npm - @trustloopguard/sdk - Versions diffs - 0.0.1 - Mend

@trustloopguard/sdk 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/dist/client.d.ts +98 -0
package/dist/client.js +198 -0
package/dist/errors.d.ts +46 -0
package/dist/errors.js +187 -0
package/dist/generated/AgentAuthority.d.ts +4 -0
package/dist/generated/AgentAuthority.js +2 -0
package/dist/generated/AgentListResponse.d.ts +4 -0
package/dist/generated/AgentListResponse.js +1 -0
package/dist/generated/AgentProfile.d.ts +29 -0
package/dist/generated/AgentProfile.js +1 -0
package/dist/generated/AgentScope.d.ts +4 -0
package/dist/generated/AgentScope.js +2 -0
package/dist/generated/AgentTone.d.ts +4 -0
package/dist/generated/AgentTone.js +2 -0
package/dist/generated/ApiError.d.ts +25 -0
package/dist/generated/ApiError.js +1 -0
package/dist/generated/ApiErrorCode.d.ts +6 -0
package/dist/generated/ApiErrorCode.js +2 -0
package/dist/generated/ApiKeyBatchRevokeRequest.d.ts +3 -0
package/dist/generated/ApiKeyBatchRevokeRequest.js +2 -0
package/dist/generated/ApiKeyBatchRevokeResponse.d.ts +4 -0
package/dist/generated/ApiKeyBatchRevokeResponse.js +1 -0
package/dist/generated/ApiKeyListResponse.d.ts +4 -0
package/dist/generated/ApiKeyListResponse.js +1 -0
package/dist/generated/AuthRequest.d.ts +15 -0
package/dist/generated/AuthRequest.js +2 -0
package/dist/generated/AuthResponse.d.ts +16 -0
package/dist/generated/AuthResponse.js +2 -0
package/dist/generated/ChangePasswordRequest.d.ts +15 -0
package/dist/generated/ChangePasswordRequest.js +2 -0
package/dist/generated/Channel.d.ts +8 -0
package/dist/generated/Channel.js +2 -0
package/dist/generated/CheckRequest.d.ts +21 -0
package/dist/generated/CheckRequest.js +1 -0
package/dist/generated/CreateApiKeyRequest.d.ts +3 -0
package/dist/generated/CreateApiKeyRequest.js +2 -0
package/dist/generated/CreateApiKeyResponse.d.ts +8 -0
package/dist/generated/CreateApiKeyResponse.js +1 -0
package/dist/generated/CreateInviteRequest.d.ts +8 -0
package/dist/generated/CreateInviteRequest.js +1 -0
package/dist/generated/CreateInviteResponse.d.ts +18 -0
package/dist/generated/CreateInviteResponse.js +1 -0
package/dist/generated/CreateKnowledgeSourceRequest.d.ts +9 -0
package/dist/generated/CreateKnowledgeSourceRequest.js +1 -0
package/dist/generated/CreateRunEventRequest.d.ts +13 -0
package/dist/generated/CreateRunEventRequest.js +1 -0
package/dist/generated/CreateRunRequest.d.ts +9 -0
package/dist/generated/CreateRunRequest.js +1 -0
package/dist/generated/CreateWorkspaceRequest.d.ts +7 -0
package/dist/generated/CreateWorkspaceRequest.js +2 -0
package/dist/generated/DashboardApiKey.d.ts +15 -0
package/dist/generated/DashboardApiKey.js +2 -0
package/dist/generated/DashboardKnowledgeSourceKind.d.ts +1 -0
package/dist/generated/DashboardKnowledgeSourceKind.js +2 -0
package/dist/generated/Decision.d.ts +17 -0
package/dist/generated/Decision.js +1 -0
package/dist/generated/GuardrailGenerateResponse.d.ts +11 -0
package/dist/generated/GuardrailGenerateResponse.js +1 -0
package/dist/generated/GuardrailListResponse.d.ts +7 -0
package/dist/generated/GuardrailListResponse.js +1 -0
package/dist/generated/InviteListResponse.d.ts +4 -0
package/dist/generated/InviteListResponse.js +1 -0
package/dist/generated/InviteStatus.d.ts +4 -0
package/dist/generated/InviteStatus.js +2 -0
package/dist/generated/KnowledgeFileInput.d.ts +5 -0
package/dist/generated/KnowledgeFileInput.js +2 -0
package/dist/generated/KnowledgeFileMetadata.d.ts +6 -0
package/dist/generated/KnowledgeFileMetadata.js +2 -0
package/dist/generated/KnowledgeSource.d.ts +7 -0
package/dist/generated/KnowledgeSource.js +1 -0
package/dist/generated/KnowledgeSourceDocument.d.ts +22 -0
package/dist/generated/KnowledgeSourceDocument.js +1 -0
package/dist/generated/KnowledgeSourceFileResponse.d.ts +6 -0
package/dist/generated/KnowledgeSourceFileResponse.js +2 -0
package/dist/generated/KnowledgeSourceKind.d.ts +1 -0
package/dist/generated/KnowledgeSourceKind.js +2 -0
package/dist/generated/KnowledgeSourceListResponse.d.ts +4 -0
