npm - @agentpress/sdk - Versions diffs - 0.3.4 → 0.4.0 - Mend

@agentpress/sdk 0.3.4 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.cjs","names":["SIGNATURE_PREFIX","joseErrors","verifySig","verifyKeyRotationImpl"],"sources":["../src/errors.ts","../src/utils.ts","../src/webhooks/signing.ts","../src/actions/client.ts","../src/http.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/keyRotation.ts","../src/webhooks/client.ts","../src/client.ts"],"sourcesContent":["/*\n Base error class for all SDK errors. Catch this to handle any error\n * thrown by the AgentPress SDK regardless of specific type.\n /\nexport class AgentPressError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"AgentPressError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown at construction time when `AgentPressOptions` contains invalid values\n * (e.g., non-positive timeout, malformed `webhookSecret`).\n /\nexport class ConfigurationError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown when the API returns a non-2xx HTTP response.\n \n Properties:\n * - `statusCode` - HTTP status code (e.g., 401, 404, 500)\n * - `responseBody` - Raw response body text for debugging\n * - `url` - The full request URL that failed\n /\nexport class HttpError extends AgentPressError {\n public readonly statusCode: number;\n public readonly responseBody: string;\n public readonly url: string;\n\n constructor(statusCode: number, responseBody: string, url: string) {\n super(`HTTP ${statusCode} from ${url}`);\n this.name = \"HttpError\";\n this.statusCode = statusCode;\n this.responseBody = responseBody;\n this.url = url;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown when a request exceeds the configured `timeout` (default 30s). /\nexport class TimeoutError extends AgentPressError {\n constructor(url: string, timeout: number) {\n super(`Request to ${url} timed out after ${timeout}ms`);\n this.name = \"TimeoutError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown by {@link WebhooksClient.verifyOrThrow} when an inbound webhook signature is invalid or expired. /\nexport class WebhookSignatureError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"WebhookSignatureError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. /\nexport type PartnerTokenErrorReason =\n \| \"signature_invalid\"\n \| \"issuer_mismatch\"\n \| \"audience_mismatch\"\n \| \"expired\"\n \| \"not_yet_valid\"\n \| \"missing_claim\"\n \| \"ext_provider_mismatch\"\n \| \"algorithm_not_allowed\"\n \| \"kid_missing_or_unknown\"\n \| \"malformed\";\n\n/\n Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT\n * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`\n * response (`401 invalid_token` for all reasons in this class).\n /\nexport class PartnerTokenError extends AgentPressError {\n public readonly reason: PartnerTokenErrorReason;\n\n constructor(reason: PartnerTokenErrorReason, message: string) {\n super(message);\n this.name = \"PartnerTokenError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link KeyRotationVerifyError}. /\nexport type KeyRotationVerifyErrorReason =\n \| \"invalid_signature\"\n \| \"invalid_signature_format\"\n \| \"timestamp_out_of_window\"\n \| \"invalid_timestamp\"\n \| \"payload_too_large\"\n \| \"malformed_payload\";\n\n/\n Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`\n * webhook fails HMAC / timestamp / payload validation.\n /\nexport class KeyRotationVerifyError extends AgentPressError {\n public readonly reason: KeyRotationVerifyErrorReason;\n\n constructor(reason: KeyRotationVerifyErrorReason, message: string) {\n super(message);\n this.name = \"KeyRotationVerifyError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n","import { randomUUID } from \"node:crypto\";\n\nexport function randomMessageId(): string {\n return `msg_${randomUUID()}`;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst SIGNATURE_PREFIX = \"v1,\";\nconst DEFAULT_TOLERANCE_SECONDS = 5 60; // 5 minutes\n\n/*\n Sign a webhook payload using Svix-compatible HMAC-SHA256.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param msgId - Unique message ID (e.g., \"msg_<uuid>\")\n * @param timestamp - Unix timestamp in seconds\n * @param body - JSON stringified payload\n * @returns Signature string in format \"v1,<base64>\"\n /\nexport function sign(\n secret: string,\n msgId: string,\n timestamp: number,\n body: string,\n): string {\n const secretBytes = Buffer.from(secret.replace(/^whsec_/, \"\"), \"base64\");\n const message = `${msgId}.${timestamp}.${body}`;\n const signature = createHmac(\"sha256\", secretBytes)\n .update(message)\n .digest(\"base64\");\n return `${SIGNATURE_PREFIX}${signature}`;\n}\n\n/\n Verify a Svix webhook signature.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param payload - Raw request body (string or Buffer)\n * @param headers - Svix headers object\n * @param toleranceSeconds - Max age of signature in seconds (default: 5 min)\n * @returns true if valid, false if invalid or expired\n /\nexport function verify(\n secret: string,\n payload: string \| Buffer,\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n },\n toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,\n): boolean {\n const msgId = headers[\"svix-id\"];\n const timestampStr = headers[\"svix-timestamp\"];\n const signatureHeader = headers[\"svix-signature\"];\n\n const timestamp = parseInt(timestampStr, 10);\n if (Number.isNaN(timestamp)) return false;\n\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > toleranceSeconds) return false;\n\n const body =\n typeof payload === \"string\" ? payload : payload.toString(\"utf-8\");\n const expected = sign(secret, msgId, timestamp, body);\n\n const signatures = signatureHeader.split(\" \");\n const expectedBuf = Buffer.from(expected);\n\n for (const sig of signatures) {\n const sigBuf = Buffer.from(sig);\n if (\n sigBuf.length === expectedBuf.length &&\n timingSafeEqual(sigBuf, expectedBuf)\n ) {\n return true;\n }\n }\n\n return false;\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionManageResponse,\n ApproveActionParams,\n RejectActionParams,\n ResolvedOptions,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/\n Client for programmatically approving or rejecting staged actions.\n * Uses HMAC-SHA256 signing (Svix-compatible), identical to {@link WebhooksClient}.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Approve a staged action\n * await client.actions.approve(\"act_123\", {\n * action: \"my_webhook_action\",\n * });\n \n // Reject with a reason\n * await client.actions.reject(\"act_456\", {\n * action: \"my_webhook_action\",\n * reason: \"Insufficient data\",\n * });\n * ```\n /\nexport class ActionsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Approve a staged action, optionally modifying the tool call.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async approve(\n actionId: string,\n params: ApproveActionParams,\n ): Promise<ActionManageResponse> {\n const body: Record<string, unknown> = {};\n if (params.editedToolCall !== undefined) {\n body.editedToolCall = params.editedToolCall;\n }\n if (params.remember !== undefined) {\n body.remember = params.remember;\n }\n return this.manage(actionId, params.action, \"approve\", body);\n }\n\n /\n Reject a staged action.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async reject(\n actionId: string,\n params: RejectActionParams,\n ): Promise<ActionManageResponse> {\n return this.manage(actionId, params.action, \"reject\", {\n reason: params.reason,\n });\n }\n\n private async manage(\n actionId: string,\n webhookAction: string,\n operation: \"approve\" \| \"reject\",\n body: Record<string, unknown>,\n ): Promise<ActionManageResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for action management operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${webhookAction}/manage/${actionId}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<ActionManageResponse>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { AgentPressError, HttpError, TimeoutError } from \"./errors\";\nimport type { ResolvedOptions } from \"./types\";\n\n/\n Internal shared HTTP client. Not part of the public API -- used by\n * namespace clients (e.g., `WebhooksClient`) to make authenticated requests.\n * @internal\n /\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeout: number;\n private readonly onRequest?: ResolvedOptions[\"onRequest\"];\n private readonly onResponse?: ResolvedOptions[\"onResponse\"];\n\n constructor(options: ResolvedOptions) {\n this.baseUrl = options.baseUrl;\n this.timeout = options.timeout;\n this.onRequest = options.onRequest;\n this.onResponse = options.onResponse;\n }\n\n /\n Send an HTTP request to the API. Constructs the full URL from `baseUrl` + `path`,\n * applies the configured timeout via `AbortSignal`, fires `onRequest`/`onResponse`\n * hooks, and parses the JSON response.\n \n @throws {TimeoutError} If the request exceeds the configured timeout.\n * @throws {HttpError} If the API returns a non-2xx status code.\n * @throws {AgentPressError} On network failures or non-JSON responses.\n /\n async request<T>(path: string, init: RequestInit): Promise<T> {\n const url = `${this.baseUrl}${path}`;\n\n const headers = new Headers(init.headers);\n if (!headers.has(\"Content-Type\")) {\n headers.set(\"Content-Type\", \"application/json\");\n }\n\n const requestInit: RequestInit = {\n ...init,\n headers,\n signal: AbortSignal.timeout(this.timeout),\n };\n\n this.onRequest?.(url, requestInit);\n\n let response: Response;\n try {\n // biome-ignore lint/style/noRestrictedGlobals: SDK is a standalone package that uses raw fetch\n response = await fetch(url, requestInit);\n } catch (error: unknown) {\n if (\n error instanceof Error &&\n (error.name === \"TimeoutError\" \|\| error.name === \"AbortError\")\n ) {\n throw new TimeoutError(url, this.timeout);\n }\n const message =\n error instanceof Error ? error.message : \"Unknown fetch error\";\n throw new AgentPressError(`Request to ${url} failed: ${message}`);\n }\n\n this.onResponse?.(url, response.clone());\n\n const text = await response.text();\n\n if (!response.ok) {\n throw new HttpError(response.status, text, url);\n }\n\n try {\n return JSON.parse(text) as T;\n } catch {\n throw new AgentPressError(\n `Expected JSON response from ${url} but received: ${text.slice(0, 200)}`,\n );\n }\n }\n}\n","import {\n createRemoteJWKSet,\n type JWTVerifyGetKey,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nimport { ConfigurationError, PartnerTokenError } from \"../errors\";\nimport type {\n PartnerTokenClaims,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"../types\";\n\nconst ALGORITHMS = [\"EdDSA\"] as const;\n\ntype RemoteJwks = ReturnType<typeof createRemoteJWKSet>;\n\n/\n Client for Partner MCP Spec v1 helpers. Created automatically when\n * {@link AgentPressOptions.partnerMcp} is provided.\n \n State (JWKS cache) is per-instance, NOT module-global, so staging and\n * production clients can run side-by-side without cross-talk.\n /\nexport class PartnersClient {\n private readonly options: ResolvedOptions;\n private readonly partnerMcp: ResolvedPartnerMcpOptions \| undefined;\n private jwks: RemoteJwks \| null = null;\n private jwksKeyFn: JWTVerifyGetKey \| null = null;\n\n constructor(options: ResolvedOptions) {\n this.options = options;\n this.partnerMcp = options.partnerMcp;\n }\n\n /\n Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.\n \n Enforces the full spec: `algorithms: [\"EdDSA\"]` pinned; `iss`, `aud`,\n * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;\n * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).\n \n @param token - Bare JWT string (no `Bearer ` prefix).\n * @returns Typed {@link PartnerTokenClaims}.\n * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.\n * @throws {ConfigurationError} if `partnerMcp` is not configured.\n /\n async verifyToken(token: string): Promise<PartnerTokenClaims> {\n const cfg = this.requireConfig();\n const jwks = this.getJwks();\n\n let payload: Record<string, unknown>;\n let protectedHeader: { alg?: string; kid?: string; typ?: string };\n\n try {\n const result = await jwtVerify(token, jwks, {\n algorithms: [...ALGORITHMS],\n issuer: cfg.issuer,\n audience: cfg.audience,\n clockTolerance: cfg.clockTolerance,\n });\n payload = result.payload as Record<string, unknown>;\n protectedHeader = result.protectedHeader as {\n alg?: string;\n kid?: string;\n typ?: string;\n };\n } catch (err) {\n throw mapJoseError(err);\n }\n\n // kid header required by spec. jose does not enforce this on its own\n // when the key is resolvable — we enforce it explicitly so forged\n // tokens that elide the kid header can't slip through on a single-key\n // JWKS.