npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@neurarelay/sdk

v0.1.1

Published

Neura Relay SDK for Action Card decision receipts.

Downloads

927

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

neurarelayneurarelay

Keywords

neurarelayaction-carddecision-receiptmcpa2aagent-governance

Readme

Neura Relay SDK v0.1.1

Stable package for the Neura Relay HTTP API.

Status: @neurarelay/[email protected] is published on npm with the latest dist-tag.

Package identity:

@neurarelay/[email protected]

The public developer path is the GitHub relay-action-card example, Relay Workspace sandbox proof, and this npm package. The SDK wraps the same direct Action Card to Decision Receipt path and keeps execution in the developer-owned system.

Current private API contract anchor: protected-session POST /api/developer/resolve-action-card responses include private_developer_api.version = "0.2", private_developer_api.response_posture = "decision_receipt_validation_registry_ledger_trace_refs_only", stable refs, sanitized receipt explanation and route-pressure summaries, Registry-backed production-trust posture, and explicit no-execution, no-public-key, no-public-production-token, and no-private-payload flags.

Version 0.1.1 includes typed authority_context.source support for the Registry-backed delegated authority trust slice. This lets source consumers branch on registry_reference_packet versus developer_supplied_unverified after reading a Decision Receipt.

SDK v0.1.1 includes:

  • createNeuraRelaySdk
  • createResolveClient
  • createPrivateDeveloperApiClient
  • resolveActionCardWithPrivateDeveloperApi
  • resolveActionCardForDeveloperRouting
  • buildPrivateDeveloperActionRoutingDecision
  • createRelayA2AClient
  • fetchRelayA2AAgentCard
  • sendActionCardThroughRelayA2A
  • A2A aliases and extractors: discover, resolveActionCard, resolveActionCardThroughRelayA2A, getRelayA2ADecisionReceiptArtifactData, and getRelayA2AControlledRuntimeContract
  • createRelayMcpClient
  • listRelayMcpTools
  • callRelayMcpTool
  • resolveActionCardThroughRelayMcp
  • governed case lifecycle helpers
  • RelaySdkHttpError
  • RelaySdkResponseShapeError
  • dist/index.js ESM build output
  • dist/index.d.ts declaration output
  • package exports map
  • subpath exports for ./a2a, ./mcp, ./resolve, ./private-developer-api, and ./governed-cases
  • package examples for core Action Card, A2A Agent Card, protected A2A Action Card, and protected MCP resolve
  • TypeScript-first Action Card example
  • TypeScript-first delegated authority source inspection through DecisionReceiptAuthorityContextV01
  • TypeScript-first private developer routing example with delegated authority trust posture
  • TypeScript-first Authority Layer v1 readiness example
  • TypeScript-first A2A Action Card example
  • npm pack verification
  • clean consumer install verification

The SDK mirrors the direct core path:

Action Card -> Relay -> Decision Receipt -> trace / ledger / Registry context

When delegated authority is present, the typed Decision Receipt authority context exposes:

receipt.authority_context?.source
// "registry_reference_packet" | "developer_supplied_unverified"

registry_reference_packet means Relay matched the delegated authority refs against a protected Registry Relay Reference Packet. developer_supplied_unverified means Relay preserved refs-only developer-supplied authority without claiming Registry-backed authority.

It also mirrors the verified public A2A discovery boundary: /.well-known/agent-card.json is public metadata, while /a2a remains protected execution only. The SDK A2A response type follows Relay's real task-shaped JSON-RPC result: kind: "task", completed task status, Decision Receipt artifact data, trace ref, transaction ref, registry-trust summary, controlled-runtime contract, refs-only payload posture, and developer-owned downstream execution. The SDK does not issue public A2A tokens, public API keys, public production MCP tokens, token values, private payloads, or downstream execution commands.

Current Scope

Stable package support includes:

  • aggregate SDK facade
  • resolve flow
  • protected-session private API response contract inspection
  • private developer routing decision helper
  • public Agent Card fetch
  • protected A2A message/send Action Card wrapper
  • controlled A2A runtime-contract and Decision Receipt artifact extractors in repository source
  • protected MCP tools/list and tools/call wrappers
  • protected MCP resolve_action_card wrapper
  • governed case creation
  • governed case retrieval
  • evidence attachment
  • proposal
  • challenge
  • approve
  • block
  • reopen
  • close
  • typed HTTP and response-shape errors

Install

From any Node 18+ project:

npm install @neurarelay/sdk

Run the public GitHub example:

git clone https://github.com/neurarelay/relay-action-card.git
cd relay-action-card
npm install
npm run example:sdk

Source Repo Development

The commands in this section are for the Relay source repository, not for a normal npm consumer project.

