Skip to the content.

Web integration

Using AppSec Agent as an npm library inside a web server or API.

← Back to README · Development


Install as a library

npm install appsec-agent
import { AgentActions, loadYaml, type AgentArgs } from 'appsec-agent';

Ensure ANTHROPIC_API_KEY is set in the server environment (or CODEX_API_KEY when using Codex).


Basic request handler

Create a new AgentActions instance per HTTP request — do not share one instance across concurrent users.

import { AgentActions, loadYaml, type AgentArgs } from 'appsec-agent';

const confDict = loadYaml('conf/appsec_agent.yaml');

app.post('/api/query', async (req, res) => {
  const args: AgentArgs = {
    role: 'simple_query_agent',
    environment: 'default',
    verbose: false,
  };

  const agent = new AgentActions(confDict, 'default', args);
  const result = await agent.simpleQueryClaudeWithOptions(req.body.query);

  res.json({ result });
});

Other roles use similarly named methods on AgentActions:

Role Method
code_reviewer codeReviewerWithOptions(prompt, srcDir)
pr_reviewer diffReviewerWithOptions(prompt, srcDir)
threat_modeler threatModelerAgentWithOptions(prompt, srcDir)
pr_adversary prAdversaryWithOptions(prompt, srcDir)
code_fixer codeFixerWithOptions(prompt, srcDir)
qa_verifier qaVerifierWithOptions(prompt, srcDir)

See src/agent_actions.ts for the full list.


Thread safety

The package is designed for concurrent web traffic:

Safe Unsafe
New AgentActions per request Reusing one instance across requests
Capture process.cwd() once per request Calling process.cwd() repeatedly under load
Pass explicit paths to validators Sharing mutable state between handlers

Conversation history

Each AgentActions instance keeps its own conversation history — requests do not leak context to each other.

Tool usage logs

If you reuse AgentOptions across requests (unusual), clear logs between uses:

agentOptions.clearToolUsageLog();

Read-only access:

const log = agentOptions.getToolUsageLog();

Path validation

Always validate user-supplied paths before read/write:

import { validateInputFilePath, validateOutputFilePath } from 'appsec-agent';

const workingDir = process.cwd(); // once per request
const inputPath = validateInputFilePath(userSuppliedPath, workingDir);
const outputPath = validateOutputFilePath('report.json', workingDir);

Provider selection

Set process.env.AGENT_PROVIDER = 'claude' | 'codex' before creating AgentActions, or pass model/provider via AgentArgs when your integration supports it.

The library calls resolveProvider().run({ prompt, roleSpec }) internally — same behavior as the CLI.


Metrics and cost

Result messages may include:

Threat modeler and chunked PR reviews aggregate cost across batches when applicable.


Prefer a ready-made UI?

If you do not need a custom integration, use AI Threat Modeler — a Dockerized Next.js app that already wraps these agents with auth, dashboards, and exports.