docs(sdk): [29.8] update interceptor docs with axios, undici, env vars, ESM/CJS

Zie619 · claude · Zie619 · commit dfae34597bd4 · 2026-02-18T18:45:36.000+02:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/BIBLE.md b/BIBLE.md
@@ -252,7 +252,9 @@ client.track({ type: EventType.TOOL_CALL, name: 'search', payload: {} });
 ```
 
 **Modules**: `client.ts`, `events.ts`, `cedar.ts`, `interceptor.ts`, `standalone.ts`
-**Build**: `tsc` (TypeScript), outputs to `dist/`
+**Interception**: `fetch` (always), `axios` (optional), `undici` (optional) -- auto-detected at install-time
+**Integrations**: LangChain.js (`TruseraLangChainHandler` with optional Cedar enforcement)
+**Build**: `tsup` -- dual ESM (`dist/index.js`) + CJS (`dist/index.cjs`) with `.d.ts` declarations
 **Test**: `vitest`
 
 ### Go SDK (`trusera-sdk-go/`)
@@ -267,8 +269,9 @@ client.Track(trusera.Event{Type: trusera.ToolCall, Name: "search"})
 
 **Modules**: `trusera.go`, `events.go`, `cedar.go`, `interceptor.go`, `standalone.go`
 **Build**: standard Go modules (`go.mod` points to `github.com/Trusera/ai-bom/trusera-sdk-go`)
-**Test**: `go test ./...`
+**Test**: `go test ./...` (CI gate in auto-release.yml runs tests before tagging)
 **Version**: git tag only (`trusera-sdk-go/vX.Y.Z`), no version file
+**Env vars**: `TRUSERA_API_KEY` (fallback for empty apiKey), `TRUSERA_API_URL` (fallback for base URL)
 
 ---
 
diff --git a/docs/interceptor-sdks.md b/docs/interceptor-sdks.md
@@ -69,14 +69,15 @@ Choose the SDK that matches your agent's language:
 |---------|--------|------------|-----|
 | **Package name** | `trusera-sdk` | `trusera-sdk` | `trusera-sdk-go` |
 | **Install command** | `pip install trusera-sdk` | `npm install trusera-sdk` | `go get github.com/Trusera/ai-bom/trusera-sdk-go` |
-| **HTTP Interception** | `@monitor` decorator | `fetch` monkey-patch | `http.RoundTripper` wrapper |
+| **HTTP Interception** | `@monitor` decorator | `fetch` + `axios` + `undici` | `http.RoundTripper` wrapper |
 | **LangChain Integration** | `TruseraCallbackHandler` | `TruseraLangChainHandler` | -- |
 | **CrewAI Integration** | `TruseraCrewCallback` (StepCallback) | -- | -- |
 | **AutoGen Integration** | `TruseraAutoGenHook` (MessageHook) | -- | -- |
 | **Enforcement Modes** | `log` / `warn` / `block` | `log` / `warn` / `block` | `log` / `warn` / `block` |
 | **Event Batching** | Thread-based queue | Timer-based queue | Goroutine-based queue |
 | **Async Support** | `asyncio` native | Native `Promise` / `async-await` | Goroutines |
-| **External Dependencies** | `httpx` | None (native `fetch`) | None (stdlib only) |
+| **Module Format** | -- | ESM + CJS (dual output via tsup) | -- |
+| **External Dependencies** | `httpx` | None (native `fetch`); optional `axios`, `undici` | None (stdlib only) |
 | **Min Runtime** | Python 3.9+ | Node.js 18+ | Go 1.21+ |
 | **Type Safety** | Type hints (mypy) | Full TypeScript generics | Static typing |
 | **Context Manager** | `with` statement | -- | `defer client.Close()` |
@@ -151,10 +152,14 @@ decorated function is called, the SDK captures input arguments, measures executi
 time, records the return value (or exception), and queues an event. A background
 thread flushes events to the Trusera API at configurable intervals.
 
-**TypeScript** -- The `TruseraInterceptor` replaces the global `fetch` function with
-a wrapper that captures request URL, method, headers, and body. After the real
-request completes, the SDK records the response status and queues an event. A
-`setInterval` timer drives periodic flushes.
+**TypeScript** -- The `TruseraInterceptor` patches up to three HTTP libraries
+automatically: native `fetch` (always available), `axios` (via request/response
+interceptors), and `undici` (via monkey-patching `request` and `fetch`). Libraries
+are detected at install-time using `require()` -- if absent, they are silently
+skipped. Each intercepted call captures URL, method, headers, and body; after the
+real request completes the SDK records the response status and queues an event. A
+`setInterval` timer drives periodic flushes. The SDK ships as both ESM and CJS
+(built with tsup) so it works in any Node.js or Bun environment.
 
 **Go** -- The SDK provides a custom `http.RoundTripper` that wraps the standard
 `http.Transport`. Every request passing through the wrapped `http.Client` is
@@ -293,8 +298,36 @@ await model.invoke("What are the top AI security risks?");
 await client.close();
 ```
 