\n if (!protectedHeader.kid \|\| typeof protectedHeader.kid !== \"string\") {\n throw new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"JWT header missing required 'kid'\",\n );\n }\n\n const claims = payload as PartnerTokenClaims & Record<string, unknown>;\n\n // jose's jwtVerify checks `exp` (with clockTolerance) but not `iat`\n // future-time unless `maxTokenAge` is set. The spec requires both sides\n // of the skew window, so enforce the future-iat check explicitly.\n if (typeof claims.iat !== \"number\" \|\| !Number.isFinite(claims.iat)) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'iat' claim must be a number\",\n );\n }\n const toleranceSeconds = toSeconds(cfg.clockTolerance);\n const nowSec = Math.floor(Date.now() / 1000);\n if (claims.iat - nowSec > toleranceSeconds) {\n throw new PartnerTokenError(\n \"not_yet_valid\",\n `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`,\n );\n }\n\n if (typeof claims.sub !== \"string\" \|\| claims.sub.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'sub' claim is required\");\n }\n if (typeof claims.jti !== \"string\" \|\| claims.jti.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'jti' claim is required\");\n }\n if (typeof claims.scope !== \"string\") {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'scope' claim must be a string\",\n );\n }\n if (\n typeof claims.ext_provider !== \"string\" \|\|\n claims.ext_provider.length === 0\n ) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'ext_provider' claim is required\",\n );\n }\n if (claims.ext_provider !== cfg.expectedExtProvider) {\n throw new PartnerTokenError(\n \"ext_provider_mismatch\",\n `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`,\n );\n }\n\n return claims;\n }\n\n /\n Force the JWKS cache to refetch immediately. Call this from your\n * `signing_key_rotation` webhook handler after verifying the webhook —\n * otherwise the cache picks up new keys on the next `kid` miss (which\n * works, but with one failed verify latency penalty).\n /\n async refreshJwks(): Promise<void> {\n const jwks = this.getJwks();\n // jose's RemoteJWKSet exposes `.reload()` for exactly this use case.\n const anyJwks = jwks as unknown as { reload?: () => Promise<void> };\n if (typeof anyJwks.reload === \"function\") {\n await anyJwks.reload();\n }\n }\n\n private requireConfig(): ResolvedPartnerMcpOptions {\n if (!this.partnerMcp) {\n throw new ConfigurationError(\n \"partnerMcp options are required for partner token operations\",\n );\n }\n return this.partnerMcp;\n }\n\n private getJwks(): RemoteJwks {\n const cfg = this.requireConfig();\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {\n cacheMaxAge: cfg.jwksCacheMaxAgeMs,\n cooldownDuration: 30_000,\n });\n this.jwksKeyFn = this.jwks as unknown as JWTVerifyGetKey;\n }\n return this.jwks;\n }\n}\n\nfunction toSeconds(tolerance: string \| number): number {\n if (typeof tolerance === \"number\") return tolerance;\n const match = tolerance.trim().match(/^(\\d+)\\s(s\|m\|h)$/i);\n if (!match) return 30;\n const n = Number.parseInt(match[1] as string, 10);\n const unit = (match[2] as string).toLowerCase();\n if (unit === \"s\") return n;\n if (unit === \"m\") return n * 60;\n if (unit === \"h\") return n * 3600;\n return 30;\n}\n\nfunction mapJoseError(err: unknown): PartnerTokenError {\n if (err instanceof PartnerTokenError) return err;\n\n if (err instanceof joseErrors.JWSSignatureVerificationFailed) {\n return new PartnerTokenError(\n \"signature_invalid\",\n \"JWT signature verification failed\",\n );\n }\n if (err instanceof joseErrors.JWKSNoMatchingKey) {\n return new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"No JWKS key matches the JWT 'kid' header\",\n );\n }\n if (err instanceof joseErrors.JOSEAlgNotAllowed) {\n return new PartnerTokenError(\n \"algorithm_not_allowed\",\n \"JWT 'alg' is not EdDSA\",\n );\n }\n if (err instanceof joseErrors.JWTExpired) {\n return new PartnerTokenError(\"expired\", \"JWT has expired\");\n }\n if (err instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (err as { claim?: string }).claim;\n if (claim === \"iss\") {\n return new PartnerTokenError(\n \"issuer_mismatch\",\n \"JWT 'iss' does not match expected issuer\",\n );\n }\n if (claim === \"aud\") {\n return new PartnerTokenError(\n \"audience_mismatch\",\n \"JWT 'aud' does not match expected audience\",\n );\n }\n if (claim === \"iat\") {\n return new PartnerTokenError(\n \"not_yet_valid\",\n \"JWT 'iat' is in the future beyond clock tolerance\",\n );\n }\n return new PartnerTokenError(\n \"missing_claim\",\n err.message \|\| \"Claim validation failed\",\n );\n }\n if (\n err instanceof joseErrors.JWTInvalid \|\|\n err instanceof joseErrors.JWSInvalid\n ) {\n return new PartnerTokenError(\"malformed\", err.message \|\| \"Malformed JWT\");\n }\n if (err instanceof Error) {\n return new PartnerTokenError(\"malformed\", err.message);\n }\n return new PartnerTokenError(\"malformed\", String(err));\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n CreateUserApprovalParams,\n DeleteUserApprovalParams,\n ListUserApprovalsParams,\n ListUserApprovalsResponse,\n ResolvedOptions,\n UpdateUserApprovalParams,\n UserToolApproval,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/*\n Client for managing per-user auto-approval rules — the SDK equivalent of the\n * console's `/account/auto-approvals` settings page. Uses HMAC-SHA256 signing\n * (Svix-compatible), identical to {@link ActionsClient.manage}.\n \n Each call is scoped to a single webhook (identified by `webhookIdentifier`),\n * which both selects the signing secret and scopes which approvals are visible.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Provision consent so future \"sendEmail\" triggers skip the approval prompt\n * await client.userApprovals.create({\n * webhookIdentifier: \"reviews\",\n * userId: \"user-uuid\",\n * actionWebhookId: \"webhook-uuid\",\n * toolName: \"sendEmail\",\n * mode: \"always_allow\",\n * });\n \n // List rules (optionally filtered by userId)\n * const { approvals } = await client.userApprovals.list({\n * webhookIdentifier: \"reviews\",\n * });\n \n // Revoke\n * await client.userApprovals.delete(approvalId, { webhookIdentifier: \"reviews\" });\n * ```\n /\nexport class UserApprovalsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n List auto-approval rules for a webhook. Optionally filter by `userId`.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async list(\n params: ListUserApprovalsParams,\n ): Promise<ListUserApprovalsResponse> {\n const body: Record<string, unknown> = {};\n if (params.userId !== undefined) body.userId = params.userId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<ListUserApprovalsResponse>(\n params.webhookIdentifier,\n \"list\",\n body,\n );\n }\n\n /\n Create (or upsert) an auto-approval rule. If a rule with the same\n * `(userId, actionWebhookId, toolName)` triple already exists, it is\n * updated in place.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async create(params: CreateUserApprovalParams): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n actionWebhookId: params.actionWebhookId,\n toolName: params.toolName,\n mode: params.mode ?? \"always_allow\",\n };\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n \"create\",\n body,\n );\n }\n\n /\n Patch an existing auto-approval rule (change mode or expiry).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async update(\n id: string,\n params: UpdateUserApprovalParams,\n ): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {};\n if (params.mode !== undefined) body.mode = params.mode;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n `update/${id}`,\n body,\n );\n }\n\n /\n Revoke an auto-approval rule. Future triggers of the corresponding\n * `(user, webhook, tool)` combination will once again stage for approval.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async delete(\n id: string,\n params: DeleteUserApprovalParams,\n ): Promise<{ success: boolean }> {\n return this.send<{ success: boolean }>(\n params.webhookIdentifier,\n `delete/${id}`,\n {},\n );\n }\n\n /* Internal: HMAC-sign and POST the body to the scoped path. /\n private async send<T>(\n webhookIdentifier: string,\n operation: string,\n body: Record<string, unknown>,\n ): Promise<T> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for user approval management operations\",\n );\n }\n\n const path = `/webhooks/user-approvals/${this.options.org}/${webhookIdentifier}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<T>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nimport { ConfigurationError, KeyRotationVerifyError } from \"../errors\";\nimport type { KeyRotationEvent, KeyRotationVerifyParams } from \"../types\";\n\nconst MAX_PAYLOAD_BYTES = 8 1024; // 8 KB\nconst TIMESTAMP_SKEW_SECONDS = 300; // 5 minutes\nconst SIGNATURE_PREFIX = \"sha256=\";\n\n/*\n Verify a `signing_key_rotation` webhook signed by AgentPress with\n * HMAC-SHA256 over the raw request body. Returns the typed\n * {@link KeyRotationEvent} payload.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\nexport function verifyKeyRotation(\n secret: string \| undefined,\n params: KeyRotationVerifyParams,\n): KeyRotationEvent {\n if (!secret) {\n throw new ConfigurationError(\n \"webhookSecret is required for key rotation webhook verification\",\n );\n }\n\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n\n const byteLength =\n typeof params.payload === \"string\"\n ? Buffer.byteLength(params.payload, \"utf-8\")\n : params.payload.length;\n if (byteLength > MAX_PAYLOAD_BYTES) {\n throw new KeyRotationVerifyError(\n \"payload_too_large\",\n `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`,\n );\n }\n\n const signatureHeader = readHeader(params.headers, \"x-agentpress-signature\");\n const timestampHeader = readHeader(params.headers, \"x-agentpress-timestamp\");\n\n if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`,\n );\n }\n const providedHex = signatureHeader\n .slice(SIGNATURE_PREFIX.length)\n .toLowerCase();\n if (!/^[0-9a-f]+$/.test(providedHex)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n \"Signature is not a hex string\",\n );\n }\n\n if (!timestampHeader) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp header is required\",\n );\n }\n const timestamp = Number.parseInt(timestampHeader, 10);\n if (\n !Number.isFinite(timestamp) \|\|\n String(timestamp) !== timestampHeader.trim()\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp is not a valid unix seconds integer\",\n );\n }\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) {\n throw new KeyRotationVerifyError(\n \"timestamp_out_of_window\",\n `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`,\n );\n }\n\n const expectedHex = createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n const providedBuf = Buffer.from(providedHex, \"hex\");\n const expectedBuf = Buffer.from(expectedHex, \"hex\");\n if (\n providedBuf.length !== expectedBuf.length \|\|\n !timingSafeEqual(providedBuf, expectedBuf)\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_signature\",\n \"HMAC signature mismatch\",\n );\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(body);\n } catch {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload is not valid JSON\",\n );\n }\n\n return validatePayload(parsed);\n}\n\nfunction readHeader(\n headers: Record<string, string \| undefined>,\n name: string,\n): string \| undefined {\n // Headers are case-insensitive; normalize without mutating the caller's object.\n const lowered = name.toLowerCase();\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === lowered && typeof v === \"string\" && v.length > 0) {\n return v;\n }\n }\n return undefined;\n}\n\nfunction validatePayload(raw: unknown): KeyRotationEvent {\n if (!raw \|\| typeof raw !== \"object\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload must be a JSON object\",\n );\n }\n const obj = raw as Record<string, unknown>;\n if (obj.event !== \"signing_key_rotation\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `Unexpected event '${String(obj.event)}'`,\n );\n }\n if (obj.type !== \"scheduled\" && obj.type !