@1claw/sdk 0.2.0 → 0.4.0

package/dist/cmek.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Client-side CMEK (Customer-Managed Encryption Key) utilities.
+ *
+ * Wire format:
+ *   [1 byte version = 0x01][12 bytes IV][N bytes ciphertext + 16 bytes GCM tag]
+ *
+ * The key never leaves the client. Only its SHA-256 fingerprint is sent to the
+ * server so the vault can track which key was used without knowing the key.
+ *
+ * Works in browsers (WebCrypto) and Node.js 18+ (globalThis.crypto).
+ */
+/**
+ * Generate a random 256-bit AES-GCM key.
+ * Returns the raw key bytes as a Uint8Array (32 bytes).
+ */
+export declare function generateCmekKey(): Promise<Uint8Array>;
+/**
+ * Compute the SHA-256 fingerprint of a CMEK key.
+ * Returns a 64-character lowercase hex string.
+ */
+export declare function cmekFingerprint(key: Uint8Array): Promise<string>;
+/**
+ * Encrypt plaintext with a CMEK key using AES-256-GCM.
+ * Returns the versioned wire-format blob as a Uint8Array.
+ */
+export declare function cmekEncrypt(plaintext: Uint8Array, keyBytes: Uint8Array): Promise<Uint8Array>;
+/**
+ * Decrypt a CMEK wire-format blob with the key.
+ * Returns the original plaintext as a Uint8Array.
+ */
+export declare function cmekDecrypt(blob: Uint8Array, keyBytes: Uint8Array): Promise<Uint8Array>;
+/**
+ * Encode a Uint8Array to a base64 string.
+ * Works in browsers and Node.js 18+.
+ */
+export declare function toBase64(data: Uint8Array): string;
+/**
+ * Decode a base64 string to a Uint8Array.
+ * Works in browsers and Node.js 18+.
+ */
+export declare function fromBase64(b64: string): Uint8Array;
+//# sourceMappingURL=cmek.d.ts.map

package/dist/cmek.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cmek.d.ts","sourceRoot":"","sources":["../src/cmek.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAaH;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,UAAU,CAAC,CAI3D;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAKtE;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC7B,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,UAAU,GACrB,OAAO,CAAC,UAAU,CAAC,CAuBrB;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC7B,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,UAAU,GACrB,OAAO,CAAC,UAAU,CAAC,CA0BrB;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CASjD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAUlD"}

