@1claw/sdk 0.2.0

package/LICENSE

@@ -0,0 +1,133 @@
+# PolyForm Noncommercial License 1.0.0
+
+<https://polyformproject.org/licenses/noncommercial/1.0.0>
+
+Required Notice: Copyright (c) 2026 1Claw Contributors
+
+## Acceptance
+
+In order to get any license under these terms, you must agree
+to them as both strict obligations and conditions to all
+your licenses.
+
+## Copyright License
+
+The licensor grants you a copyright license for the
+software to do everything you might do with the software
+that would otherwise infringe the licensor's copyright
+in it for any permitted purpose. However, you may
+only distribute the software according to [Distribution
+License](#distribution-license) and make changes or new works
+based on the software according to [Changes and New Works
+License](#changes-and-new-works-license).
+
+## Distribution License
+
+The licensor grants you an additional copyright license
+to distribute copies of the software. Your license
+to distribute covers distributing the software with
+changes and new works permitted by [Changes and New Works
+License](#changes-and-new-works-license).
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of
+the software from you also gets a copy of these terms or the
+URL for them above, as well as copies of any plain-text lines
+beginning with `Required Notice:` that the licensor provided
+with the software. For example:
+
+> Required Notice: Copyright Yoyodyne, Inc. (http://example.com)
+
+## Changes and New Works License
+
+The licensor grants you an additional copyright license to
+make changes and new works based on the software for any
+permitted purpose.
+
+## Patent License
+
+The licensor grants you a patent license for the software that
+covers patent claims the licensor can license, or becomes able
+to license, that you would infringe by using the software.
+
+## Noncommercial Purposes
+
+Any noncommercial purpose is a permitted purpose.
+
+## Personal Uses
+
+Personal use for research, experiment, and testing for
+the benefit of public knowledge, personal study, private
+entertainment, hobby projects, amateur pursuits, or religious
+observance, without any anticipated commercial application,
+is use for a permitted purpose.
+
+## Noncommercial Organizations
+
+Use by any charitable organization, educational institution,
+public research organization, public safety or health
+organization, environmental protection organization,
+or government institution is use for a permitted purpose
+regardless of the source of funding or obligations resulting
+from the funding.
+
+## Fair Use
+
+You may have "fair use" rights for the software under the
+law. These terms do not limit them.
+
+## No Other Rights
+
+These terms do not allow you to sublicense or transfer any of
+your licenses to anyone else, or prevent the licensor from
+granting licenses to anyone else. These terms do not imply
+any other licenses.
+
+## Patent Defense
+
+If you make any written claim that the software infringes or
+contributes to infringement of any patent, your patent license
+for the software granted under these terms ends immediately. If
+your company makes such a claim, your patent license ends
+immediately for work on behalf of your company.
+
+## Violations
+
+The first time you are notified in writing that you have
+violated any of these terms, or done anything with the software
+not covered by your licenses, your licenses can nonetheless
+continue if you come into full compliance with these terms,
+and take practical steps to correct past violations, within
+32 days of receiving notice. Otherwise, all your licenses
+end immediately.
+
+## No Liability
+
+***As far as the law allows, the software comes as is, without
+any warranty or condition, and the licensor will not be liable
+to you for any damages arising out of these terms or the use
+or nature of the software, under any kind of legal claim.***
+
+## Definitions
+
+The **licensor** is the individual or entity offering these
+terms, and the **software** is the software the licensor makes
+available under these terms.
+
+**You** refers to the individual or entity agreeing to these
+terms.
+
+**Your company** is any legal entity, sole proprietorship,
+or other kind of organization that you work for, plus all
+organizations that have control over, are under the control of,
+or are under common control with that organization. **Control**
+means ownership of substantially all the assets of an entity,
+or the power to direct its management and policies by vote,
+contract, or otherwise. Control can be direct or indirect.
+
+**Your licenses** are all the licenses granted to you for the
+software under these terms.
+
+**Use** means anything you do with the software requiring one
+of your licenses.