package/dist/generated/KnowledgeSourceListResponse.js +1 -0
package/dist/generated/KnowledgeSourceStatus.d.ts +1 -0
package/dist/generated/KnowledgeSourceStatus.js +2 -0
package/dist/generated/MemberListResponse.d.ts +4 -0
package/dist/generated/MemberListResponse.js +1 -0
package/dist/generated/MyWorkspace.d.ts +12 -0
package/dist/generated/MyWorkspace.js +1 -0
package/dist/generated/MyWorkspacesResponse.d.ts +4 -0
package/dist/generated/MyWorkspacesResponse.js +1 -0
package/dist/generated/PolicyAction.d.ts +4 -0
package/dist/generated/PolicyAction.js +2 -0
package/dist/generated/PolicyBatchSetEnabledRequest.d.ts +4 -0
package/dist/generated/PolicyBatchSetEnabledRequest.js +2 -0
package/dist/generated/PolicyBatchSetEnabledResponse.d.ts +4 -0
package/dist/generated/PolicyBatchSetEnabledResponse.js +1 -0
package/dist/generated/PolicyDocument.d.ts +8 -0
package/dist/generated/PolicyDocument.js +1 -0
package/dist/generated/PolicyDraft.d.ts +17 -0
package/dist/generated/PolicyDraft.js +1 -0
package/dist/generated/PolicyDraftRequest.d.ts +6 -0
package/dist/generated/PolicyDraftRequest.js +2 -0
package/dist/generated/PolicyDraftResponse.d.ts +4 -0
package/dist/generated/PolicyDraftResponse.js +1 -0
package/dist/generated/PolicyListResponse.d.ts +4 -0
package/dist/generated/PolicyListResponse.js +1 -0
package/dist/generated/PolicyMatchType.d.ts +5 -0
package/dist/generated/PolicyMatchType.js +2 -0
package/dist/generated/PolicySetEnabledRequest.d.ts +3 -0
package/dist/generated/PolicySetEnabledRequest.js +2 -0
package/dist/generated/PolicySummary.d.ts +9 -0
package/dist/generated/PolicySummary.js +1 -0
package/dist/generated/PolicyValidateResponse.d.ts +6 -0
package/dist/generated/PolicyValidateResponse.js +1 -0
package/dist/generated/PolicyValidationIssue.d.ts +4 -0
package/dist/generated/PolicyValidationIssue.js +2 -0
package/dist/generated/RunDetail.d.ts +8 -0
package/dist/generated/RunDetail.js +1 -0
package/dist/generated/RunEventKind.d.ts +1 -0
package/dist/generated/RunEventKind.js +2 -0
package/dist/generated/RunEventListResponse.d.ts +4 -0
package/dist/generated/RunEventListResponse.js +1 -0
package/dist/generated/RunEventSummary.d.ts +20 -0
package/dist/generated/RunEventSummary.js +1 -0
package/dist/generated/RunKind.d.ts +1 -0
package/dist/generated/RunKind.js +2 -0
package/dist/generated/RunListResponse.d.ts +4 -0
package/dist/generated/RunListResponse.js +1 -0
package/dist/generated/RunStatus.d.ts +1 -0
package/dist/generated/RunStatus.js +2 -0
package/dist/generated/RunSummary.d.ts +32 -0
package/dist/generated/RunSummary.js +1 -0
package/dist/generated/Severity.d.ts +1 -0
package/dist/generated/Severity.js +2 -0
package/dist/generated/Tier.d.ts +4 -0
package/dist/generated/Tier.js +2 -0
package/dist/generated/TierResult.d.ts +12 -0
package/dist/generated/TierResult.js +1 -0
package/dist/generated/TierStatus.d.ts +4 -0
package/dist/generated/TierStatus.js +2 -0
package/dist/generated/TraceListResponse.d.ts +4 -0
package/dist/generated/TraceListResponse.js +1 -0
package/dist/generated/TraceSummary.d.ts +13 -0
package/dist/generated/TraceSummary.js +2 -0
package/dist/generated/TriggeredPolicy.d.ts +6 -0
package/dist/generated/TriggeredPolicy.js +1 -0
package/dist/generated/UpdateRunRequest.d.ts +10 -0
package/dist/generated/UpdateRunRequest.js +1 -0
package/dist/generated/Verdict.d.ts +4 -0
package/dist/generated/Verdict.js +2 -0
package/dist/generated/WorkspaceInvite.d.ts +20 -0
package/dist/generated/WorkspaceInvite.js +1 -0
package/dist/generated/WorkspaceMember.d.ts +13 -0
package/dist/generated/WorkspaceMember.js +1 -0
package/dist/generated/WorkspaceRole.d.ts +5 -0
package/dist/generated/WorkspaceRole.js +2 -0
package/dist/generated/WorkspaceSettings.d.ts +11 -0
package/dist/generated/WorkspaceSettings.js +2 -0
package/dist/guard.d.ts +193 -0
package/dist/guard.js +211 -0
package/dist/index.d.ts +64 -0
package/dist/index.js +64 -0
package/dist/retry.d.ts +18 -0
package/dist/retry.js +48 -0
package/package.json +39 -0
package/src/client.ts +453 -0
