@vauban-org/agent-sdk 1.2.0 → 1.3.0

package/docs/telemetry/privacy.md

@@ -0,0 +1,127 @@
+# Privacy & Sovereignty
+
+Per [ADR-ECO-039 §5](https://github.com/vauban-org/vauban-gouvernance/blob/main/governance/decisions/ADR-ECO-039-sdk-telemetry-port.md),
+these are non-negotiable guarantees of the telemetry pipeline.
+
+## Six guarantees
+
+### 1. Zero phone-home by default
+
+```ts
+createOODAAgent({
+  agentId: "my-agent",
+  // no `telemetry` field — sink is NOOP_TELEMETRY_SINK
+});
+```
+
+No network calls. No DNS lookups. No "anonymous usage statistics". The
+sink is `NOOP_TELEMETRY_SINK` and silently no-ops.
+
+### 2. Local sink always available
+
+When you opt in to ANY sink via `createTelemetryBus`, you can also
+include `localSqliteTelemetrySink()` — there is no scenario in which
+opting in to a remote sink requires giving up the local mirror.
+
+The local file is the *exit plan* for every external dependency
+([Sovereignty principle](https://github.com/anthropics/claude-code/blob/main/docs/sovereignty.md)).
+
+### 3. PII never crosses sinks unless opted in
+
+OODA `step` events carry an optional `metadata` field that may contain
+raw prompts, completions, tool inputs, or addresses. By default the SDK
+**redacts** known-sensitive fields and hashes the rest before passing to
+sinks.
+
+To opt in to raw payloads (e.g. for debugging in a private deployment) :
+
+```ts
+createOODAAgent({
+  telemetry: createTelemetryBus({
+    sinks: [...],
+    includePayloads: true,    // ← explicit opt-in
+  }),
+});
+```
+
+A startup warning is logged to make this choice visible.
+
+### 4. Tenant isolation
+
+The CC backend enforces row-level security : every `agent_run` and
+`telemetry_run_step` row carries the `tenant_id` resolved server-side
+from the API key. **No cross-tenant SELECTs are possible** — even with
+a compromised key from another tenant, queries are scoped by RLS policy
+to that key's tenant only.
+
+Verified by the test suite (`tests/routes/telemetry-ingest.test.ts`,
+test "tenant_id from API key").
+
+### 5. Audit log of active sinks
+
+Upcoming in v1.4 :
+
+```bash
+vauban-agent telemetry status
+
+Active sinks:
+  - stdout                                       (1 of 1 healthy)
+  - sqlite        ~/.vauban/runs.db              (1 of 1 healthy, 1.2 MB)
+  - command-center https://command.vauban.tech   (1 of 1 healthy, last successful POST 12s ago)
+```
+
+Allows immediate auditing of "where my data is being sent right now".
+
+### 6. Sink failures never block the agent
+
+```ts
+const bus = createTelemetryBus({
+  sinks: [
+    networkSink_thatThrows,
+    sqliteSink_thatWorks,
+  ],
+  logger: pinoLogger,
+});
+
+// runCycle() succeeds. SQLite captures. Network sink failure is logged.
+await agent.triggerCycle();
+```
+
+This is enforced at the bus level via per-sink try/catch + log. The
+host agent's `runCycle` is untouched by sink failures.
+
+## Things we do NOT do
+
+- We do NOT collect anonymous telemetry about your SDK usage. Period.
+- We do NOT phone home to check for SDK updates.
+- We do NOT silently retry telemetry after the user revokes their API
+  key — 401s are not retried.
+- We do NOT keep deleted data. The cron at `command-center-prod`
+  namespace deletes runs older than the tenant's retention window (7
+  days free, 30 days Team, 1 year Pro, indefinite Sovereign).
+
+## Things we DO do (transparently)
+
+- We log a warning at startup if you configure a remote sink AND opt
+  out of the local sink. Sovereignty preserved by signal.
+- We embed the SDK version in the User-Agent of every POST. This lets
+  the CC backend tell users when they're running a SDK version below
+  the minimum supported (e.g. critical security patch).
+- We record `last_used_at` on the API key server-side. Visible to the
+  tenant only.
+
+## How to verify
+
+- Run with `node --inspect` and check the network panel — only the
+  hosts you configured should appear.
+- Run `tcpdump` filtered on your agent's PID — confirm zero traffic
+  outside the configured sinks.
+- Read the source — it's MIT, 700 LOC in `packages/agent-sdk/src/telemetry/`.
