Integration architecture
Axtary is not limited to applications written in TypeScript, but its current embeddable libraries are Node.js packages. Most teams should install only the CLI and run Axtary beside the agent or service. TypeScript/JavaScript teams can instead embed the SDK or compose the lower-level packages. Other languages can call the local HTTP boundary for implemented connectors, use the MCP wrapper, or put a small trusted Node sidecar in front of a custom tool.
There is no hosted execution API that receives provider credentials and calls tools for you. The enforcement process runs in your infrastructure; the hosted dashboard is an optional approval and evidence plane.
Choose the smallest integration
| Your environment | Start with | Install | What changes |
|---|---|---|---|
| Claude Code, Cursor, or Codex in a repository | Local proxy + supported runtime hook | npm install -g @axtary/cli | One generated hook file and axtary.yml; Axtary runs on the same machine. |
| Any agent that calls MCP tools | Axtary MCP wrapper | npm install -g @axtary/cli | Point the MCP client at axtary mcp serve; the upstream stays behind policy, ActionPass verification, and definition pins. |
| Existing Node.js/TypeScript service that owns the tool call | In-process SDK | npm install @axtary/actionpass | Call authorize, verify the pass at the execution boundary, execute, then record. |
| Existing service in Python, Go, Java, Rust, or another language | Same-host local proxy | Install @axtary/cli in a Node runtime beside the service | Send normalized JSON to loopback POST /actions for a configured connector, or POST /authorize for decision-only integration. |
| Custom internal tool or API | MCP wrapper, or a custom Node enforcement host | CLI for MCP; otherwise @axtary/proxy plus the packages your host uses | Put the provider call behind a registered handler. A decision-only call is not an execution boundary by itself. |
| CI job or self-hosted runner | CLI in the job/runner | npx @axtary/cli … or install the CLI in the runner image | Inject credential env vars from the existing secret manager; keep the proxy and action on the same runner. |
| Team approval and shared audit review | Local runtime + hosted dashboard | Same local install; no provider package runs in the browser | Enable only the hosted approval and/or ledger-sync bridge you need. Provider execution remains local. |
If you are evaluating Axtary, use the CLI row. It installs one executable and brings the other eight runtime packages as dependencies. Do not install all nine packages individually unless you are building a custom host.
What runs where
agent or service
|
| hook, MCP, SDK call, or loopback HTTP JSON
v
customer-operated enforcement process
normalize -> policy -> exact approval? -> ActionPass -> ledger -> adapter
| |
| optional approval request / redacted evidence | provider credential
v v
hosted dashboard GitHub / Slack /
(people and proof only) Linear / Jira / …
The enforcement process owns the hot path and provider credentials. The dashboard cannot execute provider actions. Two optional bridges connect the planes:
- A hosted step-up request sends the exact normalized payload and hashes so a human can review that content. Do not enable this bridge for payloads your policy forbids sending to the hosted reviewer.
- Ledger sync sends a verified, redacted evidence projection. It excludes provider credentials, auth headers, raw responses, private signing keys, agent prompts, and payload bodies.
Local policy, execution, and ledger verification work without a hosted
account. Hosted approval is deliberately in the path only for actions whose
policy decision is step_up; routine local allows do not wait on the cloud.
TypeScript, JavaScript, and other languages
The published @axtary/*@0.4.0 packages are ESM Node.js packages supporting
Node ^20.19.0, ^22.13.0, or >=24.
- CLI users write no TypeScript. The
axtaryexecutable runs the local proxy, hooks, MCP wrapper, connectors, policy checks, and evidence commands. - JavaScript and TypeScript use the same SDK. Type declarations ship with every package; TypeScript is optional.
- Other languages use a process boundary today. Use MCP or loopback HTTP JSON, or run a small Node sidecar that owns the Axtary handler. Axtary does not currently publish maintained Python, Go, Java, or Rust SDKs.
- The hosted dashboard is not the language-neutral execution API. It coordinates people and evidence and never receives provider credentials.
The local proxy intentionally rejects non-loopback bind addresses because its
HTTP boundary has no general-purpose network authentication. Keep it on the
same machine, runner, or Kubernetes pod as the caller. A shared cross-host
proxy, public ingress, or central unauthenticated 0.0.0.0:7331 deployment is
not a supported topology.
The local HTTP JSON boundary
Start the proxy:
axtary proxy --config axtary.yml
It listens on 127.0.0.1:7331 by default and exposes two action endpoints:
| Endpoint | Behavior | Use it when |
|---|---|---|
POST /actions | Parses, decides, issues an ActionPass, records the decision, executes a registered handler if authorized, and records the outcome. | The configured Axtary adapter owns the provider call. This is the stronger default. |
POST /authorize | Parses, decides, issues an ActionPass for an allow, and records the decision, but does not call a provider handler. | A trusted hook or service owns the later execution boundary and will enforce the result. |
Both accept the public normalized action shape:
{
"schemaVersion": "axtary.action.v0",
"actor": {
"agentId": "agent:design-partner",
"humanOwner": "user:operator@example.com",
"runtime": "internal-service",
"tenant": "org:local"
},
"intent": {
"taskId": "INC-418",
"declaredGoal": "Search the approved runbook before remediation"
},
"capability": {
"tool": "docs.documents.search",
"resource": "docs:local",
"payload": {
"workspace": "local",
"query": "database failover",
"maxResults": 5
}
}
}
For a decision-only probe from any language:
curl --fail-with-body http://127.0.0.1:7331/authorize \
--header 'content-type: application/json' \
--data-binary @action.json
Read status, decision.decision, decision.reasons, explanation, and
ledger.record.payloadHash from the response. For an allow,
actionPass.claims.payloadHash must match that ledger hash. The proxy stamps
the configured tenant onto the normalized action rather than trusting a
caller-supplied tenant label. A successful HTTP status does not mean the action
was allowed: policy denials and step-ups are valid decision responses.