+**With Cedar Policy Enforcement**:
+
+The handler supports optional Cedar policy enforcement for tool and LLM calls.
+Pass `enforcement` and a `cedarEvaluator` to activate runtime policy checks:
+
+```typescript
+import {
+  TruseraClient,
+  TruseraLangChainHandler,
+  CedarEvaluator,
+} from "trusera-sdk";
+
+const evaluator = new CedarEvaluator();
+await evaluator.loadPolicy(`
+  forbid (principal, action == Action::"*", resource)
+  when { resource.hostname == "langchain" };
+`);
+
+const handler = new TruseraLangChainHandler(client, {
+  enforcement: "block", // or "warn" or "log"
+  cedarEvaluator: evaluator,
+});
+
+// In block mode, denied tool/LLM calls throw:
+// Error: [Trusera] Policy violation: tool search denied - ...
+```
+
 **What gets tracked**: Same event types as the Python LangChain integration --
-`LLM_INVOKE`, `TOOL_CALL`, and `DECISION` events.
+`LLM_INVOKE`, `TOOL_CALL`, and `DECISION` events. When enforcement is active,
+`POLICY_VIOLATION` events are also tracked for denied actions.
 
 ---
 
@@ -1035,11 +1068,16 @@ client := trusera.NewClient("tsk_your_api_key",
 
 | Option Function | Type | Default | Description |
 |----------------|------|---------|-------------|
-| `WithBaseURL(url)` | `string` | `https://api.trusera.io` | API base URL |
+| `WithBaseURL(url)` | `string` | env `TRUSERA_API_URL` or `https://api.trusera.io` | API base URL |
 | `WithAgentID(id)` | `string` | `""` | Pre-registered agent ID |
 | `WithFlushInterval(d)` | `time.Duration` | `5s` | Duration between flushes |
 | `WithBatchSize(n)` | `int` | `100` | Maximum events per batch |
 
+**Environment Variable Fallbacks**: If the `apiKey` argument is empty,
+`NewClient` reads `TRUSERA_API_KEY`. The default base URL is read from
+`TRUSERA_API_URL` (falling back to `https://api.trusera.io`). Explicit
+`WithBaseURL()` overrides the environment variable.
+
 **Interceptor Options**:
 
 | Field | Type | Default | Description |
@@ -1124,7 +1162,7 @@ identically in the Trusera dashboard.
 
 **Key differences**:
 - TypeScript `flush()` and `close()` return Promises; always `await` them.
-- The TypeScript SDK uses `fetch` interception instead of a decorator pattern.
+- The TypeScript SDK intercepts `fetch`, `axios`, and `undici` automatically.
   Wrap tool functions manually with `createEvent()` if you need per-function tracking.
 - CrewAI and AutoGen integrations are Python-only.
 
diff --git a/trusera-sdk-go/README.md b/trusera-sdk-go/README.md
@@ -186,6 +186,29 @@ event := trusera.NewEvent(trusera.EventDecision, "approve_transaction").
 