package/dist/cmek.js

@@ -0,0 +1,101 @@
+/**
+ * Client-side CMEK (Customer-Managed Encryption Key) utilities.
+ *
+ * Wire format:
+ *   [1 byte version = 0x01][12 bytes IV][N bytes ciphertext + 16 bytes GCM tag]
+ *
+ * The key never leaves the client. Only its SHA-256 fingerprint is sent to the
+ * server so the vault can track which key was used without knowing the key.
+ *
+ * Works in browsers (WebCrypto) and Node.js 18+ (globalThis.crypto).
+ */
+const VERSION_BYTE = 0x01;
+const IV_LENGTH = 12;
+const KEY_LENGTH = 32; // AES-256
+/** Extract a strict ArrayBuffer from a Uint8Array (satisfies WebCrypto BufferSource in TS 5.x strict). */
+function asArrayBuffer(data) {
+    const buf = new ArrayBuffer(data.byteLength);
+    new Uint8Array(buf).set(data);
+    return buf;
+}
+/**
+ * Generate a random 256-bit AES-GCM key.
+ * Returns the raw key bytes as a Uint8Array (32 bytes).
+ */
+export async function generateCmekKey() {
+    const key = new Uint8Array(KEY_LENGTH);
+    crypto.getRandomValues(key);
+    return key;
+}
+/**
+ * Compute the SHA-256 fingerprint of a CMEK key.
+ * Returns a 64-character lowercase hex string.
+ */
+export async function cmekFingerprint(key) {
+    const hash = await crypto.subtle.digest("SHA-256", asArrayBuffer(key));
+    return Array.from(new Uint8Array(hash))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+/**
+ * Encrypt plaintext with a CMEK key using AES-256-GCM.
+ * Returns the versioned wire-format blob as a Uint8Array.
+ */
+export async function cmekEncrypt(plaintext, keyBytes) {
+    const cryptoKey = await crypto.subtle.importKey("raw", asArrayBuffer(keyBytes), { name: "AES-GCM", length: 256 }, false, ["encrypt"]);
+    const iv = new Uint8Array(IV_LENGTH);
+    crypto.getRandomValues(iv);
+    const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv: asArrayBuffer(iv) }, cryptoKey, asArrayBuffer(plaintext));
+    const result = new Uint8Array(1 + IV_LENGTH + ciphertext.byteLength);
+    result[0] = VERSION_BYTE;
+    result.set(iv, 1);
+    result.set(new Uint8Array(ciphertext), 1 + IV_LENGTH);
+    return result;
+}
+/**
+ * Decrypt a CMEK wire-format blob with the key.
+ * Returns the original plaintext as a Uint8Array.
+ */
+export async function cmekDecrypt(blob, keyBytes) {
+    if (blob.length < 1 + IV_LENGTH + 16) {
+        throw new Error("CMEK blob too short");
+    }
+    if (blob[0] !== VERSION_BYTE) {
+        throw new Error(`Unsupported CMEK version: ${blob[0]}`);
+    }
+    const iv = blob.slice(1, 1 + IV_LENGTH);
+    const ciphertext = blob.slice(1 + IV_LENGTH);
+    const cryptoKey = await crypto.subtle.importKey("raw", asArrayBuffer(keyBytes), { name: "AES-GCM", length: 256 }, false, ["decrypt"]);
+    const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv: asArrayBuffer(iv) }, cryptoKey, asArrayBuffer(ciphertext));
+    return new Uint8Array(plaintext);
+}
+/**
+ * Encode a Uint8Array to a base64 string.
+ * Works in browsers and Node.js 18+.
+ */
+export function toBase64(data) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(data).toString("base64");
+    }
+    let binary = "";
+    for (const byte of data) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary);
+}
+/**
+ * Decode a base64 string to a Uint8Array.
+ * Works in browsers and Node.js 18+.
+ */
+export function fromBase64(b64) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(b64, "base64"));
+    }
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+//# sourceMappingURL=cmek.js.map

package/dist/cmek.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cmek.js","sourceRoot":"","sources":["../src/cmek.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,UAAU;AAEjC,0GAA0G;AAC1G,SAAS,aAAa,CAAC,IAAgB;IACnC,MAAM,GAAG,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,OAAO,GAAG,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACjC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,GAAG,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAe;IACjD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACvE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;SAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC7B,SAAqB,EACrB,QAAoB;IAEpB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,aAAa,CAAC,QAAQ,CAAC,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACd,CAAC;IAEF,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IACrC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAE3B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC1C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC,EAAE,EAC1C,SAAS,EACT,aAAa,CAAC,SAAS,CAAC,CAC3B,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,SAAS,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAClB,MAAM,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC7B,IAAgB,EAChB,QAAoB;IAEpB,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,SAAS,GAAG,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,YAAY,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC;IAE7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,aAAa,CAAC,QAAQ,CAAC,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EACL,CAAC,SAAS,CAAC,CACd,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC,EAAE,EAC1C,SAAS,EACT,aAAa,CAAC,UAAU,CAAC,CAC5B,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAgB;IACrC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IAClC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,KAAK,CAAC;AACjB,CAAC"}

