@agent-os-sdk/client 0.1.2 → 0.2.1

package/dist/client/AgentOsClient.d.ts

@@ -2,24 +2,29 @@
  * Agent OS SDK - Main Client
  *
  * Fully typed API client for Agent OS platform.
- * All HTTP calls must go through this client.
+ * Supports both API Token (server) and JWT (browser) authentication.
  *
  * @example
  * ```ts
+ * // API Token (server-to-server)
  * const api = new AgentOsClient({
- *   baseUrl: "http://localhost:5000",
- *   tenantId: "...",
- *   workspaceId: "...",
- *   token: "...",
+ *   baseUrl: "https://api.agentos.io",
+ *   auth: { type: "api_token", apiKey: "aosk_live_xxx" }
  * });
  *
- * const run = await api.runs.create({
- *   agent_id: "...",
- *   input: { message: "Hello" },
+ * // JWT (browser)
+ * const api = new AgentOsClient({
+ *   baseUrl: "https://api.agentos.io",
+ *   auth: {
+ *     type: "jwt",
+ *     getToken: () => supabase.auth.getSession().then(s => s.data.session?.access_token),
+ *     getWorkspaceId: () => localStorage.getItem("agentos.workspaceId")!
+ *   }
  * });
  * ```
  */
 import { type RawClient } from "./raw.js";
+import { type AgentOsClientOptions, type AgentOsClientOptionsLegacy } from "./auth.js";
 import { AgentsModule } from "../modules/agents.js";
 import { RunsModule } from "../modules/runs.js";
 import { ThreadsModule } from "../modules/threads.js";
@@ -58,28 +63,17 @@ import { BudgetsModule } from "../modules/budgets.js";
 import { DeploymentsModule } from "../modules/deployments.js";
 import { IncidentsModule } from "../modules/incidents.js";
 import { ArtifactsModule } from "../modules/artifacts.js";
-export type AgentOsClientOptions = {
-    /** Base URL of the Agent OS API (Control Plane) */
-    baseUrl: string;
-    /** Tenant ID (multi-tenant) */
-    tenantId: string;
-    /** Workspace ID */
-    workspaceId: string;
-    /** Optional auth token */
-    token?: string;
-    /** Optional member ID (for identity header) */
-    memberId?: string;
-    /** Custom headers */
-    headers?: Record<string, string>;
-};
+export type { AgentOsClientOptions, AgentOsClientOptionsLegacy, AuthProvider } from "./auth.js";
+export { isApiTokenAuth, isJwtAuth, isNewAuthOptions } from "./auth.js";
 export declare class AgentOsClient {
     private readonly _client;
     private readonly _baseUrl;
-    private readonly _tenantId;
-    private readonly _workspaceId;
+    private readonly _auth;
+    private readonly _customHeaders;
+    private readonly _tenantId?;
+    private readonly _workspaceId?;
     private readonly _token?;
     private readonly _memberId?;
-    private readonly _customHeaders;
     /** Agents API: CRUD, versions, graph */
     readonly agents: AgentsModule;
     /** Runs API: create, stream, cancel, resume, replay */
@@ -138,47 +132,48 @@ export declare class AgentOsClient {
     readonly metrics: MetricsModule;
     /** Graphs API: Validation and introspection */
     readonly graphs: GraphsModule;
-    /** Handoff API: Multi-agent delegation */
     readonly handoff: HandoffModule;
-    /** Flows API: Workflow orchestration */
     readonly flows: FlowsModule;
-    /** Capabilities API: Agent/run permissions */
     readonly capabilities: CapabilitiesModule;
-    /** Policies API: Governance rules */
     readonly policies: PoliciesModule;
-    /** Approvals API: Human-in-the-loop */
     readonly approvals: ApprovalsModule;
-    /** Budgets API: Cost control */
     readonly budgets: BudgetsModule;
-    /** Deployments API: Release management */
     readonly deployments: DeploymentsModule;
-    /** Incidents API: Operational incidents & SLOs */
     readonly incidents: IncidentsModule;
-    /** Artifacts API: Output management */
     readonly artifacts: ArtifactsModule;
-    /**
-     * Alias for evaluation.listExperiments() - provides first-level access to experiments
-     * @example client.experiments.list() // same as client.evaluation.listExperiments()
-     */
     readonly experiments: {
         list: EvaluationModule["listExperiments"];
         get: EvaluationModule["getExperiment"];
         create: EvaluationModule["createExperiment"];
     };
-    /**
-     * Alias for agents.listVersions() - provides first-level access to agent versions
-     */
     readonly agentVersions: {
         list: (agentId: string) => ReturnType<AgentsModule["listVersions"]>;
         get: (agentId: string, versionId: string) => ReturnType<AgentsModule["getVersion"]>;
         create: (agentId: string, body: Parameters<AgentsModule["createVersion"]>[1]) => ReturnType<AgentsModule["createVersion"]>;
     };
-    constructor(options: AgentOsClientOptions);