 ## Configuration Options
 
+### Environment Variables
+
+The Go SDK reads configuration from environment variables when explicit values
+are not provided:
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `TRUSERA_API_KEY` | API key (used when `apiKey` argument is `""`) | (none) |
+| `TRUSERA_API_URL` | Base URL for the Trusera API | `https://api.trusera.io` |
+
+```bash
+export TRUSERA_API_KEY=tsk_your_api_key
+export TRUSERA_API_URL=https://api.trusera.io
+```
+
+```go
+// Reads TRUSERA_API_KEY and TRUSERA_API_URL from environment
+client := trusera.NewClient("")
+defer client.Close()
+```
+
+Explicit values always take precedence over environment variables.
+
 ### Client Options
 
 ```go
diff --git a/trusera-sdk-js/README.md b/trusera-sdk-js/README.md
@@ -7,9 +7,10 @@ The official TypeScript/JavaScript SDK for monitoring AI agents with [Trusera](h
 
 ## Key Features
 
-- **Transparent HTTP Interception**: Zero-code instrumentation of all outbound HTTP calls
+- **Transparent HTTP Interception**: Zero-code instrumentation via `fetch`, `axios`, and `undici`
 - **Policy Enforcement**: Runtime evaluation against Cedar policies with configurable enforcement modes
-- **LangChain.js Integration**: First-class support for LangChain.js callbacks
+- **LangChain.js Integration**: First-class support for LangChain.js callbacks with optional Cedar enforcement
+- **ESM + CJS**: Dual-format output (built with tsup) -- works in any Node.js or Bun environment
 - **Rich Event Tracking**: Track LLM calls, tool executions, data access, and custom events
 - **Batched Transmission**: Automatic event batching and retry logic
 - **Type-Safe**: Full TypeScript support with strict typing
@@ -74,6 +75,54 @@ await model.invoke("What are the top AI security risks?");
 await client.close();
 ```
 
+### Axios and Undici Interception
+
+The interceptor automatically detects and patches `axios` and `undici` if they
+are installed. No additional configuration is needed:
+
+```typescript
+import axios from "axios";
+import { TruseraClient, TruseraInterceptor } from "trusera-sdk";
+
+const client = new TruseraClient({ apiKey: "tsk_xxx" });
+const interceptor = new TruseraInterceptor();
+interceptor.install(client, { enforcement: "warn" });
+
+// axios requests are now tracked automatically
+await axios.get("https://api.openai.com/v1/models");
+
+// undici requests too (if undici is installed)
+// import { request } from "undici";
+// await request("https://api.openai.com/v1/models");
+
+await client.close();
+interceptor.uninstall();
+```
+
+Libraries are detected via `require()` at install-time. If a library is not
+installed, it is silently skipped with no errors.
+
+### LangChain.js with Cedar Enforcement
+
+Add Cedar policy enforcement to tool and LLM calls:
+
+```typescript
+import { TruseraClient, TruseraLangChainHandler, CedarEvaluator } from "trusera-sdk";
+
+const evaluator = new CedarEvaluator();
+await evaluator.loadPolicy(`
+  forbid (principal, action == Action::"*", resource)
+  when { resource.hostname == "langchain" };
+`);
+
+const handler = new TruseraLangChainHandler(client, {
+  enforcement: "block",
+  cedarEvaluator: evaluator,
+});
+
+// Denied tool/LLM calls throw in block mode
+```
+
 ### Manual Event Tracking
 
 For custom instrumentation:
@@ -282,17 +331,28 @@ The SDK tracks six core event types:
 
 #### Methods
 
-- `install(client: TruseraClient, options?: InterceptorOptions): void`: Install HTTP interceptor
-- `uninstall(): void`: Restore original fetch and remove interceptor
+- `install(client: TruseraClient, options?: InterceptorOptions): void`: Install HTTP interceptor for `fetch`, `axios` (if available), and `undici` (if available)
+- `uninstall(): void`: Restore original fetch, eject axios interceptors, and restore undici functions
 
 ### `TruseraLangChainHandler`
 
 #### Methods
 
-- `constructor(client: TruseraClient)`: Create handler for LangChain callbacks
+- `constructor(client: TruseraClient, options?: LangChainHandlerOptions)`: Create handler for LangChain callbacks with optional Cedar enforcement
 - `getPendingEventCount(): number`: Get count of incomplete events
 - `clearPendingEvents(): void`: Clear all pending events
 
+#### LangChainHandlerOptions
+
+```typescript
+interface LangChainHandlerOptions {
+  enforcement?: "block" | "warn" | "log";
+  cedarEvaluator?: CedarEvaluator;
+}
+```
+
+When `enforcement` is `"block"` and a Cedar policy denies a tool/LLM call, the handler throws an `Error`. In `"warn"` mode it logs via `console.warn`. In `"log"` mode (default) violations are tracked silently.
+
 ### Utility Functions
 
 - `createEvent(type: EventType, name: string, payload?, metadata?): Event`: Create a well-formed event