package/README.md

@@ -0,0 +1,246 @@
+# @1claw/sdk
+
+TypeScript SDK for **1Claw Vault** — HSM-backed secret management for AI agents and humans.
+
+## Install
+
+```bash
+npm install @1claw/sdk
+```
+
+## Quick Start
+
+```typescript
+import { createClient } from "@1claw/sdk";
+
+const client = createClient({
+    baseUrl: "https://api.1claw.xyz",
+    apiKey: "ocv_...", // auto-exchanges for a JWT
+});
+
+// List vaults
+const { data } = await client.vault.list();
+console.log(data?.vaults);
+
+// Store a secret
+await client.secrets.set("vault-id", "OPENAI_KEY", "sk-...", {
+    type: "api_key",
+});
+
+// Retrieve a secret
+const secret = await client.secrets.get("vault-id", "OPENAI_KEY");
+console.log(secret.data?.value);
+```
+
+## Authentication
+
+The SDK supports three authentication modes:
+
+```typescript
+// 1. User API key (auto-authenticates)
+const client = createClient({
+    baseUrl: "https://api.1claw.xyz",
+    apiKey: "ocv_...",
+});
+
+// 2. Agent with API key (auto-authenticates as agent)
+const agent = createClient({
+    baseUrl: "https://api.1claw.xyz",
+    apiKey: "ocv_...",
+    agentId: "agent-uuid",
+});
+
+// 3. Pre-authenticated JWT
+const authed = createClient({
+    baseUrl: "https://api.1claw.xyz",
+    token: "eyJ...",
+});
+
+// Or authenticate manually:
+await client.auth.login({ email: "...", password: "..." });
+await client.auth.agentToken({ agent_id: "...", api_key: "..." });
+await client.auth.google({ id_token: "..." });
+```
+
+## API Resources
+
+| Resource           | Methods                                                                                                    |
+| ------------------ | ---------------------------------------------------------------------------------------------------------- |
+| `client.vault`     | `create`, `get`, `list`, `delete`                                                                          |
+| `client.secrets`   | `set`, `get`, `delete`, `list`, `rotate`                                                                   |
+| `client.access`    | `grantHuman`, `grantAgent`, `update`, `revoke`, `listGrants`                                               |
+| `client.agents`    | `create`, `get`, `list`, `update`, `delete`, `rotateKey`, `submitTransaction`, `getTransaction`, `listTransactions` |
+| `client.chains`    | `list`, `get`, `adminList`, `create`, `update`, `delete`                                                   |
+| `client.sharing`   | `create`, `access`, `listOutbound`, `listInbound`, `accept`, `decline`, `revoke`                           |
+| `client.approvals` | `request`, `list`, `approve`, `deny`, `check`, `subscribe`                                                 |
+| `client.billing`   | `usage`, `history`                                                                                         |
+| `client.audit`     | `query`                                                                                                    |
+| `client.org`       | `listMembers`, `updateMemberRole`, `removeMember`                                                          |
+| `client.auth`      | `login`, `agentToken`, `apiKeyToken`, `google`, `changePassword`, `logout`                                 |
+| `client.apiKeys`   | `create`, `list`, `revoke`                                                                                 |
+| `client.x402`      | `getPaymentRequirement`, `pay`, `verifyReceipt`, `withPayment`                                             |
+
+## Response Envelope
+
+All methods return a typed envelope:
+
+```typescript
+interface OneclawResponse<T> {
+    data: T | null;
+    error: { type: string; message: string; detail?: string } | null;
+    meta?: { status: number };
+}
+```
+
+Check `error` before accessing `data`:
+
+```typescript
+const res = await client.secrets.get("vault-id", "key");
+if (res.error) {
+    console.error(res.error.type, res.error.message);
+} else {
+    console.log(res.data.value);
+}
+```
+
+## Error Types
+
+The SDK exports a typed error hierarchy for catch-based flows:
+
+| Error                   | HTTP Status | Description                                           |
+| ----------------------- | ----------- | ----------------------------------------------------- |
+| `OneclawError`          | any         | Base error class                                      |
+| `AuthError`             | 401, 403    | Authentication/authorization failure                  |
+| `PaymentRequiredError`  | 402         | x402 payment required (includes `paymentRequirement`) |
