
-/** Header carrying the full context JSON (structurally identical to Python SDK). */
-export const SOURCE_TOOL_HEADER = "x-trustgate-source-tool";
-
-/** Env keys we check for workflow/source metadata (Shadow AI context). */
-const N8N_KEYS = [
-  "N8N_WORKFLOW_ID",
-  "N8N_EXECUTION_ID",
-  "N8N_WORKFLOW_NAME",
-  "N8N_EXECUTION_MODE",
-] as const;
-
-const VERCEL_KEYS = [
-  "VERCEL",
-  "VERCEL_ENV",
-  "VERCEL_URL",
-  "VERCEL_GIT_COMMIT_REF",
-  "VERCEL_GIT_REPO_ID",
-  "VERCEL_GIT_COMMIT_SHA",
-] as const;
-
-const GITHUB_KEYS = [
-  "GITHUB_ACTION",
-  "GITHUB_ACTIONS",
-  "GITHUB_WORKFLOW",
-  "GITHUB_RUN_ID",
-  "GITHUB_RUN_NUMBER",
-  "GITHUB_REPOSITORY",
-  "GITHUB_SHA",
-] as const;
-
-function pickEnv(keys: readonly string[]): Record<string, string> {
-  const out: Record<string, string> = {};
-  for (const key of keys) {
-    const v = process.env[key];
-    if (v !== undefined && v !== "") out[key] = v;
-  }
-  return out;
-}
-
-/** Base runtime metadata (sdk_version, node_version, os, arch) for Python parity. */
-function getBaseMetadata(): RuntimeMetadata {
-  return {
-    sdk_version: SDK_VERSION,
-    node_version: process.version,
-    os: process.platform,
-    arch: process.arch,
-  };
-}
-
-/**
- * Searches process.env for workflow metadata from n8n, Vercel, or GitHub.
- * If no managed environment is detected, returns context with source "local_script"
- * so local developer usage is correctly tagged as Shadow AI in the dashboard.
- * Never returns null.
- */
-export function getWorkflowContextFromEnv(): WorkflowContext {
-  const baseMeta = getBaseMetadata();
-
-  const n8n = pickEnv(N8N_KEYS as unknown as string[]);
-  if (Object.keys(n8n).length > 0) {
-    return {
-      source: "n8n",
-      workflow_id: n8n.N8N_WORKFLOW_ID,
-      execution_id: n8n.N8N_EXECUTION_ID,
-      metadata: { ...baseMeta, ...n8n },
-    };
-  }
-
-  const vercel = pickEnv(VERCEL_KEYS as unknown as string[]);
-  if (Object.keys(vercel).length > 0) {
-    return {
-      source: "vercel",
-      workflow_id: vercel.VERCEL_GIT_REPO_ID || vercel.VERCEL_URL,
-      execution_id: vercel.VERCEL_GIT_COMMIT_SHA,
-      metadata: { ...baseMeta, ...vercel },
-    };
-  }
-
-  const github = pickEnv(GITHUB_KEYS as unknown as string[]);
-  if (Object.keys(github).length > 0) {
-    return {
-      source: "github",
-      workflow_id: github.GITHUB_WORKFLOW || github.GITHUB_REPOSITORY,
-      execution_id: github.GITHUB_RUN_ID || github.GITHUB_RUN_NUMBER,
-      metadata: { ...baseMeta, ...github },
-    };
-  }
-
-  return {
-    source: "local_script",
-    metadata: baseMeta,
-  };
-}
-
-/**
- * JSON payload for x-trustgate-source-tool header (structurally identical to Python SDK).
- */
-export function buildSourceToolJson(ctx: WorkflowContext): string {
-  const meta = ctx.metadata ?? getBaseMetadata();
-  const payload: Record<string, unknown> = {
-    source: ctx.source,
-    metadata: meta,
-  };
-  if (ctx.workflow_id !== undefined) payload.workflow_id = ctx.workflow_id;
-  if (ctx.execution_id !== undefined) payload.execution_id = ctx.execution_id;
-  if (ctx.workflow_step !== undefined) payload.workflow_step = ctx.workflow_step;
-  return JSON.stringify(payload);
-}
-
-/**
- * Builds lowercase TrustGate context headers plus x-trustgate-source-tool JSON.