== \"emergency\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'type' must be 'scheduled' or 'emergency'\",\n );\n }\n for (const key of [\n \"retiredKid\",\n \"newCurrentKid\",\n \"retiredAt\",\n \"effectiveAt\",\n \"jwksUrl\",\n ]) {\n if (typeof obj[key] !== \"string\" \|\| (obj[key] as string).length === 0) {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `'${key}' must be a non-empty string`,\n );\n }\n }\n if (obj.reason !== undefined && typeof obj.reason !== \"string\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'reason' must be a string when present\",\n );\n }\n\n const event: KeyRotationEvent = {\n event: \"signing_key_rotation\",\n type: obj.type as \"scheduled\" \| \"emergency\",\n retiredKid: obj.retiredKid as string,\n newCurrentKid: obj.newCurrentKid as string,\n retiredAt: obj.retiredAt as string,\n effectiveAt: obj.effectiveAt as string,\n jwksUrl: obj.jwksUrl as string,\n };\n if (typeof obj.reason === \"string\") {\n event.reason = obj.reason;\n }\n return event;\n}\n","import {\n AgentPressError,\n ConfigurationError,\n WebhookSignatureError,\n} from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionCallbackPayload,\n KeyRotationEvent,\n KeyRotationVerifyParams,\n ResolvedOptions,\n WebhookResponse,\n WebhookSendParams,\n WebhookVerifyParams,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { verifyKeyRotation as verifyKeyRotationImpl } from \"./keyRotation\";\nimport { sign, verify as verifySig } from \"./signing\";\n\nexport class WebhooksClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Send an arbitrary webhook payload to AgentPress.\n * Signs the payload with HMAC-SHA256 (Svix-compatible).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async send(params: WebhookSendParams): Promise<WebhookResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${params.action}`;\n const body = JSON.stringify(params.payload);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(this.options.webhookSecret, msgId, timestamp, body);\n\n return this.http.request<WebhookResponse>(path, {\n method: \"POST\",\n body,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n\n /\n Verify an inbound Svix webhook signature.\n \n @returns true if valid, false if invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verify(params: WebhookVerifyParams): boolean {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook verification\",\n );\n }\n\n return verifySig(\n this.options.webhookSecret,\n params.payload,\n params.headers,\n );\n }\n\n /\n Verify an inbound Svix webhook signature, throwing on failure.\n * Useful for middleware patterns where invalid signatures should halt processing.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verifyOrThrow(params: WebhookVerifyParams): void {\n if (!this.verify(params)) {\n throw new WebhookSignatureError(\"Invalid webhook signature\");\n }\n }\n\n /\n Verify and parse an inbound webhook from AgentPress.\n * Combines signature verification with JSON parsing and type casting.\n * This is the recommended way to handle incoming webhooks.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws AgentPressError if payload is not valid JSON\n /\n constructEvent(params: WebhookVerifyParams): ActionCallbackPayload {\n this.verifyOrThrow(params);\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n try {\n return JSON.parse(body) as ActionCallbackPayload;\n } catch {\n throw new AgentPressError(\"Webhook payload is not valid JSON\");\n }\n }\n\n /\n Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp\n * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the\n * full contract.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping\n * (401 for signature errors, 400 for malformed payload, 413 for oversize).\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\n verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent {\n return verifyKeyRotationImpl(this.options.webhookSecret, params);\n }\n}\n","import { ActionsClient } from \"./actions/client\";\nimport { ConfigurationError } from \"./errors\";\nimport { HttpClient } from \"./http\";\nimport { PartnersClient } from \"./partners/client\";\nimport type {\n AgentPressOptions,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"./types\";\nimport { UserApprovalsClient } from \"./userApprovals/client\";\nimport { WebhooksClient } from \"./webhooks/client\";\n\n/\n Main entry point for the AgentPress SDK. Provides namespaced access to API\n * resources (e.g., `client.webhooks.send()`, `client.actions.approve()`).\n * Validates all configuration options at construction time, so invalid config fails fast.\n \n @example\n * ```ts\n * const client = new AgentPress({\n * apiKey: \"ak_...\",\n * webhookSecret: \"whsec_...\",\n * });\n * await client.webhooks.send({ action: \"my_action\", payload: { ... } });\n * await client.actions.approve(\"act_123\", { action: \"my_action\" });\n * ```\n /\nexport class AgentPress {\n /* Webhook operations: send outbound webhooks and verify inbound signatures. /\n public readonly webhooks: WebhooksClient;\n /* Action management: approve or reject staged actions. /\n public readonly actions: ActionsClient;\n /* Per-user auto-approval rules (read / create / update / delete). /\n public readonly userApprovals: UserApprovalsClient;\n /* Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). /\n public readonly partners: PartnersClient;\n\n /\n @param options - SDK configuration. All fields are optional with sensible defaults.\n * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.\n */\n constructor(options: AgentPressOptions = {}) {\n const resolved = resolveOptions(options);\n const http = new HttpClient(resolved);\n this.webhooks = new WebhooksClient(resolved, http);\n this.actions = new ActionsClient(resolved, http);\n this.userApprovals = new UserApprovalsClient(resolved, http);\n this.partners = new PartnersClient(resolved);\n }\n}\n\nfunction resolveOptions(options: AgentPressOptions): ResolvedOptions {\n const baseUrl = (options.baseUrl ?? \"https://api.agent.press\").replace(\n /\\/+$/,\n \"\",\n );\n const timeout = options.timeout ?? 30_000;\n const org = options.org ?? \"default-org\";\n\n if (timeout <= 0 \|\| !Number.isFinite(timeout)) {\n throw new ConfigurationError(\"timeout must be a positive number\");\n }\n\n if (\n options.webhookSecret !== undefined &&\n !options.webhookSecret.startsWith(\"whsec_\")\n ) {\n throw new ConfigurationError('webhookSecret must start with \"whsec_\"');\n }\n\n return {\n baseUrl,\n timeout,\n org,\n webhookSecret: options.webhookSecret,\n apiKey: options.apiKey,\n partnerMcp: resolvePartnerMcp(options.partnerMcp),\n onRequest: options.onRequest,\n onResponse: options.onResponse,\n };\n}\n\nfunction resolvePartnerMcp(\n options: AgentPressOptions[\"partnerMcp\"],\n): ResolvedPartnerMcpOptions \| undefined {\n if (!options) return undefined;\n\n if (typeof options.jwksUrl !== \"string\" \|\| options.jwksUrl.length === 0) {\n throw new ConfigurationError(\"partnerMcp.jwksUrl is required\");\n }\n try {\n // Validate early so a bad URL fails at construction, not on first verify.\n new URL(options.jwksUrl);\n } catch {\n throw new ConfigurationError(\"partnerMcp.jwksUrl must be a valid URL\");\n }\n if (typeof options.issuer !== \"string\" \|\| options.issuer.length === 0) {\n throw new ConfigurationError(\"partnerMcp.issuer is required\");\n }\n if (typeof options.audience !== \"string\" \|\| options.audience.length === 0) {\n throw new ConfigurationError(\"partnerMcp.audience is required\");\n }\n if (\n typeof options.expectedExtProvider !== \"string\" \|\|\n options.expectedExtProvider.length === 0\n ) {\n throw new ConfigurationError(\"partnerMcp.expectedExtProvider is required\");\n }\n\n const clockTolerance = options.clockTolerance ?? \"30s\";\n const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 3_600_000;\n if (jwksCacheMaxAgeMs <= 0 \|\| !Number.isFinite(jwksCacheMaxAgeMs)) {\n throw new ConfigurationError(\n \"partnerMcp.jwksCacheMaxAgeMs must be a positive number\",\n );\n }\n\n return {\n jwksUrl: options.jwksUrl,\n issuer: options.issuer,\n audience: options.audience,\n expectedExtProvider: options.expectedExtProvider,\n clockTolerance,\n jwksCacheMaxAgeMs,\n };\n}\n"],"mappings":";;;;;;;;AAIA,IAAa,kBAAb,cAAqC,MAAM;CACzC,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAQrD,IAAa,qBAAb,cAAwC,gBAAgB;CACtD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;;;;AAYrD,IAAa,YAAb,cAA+B,gBAAgB;CAC7C;CACA;CACA;CAEA,YAAY,YAAoB,cAAsB,KAAa;AACjE,QAAM,QAAQ,WAAW,QAAQ,MAAM;AACvC,OAAK,OAAO;AACZ,OAAK,aAAa;AAClB,OAAK,eAAe;AACpB,OAAK,MAAM;AACX,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,eAAb,cAAkC,gBAAgB;CAChD,YAAY,KAAa,SAAiB;AACxC,QAAM,cAAc,IAAI,mBAAmB,QAAQ,IAAI;AACvD,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,wBAAb,cAA2C,gBAAgB;CACzD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;AAsBrD,IAAa,oBAAb,cAAuC,gBAAgB;CACrD;CAEA,YAAY,QAAiC,SAAiB;AAC5D,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAiBrD,IAAa,yBAAb,cAA4C,gBAAgB;CAC1D;CAEA,YAAY,QAAsC,SAAiB;AACjE,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;AChHrD,SAAgB,kBAA0B;AACxC,QAAO,QAAA,GAAA,YAAA,aAAmB;;;;ACD5B,MAAMA,qBAAmB;AACzB,MAAM,4BAA4B;;;;;;;;;;AAWlC,SAAgB,KACd,QACA,OACA,WACA,MACQ;CACR,MAAM,cAAc,OAAO,KAAK,OAAO,QAAQ,WAAW,GAAG,EAAE,SAAS;CACxE,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG;AAIzC,QAAO,GAAGA,sBAAAA,GAAAA,YAAAA,YAHmB,UAAU,YAAY,CAChD,OAAO,QAAQ,CACf,OAAO,SAAS;;;;;;;;;;;AAarB,SAAgB,OACd,QACA,SACA,SAKA,mBAA2B,2BAClB;CACT,MAAM,QAAQ,QAAQ;CACtB,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,MAAM,YAAY,SAAS,cAAc,GAAG;AAC5C,KAAI,OAAO,MAAM,UAAU,CAAE,QAAO;CAEpC,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,iBAAkB,QAAO;CAIzD,MAAM,WAAW,KAAK,QAAQ,OAAO,WADnC,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,QAAQ,CACd;CAErD,MAAM,aAAa,gBAAgB,MAAM,IAAI;CAC7C,MAAM,cAAc,OAAO,KAAK,SAAS;AAEzC,MAAK,MAAM,OAAO,YAAY;EAC5B,MAAM,SAAS,OAAO,KAAK,IAAI;AAC/B,MACE,OAAO,WAAW,YAAY,WAAA,GAAA,YAAA,iBACd,QAAQ,YAAY,CAEpC,QAAO;;AAIX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;AC3CT,IAAa,gBAAb,MAA2B;CACzB;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,QACJ,UACA,QAC+B;EAC/B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,mBAAmB,KAAA,EAC5B,MAAK,iBAAiB,OAAO;AAE/B,MAAI,OAAO,aAAa,KAAA,EACtB,MAAK,WAAW,OAAO;AAEzB,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,WAAW,KAAK;;;;;;;;;CAU9D,MAAM,OACJ,UACA,QAC+B;AAC/B,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,UAAU,EACpD,QAAQ,OAAO,QAChB,CAAC;;CAGJ,MAAc,OACZ,UACA,eACA,WACA,MAC+B;AAC/B,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,6DACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,cAAc,UAAU,SAAS,GAAG;EAC1F,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAA8B,MAAM;GACnD,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;;;ACpGN,IAAa,aAAb,MAAwB;CACtB;CACA;CACA;CACA;CAEA,YAAY,SAA0B;AACpC,OAAK,UAAU,QAAQ;AACvB,OAAK,UAAU,QAAQ;AACvB,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;;;;;;;;;;;CAY5B,MAAM,QAAW,MAAc,MAA+B;EAC5D,MAAM,MAAM,GAAG,KAAK,UAAU;EAE9B,MAAM,UAAU,IAAI,QAAQ,KAAK,QAAQ;AACzC,MAAI,CAAC,QAAQ,IAAI,eAAe,CAC9B,SAAQ,IAAI,gBAAgB,mBAAmB;EAGjD,MAAM,cAA2B;GAC/B,GAAG;GACH;GACA,QAAQ,YAAY,QAAQ,KAAK,QAAQ;GAC1C;AAED,OAAK,YAAY,KAAK,YAAY;EAElC,IAAI;AACJ,MAAI;AAEF,cAAW,MAAM,MAAM,KAAK,YAAY;WACjC,OAAgB;AACvB,OACE,iBAAiB,UAChB,MAAM,SAAS,kBAAkB,MAAM,SAAS,cAEjD,OAAM,IAAI,aAAa,KAAK,KAAK,QAAQ;AAI3C,SAAM,IAAI,gBAAgB,cAAc,IAAI,WAD1C,iBAAiB,QAAQ,MAAM,UAAU,wBACsB;;AAGnE,OAAK,aAAa,KAAK,SAAS,OAAO,CAAC;EAExC,MAAM,OAAO,MAAM,SAAS,MAAM;AAElC,MAAI,CAAC,SAAS,GACZ,OAAM,IAAI,UAAU,SAAS,QAAQ,MAAM,IAAI;AAGjD,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBACR,+BAA+B,IAAI,iBAAiB,KAAK,MAAM,GAAG,IAAI,GACvE;;;;;;AC7DP,MAAM,aAAa,CAAC,QAAQ;;;;;;;;AAW5B,IAAa,iBAAb,MAA4B;CAC1B;CACA;CACA,OAAkC;CAClC,YAA4C;CAE5C,YAAY,SAA0B;AACpC,OAAK,UAAU;AACf,OAAK,aAAa,QAAQ;;;;;;;;;;;;;;CAe5B,MAAM,YAAY,OAA4C;EAC5D,MAAM,MAAM,KAAK,eAAe;EAChC,MAAM,OAAO,KAAK,SAAS;EAE3B,IAAI;EACJ,IAAI;AAEJ,MAAI;GACF,MAAM,SAAS,OAAA,GAAA,KAAA,WAAgB,OAAO,MAAM;IAC1C,YAAY,CAAC,GAAG,WAAW;IAC3B,QAAQ,IAAI;IACZ,UAAU,IAAI;IACd,gBAAgB,IAAI;IACrB,CAAC;AACF,aAAU,OAAO;AACjB,qBAAkB,OAAO;WAKlB,KAAK;AACZ,SAAM,aAAa,IAAI;;AAOzB,MAAI,CAAC,gBAAgB,OAAO,OAAO,gBAAgB,QAAQ,SACzD,OAAM,IAAI,kBACR,0BACA,oCACD;EAGH,MAAM,SAAS;AAKf,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,CAChE,OAAM,IAAI,kBACR,iBACA,+BACD;EAEH,MAAM,mBAAmB,UAAU,IAAI,eAAe;EACtD,MAAM,SAAS,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAC5C,MAAI,OAAO,MAAM,SAAS,iBACxB,OAAM,IAAI,kBACR,iBACA,YAAY,OAAO,MAAM,OAAO,0BAA0B,iBAAiB,aAC5E;AAGH,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,UAAU,SAC1B,OAAM,IAAI,kBACR,iBACA,iCACD;AAEH,MACE,OAAO,OAAO,iBAAiB,YAC/B,OAAO,aAAa,WAAW,EAE/B,OAAM,IAAI,kBACR,iBACA,mCACD;AAEH,MAAI,OAAO,iBAAiB,IAAI,oBAC9B,OAAM,IAAI,kBACR,yBACA,iBAAiB,OAAO,aAAa,6BAA6B,IAAI,oBAAoB,GAC3F;AAGH,SAAO;;;;;;;;CAST,MAAM,cAA6B;EAGjC,MAAM,UAFO,KAAK,SAAS;AAG3B,MAAI,OAAO,QAAQ,WAAW,WAC5B,OAAM,QAAQ,QAAQ;;CAI1B,gBAAmD;AACjD,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,mBACR,+DACD;AAEH,SAAO,KAAK;;CAGd,UAA8B;EAC5B,MAAM,MAAM,KAAK,eAAe;AAChC,MAAI,CAAC,KAAK,MAAM;AACd,QAAK,QAAA,GAAA,KAAA,oBAA0B,IAAI,IAAI,IAAI,QAAQ,EAAE;IACnD,aAAa,IAAI;IACjB,kBAAkB;IACnB,CAAC;AACF,QAAK,YAAY,KAAK;;AAExB,SAAO,KAAK;;;AAIhB,SAAS,UAAU,WAAoC;AACrD,KAAI,OAAO,cAAc,SAAU,QAAO;CAC1C,MAAM,QAAQ,UAAU,MAAM,CAAC,MAAM,qBAAqB;AAC1D,KAAI,CAAC,MAAO,QAAO;CACnB,MAAM,IAAI,OAAO,SAAS,MAAM,IAAc,GAAG;CACjD,MAAM,OAAQ,MAAM,GAAc,aAAa;AAC/C,KAAI,SAAS,IAAK,QAAO;AACzB,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,QAAO;;AAGT,SAAS,aAAa,KAAiC;AACrD,KAAI,eAAe,kBAAmB,QAAO;AAE7C,KAAI,eAAeC,KAAAA,OAAW,+BAC5B,QAAO,IAAI,kBACT,qBACA,oCACD;AAEH,KAAI,eAAeA,KAAAA,OAAW,kBAC5B,QAAO,IAAI,kBACT,0BACA,2CACD;AAEH,KAAI,eAAeA,KAAAA,OAAW,kBAC5B,QAAO,IAAI,kBACT,yBACA,yBACD;AAEH,KAAI,eAAeA,KAAAA,OAAW,WAC5B,QAAO,IAAI,kBAAkB,WAAW,kBAAkB;AAE5D,KAAI,eAAeA,KAAAA,OAAW,0BAA0B;EACtD,MAAM,QAAS,IAA2B;AAC1C,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,mBACA,2CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,qBACA,6CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,iBACA,oDACD;AAEH,SAAO,IAAI,kBACT,iBACA,IAAI,WAAW,0BAChB;;AAEH,KACE,eAAeA,KAAAA,OAAW,cAC1B,eAAeA,KAAAA,OAAW,WAE1B,QAAO,IAAI,kBAAkB,aAAa,IAAI,WAAW,gBAAgB;AAE3E,KAAI,eAAe,MACjB,QAAO,IAAI,kBAAkB,aAAa,IAAI,QAAQ;AAExD,QAAO,IAAI,kBAAkB,aAAa,OAAO,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACrMxD,IAAa,sBAAb,MAAiC;CAC/B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,WAAW,KAAA,EAAW,MAAK,SAAS,OAAO;AACtD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,SAAO,KAAK,KACV,OAAO,mBACP,QACA,KACD;;;;;;;;;;;CAYH,MAAM,OAAO,QAA6D;EACxE,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,iBAAiB,OAAO;GACxB,UAAU,OAAO;GACjB,MAAM,OAAO,QAAQ;GACtB;AACD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UACA,KACD;;;;;;;;;CAUH,MAAM,OACJ,IACA,QAC2B;EAC3B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,SAAS,KAAA,EAAW,MAAK,OAAO,OAAO;AAClD,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,KACD;;;;;;;;;;CAWH,MAAM,OACJ,IACA,QAC+B;AAC/B,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,EAAE,CACH;;;CAIH,MAAc,KACZ,mBACA,WACA,MACY;AACZ,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,oEACD;EAGH,MAAM,OAAO,4BAA4B,KAAK,QAAQ,IAAI,GAAG,kBAAkB,GAAG;EAClF,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAAW,MAAM;GAChC,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;AC5KN,MAAM,oBAAoB,IAAI;AAC9B,MAAM,yBAAyB;AAC/B,MAAM,mBAAmB;;;;;;;;;AAUzB,SAAgB,kBACd,QACA,QACkB;AAClB,KAAI,CAAC,OACH,OAAM,IAAI,mBACR,kEACD;CAGH,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AAMtC,MAHE,OAAO,OAAO,YAAY,WACtB,OAAO,WAAW,OAAO,SAAS,QAAQ,GAC1C,OAAO,QAAQ,UACJ,kBACf,OAAM,IAAI,uBACR,qBACA,mBAAmB,kBAAkB,QACtC;CAGH,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;CAC5E,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;AAE5E,KAAI,CAAC,iBAAiB,WAAW,iBAAiB,CAChD,OAAM,IAAI,uBACR,4BACA,oDAAoD,iBAAiB,GACtE;CAEH,MAAM,cAAc,gBACjB,MAAM,EAAwB,CAC9B,aAAa;AAChB,KAAI,CAAC,cAAc,KAAK,YAAY,CAClC,OAAM,IAAI,uBACR,4BACA,gCACD;AAGH,KAAI,CAAC,gBACH,OAAM,IAAI,uBACR,qBACA,4CACD;CAEH,MAAM,YAAY,OAAO,SAAS,iBAAiB,GAAG;AACtD,KACE,CAAC,OAAO,SAAS,UAAU,IAC3B,OAAO,UAAU,KAAK,gBAAgB,MAAM,CAE5C,OAAM,IAAI,uBACR,qBACA,6DACD;CAEH,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,uBAC9B,OAAM,IAAI,uBACR,2BACA,kBAAkB,KAAK,IAAI,MAAM,UAAU,CAAC,YAAY,uBAAuB,aAChF;CAGH,MAAM,eAAA,GAAA,YAAA,YAAyB,UAAU,OAAO,CAAC,OAAO,KAAK,CAAC,OAAO,MAAM;CAC3E,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;CACnD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AACnD,KACE,YAAY,WAAW,YAAY,UACnC,EAAA,GAAA,YAAA,iBAAiB,aAAa,YAAY,CAE1C,OAAM,IAAI,uBACR,qBACA,0BACD;CAGH,IAAI;AACJ,KAAI;AACF,WAAS,KAAK,MAAM,KAAK;SACnB;AACN,QAAM,IAAI,uBACR,qBACA,4BACD;;AAGH,QAAO,gBAAgB,OAAO;;AAGhC,SAAS,WACP,SACA,MACoB;CAEpB,MAAM,UAAU,KAAK,aAAa;AAClC,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,QAAQ,CAC1C,KAAI,EAAE,aAAa,KAAK,WAAW,OAAO,MAAM,YAAY,EAAE,SAAS,EACrE,QAAO;;AAMb,SAAS,gBAAgB,KAAgC;AACvD,KAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,OAAM,IAAI,uBACR,qBACA,gCACD;CAEH,MAAM,MAAM;AACZ,KAAI,IAAI,UAAU,uBAChB,OAAM,IAAI,uBACR,qBACA,qBAAqB,OAAO,IAAI,MAAM,CAAC,GACxC;AAEH,KAAI,IAAI,SAAS,eAAe,IAAI,SAAS,YAC3C,OAAM,IAAI,uBACR,qBACA,4CACD;AAEH,MAAK,MAAM,OAAO;EAChB;EACA;EACA;EACA;EACA;EACD,CACC,KAAI,OAAO,IAAI,SAAS,YAAa,IAAI,KAAgB,WAAW,EAClE,OAAM,IAAI,uBACR,qBACA,IAAI,IAAI,8BACT;AAGL,KAAI,IAAI,WAAW,KAAA,KAAa,OAAO,IAAI,WAAW,SACpD,OAAM,IAAI,uBACR,qBACA,yCACD;CAGH,MAAM,QAA0B;EAC9B,OAAO;EACP,MAAM,IAAI;EACV,YAAY,IAAI;EAChB,eAAe,IAAI;EACnB,WAAW,IAAI;EACf,aAAa,IAAI;EACjB,SAAS,IAAI;EACd;AACD,KAAI,OAAO,IAAI,WAAW,SACxB,OAAM,SAAS,IAAI;AAErB,QAAO;;;;AChKT,IAAa,iBAAb,MAA4B;CAC1B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;;CAWd,MAAM,KAAK,QAAqD;AAC9D,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,mDACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,OAAO;EAC7D,MAAM,OAAO,KAAK,UAAU,OAAO,QAAQ;EAC3C,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAAK,KAAK,QAAQ,eAAe,OAAO,WAAW,KAAK;AAE1E,SAAO,KAAK,KAAK,QAAyB,MAAM;GAC9C,QAAQ;GACR;GACA,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;CASJ,OAAO,QAAsC;AAC3C,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,qDACD;AAGH,SAAOC,OACL,KAAK,QAAQ,eACb,OAAO,SACP,OAAO,QACR;;;;;;;;;CAUH,cAAc,QAAmC;AAC/C,MAAI,CAAC,KAAK,OAAO,OAAO,CACtB,OAAM,IAAI,sBAAsB,4BAA4B;;;;;;;;;;;CAahE,eAAe,QAAoD;AACjE,OAAK,cAAc,OAAO;EAC1B,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBAAgB,oCAAoC;;;;;;;;;;;;CAalE,kBAAkB,QAAmD;AACnE,SAAOC,kBAAsB,KAAK,QAAQ,eAAe,OAAO;;;;;;;;;;;;;;;;;;;;AClGpE,IAAa,aAAb,MAAwB;;CAEtB;;CAEA;;CAEA;;CAEA;;;;;CAMA,YAAY,UAA6B,EAAE,EAAE;EAC3C,MAAM,WAAW,eAAe,QAAQ;EACxC,MAAM,OAAO,IAAI,WAAW,SAAS;AACrC,OAAK,WAAW,IAAI,eAAe,UAAU,KAAK;AAClD,OAAK,UAAU,IAAI,cAAc,UAAU,KAAK;AAChD,OAAK,gBAAgB,IAAI,oBAAoB,UAAU,KAAK;AAC5D,OAAK,WAAW,IAAI,eAAe,SAAS;;;AAIhD,SAAS,eAAe,SAA6C;CACnE,MAAM,WAAW,QAAQ,WAAW,2BAA2B,QAC7D,QACA,GACD;CACD,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,MAAM,QAAQ,OAAO;AAE3B,KAAI,WAAW,KAAK,CAAC,OAAO,SAAS,QAAQ,CAC3C,OAAM,IAAI,mBAAmB,oCAAoC;AAGnE,KACE,QAAQ,kBAAkB,KAAA,KAC1B,CAAC,QAAQ,cAAc,WAAW,SAAS,CAE3C,OAAM,IAAI,mBAAmB,2CAAyC;AAGxE,QAAO;EACL;EACA;EACA;EACA,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,YAAY,kBAAkB,QAAQ,WAAW;EACjD,WAAW,QAAQ;EACnB,YAAY,QAAQ;EACrB;;AAGH,SAAS,kBACP,SACuC;AACvC,KAAI,CAAC,QAAS,QAAO,KAAA;AAErB,KAAI,OAAO,QAAQ,YAAY,YAAY,QAAQ,QAAQ,WAAW,EACpE,OAAM,IAAI,mBAAmB,iCAAiC;AAEhE,KAAI;AAEF,MAAI,IAAI,QAAQ,QAAQ;SAClB;AACN,QAAM,IAAI,mBAAmB,yCAAyC;;AAExE,KAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,WAAW,EAClE,OAAM,IAAI,mBAAmB,gCAAgC;AAE/D,KAAI,OAAO,QAAQ,aAAa,YAAY,QAAQ,SAAS,WAAW,EACtE,OAAM,IAAI,mBAAmB,kCAAkC;AAEjE,KACE,OAAO,QAAQ,wBAAwB,YACvC,QAAQ,oBAAoB,WAAW,EAEvC,OAAM,IAAI,mBAAmB,6CAA6C;CAG5E,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,oBAAoB,QAAQ,qBAAqB;AACvD,KAAI,qBAAqB,KAAK,CAAC,OAAO,SAAS,kBAAkB,CAC/D,OAAM,IAAI,mBACR,yDACD;AAGH,QAAO;EACL,SAAS,QAAQ;EACjB,QAAQ,QAAQ;EAChB,UAAU,QAAQ;EAClB,qBAAqB,QAAQ;EAC7B;EACA;EACD"}
1	+ {"version":3,"file":"index.cjs","names":["SIGNATURE_PREFIX","joseErrors","verifySig","verifyKeyRotationImpl"],"sources":["../src/errors.ts","../src/utils.ts","../src/webhooks/signing.ts","../src/actions/client.ts","../src/http.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/keyRotation.ts","../src/webhooks/client.ts","../src/client.ts"],"sourcesContent":["/*\n Base error class for all SDK errors. Catch this to handle any error\n * thrown by the AgentPress SDK regardless of specific type.\n /\nexport class AgentPressError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"AgentPressError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown at construction time when `AgentPressOptions` contains invalid values\n * (e.g., non-positive timeout, malformed `webhookSecret`).\n /\nexport class ConfigurationError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown when the API returns a non-2xx HTTP response.\n \n Properties:\n * - `statusCode` - HTTP status code (e.g., 401, 404, 500)\n * - `responseBody` - Raw response body text for debugging\n * - `url` - The full request URL that failed\n /\nexport class HttpError extends AgentPressError {\n public readonly statusCode: number;\n public readonly responseBody: string;\n public readonly url: string;\n\n constructor(statusCode: number, responseBody: string, url: string) {\n super(`HTTP ${statusCode} from ${url}`);\n this.name = \"HttpError\";\n this.statusCode = statusCode;\n this.responseBody = responseBody;\n this.url = url;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown when a request exceeds the configured `timeout` (default 30s). /\nexport class TimeoutError extends AgentPressError {\n constructor(url: string, timeout: number) {\n super(`Request to ${url} timed out after ${timeout}ms`);\n this.name = \"TimeoutError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown by {@link WebhooksClient.verifyOrThrow} when an inbound webhook signature is invalid or expired. /\nexport class WebhookSignatureError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"WebhookSignatureError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. /\nexport type PartnerTokenErrorReason =\n \| \"signature_invalid\"\n \| \"issuer_mismatch\"\n \| \"audience_mismatch\"\n \| \"expired\"\n \| \"not_yet_valid\"\n \| \"missing_claim\"\n \| \"ext_provider_mismatch\"\n \| \"algorithm_not_allowed\"\n \| \"kid_missing_or_unknown\"\n \| \"malformed\";\n\n/\n Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT\n * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`\n * response (`401 invalid_token` for all reasons in this class).\n /\nexport class PartnerTokenError extends AgentPressError {\n public readonly reason: PartnerTokenErrorReason;\n\n constructor(reason: PartnerTokenErrorReason, message: string) {\n super(message);\n this.name = \"PartnerTokenError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link KeyRotationVerifyError}. /\nexport type KeyRotationVerifyErrorReason =\n \| \"invalid_signature\"\n \| \"invalid_signature_format\"\n \| \"timestamp_out_of_window\"\n \| \"invalid_timestamp\"\n \| \"payload_too_large\"\n \| \"malformed_payload\";\n\n/\n Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`\n * webhook fails HMAC / timestamp / payload validation.\n /\nexport class KeyRotationVerifyError extends AgentPressError {\n public readonly reason: KeyRotationVerifyErrorReason;\n\n constructor(reason: KeyRotationVerifyErrorReason, message: string) {\n super(message);\n this.name = \"KeyRotationVerifyError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n","import { randomUUID } from \"node:crypto\";\n\nexport function randomMessageId(): string {\n return `msg_${randomUUID()}`;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst SIGNATURE_PREFIX = \"v1,\";\nconst DEFAULT_TOLERANCE_SECONDS = 5 60; // 5 minutes\n\n/*\n Sign a webhook payload using Svix-compatible HMAC-SHA256.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param msgId - Unique message ID (e.g., \"msg_<uuid>\")\n * @param timestamp - Unix timestamp in seconds\n * @param body - JSON stringified payload\n * @returns Signature string in format \"v1,<base64>\"\n /\nexport function sign(\n secret: string,\n msgId: string,\n timestamp: number,\n body: string,\n): string {\n const secretBytes = Buffer.from(secret.replace(/^whsec_/, \"\"), \"base64\");\n const message = `${msgId}.${timestamp}.${body}`;\n const signature = createHmac(\"sha256\", secretBytes)\n .update(message)\n .digest(\"base64\");\n return `${SIGNATURE_PREFIX}${signature}`;\n}\n\n/\n Verify a Svix webhook signature.