+
+## How to report a violation
+
+If you observe behavior that violates any of these six guarantees —
+files transmitted you didn't authorize, fields appearing in dashboards
+you redacted, etc. — please open a GitHub security advisory at
+[github.com/vauban-org/command-center/security](https://github.com/vauban-org/command-center/security/advisories/new).
+We treat this as P0.

package/docs/telemetry/sinks/cc.md

@@ -0,0 +1,155 @@
+# `commandCenterTelemetrySink`
+
+Pushes agent runs to **Vauban Command Center** — free → sovereign tiers,
+with optional Vauban Claim Algebra (VPSF) signatures on Pro+.
+
+Shipped as a separate npm package to keep the core SDK MIT and zero-dep.
+
+```bash
+pnpm add @vauban-org/cc-telemetry
+```
+
+## Setup walkthrough (free tier)
+
+### 1. Sign up at `command.vauban.tech`
+
+GitHub OAuth, takes 30 seconds. Free tier auto-issued. No credit card.
+
+### 2. Copy your API key
+
+Settings → API Keys → "Generate". Format `vauban_pk_…` (free tier prefix).
+
+!!! warning
+    The key is shown **once**. Store securely. Compromised keys can be
+    revoked from the same UI ; new key issuance is unlimited.
+
+### 3. Configure the sink
+
+```ts
+import {
+  createOODAAgent,
+  createTelemetryBus,
+  localSqliteTelemetrySink,
+} from "@vauban-org/agent-sdk";
+import { commandCenterTelemetrySink } from "@vauban-org/cc-telemetry";
+
+createOODAAgent({
+  agentId: "my-agent",
+  telemetry: createTelemetryBus({
+    sinks: [
+      localSqliteTelemetrySink(),                       // sovereign mirror
+      commandCenterTelemetrySink({
+        apiKey: process.env.VAUBAN_API_KEY!,
+      }),
+    ],
+  }),
+});
+```
+
+### 4. Run a cycle, watch the dashboard
+
+Every run shows up at `command.vauban.tech/runs` within 5 seconds. Filter
+by agent, status, cost, time window. SSE-driven, no manual refresh needed.
+
+## Options
+
+```ts
+commandCenterTelemetrySink({
+  apiKey: string;            // REQUIRED — Bearer token from CC SaaS
+  baseUrl?: string;          // default: "https://command.vauban.tech"
+  batchSize?: number;        // events per HTTP batch (default 10, max 100)
+  batchMs?: number;          // max wait before flush (default 5000)
+  timeoutMs?: number;        // HTTP timeout (default 10_000)
+  fetchImpl?: typeof fetch;  // test override
+  retry?: RetryConfig;       // default: RETRY_TRANSIENT (3 attempts, exp + jitter)
+  logger?: { warn, error };  // default: console.warn / console.error
+});
+```
+
+## Tiers
+
+| Tier | Key prefix | Monthly runs | Retention | Extra |
+|---|---|---|---|---|
+| Free | `vauban_pk_*` | 1 000 | 7 days | Dashboard read-only |
+| Team €49/mo | `vauban_team_*` | 10 000 | 30 days | + Slack/Discord HITL hooks |
+| Pro €490/mo | `vauban_pro_*` | 100 000 | 1 year | + VPSF signed runs + STARK per-call |
+| Sovereign €180k/yr | mTLS + air-gap | unlimited | indefinite | + TDX/SEV-SNP enclave + L3 anchor |
+
+Free tier upgrade : no SDK code change. Just rotate the API key.
+
+Per [Brain entry 7e18f454](https://command.vauban.tech/brain/7e18f454),
+the free tier policy (1000/mo + 7d) is intentionally narrow enough to
+funnel adoption toward paid tiers without being unusable for solo devs
+exploring the platform.
+
+## Self-hosted Command Center
+
+If you run the AGPL CC backend yourself ([ADR-ECO-014](https://github.com/vauban-org/vauban-gouvernance/blob/main/governance/decisions/ADR-ECO-014-cc-oss-release.md)),
+override `baseUrl` :
+
+```ts
+commandCenterTelemetrySink({
+  apiKey: "internal-key",
+  baseUrl: "https://cc.myorg.internal",
+});
+```
+
+No revenue for Vauban. Sovereignty respected.
+
+## Batching behavior
+
+Events accumulate in an in-memory queue until **either** `batchSize` events
+collected **or** `batchMs` elapses **or** a `finish` event arrives
+(which always force-flushes — dashboards see results immediately).
