@abloatai/ablo 0.11.1 → 0.11.2

package/docs/identity.md

@@ -36,8 +36,8 @@ runnable place, so the concepts below have code to attach to.
 ## Declare it, end to end
 
 The entire declaration surface is: `identityRoles` (who may see what), and on
-each model `scope` / `parent` / `grants` (which group a row fans out on), plus an
-optional `scope` setting on the client (narrowing). Read the three blocks first —
+each model `scope` / `parent` / `grants` (which group a row fans out on), plus
+optional `syncGroups` at session-mint time (narrowing). Read the three blocks first —
 a human gets their `org` / `team` scope, an agent gets one `deck` — then the
 sections after explain each.
 
@@ -84,18 +84,17 @@ export const schema = defineSchema(
 
 ```ts
 // 3. an AGENT run inherits its user, narrowed to the entities in play.
-// Pass the MODEL form — { decks: id } — not a hand-built `deck:<id>` string;
-// the engine derives the group from each model's `scope`. The narrowing lives
-// on the client you build, then the provider mounts it.
-const ablo = Ablo({
-  schema,
-  authEndpoint: '/api/ablo-session',
-  scope: { decks: deckId }, // floor: just the deck it's working on
+// You narrow at SESSION-MINT time: your backend calls `sessions.create` with the
+// agent's allowed `syncGroups`, built from each model's scope via the
+// `syncGroup(kind, id)` helper — never a hand-built `deck:<id>` string. The agent's
+// runtime then connects with the minted token.
+const session = await server.sessions.create({
+  agent: { id: agentId },
+  can: { Deck: ['read', 'update'] },
+  syncGroups: [syncGroup('deck', deckId)], // floor: just the deck it's working on
 });
-
-<AbloProvider client={ablo} userId={user.id /* ceiling: the triggering user */}>
-  {children}
-</AbloProvider>;
+// the agent runtime authenticates with the minted token
+const ablo = Ablo({ schema, apiKey: session.token });
 ```
 
 That's the whole surface. The rest of this doc is the *why* behind each line.
@@ -127,11 +126,12 @@ so you pass them in code when you start the run.
 > **One line:** humans subscribe by who they are; agents subscribe by what
 > they've been given.
 
-That's why you never write per-user scope code, but you always pass an agent's
-scope at the call site. A user's org/team/user don't change per request, so
+That's why you never write per-user scope code, but you always choose an agent's
+groups at the dispatch site. A user's org/team/user don't change per request, so
 their scope is a **rule the schema derives automatically**. An agent's reach
 depends on *what it's working on*, which is only knowable at dispatch — so you
-set its `scope` on the client **at the dispatch site, in code**. The schema's
+pass its `syncGroups` **when your backend mints the agent session**
+(`sessions.create({ agent, can, syncGroups })`). The schema's
 only job for entities is to declare *that* a model is
 entity-scopable and *what its group is named* (`scope: 'deck'` → `deck:{id}`);
 it never declares *which* entities a given agent gets. (A human can opt into the
@@ -305,8 +305,9 @@ server, never by the browser.**
 
 The identity your server resolved is carried by the client you build and the
 `userId` prop. In a Next.js app, resolve the user in a Server Component and pass
-it down. Build the client once (the schema, `teamIds`, and any `scope` narrowing
-live here), then hand it to the provider:
+it down. Build the client once (the schema, `teamIds`, and the `apiKey` resolver
+live here; entity narrowing rides the minted session's `syncGroups`), then hand
+it to the provider:
 
 ```ts
 // lib/ablo.ts
@@ -318,7 +319,10 @@ import { schema } from '@/ablo/schema';
 export function makeAblo(user: { teamIds: string[] }) {
   return Ablo({
     schema,
-    authEndpoint: '/api/ablo-session',
+    // The browser holds no secret — the `apiKey` resolver fetches the
+    // short-lived session token your `/api/ablo-session` route minted, and the
+    // client keeps it fresh before expiry.
+    apiKey: () => fetch('/api/ablo-session').then((r) => r.text()),
     teamIds: user.teamIds,
   });
 }
@@ -354,7 +358,7 @@ What carries identity — and just as importantly, what does *not* set the bound
 | ------------ | ------------------------------------------------------------------------------------------------ |
 | `userId` prop | App-level participant id, used for app-owned fields and read by your `identityRole` `source`. **Not** the security boundary — the server enforces scope from the authenticated request. |
 | `teamIds` (on the client) | Team ids expanded into team sync groups via your `identityRoles`.                   |
-| `scope` (on the client) | Optional. **Narrows** the subscription to a subset of what auth already allows — it can never widen it. Use it to scope a page to one entity (e.g. `{ decks: 'abc123' }`). |
+| `syncGroups` (at session mint) | Optional. **Narrows** a minted session's subscription to a subset of what auth already allows — it can never widen it. Passed to `sessions.create({ user \| agent, syncGroups })`; build entries with `syncGroup(kind, id)`. Use it to scope an agent (or a focused page's session) to one entity, e.g. `[syncGroup('deck', 'abc123')]`. |
 
 Because the server is the boundary, a client that changes `userId` to another
 user's id does not gain their data — the server resolves and enforces the real
@@ -398,20 +402,20 @@ subset of what its user could see:
 
