@keeptrusts/agent 0.1.0 configuration contract
:::danger Reference only
This unlisted page documents the code contract of an SDK version that is not available as a supported Node.js integration. Do not treat the examples as an adoption quickstart.
:::
This page documents what the 0.1.0 constructors and builders read. It does not remove the package's ordinary Node.js import blocker or make an incompatible high-level helper safe to use.
Client options
KeeptrustsAgentClient accepts:
| Option | Required | Purpose |
|---|---|---|
region | Yes | eu-west, us-east, or global. There is no region environment fallback. |
baseUrl | Unless KEEPTRUSTS_API_URL is set | Control-plane API base URL. The synchronous constructor does not perform region discovery. |
bearerToken | Unless KEEPTRUSTS_API_TOKEN is set | Control-plane bearer token. |
gatewayBaseUrl | No | Gateway model API base URL. |
gatewayApiKey | No | Gateway access token used for bearer authorization. |
gatewayHeaders | No | Static headers merged into gateway calls. |
fetch | No | Custom fetch implementation for both surfaces. |
The exact resolution order is:
| Value | Resolution order |
|---|---|
| Control-plane URL | baseUrl -> KEEPTRUSTS_API_URL -> configuration error |
| Control-plane token | bearerToken -> KEEPTRUSTS_API_TOKEN -> configuration error |
| Gateway URL | gatewayBaseUrl -> KEEPTRUSTS_GATEWAY_URL -> http://localhost:41002/v1 |
| Gateway token | gatewayApiKey -> KEEPTRUSTS_API_TOKEN -> kt-gateway |
The local gateway defaults are development conveniences, not production credentials.
Pass separate credentials explicitly
When the entrypoint is usable in your evaluated server runtime, construct the client with distinct secret variables:
import { KeeptrustsAgentClient } from "@keeptrusts/agent";
const client = new KeeptrustsAgentClient({
region: "us-east",
baseUrl: process.env.KEEPTRUSTS_API_URL,
bearerToken: process.env.KEEPTRUSTS_CONTROL_PLANE_TOKEN,
gatewayBaseUrl: process.env.KEEPTRUSTS_GATEWAY_URL,
gatewayApiKey: process.env.KEEPTRUSTS_GATEWAY_TOKEN,
gatewayHeaders: {
"x-keeptrusts-team": "risk-platform",
},
});
This snippet describes the constructor contract; it is not a plain Node.js quickstart for 0.1.0. See the supported TypeScript workflow for a runnable direct gateway integration.
Synchronous and asynchronous construction
new KeeptrustsAgentClient(options) requires a resolved control-plane URL from
baseUrl or KEEPTRUSTS_API_URL.
await KeeptrustsAgentClient.create(options) can discover the region endpoint
when baseUrl is absent. In that case, KEEPTRUSTS_API_URL is still required
as the host for GET /v1/regions; the selected region entry must expose an
api_endpoint.
Both paths require region explicitly. The SDK does not read
KEEPTRUSTS_REGION.
Gateway header precedence
The fetch adapter merges headers in this order, with later values winning:
- client
gatewayHeaders; - adapter
defaultHeaders; - headers already present on a
Requestinput; - per-call
RequestInit.headers; - tracing headers generated for the active agent context.
Bearer authorization is added only when an auth token is available,
authScheme is not "none", and the merged headers do not already contain an
Authorization value.
OpenAI-compatible transport
createOpenAIAgentTransport selects:
baseUrloption, thenclient.gatewayBaseUrl;apiKeyoption, thenclient.gatewayApiKey;- client gateway headers, then transport
defaultHeaders; - an enforced
x-keeptrusts-agent-idfor the suppliedagentId.
Its custom fetch reads the current withTracing context at request time, so a
model call inside that callback carries the callback's request ID and
traceparent.
Generic fetch transport
Relative inputs are resolved against the configured gateway base URL. A path
such as /chat/completions becomes
http://localhost:41002/v1/chat/completions with the default base.
The adapter does not serialize request bodies and does not set JSON content type. Callers sending JSON must provide both:
headers: { "Content-Type": "application/json" },
body: JSON.stringify(payload),
Claude and Codex builders
The builders return plain configuration objects. Their default child commands
reference ./claude-agent-adapter.mjs and ./codex-agent-adapter.mjs, which
the package does not ship.
The generated child environment contains:
KEEPTRUSTS_GATEWAY_URL;KEEPTRUSTS_API_TOKEN, containing the gateway key;KEEPTRUSTS_AGENT_ID;KEEPTRUSTS_REQUEST_ID;KEEPTRUSTS_TRACEPARENT;KEEPTRUSTS_GATEWAY_HEADERS_JSON.
Only use a builder when your application supplies and owns a compatible adapter process. The SDK does not launch Claude Code or Codex.
Credential rotation
Clients and transports capture credential strings when they are created. After rotating a secret, create a new client and any transports derived from it. Do not mutate the readonly fields or keep using an old transport.