+
+Single-flight : while a batch POST is in flight, new events queue locally.
+Subsequent `flush()` calls await the in-flight request before sending the
+next batch.
+
+## Retry semantics
+
+Errors are classified at the HTTP layer :
+
+- **5xx + network errors** → retried per `retry` config (default 3 attempts,
+  exponential backoff with ±25 % jitter via SDK's `retry()` helper).
+- **4xx** (401 unauthorized, 429 quota exceeded) → NOT retried. Logged
+  and dropped. Burning quota on retries would be net-negative.
+- **Network timeout** → counted as 5xx (retryable).
+
+After retry exhaustion, the batch is **dropped with a warning log**. The
+sink itself never throws — failures are isolated by the SDK's TelemetryBus.
+
+## Security
+
+- API key sent as `Authorization: Bearer <key>`. **Always use HTTPS.**
+- Keys are stored hashed (SHA-256) server-side ; the plaintext is shown
+  only once at issuance.
+- Revocation is immediate — the next POST returns 401.
+- The server stamps every row with the resolved `tenant_id` from the
+  key. **No cross-tenant write authority possible**, even with a
+  compromised key from another tenant.
+- Rate-limited at 60 req/min per key (Redis sliding window) plus the
+  monthly quota.
+
+## Failure mode runbook
+
+| Symptom | Likely cause | Remediation |
+|---|---|---|
+| All POSTs return 401 | Key revoked or typo | Re-issue from /settings/api-keys |
+| All POSTs return 429 immediately | Monthly quota exhausted | Upgrade tier or wait for month rollover |
+| Sporadic 429 | Per-minute rate limit hit | Reduce agent cycle frequency or batch upstream |
+| 502/503 transient | CC backend brief restart | Auto-retry; if persistent, check status page |
+| Local SQLite has rows but dashboard empty | Sink not receiving events | Verify `VAUBAN_API_KEY` env var, check pod logs |
+
+## Observability of the sink itself
+
+If you wrap with `createTelemetryBus`, inspect counters :
+
+```ts
+const bus = createTelemetryBus({ sinks: [commandCenterTelemetrySink({...})] });
+// later…
+console.log(bus.counters);
+// { dispatched: 142, sinkErrors: 0, dropped: 0 }
+```
+
+Surface `sinkErrors` / `dropped` to Prometheus for alerting.

package/docs/telemetry/sinks/otlp.md

@@ -0,0 +1,146 @@
+# `otlpTelemetrySink`
+
+Pushes agent runs to any **OpenTelemetry Protocol over HTTP** receiver,
+JSON-encoded. Works with Langfuse self-host, Grafana Tempo, Jaeger,
+Honeycomb, Datadog, any OTLP-compliant collector — no vendor lock-in.
+
+## Usage
+
+```ts
+import { otlpTelemetrySink } from "@vauban-org/agent-sdk";
+
+otlpTelemetrySink({
+  url: "https://langfuse.vauban.tech/api/public/otel",
+  headers: { Authorization: "Basic <base64(pub:sec)>" },
+});
+```
+
+## Options
+
+```ts
+otlpTelemetrySink({
+  url: string;                         // base URL ; `/v1/traces` is appended
+  headers?: Record<string, string>;    // static, includes auth
+  serviceName?: string;                // OTel resource attribute (default: "vauban-agent-sdk")
+  fetchImpl?: typeof fetch;            // test override
+  timeoutMs?: number;                  // request timeout (default: 5000)
+});
+```
+
+## OTel semantic conventions
+
+The sink maps SDK events to OpenTelemetry spans using **GenAI semantic
+conventions** (`gen_ai.*` namespace) plus Vauban-specific extensions :
+
+| Span attribute | Source | Convention |
+|---|---|---|
+| `service.name` | `serviceName` option | OTel resource |
+| `gen_ai.system` | `event.provider` | OTel GenAI |
+| `gen_ai.request.model` | `event.model` | OTel GenAI |
+| `gen_ai.usage.input_tokens` | `event.totalInputTokens` | OTel GenAI |
+| `gen_ai.usage.output_tokens` | `event.totalOutputTokens` | OTel GenAI |
+| `vauban.run_id` | `event.runId` | Vauban ext |
+| `vauban.agent.id` | `event.agentId` | Vauban ext |
+| `vauban.agent.version` | `event.agentVersion` | Vauban ext |
+| `vauban.run.status` | `event.status` | Vauban ext |
+| `vauban.run.stop_reason` | `event.stopReason` | Vauban ext |
+| `vauban.run.cost_usd` | `event.totalCostUsd` | Vauban ext |
+| `vauban.run.steps` | step count | Vauban ext |
+
+Step events emit child spans named `ooda.<kind>` with attributes
+`vauban.step.{index,kind,status,tool_calls,cost_usd}` + tokens.