package/dist/{client.d.ts → core/client.d.ts}

@@ -1,17 +1,17 @@
-import type { OneclawClientConfig } from "./types";
-import { VaultResource } from "./vault";
-import { SecretsResource } from "./secrets";
-import { AccessResource } from "./access";
-import { AgentsResource } from "./agents";
-import { SharingResource } from "./sharing";
-import { ApprovalsResource } from "./approvals";
-import { BillingResource } from "./billing";
-import { AuditResource } from "./audit";
-import { OrgResource } from "./org";
-import { AuthResource } from "./auth";
-import { ApiKeysResource } from "./api-keys";
-import { ChainsResource } from "./chains";
-import { X402Resource } from "./x402";
+import type { OneclawClientConfig } from "../types";
+import { VaultResource } from "../resources/vault";
+import { SecretsResource } from "../resources/secrets";
+import { AccessResource } from "../resources/access";
+import { AgentsResource } from "../resources/agents";
+import { SharingResource } from "../resources/sharing";
+import { ApprovalsResource } from "../resources/approvals";
+import { BillingResource } from "../resources/billing";
+import { AuditResource } from "../resources/audit";
+import { OrgResource } from "../resources/org";
+import { AuthResource } from "../resources/auth";
+import { ApiKeysResource } from "../resources/api-keys";
+import { ChainsResource } from "../resources/chains";
+import { X402Resource } from "../resources/x402";
 /**
  * The main 1Claw SDK client. All API resources are exposed as
  * namespaced properties for discoverability and tree-shaking.
@@ -62,13 +62,7 @@ export declare class OneclawClient {
     /** x402 payment protocol — inspect, pay, and verify micropayments. */
     readonly x402: X402Resource;
     constructor(config: OneclawClientConfig);
-    /**
-     * When an API key is provided without a pre-existing token, lazily
-     * exchange it for a JWT on construction. This is async but fires
-     * without blocking the constructor — the first actual request
-     * will await token resolution.
-     */
-    private autoAuthenticate;
+    private autoAuthenticateUserKey;
 }
 /**
  * Factory function to create a new 1Claw SDK client.

package/dist/core/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/core/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,aAAa;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAa;IAElC,2DAA2D;IAC3D,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,oEAAoE;IACpE,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,mEAAmE;IACnE,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,mEAAmE;IACnE,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,wEAAwE;IACxE,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,mDAAmD;IACnD,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC;IAC1B,sEAAsE;IACtE,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,6DAA6D;IAC7D,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,wEAAwE;IACxE,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,sEAAsE;IACtE,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;gBAEhB,MAAM,EAAE,mBAAmB;IAsBvC,OAAO,CAAC,uBAAuB;CAclC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,mBAAmB,GAAG,aAAa,CAEvE"}

package/dist/{client.js → core/client.js}

@@ -1,17 +1,17 @@
 import { HttpClient } from "./http";
-import { VaultResource } from "./vault";
-import { SecretsResource } from "./secrets";
-import { AccessResource } from "./access";
-import { AgentsResource } from "./agents";
-import { SharingResource } from "./sharing";
-import { ApprovalsResource } from "./approvals";
-import { BillingResource } from "./billing";
-import { AuditResource } from "./audit";
-import { OrgResource } from "./org";
-import { AuthResource } from "./auth";
-import { ApiKeysResource } from "./api-keys";
-import { ChainsResource } from "./chains";
-import { X402Resource } from "./x402";
+import { VaultResource } from "../resources/vault";
+import { SecretsResource } from "../resources/secrets";
+import { AccessResource } from "../resources/access";
+import { AgentsResource } from "../resources/agents";
+import { SharingResource } from "../resources/sharing";
+import { ApprovalsResource } from "../resources/approvals";
+import { BillingResource } from "../resources/billing";
+import { AuditResource } from "../resources/audit";
+import { OrgResource } from "../resources/org";
+import { AuthResource } from "../resources/auth";
+import { ApiKeysResource } from "../resources/api-keys";
+import { ChainsResource } from "../resources/chains";
+import { X402Resource } from "../resources/x402";
 /**
  * The main 1Claw SDK client. All API resources are exposed as
  * namespaced properties for discoverability and tree-shaking.
@@ -36,8 +36,8 @@ import { X402Resource } from "./x402";
 export class OneclawClient {
     constructor(config) {
         this.http = new HttpClient(config);
-        if (config.apiKey && !config.token) {
-            this.autoAuthenticate(config);
+        if (config.apiKey && !config.token && !config.agentId) {
+            this.autoAuthenticateUserKey(config);
         }
         this.vault = new VaultResource(this.http);
         this.secrets = new SecretsResource(this.http);
@@ -53,33 +53,15 @@ export class OneclawClient {
         this.chains = new ChainsResource(this.http);
         this.x402 = new X402Resource(this.http, config.x402Signer);
     }
-    /**
-     * When an API key is provided without a pre-existing token, lazily
-     * exchange it for a JWT on construction. This is async but fires
-     * without blocking the constructor — the first actual request
-     * will await token resolution.
-     */
-    autoAuthenticate(config) {
-        const authPromise = config.agentId
-            ? this.http
-                .request("POST", "/v1/auth/agent-token", {
-                body: {
-                    agent_id: config.agentId,
-                    api_key: config.apiKey,
-                },
-            })
-                .then((res) => {
-                if (res.data?.access_token)
-                    this.http.setToken(res.data.access_token);
-            })
-            : this.http
-                .request("POST", "/v1/auth/api-key-token", {
-                body: { api_key: config.apiKey },
-            })
-                .then((res) => {
-                if (res.data?.access_token)
-                    this.http.setToken(res.data.access_token);
-            });
+    autoAuthenticateUserKey(config) {
+        const authPromise = this.http
+            .request("POST", "/v1/auth/api-key-token", {
+            body: { api_key: config.apiKey },
+        })
+            .then((res) => {
+            if (res.data?.access_token)
+                this.http.setToken(res.data.access_token);
+        });
         authPromise.catch(() => {
             /* auth failure will surface on the next request */
         });