- * Use for proxy/gateway parity and Python SDK contract.
- */
-export function buildContextHeaders(ctx: WorkflowContext): Record<string, string> {
-  const meta = ctx.metadata ?? getBaseMetadata();
-  const h: Record<string, string> = {
-    [SOURCE_TOOL_HEADER]: buildSourceToolJson({ ...ctx, metadata: meta }),
-    [`${HEADER_PREFIX}-source`]: ctx.source,
-  };
-  if (ctx.workflow_id) h[`${HEADER_PREFIX}-workflow-id`] = ctx.workflow_id;
-  if (ctx.execution_id) h[`${HEADER_PREFIX}-execution-id`] = ctx.execution_id;
-  if (ctx.workflow_step) h[`${HEADER_PREFIX}-workflow-step`] = ctx.workflow_step;
-  for (const [k, v] of Object.entries(meta)) {
-    if (v) h[`${HEADER_PREFIX}-meta-${k.toLowerCase()}`] = String(v);
-  }
-  return h;
-}
+import type { WorkflowContext, RuntimeMetadata } from "./types.js";
+import { SDK_VERSION } from "./version.js";
+
+/** Lowercase header prefix for proxy/gateway parity with Python SDK. */
+export const HEADER_PREFIX = "x-trustgate";
+/** Header carrying the full context JSON (structurally identical to Python SDK). */
+export const SOURCE_TOOL_HEADER = "x-trustgate-source-tool";
+
+/** Env keys we check for workflow/source metadata (Shadow AI context). */
+const N8N_KEYS = [
+  "N8N_WORKFLOW_ID",
+  "N8N_EXECUTION_ID",
+  "N8N_WORKFLOW_NAME",
+  "N8N_EXECUTION_MODE",
+] as const;
+
+const VERCEL_KEYS = [
+  "VERCEL",
+  "VERCEL_ENV",
+  "VERCEL_URL",
+  "VERCEL_GIT_COMMIT_REF",
+  "VERCEL_GIT_REPO_ID",
+  "VERCEL_GIT_COMMIT_SHA",
+] as const;
+
+const GITHUB_KEYS = [
+  "GITHUB_ACTION",
+  "GITHUB_ACTIONS",
+  "GITHUB_WORKFLOW",
+  "GITHUB_RUN_ID",
+  "GITHUB_RUN_NUMBER",
+  "GITHUB_REPOSITORY",
+  "GITHUB_SHA",
+] as const;
+
+function pickEnv(keys: readonly string[]): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const key of keys) {
+    const v = process.env[key];
+    if (v !== undefined && v !== "") out[key] = v;
+  }
+  return out;
+}
+
+/** Base runtime metadata (sdk_version, node_version, os, arch) for Python parity. */
+function getBaseMetadata(): RuntimeMetadata {
+  return {
+    sdk_version: SDK_VERSION,
+    node_version: process.version,
+    os: process.platform,
+    arch: process.arch,
+  };
+}
+
+/**
+ * Searches process.env for workflow metadata from n8n, Vercel, or GitHub.
+ * If no managed environment is detected, returns context with source "local_script"
+ * so local developer usage is correctly tagged as Shadow AI in the dashboard.
+ * Never returns null.