+| `ApprovalRequiredError` | 403         | Human approval gate triggered                         |
+| `NotFoundError`         | 404         | Resource not found                                    |
+| `RateLimitError`        | 429         | Rate limit exceeded                                   |
+| `ValidationError`       | 400         | Invalid request body                                  |
+| `ServerError`           | 500+        | Server-side failure                                   |
+
+## Crypto Transaction Proxy
+
+Agents can be granted the ability to sign and broadcast on-chain transactions through a controlled signing proxy. Private keys stay in the HSM — the agent submits intent, the proxy signs and broadcasts.
+
+Toggle `crypto_proxy_enabled` when creating or updating an agent:
+
+```typescript
+// Register an agent with crypto proxy access
+const { data } = await client.agents.create({
+    name: "defi-bot",
+    auth_method: "api_key",
+    scopes: ["vault:read", "tx:sign"],
+    crypto_proxy_enabled: true,
+});
+
+// Or enable it later
+await client.agents.update(agentId, {
+    crypto_proxy_enabled: true,
+});
+
+// Check an agent's proxy status
+const agent = await client.agents.get(agentId);
+console.log(agent.data?.crypto_proxy_enabled); // true
+```
+
+### Submitting a transaction
+
+Once `crypto_proxy_enabled` is true and the agent has a signing key stored in an accessible vault, the agent can submit transaction intents:
+
+```typescript
+const txRes = await client.agents.submitTransaction(agentId, {
+    to: "0x000000000000000000000000000000000000dEaD",
+    value: "0.01",    // ETH
+    chain: "base",
+    // Optional: data, signing_key_path, nonce, gas_price, gas_limit
+});
+
+console.log(txRes.data?.status);     // "signed"
+console.log(txRes.data?.tx_hash);    // "0x..."
+console.log(txRes.data?.signed_tx);  // signed raw transaction hex
+```
+
+The backend fetches the signing key from the vault, signs the EIP-155 transaction, and returns the signed transaction hex. The signing key is decrypted in-memory, used, and immediately zeroized — it never leaves the server.
+
+Key properties:
+
+- **Disabled by default** — a human must explicitly enable per-agent
+- **Signing keys never leave the HSM** — same envelope encryption as secrets
+- **Every transaction is audit-logged** with full calldata
+- **Revocable instantly** — set `crypto_proxy_enabled: false` to cut off access
+
+## x402 Payment Protocol
+
+When free-tier limits are exceeded, the API returns `402 Payment Required`. The SDK can automatically handle payments if you provide a signer:
+
+```typescript
+import { createClient, type X402Signer } from "@1claw/sdk";
+
+const signer: X402Signer = {
+    getAddress: async () => "0x...",
+    signPayment: async (accept) => {
+        // Sign EIP-712 payment with your wallet library (ethers, viem, etc.)
+        return signedPayloadHex;
+    },
+};
+
+const client = createClient({
+    baseUrl: "https://api.1claw.xyz",
+    apiKey: "ocv_...",
+    x402Signer: signer,
+    maxAutoPayUsd: 0.01, // auto-pay up to $0.01 per request
+});
+
+// Or use the explicit pay-and-fetch flow:
+const secret = await client.x402.withPayment("vault-id", "key", signer);
+```
+
+## MCP Integration (AI Agents)
+
+The SDK exposes MCP-compatible tool definitions for AI agents:
+
+```typescript
+import { getMcpToolDefinitions, McpHandler } from "@1claw/sdk/mcp";
+import { createClient } from "@1claw/sdk";
+
+// Get tool definitions for your agent's tool registry
+const tools = getMcpToolDefinitions();
+// → 1claw_get_secret, 1claw_set_secret, 1claw_list_secret_keys, etc.
+
+// Dispatch tool calls from your agent
+const client = createClient({ baseUrl: "...", token: "..." });
+const handler = new McpHandler(client);
+const result = await handler.handle("1claw_get_secret", {
+    vault_id: "...",
+    key: "OPENAI_KEY",
+});
+```
+
+### With Vercel AI SDK
+
+```typescript
+import { tool } from "ai";
+import { z } from "zod";
+import { createClient } from "@1claw/sdk";
+
+const client = createClient({ baseUrl: "...", apiKey: "..." });
+
+export const oneclawTools = {
+    getSecret: tool({
+        description: "Fetch a secret from the 1claw vault",
+        parameters: z.object({
+            vaultId: z.string(),
+            key: z.string(),
+        }),
+        execute: async ({ vaultId, key }) => {
+            const res = await client.secrets.get(vaultId, key);
+            if (res.error) return { error: res.error.message };
+            return { status: "available", hint: `Secret retrieved (${key})` };
+        },
+    }),
+};
+```
+
+## License
+
+PolyForm Noncommercial 1.0.0