package/src/errors.ts +202 -0
package/src/generated/AgentAuthority.ts +3 -0
package/src/generated/AgentListResponse.ts +4 -0
package/src/generated/AgentProfile.ts +23 -0
package/src/generated/AgentScope.ts +3 -0
package/src/generated/AgentTone.ts +3 -0
package/src/generated/ApiError.ts +24 -0
package/src/generated/ApiErrorCode.ts +8 -0
package/src/generated/ApiKeyBatchRevokeRequest.ts +3 -0
package/src/generated/ApiKeyBatchRevokeResponse.ts +4 -0
package/src/generated/ApiKeyListResponse.ts +4 -0
package/src/generated/AuthRequest.ts +16 -0
package/src/generated/AuthResponse.ts +15 -0
package/src/generated/ChangePasswordRequest.ts +15 -0
package/src/generated/Channel.ts +10 -0
package/src/generated/CheckRequest.ts +11 -0
package/src/generated/CreateApiKeyRequest.ts +3 -0
package/src/generated/CreateApiKeyResponse.ts +8 -0
package/src/generated/CreateInviteRequest.ts +7 -0
package/src/generated/CreateInviteResponse.ts +14 -0
package/src/generated/CreateKnowledgeSourceRequest.ts +5 -0
package/src/generated/CreateRunEventRequest.ts +8 -0
package/src/generated/CreateRunRequest.ts +5 -0
package/src/generated/CreateWorkspaceRequest.ts +7 -0
package/src/generated/DashboardApiKey.ts +11 -0
package/src/generated/DashboardKnowledgeSourceKind.ts +3 -0
package/src/generated/Decision.ts +12 -0
package/src/generated/GuardrailGenerateResponse.ts +11 -0
package/src/generated/GuardrailListResponse.ts +7 -0
package/src/generated/InviteListResponse.ts +4 -0
package/src/generated/InviteStatus.ts +6 -0
package/src/generated/KnowledgeFileInput.ts +3 -0
package/src/generated/KnowledgeFileMetadata.ts +3 -0
package/src/generated/KnowledgeSource.ts +4 -0
package/src/generated/KnowledgeSourceDocument.ts +17 -0
package/src/generated/KnowledgeSourceFileResponse.ts +3 -0
package/src/generated/KnowledgeSourceKind.ts +3 -0
package/src/generated/KnowledgeSourceListResponse.ts +4 -0
package/src/generated/KnowledgeSourceStatus.ts +3 -0
package/src/generated/MemberListResponse.ts +4 -0
package/src/generated/MyWorkspace.ts +8 -0
package/src/generated/MyWorkspacesResponse.ts +4 -0
package/src/generated/PolicyAction.ts +6 -0
package/src/generated/PolicyBatchSetEnabledRequest.ts +3 -0
package/src/generated/PolicyBatchSetEnabledResponse.ts +4 -0
package/src/generated/PolicyDocument.ts +4 -0
package/src/generated/PolicyDraft.ts +11 -0
package/src/generated/PolicyDraftRequest.ts +6 -0
package/src/generated/PolicyDraftResponse.ts +4 -0
package/src/generated/PolicyListResponse.ts +4 -0
package/src/generated/PolicyMatchType.ts +7 -0
package/src/generated/PolicySetEnabledRequest.ts +3 -0
package/src/generated/PolicySummary.ts +4 -0
package/src/generated/PolicyValidateResponse.ts +4 -0
package/src/generated/PolicyValidationIssue.ts +3 -0
package/src/generated/README.md +1 -0
package/src/generated/RunDetail.ts +6 -0
package/src/generated/RunEventKind.ts +3 -0
package/src/generated/RunEventListResponse.ts +4 -0
package/src/generated/RunEventSummary.ts +12 -0
package/src/generated/RunKind.ts +3 -0
package/src/generated/RunListResponse.ts +4 -0
package/src/generated/RunStatus.ts +3 -0
package/src/generated/RunSummary.ts +21 -0
package/src/generated/Severity.ts +3 -0
package/src/generated/Tier.ts +6 -0
package/src/generated/TierResult.ts +9 -0
package/src/generated/TierStatus.ts +6 -0
package/src/generated/TraceListResponse.ts +4 -0
package/src/generated/TraceSummary.ts +7 -0
package/src/generated/TriggeredPolicy.ts +4 -0
package/src/generated/UpdateRunRequest.ts +9 -0
package/src/generated/Verdict.ts +6 -0
package/src/generated/WorkspaceInvite.ts +14 -0
package/src/generated/WorkspaceMember.ts +11 -0
package/src/generated/WorkspaceRole.ts +7 -0
package/src/generated/WorkspaceSettings.ts +7 -0
package/src/guard.ts +492 -0
package/src/index.ts +97 -0
package/src/retry.ts +67 -0

package/src/generated/WorkspaceMember.ts ADDED Viewed

@@ -0,0 +1,11 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { WorkspaceRole } from "./WorkspaceRole";
+/**
+ * A user who currently has access to a workspace.
