@interven/sdk
v0.5.0
Published
Interven AI firewall — TypeScript SDK. Scan agent tool calls before they execute. Block malicious requests, redact PII/secrets, route risky actions to human approval.
Maintainers
Readme
@interven/sdk
TypeScript / JavaScript SDK for the Interven AI firewall. Scan agent tool calls before they execute — block malicious requests, redact PII and secrets, and route risky actions to human approval.
npm install @interven/sdkQuickstart
import { Client } from "@interven/sdk";
const client = new Client({ apiKey: process.env.INTERVEN_API_KEY });
const result = await client.scan({
method: "POST",
url: "https://slack.com/api/chat.postMessage",
body: { text: "Customer SSN 478-23-9156, email [email protected]" },
});
if (result.decision === "ALLOW") {
await sendToSlack(originalBody);
} else if (result.decision === "SANITIZE") {
await sendToSlack(result.sanitizedBody);
} else if (result.decision === "REQUIRE_APPROVAL") {
await pollApproval(result.approvalId!);
} else {
console.warn("Blocked by Interven:", result.reasonCodes);
}That's it. Get an API key at intervensecurity.com (free tier: 1,000 scans/month).
Decisions
| Decision | What to do |
|----------|-----------|
| ALLOW | Forward the original request to the upstream API |
| DENY | Block the call. Reason codes explain why. |
| SANITIZE | Forward result.sanitizedBody instead of the original — secrets/PII have been redacted |
| REQUIRE_APPROVAL | Pause; poll /approvals/{id}/status until decided |
Configuration
| Option | Env var | Default |
|--------|---------|---------|
| apiKey | INTERVEN_API_KEY | — (required) |
| gatewayUrl | INTERVEN_GATEWAY_URL | https://api.intervensecurity.com |
| timeoutMs | — | 30000 |
| agentId | — | unset (server uses default) |
| runtimeType | — | "node" |
Framework recipes
LangChain.js
import { Client } from "@interven/sdk";
import type { ToolRunnableConfig } from "@langchain/core/tools";
const interven = new Client({ apiKey: process.env.INTERVEN_API_KEY });
async function safeFetch(url: string, init: RequestInit) {
const result = await interven.scan({
method: (init.method as string) ?? "GET",
url,
body: init.body ? JSON.parse(init.body as string) : {},
runtimeType: "langchain",
});
if (result.decision === "DENY") throw new Error(`Blocked: ${result.reasonCodes.join(", ")}`);
return fetch(url, init);
}Generic agent / MCP server
Wrap any outbound HTTP call with client.scan(...) before sending. Works with the Vercel AI SDK, OpenAI Agents, custom MCP servers, etc.
Legacy: HMAC AifClient
The original HMAC-signed /invoke flow is still supported for existing customers:
import { AifClient } from "@interven/sdk";
const client = new AifClient({
gatewayUrl: "http://localhost:4000",
agentId: "00000000-0000-0000-0000-000000000010",
agentName: "release-bot",
agentSecret: process.env.AGENT_SECRET!,
});
const r = await client.invoke({
toolName: "github",
method: "PUT",
urlPath: "/repos/acme/main-app/collaborators/external-user",
credentialType: "pat",
credentialToken: process.env.GH_TOKEN!,
scopes: ["repo"],
});New integrations should prefer Client — fewer required fields and no secret to manage.
Errors
import {
IntervenAuthenticationError,
IntervenGatewayError,
IntervenPayloadTooLargeError,
} from "@interven/sdk";
try {
await client.scan({ method: "GET", url: "..." });
} catch (e) {
if (e instanceof IntervenAuthenticationError) { /* bad key */ }
if (e instanceof IntervenPayloadTooLargeError) { /* >256KB */ }
if (e instanceof IntervenGatewayError) { /* network or 5xx */ }
}License
MIT © Interven Security
