agentid-sdk 0.1.30 → 0.1.31

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 AgentID
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+MIT License
+
+Copyright (c) 2026 AgentID
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.

package/README.md

@@ -1,337 +1,337 @@
-# agentid-sdk (Node.js / TypeScript)
-
-[![npm version](https://img.shields.io/npm/v/agentid-sdk.svg)](https://www.npmjs.com/package/agentid-sdk)
-[![Node](https://img.shields.io/node/v/agentid-sdk.svg)](https://www.npmjs.com/package/agentid-sdk)
-[![Node >=18](https://img.shields.io/badge/node-%3E%3D18-339933.svg)](https://nodejs.org/)
-[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
-
-## 1. Introduction
-
-`agentid-sdk` is the official Node.js/TypeScript SDK for AgentID, an AI security and compliance System of Record. It allows you to gate LLM traffic through guard checks, enforce policy before execution, and capture durable telemetry for audit and governance workflows.
-
-### The Mental Model
-
-AgentID sits between your application and the LLM runtime:
-
-```text
-User Input -> guard() -> [AgentID Policy] -> verdict
-                              | allowed
-                              v
-                         LLM Provider
-                              v
-                           log() -> [Immutable Ledger]
-```
-
-- `guard()`: evaluates prompt and context before model execution.
-- Model call: executes only if guard verdict is allowed.
-- `log()`: persists immutable telemetry (prompt, output, latency) for audit and compliance.
-
-## 2. Installation
-
-```bash
-npm install agentid-sdk
-```
-
-## 3. Prerequisites
-
-1. Create an account at `https://app.getagentid.com`.
-2. Create an AI system and copy:
-   - `AGENTID_API_KEY` (for example `sk_live_...`)
-   - `AGENTID_SYSTEM_ID` (UUID)
-3. If using OpenAI/LangChain, set:
-   - `OPENAI_API_KEY`
-
-```bash
-export AGENTID_API_KEY="sk_live_..."
-export AGENTID_SYSTEM_ID="00000000-0000-0000-0000-000000000000"
-export OPENAI_API_KEY="sk-proj-..."
-```
-
-### Compatibility
-
-- **Node.js:** v18+ / **Python:** 3.9+ (cross-SDK matrix)
-- **Thread Safety:** AgentID clients are thread-safe and intended to be instantiated once and reused across concurrent requests.
-- **Latency:** async `log()` is non-blocking for model execution paths; sync `guard()` typically adds network latency (commonly ~50-100ms, environment-dependent).
-
-## 4. Quickstart
-
-```ts
-import { AgentID } from "agentid-sdk";
-
-const agent = new AgentID(); // auto-loads AGENTID_API_KEY
-const systemId = process.env.AGENTID_SYSTEM_ID!;
-
-const verdict = await agent.guard({
-  system_id: systemId,
-  input: "Summarize this ticket in one sentence.",
-  model: "gpt-4o-mini",
-  user_id: "quickstart-user",
-});
-if (!verdict.allowed) throw new Error(`Blocked: ${verdict.reason}`);
-
-await agent.log({
-  system_id: systemId,
-  event_id: verdict.client_event_id,
-  model: "gpt-4o-mini",
-  input: "Summarize this ticket in one sentence.",
-  output: "Summary generated.",
-  metadata: { agent_role: "support-assistant" },
-});
-```
-
-## 5. Core Integrations
-
-### OpenAI Wrapper
-
-```bash
-npm install agentid-sdk openai
-```
-
-```ts
-import OpenAI from "openai";
-import { AgentID } from "agentid-sdk";
-
-const agent = new AgentID({
-  piiMasking: true,
-});
-
-const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY! });
-const secured = agent.wrapOpenAI(openai, {
-  system_id: process.env.AGENTID_SYSTEM_ID!,
-  user_id: "customer-123",
-  expected_languages: ["en"],
-});
-
-const response = await secured.chat.completions.create({
-  model: "gpt-4o-mini",
-  messages: [{ role: "user", content: "What is the capital of the Czech Republic?" }],
-});
-
-console.log(response.choices[0]?.message?.content ?? "");
-```
-
-Wrapped OpenAI calls persist telemetry for both regular and streamed completions. For `stream: true`, logging happens when the stream finishes.
-
-> Scope note: AgentID compliance/risk controls apply to the specific SDK-wrapped LLM calls (`guard()`, `wrapOpenAI()`, LangChain callback-wrapped flows). They do not automatically classify unrelated code paths in your whole monolithic application.
-
-### Vercel AI SDK Wrapper
-
-If your app already uses Vercel AI SDK primitives such as `generateText()` or `streamText()`, prefer the dedicated wrapper package instead of rebuilding the lifecycle manually:
-
-```bash
-npm install ai agentid-vercel-sdk @ai-sdk/openai
-```
-
-`agentid-vercel-sdk` keeps AgentID backend-first by default, blocks before provider billing on denied prompts, and finalizes telemetry after completion or stream close.
-
-### LangChain Integration
-
-```bash
-npm install agentid-sdk openai @langchain/core @langchain/openai
-```
-
-```ts
-import { AgentID } from "agentid-sdk";
-import { AgentIDCallbackHandler } from "agentid-sdk/langchain";
-import { ChatOpenAI } from "@langchain/openai";
-import { ChatPromptTemplate } from "@langchain/core/prompts";
-import { StringOutputParser } from "@langchain/core/output_parsers";
-
-const agent = new AgentID();
-const handler = new AgentIDCallbackHandler(agent, {
-  system_id: process.env.AGENTID_SYSTEM_ID!,
-  expected_languages: ["en"],
-});
-
-const prompt = ChatPromptTemplate.fromTemplate("Answer in one sentence: {question}");
-const model = new ChatOpenAI({
-  apiKey: process.env.OPENAI_API_KEY!,
-  model: "gpt-4o-mini",
-});
-const chain = prompt.pipe(model).pipe(new StringOutputParser());
-
-const result = await chain.invoke(
-  { question: "What is the capital of the Czech Republic?" },
-  { callbacks: [handler] }
-);
-console.log(result);
-```
-
-LangChain callbacks log on run completion. Token/cost telemetry for streamed chains depends on the provider exposing usage in the final LangChain result.
-
-### Raw Ingest API (Telemetry Only)
-
-```ts
-import { AgentID } from "agentid-sdk";
-
-const agent = new AgentID();
-
-await agent.log({
-  system_id: process.env.AGENTID_SYSTEM_ID!,
-  event_type: "complete",
-  severity: "info",
-  model: "gpt-4o-mini",
-  input: "Raw telemetry prompt",
-  output: '{"ok": true}',
-  metadata: { agent_role: "batch-worker", channel: "manual_ingest" },
-});
-```
-
-### Transparency Badge (Article 50 UI Evidence)
-
-When rendering disclosure UI, log proof-of-render telemetry so you can demonstrate the end-user actually saw the badge.
-
-```tsx
-import { AgentIDTransparencyBadge } from "agentid-sdk/transparency-badge";
-
-<AgentIDTransparencyBadge
-  telemetry={{
-    systemId: process.env.NEXT_PUBLIC_AGENTID_SYSTEM_ID!,
-    // Prefer a backend relay endpoint so no secret key is exposed in browser code.
-    ingestUrl: "/api/agentid/transparency-render",
-    headers: { "x-agentid-system-id": process.env.NEXT_PUBLIC_AGENTID_SYSTEM_ID! },
-    userId: "customer-123",
-  }}
-  placement="chat-header"
-/>;
-```
-
-On mount, the component asynchronously emits `event_type: "transparency_badge_rendered"` to the AgentID ingest endpoint.
-
-## 6. Advanced Configuration
-
-### Custom identity / role metadata
-
-```ts
-await agent.guard({
-  system_id: process.env.AGENTID_SYSTEM_ID!,
-  input: "Process user request",
-  user_id: "service:billing-agent",
-  model: "gpt-4o-mini",
-});
-
-await agent.log({
-  system_id: process.env.AGENTID_SYSTEM_ID!,
-  model: "gpt-4o-mini",
-  input: "Process user request",
-  output: "Done",
-  metadata: { agent_role: "billing-agent", environment: "prod" },
-});
-```
-
-### Strict mode and timeout tuning
-
-```ts
-const agent = new AgentID({
-  strictMode: true,      // fail-closed on guard connectivity/timeouts
-  guardTimeoutMs: 10000, // default guard timeout is 10000ms
-  ingestTimeoutMs: 10000 // default ingest timeout is 10000ms
-});
-```
-
-### Optional client-side fast fail
-
-```ts
-const agent = new AgentID({
-  failureMode: "fail_close",
-  clientFastFail: true, // opt-in local preflight before /guard
-});
-```
-
-### Error Handling & Strict Mode
-
-By default, AgentID is designed to keep your application running if the AgentID API has a timeout or is temporarily unreachable.
-
-| Mode | Connectivity Failure | LLM Execution | Best For |
-| :--- | :--- | :--- | :--- |
-| **Default** (Strict Off) | API Timeout / Unreachable | **Fail-Open** (continues) | Standard SaaS, chatbots |
-| **Strict Mode** (`strictMode: true`) | API Timeout / Unreachable | Direct `guard()` denies; wrapped flows can apply local fallback first | Healthcare, FinTech, high-risk |
-
-- `guard()` returns a verdict (`allowed`, `reason`); handle deny paths explicitly.
-- `wrapOpenAI()` and LangChain handlers throw `SecurityBlockError` when a prompt is blocked.