+ */
+export type WorkspaceMember = { user_id: string, username: string, role: WorkspaceRole,
+/**
+ * RFC3339 timestamp.
+ */
+joined_at: string, };

package/src/generated/WorkspaceRole.ts ADDED Viewed

@@ -0,0 +1,7 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+/**
+ * Permission level a user holds inside a workspace. Mirrors the
+ * `workspace_role` Postgres enum (migration 6).
+ */
+export type WorkspaceRole = "owner" | "admin" | "editor" | "viewer";

package/src/generated/WorkspaceSettings.ts ADDED Viewed

@@ -0,0 +1,7 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+export type WorkspaceSettings = { default_action: string, escalation_webhook_url: string | null, telemetry_enabled: boolean, retention_days: string, config: Record<string, unknown>,
+/**
+ * RFC 3339 timestamp.
+ */
+updated_at: string | null, };

package/src/guard.ts ADDED Viewed

@@ -0,0 +1,492 @@
+// `guard()` — output-boundary helper.
+//
+// Most integrations should create one guardrail at startup and call it before
+// delivering an agent draft:
+//
+//   const guardrail = guard({ agentId: 'acme-support-v3' });
+//   const reply = await guardrail({ input: userMessage, draft: agentDraft });
+//   await sendToCustomer(reply);
+//
+// The lower-level form remains available for custom client ownership:
+//
+//   const reply = await guard({
+//     client,
+//     input,
+//     draft,
+//     context,
+//     agentId: 'acme-support-v3',
+//     onBlock:    () => cannedSafeReply,
+//     onEscalate: () => { humanQueue.push(...); return holdMessage; },
+//   });
+//   await sendToCustomer(reply);
+//
+// The handler stays the source of truth on what to do per-verdict.
+// `guard` just makes the dispatch ergonomic and applies a fail-open
+// default for transport errors so an outage on our side doesn't take
+// down the agent.
+//
+// Factory guards support three presets:
+//   strict                -> treat rewrite verdicts as blocked output
+//   rewrite               -> use safeOutput, block when no safeOutput exists
+//   rewrite_or_regenerate -> use safeOutput, otherwise regenerate and check again
+import { Client, type ClientOptions } from './client';
+import type { Channel } from './generated/Channel';
+import type { CheckRequest } from './generated/CheckRequest';
+import type { CreateRunEventRequest } from './generated/CreateRunEventRequest';
+import type { Decision } from './generated/Decision';
+import { SdkError } from './errors';
+const DEFAULT_BLOCK_MESSAGE = "I can't help with that request.";
+const DEFAULT_ESCALATE_MESSAGE = 'A human teammate should review this before we continue.';
+type DecisionHandler = string | ((decision: Decision) => string | Promise<string>);
+type ErrorHandler = string | ((err: SdkError, draft: string) => string | Promise<string>);
+export const GuardMode = {
+  Strict: 'strict',
+  Rewrite: 'rewrite',
+  RewriteOrRegenerate: 'rewrite_or_regenerate',
+} as const;
+export type GuardMode = (typeof GuardMode)[keyof typeof GuardMode];
+export interface RegenerateFeedback {
+  /** What the user said. */
+  input: string;
+  /** The draft that failed the guard check. */
+  draft: string;
+  /** Full TrustLoopGuard decision for the failed draft. */
+  decision: Decision;
+  /** Human-readable reason returned by TrustLoopGuard. */
+  reason: string;
+  /** Safe output returned by TrustLoopGuard, when available. */
+  safeOutput: string | null;
+  /** 1-based regeneration attempt number. */
+  attempt: number;
+  /** Maximum allowed regeneration attempts. */
+  maxAttempts: number;
+}
+type RegenerateHandler = (feedback: RegenerateFeedback) => string | Promise<string>;
+export interface GuardCallbacks {
+  /**
+   * Called when the verdict is `allow`. Default: return the original
+   * draft unchanged. Override only if you want to log the allow path
+   * or strip a draft suffix etc.
+   */
+  onAllow?: (draft: string, decision: Decision) => string | Promise<string>;
+  /**
+   * Called when the verdict is `rewrite`. Default: return
+   * `decision.safe_output ?? draft`. Override to post-process or
+   * substitute your own canned rewrite.
+   */
+  onRevise?: (
+    revised: string | null,
+    draft: string,
+    decision: Decision,
+  ) => string | Promise<string>;
+  /**
+   * Called when the verdict is `block`. **Required** — there is no
+   * sensible automatic answer. Return the canned safe message your
+   * brand wants the customer to see (or throw to abort the send).
+   */
+  onBlock: (decision: Decision) => string | Promise<string>;
+  /**
+   * Called when the verdict is `escalate`. **Required** — typically
+   * pushes onto a human-review queue and returns a holding message.
