// npm package
@almadar/llm
Multi-provider LLM client with rate limiting, token tracking, structured outputs, and continuation handling
versions
38
maintainers
1
first publish
2026-02-09
publisher
javasop
tarball
437,391 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-06-04
// exfil path
what is read → where it ships
steals
- ● AI API keys
sends to
- ⤳ api.moonshot.ai (via hostname var)
// offending code· @2.21.0· 3 files flagged
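llm: malicious · 0.95 → Credential read (reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature. The same pairing also describes what a multi-provider LLM client does by design: the client.ts header lists Kimi among the supported providers, and api.moonshot.ai is the API host of Moonshot AI, the vendor behind Kimi. None of the excerpts on this page shows the key read or the request itself, so the verdict should be confirmed against the full 2.21.0 tarball: check that each provider key is sent only to its own provider's host, and what can set the hostname variable.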
- @2.21.0 · AUTO-PUBLISHED · publisher: javasop · heuristic 64/100 · static flags 4 · llm malicious (0.95) via fast-track · new-publisher:16d · mature-package · has-source-repo · publisher-multi-name-burst:6 · publisher-version-pump:11 · public-github-push · reads-ai-api-keys · reads-env-vars · dest-via-hostname-var
→ Credential read (reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
// offending code· 3 files flaggedpatterns: 4
--- package/package.json (excerpt) --- { "name": "@almadar/llm", "version": "2.21.0", "description": "Multi-provider LLM client with rate limiting, token tracking, structured outputs, and continuation handling", "type": "module", "main": "./dist/index.js", "types": "./dist/index.d.ts", "exports": { ".": { "types": "./dist/index.d.ts", "import": "./dist/index.js" }, "./client": { "types": "./dist/client.d.ts", "import": "./dist/client.js" }, "./json-parser": { "types": "./dist/json-parser.d.ts", "import": "./dist/json-parser.js" }, "./structured-output": { "types": "./dist/structured-output.d.ts", "import": "./dist/structured-output.js" }, "./providers": { "types": "./dist/providers/index.d.ts", "import": "./dist/providers/index.js" } }, "files": [ "dist", "src" ], "dependencies": { "@anthropic-ai/sdk": "^0.52.0", "@langchain/anthropic": "^1.3.23", "@langchain/core": "^1.1.32", "@langchain/openai": "^1.2.13", "openai": "^6.18.0", "zod": "^3.22.0" }, "peerDependencies": { "@almadar/core": ">=8.5.0" }, "devDependencies": { "@almadar/core": "^8.5.1", "@almadar/eslint-plugin": ">=2.3.0", "@types/node": "^22.0.0", "@typescript-eslint/parser": "8.56.0", "eslint": "10.0.0", "tsup": "^8.0.0", "typescript": "^5.3.0" }, "repository": { "type": "git", "url": "https://github.com/almadar-io/almadar-llm.git", "directory": --- package/src/client.ts (excerpt) --- /** * Shared LLM Client * * Multi-provider LLM client with: * - OpenAI, DeepSeek, Anthropic, and Kimi support * - Anthropic prompt caching (CachingChatAnthropic) * - Rate limiting and retry logic * - Token tracking * - Structured output parsing with Zod * * @packageDocumentation */ import { ChatOpenAI } from '@langchain/openai'; import { ChatAnthropic } from '@langchain/anthropic'; import type { BaseMessageLike } from '@langchain/core/messages'; import Anthropic from '@anthropic-ai/sdk'; import { z } from 'zod'; import { RateLimiter, getGlobalRateLimiter, type RateLimiterOptions, } from './rate-limiter.js'; import { 
TokenTracker, getGlobalTokenTracker } from './token-tracker.js'; import { parseJsonResponse } from './json-parser.js'; import { parseChatCompletionResponse, type ChatCompletionMessage, type ChatCompletionToolDef, } from './tool-call-types.js'; // ============================================================================ // Local type helpers (avoid Record<string, unknown> and unsafe casts) // ============================================================================ /** Anthropic generation output with usage metadata (not in Langchain's base types). */ interface AnthropicGenerationWithUsage { message?: { usage_metadata?: { cache_creation_input_tokens?: number; cache_read_input_tokens?: number; input_tokens?: number; output_tokens?: number; }; }; } /** Response metadata from OpenAI-compatible provid --- package/src/embedding-client.ts (excerpt) --- /** * Embedding Client * * Single-purpose client for text embeddings. Used by `@almadar-io/agent`'s * cosine-similarity catalog retrieval (rank organisms + atoms against the * user's request before rendering Stage A's prompt) and by * `@almadar/std`'s publish-time embedding bake step. * * Providers: * - `openai` (default model `text-embedding-3-small`, 1536-d) — requires * `OPENAI_API_KEY`. * - `openrouter` (default model `baai/bge-base-en-v1.5`, 768-d) — requires * `OPEN_ROUTER_API_KEY`. Same OpenAI-compatible request shape, just a * different base URL. * * Both providers return the same response envelope (`{data:[{embedding,index}]}`), * so the request/response code is shared. * * @packageDocumentation */ export type EmbeddingProvider = 'openai' | 'openrouter'; export interface EmbeddingClientOptions { provider: EmbeddingProvider; /** Defaults: openai → text-embedding-3-small, openrouter → baai/bge-base-en-v1.5. */ model?: string; /** Override API key. Defaults to provider-specific env var. */ apiKey?: string; /** Override base URL. Defaults to provider canonical endpoint. 
*/ baseUrl?: string; } export interface EmbeddingUsage { promptTokens: number; totalTokens: number; } export interface EmbeddingResult { embedding: readonly number[]; usage: EmbeddingUsage; } export interface EmbeddingBatchResult { embeddings: readonly (readonly number[])[]; usage: EmbeddingUsage; } interface OpenAIEmbeddingApiResponse { --- dynamic destinations --- → api.moonshot.ai (via hostname-var)