-- Backend `/guard` is the default authority for prompt injection, DB access, code execution, and PII leakage in SDK-wrapped flows.
-- `clientFastFail` / `client_fast_fail` is optional and disabled by default. Enable it only when you explicitly want local preflight before the backend call.
-- If backend guard is unreachable and the effective failure mode is `fail_close`, wrapped OpenAI/LangChain flows can run local fallback enforcement. Local hits still block; otherwise the request can continue with fallback telemetry attached.
-- If `strictMode` is not explicitly set in SDK code, runtime behavior follows the system configuration from AgentID (`strict_security_mode` / `failure_mode`).
-- Ingest retries transient failures (5xx/429) and logs warnings if persistence fails.
-
-### Event Identity Model
-
-For consistent lifecycle correlation in Activity/Prompts, use this model:
-
-- `client_event_id`: external correlation ID for one end-to-end action.
-- `guard_event_id`: ID of the preflight guard event returned by `guard()`.
-- `event_id` on `log()`: idempotency key for ingest. In the JS SDK it is canonicalized to `client_event_id` for stable one-row lifecycle updates.
-
-SDK behavior:
-
-- `guard()` sends `client_event_id` and returns canonical `client_event_id` + `guard_event_id`.
-- `log()` sends:
-  - `event_id = canonical client_event_id`
-  - `metadata.client_event_id`
-  - `metadata.guard_event_id` (when available from wrappers/callbacks)
-  - `x-correlation-id = client_event_id`
-- after a successful primary ingest, SDK wrappers can call `/ingest/finalize` with the same `client_event_id` to attach `sdk_ingest_ms`
-- SDK requests include `x-agentid-sdk-version` for telemetry/version diagnostics.
-
-This keeps Guard + Complete linked under one correlation key while preserving internal event linkage in the dashboard.
-
-### SDK Timing Telemetry
-
-SDK-managed metadata can include:
-
-- `sdk_config_fetch_ms`: capability/config fetch time before dispatch.
-- `sdk_local_scan_ms`: optional local enforcement time (`clientFastFail` or fail-close fallback path).
-- `sdk_guard_ms`: backend `/guard` round-trip time observed by the SDK wrapper.
-- `sdk_ingest_ms`: post-ingest transport timing finalized by the SDK through `/ingest/finalize` after a successful primary `/ingest`.
-
-### Policy-Pack Runtime Telemetry
-
-When the backend uses compiled policy packs, runtime metadata includes:
-
-- `policy_pack_version`: active compiled artifact version.
-- `policy_pack_fallback`: `true` means fallback detector path was used.
-- `policy_pack_details`: optional diagnostic detail for fallback/decision trace.
-
-Latency interpretation:
-
-- Activity `Latency (ms)` maps to synchronous processing (`processing_time_ms`).
-- Async AI audit time is separate (`ai_audit_duration_ms`) and can be higher.
-- First request after warm-up boundaries can be slower than steady-state requests.
-
-### Monorepo QA Commands (Maintainers)
-
-If you are validating runtime in the AgentID monorepo:
-
-```bash
-npm run qa:policy-pack-bootstrap -- --base-url=http://127.0.0.1:3000/api/v1 --system-id=<SYSTEM_UUID>
-npm run bench:policy-pack-hotpath
-```
-
-PowerShell diagnostics:
-
-```powershell
-powershell -ExecutionPolicy Bypass -File .\scripts\qa\run-guard-diagnostic.ps1 -BaseUrl http://127.0.0.1:3000/api/v1 -ApiKey $env:AGENTID_API_KEY -SystemId $env:AGENTID_SYSTEM_ID -SkipBenchmark
-powershell -ExecutionPolicy Bypass -File .\scripts\qa\run-ai-label-audit-check.ps1 -BaseUrl http://127.0.0.1:3000/api/v1 -ApiKey $env:AGENTID_API_KEY -SystemId $env:AGENTID_SYSTEM_ID -Model gpt-4o-mini
-```
-
-## 7. Security & Compliance
-
-- Backend `/guard` remains the primary enforcement authority by default.
-- Optional local PII masking and opt-in `clientFastFail` are available for edge cases.
-- Guard checks run pre-execution; ingest + finalize telemetry captures prompt/output lifecycle and SDK timing breakdowns.
-- Safe for server and serverless runtimes (including async completion flows).
-- Supports compliance and forensics workflows with durable event records.
-
-## 8. Support
-
-- Dashboard: `https://app.getagentid.com`
-- Repository: `https://github.com/ondrejsukac-rgb/agentid/tree/main/js-sdk`
-- Issues: `https://github.com/ondrejsukac-rgb/agentid/issues`
-
-## 9. Publishing Notes (NPM)
-
-NPM automatically renders `README.md` from the package root during `npm publish`.