 ```ts
 // agent run triggered by `user`, working on one document + one deck.
-// The narrowing lives on the client; the provider just mounts it.
-const ablo = Ablo({
-  schema,
-  authEndpoint: '/api/ablo-session',
-  // authority narrowed to just the entities in play (the floor).
-  // Model form — keyed by model, resolved to groups via each model's `scope`.
-  scope: { documents: documentId, decks: deckId },
+// Your backend mints the agent session narrowed to just the entities in play
+// (the floor). Build each group from the model's scope with `syncGroup(kind, id)`.
+const session = await server.sessions.create({
+  agent: { id: agentId },
+  can: { Document: ['read', 'update'], Deck: ['read', 'update'] },
+  syncGroups: [syncGroup('document', documentId), syncGroup('deck', deckId)],
 });
-
-// identity inherited from the triggering user (the ceiling)
-<AbloProvider client={ablo} userId={user.id}>
+// identity (the ceiling) is inherited from the triggering user via your
+// session-mint logic; the agent runtime connects with the minted token.
+const ablo = Ablo({ schema, apiKey: session.token });
 ```
 
-As the run touches more entities its set **accretes** to cover them; it never
+As the run touches more entities, claim or read them and the client auto-enrolls
+in their entity groups — its set **accretes** to cover them; it never
 widens past the user's ceiling, and it carries no standing access to entities it
 isn't working on. The `identityRoles` need no agent-specific entry: the agent
 carries the triggering user's `userId`, so the same `user:{id}` role that scopes
@@ -444,52 +448,55 @@ runs the [Coordinating long agent work](../README.md#coordinating-long-agent-wor
 `claim` loop is, to the scoping layer, that same participant — scoped to the row
 it claimed.
 
-## Narrowing to specific entities — the `scope` setting
-
-A human gets their full membership automatically (`identityRoles`). To narrow a
-session — a page on one deck, or an agent pointed at the entities it's working
-on — set `scope` on the client you build (`Ablo({ schema, scope })`). You give it
-the **model and id(s)**; the engine builds the group string from the model's
-`scope` (Half 2), so you never hand-write `deck:<id>`.
-
-`scope` accepts four shapes, all resolved through the schema:
-
-| You pass | Resolves to | Use it for |
-| --- | --- | --- |
-| `{ decks: deckId }` | `deck:<deckId>` | one entity (a page, a focused agent) |
-| `{ decks: [id1, id2] }` | `deck:<id1>`, `deck:<id2>` | several of one model |
-| `{ decks: deckId, documents: docId }` | `deck:<deckId>`, `document:<docId>` | a mix across models |
-| `[{ type: 'Deck', id: deckId }]` | `deck:<deckId>` | entity refs (e.g. from a list) |
-
-```tsx
-// a page on one deck
-const ablo = Ablo({ schema, authEndpoint: '/api/ablo-session', scope: { decks: deckId } });
-<AbloProvider client={ablo} userId={user.id} />;
-
-// an agent working across two decks and a document
-const ablo = Ablo({
-  schema,
-  authEndpoint: '/api/ablo-session',
-  scope: { decks: [deckA, deckB], documents: docId },
-});
-<AbloProvider client={ablo} userId={user.id} />;
-```
-
-The key is the **model** (`decks`), the value is **which id(s)** — the `deck:`
-prefix comes from that model's `scope: 'deck'`, never from a string you compose.
-
-> **`scope` means one thing: sync-group scope.** It appears in two places that
-> are the same concept — the model option `scope: 'deck'` (declares a scope root,
-> [Half 2](#half-2--per-model-scope-row--group)) and this `scope` client setting
-> (subscribe to it). The lifecycle filter on [`list()`](./api.md#model-methods) is a separate
-> axis and is named **`state`** (`'live' | 'archived' | 'all'`, GitHub's
-> open/closed/all), precisely so it doesn't share the word.
-
-> **`scope` requests, it never grants.** At connect, the server intersects your
-> requested groups with what the identity is actually allowed (`requested ∩
-> allowed`). So `scope` only ever *narrows* within a participant's ceiling — an
-> agent can't reach a deck its capability doesn't already permit, no matter what
-> it passes. Smaller bootstrap, less fan-out, same server-enforced boundary.
+## Narrowing to specific entities
+
+A human gets their full membership automatically (`identityRoles`). There are
+three ways to narrow a participant to specific entities — a page on one deck, or
+an agent pointed at the entities it's working on. You **never hand-write**
+`deck:<id>`; build groups from the model's `scope` (Half 2) with the typed
+`syncGroup(kind, id)` helper from `@abloatai/ablo/schema`.
+
+1. **At session mint — `syncGroups`.** When your backend mints a session, pass the
+   exact groups it may subscribe to. This is the floor for a delegated agent (and
+   the way to scope a focused page's session):
+
+   ```ts
+   // an agent working across two decks and a document
+   const session = await server.sessions.create({
+     agent: { id: agentId },
+     can: { Deck: ['read', 'update'], Document: ['read'] },
+     syncGroups: [
+       syncGroup('deck', deckA),
+       syncGroup('deck', deckB),
+       syncGroup('document', docId),
+     ],
+   });
+   const ablo = Ablo({ schema, apiKey: session.token });
+   ```
+
+2. **Automatically, on read or claim.** Reading a row (`retrieve`/`get`/
+   `claim.state`) auto-enrolls the client in that row's entity group