package/dist/core/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/core/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,aAAa;IA8BtB,YAAY,MAA2B;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QAEnC,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpD,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IAC/D,CAAC;IAEO,uBAAuB,CAAC,MAA2B;QACvD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI;aACxB,OAAO,CAA2B,MAAM,EAAE,wBAAwB,EAAE;YACjE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE;SACnC,CAAC;aACD,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;YACV,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY;gBACtB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEP,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE;YACnB,mDAAmD;QACvD,CAAC,CAAC,CAAC;IACP,CAAC;CACJ;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,YAAY,CAAC,MAA2B;IACpD,OAAO,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;AACrC,CAAC"}

package/dist/{errors.d.ts → core/errors.d.ts}

@@ -1,4 +1,4 @@
-import type { PaymentRequirement } from "./types";
+import type { PaymentRequirement } from "../types";
 /**
  * Base error class for all 1Claw SDK errors.
  * Includes the HTTP status code and a machine-readable error type.
@@ -13,6 +13,13 @@ export declare class OneclawError extends Error {
 export declare class AuthError extends OneclawError {
     constructor(message: string, status?: 401 | 403);
 }
+/**
+ * Thrown when a resource limit is exceeded (403 with type "resource_limit_exceeded").
+ * The `detail` message includes the current count, limit, and tier.
+ */
+export declare class ResourceLimitExceededError extends OneclawError {
+    constructor(message: string);
+}
 /**
  * Thrown on 402 Payment Required responses.
  * Contains the full `PaymentRequirement` so callers can inspect

package/dist/core/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/core/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAEnD;;;GAGG;AACH,qBAAa,YAAa,SAAQ,KAAK;IACnC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAGrB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,MAAM;CAQtB;AAED,6DAA6D;AAC7D,qBAAa,SAAU,SAAQ,YAAY;gBAC3B,OAAO,EAAE,MAAM,EAAE,MAAM,GAAE,GAAG,GAAG,GAAS;CAIvD;AAED;;;GAGG;AACH,qBAAa,0BAA2B,SAAQ,YAAY;gBAC5C,OAAO,EAAE,MAAM;CAI9B;AAED;;;;GAIG;AACH,qBAAa,oBAAqB,SAAQ,YAAY;IAClD,QAAQ,CAAC,kBAAkB,EAAE,kBAAkB,CAAC;gBAEpC,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,kBAAkB;CAKtE;AAED;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,YAAY;IACnD,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;gBAEvB,iBAAiB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM;CAS1D;AAED,yCAAyC;AACzC,qBAAa,aAAc,SAAQ,YAAY;gBAC/B,OAAO,GAAE,MAA6B;CAIrD;AAED,uFAAuF;AACvF,qBAAa,cAAe,SAAQ,YAAY;IAC5C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;gBAG3B,OAAO,GAAE,MAA8B,EACvC,YAAY,CAAC,EAAE,MAAM;CAM5B;AAED,mEAAmE;AACnE,qBAAa,eAAgB,SAAQ,YAAY;IAC7C,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAE7B,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAK/D;AAED,yCAAyC;AACzC,qBAAa,WAAY,SAAQ,YAAY;gBAErC,OAAO,GAAE,MAAgC,EACzC,MAAM,GAAE,MAAY;CAK3B;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAC,CAkD5E"}