+   */
+  onEscalate: (decision: Decision) => string | Promise<string>;
+  /**
+   * Called when the SDK transport itself fails (network down, server
+   * 5xx, decode error, retries exhausted). Default: **fail-open** —
+   * return the original draft. Pass an explicit handler if you'd
+   * rather fail-closed (e.g. `() => cannedSafeReply`).
+   */
+  onError?: (err: SdkError, draft: string) => string | Promise<string>;
+}
+export interface GuardOptions extends GuardCallbacks {
+  client: Client;
+  /** What the user said. */
+  input: string;
+  /** What the agent wants to send. The string returned by `guard` is
+   *  what the caller should actually deliver. */
+  draft: string;
+  /** Conversation channel — drives latency budget on the server. */
+  channel?: Channel;
+  /** Required: the registered agent profile id. */
+  agentId: string;
+  /**
+   * Optional structured context — typically `{ docs: [...] }` for
+   * grounding the LLM judges. Anything JSON-serialisable.
+   */
+  context?: Record<string, unknown>;
+  /**
+   * Optional override for `domain` (defaults to the server's
+   * `customer_support` dispatcher).
+   */
+  domain?: string;
+  /** Optional caller-supplied trace id — overrides the server-assigned one. */
+  traceId?: string;
+  /** Optional run id used to group this check in the dashboard. */
+  runId?: string;
+  /** Optional existing run event id to attach to this check. Requires runId. */
+  runEventId?: string;
+  /** Optional inline run event to create and attach to this check. Requires runId. */
+  runEvent?: CreateRunEventRequest;
+  /**
+   * Logger hook. If provided, gets one structured event per `guard`
+   * invocation: { trace_id, verdict, branch, latency_ms }. Useful for
+   * surfacing which branch fired without forcing a specific logger
+   * dependency.
+   */
+  log?: (event: GuardLogEvent) => void;
+  /** Optional cancellation. Forwarded to the underlying check call. */
+  signal?: AbortSignal;
+}
+export interface GuardFactoryOptions {
+  /** Required: the registered agent profile id. */
+  agentId: string;
+  /** Existing client. Pass this when you want to own transport lifecycle/config. */
+  client?: Client;
+  /** TrustLoopGuard server URL. Defaults to env or localhost. */
+  baseUrl?: string;
+  /** Bearer token. Defaults to env when available. */
+  apiKey?: string;
+  /** Retry policy forwarded when the factory owns the Client. */
+  retry?: ClientOptions['retry'];
+  /** Fetch implementation forwarded when the factory owns the Client. */
+  fetchImpl?: ClientOptions['fetchImpl'];
+  /** Retry logger forwarded when the factory owns the Client. */
+  onRetry?: ClientOptions['onRetry'];
+  /** Conversation channel — drives latency budget on the server. */
+  channel?: Channel;
+  /** Optional override for `domain`. */
+  domain?: string;
+  /** Structured context merged into every call. */
+  context?: Record<string, unknown>;
+  /** Default block branch. Omit for the SDK safe message. */
+  onBlock?: DecisionHandler;
+  /** Default escalation branch. Omit for the SDK safe message. */
+  onEscalate?: DecisionHandler;
+  /** Transport failure branch. Omit for fail-open. */
+  onError?: ErrorHandler;
+  /**
+   * Output mode:
+   * - strict: treat rewrite verdicts as blocked output
+   * - rewrite: use safeOutput, block when no safeOutput exists
+   * - rewrite_or_regenerate: use safeOutput, otherwise ask the model to try again
+   */
+  mode?: GuardMode;
+  /** Called by rewrite_or_regenerate when TrustLoopGuard has no safeOutput. */
+  regenerate?: RegenerateHandler;
+  /** Hard cap for model regeneration loops. Defaults to 1. */
+  maxRegenerations?: number;
+  /** Return the default block message on transport errors when no onError is set. */
+  failClosed?: boolean;
+  /** Logger hook for every guard invocation. */
+  log?: (event: GuardLogEvent) => void;
+}
+export interface GuardCallOptions {
+  /** What the user said. */
+  input: string;
+  /** What the agent wants to send. */
+  draft: string;
+  channel?: Channel;
+  domain?: string;
+  context?: Record<string, unknown>;
+  traceId?: string;
+  runId?: string;
+  runEventId?: string;
+  runEvent?: CreateRunEventRequest;
+  onBlock?: DecisionHandler;
+  onEscalate?: DecisionHandler;
+  onError?: ErrorHandler;
+  mode?: GuardMode;
+  regenerate?: RegenerateHandler;
+  maxRegenerations?: number;
+  log?: (event: GuardLogEvent) => void;
+  signal?: AbortSignal;
+}
+export interface OutputGuard {
+  (opts: GuardCallOptions): Promise<string>;
+}
+export interface GuardLogEvent {
+  trace_id: string;
+  verdict: Decision['verdict'];
+  /** Which callback we ended up calling. */
+  branch: 'allow' | 'revise' | 'block' | 'escalate' | 'error';
+  latency_ms: number;
+}
+/**
+ * Run the SDK's check + dispatch the appropriate callback. Returns the
+ * string the caller should actually send to the customer.