+
+## Span structure
+
+```
+trace (single)
+└── span: ooda.cycle.<agentId>                    [parent]
+    ├── span: ooda.observe                        [step 0]
+    ├── span: ooda.orient                         [step 1]
+    ├── span: ooda.decide                         [step 2]
+    └── span: ooda.act                            [step 3]
+```
+
+trace_id is preserved from the caller — pass `event.traceId` to link to
+upstream traces (e.g. an inbound HTTP request).
+
+## Wire format
+
+JSON-encoded OTLP/HTTP (not protobuf). Reasoning : avoids pulling the
+`@opentelemetry/exporter-trace-otlp-proto` dependency. JSON is a
+first-class OTLP transport since v1.0.
+
+Sample payload :
+
+```json
+{
+  "resourceSpans": [{
+    "resource": {
+      "attributes": [
+        { "key": "service.name", "value": { "stringValue": "vauban-agent-sdk" } }
+      ]
+    },
+    "scopeSpans": [{
+      "scope": { "name": "vauban.agent.ooda", "version": "1.3.0" },
+      "spans": [{
+        "traceId": "abc...32 hex chars",
+        "spanId": "def...16 hex chars",
+        "name": "ooda.cycle.my-agent",
+        "startTimeUnixNano": "1747414800000000000",
+        "endTimeUnixNano":   "1747414805012000000",
+        "kind": 1,
+        "attributes": [...],
+        "status": { "code": 1 }
+      }]
+    }]
+  }]
+}
+```
+
+## Failure modes
+
+- **5xx** : the bus retries (default RETRY_TRANSIENT). After exhaustion,
+  warned and dropped.
+- **4xx** : NOT retried (auth/quota errors). Logged and dropped.
+- **Timeout** : `AbortController` after `timeoutMs`. Counted as transient.
+
+## Performance
+
+One HTTP request per `step` and `finish` event. Not batched at the sink
+level. For high-volume agents, wrap with a batcher or use the CC sink
+(which batches).
+
+## Common backends
+
+### Langfuse self-host (Vauban's choice)
+
+```ts
+otlpTelemetrySink({
+  url: "https://langfuse.vauban.tech/api/public/otel",
+  headers: { Authorization: `Basic ${btoa("pk_xxx:sk_xxx")}` },
+});
+```
+
+Per [Brain entry 426c92f5](https://command.vauban.tech/brain/426c92f5),
+`langfuse.vauban.tech` is the self-hosted Langfuse already deployed on
+K3s. Free for ecosystem usage.
+
+### Grafana Tempo
+
+```ts
+otlpTelemetrySink({
+  url: "http://tempo.observability.svc.cluster.local:4318",
+});
+```
+
+### Jaeger (dev)
+
+```bash
+docker run -p 16686:16686 -p 4318:4318 jaegertracing/all-in-one
+```
+
+```ts
+otlpTelemetrySink({ url: "http://localhost:4318" });
+```
+
+UI at `http://localhost:16686`.

package/docs/telemetry/sinks/sqlite.md

@@ -0,0 +1,126 @@
+# `localSqliteTelemetrySink`
+
+**Sovereign local mirror** of every agent run. Per
+[ADR-ECO-039 §5](https://github.com/vauban-org/vauban-gouvernance/blob/main/governance/decisions/ADR-ECO-039-sdk-telemetry-port.md),
+this sink is **ON by default** when you compose with `createTelemetryBus` —
+it is the *exit plan* for any remote sink.
+
+## Why a local mirror, always ?
+
+If `command.vauban.tech` goes down, if your OTLP collector is unreachable,
+if a network partition cuts the link to your observability stack — the
+local SQLite file retains the full history. No data loss. No vendor lock-in.