+    constructor(options: AgentOsClientOptions | AgentOsClientOptionsLegacy);
+    /**
+     * Validate auth configuration
+     */
+    private _validateAuth;
+    /**
+     * Get headers for current request (sync version for modules)
+     */
     private _getHeaders;
-    /** Current tenant ID */
+    /**
+     * Get headers for current request (async version - resolves auth functions)
+     */
+    getHeadersAsync(): Promise<Record<string, string>>;
+    /**
+     * Get workspace ID synchronously (for modules that need it)
+     */
+    private _getWorkspaceIdSync;
+    /** Current tenant ID (legacy) */
     get tenantId(): string;
-    /** Current workspace ID */
+    /** Current workspace ID (legacy) */
     get workspaceId(): string;
+    /** Auth provider type */
+    get authType(): "api_token" | "jwt" | "legacy";
     /** Raw HTTP client (use modules instead) */
     get raw(): RawClient;
 }

package/dist/client/AgentOsClient.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AgentOsClient.d.ts","sourceRoot":"","sources":["../../src/client/AgentOsClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAG5D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAGpD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAE1D,MAAM,MAAM,oBAAoB,GAAG;IAC/B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAEhB,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAC;IAEjB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IAEpB,0BAA0B;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC,CAAC;AAEF,qBAAa,aAAa;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAY;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAyB;IAIxD,wCAAwC;IACxC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,uDAAuD;IACvD,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,kDAAkD;IAClD,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,uCAAuC;IACvC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,wCAAwC;IACxC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,oCAAoC;IACpC,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,6DAA6D;IAC7D,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,4CAA4C;IAC5C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,mCAAmC;IACnC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,2CAA2C;IAC3C,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IAGtC,kCAAkC;IAClC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,qCAAqC;IACrC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,iCAAiC;IACjC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,iDAAiD;IACjD,QAAQ,CAAC,YAAY,EAAE,kBAAkB,CAAC;IAC1C,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,6CAA6C;IAC7C,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,wCAAwC;IACxC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,qCAAqC;IACrC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,iCAAiC;IACjC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,mCAAmC;IACnC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,4BAA4B;IAC5B,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,kCAAkC;IAClC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,sCAAsC;IACtC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC;IACtB,mCAAmC;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,sCAAsC;IACtC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,+CAA+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAG9B,0CAA0C;IAC1C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,wCAAwC;IACxC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,8CAA8C;IAC9C,QAAQ,CAAC,YAAY,EAAE,kBAAkB,CAAC;IAC1C,qCAAqC;IACrC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,uCAAuC;IACvC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,gCAAgC;IAChC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,0CAA0C;IAC1C,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,kDAAkD;IAClD,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,uCAAuC;IACvC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IAGpC;;;OAGG;IACH,QAAQ,CAAC,WAAW,EAAE;QAClB,IAAI,EAAE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;QAC1C,GAAG,EAAE,gBAAgB,CAAC,eAAe,CAAC,CAAC;QACvC,MAAM,EAAE,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;KAChD,CAAC;IAEF;;OAEG;IACH,QAAQ,CAAC,aAAa,EAAE;QACpB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,UAAU,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC;QACpE,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,UAAU,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,CAAC;QACpF,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;KAC9H,CAAC;gBAEU,OAAO,EAAE,oBAAoB;IA2EzC,OAAO,CAAC,WAAW;IAmBnB,wBAAwB;IACxB,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,2BAA2B;IAC3B,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,4CAA4C;IAC5C,IAAI,GAAG,IAAI,SAAS,CAEnB;CACJ"}