+   (**read-interest**), and `claim`-ing it pins a **write-intent** subscription.
+   So an agent's reachable set **accretes** as it works — no extra subscribe call.
+
+3. **Explicitly, for presence — `watch`.** To hold presence on a known set of rows
+   and react to peers, use the WebSocket-only `ablo.<model>.watch(ids, { ttl })`
+   (it returns a participant handle with `.peers`). See
+   [Coordination](./coordination.md).
+
+> **`scope` is the schema model option, not a client setting.** `scope: 'deck'`
+> in `model(...)` declares a scope root ([Half 2](#half-2--per-model-scope-row--group)) —
+> it names the group (`deck:<id>`) that the mechanisms above then subscribe to.
+> There is no `Ablo({ scope })` constructor option. The lifecycle filter on
+> [`list()`](./api.md#model-methods) is a separate axis named **`state`**
+> (`'live' | 'archived' | 'all'`, GitHub's open/closed/all), precisely so it
+> doesn't share the word.
+
+> **Requested groups never grant.** At connect, the server intersects the session's
+> `syncGroups` with what the identity is actually allowed (`requested ∩ allowed`).
+> So `syncGroups` only ever *narrows* within a participant's ceiling — an agent
+> can't reach a deck its capability doesn't already permit, no matter what it
+> passes. Smaller bootstrap, less fan-out, same server-enforced boundary.
 
 ## How this compares — and the best practices it follows
 
@@ -512,7 +519,7 @@ how to reason about it.
   the room/shape and the server signs off, as in
   [Pusher's channel authorization endpoint](https://pusher.com/docs/channels/server_api/authorizing-users/),
   [ElectricSQL **gatekeeper auth**](https://github.com/electric-sql/electric/blob/main/examples/gatekeeper-auth/README.md),
-  and Liveblocks **access tokens**. Ablo's client `scope` setting is the
+  and Liveblocks **access tokens**. Ablo's session-mint `syncGroups` is the
   *narrowing* half of this — but it can only ever shrink the server-derived set,
   never grow it.
 
@@ -529,10 +536,10 @@ The best practices Ablo inherits from that lineage:
 2. **Trusted vs untrusted claims is the whole security argument.** PowerSync draws
    the line precisely: [token parameters are trusted and usable for access
    control; client parameters are not](https://docs.powersync.com/usage/sync-rules/advanced-topics/client-parameters).
-   In Ablo terms, the identity your server vouches for is the *trusted* claim that
-   sets scope; the `userId` prop and the client's `scope` setting are *untrusted
-   client input* — convenient for app-owned fields and narrowing, but never the
-   boundary. This is why changing `userId` in the browser grants nothing.
+   In Ablo terms, the identity your server vouches for — and the session's
+   `syncGroups`, minted server-side — are the *trusted* claims that set scope; the
+   `userId` prop is *untrusted client input* — convenient for app-owned fields, but
+   never the boundary. This is why changing `userId` in the browser grants nothing.
 
 3. **Scope by a hierarchical naming convention, declared once.** Ablo's `kind:id`
    group naming (`org:…` / `team:…` from `identityRoles`, `deck:…` from a model's

package/docs/integration-guide.md

@@ -44,13 +44,18 @@ objects by hand.
 
 ## Your Database
 
-Every schema model is backed by **your own database**. You expose a signed Data
-Source endpoint; Ablo coordinates each write and your app commits it to your
-Postgres. The SDK call shape is the same everywhere.
+Every schema model is backed by **your own database**. The SDK call shape is the
+same everywhere.
 
-Do not pass a database URL to `Ablo(...)`. Application and agent code use
-`ABLO_API_KEY`. If your database stays canonical, expose a signed Data Source
-endpoint from your app and keep the database credentials inside your app.
+In this guide — an app that already owns its backend and database — keep
+`DATABASE_URL` inside your app and expose a signed Data Source endpoint: Ablo
+coordinates each write and your app commits it to your Postgres. Do not pass
+`databaseUrl` to `Ablo(...)` here; application and agent code use `ABLO_API_KEY`.
+
+If instead you want Ablo to connect to your Postgres directly, pass `databaseUrl`
+(a live, server-only option) to `Ablo(...)`. That and the sandbox-only `apiKey`
+shape are the other two start states — [Connect Your Database](./data-sources.md)
+is the single source of truth for all three.
 
 ## Test With Sandboxes
 
@@ -94,12 +99,13 @@ import { defineSchema, model, z } from '@abloatai/ablo/schema';
 export const schema = defineSchema(
   {
     weatherReports: model({
-      id: z.string(),
+      // Reserved fields (id, createdAt, updatedAt, organizationId, createdBy)
+      // are SDK-provided automatically — never declare them. Declare only your
+      // own fields.
       projectId: z.string(),
       location: z.string(),
       status: z.enum(['pending', 'ready']),
       assigneeId: z.string().nullable(),
-      updatedAt: z.string(),
     }),
   },
   {
@@ -169,7 +175,7 @@ export const ablo = Ablo({
 Browser apps should use the React provider or a scoped session token, not a
 server API key in the bundle. Build the client first, then hand it to the
 provider — `AbloProvider` takes `{ client, userId?, onError?, fallback? }`, and
-nothing else (`schema`, `teamIds`, `scope`, and `authEndpoint` all live on the
+nothing else (`schema`, `teamIds`, and `apiKey` all live on the
 client now).
 
