
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@copass/ai-sdk
Advanced tools
Vercel AI SDK tool adapters for Copass — drop-in discover/interpret/search tools for LLM agents
Copass retrieval as Vercel AI SDK tools. The LLM decides whether to discover, interpret, or search — you don't write the tool-calling loop.
Install the Copass CLI and bootstrap your account:
npm install -g @copass/cli
copass login # email OTP
copass setup # creates a sandbox, writes .olane/refs.json
copass apikey create --name my-app # prints an olk_... key — shown once, save it
| Output | Use as |
|---|---|
olk_... key printed by copass apikey create | COPASS_API_KEY |
sandbox_id in ./.olane/refs.json | COPASS_SANDBOX_ID |
project_id in ./.olane/refs.json (optional) | COPASS_PROJECT_ID |
Ingest some content so retrieval has something to return:
copass ingest path/to/file.md
# or pipe stdin: echo "some decision or note" | copass ingest -
npm install @copass/ai-sdk @copass/core ai @ai-sdk/anthropic zod
The Copass-specific code is four lines. Everything else is vanilla Vercel AI SDK you'd write even without Copass.
import { CopassClient } from '@copass/core';
import { copassTools } from '@copass/ai-sdk';
import { generateText } from 'ai';
import { anthropic } from '@ai-sdk/anthropic';
// ── Copass (the entire integration) ──
const copass = new CopassClient({
auth: { type: 'api-key', key: process.env.COPASS_API_KEY! },
});
const window = await copass.contextWindow.create({
sandbox_id: process.env.COPASS_SANDBOX_ID!,
});
// ── Standard Vercel AI SDK call — only `tools:` is new ──
const { text } = await generateText({
model: anthropic('claude-opus-4-7'),
tools: copassTools({ client: copass, sandbox_id: window.sandboxId, window }),
maxSteps: 5,
prompt: 'what do we know about checkout retry behavior?',
});
console.log(text);
What Copass is actually doing:
new CopassClient({ auth }) — authenticated REST client.contextWindow.create(...) — opens an ephemeral data source for this conversation.copassTools({ ... }) — returns discover / interpret / search tools Claude can invoke autonomously. The window argument makes each retrieval window-aware at the server level.Everything else — generateText, model:, maxSteps:, prompt: — is vanilla Vercel AI SDK.
createWindowTrackerThe quickstart above runs one turn. For a multi-turn conversation where turn 2 retrieval should know what turn 1 surfaced, wrap with createWindowTracker:
import { copassTools, createWindowTracker } from '@copass/ai-sdk';
const tracker = createWindowTracker({ window });
// Per turn:
const userMessage = '...';
await tracker.recordUserTurn(userMessage);
const { text } = await generateText({
model,
tools: copassTools({ client: copass, sandbox_id: window.sandboxId, window }),
onStepFinish: tracker.onStepFinish, // auto-mirror assistant + tool messages
prompt: userMessage,
});
Three additions:
const tracker = createWindowTracker({ window }) at setup.tracker.recordUserTurn(msg) before each generateText — the user's message isn't in onStepFinish (it's the input), so capture it explicitly. Idempotent; safe to call redundantly.onStepFinish: tracker.onStepFinish on the generateText call — Vercel AI SDK's standard step-finish hook; the tracker mirrors each step's response.messages into the window, deduplicated.Tool messages (role: 'tool') are skipped by default since they're usually retrieval noise. Opt in with createWindowTracker({ window, includeToolMessages: true }) if you want them tracked.
discover for exploration, interpret for drilling into picked items, or search for a direct answer.window argument so the server knows which items have already been surfaced in this conversation. Add createWindowTracker (above) to get automatic cross-turn awareness.{header, items, next_steps} / {brief} / {answer}) — no sandbox/project echoes that waste tokens.| Tool | When the LLM calls it |
|---|---|
discover | "What's relevant?" — ranked menu of pointers |
interpret | "Tell me about these specific items." — brief pinned to canonical_ids |
search | "Answer this directly." — full synthesized answer |
@copass/core — client SDK@copass/langchain, @copass/mastra, copass-pydantic-ai — same shape for other frameworks@copass/mcp — standalone MCP server for Claude Code / Desktop / CursorMIT
FAQs
Vercel AI SDK tool adapters for Copass — drop-in discover/interpret/search tools for LLM agents
The npm package @copass/ai-sdk receives a total of 22 weekly downloads. As such, @copass/ai-sdk popularity was classified as not popular.
We found that @copass/ai-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.