+{"version":3,"file":"AgentOsClient.d.ts","sourceRoot":"","sources":["../../src/client/AgentOsClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EACH,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,EAOlC,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAG5D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAGpD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAG1D,YAAY,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAChG,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAExE,qBAAa,aAAa;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAY;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAyB;IAGxD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IAGpC,wCAAwC;IACxC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,uDAAuD;IACvD,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,kDAAkD;IAClD,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,uCAAuC;IACvC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,wCAAwC;IACxC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,oCAAoC;IACpC,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,6DAA6D;IAC7D,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,4CAA4C;IAC5C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,mCAAmC;IACnC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,2CAA2C;IAC3C,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IAGtC,kCAAkC;IAClC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,qCAAqC;IACrC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,iCAAiC;IACjC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,iDAAiD;IACjD,QAAQ,CAAC,YAAY,EAAE,kBAAkB,CAAC;IAC1C,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,6CAA6C;IAC7C,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,wCAAwC;IACxC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;IACtC,qCAAqC;IACrC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,iCAAiC;IACjC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,mCAAmC;IACnC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,4BAA4B;IAC5B,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,kCAAkC;IAClC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,sCAAsC;IACtC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC;IACtB,mCAAmC;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,sCAAsC;IACtC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,+CAA+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAG9B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,kBAAkB,CAAC;IAC1C,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IAGpC,QAAQ,CAAC,WAAW,EAAE;QAClB,IAAI,EAAE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;QAC1C,GAAG,EAAE,gBAAgB,CAAC,eAAe,CAAC,CAAC;QACvC,MAAM,EAAE,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;KAChD,CAAC;IAEF,QAAQ,CAAC,aAAa,EAAE;QACpB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,UAAU,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC;QACpE,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,UAAU,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,CAAC;QACpF,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;KAC9H,CAAC;gBAEU,OAAO,EAAE,oBAAoB,GAAG,0BAA0B;IAmGtE;;OAEG;IACH,OAAO,CAAC,aAAa;IAarB;;OAEG;IACH,OAAO,CAAC,WAAW;IA0CnB;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAmDxD;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAI3B,iCAAiC;IACjC,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,oCAAoC;IACpC,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,yBAAyB;IACzB,IAAI,QAAQ,IAAI,WAAW,GAAG,KAAK,GAAG,QAAQ,CAG7C;IAED,4CAA4C;IAC5C,IAAI,GAAG,IAAI,SAAS,CAEnB;CACJ"}

package/dist/client/AgentOsClient.js

@@ -2,24 +2,29 @@
  * Agent OS SDK - Main Client
  *
  * Fully typed API client for Agent OS platform.
- * All HTTP calls must go through this client.
+ * Supports both API Token (server) and JWT (browser) authentication.
  *
  * @example
  * ```ts
+ * // API Token (server-to-server)
  * const api = new AgentOsClient({
- *   baseUrl: "http://localhost:5000",
- *   tenantId: "...",
- *   workspaceId: "...",
- *   token: "...",
+ *   baseUrl: "https://api.agentos.io",
+ *   auth: { type: "api_token", apiKey: "aosk_live_xxx" }
  * });
  *
- * const run = await api.runs.create({
- *   agent_id: "...",
- *   input: { message: "Hello" },
+ * // JWT (browser)
+ * const api = new AgentOsClient({
+ *   baseUrl: "https://api.agentos.io",
+ *   auth: {
+ *     type: "jwt",
+ *     getToken: () => supabase.auth.getSession().then(s => s.data.session?.access_token),
+ *     getWorkspaceId: () => localStorage.getItem("agentos.workspaceId")!