package/dist/{errors.js → core/errors.js}

@@ -18,6 +18,16 @@ export class AuthError extends OneclawError {
         this.name = "AuthError";
     }
 }
+/**
+ * Thrown when a resource limit is exceeded (403 with type "resource_limit_exceeded").
+ * The `detail` message includes the current count, limit, and tier.
+ */
+export class ResourceLimitExceededError extends OneclawError {
+    constructor(message) {
+        super(message, 403, "resource_limit_exceeded");
+        this.name = "ResourceLimitExceededError";
+    }
+}
 /**
  * Thrown on 402 Payment Required responses.
  * Contains the full `PaymentRequirement` so callers can inspect
@@ -91,8 +101,18 @@ export async function errorFromResponse(res) {
         case 400:
             return new ValidationError(message, body.fields);
         case 401:
-        case 403:
-            return new AuthError(message, res.status);
+            return new AuthError(message, 401);
+        case 403: {
+            const errorType = body.type;
+            if (errorType === "resource_limit_exceeded") {
+                return new ResourceLimitExceededError(message);
+            }
+            if (errorType === "approval_required") {
+                const approvalId = body.approval_request_id ?? "";
+                return new ApprovalRequiredError(approvalId, message);
+            }
+            return new AuthError(message, 403);
+        }
         case 402: {
             const requirement = body;
             return new PaymentRequiredError(message, requirement);

package/dist/core/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/core/errors.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,OAAO,YAAa,SAAQ,KAAK;IAKnC,YACI,OAAe,EACf,MAAc,EACd,IAAY,EACZ,MAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC;CACJ;AAED,6DAA6D;AAC7D,MAAM,OAAO,SAAU,SAAQ,YAAY;IACvC,YAAY,OAAe,EAAE,SAAoB,GAAG;QAChD,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC5B,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,OAAO,0BAA2B,SAAQ,YAAY;IACxD,YAAY,OAAe;QACvB,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,yBAAyB,CAAC,CAAC;QAC/C,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC7C,CAAC;CACJ;AAED;;;;GAIG;AACH,MAAM,OAAO,oBAAqB,SAAQ,YAAY;IAGlD,YAAY,OAAe,EAAE,kBAAsC;QAC/D,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;QACnC,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;IACjD,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,OAAO,qBAAsB,SAAQ,YAAY;IAGnD,YAAY,iBAAyB,EAAE,OAAgB;QACnD,KAAK,CACD,OAAO,IAAI,kDAAkD,EAC7D,GAAG,EACH,mBAAmB,CACtB,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;IAC/C,CAAC;CACJ;AAED,yCAAyC;AACzC,MAAM,OAAO,aAAc,SAAQ,YAAY;IAC3C,YAAY,UAAkB,oBAAoB;QAC9C,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAChC,CAAC;CACJ;AAED,uFAAuF;AACvF,MAAM,OAAO,cAAe,SAAQ,YAAY;IAG5C,YACI,UAAkB,qBAAqB,EACvC,YAAqB;QAErB,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACrC,CAAC;CACJ;AAED,mEAAmE;AACnE,MAAM,OAAO,eAAgB,SAAQ,YAAY;IAG7C,YAAY,OAAe,EAAE,MAA+B;QACxD,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC;CACJ;AAED,yCAAyC;AACzC,MAAM,OAAO,WAAY,SAAQ,YAAY;IACzC,YACI,UAAkB,uBAAuB,EACzC,SAAiB,GAAG;QAEpB,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC9B,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAa;IACjD,IAAI,IAAI,GAA4B,EAAE,CAAC;IACvC,IAAI,CAAC;QACD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACL,8BAA8B;IAClC,CAAC;IAED,MAAM,OAAO,GACR,IAAI,CAAC,MAAiB;QACtB,IAAI,CAAC,OAAkB;QACvB,IAAI,CAAC,KAAgB;QACtB,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;IAEzB,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,GAAG;YACJ,OAAO,IAAI,eAAe,CACtB,OAAO,EACP,IAAI,CAAC,MAAgC,CACxC,CAAC;QACN,KAAK,GAAG;YACJ,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACvC,KAAK,GAAG,CAAC,CAAC,CAAC;YACP,MAAM,SAAS,GAAG,IAAI,CAAC,IAAc,CAAC;YACtC,IAAI,SAAS,KAAK,yBAAyB,EAAE,CAAC;gBAC1C,OAAO,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACnD,CAAC;YACD,IAAI,SAAS,KAAK,mBAAmB,EAAE,CAAC;gBACpC,MAAM,UAAU,GAAI,IAAI,CAAC,mBAA8B,IAAI,EAAE,CAAC;gBAC9D,OAAO,IAAI,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACvC,CAAC;QACD,KAAK,GAAG,CAAC,CAAC,CAAC;YACP,MAAM,WAAW,GAAG,IAAqC,CAAC;YAC1D,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,GAAG;YACJ,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC;QACtC,KAAK,GAAG,CAAC,CAAC,CAAC;YACP,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YACnD,MAAM,YAAY,GAAG,WAAW;gBAC5B,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,GAAG,IAAI;gBAClC,CAAC,CAAC,SAAS,CAAC;YAChB,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACrD,CAAC;QACD;YACI,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG;gBAAE,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;YACnE,OAAO,IAAI,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAChE,CAAC;AACL,CAAC"}

