SDKs

Go SDK

Quickstart for the Lattix Go SDK — a Go-idiomatic wrapper over the Rust core for the public control-plane contract and local embedded-protection helpers.

The Go SDK is a thin typed wrapper over the Rust SDK core. It exposes the same public control-plane contract with Go-idiomatic types and also ships local embedded-protection helpers for CID binding, artifact protection, and detached signatures. It is the right choice for sidecars, gateways, and service-mesh enforcement where a compiled binary needs to call into the Lattix control plane.

This page is a conceptual quickstart. Full API reference — every exported type, every field, every option — lives with the Go module itself at github.com/LATTIX-IO/sdk-go-public and via pkg.go.dev.

Install

The Go module path is github.com/LATTIX-IO/sdk-go-public. In addition to go get, the Go SDK requires a version-matched native Rust library installed alongside the Go binary.

One-command native bootstrap

A release of the Go module attaches two installer scripts. Run the one for your platform:

Linux / macOS

./install-native.sh
source ./activate-native.sh

Windows

./install-native.ps1

The installer downloads the matching sdk-rust native archive and exposes the environment variables needed for CGO builds or native loading.

Manual install

If you already manage native dependencies yourself, install the Rust core library alongside the Go binary:

  • Windows — place sdk_rust.dll next to your executable, or set LATTIX_SDK_RUST_LIB to its path.
  • Linux / macOS — install libsdk_rust.so or libsdk_rust.dylib, make lattix_sdk.h reachable, and set CGO_CFLAGS / CGO_LDFLAGS.

Build tags

The package compiles in two modes:

  • Without the rustbindings tag — the package builds but NewClient(...) returns a runtime error. This is useful for vendor and CI scenarios where the native library is not available.
  • With -tags rustbindings — the package links against the Rust native library.
go build -tags rustbindings ./...
go test -tags rustbindings ./...

Construct a client

package main

import (
    "fmt"

    sdk "github.com/LATTIX-IO/sdk-go-public"
)

func main() {
    client, err := sdk.NewClient(sdk.Options{
        BaseURL:     "https://api.lattix.io",
        BearerToken: "<your-token>",
    })
    if err != nil {
        panic(err)
    }
    defer client.Close()

    bootstrap, err := client.Bootstrap()
    if err != nil {
        panic(err)
    }
    fmt.Println(bootstrap.EnforcementModel)
}

Options

The Options struct is the single configuration point.

FieldPurpose
BaseURLThe Lattix platform API base URL.
BearerTokenPre-issued bearer token attached to every request.
TimeoutSecsHTTP request timeout in seconds.
HeadersAdditional headers attached to every request.
ManagedSymmetricKeyProvidersConfigure managed symmetric-key providers for local TDF / envelope helpers.
TenantID / UserIDPrivate-deployment options for trusted-header or test workflows; not required on the public api.lattix.io bearer path.

Close() releases the underlying native client handle. Use defer client.Close() for safety.

For public integrations, obtain the access token out of band via the published OAuth/OIDC issuer, then pass that token as BearerToken.

Make a call

Every operation is a method on *Client returning a pointer to a typed response and a regular Go error.

import (
    sdk "github.com/LATTIX-IO/sdk-go-public"
)

plan, err := client.ProtectionPlan(sdk.SdkProtectionPlanRequest{
    Operation: sdk.ProtectionOperationProtect,
    Workload: sdk.WorkloadDescriptor{
        Application: "example-app",
        Environment: "prod",
        Component:   "ingest",
    },
    Resource: sdk.ResourceDescriptor{
        Kind:     "document",
        ID:       "doc-123",
        MimeType: "application/pdf",
    },
    PreferredArtifactProfile: sdk.ArtifactProfileTDF,
    ContentDigest:            "sha256:...",
    ContentSizeBytes:         1024,
    Purpose:                  "store",
    Labels:                   []string{"confidential"},
})
if err != nil {
    // handle error
}

if plan.Decision.Allow && plan.Execution.ProtectLocally {
    // ... perform local protection using the indicated artifact profile
}

Local helper surface

In addition to the HTTP control-plane calls, the current Go SDK exposes local helper families for embedded enforcement:

  • PrepareLocalProtection(...) and GenerateCIDBinding(...)
  • TDF helpers for protect / access / rewrap plus attribute updates
  • Envelope helpers for protect / access / rewrap
  • Detached-signature helpers for sign / verify
  • ManagedSymmetricKeyProviders for managed local key flows

These helpers keep bytes and key material local to the caller while still using the control plane for policy, key guidance, registration, and evidence.

The eight core control-plane operations

Every method maps to a single /v1/sdk/* route.

client.Capabilities()                 // GET /v1/sdk/capabilities
client.WhoAmI()                       // GET /v1/sdk/whoami
client.Bootstrap()                    // GET /v1/sdk/bootstrap
client.ProtectionPlan(req)            // POST /v1/sdk/protection-plan
client.PolicyResolve(req)             // POST /v1/sdk/policy-resolve
client.KeyAccessPlan(req)             // POST /v1/sdk/key-access-plan
client.ArtifactRegister(req)          // POST /v1/sdk/artifact-register
client.Evidence(req)                  // POST /v1/sdk/evidence

See Platform API → Endpoints for the shape of each request and response. The Go struct names mirror the wire contract: SdkProtectionPlanRequest, SdkPolicyResolveResponse, KeyAccessDecision, etc.

Constants and enums

The package exports typed string constants for every enum in the contract:

sdk.ProtectionOperationProtect        // "protect"
sdk.ProtectionOperationAccess         // "access"
sdk.ProtectionOperationRewrap         // "rewrap"

sdk.KeyAccessOperationWrap            // "wrap"
sdk.KeyAccessOperationUnwrap          // "unwrap"
sdk.KeyAccessOperationRewrap          // "rewrap"

sdk.ArtifactProfileTDF                // "tdf"
sdk.ArtifactProfileEnvelope           // "envelope"
sdk.ArtifactProfileDetachedSignature  // "detached_signature"

sdk.EvidenceEventTypeProtect          // "protect"
sdk.EvidenceEventTypeAccess           // "access"
sdk.EvidenceEventTypeRewrap           // "rewrap"
sdk.EvidenceEventTypeDeny             // "deny"

sdk.AuthModeBearerToken
sdk.AuthModeTrustedHeaders
sdk.AuthModeBearerTokenOrTrustedHeader

Errors

All methods return a standard Go error. Errors either originate in the Go layer (serialization, invalid arguments) or are returned by the Rust core (connection, server response, or upstream failure) and surfaced as a single typed error value. Callers can use errors.As / errors.Is against the exported error types listed in the module's pkg.go.dev reference.

Testing without the native library

Default unit tests use a fake binding so they run without native linkage:

go test ./...

For native-linked tests:

go test -tags rustbindings ./...

Relationship to other pages

Rust SDK

Quickstart for the Lattix Rust SDK — the canonical core for the public control-plane contract plus local embedded-protection helpers.

Python SDK

Quickstart for the Lattix Python SDK — an async wrapper over the Rust core with Pydantic models for the public control-plane contract and local embedded-protection helpers.

On this page

InstallOne-command native bootstrapManual installBuild tagsConstruct a clientOptionsMake a callLocal helper surfaceThe eight core control-plane operationsConstants and enumsErrorsTesting without the native libraryRelationship to other pages