+ *
+ * Verdicts map 1:1 to callbacks:
+ *
+ *   allow    → onAllow (default: return draft as-is)
+ *   rewrite  → onRevise (default: return decision.safe_output ?? draft)
+ *   block    → onBlock (required)
+ *   escalate → onEscalate (required)
+ *
+ * Transport / decode / retry-exhausted errors go to `onError`. Default
+ * is **fail-open** — return the original draft. Pass an explicit
+ * `onError` if your domain prefers fail-closed.
+ */
+export function guard(opts: GuardFactoryOptions): OutputGuard;
+export function guard(opts: GuardOptions): Promise<string>;
+export function guard(opts: GuardFactoryOptions | GuardOptions): OutputGuard | Promise<string> {
+  if ('input' in opts && 'draft' in opts) {
+    return guardOnce(opts as GuardOptions);
+  }
+  return createOutputGuard(opts);
+}
+async function guardOnce(opts: GuardOptions): Promise<string> {
+  const start = performance.now();
+  const req: CheckRequest = {
+    agent_id: opts.agentId,
+    channel: opts.channel ?? 'chat',
+    input: opts.input,
+    proposed_output: opts.draft,
+    domain: opts.domain ?? null,
+    policies: [],
+    // Server's `context` is `Record<string, unknown> | null`; null
+    // matches the wire shape when no context is supplied.
+    context: (opts.context ?? null) as unknown as Record<string, unknown>,
+    trace_id: opts.traceId ?? null,
+  };
+  addDefined(req, 'run_id', opts.runId);
+  addDefined(req, 'run_event_id', opts.runEventId);
+  addDefined(req, 'run_event', opts.runEvent);
+  let decision: Decision;
+  try {
+    decision = await opts.client.check(req, opts.signal);
+  } catch (e) {
+    if (!(e instanceof SdkError)) throw e;
+    const fallback = opts.onError ? await opts.onError(e, opts.draft) : opts.draft; // fail-open default
+    opts.log?.({
+      trace_id: opts.traceId ?? '',
+      // Wire shape doesn't have an "error" verdict; we synthesise the
+      // log line for observability without lying about the wire.
+      verdict: 'allow',
+      branch: 'error',
+      latency_ms: Math.round(performance.now() - start),
+    });
+    return fallback;
+  }
+  const result = await dispatch(opts, decision);
+  opts.log?.({
+    trace_id: decision.trace_id,
+    verdict: decision.verdict,
+    branch: branchFor(decision.verdict),
+    latency_ms: Math.round(performance.now() - start),
+  });
+  return result;
+}
+function createOutputGuard(opts: GuardFactoryOptions): OutputGuard {
+  const client = opts.client ?? new Client(clientOptions(opts));
+  return async (call: GuardCallOptions) => {
+    const mode = call.mode ?? opts.mode ?? 'rewrite';
+    const regenerate = call.regenerate ?? opts.regenerate;
+    const maxRegenerations = call.maxRegenerations ?? opts.maxRegenerations ?? 1;
+    const onBlock = decisionHandler(call.onBlock ?? opts.onBlock, DEFAULT_BLOCK_MESSAGE);
+    const onEscalate = decisionHandler(
+      call.onEscalate ?? opts.onEscalate,
+      DEFAULT_ESCALATE_MESSAGE,
+    );
+    const onError = errorHandler(
+      call.onError ?? opts.onError,
+      opts.failClosed === true ? DEFAULT_BLOCK_MESSAGE : undefined,
+    );
+    const runAttempt = async (
+      currentDraft: string,
+      completedRegenerations: number,
+    ): Promise<string> => {
+      const onRevise = async (
+        revised: string | null,
+        checkedDraft: string,
+        decision: Decision,
+      ): Promise<string> => {
+        if (mode === 'strict') return await onBlock(decision);
+        if (revised !== null) return revised;
+        if (
+          mode !== 'rewrite_or_regenerate' ||
+          regenerate === undefined ||
+          completedRegenerations >= maxRegenerations
+        ) {
+          return await onBlock(decision);
+        }
+        const nextAttempt = completedRegenerations + 1;
+        const nextDraft = await regenerate({
+          input: call.input,
+          draft: checkedDraft,
+          decision,
+          reason: decision.reason,