package/dist/{http.d.ts → core/http.d.ts}

@@ -1,4 +1,4 @@
-import type { OneclawClientConfig, OneclawResponse } from "./types";
+import type { OneclawClientConfig, OneclawResponse } from "../types";
 /**
  * Internal HTTP transport used by every resource module.
  * Handles authentication headers, 402 auto-pay, and error mapping.
@@ -6,13 +6,19 @@ import type { OneclawClientConfig, OneclawResponse } from "./types";
 export declare class HttpClient {
     private baseUrl;
     private token?;
+    private tokenExpiresAt;
     private signer?;
     private maxAutoPayUsd;
+    private agentCredentials?;
+    private refreshPromise?;
+    private static readonly REFRESH_BUFFER_MS;
     constructor(config: OneclawClientConfig);
     /** Replace the current Bearer token (called by auth methods). */
     setToken(token: string): void;
     getToken(): string | undefined;
     getBaseUrl(): string;
+    private static decodeExpiry;
+    private ensureToken;
     /**
      * Perform a typed request against the API and return an envelope.
      * Automatically retries once with an x402 payment header when

package/dist/core/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/core/http.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACR,mBAAmB,EACnB,eAAe,EAGlB,MAAM,UAAU,CAAC;AAGlB;;;GAGG;AACH,qBAAa,UAAU;IACnB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAC,CAAS;IACvB,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,MAAM,CAAC,CAAa;IAC5B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,gBAAgB,CAAC,CAAsC;IAC/D,OAAO,CAAC,cAAc,CAAC,CAAgB;IAEvC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAU;gBAEvC,MAAM,EAAE,mBAAmB;IAcvC,iEAAiE;IACjE,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAK7B,QAAQ,IAAI,MAAM,GAAG,SAAS;IAI9B,UAAU,IAAI,MAAM;IAIpB,OAAO,CAAC,MAAM,CAAC,YAAY;YAab,WAAW;IA0CzB;;;;OAIG;IACG,OAAO,CAAC,CAAC,EACX,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE;QACL,IAAI,CAAC,EAAE,OAAO,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC,CAAC;QACpD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC/B,GACP,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IA+C9B;;;OAGG;IACG,cAAc,CAAC,CAAC,EAClB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE;QACL,IAAI,CAAC,EAAE,OAAO,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC,CAAC;QACpD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC/B,GACP,OAAO,CAAC,CAAC,CAAC;IAqCb,OAAO,CAAC,QAAQ;IAahB;;;OAGG;YACW,aAAa;CA6C9B"}