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param payload - Raw request body (string or Buffer)\n * @param headers - Svix headers object\n * @param toleranceSeconds - Max age of signature in seconds (default: 5 min)\n * @returns true if valid, false if invalid or expired\n /\nexport function verify(\n secret: string,\n payload: string \| Buffer,\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n },\n toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,\n): boolean {\n const msgId = headers[\"svix-id\"];\n const timestampStr = headers[\"svix-timestamp\"];\n const signatureHeader = headers[\"svix-signature\"];\n\n const timestamp = parseInt(timestampStr, 10);\n if (Number.isNaN(timestamp)) return false;\n\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > toleranceSeconds) return false;\n\n const body =\n typeof payload === \"string\" ? payload : payload.toString(\"utf-8\");\n const expected = sign(secret, msgId, timestamp, body);\n\n const signatures = signatureHeader.split(\" \");\n const expectedBuf = Buffer.from(expected);\n\n for (const sig of signatures) {\n const sigBuf = Buffer.from(sig);\n if (\n sigBuf.length === expectedBuf.length &&\n timingSafeEqual(sigBuf, expectedBuf)\n ) {\n return true;\n }\n }\n\n return false;\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionManageResponse,\n ApproveActionParams,\n RejectActionParams,\n ResolvedOptions,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/\n Client for programmatically approving or rejecting staged actions.\n * Uses HMAC-SHA256 signing (Svix-compatible), identical to {@link WebhooksClient}.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Approve a staged action\n * await client.actions.approve(\"act_123\", {\n * action: \"my_webhook_action\",\n * });\n \n // Reject with a reason\n * await client.actions.reject(\"act_456\", {\n * action: \"my_webhook_action\",\n * reason: \"Insufficient data\",\n * });\n * ```\n /\nexport class ActionsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Approve a staged action, optionally modifying the tool call.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async approve(\n actionId: string,\n params: ApproveActionParams,\n ): Promise<ActionManageResponse> {\n const body: Record<string, unknown> = {};\n if (params.editedToolCall !== undefined) {\n body.editedToolCall = params.editedToolCall;\n }\n if (params.remember !== undefined) {\n body.remember = params.remember;\n }\n return this.manage(actionId, params.action, \"approve\", body);\n }\n\n /\n Reject a staged action.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async reject(\n actionId: string,\n params: RejectActionParams,\n ): Promise<ActionManageResponse> {\n return this.manage(actionId, params.action, \"reject\", {\n reason: params.reason,\n });\n }\n\n private async manage(\n actionId: string,\n webhookAction: string,\n operation: \"approve\" \| \"reject\",\n body: Record<string, unknown>,\n ): Promise<ActionManageResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for action management operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${webhookAction}/manage/${actionId}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<ActionManageResponse>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { AgentPressError, HttpError, TimeoutError } from \"./errors\";\nimport type { ResolvedOptions } from \"./types\";\n\n/\n Internal shared HTTP client. Not part of the public API -- used by\n * namespace clients (e.g., `WebhooksClient`) to make authenticated requests.\n * @internal\n /\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeout: number;\n private readonly onRequest?: ResolvedOptions[\"onRequest\"];\n private readonly onResponse?: ResolvedOptions[\"onResponse\"];\n\n constructor(options: ResolvedOptions) {\n this.baseUrl = options.baseUrl;\n this.timeout = options.timeout;\n this.onRequest = options.onRequest;\n this.onResponse = options.onResponse;\n }\n\n /\n Send an HTTP request to the API. Constructs the full URL from `baseUrl` + `path`,\n * applies the configured timeout via `AbortSignal`, fires `onRequest`/`onResponse`\n * hooks, and parses the JSON response.\n \n @throws {TimeoutError} If the request exceeds the configured timeout.\n * @throws {HttpError} If the API returns a non-2xx status code.\n * @throws {AgentPressError} On network failures or non-JSON responses.\n /\n async request<T>(path: string, init: RequestInit): Promise<T> {\n const url = `${this.baseUrl}${path}`;\n\n const headers = new Headers(init.headers);\n if (!headers.has(\"Content-Type\")) {\n headers.set(\"Content-Type\", \"application/json\");\n }\n\n const requestInit: RequestInit = {\n ...init,\n headers,\n signal: AbortSignal.timeout(this.timeout),\n };\n\n this.onRequest?.(url, requestInit);\n\n let response: Response;\n try {\n // biome-ignore lint/style/noRestrictedGlobals: SDK is a standalone package that uses raw fetch\n response = await fetch(url, requestInit);\n } catch (error: unknown) {\n if (\n error instanceof Error &&\n (error.name === \"TimeoutError\" \|\| error.name === \"AbortError\")\n ) {\n throw new TimeoutError(url, this.timeout);\n }\n const message =\n error instanceof Error ? error.message : \"Unknown fetch error\";\n throw new AgentPressError(`Request to ${url} failed: ${message}`);\n }\n\n this.onResponse?.(url, response.clone());\n\n const text = await response.text();\n\n if (!response.ok) {\n throw new HttpError(response.status, text, url);\n }\n\n try {\n return JSON.parse(text) as T;\n } catch {\n throw new AgentPressError(\n `Expected JSON response from ${url} but received: ${text.slice(0, 200)}`,\n );\n }\n }\n}\n","import {\n createRemoteJWKSet,\n type JWTVerifyGetKey,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nimport { ConfigurationError, PartnerTokenError } from \"../errors\";\nimport type {\n PartnerTokenClaims,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"../types\";\n\nconst ALGORITHMS = [\"EdDSA\"] as const;\n\ntype RemoteJwks = ReturnType<typeof createRemoteJWKSet>;\n\n/\n Client for Partner MCP Spec v1 helpers. Created automatically when\n * {@link AgentPressOptions.partnerMcp} is provided.\n \n State (JWKS cache) is per-instance, NOT module-global, so staging and\n * production clients can run side-by-side without cross-talk.\n /\nexport class PartnersClient {\n private readonly options: ResolvedOptions;\n private readonly partnerMcp: ResolvedPartnerMcpOptions \| undefined;\n private jwks: RemoteJwks \| null = null;\n private jwksKeyFn: JWTVerifyGetKey \| null = null;\n\n constructor(options: ResolvedOptions) {\n this.options = options;\n this.partnerMcp = options.partnerMcp;\n }\n\n /\n Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.\n \n Enforces the full spec: `algorithms: [\"EdDSA\"]` pinned; `iss`, `aud`,\n * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;\n * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).\n \n @param token - Bare JWT string (no `Bearer ` prefix).\n * @returns Typed {@link PartnerTokenClaims}.\n * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.\n * @throws {ConfigurationError} if `partnerMcp` is not configured.\n /\n async verifyToken(token: string): Promise<PartnerTokenClaims> {\n const cfg = this.requireConfig();\n const jwks = this.getJwks();\n\n let payload: Record<string, unknown>;\n let protectedHeader: { alg?: string; kid?: string; typ?: string };\n\n try {\n const result = await jwtVerify(token, jwks, {\n algorithms: [...ALGORITHMS],\n issuer: cfg.issuer,\n audience: cfg.audience,\n clockTolerance: cfg.clockTolerance,\n });\n payload = result.payload as Record<string, unknown>;\n protectedHeader = result.protectedHeader as {\n alg?: string;\n kid?: string;\n typ?: string;\n };\n } catch (err) {\n throw mapJoseError(err);\n }\n\n // kid header required by spec. jose does not enforce this on its own\n // when the key is resolvable — we enforce it explicitly so forged\n // tokens that elide the kid header can't slip through on a single-key\n // JWKS.\n if (!protectedHeader.kid \|\| typeof protectedHeader.kid !== \"string\") {\n throw new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"JWT header missing required 'kid'\",\n );\n }\n\n const claims = payload as PartnerTokenClaims & Record<string, unknown>;\n\n // jose's jwtVerify checks `exp` (with clockTolerance) but not `iat`\n // future-time unless `maxTokenAge` is set. The spec requires both sides\n // of the skew window, so enforce the future-iat check explicitly.\n if (typeof claims.iat !== \"number\" \|\| !Number.isFinite(claims.iat)) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'iat' claim must be a number\",\n );\n }\n const toleranceSeconds = toSeconds(cfg.clockTolerance);\n const nowSec = Math.floor(Date.now() / 1000);\n if (claims.iat - nowSec > toleranceSeconds) {\n throw new PartnerTokenError(\n \"not_yet_valid\",\n `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`,\n );\n }\n\n if (typeof claims.sub !== \"string\" \|\| claims.sub.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'sub' claim is required\");\n }\n if (typeof claims.jti !== \"string\" \|\| claims.jti.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'jti' claim is required\");\n }\n if (typeof claims.scope !== \"string\") {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'scope' claim must be a string\",\n );\n }\n if (\n typeof claims.ext_provider !== \"string\" \|\|\n claims.ext_provider.length === 0\n ) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'ext_provider' claim is required\",\n );\n }\n if (claims.ext_provider !== cfg.expectedExtProvider) {\n throw new PartnerTokenError(\n \"ext_provider_mismatch\",\n `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`,\n );\n }\n\n return claims;\n }\n\n /\n Force the JWKS cache to refetch immediately. Call this from your\n * `signing_key_rotation` webhook handler after verifying the webhook —\n * otherwise the cache picks up new keys on the next `kid` miss (which\n * works, but with one failed verify latency penalty).\n /\n async refreshJwks(): Promise<void> {\n const jwks = this.getJwks();\n // jose's RemoteJWKSet exposes `.reload()` for exactly this use case.\n const anyJwks = jwks as unknown as { reload?: () => Promise<void> };\n if (typeof anyJwks.reload === \"function\") {\n await anyJwks.reload();\n }\n }\n\n private requireConfig(): ResolvedPartnerMcpOptions {\n if (!this.partnerMcp) {\n throw new ConfigurationError(\n \"partnerMcp options are required for partner token operations\",\n );\n }\n return this.partnerMcp;\n }\n\n private getJwks(): RemoteJwks {\n const cfg = this.requireConfig();\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {\n cacheMaxAge: cfg.jwksCacheMaxAgeMs,\n cooldownDuration: 30_000,\n });\n this.jwksKeyFn = this.jwks as unknown as JWTVerifyGetKey;\n }\n return this.jwks;\n }\n}\n\nfunction toSeconds(tolerance: string \| number): number {\n if (typeof tolerance === \"number\") return tolerance;\n const match = tolerance.trim().match(/^(\\d+)\\s(s\|m\|h)$/i);\n if (!match) return 30;\n const n = Number.parseInt(match[1] as string, 10);\n const unit = (match[2] as string).toLowerCase();\n if (unit === \"s\") return n;\n if (unit === \"m\") return n * 60;\n if (unit === \"h\") return n * 3600;\n return 30;\n}\n\nfunction mapJoseError(err: unknown): PartnerTokenError {\n if (err instanceof PartnerTokenError) return err;\n\n if (err instanceof joseErrors.JWSSignatureVerificationFailed) {\n return new PartnerTokenError(\n \"signature_invalid\",\n \"JWT signature verification failed\",\n );\n }\n if (err instanceof joseErrors.JWKSNoMatchingKey) {\n return new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"No JWKS key matches the JWT 'kid' header\",\n );\n }\n if (err instanceof joseErrors.JOSEAlgNotAllowed) {\n return new PartnerTokenError(\n \"algorithm_not_allowed\",\n \"JWT 'alg' is not EdDSA\",\n );\n }\n if (err instanceof joseErrors.JWTExpired) {\n return new PartnerTokenError(\"expired\", \"JWT has expired\");\n }\n if (err instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (err as { claim?: string }).claim;\n if (claim === \"iss\") {\n return new PartnerTokenError(\n \"issuer_mismatch\",\n \"JWT 'iss' does not match expected issuer\",\n );\n }\n if (claim === \"aud\") {\n return new PartnerTokenError(\n \"audience_mismatch\",\n \"JWT 'aud' does not match expected audience\",\n );\n }\n if (claim === \"iat\") {\n return new PartnerTokenError(\n \"not_yet_valid\",\n \"JWT 'iat' is in the future beyond clock tolerance\",\n );\n }\n return new PartnerTokenError(\n \"missing_claim\",\n err.message \|\| \"Claim validation failed\",\n );\n }\n if (\n err instanceof joseErrors.JWTInvalid \|\|\n err instanceof joseErrors.JWSInvalid\n ) {\n return new PartnerTokenError(\"malformed\", err.message \|\| \"Malformed JWT\");\n }\n if (err instanceof Error) {\n return new PartnerTokenError(\"malformed\", err.message);\n }\n return new PartnerTokenError(\"malformed\", String(err));\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n CreateUserApprovalParams,\n DeleteUserApprovalParams,\n ListUserApprovalsParams,\n ListUserApprovalsResponse,\n ResolvedOptions,\n UpdateUserApprovalParams,\n UserToolApproval,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/*\n Client for managing per-user auto-approval rules — the SDK equivalent of the\n * console's `/account/auto-approvals` settings page. Uses HMAC-SHA256 signing\n * (Svix-compatible), identical to {@link ActionsClient.manage}.