+          safeOutput: decision.safe_output ?? null,
+          attempt: nextAttempt,
+          maxAttempts: maxRegenerations,
+        });
+        return await runAttempt(nextDraft, nextAttempt);
+      };
+      const guardOpts: GuardOptions = {
+        client,
+        agentId: opts.agentId,
+        input: call.input,
+        draft: currentDraft,
+        context: { ...(opts.context ?? {}), ...(call.context ?? {}) },
+        onBlock,
+        onEscalate,
+        onRevise,
+      };
+      addDefined(guardOpts, 'channel', call.channel ?? opts.channel);
+      addDefined(guardOpts, 'domain', call.domain ?? opts.domain);
+      addDefined(guardOpts, 'traceId', call.traceId);
+      addDefined(guardOpts, 'runId', call.runId);
+      addDefined(guardOpts, 'runEventId', call.runEventId);
+      addDefined(guardOpts, 'runEvent', call.runEvent);
+      addDefined(guardOpts, 'onError', onError);
+      addDefined(guardOpts, 'log', call.log ?? opts.log);
+      addDefined(guardOpts, 'signal', call.signal);
+      return await guardOnce(guardOpts);
+    };
+    return await runAttempt(call.draft, 0);
+  };
+}
+async function dispatch(opts: GuardOptions, decision: Decision): Promise<string> {
+  switch (decision.verdict) {
+    case 'allow':
+      return opts.onAllow ? await opts.onAllow(opts.draft, decision) : opts.draft;
+    case 'rewrite':
+      return opts.onRevise
+        ? await opts.onRevise(decision.safe_output ?? null, opts.draft, decision)
+        : (decision.safe_output ?? opts.draft);
+    case 'block':
+      return await opts.onBlock(decision);
+    case 'escalate':
+      return await opts.onEscalate(decision);
+  }
+}
+function branchFor(v: Decision['verdict']): GuardLogEvent['branch'] {
+  if (v === 'rewrite') return 'revise';
+  return v;
+}
+function decisionHandler(
+  handler: DecisionHandler | undefined,
+  defaultMessage: string,
+): (decision: Decision) => string | Promise<string> {
+  return async (decision) => {
+    if (handler === undefined) return defaultMessage;
+    if (typeof handler === 'string') return handler;
+    return await handler(decision);
+  };
+}
+function errorHandler(
+  handler: ErrorHandler | undefined,
+  defaultMessage: string | undefined,
+): ((err: SdkError, draft: string) => string | Promise<string>) | undefined {
+  if (handler === undefined && defaultMessage === undefined) return undefined;
+  return async (err, draft) => {
+    if (handler === undefined) return defaultMessage ?? draft;
+    if (typeof handler === 'string') return handler;
+    return await handler(err, draft);
+  };
+}
+function env(...names: string[]): string | undefined {
+  const proc = globalThis as typeof globalThis & {
+    process?: { env?: Record<string, string | undefined> };
+  };
+  for (const name of names) {
+    const value = proc.process?.env?.[name];
+    if (value !== undefined && value.length > 0) return value;
+  }
+  return undefined;
+}
+function clientOptions(opts: GuardFactoryOptions): ClientOptions {
+  const clientOpts: ClientOptions = {
+    baseUrl:
+      opts.baseUrl ??
+      env('TL_SERVER_URL', 'TRUSTLOOPGUARD_URL', 'TRUSTLOOP_URL') ??
+      'http://127.0.0.1:8080',
+  };
+  addDefined(
+    clientOpts,
+    'apiKey',
+    opts.apiKey ?? env('TL_API_KEY', 'TRUSTLOOPGUARD_API_KEY', 'TRUSTLOOP_API_KEY'),
+  );
+  addDefined(clientOpts, 'retry', opts.retry);
+  addDefined(clientOpts, 'fetchImpl', opts.fetchImpl);
+  addDefined(clientOpts, 'onRetry', opts.onRetry);
+  return clientOpts;
+}
+function addDefined<T extends object, K extends keyof T>(
+  target: T,
+  key: K,
+  value: T[K] | undefined,
+): void {
+  if (value !== undefined) {
+    target[key] = value;
+  }
+}

package/src/index.ts ADDED Viewed

@@ -0,0 +1,97 @@
+// Public surface of the TrustLoopGuard TypeScript SDK.
+// Type definitions are generated from Rust by `cargo run -p tl-codegen`.
+// See README.md in src/generated for regen instructions.
