Integration architecture

Axtary is not limited to applications written in TypeScript, but its current embeddable libraries are Node.js packages. Most teams should install only the CLI and run Axtary beside the agent or service. TypeScript/JavaScript teams can instead embed the SDK or compose the lower-level packages. Other languages can call the local HTTP boundary for implemented connectors, use the MCP wrapper, or put a small trusted Node sidecar in front of a custom tool.

There is no hosted execution API that receives provider credentials and calls tools for you. The enforcement process runs in your infrastructure; the hosted dashboard is an optional approval and evidence plane.

Choose the smallest integration

Your environmentStart withInstallWhat changes
Claude Code, Cursor, or Codex in a repositoryLocal proxy + supported runtime hooknpm install -g @axtary/cliOne generated hook file and axtary.yml; Axtary runs on the same machine.
Any agent that calls MCP toolsAxtary MCP wrappernpm install -g @axtary/cliPoint the MCP client at axtary mcp serve; the upstream stays behind policy, ActionPass verification, and definition pins.
Existing Node.js/TypeScript service that owns the tool callIn-process SDKnpm install @axtary/actionpassCall authorize, verify the pass at the execution boundary, execute, then record.
Existing service in Python, Go, Java, Rust, or another languageSame-host local proxyInstall @axtary/cli in a Node runtime beside the serviceSend normalized JSON to loopback POST /actions for a configured connector, or POST /authorize for decision-only integration.
Custom internal tool or APIMCP wrapper, or a custom Node enforcement hostCLI for MCP; otherwise @axtary/proxy plus the packages your host usesPut the provider call behind a registered handler. A decision-only call is not an execution boundary by itself.
CI job or self-hosted runnerCLI in the job/runnernpx @axtary/cli … or install the CLI in the runner imageInject credential env vars from the existing secret manager; keep the proxy and action on the same runner.
Team approval and shared audit reviewLocal runtime + hosted dashboardSame local install; no provider package runs in the browserEnable only the hosted approval and/or ledger-sync bridge you need. Provider execution remains local.

If you are evaluating Axtary, use the CLI row. It installs one executable and brings the other eight runtime packages as dependencies. Do not install all nine packages individually unless you are building a custom host.

What runs where

agent or service
      |
      | hook, MCP, SDK call, or loopback HTTP JSON
      v
customer-operated enforcement process
  normalize -> policy -> exact approval? -> ActionPass -> ledger -> adapter
      |                                                        |
      | optional approval request / redacted evidence          | provider credential
      v                                                        v
hosted dashboard                                          GitHub / Slack /
(people and proof only)                                   Linear / Jira / …

The enforcement process owns the hot path and provider credentials. The dashboard cannot execute provider actions. Two optional bridges connect the planes:

  • A hosted step-up request sends the exact normalized payload and hashes so a human can review that content. Do not enable this bridge for payloads your policy forbids sending to the hosted reviewer.
  • Ledger sync sends a verified, redacted evidence projection. It excludes provider credentials, auth headers, raw responses, private signing keys, agent prompts, and payload bodies.

Local policy, execution, and ledger verification work without a hosted account. Hosted approval is deliberately in the path only for actions whose policy decision is step_up; routine local allows do not wait on the cloud.

TypeScript, JavaScript, and other languages

The published @axtary/*@0.4.0 packages are ESM Node.js packages supporting Node ^20.19.0, ^22.13.0, or >=24.

  • CLI users write no TypeScript. The axtary executable runs the local proxy, hooks, MCP wrapper, connectors, policy checks, and evidence commands.
  • JavaScript and TypeScript use the same SDK. Type declarations ship with every package; TypeScript is optional.
  • Other languages use a process boundary today. Use MCP or loopback HTTP JSON, or run a small Node sidecar that owns the Axtary handler. Axtary does not currently publish maintained Python, Go, Java, or Rust SDKs.
  • The hosted dashboard is not the language-neutral execution API. It coordinates people and evidence and never receives provider credentials.

The local proxy intentionally rejects non-loopback bind addresses because its HTTP boundary has no general-purpose network authentication. Keep it on the same machine, runner, or Kubernetes pod as the caller. A shared cross-host proxy, public ingress, or central unauthenticated 0.0.0.0:7331 deployment is not a supported topology.

The local HTTP JSON boundary

Start the proxy:

axtary proxy --config axtary.yml

It listens on 127.0.0.1:7331 by default and exposes two action endpoints:

EndpointBehaviorUse it when
POST /actionsParses, decides, issues an ActionPass, records the decision, executes a registered handler if authorized, and records the outcome.The configured Axtary adapter owns the provider call. This is the stronger default.
POST /authorizeParses, decides, issues an ActionPass for an allow, and records the decision, but does not call a provider handler.A trusted hook or service owns the later execution boundary and will enforce the result.