-
-- File location: next to `package.json` in `js-sdk/`.
-- No additional NPM config is required for README rendering.
+# agentid-sdk (Node.js / TypeScript)
+
+[![npm version](https://img.shields.io/npm/v/agentid-sdk.svg)](https://www.npmjs.com/package/agentid-sdk)
+[![Node](https://img.shields.io/node/v/agentid-sdk.svg)](https://www.npmjs.com/package/agentid-sdk)
+[![Node >=18](https://img.shields.io/badge/node-%3E%3D18-339933.svg)](https://nodejs.org/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+
+## 1. Introduction
+
+`agentid-sdk` is the official Node.js/TypeScript SDK for AgentID, an AI security and compliance System of Record. It allows you to gate LLM traffic through guard checks, enforce policy before execution, and capture durable telemetry for audit and governance workflows.
+
+### The Mental Model
+
+AgentID sits between your application and the LLM runtime:
+
+```text
+User Input -> guard() -> [AgentID Policy] -> verdict
+                              | allowed
+                              v
+                         LLM Provider
+                              v
+                           log() -> [Immutable Ledger]
+```
+
+- `guard()`: evaluates prompt and context before model execution.
+- Model call: executes only if guard verdict is allowed.
+- `log()`: persists immutable telemetry (prompt, output, latency) for audit and compliance.
+
+## 2. Installation
+
+```bash
+npm install agentid-sdk
+```
+
+## 3. Prerequisites
+
+1. Create an account at `https://app.getagentid.com`.
+2. Create an AI system and copy:
+   - `AGENTID_API_KEY` (for example `sk_live_...`)
+   - `AGENTID_SYSTEM_ID` (UUID)
+3. If using OpenAI/LangChain, set:
+   - `OPENAI_API_KEY`
+
+```bash
+export AGENTID_API_KEY="sk_live_..."
+export AGENTID_SYSTEM_ID="00000000-0000-0000-0000-000000000000"
+export OPENAI_API_KEY="sk-proj-..."
+```
+
+### Compatibility
+
+- **Node.js:** v18+ / **Python:** 3.9+ (cross-SDK matrix)
+- **Thread Safety:** AgentID clients are thread-safe and intended to be instantiated once and reused across concurrent requests.
+- **Latency:** async `log()` is non-blocking for model execution paths; sync `guard()` typically adds network latency (commonly ~50-100ms, environment-dependent).
+
+## 4. Quickstart
+
+```ts
+import { AgentID } from "agentid-sdk";
+
+const agent = new AgentID(); // auto-loads AGENTID_API_KEY
+const systemId = process.env.AGENTID_SYSTEM_ID!;
+
+const verdict = await agent.guard({
+  system_id: systemId,
+  input: "Summarize this ticket in one sentence.",
+  model: "gpt-4o-mini",
+  user_id: "quickstart-user",
+});
+if (!verdict.allowed) throw new Error(`Blocked: ${verdict.reason}`);
+
+await agent.log({
+  system_id: systemId,
+  event_id: verdict.client_event_id,
+  model: "gpt-4o-mini",
+  input: "Summarize this ticket in one sentence.",
+  output: "Summary generated.",
+  metadata: { agent_role: "support-assistant" },
+});
+```
+
+## 5. Core Integrations
+
+### OpenAI Wrapper
+
+```bash
+npm install agentid-sdk openai
+```
+
+```ts
+import OpenAI from "openai";
+import { AgentID } from "agentid-sdk";
+
+const agent = new AgentID({
+  piiMasking: true,
+});
+
+const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY! });
+const secured = agent.wrapOpenAI(openai, {
+  system_id: process.env.AGENTID_SYSTEM_ID!,
+  user_id: "customer-123",
+  expected_languages: ["en"],
+});
+
+const response = await secured.chat.completions.create({
+  model: "gpt-4o-mini",
+  messages: [{ role: "user", content: "What is the capital of the Czech Republic?" }],
+});
+
+console.log(response.choices[0]?.message?.content ?? "");
+```
+
+Wrapped OpenAI calls persist telemetry for both regular and streamed completions. For `stream: true`, logging happens when the stream finishes.
+
+> Scope note: AgentID compliance/risk controls apply to the specific SDK-wrapped LLM calls (`guard()`, `wrapOpenAI()`, LangChain callback-wrapped flows). They do not automatically classify unrelated code paths in your whole monolithic application.
+
+### Vercel AI SDK Wrapper
+
+If your app already uses Vercel AI SDK primitives such as `generateText()` or `streamText()`, prefer the dedicated wrapper package instead of rebuilding the lifecycle manually:
+
+```bash
+npm install ai agentid-vercel-sdk @ai-sdk/openai
+```
+