+ *   }
  * });
  * ```
  */
 import { createRawClient } from "./raw.js";
+import { isNewAuthOptions, isApiTokenAuth, isJwtAuth, isApiToken, isBrowser, } from "./auth.js";
 import { AgentsModule } from "../modules/agents.js";
 import { RunsModule } from "../modules/runs.js";
 import { ThreadsModule } from "../modules/threads.js";
@@ -60,14 +65,17 @@ import { BudgetsModule } from "../modules/budgets.js";
 import { DeploymentsModule } from "../modules/deployments.js";
 import { IncidentsModule } from "../modules/incidents.js";
 import { ArtifactsModule } from "../modules/artifacts.js";
+export { isApiTokenAuth, isJwtAuth, isNewAuthOptions } from "./auth.js";
 export class AgentOsClient {
     _client;
     _baseUrl;
+    _auth;
+    _customHeaders;
+    // Legacy fields (for backwards compat)
     _tenantId;
     _workspaceId;
     _token;
     _memberId;
-    _customHeaders;
     // Core modules
     /** Agents API: CRUD, versions, graph */
     agents;
@@ -128,49 +136,55 @@ export class AgentOsClient {
     metrics;
     /** Graphs API: Validation and introspection */
     graphs;
-    // MOCK - Future modules (marked for replacement when backend is ready)
-    /** Handoff API: Multi-agent delegation */
+    // MOCK - Future modules
     handoff;
-    /** Flows API: Workflow orchestration */
     flows;
-    /** Capabilities API: Agent/run permissions */
     capabilities;
-    /** Policies API: Governance rules */
     policies;
-    /** Approvals API: Human-in-the-loop */
     approvals;
-    /** Budgets API: Cost control */
     budgets;
-    /** Deployments API: Release management */
     deployments;
-    /** Incidents API: Operational incidents & SLOs */
     incidents;
-    /** Artifacts API: Output management */
     artifacts;
-    // ======================== Convenience Aliases ========================
-    /**
-     * Alias for evaluation.listExperiments() - provides first-level access to experiments
-     * @example client.experiments.list() // same as client.evaluation.listExperiments()
-     */
+    // Convenience Aliases
     experiments;
-    /**
-     * Alias for agents.listVersions() - provides first-level access to agent versions
-     */
     agentVersions;
     constructor(options) {
         this._baseUrl = options.baseUrl;
-        this._tenantId = options.tenantId;
-        this._workspaceId = options.workspaceId;
-        this._token = options.token;
-        this._memberId = options.memberId;
         this._customHeaders = options.headers ?? {};
+        // Detect auth mode
+        if (isNewAuthOptions(options)) {
+            // New auth provider mode
+            this._auth = options.auth;
+            this._validateAuth(options);
+        }
+        else {
+            // Legacy mode - convert to new auth if possible
+            this._tenantId = options.tenantId;
+            this._workspaceId = options.workspaceId;
+            this._token = options.token;
+            this._memberId = options.memberId;
+            // Attempt to detect auth type from token
+            if (options.token && isApiToken(options.token)) {
+                // Token looks like API token - use as api_token
+                this._auth = { type: "api_token", apiKey: options.token };
+                console.warn("[AgentOS SDK] Using legacy options with API token. " +
+                    "Consider migrating to: new AgentOsClient({ auth: { type: 'api_token', apiKey: '...' } })");
+            }
+            else {
+                // Legacy JWT mode - keep using headers
+                this._auth = null;
+            }
+        }
+        // Create raw HTTP client
         this._client = createRawClient({
             baseUrl: options.baseUrl,
-            headers: this._getHeaders(),
+            headers: {}, // Headers resolved dynamically
         });
+        // Bound header getter