POST /authorize cannot stop a caller that ignores its response and still
uses a provider credential. For a real security boundary, keep credentials in
the Axtary adapter/sidecar and use /actions, or verify the ActionPass again in
the trusted component that performs the side effect. Never give the provider
credential to the agent and call /authorize only as advisory logging.
Where the nine packages fit
The packages are composable implementation layers, not nine installation steps:
| Package | Responsibility | Who installs it directly |
|---|---|---|
@axtary/cli | Assembles the proxy, hooks, MCP, connectors, approvals, and evidence commands into the axtary executable. | Nearly every evaluator and normal deployment. |
@axtary/actionpass | Normalized action schema, canonical hashes, ActionPass issue/verify primitives, and the five-verb SDK facade. | Node services embedding Axtary or implementing independent verification. |
@axtary/config | Parses and validates axtary.yml; supports file-backed policy reload. | Custom Node runtime hosts using the shared config format. |
@axtary/policy | Deterministic allow / deny / step_up policy plus Cedar, Rego, and ACS mappings. | Custom policy hosts and conformance tooling. |
@axtary/ledger | Crash-durable local JSONL chain, attestations, proofs, forensics, SIEM, and OTLP projections. | Custom runtime or auditor implementations. |
@axtary/proxy | Composes policy, budgets, approval evidence, ActionPass issuance, ledger records, and registered handlers. | Teams building a custom Node enforcement host. |
@axtary/adapters | Demo and explicitly configured provider handlers; verifies ActionPass again before side effects. | Custom hosts that want Axtary's implemented connectors. |
@axtary/approvals | Exact-payload approval artifacts, queue contract, and hosted resolver/client. | Custom runtime/control-plane integrations. |
@axtary/mcp | MCP action normalization, tool-definition hashing, pins, signed provenance, and upstream invokers. | Custom MCP hosts; normal users get it through the CLI. |
The usual execution spine is:
config -> policy -> approval evidence -> ActionPass -> proxy -> adapter
\________________ ledger evidence ________________/
MCP adds tool-definition identity before policy.
CLI assembles and operates the entire spine.
Deployment patterns for an existing company
Developer workstation
Install the CLI globally, commit axtary.yml and the generated hook config,
keep .axtary/ runtime state ignored, and start one proxy per protected
workspace. This is the quickest design-partner path.
CI or self-hosted automation runner
Install the CLI in the runner image or invoke it with npx. Inject only the
named credential environment variables from Vault, 1Password, Doppler, SOPS,
or the runner's secret store. Run doctor connectors before protected work and
export/attest the ledger as a job artifact. Do not print the environment.
Kubernetes workload
The current safe shape is a same-pod sidecar or companion process sharing the pod network namespace and a private ledger volume. The application talks to loopback; the Axtary process owns provider credentials. This describes how the current boundary composes with Kubernetes—it is not a claim that Axtary ships a Helm chart, operator, or managed cluster ingress today.
Existing Node service
Use @axtary/actionpass when the service already owns and can protect the tool
execution boundary. Use @axtary/proxy plus registered handlers when you need
configurable policy, durable ledger state, budgets, or hosted approval
resolution. Use the CLI instead if the standard connectors are sufficient.
Existing non-Node service
For an implemented connector, keep the Axtary CLI proxy beside the service and
send normalized actions to /actions. For a custom internal API, expose the
operation as MCP and wrap it, or add a small trusted Node host using
@axtary/proxy. A language-specific SDK can be added with a design partner,
but it is not already shipped.
A design-partner integration sequence
- Pick one non-production action with a clear resource and payload.
- Decide the boundary: hook, MCP, implemented connector via
/actions, or in-process SDK. - Install the CLI unless a custom Node host is genuinely necessary.
- Start in credential-free demo mode and write policy fixtures for allow, deny, and step-up.
- Put the real credential in the local broker or the existing secret manager; keep only the environment-variable name in config.
- Run
doctor connectorsand a read/auth-onlysmokecheck. - Exercise the non-production action, then attest and independently verify the ledger.
- Add hosted approval only if a remote human must inspect the exact payload; add hosted sync only if the team wants shared evidence.
- Expand to another action only after the first boundary, policy, failure mode, and evidence are understood.
Next: run the Quickstart, choose a supported agent boundary, or embed the TypeScript/JavaScript SDK. Credential placement is covered in Credentials and connecting.