Mastra

Wrap Mastra agents with Checkrd policy enforcement and telemetry.

Mastra

Mastra is the fastest-growing TypeScript agent framework (22K+ stars, 1.8M monthly downloads). Checkrd ships two adapters:

wrapMastraAgent(agent, options) — Proxy-wraps an agent's generate() and stream() methods so each invocation is policy-evaluated before the model runs.
checkrdMastraTelemetry(options) — Drop-in Telemetry provider config so Mastra's built-in telemetry pipeline emits Checkrd events.

Install

bash

npm install checkrd @mastra/core

Quickstart

typescript

import { initAsync } from "checkrd";
import { wrapMastraAgent } from "checkrd/integrations/mastra";
import { Agent } from "@mastra/core/agent";
import { openai } from "@ai-sdk/openai";

const checkrd = await initAsync({
  policy: "policy.yaml",
  agentId: "support-agent",
});

const agent = new Agent({
  name: "support-agent",
  instructions: "You are a customer support specialist.",
  model: openai("gpt-4o"),
});

const guarded = wrapMastraAgent(agent, {
  engine: checkrd.engine,
  enforce: true,
  agentId: "support-agent",
  sink: checkrd.sink,
});

const result = await guarded.generate("How do I reset my password?");

guarded is a Proxy over the original agent — pass it anywhere you'd pass agent. Methods other than generate and stream flow through untouched.

Telemetry provider

To emit Checkrd telemetry events from every Mastra agent in your app via Mastra's own telemetry pipeline, wire checkrdMastraTelemetry:

typescript

import { Mastra } from "@mastra/core";
import { checkrdMastraTelemetry } from "checkrd/integrations/mastra";

const mastra = new Mastra({
  telemetry: checkrdMastraTelemetry({
    engine: checkrd.engine,
    agentId: "default",
    sink: checkrd.sink,
  }),
  agents: {
    /* ... */
  },
});

Use both adapters together — wrapMastraAgent enforces policy, checkrdMastraTelemetry ensures every event Mastra emits flows into Checkrd.

What gets enforced

Mastra call	Synthetic URL
`agent.generate(...)`	`https://mastra.local/agents/{agentName}/generate`
`agent.stream(...)`	`https://mastra.local/agents/{agentName}/stream`

Body fields: the input message(s), agent metadata.

yaml

agent: support-agent
default: allow

rules:
  - name: deny-customer-data-export
    deny:
      url: "mastra.local/agents/support-agent/*"
      body:
        messages: "*export all customers*|*download customer list*"

Caveats

Wrap each agent individually. A Mastra app can have many agents; wrap each whose policy you want enforced. They can share the same engine + sink — pass agentId per-agent for telemetry attribution.
stream() token counts are accumulated as the stream is consumed; the completion event fires after the consumer drains the stream.
Mastra's tool-use surface is currently observed via the wrapped generate/stream body; tool-call gating is on the Checkrd roadmap pending Mastra's tool middleware spec.

Vercel AI SDK Next.js