package/dist/access.d.ts

@@ -0,0 +1,35 @@
+import type { HttpClient } from "./http";
+import type { UpdatePolicyRequest, PolicyResponse, PolicyListResponse, OneclawResponse } from "./types";
+export interface GrantOptions {
+    /** Glob pattern for which secret paths the grant covers (default: "**"). */
+    secretPathPattern?: string;
+    /** Additional conditions (e.g. IP allow-list, time windows). */
+    conditions?: Record<string, unknown>;
+    /** ISO-8601 expiry for the grant. */
+    expires_at?: string;
+}
+/**
+ * Access resource — manage vault access policies (grants) for
+ * humans and agents.
+ */
+export declare class AccessResource {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Grant a human user access to a vault.
+     * @param permissions - e.g. ["read"], ["read", "write"]
+     */
+    grantHuman(vaultId: string, userId: string, permissions: string[], options?: GrantOptions): Promise<OneclawResponse<PolicyResponse>>;
+    /**
+     * Grant an agent access to a vault.
+     * @param permissions - e.g. ["read"], ["read", "write"]
+     */
+    grantAgent(vaultId: string, agentId: string, permissions: string[], options?: GrantOptions): Promise<OneclawResponse<PolicyResponse>>;
+    /** Update an existing policy's permissions and/or conditions. */
+    update(vaultId: string, policyId: string, update: UpdatePolicyRequest): Promise<OneclawResponse<PolicyResponse>>;
+    /** Revoke a specific access policy by its ID. */
+    revoke(vaultId: string, policyId: string): Promise<OneclawResponse<void>>;
+    /** List all access grants (policies) on a vault. */
+    listGrants(vaultId: string): Promise<OneclawResponse<PolicyListResponse>>;
+}
+//# sourceMappingURL=access.d.ts.map

package/dist/access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,KAAK,EAER,mBAAmB,EACnB,cAAc,EACd,kBAAkB,EAClB,eAAe,EAClB,MAAM,SAAS,CAAC;AAEjB,MAAM,WAAW,YAAY;IACzB,4EAA4E;IAC5E,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,qBAAa,cAAc;IACX,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,UAAU;IAE7C;;;OAGG;IACG,UAAU,CACZ,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EAAE,EACrB,OAAO,GAAE,YAAiB,GAC3B,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAgB3C;;;OAGG;IACG,UAAU,CACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EAAE,EACrB,OAAO,GAAE,YAAiB,GAC3B,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAgB3C,iEAAiE;IAC3D,MAAM,CACR,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,mBAAmB,GAC5B,OAAO,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAQ3C,iDAAiD;IAC3C,MAAM,CACR,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACjB,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IAOjC,oDAAoD;IAC9C,UAAU,CACZ,OAAO,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC;CAMlD"}