         const getHeaders = () => this._getHeaders();
-        const getWorkspaceId = () => this._workspaceId;
-        const getTenantId = () => this._tenantId;
+        const getWorkspaceId = () => this._getWorkspaceIdSync();
+        const getTenantId = () => this._tenantId ?? "";
         // Initialize core modules
         this.agents = new AgentsModule(this._client, getHeaders);
         this.runs = new RunsModule(this._client, this._baseUrl, getHeaders);
@@ -224,28 +238,132 @@ export class AgentOsClient {
             create: (agentId, body) => this.agents.createVersion(agentId, body),
         };
     }
+    /**
+     * Validate auth configuration
+     */
+    _validateAuth(options) {
+        const { auth, allowApiTokenInBrowser } = options;
+        // Browser guard for API tokens
+        if (isApiTokenAuth(auth) && isBrowser() && !allowApiTokenInBrowser) {
+            throw new Error("[AgentOS SDK] API tokens should not be used in the browser. " +
+                "They may be exposed in network requests. " +
+                "Use JWT auth for browser clients, or set allowApiTokenInBrowser: true if you understand the risks.");
+        }
+    }
+    /**
+     * Get headers for current request (sync version for modules)
+     */
     _getHeaders() {
         const headers = {
             "Content-Type": "application/json",
-            "X-Tenant-Id": this._tenantId,
-            "X-Workspace-Id": this._workspaceId,
             ...this._customHeaders,
         };
-        if (this._token) {
-            headers["Authorization"] = `Bearer ${this._token}`;
+        if (this._auth) {
+            // New auth mode
+            if (isApiTokenAuth(this._auth)) {
+                // API Token: Only Authorization header
+                const apiKey = typeof this._auth.apiKey === "function"
+                    ? "" // Will be resolved async
+                    : this._auth.apiKey;
+                if (apiKey) {
+                    headers["Authorization"] = `Bearer ${apiKey}`;
+                }
+                // NO X-Tenant-Id, NO X-Workspace-Id (backend resolves from claims)
+            }
+            else if (isJwtAuth(this._auth)) {
+                // JWT: Authorization + X-Workspace-Id
+                // Note: For sync header getter, we use empty strings as placeholders
+                // The actual values are resolved in _getHeadersAsync
+                // This is a limitation of the current module architecture
+            }
         }
-        if (this._memberId) {
-            headers["X-Member-Id"] = this._memberId;
+        else {
+            // Legacy mode - use stored values
+            if (this._token) {
+                headers["Authorization"] = `Bearer ${this._token}`;
+            }
+            if (this._tenantId) {
+                headers["X-Tenant-Id"] = this._tenantId;
+            }
+            if (this._workspaceId) {
+                headers["X-Workspace-Id"] = this._workspaceId;
+            }
+            if (this._memberId) {
+                headers["X-Member-Id"] = this._memberId;
+            }
         }
         return headers;
     }
-    /** Current tenant ID */
+    /**
+     * Get headers for current request (async version - resolves auth functions)
+     */
+    async getHeadersAsync() {
+        const headers = {
+            "Content-Type": "application/json",
+            ...this._customHeaders,
+        };
+        if (this._auth) {
+            if (isApiTokenAuth(this._auth)) {
+                // API Token
+                const apiKey = typeof this._auth.apiKey === "function"
+                    ? await this._auth.apiKey()
+                    : this._auth.apiKey;
+                headers["Authorization"] = `Bearer ${apiKey}`;
+                // NO X-Tenant-Id, NO X-Workspace-Id
+            }