+
+## Usage
+
+```ts
+import { localSqliteTelemetrySink } from "@vauban-org/agent-sdk";
+
+localSqliteTelemetrySink({
+  path?: string;        // default: ~/.vauban/runs.db
+  readonly?: boolean;   // default: false
+});
+```
+
+### Inspect via standard tools
+
+```bash
+sqlite3 ~/.vauban/runs.db
+sqlite> .tables
+agent_run         agent_run_step
+sqlite> SELECT agent_id, status, COUNT(*) FROM agent_run GROUP BY agent_id, status;
+```
+
+The upcoming `vauban-agent runs list` CLI wraps this with a nicer UI.
+
+## Schema
+
+The sink auto-creates two tables on first use :
+
+```sql
+CREATE TABLE agent_run (
+  run_id            TEXT PRIMARY KEY,
+  agent_id          TEXT NOT NULL,
+  agent_version     TEXT NOT NULL,
+  model             TEXT,
+  provider          TEXT,
+  tenant_id         TEXT,
+  trace_id          TEXT,
+  started_at        TEXT NOT NULL,
+  finished_at       TEXT,
+  status            TEXT,
+  stop_reason       TEXT,
+  error_message     TEXT,
+  total_input_tokens   INTEGER DEFAULT 0,
+  total_output_tokens  INTEGER DEFAULT 0,
+  total_cost_usd       REAL DEFAULT 0,
+  total_tool_calls     INTEGER DEFAULT 0
+);
+
+CREATE TABLE agent_run_step (
+  run_id        TEXT NOT NULL,
+  step_index    INTEGER NOT NULL,
+  kind          TEXT NOT NULL,
+  status        TEXT NOT NULL,
+  input_tokens  INTEGER DEFAULT 0,
+  output_tokens INTEGER DEFAULT 0,
+  tool_calls    INTEGER DEFAULT 0,
+  cost_usd      REAL DEFAULT 0,
+  duration_ms   INTEGER,
+  metadata      TEXT,
+  recorded_at   TEXT NOT NULL,
+  PRIMARY KEY (run_id, step_index)
+);
+```
+
+Plus indices on `(agent_id, started_at DESC)` and `(status, started_at DESC)`.
+
+## Optional dependency
+
+`better-sqlite3` is declared as **peerDependencyOptional**. Install :
+
+```bash
+pnpm add better-sqlite3
+```
+
+If absent, the sink **degrades to no-op** and logs one warning at startup
+("better-sqlite3 not installed — sink degraded to no-op"). Your agent
+continues without local persistence. This is intentional — SDK consumers
+who only want the OTLP or CC sink shouldn't be forced to compile a native
+addon.
+
+## Disk footprint
+
+| Metric | Value |
+|---|---|
+| Per agent_run row | ~250 bytes |
+| Per agent_run_step row | ~150 bytes |
+| 100 000 runs × 5 steps each | ≈ 100 MB |
+| WAL journal during writes | ≤ 10 MB |
+
+Append-only. No cleanup required for normal usage. For aggressive retention,
+manual DELETE WHERE `started_at < date('now', '-7 days')` works.
+
+## Tests
+
+The unit test suite skips SQLite-specific assertions if `better-sqlite3`
+is not installed in the test environment, so CI passes both with and
+without the addon.
+
+## Failure modes
+
+- **Disk full** : the next `start` throws a `SQLITE_FULL` error, isolated
+  by the bus. The agent continues.
+- **WAL corruption** : never observed in the field. Recovery is to
+  delete the `.db-wal` + `.db-shm` files and re-open ; the main DB file
+  is rebuilt from the checkpoint.
+- **Concurrent access from multiple agents** : safe — WAL mode (set by
+  the sink via `journal_mode = WAL`) supports concurrent readers + one
+  writer per file.
+
+## Migration to remote sinks
+
+The local SQLite is the audit trail. Once your remote sink is wired up
+and stable, the local file is **archival** — keep it around as the
+sovereign backup. Some teams sync it nightly to S3 or Backblaze B2 as
+a tier-2 archive.

package/docs/telemetry/sinks/stdout.md

@@ -0,0 +1,82 @@
+# `stdoutTelemetrySink`
+
+Emits one **JSON line per event** to `process.stderr` (by default). Designed
+for dev visibility — pipe through `jq`, `pino-pretty`, or any structured-log
+collector.
+
+## Why stderr, not stdout ?
+
+Many agents print their *application output* to stdout. Mixing telemetry
+JSON lines with that output corrupts both pipelines. stderr is the
+conventional "diagnostics" channel that doesn't interfere.