+ */
+export function getWorkflowContextFromEnv(): WorkflowContext {
+  const baseMeta = getBaseMetadata();
+
+  const n8n = pickEnv(N8N_KEYS as unknown as string[]);
+  if (Object.keys(n8n).length > 0) {
+    return {
+      source: "n8n",
+      workflow_id: n8n.N8N_WORKFLOW_ID,
+      execution_id: n8n.N8N_EXECUTION_ID,
+      metadata: { ...baseMeta, ...n8n },
+    };
+  }
+
+  const vercel = pickEnv(VERCEL_KEYS as unknown as string[]);
+  if (Object.keys(vercel).length > 0) {
+    return {
+      source: "vercel",
+      workflow_id: vercel.VERCEL_GIT_REPO_ID || vercel.VERCEL_URL,
+      execution_id: vercel.VERCEL_GIT_COMMIT_SHA,
+      metadata: { ...baseMeta, ...vercel },
+    };
+  }
+
+  const github = pickEnv(GITHUB_KEYS as unknown as string[]);
+  if (Object.keys(github).length > 0) {
+    return {
+      source: "github",
+      workflow_id: github.GITHUB_WORKFLOW || github.GITHUB_REPOSITORY,
+      execution_id: github.GITHUB_RUN_ID || github.GITHUB_RUN_NUMBER,
+      metadata: { ...baseMeta, ...github },
+    };
+  }
+
+  return {
+    source: "local_script",
+    metadata: baseMeta,
+  };
+}
+
+/**
+ * JSON payload for x-trustgate-source-tool header (structurally identical to Python SDK).
+ */
+export function buildSourceToolJson(ctx: WorkflowContext): string {
+  const meta = ctx.metadata ?? getBaseMetadata();
+  const payload: Record<string, unknown> = {
+    source: ctx.source,
+    metadata: meta,
+  };
+  if (ctx.workflow_id !== undefined) payload.workflow_id = ctx.workflow_id;
+  if (ctx.execution_id !== undefined) payload.execution_id = ctx.execution_id;
+  if (ctx.workflow_step !== undefined) payload.workflow_step = ctx.workflow_step;
+  return JSON.stringify(payload);
+}
+
+/**
+ * Builds lowercase TrustGate context headers plus x-trustgate-source-tool JSON.
+ * Use for proxy/gateway parity and Python SDK contract.
+ */
+export function buildContextHeaders(ctx: WorkflowContext): Record<string, string> {
+  const meta = ctx.metadata ?? getBaseMetadata();
+  const h: Record<string, string> = {
+    [SOURCE_TOOL_HEADER]: buildSourceToolJson({ ...ctx, metadata: meta }),
+    [`${HEADER_PREFIX}-source`]: ctx.source,
+  };
+  if (ctx.workflow_id) h[`${HEADER_PREFIX}-workflow-id`] = ctx.workflow_id;
+  if (ctx.execution_id) h[`${HEADER_PREFIX}-execution-id`] = ctx.execution_id;
+  if (ctx.workflow_step) h[`${HEADER_PREFIX}-workflow-step`] = ctx.workflow_step;
+  for (const [k, v] of Object.entries(meta)) {
+    if (v) h[`${HEADER_PREFIX}-meta-${k.toLowerCase()}`] = String(v);
+  }
+  return h;
+}

package/src/index.ts

@@ -1,31 +1,41 @@
-/**
- * TrustGate Node.js SDK
- *
- * Provides a TypeScript client, workflow context from n8n/Vercel/GitHub env vars,
- * middleware for Vercel AI SDK and LangChain, n8n header snippet helper, and
- * SSE streaming with workflow_id preserved for Shadow AI detection.
- */
-
-export { TrustGate } from "./client.js";
-export {
-  getWorkflowContextFromEnv,
-  buildContextHeaders,
-  buildSourceToolJson,
-  HEADER_PREFIX,
-  SOURCE_TOOL_HEADER,
-} from "./context.js";
-export { getN8nHeaderSnippet } from "./n8n.js";
-export {
-  getTrustGateHeaders,
-  createTrustGateOpenAIOptions,
-  type TrustGateOpenAIOptions,
-} from "./middleware/vercel-ai.js";
-export { createTrustGateLangChainConfig } from "./middleware/langchain.js";
-
-export type {
-  WorkflowContext,
-  RuntimeMetadata,
-  TrustGateConfig,
-  RequestOptions,
-  N8nHeaderSnippet,
-} from "./types.js";
+/**
+ * TrustGate Node.js SDK
+ *
+ * Provides a TypeScript client, workflow context from n8n/Vercel/GitHub env vars,
+ * middleware for Vercel AI SDK and LangChain, n8n header snippet helper, and
+ * SSE streaming with workflow_id preserved for Shadow AI detection.