+`agentid-vercel-sdk` keeps AgentID backend-first by default, blocks before provider billing on denied prompts, and finalizes telemetry after completion or stream close.
+
+### LangChain Integration
+
+```bash
+npm install agentid-sdk openai @langchain/core @langchain/openai
+```
+
+```ts
+import { AgentID } from "agentid-sdk";
+import { AgentIDCallbackHandler } from "agentid-sdk/langchain";
+import { ChatOpenAI } from "@langchain/openai";
+import { ChatPromptTemplate } from "@langchain/core/prompts";
+import { StringOutputParser } from "@langchain/core/output_parsers";
+
+const agent = new AgentID();
+const handler = new AgentIDCallbackHandler(agent, {
+  system_id: process.env.AGENTID_SYSTEM_ID!,
+  expected_languages: ["en"],
+});
+
+const prompt = ChatPromptTemplate.fromTemplate("Answer in one sentence: {question}");
+const model = new ChatOpenAI({
+  apiKey: process.env.OPENAI_API_KEY!,
+  model: "gpt-4o-mini",
+});
+const chain = prompt.pipe(model).pipe(new StringOutputParser());
+
+const result = await chain.invoke(
+  { question: "What is the capital of the Czech Republic?" },
+  { callbacks: [handler] }
+);
+console.log(result);
+```
+
+LangChain callbacks log on run completion. Token/cost telemetry for streamed chains depends on the provider exposing usage in the final LangChain result.
+
+### Raw Ingest API (Telemetry Only)
+
+```ts
+import { AgentID } from "agentid-sdk";
+
+const agent = new AgentID();
+
+await agent.log({
+  system_id: process.env.AGENTID_SYSTEM_ID!,
+  event_type: "complete",
+  severity: "info",
+  model: "gpt-4o-mini",
+  input: "Raw telemetry prompt",
+  output: '{"ok": true}',
+  metadata: { agent_role: "batch-worker", channel: "manual_ingest" },
+});
+```
+
+### Transparency Badge (Article 50 UI Evidence)
+
+When rendering disclosure UI, log proof-of-render telemetry so you can demonstrate the end-user actually saw the badge.
+
+```tsx
+import { AgentIDTransparencyBadge } from "agentid-sdk/transparency-badge";
+
+<AgentIDTransparencyBadge
+  telemetry={{
+    systemId: process.env.NEXT_PUBLIC_AGENTID_SYSTEM_ID!,
+    // Prefer a backend relay endpoint so no secret key is exposed in browser code.
+    ingestUrl: "/api/agentid/transparency-render",
+    headers: { "x-agentid-system-id": process.env.NEXT_PUBLIC_AGENTID_SYSTEM_ID! },
+    userId: "customer-123",
+  }}
+  placement="chat-header"
+/>;
+```
+
+On mount, the component asynchronously emits `event_type: "transparency_badge_rendered"` to the AgentID ingest endpoint.
+
+## 6. Advanced Configuration
+
+### Custom identity / role metadata
+
+```ts
+await agent.guard({
+  system_id: process.env.AGENTID_SYSTEM_ID!,
+  input: "Process user request",
+  user_id: "service:billing-agent",
+  model: "gpt-4o-mini",
+});
+
+await agent.log({
+  system_id: process.env.AGENTID_SYSTEM_ID!,
+  model: "gpt-4o-mini",
+  input: "Process user request",
+  output: "Done",
+  metadata: { agent_role: "billing-agent", environment: "prod" },
+});
+```
+
+### Strict mode and timeout tuning
+
+```ts
+const agent = new AgentID({
+  strictMode: true,      // fail-closed on guard connectivity/timeouts
+  guardTimeoutMs: 10000, // default guard timeout is 10000ms
+  ingestTimeoutMs: 10000 // default ingest timeout is 10000ms
+});
+```
+
+### Optional client-side fast fail
+
+```ts
+const agent = new AgentID({
+  failureMode: "fail_close",
+  clientFastFail: true, // opt-in local preflight before /guard
+});
+```
+
+### Error Handling & Strict Mode
+
+By default, AgentID is designed to keep your application running if the AgentID API has a timeout or is temporarily unreachable.
+
+| Mode | Connectivity Failure | LLM Execution | Best For |
+| :--- | :--- | :--- | :--- |
+| **Default** (Strict Off) | API Timeout / Unreachable | **Fail-Open** (continues) | Standard SaaS, chatbots |
+| **Strict Mode** (`strictMode: true`) | API Timeout / Unreachable | Direct `guard()` denies; wrapped flows can apply local fallback first | Healthcare, FinTech, high-risk |
+
+- `guard()` returns a verdict (`allowed`, `reason`); handle deny paths explicitly.
+- `wrapOpenAI()` and LangChain handlers throw `SecurityBlockError` when a prompt is blocked.
+- Backend `/guard` is the default authority for prompt injection, DB access, code execution, and PII leakage in SDK-wrapped flows.
