TypeScript SDK
Full reference for the Thoth TypeScript SDK — ThothConfig, instrument(), wrapAnthropicTools(), wrapOpenAITools(), EnforcementMode, ThothPolicyViolation.
Installation
Node.js 18+ required. The package ships full TypeScript declarations and requires a runtime
with fetch + AbortSignal.timeout support.
ThothConfig
Fields
| Field | Type | Default | Description |
|---|---|---|---|
agentId | string | required | Unique identifier for this agent |
approvedScope | string[] | required | Tool names the agent is authorized to call |
tenantId | string | required | Your Thoth tenant identifier |
userId | string | "system" | User initiating the request |
enforcement | EnforcementMode | PROGRESSIVE | How to handle policy violations |
apiKey | string | process.env.THOTH_API_KEY | API key for authentication |
apiUrl | string | process.env.THOTH_API_URL | Required tenant API base URL used for both /v1/enforce and /v1/events/batch |
stepUpTimeoutMinutes | number | 15 | Max wait time for step-up approval |
stepUpPollIntervalMs | number | 5000 | Step-up polling interval in milliseconds |
sessionIntent | string | unset | Session purpose used for HIPAA minimum-necessary checks |
policyContext | Record<string, unknown> | unset | Tenant policy context sent as metadata.policy_context |
enforcementTraceId | string | generated session UUID | Correlation ID propagated to enforcer/services |
environment | string | "prod" | Environment tag for env-scoped policy resolution |
EnforcementMode
instrument()
Instrument a generic AI agent with Thoth governance. Wraps all tools with enforce/emit hooks. Returns the same agent object (mutated in-place).
Agent shape
The agent object must have a tools array where each element has a name: string and run: Function:
Example
Async generators
instrument() detects async generator functions automatically and wraps them correctly, yielding
all chunks while still emitting pre/post behavioral events:
Failure behavior
Current SDK behavior is fail-closed for policy checks: if /v1/enforce is unreachable or returns a
non-OK response, the decision falls back to BLOCK (reason: "enforcer unavailable"), and
instrument() will throw ThothPolicyViolation before running the tool.
emitBehavioralEvent()
Emit a single behavioral event directly to the Thoth API. Fire-and-forget — never blocks execution.
The function catches all errors internally and never throws. If the API is unreachable, the error is silently discarded to preserve agent availability.
BehavioralEvent schema
wrapAnthropicTools()
Wrap tool execution functions for use in an Anthropic Claude agentic loop. Returns a new map of governed callables.
Example
wrapOpenAITools()
Wrap tool execution functions for use in an OpenAI tool-calling loop.
Example
ThothPolicyViolation
Thrown when the enforcer blocks a tool call.
EnforcementDecision
The enforcer response shape (returned from POST /v1/enforce):
Environment Variables
| Variable | Description |
|---|---|
THOTH_API_KEY | API key for hosted Thoth authentication |
THOTH_API_URL | Required tenant API base URL for both policy checks and event ingestion |
The TypeScript SDK reads these environment variables automatically in Node.js environments.
If config.apiUrl and THOTH_API_URL are both missing, instrument() throws at startup.
TypeScript strict mode
The SDK is compiled with strict: true. All exported types are narrowed — no implicit any.
If you use instrument<T>(), the generic T preserves your agent's type through the instrumentation: