Ctrlk

Advanced Topics

Advanced TypeScript Shield topics including debugging, optimization, streaming, context objects, sessions, logging, and telemetry.

This page collects the deeper operational and debugging features of the TypeScript SDK.

Advanced Request Options

Use explain, debug, optimize, dryrun, early_exit, and contexts for debugging, profiling, and context-aware detection:

const explainResp = await client.guard.evaluate({
  content: userInput,
  content_type: "prompt",
  action: "process_prompt",
  explain: true,
});
console.log(explainResp.explanation);
console.log(explainResp.root_causes);
console.log(explainResp.tiers_evaluated);
console.log(explainResp.projected_context);

const debugResp = await client.guard.evaluate({
  content: userInput,
  content_type: "prompt",
  action: "process_prompt",
  debug: true,
});
for (const d of debugResp.detectors ?? []) {
  console.log(`${d.name}:`, d.context);
}

const optimizedResp = await client.guard.evaluate({
  content: userInput,
  content_type: "prompt",
  action: "process_prompt",
  optimize: true,
});
console.log(optimizedResp.optimization?.required_detectors.length, "detectors ran");

const dryrunResp = await client.guard.evaluate({
  content: userInput,
  content_type: "prompt",
  action: "process_prompt",
  optimize: true,
  dryrun: true,
});

const earlyExitResp = await client.guard.evaluate({
  content: userInput,
  content_type: "prompt",
  action: "process_prompt",
  early_exit: true,
});

const contextualResp = await client.guard.evaluate({
  content: modelResponse,
  content_type: "response",
  action: "process_prompt",
  contexts: [originalPrompt, ...ragChunks],
});

Streaming

client.guard.stream() returns an AsyncIterable of StreamEvent.

event.type

Description

"detector_result"

Per-detector result as each streamed event arrives

"decision"

Final allow or deny decision

"error"

Stream error

The iterator ends naturally when the stream closes. There is no separate typed "done" event in the public StreamEvent interface.

Agentic Context

Pass structured context for richer detection and policy evaluation.

MCPContext Fields

Field
Type
Description

server_name

string

MCP server name

server_url

string?

MCP server URL

transport

string?

Transport protocol: "sse", "stdio", or "http"

verified

boolean?

Whether the server passed trust or signature checks

capabilities

string[]?

Advertised capabilities from the server manifest

FileContext Fields

Field
Type
Description

path

string

File path

operation

string

File operation such as "read", "write", or "append"

size

number?

File size in bytes

mime_type

string?

File MIME type

file_name

string?

Original file name

file_extension

string?

File extension such as "pdf" or "docx"

sensitivity_level

string?

"public", "internal", "confidential", or "restricted"

mip_label_id

string?

Microsoft Information Protection label GUID

mip_label_name

string?

MIP label display name

is_encrypted

boolean?

Whether the file is encrypted

is_rights_managed

boolean?

Whether the file has IRM or RMS restrictions

Error Handling

Class
When thrown
Key properties

BlockedError

Guard decision is "deny" from Shield wrappers

response: GuardResponse

AuthenticationError

401 Unauthorized

status, title, detail

RateLimitError

429 Too Many Requests

status, title, detail

APIError

Non-2xx HTTP response from the service

status, title, detail

APIConnectionError

Network failure or timeout

message

HighflameError

Base class

Enforcement Modes

Mode

Behavior

resp.decision

resp.alerted

"enforce"

Block on deny

"deny" on violation

false

"monitor"

Allow and log silently

"allow"

false

"alert"

Allow and trigger alerting pipeline

"allow"

true if violated

Session Tracking

Pass a session_id to enable cumulative risk tracking across conversation turns.

Multi-Project Support

Pass accountId and projectId to scope all requests to a specific project:

Client Options

Option
Type
Default
Description

apiKey

string

required

Service key (hf_sk_...), agent key (hfa_...), ZeroID key (zid_sk_...), or raw JWT

baseUrl

string

Highflame SaaS

Guard service URL

tokenUrl

string

Highflame SaaS

Token exchange URL used for hf_sk_*, hfa_*, and zid_sk_* keys

timeout

number

30000

Request timeout in milliseconds

maxRetries

number

2

Retries on transient errors

accountId

string

Optional customer account ID

projectId

string

Optional project ID

defaultHeaders

Record<string, string>

Extra headers merged into every request

logger

Logger

Optional logger with debug, info, and warn methods

Auth Header Reuse

Use getAuthHeaders() when you want the SDK to manage token exchange and header construction, but you are sending requests through your own HTTP client or middleware.

Logging

Pass a logger object if you want the SDK to emit debug, info, and warn messages through your application's logging pipeline.

OpenTelemetry

If @opentelemetry/api is installed and a tracer provider is configured, the SDK automatically:

  • injects W3C trace context into outgoing Shield requests

  • creates client-side spans for guard and detect calls

When OpenTelemetry is not installed or not configured, these hooks safely no-op.

Internal Usage

Internal services that call Shield for non-guardrails products must set the X-Product header.

When X-Product is not set, Shield defaults to "guardrails". External customers should not need to set this header.

TypeScript Notes

Use import type for type-only imports when verbatimModuleSyntax is enabled:

PreviousLow-Level ClientNextAgent Frameworks

Last updated