 ```tsx
@@ -179,7 +185,10 @@ import { schema } from '@/ablo/schema';
 
 // The browser never holds the API key. The client mints a short-lived token
 // from your session route (see below) and refreshes it before expiry.
-export const ablo = Ablo({ schema, authEndpoint: '/api/ablo-session' });
+export const ablo = Ablo({
+  schema,
+  apiKey: () => fetch('/api/ablo-session').then((r) => r.text()),
+});
 ```
 
 ```tsx

package/docs/migration.md

@@ -113,6 +113,11 @@ const ablo = Ablo({ schema, apiKey: process.env.ABLO_API_KEY, transport: 'http'
 await ablo.tasks.update({ id, data: { status: 'done' } });
 ```
 
+> **Minting still needs the stateful client.** `sessions.create(...)` is not on
+> the `transport: 'http'` surface. Keep a default-transport `server` client for
+> minting short-lived credentials (see the 0.9.2 example below), and use the
+> http client for the per-request reads and writes.
+
 ---
 
 ## 0.9.2 — `turn` / agent-`tasks` removed; `intents` deprecated
@@ -135,8 +140,10 @@ helper, and the agent/task type family (`Agent`, `AgentOptions`,
 ```diff
 - const turn = await engine.beginTurn();
 - await Ablo({ apiKey }).agent(agentId, opts).run(prompt, handler);
-+ // Mint a scoped credential, then claim + write under it.
-+ const { token } = await ablo.sessions.create({ agent: { id: agentId } });
++ // Mint a scoped credential from a stateful (default-transport) server client —
++ // sessions.create lives on the stateful client, not on transport: 'http'.
++ const server = Ablo({ schema, apiKey: process.env.ABLO_API_KEY });
++ const { token } = await server.sessions.create({ agent: { id: agentId } });
 + const agent = Ablo({ schema, apiKey: token });
 + await using claim = await agent.tasks.claim({ id });
 + await agent.tasks.update({ id, data: { status: 'done' }, wait: 'confirmed' });