\n \n Each call is scoped to a single webhook (identified by `webhookIdentifier`),\n * which both selects the signing secret and scopes which approvals are visible.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Provision consent so future \"sendEmail\" triggers skip the approval prompt\n * await client.userApprovals.create({\n * webhookIdentifier: \"reviews\",\n * userId: \"user-uuid\",\n * actionWebhookId: \"webhook-uuid\",\n * toolName: \"sendEmail\",\n * mode: \"always_allow\",\n * });\n \n // List rules (optionally filtered by userId)\n * const { approvals } = await client.userApprovals.list({\n * webhookIdentifier: \"reviews\",\n * });\n \n // Revoke\n * await client.userApprovals.delete(approvalId, { webhookIdentifier: \"reviews\" });\n * ```\n /\nexport class UserApprovalsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n List auto-approval rules for a webhook. Optionally filter by `userId`.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async list(\n params: ListUserApprovalsParams,\n ): Promise<ListUserApprovalsResponse> {\n const body: Record<string, unknown> = {};\n if (params.userId !== undefined) body.userId = params.userId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<ListUserApprovalsResponse>(\n params.webhookIdentifier,\n \"list\",\n body,\n );\n }\n\n /\n Create (or upsert) an auto-approval rule. If a rule with the same\n * `(userId, actionWebhookId, toolName)` triple already exists, it is\n * updated in place.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async create(params: CreateUserApprovalParams): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n actionWebhookId: params.actionWebhookId,\n toolName: params.toolName,\n mode: params.mode ?? \"always_allow\",\n };\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n \"create\",\n body,\n );\n }\n\n /\n Patch an existing auto-approval rule (change mode or expiry).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async update(\n id: string,\n params: UpdateUserApprovalParams,\n ): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {};\n if (params.mode !== undefined) body.mode = params.mode;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n `update/${id}`,\n body,\n );\n }\n\n /\n Revoke an auto-approval rule. Future triggers of the corresponding\n * `(user, webhook, tool)` combination will once again stage for approval.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async delete(\n id: string,\n params: DeleteUserApprovalParams,\n ): Promise<{ success: boolean }> {\n return this.send<{ success: boolean }>(\n params.webhookIdentifier,\n `delete/${id}`,\n {},\n );\n }\n\n /* Internal: HMAC-sign and POST the body to the scoped path. /\n private async send<T>(\n webhookIdentifier: string,\n operation: string,\n body: Record<string, unknown>,\n ): Promise<T> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for user approval management operations\",\n );\n }\n\n const path = `/webhooks/user-approvals/${this.options.org}/${webhookIdentifier}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<T>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nimport { ConfigurationError, KeyRotationVerifyError } from \"../errors\";\nimport type { KeyRotationEvent, KeyRotationVerifyParams } from \"../types\";\n\nconst MAX_PAYLOAD_BYTES = 8 1024; // 8 KB\nconst TIMESTAMP_SKEW_SECONDS = 300; // 5 minutes\nconst SIGNATURE_PREFIX = \"sha256=\";\n\n/*\n Verify a `signing_key_rotation` webhook signed by AgentPress with\n * HMAC-SHA256 over the raw request body. Returns the typed\n * {@link KeyRotationEvent} payload.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\nexport function verifyKeyRotation(\n secret: string \| undefined,\n params: KeyRotationVerifyParams,\n): KeyRotationEvent {\n if (!secret) {\n throw new ConfigurationError(\n \"webhookSecret is required for key rotation webhook verification\",\n );\n }\n\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n\n const byteLength =\n typeof params.payload === \"string\"\n ? Buffer.byteLength(params.payload, \"utf-8\")\n : params.payload.length;\n if (byteLength > MAX_PAYLOAD_BYTES) {\n throw new KeyRotationVerifyError(\n \"payload_too_large\",\n `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`,\n );\n }\n\n const signatureHeader = readHeader(params.headers, \"x-agentpress-signature\");\n const timestampHeader = readHeader(params.headers, \"x-agentpress-timestamp\");\n\n if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`,\n );\n }\n const providedHex = signatureHeader\n .slice(SIGNATURE_PREFIX.length)\n .toLowerCase();\n if (!/^[0-9a-f]+$/.test(providedHex)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n \"Signature is not a hex string\",\n );\n }\n\n if (!timestampHeader) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp header is required\",\n );\n }\n const timestamp = Number.parseInt(timestampHeader, 10);\n if (\n !Number.isFinite(timestamp) \|\|\n String(timestamp) !== timestampHeader.trim()\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp is not a valid unix seconds integer\",\n );\n }\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) {\n throw new KeyRotationVerifyError(\n \"timestamp_out_of_window\",\n `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`,\n );\n }\n\n const expectedHex = createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n const providedBuf = Buffer.from(providedHex, \"hex\");\n const expectedBuf = Buffer.from(expectedHex, \"hex\");\n if (\n providedBuf.length !== expectedBuf.length \|\|\n !timingSafeEqual(providedBuf, expectedBuf)\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_signature\",\n \"HMAC signature mismatch\",\n );\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(body);\n } catch {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload is not valid JSON\",\n );\n }\n\n return validatePayload(parsed);\n}\n\nfunction readHeader(\n headers: Record<string, string \| undefined>,\n name: string,\n): string \| undefined {\n // Headers are case-insensitive; normalize without mutating the caller's object.\n const lowered = name.toLowerCase();\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === lowered && typeof v === \"string\" && v.length > 0) {\n return v;\n }\n }\n return undefined;\n}\n\nfunction validatePayload(raw: unknown): KeyRotationEvent {\n if (!raw \|\| typeof raw !== \"object\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload must be a JSON object\",\n );\n }\n const obj = raw as Record<string, unknown>;\n if (obj.event !== \"signing_key_rotation\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `Unexpected event '${String(obj.event)}'`,\n );\n }\n if (obj.type !== \"scheduled\" && obj.type !== \"emergency\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'type' must be 'scheduled' or 'emergency'\",\n );\n }\n for (const key of [\n \"retiredKid\",\n \"newCurrentKid\",\n \"retiredAt\",\n \"effectiveAt\",\n \"jwksUrl\",\n ]) {\n if (typeof obj[key] !== \"string\" \|\| (obj[key] as string).length === 0) {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `'${key}' must be a non-empty string`,\n );\n }\n }\n if (obj.reason !== undefined && typeof obj.reason !== \"string\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'reason' must be a string when present\",\n );\n }\n\n const event: KeyRotationEvent = {\n event: \"signing_key_rotation\",\n type: obj.type as \"scheduled\" \| \"emergency\",\n retiredKid: obj.retiredKid as string,\n newCurrentKid: obj.newCurrentKid as string,\n retiredAt: obj.retiredAt as string,\n effectiveAt: obj.effectiveAt as string,\n jwksUrl: obj.jwksUrl as string,\n };\n if (typeof obj.reason === \"string\") {\n event.reason = obj.reason;\n }\n return event;\n}\n","import {\n AgentPressError,\n ConfigurationError,\n WebhookSignatureError,\n} from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionCallbackPayload,\n KeyRotationEvent,\n KeyRotationVerifyParams,\n ResolvedOptions,\n WebhookResponse,\n WebhookSendParams,\n WebhookVerifyParams,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { verifyKeyRotation as verifyKeyRotationImpl } from \"./keyRotation\";\nimport { sign, verify as verifySig } from \"./signing\";\n\nexport class WebhooksClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Send an arbitrary webhook payload to AgentPress.\n * Signs the payload with HMAC-SHA256 (Svix-compatible).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async send(params: WebhookSendParams): Promise<WebhookResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${params.action}`;\n const body = JSON.stringify(params.payload);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(this.options.webhookSecret, msgId, timestamp, body);\n\n return this.http.request<WebhookResponse>(path, {\n method: \"POST\",\n body,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n\n /\n Verify an inbound Svix webhook signature.\n \n @returns true if valid, false if invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verify(params: WebhookVerifyParams): boolean {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook verification\",\n );\n }\n\n return verifySig(\n this.options.webhookSecret,\n params.payload,\n params.headers,\n );\n }\n\n /\n Verify an inbound Svix webhook signature, throwing on failure.\n * Useful for middleware patterns where invalid signatures should halt processing.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verifyOrThrow(params: WebhookVerifyParams): void {\n if (!this.verify(params)) {\n throw new WebhookSignatureError(\"Invalid webhook signature\");\n }\n }\n\n /\n Verify and parse an inbound webhook from AgentPress.\n * Combines signature verification with JSON parsing and type casting.\n * This is the recommended way to handle incoming webhooks.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws AgentPressError if payload is not valid JSON\n /\n constructEvent(params: WebhookVerifyParams): ActionCallbackPayload {\n this.verifyOrThrow(params);\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n try {\n return JSON.parse(body) as ActionCallbackPayload;\n } catch {\n throw new AgentPressError(\"Webhook payload is not valid JSON\");\n }\n }\n\n /\n Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp\n * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the\n * full contract.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping\n * (401 for signature errors, 400 for malformed payload, 413 for oversize).\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\n verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent {\n return verifyKeyRotationImpl(this.options.webhookSecret, params);\n }\n}\n","import { ActionsClient } from \"./actions/client\";\nimport { ConfigurationError } from \"./errors\";\nimport { HttpClient } from \"./http\";\nimport { PartnersClient } from \"./partners/client\";\nimport type {\n AgentPressOptions,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"./types\";\nimport { UserApprovalsClient } from \"./userApprovals/client\";\nimport { WebhooksClient } from \"./webhooks/client\";\n\n/\n Main entry point for the AgentPress SDK. Provides namespaced access to API\n * resources (e.g., `client.webhooks.send()`, `client.actions.approve()`).\n * Validates all configuration options at construction time, so invalid config fails fast.\n \n @example\n * ```ts\n * const client = new AgentPress({\n * apiKey: \"ak_...\",\n * webhookSecret: \"whsec_...\",\n * });\n * await client.webhooks.send({ action: \"my_action\", payload: { ... } });\n * await client.actions.approve(\"act_123\", { action: \"my_action\" });\n * ```\n /\nexport class AgentPress {\n /* Webhook operations: send outbound webhooks and verify inbound signatures. /\n public readonly webhooks: WebhooksClient;\n /* Action management: approve or reject staged actions. /\n public readonly actions: ActionsClient;\n /* Per-user auto-approval rules (read / create / update / delete). /\n public readonly userApprovals: UserApprovalsClient;\n /* Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). /\n public readonly partners: PartnersClient;\n\n /\n @param options - SDK configuration. All fields are optional with sensible defaults.\n * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.