+ */
+
+export { TrustGate } from "./client.js";
+export {
+  getWorkflowContextFromEnv,
+  buildContextHeaders,
+  buildSourceToolJson,
+  HEADER_PREFIX,
+  SOURCE_TOOL_HEADER,
+} from "./context.js";
+export { getN8nHeaderSnippet } from "./n8n.js";
+export {
+  getTrustGateHeaders,
+  createTrustGateOpenAIOptions,
+  type TrustGateOpenAIOptions,
+} from "./middleware/vercel-ai.js";
+export { createTrustGateLangChainConfig } from "./middleware/langchain.js";
+
+export {
+  getAnthropicHeaders,
+  createTrustGateAnthropicConfig,
+} from "./middleware/anthropic.js";
+export {
+  getGeminiHeaders,
+  createTrustGateGeminiConfig,
+} from "./middleware/google.js";
+
+export type {
+  WorkflowContext,
+  RuntimeMetadata,
+  TrustGateConfig,
+  RequestOptions,
+  N8nHeaderSnippet,
+  Provider,
+} from "./types.js";

package/src/middleware/anthropic.ts

@@ -0,0 +1,56 @@
+/**
+ * Anthropic middleware: use TrustGate as the base URL for @anthropic-ai/sdk.
+ *
+ * Pass the returned config to the Anthropic client so all requests go through
+ * TrustGate with workflow context and x-api-key for Shadow AI detection.
+ *
+ * Example:
+ *
+ *   import Anthropic from '@anthropic-ai/sdk';
+ *   import { createTrustGateAnthropicConfig } from '@trustgateai/sdk/middleware/anthropic';
+ *
+ *   const config = createTrustGateAnthropicConfig({
+ *     baseUrl: process.env.TRUSTGATE_BASE_URL!,
+ *     apiKey: process.env.TRUSTGATE_API_KEY,
+ *   });
+ *
+ *   const anthropic = new Anthropic(config);
+ *   const message = await anthropic.messages.create({ model: 'claude-3-5-sonnet-20241022', ... });
+ */
+
+import type { TrustGateConfig } from "../types.js";
+import { getWorkflowContextFromEnv, buildContextHeaders } from "../context.js";
+
+/**
+ * Returns headers compatible with @anthropic-ai/sdk. Uses x-api-key only (no
+ * Authorization header). Use with defaultHeaders or when building requests manually.
+ */
+export function getAnthropicHeaders(config: TrustGateConfig): Record<string, string> {
+  const ctx = config.workflowContext ?? getWorkflowContextFromEnv();
+  const headers: Record<string, string> = {
+    ...config.headers,
+    ...buildContextHeaders(ctx),
+  };
+  if (config.apiKey) {
+    headers["x-api-key"] = config.apiKey;
+  }
+  return headers;
+}
+
+/**
+ * Returns a config object for the Anthropic SDK (baseURL, apiKey, defaultHeaders).
+ * Injects TrustGate context headers and x-api-key so requests go through the gateway.
+ */
+export function createTrustGateAnthropicConfig(config: TrustGateConfig): {
+  baseURL: string;
+  apiKey: string | null;
+  defaultHeaders?: Record<string, string>;
+} {
+  const baseURL = config.baseUrl.replace(/\/$/, "");
+  const headers = getAnthropicHeaders(config);
+  return {
+    baseURL,
+    apiKey: config.apiKey ?? null,
+    defaultHeaders: Object.keys(headers).length ? headers : undefined,
+  };
+}