package/dist/access.js

@@ -0,0 +1,52 @@
+/**
+ * Access resource — manage vault access policies (grants) for
+ * humans and agents.
+ */
+export class AccessResource {
+    constructor(http) {
+        this.http = http;
+    }
+    /**
+     * Grant a human user access to a vault.
+     * @param permissions - e.g. ["read"], ["read", "write"]
+     */
+    async grantHuman(vaultId, userId, permissions, options = {}) {
+        const body = {
+            secret_path_pattern: options.secretPathPattern ?? "**",
+            principal_type: "user",
+            principal_id: userId,
+            permissions,
+            conditions: options.conditions,
+            expires_at: options.expires_at,
+        };
+        return this.http.request("POST", `/v1/vaults/${vaultId}/policies`, { body });
+    }
+    /**
+     * Grant an agent access to a vault.
+     * @param permissions - e.g. ["read"], ["read", "write"]
+     */
+    async grantAgent(vaultId, agentId, permissions, options = {}) {
+        const body = {
+            secret_path_pattern: options.secretPathPattern ?? "**",
+            principal_type: "agent",
+            principal_id: agentId,
+            permissions,
+            conditions: options.conditions,
+            expires_at: options.expires_at,
+        };
+        return this.http.request("POST", `/v1/vaults/${vaultId}/policies`, { body });
+    }
+    /** Update an existing policy's permissions and/or conditions. */
+    async update(vaultId, policyId, update) {
+        return this.http.request("PUT", `/v1/vaults/${vaultId}/policies/${policyId}`, { body: update });
+    }
+    /** Revoke a specific access policy by its ID. */
+    async revoke(vaultId, policyId) {
+        return this.http.request("DELETE", `/v1/vaults/${vaultId}/policies/${policyId}`);
+    }
+    /** List all access grants (policies) on a vault. */
+    async listGrants(vaultId) {
+        return this.http.request("GET", `/v1/vaults/${vaultId}/policies`);
+    }
+}
+//# sourceMappingURL=access.js.map

package/dist/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../src/access.ts"],"names":[],"mappings":"AAkBA;;;GAGG;AACH,MAAM,OAAO,cAAc;IACvB,YAA6B,IAAgB;QAAhB,SAAI,GAAJ,IAAI,CAAY;IAAG,CAAC;IAEjD;;;OAGG;IACH,KAAK,CAAC,UAAU,CACZ,OAAe,EACf,MAAc,EACd,WAAqB,EACrB,UAAwB,EAAE;QAE1B,MAAM,IAAI,GAAwB;YAC9B,mBAAmB,EAAE,OAAO,CAAC,iBAAiB,IAAI,IAAI;YACtD,cAAc,EAAE,MAAM;YACtB,YAAY,EAAE,MAAM;YACpB,WAAW;YACX,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;SACjC,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,MAAM,EACN,cAAc,OAAO,WAAW,EAChC,EAAE,IAAI,EAAE,CACX,CAAC;IACN,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CACZ,OAAe,EACf,OAAe,EACf,WAAqB,EACrB,UAAwB,EAAE;QAE1B,MAAM,IAAI,GAAwB;YAC9B,mBAAmB,EAAE,OAAO,CAAC,iBAAiB,IAAI,IAAI;YACtD,cAAc,EAAE,OAAO;YACvB,YAAY,EAAE,OAAO;YACrB,WAAW;YACX,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;SACjC,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,MAAM,EACN,cAAc,OAAO,WAAW,EAChC,EAAE,IAAI,EAAE,CACX,CAAC;IACN,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,MAAM,CACR,OAAe,EACf,QAAgB,EAChB,MAA2B;QAE3B,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,KAAK,EACL,cAAc,OAAO,aAAa,QAAQ,EAAE,EAC5C,EAAE,IAAI,EAAE,MAAM,EAAE,CACnB,CAAC;IACN,CAAC;IAED,iDAAiD;IACjD,KAAK,CAAC,MAAM,CACR,OAAe,EACf,QAAgB;QAEhB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,QAAQ,EACR,cAAc,OAAO,aAAa,QAAQ,EAAE,CAC/C,CAAC;IACN,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,UAAU,CACZ,OAAe;QAEf,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,KAAK,EACL,cAAc,OAAO,WAAW,CACnC,CAAC;IACN,CAAC;CACJ"}