+
+## Usage
+
+```ts
+import { stdoutTelemetrySink } from "@vauban-org/agent-sdk";
+
+createOODAAgent({
+  agentId: "my-agent",
+  telemetry: stdoutTelemetrySink(),   // shorthand — single sink
+});
+```
+
+Or compose with the bus :
+
+```ts
+import { createTelemetryBus, stdoutTelemetrySink, localSqliteTelemetrySink } from "@vauban-org/agent-sdk";
+
+createOODAAgent({
+  agentId: "my-agent",
+  telemetry: createTelemetryBus({
+    sinks: [stdoutTelemetrySink(), localSqliteTelemetrySink()],
+  }),
+});
+```
+
+## Options
+
+```ts
+stdoutTelemetrySink({
+  stream?: NodeJS.WritableStream;   // default: process.stderr
+  json?: boolean;                   // default: true (else key=value)
+});
+```
+
+## Output sample
+
+```bash
+node my-agent.ts 2>&1 | jq -c
+```
+
+```json
+{"telemetry":"run.start","runId":"abc-…","agentId":"my-agent","agentVersion":"1.0.0","model":"unknown","provider":"unknown","startedAt":"2026-05-16T17:00:00.000Z"}
+{"telemetry":"run.step","runId":"abc-…","stepIndex":0,"kind":"observe","status":"completed","inputTokens":127,"outputTokens":42,"costUsd":0.0008}
+{"telemetry":"run.finish","runId":"abc-…","status":"success","finishedAt":"2026-05-16T17:00:05.012Z"}
+```
+
+## Tail-friendly recipes
+
+```bash
+# Live error monitoring
+node my-agent.ts 2> >(jq -c 'select(.telemetry == "run.finish" and .status != "success")')
+
+# Cost per agent (last 100 runs)
+node my-agent.ts 2>&1 | jq -s 'map(select(.telemetry == "run.finish")) | group_by(.agentId) | map({agent: .[0].agentId, runs: length})'
+```
+
+## Failure modes
+
+- **Stream closed mid-write** : Node's default behavior is to emit an
+  `error` event on the stream. The sink does NOT swallow this — wire up
+  `stream.on('error', …)` if you need custom recovery.
+- **stderr disconnected** (`> /dev/null 2>&1`) : silently no-ops, as
+  expected.
+
+## Performance
+
+Synchronous `stream.write()` — ~1 µs per event. Negligible. Safe to keep
+enabled in production for low-rate agents.
+
+For high-rate (>1000 events/sec) deployments, prefer `otlpTelemetrySink`
+or the CC sink, which batch internally.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vauban-org/agent-sdk",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Vauban agent primitives: loop, budget, routing, HITL, permissions, tracking, durable execution",
   "type": "module",
   "main": "dist/index.js",
@@ -113,23 +113,6 @@
     "registry": "https://registry.npmjs.org",
     "access": "public"
   },
-  "scripts": {
-    "build": "tsc",
-    "test": "vitest run",
-    "lint": "biome check src/ tests/",
-    "size": "size-limit",
-    "size:legacy": "node scripts/measure-size.mjs",
-    "bench": "node --import tsx/esm bench/run.ts",
-    "bench:sdk": "node --import tsx/esm benchmarks/sdk.bench.ts",
-    "bench:baseline": "node --import tsx/esm benchmarks/sdk.bench.ts --write-baseline",
-    "mutation": "stryker run",
-    "stryker": "stryker run --concurrency 2",
-    "api:extract": "api-extractor run --local --verbose",
-    "api:check": "api-extractor run",
-    "depcruise": "depcruise src",
-    "docs": "typedoc",
-    "prepublishOnly": "pnpm build && pnpm test"
-  },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.39.0",
     "@opentelemetry/exporter-trace-otlp-http": "^0.213.0",
@@ -181,5 +164,21 @@
   },
   "engines": {
     "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "lint": "biome check src/ tests/",
+    "size": "size-limit",
+    "size:legacy": "node scripts/measure-size.mjs",
+    "bench": "node --import tsx/esm bench/run.ts",
+    "bench:sdk": "node --import tsx/esm benchmarks/sdk.bench.ts",
+    "bench:baseline": "node --import tsx/esm benchmarks/sdk.bench.ts --write-baseline",
+    "mutation": "stryker run",
+    "stryker": "stryker run --concurrency 2",
+    "api:extract": "api-extractor run --local --verbose",
+    "api:check": "api-extractor run",
+    "depcruise": "depcruise src",
+    "docs": "typedoc"
   }
-}
+}