CleanLibrary JavaScript SDK
@cleanstart/cleanlib-sdk is the JavaScript / TypeScript client library for CleanLibrary. It wraps the same HTTP surface that powers the CLI, the MCP server, and the VS Code extension behind a small, typed API you can drop into any Node.js or browser-side program.
1. What it does
The JavaScript SDK answers the same package-manager-layer questions as the CLI, but from inside a JS / TS program rather than from a shell:
- Is this version safe to install? —
client.fetchVerdict(...) - What does my policy do with this package? —
client.policyPreview(...) - Should I accept the risk on this finding? —
client.riskAccept(...)
The wire contract is identical to every other CleanLibrary client. A verdict returned by the JavaScript SDK has the same shape as a verdict returned by the CLI or the MCP server, so you can mix-and-match clients within one workflow.
2. Install
npm install @cleanstart/cleanlib-sdk
pnpm / yarn users:
pnpm add @cleanstart/cleanlib-sdk
yarn add @cleanstart/cleanlib-sdk
The SDK ships as ESM + CJS dual-package and includes TypeScript types. It targets Node.js 18+ and modern browsers; it has no native dependencies.
3. Quickstart
import { HttpVerdictClient } from "@cleanstart/cleanlib-sdk";
const client = new HttpVerdictClient("https://cleanapp.clnstrt.dev", {
apiKey: process.env.CLEANLIB_API_KEY!,
});
const verdict = await client.fetchVerdict("npm", "lodash", "4.17.21");
console.log(`verdict_id: ${verdict.verdict_id}`);
console.log(`severity: ${verdict.severity}`);
console.log(`source: ${verdict.source}`);
Output:
verdict_id: <stable-identifier>
severity: NONE
source: ALLOWED_NO_FINDINGS
4. Configuration
The HttpVerdictClient constructor accepts an endpoint positional argument plus an options object:
| Option | Purpose | Default |
|---|---|---|
apiKey | Bearer token (typically from CLEANLIB_API_KEY env var); alias: bearer | (required) |
apiVersion | API version path segment | "v1" |
timeoutMs | Per-request timeout in milliseconds | 30_000 |
fetch | Optional fetch implementation override (for testing or custom transports) | global fetch |
The convention for production deployments is to read endpoint and apiKey from environment variables and let everything else default:
const client = new HttpVerdictClient(process.env.CLEANLIB_ENDPOINT!, {
apiKey: process.env.CLEANLIB_API_KEY!,
});
5. API reference
client.fetchVerdict(ecosystem, package, version) -> Promise<Verdict>
Returns a verdict for a single (ecosystem, package, version) tuple. The Verdict shape conforms to VerdictEnvelopeV1Schema and carries the verdict identifier, severity, source label, freshness fields, and remediation hints.
interface Verdict {
verdict_id: string; // stable identifier for this decision
source: string; // ALLOWED_NO_FINDINGS | VECTOR_VERDICT | DM_THRESHOLD_BLOCK | INSUFFICIENT_DATA
severity: string; // NONE | LOW | MEDIUM | HIGH | CRITICAL
composite_score: number; // 0-100 confidence in the decision
reasoning: string;
suggested_actions: string[];
// Plus freshness, similar_to, evidence_gaps, attestation, and rich-data fields
}
client.scan(packages) -> Promise<ScanResponse>
Scans a list of package references in one round-trip and returns a ScanResponse containing a verdict per package. Suitable for CI pipelines or admission controllers that need a single round-trip.
client.policyPreview(policyYaml, packages) -> Promise<PolicyPreviewResponse>
Returns what your candidate policy would decide for the given packages, with the matching policy rule attached. Useful for "if I add this rule, will it break my CI?" checks.
client.riskAccept(verdictId, justification) -> Promise<RiskAcceptResponse>
Records a customer-side risk-acceptance against a specific verdict.