Both accept the public normalized action shape:

{
  "schemaVersion": "axtary.action.v0",
  "actor": {
    "agentId": "agent:design-partner",
    "humanOwner": "user:operator@example.com",
    "runtime": "internal-service",
    "tenant": "org:local"
  },
  "intent": {
    "taskId": "INC-418",
    "declaredGoal": "Search the approved runbook before remediation"
  },
  "capability": {
    "tool": "docs.documents.search",
    "resource": "docs:local",
    "payload": {
      "workspace": "local",
      "query": "database failover",
      "maxResults": 5
    }
  }
}

For a decision-only probe from any language:

curl --fail-with-body http://127.0.0.1:7331/authorize \
  --header 'content-type: application/json' \
  --data-binary @action.json

Read status, decision.decision, decision.reasons, explanation, and ledger.record.payloadHash from the response. For an allow, actionPass.claims.payloadHash must match that ledger hash. The proxy stamps the configured tenant onto the normalized action rather than trusting a caller-supplied tenant label. A successful HTTP status does not mean the action was allowed: policy denials and step-ups are valid decision responses.

POST /authorize cannot stop a caller that ignores its response and still uses a provider credential. For a real security boundary, keep credentials in the Axtary adapter/sidecar and use /actions, or verify the ActionPass again in the trusted component that performs the side effect. Never give the provider credential to the agent and call /authorize only as advisory logging.

Where the nine packages fit

The packages are composable implementation layers, not nine installation steps:

PackageResponsibilityWho installs it directly
@axtary/cliAssembles the proxy, hooks, MCP, connectors, approvals, and evidence commands into the axtary executable.Nearly every evaluator and normal deployment.
@axtary/actionpassNormalized action schema, canonical hashes, ActionPass issue/verify primitives, and the five-verb SDK facade.Node services embedding Axtary or implementing independent verification.
@axtary/configParses and validates axtary.yml; supports file-backed policy reload.Custom Node runtime hosts using the shared config format.
@axtary/policyDeterministic allow / deny / step_up policy plus Cedar, Rego, and ACS mappings.Custom policy hosts and conformance tooling.
@axtary/ledgerCrash-durable local JSONL chain, attestations, proofs, forensics, SIEM, and OTLP projections.Custom runtime or auditor implementations.
@axtary/proxyComposes policy, budgets, approval evidence, ActionPass issuance, ledger records, and registered handlers.Teams building a custom Node enforcement host.
@axtary/adaptersDemo and explicitly configured provider handlers; verifies ActionPass again before side effects.Custom hosts that want Axtary's implemented connectors.
@axtary/approvalsExact-payload approval artifacts, queue contract, and hosted resolver/client.Custom runtime/control-plane integrations.
@axtary/mcpMCP action normalization, tool-definition hashing, pins, signed provenance, and upstream invokers.Custom MCP hosts; normal users get it through the CLI.

The usual execution spine is:

config -> policy -> approval evidence -> ActionPass -> proxy -> adapter
                    \________________ ledger evidence ________________/

MCP adds tool-definition identity before policy.
CLI assembles and operates the entire spine.

Deployment patterns for an existing company

Developer workstation

Install the CLI globally, commit axtary.yml and the generated hook config, keep .axtary/ runtime state ignored, and start one proxy per protected workspace. This is the quickest design-partner path.

CI or self-hosted automation runner

Install the CLI in the runner image or invoke it with npx. Inject only the named credential environment variables from Vault, 1Password, Doppler, SOPS, or the runner's secret store. Run doctor connectors before protected work and export/attest the ledger as a job artifact. Do not print the environment.

Kubernetes workload

The current safe shape is a same-pod sidecar or companion process sharing the pod network namespace and a private ledger volume. The application talks to loopback; the Axtary process owns provider credentials. This describes how the current boundary composes with Kubernetes—it is not a claim that Axtary ships a Helm chart, operator, or managed cluster ingress today.

Existing Node service

Use @axtary/actionpass when the service already owns and can protect the tool execution boundary. Use @axtary/proxy plus registered handlers when you need configurable policy, durable ledger state, budgets, or hosted approval resolution. Use the CLI instead if the standard connectors are sufficient.

Existing non-Node service

For an implemented connector, keep the Axtary CLI proxy beside the service and send normalized actions to /actions. For a custom internal API, expose the operation as MCP and wrap it, or add a small trusted Node host using @axtary/proxy. A language-specific SDK can be added with a design partner, but it is not already shipped.

A design-partner integration sequence

  1. Pick one non-production action with a clear resource and payload.
  2. Decide the boundary: hook, MCP, implemented connector via /actions, or in-process SDK.
  3. Install the CLI unless a custom Node host is genuinely necessary.
  4. Start in credential-free demo mode and write policy fixtures for allow, deny, and step-up.
  5. Put the real credential in the local broker or the existing secret manager; keep only the environment-variable name in config.
  6. Run doctor connectors and a read/auth-only smoke check.
  7. Exercise the non-production action, then attest and independently verify the ledger.
  8. Add hosted approval only if a remote human must inspect the exact payload; add hosted sync only if the team wants shared evidence.
  9. Expand to another action only after the first boundary, policy, failure mode, and evidence are understood.

Next: run the Quickstart, choose a supported agent boundary, or embed the TypeScript/JavaScript SDK. Credential placement is covered in Credentials and connecting.