+- `clientFastFail` / `client_fast_fail` is optional and disabled by default. Enable it only when you explicitly want local preflight before the backend call.
+- If backend guard is unreachable and the effective failure mode is `fail_close`, wrapped OpenAI/LangChain flows can run local fallback enforcement. Local hits still block; otherwise the request can continue with fallback telemetry attached.
+- If `strictMode` is not explicitly set in SDK code, runtime behavior follows the system configuration from AgentID (`strict_security_mode` / `failure_mode`).
+- Ingest retries transient failures (5xx/429) and logs warnings if persistence fails.
+
+### Event Identity Model
+
+For consistent lifecycle correlation in Activity/Prompts, use this model:
+
+- `client_event_id`: external correlation ID for one end-to-end action.
+- `guard_event_id`: ID of the preflight guard event returned by `guard()`.
+- `event_id` on `log()`: idempotency key for ingest. In the JS SDK it is canonicalized to `client_event_id` for stable one-row lifecycle updates.
+
+SDK behavior:
+
+- `guard()` sends `client_event_id` and returns canonical `client_event_id` + `guard_event_id`.
+- `log()` sends:
+  - `event_id = canonical client_event_id`
+  - `metadata.client_event_id`
+  - `metadata.guard_event_id` (when available from wrappers/callbacks)
+  - `x-correlation-id = client_event_id`
+- after a successful primary ingest, SDK wrappers can call `/ingest/finalize` with the same `client_event_id` to attach `sdk_ingest_ms`
+- SDK requests include `x-agentid-sdk-version` for telemetry/version diagnostics.
+
+This keeps Guard + Complete linked under one correlation key while preserving internal event linkage in the dashboard.
+
+### SDK Timing Telemetry
+
+SDK-managed metadata can include:
+
+- `sdk_config_fetch_ms`: capability/config fetch time before dispatch.
+- `sdk_local_scan_ms`: optional local enforcement time (`clientFastFail` or fail-close fallback path).
+- `sdk_guard_ms`: backend `/guard` round-trip time observed by the SDK wrapper.
+- `sdk_ingest_ms`: post-ingest transport timing finalized by the SDK through `/ingest/finalize` after a successful primary `/ingest`.
+
+### Policy-Pack Runtime Telemetry
+
+When the backend uses compiled policy packs, runtime metadata includes:
+
+- `policy_pack_version`: active compiled artifact version.
+- `policy_pack_fallback`: `true` means fallback detector path was used.
+- `policy_pack_details`: optional diagnostic detail for fallback/decision trace.
+
+Latency interpretation:
+
+- Activity `Latency (ms)` maps to synchronous processing (`processing_time_ms`).
+- Async AI audit time is separate (`ai_audit_duration_ms`) and can be higher.
+- First request after warm-up boundaries can be slower than steady-state requests.
+
+### Monorepo QA Commands (Maintainers)
+
+If you are validating runtime in the AgentID monorepo:
+
+```bash
+npm run qa:policy-pack-bootstrap -- --base-url=http://127.0.0.1:3000/api/v1 --system-id=<SYSTEM_UUID>
+npm run bench:policy-pack-hotpath
+```
+
+PowerShell diagnostics:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File .\scripts\qa\run-guard-diagnostic.ps1 -BaseUrl http://127.0.0.1:3000/api/v1 -ApiKey $env:AGENTID_API_KEY -SystemId $env:AGENTID_SYSTEM_ID -SkipBenchmark
+powershell -ExecutionPolicy Bypass -File .\scripts\qa\run-ai-label-audit-check.ps1 -BaseUrl http://127.0.0.1:3000/api/v1 -ApiKey $env:AGENTID_API_KEY -SystemId $env:AGENTID_SYSTEM_ID -Model gpt-4o-mini
+```
+
+## 7. Security & Compliance
+
+- Backend `/guard` remains the primary enforcement authority by default.
+- Optional local PII masking and opt-in `clientFastFail` are available for edge cases.
+- Guard checks run pre-execution; ingest + finalize telemetry captures prompt/output lifecycle and SDK timing breakdowns.
+- Safe for server and serverless runtimes (including async completion flows).
+- Supports compliance and forensics workflows with durable event records.
+
+## 8. Support
+
+- Dashboard: `https://app.getagentid.com`
+- Repository: `https://github.com/ondrejsukac-rgb/agentid/tree/main/js-sdk`
+- Issues: `https://github.com/ondrejsukac-rgb/agentid/issues`
+
+## 9. Publishing Notes (NPM)
+
+NPM automatically renders `README.md` from the package root during `npm publish`.
+
+- File location: next to `package.json` in `js-sdk/`.
+- No additional NPM config is required for README rendering.

