@agent-os-sdk/client 0.2.3 → 0.3.0

package/src/client/auth.ts

@@ -1,8 +1,8 @@
 /**
  * Auth Provider Types for Agent OS SDK
  * 
- * Supports two modes:
- * - JWT (browser): Uses Supabase JWT + workspace header
+ * Two modes only:
+ * - JWT (browser): Uses Supabase JWT + X-Workspace-Id header
  * - API Token (server): Uses aosk_* token with embedded claims
  */
 
@@ -14,6 +14,9 @@
  * API Token authentication for server-to-server integrations.
  * Token format: aosk_live_* or aosk_test_*
  * 
+ * SECURITY: API tokens contain embedded workspace/tenant claims.
+ * The SDK sends ONLY Authorization header (no X-Workspace-Id, no X-Tenant-Id).
+ * 
  * @example
  * ```ts
  * const client = new AgentOsClient({
@@ -30,7 +33,11 @@ export type ApiTokenAuth = {
 
 /**
  * JWT authentication for browser/frontend clients.
- * Uses Supabase JWT with workspace header.
+ * Uses Supabase JWT with X-Workspace-Id header.
+ * 
+ * SECURITY: 
+ * - X-Workspace-Id is REQUIRED (throws if missing)
+ * - X-Tenant-Id is NEVER sent (backend derives from workspace membership)
  * 
  * @example
  * ```ts
@@ -48,12 +55,12 @@ export type JwtAuth = {
     type: "jwt"
     /** Function to get the JWT access token */
     getToken: () => string | Promise<string>
-    /** Function to get the current workspace ID */
+    /** Function to get the current workspace ID (REQUIRED) */
     getWorkspaceId: () => string | Promise<string>
 }
 
 /**
- * Auth provider union type
+ * Auth provider union type - only two modes supported
  */
 export type AuthProvider = ApiTokenAuth | JwtAuth
 
@@ -62,57 +69,27 @@ export type AuthProvider = ApiTokenAuth | JwtAuth
 // ============================================================================
 
 /**
- * New auth-aware options for AgentOsClient
+ * Options for AgentOsClient - auth is REQUIRED
  */
 export type AgentOsClientOptions = {
     /** Base URL of the Agent OS Control Plane */
     baseUrl: string
-    /** Authentication provider */
+    /** Authentication provider (REQUIRED) */
     auth: AuthProvider
     /** 
      * Allow API token in browser environment.
      * Default: false (throws error to prevent accidental exposure)
+     * Only set to true if you understand the security implications.
      */
     allowApiTokenInBrowser?: boolean
     /** Custom headers to add to all requests */
     headers?: Record<string, string>
 }
 
-/**
- * Legacy options (backwards compatibility)
- * @deprecated Use AgentOsClientOptions with auth provider instead
- */
-export type AgentOsClientOptionsLegacy = {
-    /** Base URL of the Agent OS API */
-    baseUrl: string
-    /** Tenant ID @deprecated */
-    tenantId: string
-    /** Workspace ID @deprecated */
-    workspaceId: string
-    /** Auth token @deprecated */
-    token?: string
-    /** Member ID @deprecated */
-    memberId?: string
-    /** Custom headers */
-    headers?: Record<string, string>
-}
-
 // ============================================================================
 // Type Guards
 // ============================================================================
 
-export function isNewAuthOptions(
-    opts: AgentOsClientOptions | AgentOsClientOptionsLegacy
-): opts is AgentOsClientOptions {
-    return "auth" in opts && opts.auth !== undefined
-}
-
-export function isLegacyOptions(
-    opts: AgentOsClientOptions | AgentOsClientOptionsLegacy
-): opts is AgentOsClientOptionsLegacy {
-    return "tenantId" in opts || "workspaceId" in opts
-}
-
 export function isApiTokenAuth(auth: AuthProvider): auth is ApiTokenAuth {
     return auth.type === "api_token"
 }

package/src/client/raw.ts

@@ -14,6 +14,7 @@ export type { paths, components };
 export type ClientOptions = {
     baseUrl: string;
     headers?: Record<string, string>;
+    headerProvider?: () => Promise<Record<string, string>>;
 };
 
 /**
@@ -52,7 +53,7 @@ export function createTypedClient(options: ClientOptions): TypedClient {
  * Wraps openapi-fetch to provide the old interface while maintaining types.
  */
 export function createRawClient(options: ClientOptions) {
-    const { baseUrl, headers: defaultHeaders = {} } = options;
+    const { baseUrl, headers: defaultHeaders = {}, headerProvider } = options;
 
     async function request<T>(
         method: string,
@@ -88,8 +89,13 @@ export function createRawClient(options: ClientOptions) {
         }
 
         const fullUrl = `${baseUrl}${url}`;
+
+        // Resolve dynamic headers (e.g. auth)
+        const dynamicHeaders = headerProvider ? await headerProvider() : {};
+
         const headers: Record<string, string> = {
             ...defaultHeaders,
+            ...dynamicHeaders,
             ...opts?.headers,
         };
 

package/src/index.ts

@@ -38,7 +38,7 @@
 // ============================================================================
 // Main Client
 // ============================================================================
-export { AgentOsClient, type AgentOsClientOptions, type AgentOsClientOptionsLegacy, type AuthProvider } from "./client/AgentOsClient.js";
+export { AgentOsClient, type AgentOsClientOptions, type AuthProvider } from "./client/AgentOsClient.js";
 
 // Auth Provider Types
 export {
@@ -46,7 +46,6 @@ export {
     type JwtAuth,
     isApiTokenAuth,
     isJwtAuth,
-    isNewAuthOptions,
     isBrowser,
     isApiToken,
     isJwtToken,