package/dist/agents.d.ts

@@ -0,0 +1,41 @@
+import type { HttpClient } from "./http";
+import type { CreateAgentRequest, UpdateAgentRequest, AgentResponse, AgentCreatedResponse, AgentListResponse, AgentKeyRotatedResponse, SubmitTransactionRequest, TransactionResponse, TransactionListResponse, OneclawResponse } from "./types";
+/**
+ * Agents resource — register, manage, and rotate keys for AI agents
+ * that interact with the vault programmatically.
+ */
+export declare class AgentsResource {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Register a new agent. Returns the agent record and a one-time API key.
+     * Store the API key securely — it cannot be retrieved again.
+     */
+    create(options: CreateAgentRequest): Promise<OneclawResponse<AgentCreatedResponse>>;
+    /** Fetch a single agent by ID. */
+    get(agentId: string): Promise<OneclawResponse<AgentResponse>>;
+    /** List all agents in the current organization. */
+    list(): Promise<OneclawResponse<AgentListResponse>>;
+    /** Update agent name, scopes, active status, expiry, or crypto proxy setting. */
+    update(agentId: string, update: UpdateAgentRequest): Promise<OneclawResponse<AgentResponse>>;
+    /** Delete an agent permanently. */
+    delete(agentId: string): Promise<OneclawResponse<void>>;
+    /**
+     * Rotate an agent's API key. Returns the new key — store it securely.
+     * The old key is immediately invalidated.
+     */
+    rotateKey(agentId: string): Promise<OneclawResponse<AgentKeyRotatedResponse>>;
+    /**
+     * Submit a transaction intent to be signed by the crypto proxy.
+     * The agent must have `crypto_proxy_enabled: true` and a valid
+     * signing key stored in an accessible vault.
+     *
+     * Returns the signed transaction hex and keccak tx hash.
+     */
+    submitTransaction(agentId: string, tx: SubmitTransactionRequest): Promise<OneclawResponse<TransactionResponse>>;
+    /** Fetch a single transaction by ID. */
+    getTransaction(agentId: string, txId: string): Promise<OneclawResponse<TransactionResponse>>;
+    /** List recent transactions for an agent. */
+    listTransactions(agentId: string): Promise<OneclawResponse<TransactionListResponse>>;
+}
+//# sourceMappingURL=agents.d.ts.map

package/dist/agents.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agents.d.ts","sourceRoot":"","sources":["../src/agents.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,KAAK,EACR,kBAAkB,EAClB,kBAAkB,EAClB,aAAa,EACb,oBAAoB,EACpB,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,EACxB,mBAAmB,EACnB,uBAAuB,EACvB,eAAe,EAClB,MAAM,SAAS,CAAC;AAEjB;;;GAGG;AACH,qBAAa,cAAc;IACX,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,UAAU;IAE7C;;;OAGG;IACG,MAAM,CACR,OAAO,EAAE,kBAAkB,GAC5B,OAAO,CAAC,eAAe,CAAC,oBAAoB,CAAC,CAAC;IAMjD,kCAAkC;IAC5B,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;IAInE,mDAAmD;IAC7C,IAAI,IAAI,OAAO,CAAC,eAAe,CAAC,iBAAiB,CAAC,CAAC;IAIzD,iFAAiF;IAC3E,MAAM,CACR,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,kBAAkB,GAC3B,OAAO,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;IAQ1C,mCAAmC;IAC7B,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IAI7D;;;OAGG;IACG,SAAS,CACX,OAAO,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,uBAAuB,CAAC,CAAC;IASpD;;;;;;OAMG;IACG,iBAAiB,CACnB,OAAO,EAAE,MAAM,EACf,EAAE,EAAE,wBAAwB,GAC7B,OAAO,CAAC,eAAe,CAAC,mBAAmB,CAAC,CAAC;IAQhD,wCAAwC;IAClC,cAAc,CAChB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,mBAAmB,CAAC,CAAC;IAOhD,6CAA6C;IACvC,gBAAgB,CAClB,OAAO,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,uBAAuB,CAAC,CAAC;CAMvD"}