+            else if (isJwtAuth(this._auth)) {
+                // JWT
+                const [token, workspaceId] = await Promise.all([
+                    this._auth.getToken(),
+                    this._auth.getWorkspaceId(),
+                ]);
+                if (!token) {
+                    throw new Error("[AgentOS SDK] JWT token not available. User may not be authenticated.");
+                }
+                if (!workspaceId) {
+                    throw new Error("[AgentOS SDK] Workspace ID not available. Please select a workspace first.");
+                }
+                headers["Authorization"] = `Bearer ${token}`;
+                headers["X-Workspace-Id"] = workspaceId;
+                // NO X-Tenant-Id (backend derives from workspace membership)
+            }
+        }
+        else {
+            // Legacy mode
+            if (this._token) {
+                headers["Authorization"] = `Bearer ${this._token}`;
+            }
+            if (this._tenantId) {
+                headers["X-Tenant-Id"] = this._tenantId;
+            }
+            if (this._workspaceId) {
+                headers["X-Workspace-Id"] = this._workspaceId;
+            }
+            if (this._memberId) {
+                headers["X-Member-Id"] = this._memberId;
+            }
+        }
+        return headers;
+    }
+    /**
+     * Get workspace ID synchronously (for modules that need it)
+     */
+    _getWorkspaceIdSync() {
+        return this._workspaceId ?? "";
+    }
+    /** Current tenant ID (legacy) */
     get tenantId() {
-        return this._tenantId;
+        return this._tenantId ?? "";
     }
-    /** Current workspace ID */
+    /** Current workspace ID (legacy) */
     get workspaceId() {
-        return this._workspaceId;
+        return this._workspaceId ?? "";
+    }
+    /** Auth provider type */
+    get authType() {
+        if (!this._auth)
+            return "legacy";
+        return this._auth.type;
     }
     /** Raw HTTP client (use modules instead) */
     get raw() {

package/dist/client/auth.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Auth Provider Types for Agent OS SDK
+ *
+ * Supports two modes:
+ * - JWT (browser): Uses Supabase JWT + workspace header
+ * - API Token (server): Uses aosk_* token with embedded claims
+ */
+/**
+ * API Token authentication for server-to-server integrations.
+ * Token format: aosk_live_* or aosk_test_*
+ *
+ * @example
+ * ```ts
+ * const client = new AgentOsClient({
+ *   baseUrl: "https://api.example.com",
+ *   auth: { type: "api_token", apiKey: "aosk_live_xxx" }
+ * })
+ * ```
+ */
+export type ApiTokenAuth = {
+    type: "api_token";
+    /** API key (aosk_*) or function that returns one */
+    apiKey: string | (() => string | Promise<string>);
+};
+/**
+ * JWT authentication for browser/frontend clients.
+ * Uses Supabase JWT with workspace header.
+ *
+ * @example
+ * ```ts
+ * const client = new AgentOsClient({
+ *   baseUrl: "https://api.example.com",
+ *   auth: {
+ *     type: "jwt",
+ *     getToken: async () => (await supabase.auth.getSession()).data.session?.access_token,
+ *     getWorkspaceId: () => localStorage.getItem("agentos.workspaceId")!,
+ *   }
+ * })
+ * ```
+ */
+export type JwtAuth = {
+    type: "jwt";
+    /** Function to get the JWT access token */
+    getToken: () => string | Promise<string>;
+    /** Function to get the current workspace ID */
+    getWorkspaceId: () => string | Promise<string>;
+};
+/**
+ * Auth provider union type
+ */
+export type AuthProvider = ApiTokenAuth | JwtAuth;
+/**
+ * New auth-aware options for AgentOsClient
+ */
+export type AgentOsClientOptions = {
+    /** Base URL of the Agent OS Control Plane */
+    baseUrl: string;
+    /** Authentication provider */
+    auth: AuthProvider;
+    /**
+     * Allow API token in browser environment.