package/dist/{chunk-W3LROAHO.mjs → chunk-WGJ7SVQB.mjs}

@@ -1810,7 +1810,7 @@ function getInjectionScanner() {
 
 // src/sdk-version.ts
 var FALLBACK_SDK_VERSION = "js-0.0.0-dev";
-var AGENTID_SDK_VERSION_HEADER = "js-0.1.30".trim().length > 0 ? "js-0.1.30" : FALLBACK_SDK_VERSION;
+var AGENTID_SDK_VERSION_HEADER = "js-0.1.31".trim().length > 0 ? "js-0.1.31" : FALLBACK_SDK_VERSION;
 
 // src/local-security-enforcer.ts
 var DEFAULT_FAIL_OPEN_CONFIG = {
@@ -1922,7 +1922,8 @@ var LocalSecurityEnforcer = class {
 };
 
 // src/capability-config.ts
-var CONFIG_TTL_MS = 5 * 60 * 1e3;
+var CONFIG_TTL_MS = 15 * 1e3;
+var CONFIG_FAILURE_FALLBACK_TTL_MS = 2 * 1e3;
 var CONFIG_TIMEOUT_MS = 1500;
 var CONFIG_RETRY_DELAY_MS = 150;
 var MAX_CAPABILITY_CACHE_ENTRIES = 500;
@@ -2145,10 +2146,11 @@ async function ensureCapabilityConfig(params) {
   }).catch((error) => {
     const message = error instanceof Error ? error.message : String(error);
     const fallbackConfig = existing?.config ?? DEFAULT_FAIL_OPEN_CONFIG;
+    const fallbackTtlMs = Math.min(ttlMs, CONFIG_FAILURE_FALLBACK_TTL_MS);
     console.warn("AgentID Config unreachable. Defaulting to FAIL-OPEN MODE.", message);
     cache.set(key, {
       config: fallbackConfig,
-      expiresAt: Date.now() + ttlMs,
+      expiresAt: Date.now() + fallbackTtlMs,
       promise: null
     });
     enforceCacheBound(cache);

package/dist/index.js

@@ -75,7 +75,7 @@ var OpenAIAdapter = class {
 
 // src/sdk-version.ts
 var FALLBACK_SDK_VERSION = "js-0.0.0-dev";
-var AGENTID_SDK_VERSION_HEADER = "js-0.1.30".trim().length > 0 ? "js-0.1.30" : FALLBACK_SDK_VERSION;
+var AGENTID_SDK_VERSION_HEADER = "js-0.1.31".trim().length > 0 ? "js-0.1.31" : FALLBACK_SDK_VERSION;
 
 // src/pii-national-identifiers.ts
 var MAX_CANDIDATES_PER_RULE = 256;
@@ -1296,7 +1296,8 @@ var LocalSecurityEnforcer = class {
 };
 
 // src/capability-config.ts
-var CONFIG_TTL_MS = 5 * 60 * 1e3;
+var CONFIG_TTL_MS = 15 * 1e3;
+var CONFIG_FAILURE_FALLBACK_TTL_MS = 2 * 1e3;
 var CONFIG_TIMEOUT_MS = 1500;
 var CONFIG_RETRY_DELAY_MS = 150;
 var MAX_CAPABILITY_CACHE_ENTRIES = 500;
@@ -1519,10 +1520,11 @@ async function ensureCapabilityConfig(params) {
   }).catch((error) => {
     const message = error instanceof Error ? error.message : String(error);
     const fallbackConfig = existing?.config ?? DEFAULT_FAIL_OPEN_CONFIG;
+    const fallbackTtlMs = Math.min(ttlMs, CONFIG_FAILURE_FALLBACK_TTL_MS);
     console.warn("AgentID Config unreachable. Defaulting to FAIL-OPEN MODE.", message);
     cache.set(key, {
       config: fallbackConfig,
-      expiresAt: Date.now() + ttlMs,
+      expiresAt: Date.now() + fallbackTtlMs,
       promise: null
     });
     enforceCacheBound(cache);

package/dist/index.mjs

@@ -7,7 +7,7 @@ import {
   SecurityBlockError,
   getInjectionScanner,
   scanWithRegex
-} from "./chunk-W3LROAHO.mjs";
+} from "./chunk-WGJ7SVQB.mjs";
 export {
   AgentID,
   DependencyError,

package/dist/langchain.js

@@ -27,7 +27,7 @@ var import_base = require("@langchain/core/callbacks/base");
 