package/dist/agents.js

@@ -0,0 +1,61 @@
+/**
+ * Agents resource — register, manage, and rotate keys for AI agents
+ * that interact with the vault programmatically.
+ */
+export class AgentsResource {
+    constructor(http) {
+        this.http = http;
+    }
+    /**
+     * Register a new agent. Returns the agent record and a one-time API key.
+     * Store the API key securely — it cannot be retrieved again.
+     */
+    async create(options) {
+        return this.http.request("POST", "/v1/agents", {
+            body: options,
+        });
+    }
+    /** Fetch a single agent by ID. */
+    async get(agentId) {
+        return this.http.request("GET", `/v1/agents/${agentId}`);
+    }
+    /** List all agents in the current organization. */
+    async list() {
+        return this.http.request("GET", "/v1/agents");
+    }
+    /** Update agent name, scopes, active status, expiry, or crypto proxy setting. */
+    async update(agentId, update) {
+        return this.http.request("PATCH", `/v1/agents/${agentId}`, { body: update });
+    }
+    /** Delete an agent permanently. */
+    async delete(agentId) {
+        return this.http.request("DELETE", `/v1/agents/${agentId}`);
+    }
+    /**
+     * Rotate an agent's API key. Returns the new key — store it securely.
+     * The old key is immediately invalidated.
+     */
+    async rotateKey(agentId) {
+        return this.http.request("POST", `/v1/agents/${agentId}/rotate-key`);
+    }
+    // ── Crypto Transaction Proxy ───────────────────────────────────────
+    /**
+     * Submit a transaction intent to be signed by the crypto proxy.
+     * The agent must have `crypto_proxy_enabled: true` and a valid
+     * signing key stored in an accessible vault.
+     *
+     * Returns the signed transaction hex and keccak tx hash.
+     */
+    async submitTransaction(agentId, tx) {
+        return this.http.request("POST", `/v1/agents/${agentId}/transactions`, { body: tx });
+    }
+    /** Fetch a single transaction by ID. */
+    async getTransaction(agentId, txId) {
+        return this.http.request("GET", `/v1/agents/${agentId}/transactions/${txId}`);
+    }
+    /** List recent transactions for an agent. */
+    async listTransactions(agentId) {
+        return this.http.request("GET", `/v1/agents/${agentId}/transactions`);
+    }
+}
+//# sourceMappingURL=agents.js.map

package/dist/agents.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agents.js","sourceRoot":"","sources":["../src/agents.ts"],"names":[],"mappings":"AAcA;;;GAGG;AACH,MAAM,OAAO,cAAc;IACvB,YAA6B,IAAgB;QAAhB,SAAI,GAAJ,IAAI,CAAY;IAAG,CAAC;IAEjD;;;OAGG;IACH,KAAK,CAAC,MAAM,CACR,OAA2B;QAE3B,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAuB,MAAM,EAAE,YAAY,EAAE;YACjE,IAAI,EAAE,OAAO;SAChB,CAAC,CAAC;IACP,CAAC;IAED,kCAAkC;IAClC,KAAK,CAAC,GAAG,CAAC,OAAe;QACrB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAgB,KAAK,EAAE,cAAc,OAAO,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,mDAAmD;IACnD,KAAK,CAAC,IAAI;QACN,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAoB,KAAK,EAAE,YAAY,CAAC,CAAC;IACrE,CAAC;IAED,iFAAiF;IACjF,KAAK,CAAC,MAAM,CACR,OAAe,EACf,MAA0B;QAE1B,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,OAAO,EACP,cAAc,OAAO,EAAE,EACvB,EAAE,IAAI,EAAE,MAAM,EAAE,CACnB,CAAC;IACN,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,MAAM,CAAC,OAAe;QACxB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,cAAc,OAAO,EAAE,CAAC,CAAC;IACtE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CACX,OAAe;QAEf,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,MAAM,EACN,cAAc,OAAO,aAAa,CACrC,CAAC;IACN,CAAC;IAED,sEAAsE;IAEtE;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CACnB,OAAe,EACf,EAA4B;QAE5B,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,MAAM,EACN,cAAc,OAAO,eAAe,EACpC,EAAE,IAAI,EAAE,EAAE,EAAE,CACf,CAAC;IACN,CAAC;IAED,wCAAwC;IACxC,KAAK,CAAC,cAAc,CAChB,OAAe,EACf,IAAY;QAEZ,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,KAAK,EACL,cAAc,OAAO,iBAAiB,IAAI,EAAE,CAC/C,CAAC;IACN,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,gBAAgB,CAClB,OAAe;QAEf,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,KAAK,EACL,cAAc,OAAO,eAAe,CACvC,CAAC;IACN,CAAC;CACJ"}

