sdk.workspace &dev
Manage agents, configure policies, and access the full audit log for your domain.
Agent Management
// List all agents for a domain
const agents = await sdk.workspace.agents.list('myapp.gao')
// Get single agent
const agent = await sdk.workspace.agents.get(agentId)
// Pause agent (can resume)
await sdk.workspace.agents.pause(agentId)
// Revoke agent (permanent)
await sdk.workspace.agents.revoke(agentId)
---
### Policy Management
Policies define what agents can do, at what risk tier, and what requires human approval.
// Get current policy
const policy = await sdk.workspace.policy.get('myapp.gao')
// Update policy
await sdk.workspace.policy.update('myapp.gao', {
safe_mode: false, // true = all actions require approval
default_enforcement: 'allow', // 'allow' | 'require_approval' | 'deny'
rules: [
{
rule_id: 'block-payments-over-100',
action_category: 'settlement',
condition: { threshold: 100 },
enforcement: 'require_approval',
approver_roles: ['Owner'],
expiry_seconds: null,
},
{
rule_id: 'always-approve-emails',
action_category: 'connector:gmail:send',
enforcement: 'require_approval',
approver_roles: ['Owner', 'Operator'],
}
]
})
Risk Tiers
Tier
Default Enforcement
Examples
low
Allow automatically
Read data, resolve identity
medium
Allow automatically
Create files, internal writes
high
Require approval
Send emails, deploy apps
critical
Require approval
Domain changes, large payments
Audit Log
Every agent action, policy decision, and system event is recorded as an immutable audit event.
// List recent events
const events = await sdk.workspace.audit.list('myapp.gao', {
limit: 50,
since: '2026-01-01T00:00:00Z',
event_type: 'action_executed', // optional filter
})
// Real-time stream (for Studio Traces tab)
for await (const event of sdk.workspace.audit.stream('myapp.gao')) {
console.log(event.event_type, event.outcome, event.timestamp)
}
---
### Audit Event Types
Event
When It Fires
session\_started
GAR session begins
session\_completed
GAR session ends successfully
policy\_evaluated
Policy Gate makes a decision
approval\_requested
High-risk action needs human approval
approval\_decided
Approver responds
action\_executed
Tool or connector called
artifact\_created
Agent produces output
connector\_accessed
External connector called
model\_inference
AI model called
billing\_event
Usage or payment event
---
## sdk.developer — Developer Layer (L3)
Manage capability tokens, connector integrations, and SDK versioning.
---
### Capability Tokens
See Capability Tokens for the full reference. Quick summary:
// Request
const cap = await sdk.developer.capability.request(capability, domain, ttl)
// Validate
await sdk.developer.capability.validate(cap.token)
// Revoke
await sdk.developer.capability.revoke(cap.hash)
Connectors
Connect your agents to external services.
// List available connectors
const connectors = await sdk.developer.connectors.list()
// Returns: id, name, tier, auth_type, available_actions[]
// Execute a connector action
const result = await sdk.developer.connectors.execute(
'gmail', // connector ID
'send', // action
{
to: 'customer@email.com',
subject: 'Booking confirmed',
body: 'Your appointment is confirmed...',
},
capability // must have developer:connector:gmail:send
)
---
### Available Connectors
**Tier 1 (built-in):** gmail, google\_drive, google\_calendar, slack, github, notion, jira
**Tier 2:** twitter, linkedin, shopify, stripe, airtable, hubspot, salesforce
**Gao-Native (elevated trust):** meshii, payii, tmail, gao\_workspace, gao\_domains
**Custom:** oauth2, webhook, rest\_api
---
### Connector Auth
```typescript
// Start OAuth flow
const { auth_url } = await sdk.developer.connectors.execute(
'gmail',
'auth',
{
redirect_uri: 'https://myapp.gao/oauth/callback'
},
capability
)
// Redirect user to auth_url
// After callback, connector is authorized for this domain
SDK Version
const version = await sdk.developer.version()
// version.sdk — "GS/1.1.1"
// version.aip — ["AIP-01", ..., "AIP-18"]
// version.runtime — GAR