\n */\n constructor(options: AgentPressOptions = {}) {\n const resolved = resolveOptions(options);\n const http = new HttpClient(resolved);\n this.webhooks = new WebhooksClient(resolved, http);\n this.actions = new ActionsClient(resolved, http);\n this.userApprovals = new UserApprovalsClient(resolved, http);\n this.partners = new PartnersClient(resolved);\n }\n}\n\nfunction resolveOptions(options: AgentPressOptions): ResolvedOptions {\n const baseUrl = (options.baseUrl ?? \"https://api.agent.press\").replace(\n /\\/+$/,\n \"\",\n );\n const timeout = options.timeout ?? 30_000;\n const org = options.org ?? \"default-org\";\n\n if (timeout <= 0 \|\| !Number.isFinite(timeout)) {\n throw new ConfigurationError(\"timeout must be a positive number\");\n }\n\n if (\n options.webhookSecret !== undefined &&\n !options.webhookSecret.startsWith(\"whsec_\")\n ) {\n throw new ConfigurationError('webhookSecret must start with \"whsec_\"');\n }\n\n return {\n baseUrl,\n timeout,\n org,\n webhookSecret: options.webhookSecret,\n apiKey: options.apiKey,\n partnerMcp: resolvePartnerMcp(options.partnerMcp),\n onRequest: options.onRequest,\n onResponse: options.onResponse,\n };\n}\n\nfunction resolvePartnerMcp(\n options: AgentPressOptions[\"partnerMcp\"],\n): ResolvedPartnerMcpOptions \| undefined {\n if (!options) return undefined;\n\n if (typeof options.jwksUrl !== \"string\" \|\| options.jwksUrl.length === 0) {\n throw new ConfigurationError(\"partnerMcp.jwksUrl is required\");\n }\n try {\n // Validate early so a bad URL fails at construction, not on first verify.\n new URL(options.jwksUrl);\n } catch {\n throw new ConfigurationError(\"partnerMcp.jwksUrl must be a valid URL\");\n }\n if (typeof options.issuer !== \"string\" \|\| options.issuer.length === 0) {\n throw new ConfigurationError(\"partnerMcp.issuer is required\");\n }\n if (typeof options.audience !== \"string\" \|\| options.audience.length === 0) {\n throw new ConfigurationError(\"partnerMcp.audience is required\");\n }\n if (\n typeof options.expectedExtProvider !== \"string\" \|\|\n options.expectedExtProvider.length === 0\n ) {\n throw new ConfigurationError(\"partnerMcp.expectedExtProvider is required\");\n }\n\n const clockTolerance = options.clockTolerance ?? \"30s\";\n const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 3_600_000;\n if (jwksCacheMaxAgeMs <= 0 \|\| !Number.isFinite(jwksCacheMaxAgeMs)) {\n throw new ConfigurationError(\n \"partnerMcp.jwksCacheMaxAgeMs must be a positive number\",\n );\n }\n\n return {\n jwksUrl: options.jwksUrl,\n issuer: options.issuer,\n audience: options.audience,\n expectedExtProvider: options.expectedExtProvider,\n clockTolerance,\n jwksCacheMaxAgeMs,\n };\n}\n"],"mappings":";;;;;;;;AAIA,IAAa,kBAAb,cAAqC,MAAM;CACzC,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAQrD,IAAa,qBAAb,cAAwC,gBAAgB;CACtD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;;;;AAYrD,IAAa,YAAb,cAA+B,gBAAgB;CAC7C;CACA;CACA;CAEA,YAAY,YAAoB,cAAsB,KAAa;AACjE,QAAM,QAAQ,WAAW,QAAQ,MAAM;AACvC,OAAK,OAAO;AACZ,OAAK,aAAa;AAClB,OAAK,eAAe;AACpB,OAAK,MAAM;AACX,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,eAAb,cAAkC,gBAAgB;CAChD,YAAY,KAAa,SAAiB;AACxC,QAAM,cAAc,IAAI,mBAAmB,QAAQ,IAAI;AACvD,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,wBAAb,cAA2C,gBAAgB;CACzD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;AAsBrD,IAAa,oBAAb,cAAuC,gBAAgB;CACrD;CAEA,YAAY,QAAiC,SAAiB;AAC5D,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAiBrD,IAAa,yBAAb,cAA4C,gBAAgB;CAC1D;CAEA,YAAY,QAAsC,SAAiB;AACjE,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;AChHrD,SAAgB,kBAA0B;AACxC,QAAO,QAAA,GAAA,YAAA,aAAmB;;;;ACD5B,MAAMA,qBAAmB;AACzB,MAAM,4BAA4B;;;;;;;;;;AAWlC,SAAgB,KACd,QACA,OACA,WACA,MACQ;CACR,MAAM,cAAc,OAAO,KAAK,OAAO,QAAQ,WAAW,GAAG,EAAE,SAAS;CACxE,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG;AAIzC,QAAO,GAAGA,sBAAAA,GAAAA,YAAAA,YAHmB,UAAU,YAAY,CAChD,OAAO,QAAQ,CACf,OAAO,SAC4B;;;;;;;;;;;AAYxC,SAAgB,OACd,QACA,SACA,SAKA,mBAA2B,2BAClB;CACT,MAAM,QAAQ,QAAQ;CACtB,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,MAAM,YAAY,SAAS,cAAc,GAAG;AAC5C,KAAI,OAAO,MAAM,UAAU,CAAE,QAAO;CAEpC,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,iBAAkB,QAAO;CAIzD,MAAM,WAAW,KAAK,QAAQ,OAAO,WADnC,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,QAAQ,CACd;CAErD,MAAM,aAAa,gBAAgB,MAAM,IAAI;CAC7C,MAAM,cAAc,OAAO,KAAK,SAAS;AAEzC,MAAK,MAAM,OAAO,YAAY;EAC5B,MAAM,SAAS,OAAO,KAAK,IAAI;AAC/B,MACE,OAAO,WAAW,YAAY,WAAA,GAAA,YAAA,iBACd,QAAQ,YAAY,CAEpC,QAAO;;AAIX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;AC3CT,IAAa,gBAAb,MAA2B;CACzB;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,QACJ,UACA,QAC+B;EAC/B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,mBAAmB,KAAA,EAC5B,MAAK,iBAAiB,OAAO;AAE/B,MAAI,OAAO,aAAa,KAAA,EACtB,MAAK,WAAW,OAAO;AAEzB,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,WAAW,KAAK;;;;;;;;;CAU9D,MAAM,OACJ,UACA,QAC+B;AAC/B,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,UAAU,EACpD,QAAQ,OAAO,QAChB,CAAC;;CAGJ,MAAc,OACZ,UACA,eACA,WACA,MAC+B;AAC/B,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,6DACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,cAAc,UAAU,SAAS,GAAG;EAC1F,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAA8B,MAAM;GACnD,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;;;ACpGN,IAAa,aAAb,MAAwB;CACtB;CACA;CACA;CACA;CAEA,YAAY,SAA0B;AACpC,OAAK,UAAU,QAAQ;AACvB,OAAK,UAAU,QAAQ;AACvB,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;;;;;;;;;;;CAY5B,MAAM,QAAW,MAAc,MAA+B;EAC5D,MAAM,MAAM,GAAG,KAAK,UAAU;EAE9B,MAAM,UAAU,IAAI,QAAQ,KAAK,QAAQ;AACzC,MAAI,CAAC,QAAQ,IAAI,eAAe,CAC9B,SAAQ,IAAI,gBAAgB,mBAAmB;EAGjD,MAAM,cAA2B;GAC/B,GAAG;GACH;GACA,QAAQ,YAAY,QAAQ,KAAK,QAAQ;GAC1C;AAED,OAAK,YAAY,KAAK,YAAY;EAElC,IAAI;AACJ,MAAI;AAEF,cAAW,MAAM,MAAM,KAAK,YAAY;WACjC,OAAgB;AACvB,OACE,iBAAiB,UAChB,MAAM,SAAS,kBAAkB,MAAM,SAAS,cAEjD,OAAM,IAAI,aAAa,KAAK,KAAK,QAAQ;AAI3C,SAAM,IAAI,gBAAgB,cAAc,IAAI,WAD1C,iBAAiB,QAAQ,MAAM,UAAU,wBACsB;;AAGnE,OAAK,aAAa,KAAK,SAAS,OAAO,CAAC;EAExC,MAAM,OAAO,MAAM,SAAS,MAAM;AAElC,MAAI,CAAC,SAAS,GACZ,OAAM,IAAI,UAAU,SAAS,QAAQ,MAAM,IAAI;AAGjD,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBACR,+BAA+B,IAAI,iBAAiB,KAAK,MAAM,GAAG,IAAI,GACvE;;;;;;AC7DP,MAAM,aAAa,CAAC,QAAQ;;;;;;;;AAW5B,IAAa,iBAAb,MAA4B;CAC1B;CACA;CACA,OAAkC;CAClC,YAA4C;CAE5C,YAAY,SAA0B;AACpC,OAAK,UAAU;AACf,OAAK,aAAa,QAAQ;;;;;;;;;;;;;;CAe5B,MAAM,YAAY,OAA4C;EAC5D,MAAM,MAAM,KAAK,eAAe;EAChC,MAAM,OAAO,KAAK,SAAS;EAE3B,IAAI;EACJ,IAAI;AAEJ,MAAI;GACF,MAAM,SAAS,OAAA,GAAA,KAAA,WAAgB,OAAO,MAAM;IAC1C,YAAY,CAAC,GAAG,WAAW;IAC3B,QAAQ,IAAI;IACZ,UAAU,IAAI;IACd,gBAAgB,IAAI;IACrB,CAAC;AACF,aAAU,OAAO;AACjB,qBAAkB,OAAO;WAKlB,KAAK;AACZ,SAAM,aAAa,IAAI;;AAOzB,MAAI,CAAC,gBAAgB,OAAO,OAAO,gBAAgB,QAAQ,SACzD,OAAM,IAAI,kBACR,0BACA,oCACD;EAGH,MAAM,SAAS;AAKf,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,CAChE,OAAM,IAAI,kBACR,iBACA,+BACD;EAEH,MAAM,mBAAmB,UAAU,IAAI,eAAe;EACtD,MAAM,SAAS,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAC5C,MAAI,OAAO,MAAM,SAAS,iBACxB,OAAM,IAAI,kBACR,iBACA,YAAY,OAAO,MAAM,OAAO,0BAA0B,iBAAiB,aAC5E;AAGH,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,UAAU,SAC1B,OAAM,IAAI,kBACR,iBACA,iCACD;AAEH,MACE,OAAO,OAAO,iBAAiB,YAC/B,OAAO,aAAa,WAAW,EAE/B,OAAM,IAAI,kBACR,iBACA,mCACD;AAEH,MAAI,OAAO,iBAAiB,IAAI,oBAC9B,OAAM,IAAI,kBACR,yBACA,iBAAiB,OAAO,aAAa,6BAA6B,IAAI,oBAAoB,GAC3F;AAGH,SAAO;;;;;;;;CAST,MAAM,cAA6B;EAGjC,MAAM,UAFO,KAAK,SAEE;AACpB,MAAI,OAAO,QAAQ,WAAW,WAC5B,OAAM,QAAQ,QAAQ;;CAI1B,gBAAmD;AACjD,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,mBACR,+DACD;AAEH,SAAO,KAAK;;CAGd,UAA8B;EAC5B,MAAM,MAAM,KAAK,eAAe;AAChC,MAAI,CAAC,KAAK,MAAM;AACd,QAAK,QAAA,GAAA,KAAA,oBAA0B,IAAI,IAAI,IAAI,QAAQ,EAAE;IACnD,aAAa,IAAI;IACjB,kBAAkB;IACnB,CAAC;AACF,QAAK,YAAY,KAAK;;AAExB,SAAO,KAAK;;;AAIhB,SAAS,UAAU,WAAoC;AACrD,KAAI,OAAO,cAAc,SAAU,QAAO;CAC1C,MAAM,QAAQ,UAAU,MAAM,CAAC,MAAM,qBAAqB;AAC1D,KAAI,CAAC,MAAO,QAAO;CACnB,MAAM,IAAI,OAAO,SAAS,MAAM,IAAc,GAAG;CACjD,MAAM,OAAQ,MAAM,GAAc,aAAa;AAC/C,KAAI,SAAS,IAAK,QAAO;AACzB,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,QAAO;;AAGT,SAAS,aAAa,KAAiC;AACrD,KAAI,eAAe,kBAAmB,QAAO;AAE7C,KAAI,eAAeC,KAAAA,OAAW,+BAC5B,QAAO,IAAI,kBACT,qBACA,oCACD;AAEH,KAAI,eAAeA,KAAAA,OAAW,kBAC5B,QAAO,IAAI,kBACT,0BACA,2CACD;AAEH,KAAI,eAAeA,KAAAA,OAAW,kBAC5B,QAAO,IAAI,kBACT,yBACA,yBACD;AAEH,KAAI,eAAeA,KAAAA,OAAW,WAC5B,QAAO,IAAI,kBAAkB,WAAW,kBAAkB;AAE5D,KAAI,eAAeA,KAAAA,OAAW,0BAA0B;EACtD,MAAM,QAAS,IAA2B;AAC1C,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,mBACA,2CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,qBACA,6CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,iBACA,oDACD;AAEH,SAAO,IAAI,kBACT,iBACA,IAAI,WAAW,0BAChB;;AAEH,KACE,eAAeA,KAAAA,OAAW,cAC1B,eAAeA,KAAAA,OAAW,WAE1B,QAAO,IAAI,kBAAkB,aAAa,IAAI,WAAW,gBAAgB;AAE3E,KAAI,eAAe,MACjB,QAAO,IAAI,kBAAkB,aAAa,IAAI,QAAQ;AAExD,QAAO,IAAI,kBAAkB,aAAa,OAAO,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACrMxD,IAAa,sBAAb,MAAiC;CAC/B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,WAAW,KAAA,EAAW,MAAK,SAAS,OAAO;AACtD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,SAAO,KAAK,KACV,OAAO,mBACP,QACA,KACD;;;;;;;;;;;CAYH,MAAM,OAAO,QAA6D;EACxE,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,iBAAiB,OAAO;GACxB,UAAU,OAAO;GACjB,MAAM,OAAO,QAAQ;GACtB;AACD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UACA,KACD;;;;;;;;;CAUH,MAAM,OACJ,IACA,QAC2B;EAC3B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,SAAS,KAAA,EAAW,MAAK,OAAO,OAAO;AAClD,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,KACD;;;;;;;;;;CAWH,MAAM,OACJ,IACA,QAC+B;AAC/B,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,EAAE,CACH;;;CAIH,MAAc,KACZ,mBACA,WACA,MACY;AACZ,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,oEACD;EAGH,MAAM,OAAO,4BAA4B,KAAK,QAAQ,IAAI,GAAG,kBAAkB,GAAG;EAClF,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAAW,MAAM;GAChC,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;AC5KN,MAAM,oBAAoB,IAAI;AAC9B,MAAM,yBAAyB;AAC/B,MAAM,mBAAmB;;;;;;;;;AAUzB,SAAgB,kBACd,QACA,QACkB;AAClB,KAAI,CAAC,OACH,OAAM,IAAI,mBACR,kEACD;CAGH,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AAMtC,MAHE,OAAO,OAAO,YAAY,WACtB,OAAO,WAAW,OAAO,SAAS,QAAQ,GAC1C,OAAO,QAAQ,UACJ,kBACf,OAAM,IAAI,uBACR,qBACA,mBAAmB,kBAAkB,QACtC;CAGH,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;CAC5E,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;AAE5E,KAAI,CAAC,iBAAiB,WAAW,iBAAiB,CAChD,OAAM,IAAI,uBACR,4BACA,oDAAoD,iBAAiB,GACtE;CAEH,MAAM,cAAc,gBACjB,MAAM,EAAwB,CAC9B,aAAa;AAChB,KAAI,CAAC,cAAc,KAAK,YAAY,CAClC,OAAM,IAAI,uBACR,4BACA,gCACD;AAGH,KAAI,CAAC,gBACH,OAAM,IAAI,uBACR,qBACA,4CACD;CAEH,MAAM,YAAY,OAAO,SAAS,iBAAiB,GAAG;AACtD,KACE,CAAC,OAAO,SAAS,UAAU,IAC3B,OAAO,UAAU,KAAK,gBAAgB,MAAM,CAE5C,OAAM,IAAI,uBACR,qBACA,6DACD;CAEH,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,uBAC9B,OAAM,IAAI,uBACR,2BACA,kBAAkB,KAAK,IAAI,MAAM,UAAU,CAAC,YAAY,uBAAuB,aAChF;CAGH,MAAM,eAAA,GAAA,YAAA,YAAyB,UAAU,OAAO,CAAC,OAAO,KAAK,CAAC,OAAO,MAAM;CAC3E,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;CACnD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AACnD,KACE,YAAY,WAAW,YAAY,UACnC,EAAA,GAAA,YAAA,iBAAiB,aAAa,YAAY,CAE1C,OAAM,IAAI,uBACR,qBACA,0BACD;CAGH,IAAI;AACJ,KAAI;AACF,WAAS,KAAK,MAAM,KAAK;SACnB;AACN,QAAM,IAAI,uBACR,qBACA,4BACD;;AAGH,QAAO,gBAAgB,OAAO;;AAGhC,SAAS,WACP,SACA,MACoB;CAEpB,MAAM,UAAU,KAAK,aAAa;AAClC,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,QAAQ,CAC1C,KAAI,EAAE,aAAa,KAAK,WAAW,OAAO,MAAM,YAAY,EAAE,SAAS,EACrE,QAAO;;AAMb,SAAS,gBAAgB,KAAgC;AACvD,KAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,OAAM,IAAI,uBACR,qBACA,gCACD;CAEH,MAAM,MAAM;AACZ,KAAI,IAAI,UAAU,uBAChB,OAAM,IAAI,uBACR,qBACA,qBAAqB,OAAO,IAAI,MAAM,CAAC,GACxC;AAEH,KAAI,IAAI,SAAS,eAAe,IAAI,SAAS,YAC3C,OAAM,IAAI,uBACR,qBACA,4CACD;AAEH,MAAK,MAAM,OAAO;EAChB;EACA;EACA;EACA;EACA;EACD,CACC,KAAI,OAAO,IAAI,SAAS,YAAa,IAAI,KAAgB,WAAW,EAClE,OAAM,IAAI,uBACR,qBACA,IAAI,IAAI,8BACT;AAGL,KAAI,IAAI,WAAW,KAAA,KAAa,OAAO,IAAI,WAAW,SACpD,OAAM,IAAI,uBACR,qBACA,yCACD;CAGH,MAAM,QAA0B;EAC9B,OAAO;EACP,MAAM,IAAI;EACV,YAAY,IAAI;EAChB,eAAe,IAAI;EACnB,WAAW,IAAI;EACf,aAAa,IAAI;EACjB,SAAS,IAAI;EACd;AACD,KAAI,OAAO,IAAI,WAAW,SACxB,OAAM,SAAS,IAAI;AAErB,QAAO;;;;AChKT,IAAa,iBAAb,MAA4B;CAC1B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;;CAWd,MAAM,KAAK,QAAqD;AAC9D,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,mDACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,OAAO;EAC7D,MAAM,OAAO,KAAK,UAAU,OAAO,QAAQ;EAC3C,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAAK,KAAK,QAAQ,eAAe,OAAO,WAAW,KAAK;AAE1E,SAAO,KAAK,KAAK,QAAyB,MAAM;GAC9C,QAAQ;GACR;GACA,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;CASJ,OAAO,QAAsC;AAC3C,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,qDACD;AAGH,SAAOC,OACL,KAAK,QAAQ,eACb,OAAO,SACP,OAAO,QACR;;;;;;;;;CAUH,cAAc,QAAmC;AAC/C,MAAI,CAAC,KAAK,OAAO,OAAO,CACtB,OAAM,IAAI,sBAAsB,4BAA4B;;;;;;;;;;;CAahE,eAAe,QAAoD;AACjE,OAAK,cAAc,OAAO;EAC1B,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBAAgB,oCAAoC;;;;;;;;;;;;CAalE,kBAAkB,QAAmD;AACnE,SAAOC,kBAAsB,KAAK,QAAQ,eAAe,OAAO;;;;;;;;;;;;;;;;;;;;AClGpE,IAAa,aAAb,MAAwB;;CAEtB;;CAEA;;CAEA;;CAEA;;;;;CAMA,YAAY,UAA6B,EAAE,EAAE;EAC3C,MAAM,WAAW,eAAe,QAAQ;EACxC,MAAM,OAAO,IAAI,WAAW,SAAS;AACrC,OAAK,WAAW,IAAI,eAAe,UAAU,KAAK;AAClD,OAAK,UAAU,IAAI,cAAc,UAAU,KAAK;AAChD,OAAK,gBAAgB,IAAI,oBAAoB,UAAU,KAAK;AAC5D,OAAK,WAAW,IAAI,eAAe,SAAS;;;AAIhD,SAAS,eAAe,SAA6C;CACnE,MAAM,WAAW,QAAQ,WAAW,2BAA2B,QAC7D,QACA,GACD;CACD,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,MAAM,QAAQ,OAAO;AAE3B,KAAI,WAAW,KAAK,CAAC,OAAO,SAAS,QAAQ,CAC3C,OAAM,IAAI,mBAAmB,oCAAoC;AAGnE,KACE,QAAQ,kBAAkB,KAAA,KAC1B,CAAC,QAAQ,cAAc,WAAW,SAAS,CAE3C,OAAM,IAAI,mBAAmB,2CAAyC;AAGxE,QAAO;EACL;EACA;EACA;EACA,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,YAAY,kBAAkB,QAAQ,WAAW;EACjD,WAAW,QAAQ;EACnB,YAAY,QAAQ;EACrB;;AAGH,SAAS,kBACP,SACuC;AACvC,KAAI,CAAC,QAAS,QAAO,KAAA;AAErB,KAAI,OAAO,QAAQ,YAAY,YAAY,QAAQ,QAAQ,WAAW,EACpE,OAAM,IAAI,mBAAmB,iCAAiC;AAEhE,KAAI;AAEF,MAAI,IAAI,QAAQ,QAAQ;SAClB;AACN,QAAM,IAAI,mBAAmB,yCAAyC;;AAExE,KAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,WAAW,EAClE,OAAM,IAAI,mBAAmB,gCAAgC;AAE/D,KAAI,OAAO,QAAQ,aAAa,YAAY,QAAQ,SAAS,WAAW,EACtE,OAAM,IAAI,mBAAmB,kCAAkC;AAEjE,KACE,OAAO,QAAQ,wBAAwB,YACvC,QAAQ,oBAAoB,WAAW,EAEvC,OAAM,IAAI,mBAAmB,6CAA6C;CAG5E,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,oBAAoB,QAAQ,qBAAqB;AACvD,KAAI,qBAAqB,KAAK,CAAC,OAAO,SAAS,kBAAkB,CAC/D,OAAM,IAAI,mBACR,yDACD;AAGH,QAAO;EACL,SAAS,QAAQ;EACjB,QAAQ,QAAQ;EAChB,UAAU,QAAQ;EAClB,qBAAqB,QAAQ;EAC7B;EACA;EACD"}