package/docs/quickstart.md

@@ -57,6 +57,9 @@ export const schema = defineSchema({
 });
 ```
 
+**Reserved fields** — `id`, `createdAt`, `updatedAt`, `organizationId`, and
+`createdBy` are provided by the SDK automatically. Don't declare them in your
+`model(...)` fields; declare only your own.
 
 The schema is registered once (init scaffolds `ablo/register.ts` for you), and
 every type is one parameter away — no `typeof schema` re-stating, anywhere:
@@ -210,8 +213,9 @@ and you write the usual way with `ablo.<model>.update({ id, data })`.
 Claims don't lock. If another writer holds the row, `claim` waits for them,
 re-reads the fresh row, then hands it to you — so two writers serialize instead
 of clobbering. Normal reads still work while the claim is held. If a server read
-should not return a row while someone else is mid-edit, pass `ifClaimed: 'wait'`
-to wait for the claim to clear, or `ifClaimed: 'fail'` to error out instead.
+should not return a row while someone else is mid-edit, pass `ifClaimed: 'fail'`
+to error out instead. Reads never block on a claim — to wait for a row to free
+up, `claim({ id })` it (the claim queues fairly behind the holder).
 Call `handle.release()` when your work is done.
 
 ```ts

package/docs/react.md

@@ -31,7 +31,7 @@ import { schema } from '@/ablo/schema';
 // from your own server route (see Identity below).
 export const ablo = Ablo({
   schema,
-  authEndpoint: '/api/ablo-session',
+  apiKey: () => fetch('/api/ablo-session').then((r) => r.text()),
 });
 ```
 
@@ -65,13 +65,13 @@ export function Providers({
 
 | Prop        | Default          | Purpose                                                                                                   |
 | ----------- | ---------------- | --------------------------------------------------------------------------------------------------------- |
-| `client`    | —                | **Required.** The `Ablo({ schema, authEndpoint })` instance. It carries the schema and connection config. |
+| `client`    | —                | **Required.** The `Ablo({ schema, apiKey })` instance. It carries the schema and connection config. |
 | `userId`    | resolved from auth | App participant id for app-owned fields and your `identityRoles`. Not the security boundary.            |
 | `fallback`  | neutral spinner  | Rendered during the *first* bootstrap only. Pass a branded skeleton, `null`, or `'passthrough'`.          |
 | `onError`   | —                | Engine / WebSocket / bootstrap errors. Wire to Sentry / Datadog.                                          |
 
 Everything that used to be a provider prop — `schema`, `url`, `apiKey`,
-`teamIds`, `syncGroups`/`scope`, `persistence`, `bootstrapMode` — now lives on
+`teamIds`, `syncGroups`, `persistence`, `bootstrapMode` — now lives on
 the `Ablo({ ... })` client you build before mounting the provider. Where the
 identity comes from, and why the API key never reaches the browser, is the whole
 of [Identity & Sync Groups](./identity.md) — read that if it isn't obvious how

package/docs/schema-contract.md

@@ -49,6 +49,20 @@ The model key (`weatherReports`) becomes the client namespace
 contract. You should not create a parallel string-keyed write path for the same
 data.
 
+### Reserved fields
+
+The SDK provides these on every row automatically — do **not** declare them in
+your `model(...)` fields:
+
+- `id`
+- `createdAt`
+- `updatedAt`
+- `organizationId`
+- `createdBy`
+
+Declare only your own fields; the reserved ones are still present on the row and
+readable, you just don't author them.
+
 ## Reads and writes
 
 Use async reads when the row may not be local:
@@ -88,12 +102,16 @@ the fresh row. Reads stay open; only acting on the row serializes.
 
 ## Storage boundary
 
-Every schema model is backed by your own database through a Data Source — Ablo
-coordinates each write and your app commits it to your Postgres.
+Every schema model is backed by your own database. There are three start states,
+all covered in [Connect Your Database](./data-sources.md) (the single source of
+truth): the sandbox (`apiKey` only, no database), a direct connection string
+(`databaseUrl` passed to `Ablo(...)`, a live, server-only option), or a signed
+Data Source endpoint where your app keeps the database credential and commits
+each write itself.
 
-Do not pass a database URL to `Ablo(...)`. Trusted runtimes use `ABLO_API_KEY`.
-Browser code goes through `<AbloProvider>` or a scoped session route, never a raw
-API key.
+If your database stays canonical behind a Data Source endpoint, do not pass
+`databaseUrl` to `Ablo(...)` — trusted runtimes use `ABLO_API_KEY`. Browser code
+goes through `<AbloProvider>` or a scoped session route, never a raw API key.
 
 ## Rules of thumb
 

package/llms-full.txt

@@ -39,9 +39,9 @@ Use `snapshot(...)` and `readAt` when an agent write depends on state it already
 read. `onStale: 'reject'` prevents lost updates by rejecting if the target
 changed after the snapshot.
 
-Claims are live coordination signals, not database locks. Schema clients wait
-from the realtime claim stream. Schema-less HTTP clients must pass an explicit
-`claimedPollInterval` for `ifClaimed: 'wait'`; no hidden hard-coded polling.
+Claims are live coordination signals, not database locks. Reads never block on a
+claim — to wait for a row to free up, `claim({ id })` it and the claim queues
+fairly behind the current holder.
 
 Agent run bookkeeping is internal. Most users should not create run ledger
 records or scoped access credentials manually.
@@ -307,7 +307,10 @@ common agent path.
 
 ## Model
 
-Every model read returns state plus coordination metadata:
+The read shape depends on whether the client has a local graph:
+
+- The stateful `ablo.<model>.retrieve({ id })` returns the BARE row (`T | undefined`), and `list({ where })` returns `T[]`. Read coordination metadata (state watermark, active claims) separately via `ablo.snapshot(...)` and `ablo.<model>.claim.state({ id })`.
+- The stateless HTTP / `.model(name)` `retrieve({ id })` returns a `ModelRead<T>` envelope because it has no local graph to carry the watermark; `list({ where })` still returns `T[]`.
 