+export * from './generated/CheckRequest';
+export * from './generated/Decision';
+export * from './generated/Verdict';
+export * from './generated/Channel';
+export * from './generated/Severity';
+export * from './generated/TriggeredPolicy';
+export * from './generated/AgentAuthority';
+export * from './generated/AgentListResponse';
+export * from './generated/AgentProfile';
+export * from './generated/AgentScope';
+export * from './generated/AgentTone';
+export * from './generated/KnowledgeSource';
+export * from './generated/CreateKnowledgeSourceRequest';
+export * from './generated/DashboardKnowledgeSourceKind';
+export * from './generated/KnowledgeFileInput';
+export * from './generated/KnowledgeFileMetadata';
+export * from './generated/KnowledgeSourceDocument';
+export * from './generated/KnowledgeSourceFileResponse';
+export * from './generated/KnowledgeSourceListResponse';
+export * from './generated/KnowledgeSourceStatus';
+export * from './generated/ApiError';
+export * from './generated/ApiErrorCode';
+export * from './generated/PolicyDocument';
+export * from './generated/PolicyBatchSetEnabledRequest';
+export * from './generated/PolicyBatchSetEnabledResponse';
+export * from './generated/PolicyListResponse';
+export * from './generated/PolicySetEnabledRequest';
+export * from './generated/PolicySummary';
+export * from './generated/PolicyValidateResponse';
+export * from './generated/PolicyValidationIssue';
+export * from './generated/PolicyAction';
+export * from './generated/PolicyMatchType';
+export * from './generated/PolicyDraft';
+export * from './generated/PolicyDraftRequest';
+export * from './generated/PolicyDraftResponse';
+export * from './generated/GuardrailGenerateResponse';
+export * from './generated/GuardrailListResponse';
+export * from './generated/ApiKeyBatchRevokeRequest';
+export * from './generated/ApiKeyBatchRevokeResponse';
+export * from './generated/ApiKeyListResponse';
+export * from './generated/CreateApiKeyRequest';
+export * from './generated/CreateApiKeyResponse';
+export * from './generated/DashboardApiKey';
+export * from './generated/WorkspaceSettings';
+export * from './generated/TraceListResponse';
+export * from './generated/TraceSummary';
+export * from './generated/CreateRunEventRequest';
+export * from './generated/CreateRunRequest';
+export * from './generated/UpdateRunRequest';
+export * from './generated/RunDetail';
+export * from './generated/RunEventKind';
+export * from './generated/RunEventListResponse';
+export * from './generated/RunEventSummary';
+export * from './generated/RunKind';
+export * from './generated/RunListResponse';
+export * from './generated/RunStatus';
+export * from './generated/RunSummary';
+export { Client } from './client';
+export type { ClientOptions } from './client';
+export { GuardMode, guard } from './guard';
+export type {
+  GuardCallbacks,
+  GuardOptions,
+  GuardFactoryOptions,
+  GuardCallOptions,
+  GuardLogEvent,
+  OutputGuard,
+  RegenerateFeedback,
+} from './guard';
+export { DEFAULT_RETRY, nextDelay } from './retry';
+export type { RetryConfig } from './retry';
+export {
+  SdkError,
+  Invalid,
+  Unauthorized,
+  Forbidden,
+  NotFound,
+  Gone,
+  Unprocessable,
+  RateLimited,
+  Internal,
+  Unavailable,
+  Transport,
+  Decode,
+  codeFromHttpStatus,
+  synthesizeApiError,
+  fromResponse,
+  parseRetryAfter,
+} from './errors';

package/src/retry.ts ADDED Viewed

@@ -0,0 +1,67 @@
+// Retry policy for the TrustLoopGuard TypeScript SDK.
+//
+// Mirrors `tl-sdk-rust`'s `RetryConfig` exactly. Same defaults
+// (4 attempts, 30s budget, 200ms base, 8s cap), same `nextDelay`
+// contract: given the attempt number, elapsed time, the error that just
+// occurred, and a jitter fraction, return the delay before the next
+// attempt (in seconds) or `undefined` to stop.
+//
+// The function is pure so it can be unit-tested without spinning up an
+// HTTP server. Production callers feed `Math.random()`; tests pin the
+// value for determinism.
+import { RateLimited, SdkError } from './errors';
+export interface RetryConfig {
+  /** Total attempts including the initial one. `1` = no retry. */
+  maxAttempts: number;
+  /** Hard cap on total wall time including sleeps, in seconds. */
+  totalBudgetS: number;
+  /** Base for exponential backoff: delay = base * 2^(attempt-1). */
+  baseDelayS: number;
+  /** Cap on a single retry delay; prevents runaway exponential. */
+  maxDelayS: number;
+}
+export const DEFAULT_RETRY: Readonly<RetryConfig> = Object.freeze({
+  maxAttempts: 4,
+  totalBudgetS: 30.0,
+  baseDelayS: 0.2,
+  maxDelayS: 8.0,
+});
+/**
+ * Compute the delay before the next attempt, or `undefined` to stop.
+ * Pure mirror of `tl_sdk_rust::RetryConfig::next_delay` and
+ * `trustloopguard.retry.RetryConfig.next_delay`.
+ */
+export function nextDelay(
+  cfg: RetryConfig,
+  attempt: number,
+  elapsedS: number,
+  err: SdkError,
+  jitterFraction: number,
+): number | undefined {
+  if (!err.isRetriable()) return undefined;
+  if (attempt >= cfg.maxAttempts) return undefined;
+  if (elapsedS >= cfg.totalBudgetS) return undefined;
+  const exp = cfg.baseDelayS * 2 ** (attempt - 1);
+  const capped = Math.min(exp, cfg.maxDelayS);
+  // ±25% jitter: jitterFraction in [0,1] maps to multiplier [0.75, 1.25].
+  const frac = Math.max(0, Math.min(1, jitterFraction));
+  const multiplier = 0.75 + frac * 0.5;
+  const jittered = capped * multiplier;
+  let delay: number;
+  if (err instanceof RateLimited && err.retryAfter !== undefined) {
+    delay = Math.max(err.retryAfter, jittered);
+  } else {
+    delay = jittered;
+  }
+  const remaining = cfg.totalBudgetS - elapsedS;
+  if (remaining <= 0) return undefined;
+  return Math.min(delay, remaining);
+}