package/dist/{http.js → core/http.js}

@@ -5,14 +5,22 @@ import { errorFromResponse, PaymentRequiredError } from "./errors";
  */
 export class HttpClient {
     constructor(config) {
+        this.tokenExpiresAt = 0;
         this.baseUrl = config.baseUrl.replace(/\/$/, "");
         this.token = config.token;
         this.signer = config.x402Signer;
         this.maxAutoPayUsd = config.maxAutoPayUsd ?? 0;
+        if (config.agentId && config.apiKey) {
+            this.agentCredentials = {
+                agentId: config.agentId,
+                apiKey: config.apiKey,
+            };
+        }
     }
     /** Replace the current Bearer token (called by auth methods). */
     setToken(token) {
         this.token = token;
+        this.tokenExpiresAt = HttpClient.decodeExpiry(token);
     }
     getToken() {
         return this.token;
@@ -20,12 +28,55 @@ export class HttpClient {
     getBaseUrl() {
         return this.baseUrl;
     }
+    static decodeExpiry(jwt) {
+        try {
+            const parts = jwt.split(".");
+            if (parts.length !== 3)
+                return 0;
+            const payload = JSON.parse(atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")));
+            return typeof payload.exp === "number" ? payload.exp * 1000 : 0;
+        }
+        catch {
+            return 0;
+        }
+    }
+    async ensureToken() {
+        if (!this.agentCredentials)
+            return;
+        if (this.token &&
+            Date.now() < this.tokenExpiresAt - HttpClient.REFRESH_BUFFER_MS)
+            return;
+        if (this.refreshPromise) {
+            await this.refreshPromise;
+            return;
+        }
+        this.refreshPromise = (async () => {
+            const res = await fetch(`${this.baseUrl}/v1/auth/agent-token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({
+                    agent_id: this.agentCredentials.agentId,
+                    api_key: this.agentCredentials.apiKey,
+                }),
+            });
+            if (!res.ok) {
+                throw new Error(`Agent token refresh failed: HTTP ${res.status}`);
+            }
+            const data = (await res.json());
+            this.token = data.access_token;
+            this.tokenExpiresAt = Date.now() + data.expires_in * 1000;
+        })().finally(() => {
+            this.refreshPromise = undefined;
+        });
+        await this.refreshPromise;
+    }
     /**
      * Perform a typed request against the API and return an envelope.
      * Automatically retries once with an x402 payment header when
      * a signer is configured and the price is within limits.
      */
     async request(method, path, options = {}) {
+        await this.ensureToken();
         const url = this.buildUrl(path, options.query);
         const headers = {
             "Content-Type": "application/json",
@@ -69,6 +120,7 @@ export class HttpClient {
      * Convenient for callers that prefer exceptions.
      */
     async requestOrThrow(method, path, options = {}) {
+        await this.ensureToken();
         const url = this.buildUrl(path, options.query);
         const headers = {
             "Content-Type": "application/json",
@@ -142,4 +194,5 @@ export class HttpClient {
         return fetch(url, { ...init, headers: retryHeaders });
     }
 }
+HttpClient.REFRESH_BUFFER_MS = 60000;
 //# sourceMappingURL=http.js.map