 ```ts
 type ModelRead<T> = {
@@ -317,32 +320,31 @@ type ModelRead<T> = {
 };
 ```
 
-`stamp` is the state watermark. Pass it to writes as `readAt`.
+`stamp` is the state watermark. Pass it to writes as `readAt` (from `ablo.snapshot(...)` on the stateful client, or from the envelope on the HTTP client).
 
 `claims` lists active work on the target. Reads are allowed while another participant is working. The caller decides whether to return, fail, or wait.
 
 ## Claimed Behavior
 
-Claimed behavior is explicit:
+Claimed behavior is explicit, and there are only two policies:
 
-- `ifClaimed: 'return'` returns the current claims with the read.
+- `ifClaimed: 'return'` (the default) returns the row plus the current claims with the read.
 - `ifClaimed: 'fail'` throws `AbloClaimedError`.
-- `ifClaimed: 'wait'` waits for matching claims to clear.
-
-Schema clients use the realtime claim stream for waits.
 
-Schema-less HTTP clients cannot know when a claim clears unless the caller opts into polling. When using `ifClaimed: 'wait'` over HTTP, provide `claimedPollInterval` and usually `claimedTimeout`.
+Reads never block on a claim. To wait for a row to free up, `claim({ id })` it —
+the claim queues fairly behind the current holder and is granted when the row
+frees. Use `ifClaimed: 'fail'` when you'd rather refuse to read a claimed row.
 
 ```ts
+// Read a claimed row without blocking, surfacing who holds it:
 await api.model('reports').retrieve({
   id: 'report_stockholm',
-  ifClaimed: 'wait',
-  claimedPollInterval: 1_000,
-  claimedTimeout: 30_000,
+  ifClaimed: 'return',
 });
-```
 
-No hidden hard-coded claimed polling. `claimedTimeout` is a maximum wait, not the coordination mechanism.
+// Or wait for it to free up by queueing your own claim:
+await api.model('reports').claim({ id: 'report_stockholm' });
+```
 
 ## Write
 

package/llms.txt

@@ -99,13 +99,13 @@ coordination until the app reports it through Data Source events.
 ## Claimed Behavior
 
 Reads never silently block. Schema reads stay open while a row is claimed.
-Server reads through `ablo.model(name)` can pass `ifClaimed: 'return'` to
-receive active claims, `ifClaimed: 'fail'` to throw `AbloClaimedError`, or
-`ifClaimed: 'wait'` to wait until the active claim clears.
+Server reads through `ablo.model(name)` can pass `ifClaimed: 'return'` (the
+default — returns the row plus active claim metadata) or `ifClaimed: 'fail'`
+to throw `AbloClaimedError`.
 