Start Relay locally from the repo root:

npm run dev

Default local base URL:

http://localhost:3000

Local Package Build

From the Relay repo root:

npm run build:sdk
npm run verify:sdk-package-candidate

The package verifier runs npm pack, installs the generated tarball into a clean temporary consumer project, imports @neurarelay/sdk at runtime, and type-checks the declaration output.

The protected TypeScript A2A example ships in the package as examples/typescript-a2a-action-card.ts. It requires RELAY_A2A_ACCESS_TOKEN and reads the task artifact returned from protected message/send; it is not public token issuance or unprotected A2A execution.

The live npm publication verifier checks npm install metadata and a clean outside consumer install:

npm run verify:sdk-npm-publication

For manual local package inspection:

npm pack ./packages/sdk --pack-destination .sdk-pack

Then install the generated .tgz into a separate local test project.

Aggregate Usage

import { createNeuraRelaySdk } from "@neurarelay/sdk";

const neura = createNeuraRelaySdk({
  baseUrl: "http://localhost:3000",
  headers: {
    "x-neura-relay-internal-key": process.env.NEURA_RELAY_INTERNAL_ACCESS_KEY ?? ""
  }
});

const resolution = await neura.resolve.resolve({
  action_card: {
    version: "0.1",
    agent: {
      id: "agent_support_reply_001",
      owner: "acme_support",
      capability: "customer_message_draft",
      capabilityVersion: "0.1.0"
    },
    proposedAction: {
      type: "send_message",
      summary: "Send a customer reply confirming that the document was received and will be reviewed today.",
      target: "customer_thread_123"
    },
    affectedObject: "customer_thread_123",
    context: {
      evidenceRefs: ["ticket_123", "uploaded_document_456"],
      ruleRefs: ["customer_reply_policy"],
      riskCategory: "customer_communication",
      requestedOutcome: "proceed_or_review"
    }
  }
});

console.log(resolution.decision_receipt?.decision);
console.log(resolution.decision_receipt?.trace_ref);

Private Developer Routing

The protected private developer route returns a refs-only response and can be converted into a developer-owned execution route:

const routing = await neura.privateDeveloper.resolveActionCardForRouting({
  version: "0.1",
  agent: {
    id: "agent_support_reply_001",
    owner: "acme_support",
    capability: "customer_message_draft",
    capabilityVersion: "0.1.0"
  },
  proposedAction: {
    type: "send_message",
    summary: "Send a customer follow-up email",
    target: "customer_thread_123"
  },
  context: {
    evidenceRefs: ["ticket_123"],
    ruleRefs: ["customer_reply_policy"],
    riskCategory: "customer_communication",
    requestedOutcome: "proceed_or_review"
  }
});

if (routing.route === "ready_for_developer_owned_execution") {
  // Developer-owned system may continue after honoring its own execution controls.
}

For delegated authority routing, inspect the trust posture before your system executes:

if (
  routing.production_trust.delegated_authority_source ===
    "registry_reference_packet" &&
  routing.production_trust.delegated_authority_status === "ready"
) {
  // Registry-backed delegated authority is ready for developer-owned execution.
}

Routes:

  • ready_for_developer_owned_execution
  • hold_for_production_trust_review
  • human_review
  • revise
  • stop
  • hold

For the protected-session walkthrough, read the Relay repo's Private Developer API quickstart at docs/private-developer-api-quickstart.md. The public GitHub adoption repo also includes npm run example:sdk:authority-routing, which demonstrates the same ready/hold/review routing logic using public delegated-authority demo refs.

Authority Layer v1 Readiness

Protected private developer responses include authority_layer_v1, and the SDK can turn that contract into a readiness object:

const response = await neura.privateDeveloper.resolveActionCard(actionCard);
const readiness = buildAuthorityLayerV1DeveloperReadiness(response);

if (readiness.ready && response.decision_receipt?.decision === "proceed") {
  // Developer-owned system may continue after honoring its own execution controls.
}

The package example examples/typescript-authority-layer-v1.ts checks the v1 contract, scenario floor, closed boundary flags, refs-only core path, and developer-owned execution boundary before returning a local routing posture.