+     * Default: false (throws error to prevent accidental exposure)
+     */
+    allowApiTokenInBrowser?: boolean;
+    /** Custom headers to add to all requests */
+    headers?: Record<string, string>;
+};
+/**
+ * Legacy options (backwards compatibility)
+ * @deprecated Use AgentOsClientOptions with auth provider instead
+ */
+export type AgentOsClientOptionsLegacy = {
+    /** Base URL of the Agent OS API */
+    baseUrl: string;
+    /** Tenant ID @deprecated */
+    tenantId: string;
+    /** Workspace ID @deprecated */
+    workspaceId: string;
+    /** Auth token @deprecated */
+    token?: string;
+    /** Member ID @deprecated */
+    memberId?: string;
+    /** Custom headers */
+    headers?: Record<string, string>;
+};
+export declare function isNewAuthOptions(opts: AgentOsClientOptions | AgentOsClientOptionsLegacy): opts is AgentOsClientOptions;
+export declare function isLegacyOptions(opts: AgentOsClientOptions | AgentOsClientOptionsLegacy): opts is AgentOsClientOptionsLegacy;
+export declare function isApiTokenAuth(auth: AuthProvider): auth is ApiTokenAuth;
+export declare function isJwtAuth(auth: AuthProvider): auth is JwtAuth;
+/**
+ * Detect browser environment
+ */
+export declare function isBrowser(): boolean;
+/**
+ * Check if token looks like an API token (aosk_*)
+ */
+export declare function isApiToken(token: string): boolean;
+/**
+ * Check if token looks like a JWT (three base64 segments)
+ */
+export declare function isJwtToken(token: string): boolean;
+//# sourceMappingURL=auth.d.ts.map

package/dist/client/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/client/auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,YAAY,GAAG;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,oDAAoD;IACpD,MAAM,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;CACpD,CAAA;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,OAAO,GAAG;IAClB,IAAI,EAAE,KAAK,CAAA;IACX,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACxC,+CAA+C;IAC/C,cAAc,EAAE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CACjD,CAAA;AAED;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,YAAY,GAAG,OAAO,CAAA;AAMjD;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG;IAC/B,6CAA6C;IAC7C,OAAO,EAAE,MAAM,CAAA;IACf,8BAA8B;IAC9B,IAAI,EAAE,YAAY,CAAA;IAClB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;IAChC,4CAA4C;IAC5C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACnC,CAAA;AAED;;;GAGG;AACH,MAAM,MAAM,0BAA0B,GAAG;IACrC,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAA;IACf,4BAA4B;IAC5B,QAAQ,EAAE,MAAM,CAAA;IAChB,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAA;IACnB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,4BAA4B;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACnC,CAAA;AAMD,wBAAgB,gBAAgB,CAC5B,IAAI,EAAE,oBAAoB,GAAG,0BAA0B,GACxD,IAAI,IAAI,oBAAoB,CAE9B;AAED,wBAAgB,eAAe,CAC3B,IAAI,EAAE,oBAAoB,GAAG,0BAA0B,GACxD,IAAI,IAAI,0BAA0B,CAEpC;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,YAAY,GAAG,IAAI,IAAI,YAAY,CAEvE;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,YAAY,GAAG,IAAI,IAAI,OAAO,CAE7D;AAMD;;GAEG;AACH,wBAAgB,SAAS,IAAI,OAAO,CAEnC;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAGjD"}

package/dist/client/auth.js

@@ -0,0 +1,44 @@
+/**
+ * Auth Provider Types for Agent OS SDK
+ *
+ * Supports two modes:
+ * - JWT (browser): Uses Supabase JWT + workspace header
+ * - API Token (server): Uses aosk_* token with embedded claims
+ */
+// ============================================================================
+// Type Guards
+// ============================================================================
+export function isNewAuthOptions(opts) {
+    return "auth" in opts && opts.auth !== undefined;
+}
+export function isLegacyOptions(opts) {
+    return "tenantId" in opts || "workspaceId" in opts;
+}
+export function isApiTokenAuth(auth) {
+    return auth.type === "api_token";
+}
+export function isJwtAuth(auth) {
+    return auth.type === "jwt";
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/**
+ * Detect browser environment
+ */
+export function isBrowser() {
+    return typeof window !== "undefined" && typeof document !== "undefined";
+}
+/**
+ * Check if token looks like an API token (aosk_*)
+ */
+export function isApiToken(token) {
+    return token.startsWith("aosk_");
+}
+/**
+ * Check if token looks like a JWT (three base64 segments)
+ */
+export function isJwtToken(token) {
+    const parts = token.split(".");
+    return parts.length === 3 && parts.every(p => p.length > 0);
+}