 // src/sdk-version.ts
 var FALLBACK_SDK_VERSION = "js-0.0.0-dev";
-var AGENTID_SDK_VERSION_HEADER = "js-0.1.30".trim().length > 0 ? "js-0.1.30" : FALLBACK_SDK_VERSION;
+var AGENTID_SDK_VERSION_HEADER = "js-0.1.31".trim().length > 0 ? "js-0.1.31" : FALLBACK_SDK_VERSION;
 
 // src/pii-national-identifiers.ts
 var REGION_ANCHORS = {
@@ -200,7 +200,8 @@ var PHONE_CONTEXT_RE = new RegExp(
 );
 
 // src/capability-config.ts
-var CONFIG_TTL_MS = 5 * 60 * 1e3;
+var CONFIG_TTL_MS = 15 * 1e3;
+var CONFIG_FAILURE_FALLBACK_TTL_MS = 2 * 1e3;
 
 // src/agentid.ts
 var SecurityBlockError = class extends Error {

package/dist/langchain.mjs

@@ -1,6 +1,6 @@
 import {
   SecurityBlockError
-} from "./chunk-W3LROAHO.mjs";
+} from "./chunk-WGJ7SVQB.mjs";
 
 // src/langchain.ts
 import { BaseCallbackHandler } from "@langchain/core/callbacks/base";

package/package.json

@@ -1,69 +1,69 @@
-{
-  "name": "agentid-sdk",
-  "version": "0.1.30",
-  "description": "AgentID JavaScript/TypeScript SDK for guard, ingest, tracing, and analytics.",
-  "license": "MIT",
-  "homepage": "https://agentid.ai",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/ondrejsukac-rgb/agentid.git",
-    "directory": "js-sdk"
-  },
-  "bugs": {
-    "url": "https://github.com/ondrejsukac-rgb/agentid/issues"
-  },
-  "main": "dist/index.js",
-  "module": "dist/index.mjs",
-  "types": "dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.js"
-    },
-    "./langchain": {
-      "types": "./dist/langchain.d.ts",
-      "import": "./dist/langchain.mjs",
-      "require": "./dist/langchain.js"
-    },
-    "./transparency-badge": {
-      "types": "./dist/transparency-badge.d.ts",
-      "import": "./dist/transparency-badge.mjs",
-      "require": "./dist/transparency-badge.js"
-    },
-    "./package.json": "./package.json"
-  },
-  "files": [
-    "dist"
-  ],
-  "scripts": {
-    "build": "tsup --config tsup.config.ts",
-    "release:check": "npm run build && npm pack --dry-run",
-    "prepublishOnly": "npm run build"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "peerDependencies": {
-    "@langchain/core": "^0.3.0 || ^1.0.0",
-    "langchain": "^0.1.0",
-    "openai": "^4.0.0 || ^5.0.0 || ^6.0.0",
-    "react": "^18.0.0 || ^19.0.0"
-  },
-  "peerDependenciesMeta": {
-    "@langchain/core": {
-      "optional": true
-    },
-    "langchain": {
-      "optional": true
-    },
-    "react": {
-      "optional": true
-    }
-  },
-  "devDependencies": {
-    "@types/react": "^19.2.2",
-    "tsup": "^8.3.5",
-    "typescript": "^5.0.0"
-  }
-}
+{
+  "name": "agentid-sdk",
+  "version": "0.1.31",
+  "description": "AgentID JavaScript/TypeScript SDK for guard, ingest, tracing, and analytics.",
+  "license": "MIT",
+  "homepage": "https://agentid.ai",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ondrejsukac-rgb/agentid.git",
+    "directory": "js-sdk"
+  },
+  "bugs": {
+    "url": "https://github.com/ondrejsukac-rgb/agentid/issues"
+  },
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./langchain": {
+      "types": "./dist/langchain.d.ts",
+      "import": "./dist/langchain.mjs",
+      "require": "./dist/langchain.js"
+    },
+    "./transparency-badge": {
+      "types": "./dist/transparency-badge.d.ts",
+      "import": "./dist/transparency-badge.mjs",
+      "require": "./dist/transparency-badge.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup --config tsup.config.ts",
+    "release:check": "npm run build && npm pack --dry-run",
+    "prepublishOnly": "npm run build"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@langchain/core": "^0.3.0 || ^1.0.0",
+    "langchain": "^0.1.0 || ^1.0.0",
+    "openai": "^4.0.0 || ^5.0.0 || ^6.0.0",
+    "react": "^18.0.0 || ^19.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@langchain/core": {
+      "optional": true
+    },
+    "langchain": {
+      "optional": true
+    },
+    "react": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@types/react": "^19.2.2",
+    "tsup": "^8.3.5",
+    "typescript": "^5.0.0"
+  }
+}