package/dist/api-keys.d.ts

@@ -0,0 +1,20 @@
+import type { HttpClient } from "./http";
+import type { CreateApiKeyRequest, ApiKeyCreatedResponse, ApiKeyListResponse, OneclawResponse } from "./types";
+/**
+ * ApiKeys resource — create, list, and revoke personal API keys
+ * for human users.
+ */
+export declare class ApiKeysResource {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Create a new API key. Returns the full key string once — store it
+     * securely as it cannot be retrieved again.
+     */
+    create(options: CreateApiKeyRequest): Promise<OneclawResponse<ApiKeyCreatedResponse>>;
+    /** List all API keys for the current user (keys are masked). */
+    list(): Promise<OneclawResponse<ApiKeyListResponse>>;
+    /** Revoke (deactivate) an API key by its ID. */
+    revoke(keyId: string): Promise<OneclawResponse<void>>;
+}
+//# sourceMappingURL=api-keys.d.ts.map

package/dist/api-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-keys.d.ts","sourceRoot":"","sources":["../src/api-keys.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,KAAK,EACR,mBAAmB,EACnB,qBAAqB,EACrB,kBAAkB,EAClB,eAAe,EAClB,MAAM,SAAS,CAAC;AAEjB;;;GAGG;AACH,qBAAa,eAAe;IACZ,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,UAAU;IAE7C;;;OAGG;IACG,MAAM,CACR,OAAO,EAAE,mBAAmB,GAC7B,OAAO,CAAC,eAAe,CAAC,qBAAqB,CAAC,CAAC;IAQlD,gEAAgE;IAC1D,IAAI,IAAI,OAAO,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC;IAO1D,gDAAgD;IAC1C,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;CAG9D"}

package/dist/api-keys.js

@@ -0,0 +1,25 @@
+/**
+ * ApiKeys resource — create, list, and revoke personal API keys
+ * for human users.
+ */
+export class ApiKeysResource {
+    constructor(http) {
+        this.http = http;
+    }
+    /**
+     * Create a new API key. Returns the full key string once — store it
+     * securely as it cannot be retrieved again.
+     */
+    async create(options) {
+        return this.http.request("POST", "/v1/auth/api-keys", { body: options });
+    }
+    /** List all API keys for the current user (keys are masked). */
+    async list() {
+        return this.http.request("GET", "/v1/auth/api-keys");
+    }
+    /** Revoke (deactivate) an API key by its ID. */
+    async revoke(keyId) {
+        return this.http.request("DELETE", `/v1/auth/api-keys/${keyId}`);
+    }
+}
+//# sourceMappingURL=api-keys.js.map

package/dist/api-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-keys.js","sourceRoot":"","sources":["../src/api-keys.ts"],"names":[],"mappings":"AAQA;;;GAGG;AACH,MAAM,OAAO,eAAe;IACxB,YAA6B,IAAgB;QAAhB,SAAI,GAAJ,IAAI,CAAY;IAAG,CAAC;IAEjD;;;OAGG;IACH,KAAK,CAAC,MAAM,CACR,OAA4B;QAE5B,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,MAAM,EACN,mBAAmB,EACnB,EAAE,IAAI,EAAE,OAAO,EAAE,CACpB,CAAC;IACN,CAAC;IAED,gEAAgE;IAChE,KAAK,CAAC,IAAI;QACN,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CACpB,KAAK,EACL,mBAAmB,CACtB,CAAC;IACN,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,MAAM,CAAC,KAAa;QACtB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAO,QAAQ,EAAE,qBAAqB,KAAK,EAAE,CAAC,CAAC;IAC3E,CAAC;CACJ"}