-Schema clients learn when a claim clears by listening to the live claim stream, so they don't need to poll. Schema-less HTTP callers must provide an explicit `claimedPollInterval` when using `ifClaimed: 'wait'`; Ablo does not hide a hard-coded polling loop.
-
-Use `claimedTimeout` only as a maximum wait, not as the coordination mechanism.
+Reads never block on a claim. To wait for a row to free up, `claim({ id })` it —
+the claim queues fairly behind the current holder and is granted when the row
+frees. Use `ifClaimed: 'fail'` when you'd rather refuse to read a claimed row.
 
 ## Guarantees
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abloatai/ablo",
-  "version": "0.11.1",
+  "version": "0.11.2",
   "description": "The Collaboration Layer For AI Agents",
   "license": "Apache-2.0",
   "type": "module",

package/dist/api/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Internal compatibility entrypoint for the stateless hosted protocol client.
- *
- * Use this build for serverless functions, scripts, and backends that want
- * model reads/writes and commits over HTTP without the realtime sync runtime.
- */
-export { createProtocolClient, createProtocolClient as Ablo, type AbloApi, type AbloApiClientOptions, type AbloApiClaims, type Capability, type CapabilityCreateOptions, type CapabilityParticipantKind, type CapabilityRecord, type CapabilityResource, type CapabilityRevocation, type CapabilityScope, } from '../client/ApiClient.js';
-export type { CommitCreateOptions, CommitOperationInput, CommitReceipt, CommitWait, ClaimCreateOptions, ClaimHandle, ClaimWaitOptions, ClaimedOptions, IfClaimedPolicy, ModelClient, ModelClaim, ModelMutationOptions, ModelReadOptions, ModelRead, ModelTarget, } from '../client/Ablo.js';
-import { createProtocolClient } from '../client/ApiClient.js';
-export default createProtocolClient;

package/dist/api/index.js

@@ -1,9 +0,0 @@
-/**
- * Internal compatibility entrypoint for the stateless hosted protocol client.
- *
- * Use this build for serverless functions, scripts, and backends that want
- * model reads/writes and commits over HTTP without the realtime sync runtime.
- */
-export { createProtocolClient, createProtocolClient as Ablo, } from '../client/ApiClient.js';
-import { createProtocolClient } from '../client/ApiClient.js';
-export default createProtocolClient;

package/dist/principal.d.ts

@@ -1,44 +0,0 @@
-/**
- * Principal constructors — a thin typed façade over the raw
- * `SessionRef` / `AgentRef` shapes so call sites don't have to memorize
- * the discriminated-union tags.
- *
- * ```ts
- * import Ablo, { session } from '@abloatai/ablo';
- *
- * const ablo = Ablo({ schema, apiKey });
- * const participant = await ablo.participants.join({
- *   type: 'Matter',
- *   id: 'deal-1',
- * });
- * ```
- *
- * Browser-human flows use `session(...)`. Agent-spawn-agent flows use
- * `agent(...)`, but those rarely appear in customer code because the
- * participant layer handles attenuation.
- *
- * These are pure — no I/O, no hidden state. If the shape ever grows a
- * required field (say, a scope hint for the restricted key), the helper
- * is the one place to flag migrations.
- */
-import type { AgentRef, SessionRef } from './types/streams.js';
-/**
- * Build a `SessionRef` from the identifiers your auth system already
- * holds. Typical inputs: the Better Auth session id, the user id, and
- * the organization the session is scoped to.
- */
-export declare function session(params: {
-    id: string;
-    userId: string;
-    organizationId: string;
-}): SessionRef;
-/**
- * Build an `AgentRef` from an agent id + the capability token that
- * authenticates it. Rare in application code — the common path is
- * `participant.join(child)` where the parent's token is attenuated
- * automatically.
- */
-export declare function agent(params: {
-    id: string;
-    capabilityToken: string;
-}): AgentRef;