Detecte/docs

verify()

verify() is the single most important method. Wrap every sensitive action with it, and perform the action only when the returned decision allows it.

Signature

detecte.verify(input: {
  agent: string;                              // agent id or name
  action: string;                             // free-form, e.g. "refund_order"
  params?: Record<string, unknown>;           // structured action parameters
  context?: Record<string, unknown>;          // metadata: user, request id, etc.
  sensitive?: string[];                       // params keys to redact in storage
  sessionId?: string;                         // groups multi-step flows
  idempotencyKey?: string;                    // safe retries
}): Promise<Decision>

Return value

{
  id: string;
  allowed: boolean;
  status: "allowed" | "blocked" | "escalated" | "pending_approval";
  reason: string | null;
  policies_evaluated: Array<{ id: string; name: string; result: string }>;
  risk_delta: number;
  approval_url: string | null;
  expires_at?: string;
  metadata: { latency_ms: number };
}

Patterns

Throw on block

const d = await detecte.verify({ agent, action, params });
// BlockedByDetecte is an error class your application defines; d.reason may be null.
if (!d.allowed) throw new BlockedByDetecte(d.reason);

Wait for human approval

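const d = await detecte.verify({ agent, action, params });
// Only the pending_approval case is handled here; "blocked" and "escalated"
// decisions still need their own check (see "Throw on block").
if (d.status === "pending_approval") {
  // Wait up to 5 minutes for a reviewer's decision.
  const final = await detecte.approvals.wait(d.id, { timeoutMs: 5 * 60_000 });
  if (!final.approved) throw new Error("Rejected by reviewer");
}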
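
A fail-closed wrapper that combines the "Throw on block" and "Wait for human approval" patterns, added here as an example and not taken from the Detecte SDK or its docs. It assumes only the verify() and approvals.wait() calls shown on this page; guard, ActionDenied and makeStubClient are hypothetical names, and the stub client is constructed so the code runs offline.

```javascript
// Added example. guard, ActionDenied and makeStubClient are hypothetical
// names for illustration; they are not part of the Detecte SDK.
class ActionDenied extends Error {
  constructor(decision, why) {
    super(`${why}: ${decision?.reason ?? "no reason given"}`);
    this.name = "ActionDenied";
    this.decisionId = decision?.id ?? null; // keep the id for audit correlation
  }
}

// Runs `run` only on a positive decision. Blocked, escalated, rejected,
// malformed or unavailable decisions all end in ActionDenied (fail closed).
async function guard(detecte, input, run, { timeoutMs = 5 * 60_000 } = {}) {
  let d = null;
  let permitted = false;
  let why = "denied";
  try {
    d = await detecte.verify(input);
    if (d.status === "pending_approval") {
      const final = await detecte.approvals.wait(d.id, { timeoutMs });
      permitted = final?.approved === true;
      why = "not approved";
    } else {
      // Require both fields to agree before treating the action as allowed.
      permitted = d.allowed === true && d.status === "allowed";
      why = String(d.status);
    }
  } catch (err) {
    // Network error, timeout or malformed response: deny instead of proceeding.
    why = `decision unavailable (${err.message})`;
  }
  if (!permitted) throw new ActionDenied(d, why);
  return run(d);
}

// Constructed stub standing in for the SDK client so the example runs offline.
function makeStubClient(decision, approval) {
  return {
    verify: async () => decision,
    approvals: { wait: async () => approval },
  };
}
```

The sensitive action goes inside the run callback, so there is no code path that reaches it without a positive decision.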

Redact PII before storage

await detecte.verify({
  agent: "support_bot",
  action: "lookup_account",
  params: { ssn: "555-12-3456", email: "u@x.com" },
  sensitive: ["ssn", "email"],
});

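The original values are HMAC-hashed before they are persisted. Policies that match on equality ({ "params.ssn": { $eq: "..." } }) still work because the hash is deterministic. The same property means that records holding the same value carry the same stored hash, so they remain linkable in storage.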