A2A Usage

const agentCard = await neura.a2a.getAgentCard();

const a2aResponse = await neura.a2a.sendActionCard({
  version: "0.1",
  agent: {
    id: "agent_support_reply_001",
    owner: "acme_support",
    capability: "customer_message_draft",
    capabilityVersion: "0.1.0"
  },
  proposedAction: {
    type: "send_message",
    summary: "Send a customer follow-up email",
    target: "customer_thread_123"
  },
  context: {
    evidenceRefs: ["ticket_123"],
    ruleRefs: ["customer_reply_policy"],
    riskCategory: "customer_communication",
    requestedOutcome: "proceed_or_review"
  }
});

const task = a2aResponse.result;
const artifactData = getRelayA2ADecisionReceiptArtifactData(a2aResponse);
const runtimeContract = getRelayA2AControlledRuntimeContract(a2aResponse);

console.log(agentCard.skills.map((skill) => skill.id));
console.log(task?.status.state);
console.log(artifactData?.decision_receipt?.receipt_id);
console.log(artifactData?.trace_ref);
console.log(artifactData?.transaction_ref);
console.log(artifactData?.registry_trust?.posture);
console.log(runtimeContract?.version);

The A2A client sends JSON-RPC message/send to /a2a with browser credentials included by default. That endpoint is protected; unauthenticated clients should expect rejection. Repository source also supports caller-supplied idempotency keys and returns only a hashed idempotency.key_ref, not the raw key.

MCP Usage

const tools = await neura.mcp.listTools();

const mcpResponse = await neura.mcp.resolveActionCard({
  version: "0.1",
  agent: {
    id: "agent_support_reply_001",
    owner: "acme_support",
    capability: "customer_message_draft",
    capabilityVersion: "0.1.0"
  },
  proposedAction: {
    type: "send_message",
    summary: "Resolve through protected MCP before execution",
    target: "customer_thread_123"
  },
  context: {
    evidenceRefs: ["ticket_123"],
    ruleRefs: ["customer_reply_policy"],
    riskCategory: "customer_communication",
    requestedOutcome: "proceed_or_review"
  }
});

console.log(tools.result?.tools?.map((tool) => tool.name));
console.log(mcpResponse.result?.isError ?? false);

The MCP client calls protected /mcp. It requires Workspace sandbox access, controlled production access, or an equivalent authorized bearer credential. It does not issue tokens.

Package Examples

From the Relay source repo:

node packages/sdk/examples/core-action-card.mjs
tsx packages/sdk/examples/typescript-action-card.ts
tsx packages/sdk/examples/typescript-private-developer-routing.ts
tsx packages/sdk/examples/typescript-authority-layer-v1.ts
node packages/sdk/examples/a2a-agent-card.mjs
RELAY_A2A_ACCESS_TOKEN=<controlled_a2a_token> tsx packages/sdk/examples/typescript-a2a-action-card.ts
NEURA_RELAY_MCP_TOKEN=<workspace_sandbox_token> node packages/sdk/examples/mcp-protected-resolve.mjs

Production Action Card Example

const response = await fetch("https://www.neurarelay.com/api/resolve", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    action_card: {
      version: "0.1",
      agent: {
        id: "agent_support_reply_001",
        owner: "acme_support",
        capability: "customer_message_draft",
        capabilityVersion: "0.1.0"
      },
      proposedAction: {
        type: "send_message",
        summary: "Send a customer reply confirming that the document was received and will be reviewed today.",
        target: "customer_thread_123"
      },
      affectedObject: "customer_thread_123",
      context: {
        evidenceRefs: ["ticket_123", "uploaded_document_456"],
        ruleRefs: ["customer_reply_policy"],
        riskCategory: "customer_communication",
        requestedOutcome: "proceed_or_review"
      }
    }
  })
});

const result = await response.json();

console.log(result.decision_receipt.decision);
console.log(result.decision_receipt.trace_ref);
console.log(result.decision_receipt.recommended_next_step);

Boundary

This SDK does not introduce:

  • public API-key issuance
  • public production MCP token issuance
  • public A2A token issuance
  • unprotected A2A execution
  • downstream execution
  • private payload exposure
  • external Registry submission
  • Registry auto-approval

Developer-owned systems still execute, revise, stop, or escalate action after reading the Decision Receipt and production-trust context.