ZeroLeaks SDK
Run hosted red-team scans against the exact agent, models, tools, memory, and middleware used by your application.
ZeroLeaks SDK
@zeroleaks/sdk connects the hosted ZeroLeaks attack engine to your application code. Runtime scans execute every probe through your real agent while the SDK preserves conversation state and reports actual tool calls and results.
Version 0.2.2 makes the complete production probe catalog the default for runtime scans, while preserving concurrent isolated sessions and stalled-worker detection. Upgrade with bun add @zeroleaks/sdk@^0.2.2; no application code changes are required.
import { ZeroLeaks, createRuntimeTarget } from "@zeroleaks/sdk";
const zeroleaks = new ZeroLeaks();
const target = createRuntimeTarget({
definition: {
name: "Production support agent",
provider: "custom",
tools: productionToolDefinitions,
},
invoke: ({ messages, sessionId, signal }) =>
runProductionAgent({ messages, sessionId, signal }),
reset: (sessionId) => resetAgentSession(sessionId),
});
const { report } = await zeroleaks.runtimeScans.run(target);
console.log(report.overallScore, report.toolTrace);Choose a scan path
| Path | Best for | What ZeroLeaks exercises |
|---|---|---|
| Runtime scans | Application code, CI, staging | Your real model configuration, instructions, memory, middleware, tools, and execution loop |
| AI SDK adapter | AI SDK Agent or ToolLoopAgent | Full AI SDK tool schemas, executions, results, and multi-turn state |
| OpenAI adapter | Responses API or Chat Completions | Native OpenAI request settings and local function-tool execution |
| Endpoint scans | Already-deployed HTTP agents | Production HTTP contract, authentication, response parsing, and declared tools |
| Prompt scans | A system prompt before an application exists | Hosted model simulation using the ZeroLeaks prompt scan engine |
| Skill scans | Agent skills and manifests | Static and behavioral analysis of repositories, URLs, or ZIP archives |
Production fidelity
Runtime scans use a relay protocol. The attack engine creates a probe, your SDK process claims it, and the SDK calls your target locally. The model or tool credentials never need to be sent to ZeroLeaks, and the target does not need a public URL.
The SDK automatically:
- separates extraction, injection, and agent-probe sessions;
- runs the complete production probe catalog by default;
- executes independent sessions concurrently while preserving ordering inside each multi-turn session;
- resets state when the engine starts a new conversation;
- passes the full conversation history to every invocation;
- includes all configured tools by default;
- preserves complete input and output schemas;
- records tool arguments, results, failures, and provider-executed calls;
- handles polling, retries, stalled-worker detection, cancellation, abort signals, and report retrieval.
Package design
- Node.js 18+ and Bun 1+
- ESM and CommonJS
- Typed errors and API responses
- Optional peer integrations for
aiandopenai - MIT-licensed SDK; hosted orchestration and attack intelligence remain server-side