package/dist/core/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/core/http.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAEnE;;;GAGG;AACH,MAAM,OAAO,UAAU;IAWnB,YAAY,MAA2B;QAR/B,mBAAc,GAAG,CAAC,CAAC;QASvB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;QAChC,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,CAAC,CAAC;QAE/C,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,IAAI,CAAC,gBAAgB,GAAG;gBACpB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;aACxB,CAAC;QACN,CAAC;IACL,CAAC;IAED,iEAAiE;IACjE,QAAQ,CAAC,KAAa;QAClB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAED,QAAQ;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,UAAU;QACN,OAAO,IAAI,CAAC,OAAO,CAAC;IACxB,CAAC;IAEO,MAAM,CAAC,YAAY,CAAC,GAAW;QACnC,IAAI,CAAC;YACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,CAAC,CAAC;YACjC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACtB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACvD,CAAC;YACF,OAAO,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,CAAC,CAAC;QACb,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,WAAW;QACrB,IAAI,CAAC,IAAI,CAAC,gBAAgB;YAAE,OAAO;QACnC,IACI,IAAI,CAAC,KAAK;YACV,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,iBAAiB;YAE/D,OAAO;QAEX,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,cAAc,CAAC;YAC1B,OAAO;QACX,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,CAAC,KAAK,IAAI,EAAE;YAC9B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,sBAAsB,EAAE;gBAC3D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACjB,QAAQ,EAAE,IAAI,CAAC,gBAAiB,CAAC,OAAO;oBACxC,OAAO,EAAE,IAAI,CAAC,gBAAiB,CAAC,MAAM;iBACzC,CAAC;aACL,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACV,MAAM,IAAI,KAAK,CACX,oCAAoC,GAAG,CAAC,MAAM,EAAE,CACnD,CAAC;YACN,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAG7B,CAAC;YACF,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC;YAC/B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QAC9D,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,cAAc,CAAC;IAC9B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CACT,MAAc,EACd,IAAY,EACZ,UAII,EAAE;QAEN,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,OAAO,GAA2B;YACpC,cAAc,EAAE,kBAAkB;YAClC,GAAG,OAAO,CAAC,OAAO;SACrB,CAAC;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC;QACtD,CAAC;QAED,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAEjC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACpC,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO;gBACH,IAAI,EAAE,IAAI;gBACV,KAAK,EAAE;oBACH,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,MAAM,EAAE,GAAG,CAAC,MAAM;iBACrB;gBACD,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE;aAC/B,CAAC;QACN,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO;gBACH,IAAI,EAAE,IAAoB;gBAC1B,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE;aACxB,CAAC;QACN,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAChB,MAAc,EACd,IAAY,EACZ,UAII,EAAE;QAEN,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,OAAO,GAA2B;YACpC,cAAc,EAAE,kBAAkB;YAClC,GAAG,OAAO,CAAC,OAAO;SACrB,CAAC;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC;QACtD,CAAC;QAED,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAEjC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACpC,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,SAAyB,CAAC;QACrC,CAAC;QAED,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;IACnC,CAAC;IAED,0EAA0E;IAC1E,kBAAkB;IAClB,0EAA0E;IAElE,QAAQ,CACZ,IAAY,EACZ,KAAmD;QAEnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC,CAAC;QAC9C,IAAI,KAAK,EAAE,CAAC;YACR,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,KAAK,SAAS;oBAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5D,CAAC;QACL,CAAC;QACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,aAAa,CACvB,WAAqB,EACrB,GAAW,EACX,IAAiB;QAEjB,IAAI,WAA+B,CAAC;QACpC,IAAI,CAAC;YACD,WAAW,GAAG,CAAC,MAAM,WAAW,CAAC,IAAI,EAAE,CAAuB,CAAC;QACnE,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,WAAW,CAAC;QACvB,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,WAAW,CAAC;QAEhD,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,IAAI,CAAC,aAAa,GAAG,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YACvD,MAAM,IAAI,oBAAoB,CAC1B,eAAe,KAAK,+BAA+B,IAAI,CAAC,aAAa,EAAE,EACvE,WAAW,CACd,CAAC;QACN,CAAC;QACD,IAAI,IAAI,CAAC,aAAa,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,oBAAoB,CAC1B,eAAe,KAAK,sDAAsD,EAC1E,WAAW,CACd,CAAC;QACN,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAExD,MAAM,cAAc,GAAG;YACnB,WAAW,EAAE,WAAW,CAAC,WAAW;YACpC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,SAAS;SACrB,CAAC;QAEF,MAAM,YAAY,GAAG;YACjB,GAAI,IAAI,CAAC,OAAkC;YAC3C,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;SAC9C,CAAC;QAEF,OAAO,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;IAC1D,CAAC;;AA/PuB,4BAAiB,GAAG,KAAM,AAAT,CAAU"}