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.mjs","names":["SIGNATURE_PREFIX","joseErrors","verifySig","verifyKeyRotationImpl"],"sources":["../src/errors.ts","../src/utils.ts","../src/webhooks/signing.ts","../src/actions/client.ts","../src/http.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/keyRotation.ts","../src/webhooks/client.ts","../src/client.ts"],"sourcesContent":["/*\n Base error class for all SDK errors. Catch this to handle any error\n * thrown by the AgentPress SDK regardless of specific type.\n /\nexport class AgentPressError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"AgentPressError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown at construction time when `AgentPressOptions` contains invalid values\n * (e.g., non-positive timeout, malformed `webhookSecret`).\n /\nexport class ConfigurationError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown when the API returns a non-2xx HTTP response.\n \n Properties:\n * - `statusCode` - HTTP status code (e.g., 401, 404, 500)\n * - `responseBody` - Raw response body text for debugging\n * - `url` - The full request URL that failed\n /\nexport class HttpError extends AgentPressError {\n public readonly statusCode: number;\n public readonly responseBody: string;\n public readonly url: string;\n\n constructor(statusCode: number, responseBody: string, url: string) {\n super(`HTTP ${statusCode} from ${url}`);\n this.name = \"HttpError\";\n this.statusCode = statusCode;\n this.responseBody = responseBody;\n this.url = url;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown when a request exceeds the configured `timeout` (default 30s). /\nexport class TimeoutError extends AgentPressError {\n constructor(url: string, timeout: number) {\n super(`Request to ${url} timed out after ${timeout}ms`);\n this.name = \"TimeoutError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown by {@link WebhooksClient.verifyOrThrow} when an inbound webhook signature is invalid or expired. /\nexport class WebhookSignatureError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"WebhookSignatureError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. /\nexport type PartnerTokenErrorReason =\n \| \"signature_invalid\"\n \| \"issuer_mismatch\"\n \| \"audience_mismatch\"\n \| \"expired\"\n \| \"not_yet_valid\"\n \| \"missing_claim\"\n \| \"ext_provider_mismatch\"\n \| \"algorithm_not_allowed\"\n \| \"kid_missing_or_unknown\"\n \| \"malformed\";\n\n/\n Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT\n * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`\n * response (`401 invalid_token` for all reasons in this class).\n /\nexport class PartnerTokenError extends AgentPressError {\n public readonly reason: PartnerTokenErrorReason;\n\n constructor(reason: PartnerTokenErrorReason, message: string) {\n super(message);\n this.name = \"PartnerTokenError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link KeyRotationVerifyError}. /\nexport type KeyRotationVerifyErrorReason =\n \| \"invalid_signature\"\n \| \"invalid_signature_format\"\n \| \"timestamp_out_of_window\"\n \| \"invalid_timestamp\"\n \| \"payload_too_large\"\n \| \"malformed_payload\";\n\n/\n Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`\n * webhook fails HMAC / timestamp / payload validation.\n /\nexport class KeyRotationVerifyError extends AgentPressError {\n public readonly reason: KeyRotationVerifyErrorReason;\n\n constructor(reason: KeyRotationVerifyErrorReason, message: string) {\n super(message);\n this.name = \"KeyRotationVerifyError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n","import { randomUUID } from \"node:crypto\";\n\nexport function randomMessageId(): string {\n return `msg_${randomUUID()}`;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst SIGNATURE_PREFIX = \"v1,\";\nconst DEFAULT_TOLERANCE_SECONDS = 5 60; // 5 minutes\n\n/*\n Sign a webhook payload using Svix-compatible HMAC-SHA256.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param msgId - Unique message ID (e.g., \"msg_<uuid>\")\n * @param timestamp - Unix timestamp in seconds\n * @param body - JSON stringified payload\n * @returns Signature string in format \"v1,<base64>\"\n /\nexport function sign(\n secret: string,\n msgId: string,\n timestamp: number,\n body: string,\n): string {\n const secretBytes = Buffer.from(secret.replace(/^whsec_/, \"\"), \"base64\");\n const message = `${msgId}.${timestamp}.${body}`;\n const signature = createHmac(\"sha256\", secretBytes)\n .update(message)\n .digest(\"base64\");\n return `${SIGNATURE_PREFIX}${signature}`;\n}\n\n/\n Verify a Svix webhook signature.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param payload - Raw request body (string or Buffer)\n * @param headers - Svix headers object\n * @param toleranceSeconds - Max age of signature in seconds (default: 5 min)\n * @returns true if valid, false if invalid or expired\n /\nexport function verify(\n secret: string,\n payload: string \| Buffer,\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n },\n toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,\n): boolean {\n const msgId = headers[\"svix-id\"];\n const timestampStr = headers[\"svix-timestamp\"];\n const signatureHeader = headers[\"svix-signature\"];\n\n const timestamp = parseInt(timestampStr, 10);\n if (Number.isNaN(timestamp)) return false;\n\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > toleranceSeconds) return false;\n\n const body =\n typeof payload === \"string\" ? payload : payload.toString(\"utf-8\");\n const expected = sign(secret, msgId, timestamp, body);\n\n const signatures = signatureHeader.split(\" \");\n const expectedBuf = Buffer.from(expected);\n\n for (const sig of signatures) {\n const sigBuf = Buffer.from(sig);\n if (\n sigBuf.length === expectedBuf.length &&\n timingSafeEqual(sigBuf, expectedBuf)\n ) {\n return true;\n }\n }\n\n return false;\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionManageResponse,\n ApproveActionParams,\n RejectActionParams,\n ResolvedOptions,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/\n Client for programmatically approving or rejecting staged actions.\n * Uses HMAC-SHA256 signing (Svix-compatible), identical to {@link WebhooksClient}.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Approve a staged action\n * await client.actions.approve(\"act_123\", {\n * action: \"my_webhook_action\",\n * });\n \n // Reject with a reason\n * await client.actions.reject(\"act_456\", {\n * action: \"my_webhook_action\",\n * reason: \"Insufficient data\",\n * });\n * ```\n /\nexport class ActionsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Approve a staged action, optionally modifying the tool call.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async approve(\n actionId: string,\n params: ApproveActionParams,\n ): Promise<ActionManageResponse> {\n const body: Record<string, unknown> = {};\n if (params.editedToolCall !== undefined) {\n body.editedToolCall = params.editedToolCall;\n }\n if (params.remember !== undefined) {\n body.remember = params.remember;\n }\n return this.manage(actionId, params.action, \"approve\", body);\n }\n\n /\n Reject a staged action.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async reject(\n actionId: string,\n params: RejectActionParams,\n ): Promise<ActionManageResponse> {\n return this.manage(actionId, params.action, \"reject\", {\n reason: params.reason,\n });\n }\n\n private async manage(\n actionId: string,\n webhookAction: string,\n operation: \"approve\" \| \"reject\",\n body: Record<string, unknown>,\n ): Promise<ActionManageResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for action management operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${webhookAction}/manage/${actionId}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<ActionManageResponse>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { AgentPressError, HttpError, TimeoutError } from \"./errors\";\nimport type { ResolvedOptions } from \"./types\";\n\n/\n Internal shared HTTP client. Not part of the public API -- used by\n * namespace clients (e.g., `WebhooksClient`) to make authenticated requests.\n * @internal\n /\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeout: number;\n private readonly onRequest?: ResolvedOptions[\"onRequest\"];\n private readonly onResponse?: ResolvedOptions[\"onResponse\"];\n\n constructor(options: ResolvedOptions) {\n this.baseUrl = options.baseUrl;\n this.timeout = options.timeout;\n this.onRequest = options.onRequest;\n this.onResponse = options.onResponse;\n }\n\n /\n Send an HTTP request to the API. Constructs the full URL from `baseUrl` + `path`,\n * applies the configured timeout via `AbortSignal`, fires `onRequest`/`onResponse`\n * hooks, and parses the JSON response.\n \n @throws {TimeoutError} If the request exceeds the configured timeout.\n * @throws {HttpError} If the API returns a non-2xx status code.\n * @throws {AgentPressError} On network failures or non-JSON responses.\n /\n async request<T>(path: string, init: RequestInit): Promise<T> {\n const url = `${this.baseUrl}${path}`;\n\n const headers = new Headers(init.headers);\n if (!headers.has(\"Content-Type\")) {\n headers.set(\"Content-Type\", \"application/json\");\n }\n\n const requestInit: RequestInit = {\n ...init,\n headers,\n signal: AbortSignal.timeout(this.timeout),\n };\n\n this.onRequest?.(url, requestInit);\n\n let response: Response;\n try {\n // biome-ignore lint/style/noRestrictedGlobals: SDK is a standalone package that uses raw fetch\n response = await fetch(url, requestInit);\n } catch (error: unknown) {\n if (\n error instanceof Error &&\n (error.name === \"TimeoutError\" \|\| error.name === \"AbortError\")\n ) {\n throw new TimeoutError(url, this.timeout);\n }\n const message =\n error instanceof Error ? error.message : \"Unknown fetch error\";\n throw new AgentPressError(`Request to ${url} failed: ${message}`);\n }\n\n this.onResponse?.(url, response.clone());\n\n const text = await response.text();\n\n if (!response.ok) {\n throw new HttpError(response.status, text, url);\n }\n\n try {\n return JSON.parse(text) as T;\n } catch {\n throw new AgentPressError(\n `Expected JSON response from ${url} but received: ${text.slice(0, 200)}`,\n );\n }\n }\n}\n","import {\n createRemoteJWKSet,\n type JWTVerifyGetKey,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nimport { ConfigurationError, PartnerTokenError } from \"../errors\";\nimport type {\n PartnerTokenClaims,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"../types\";\n\nconst ALGORITHMS = [\"EdDSA\"] as const;\n\ntype RemoteJwks = ReturnType<typeof createRemoteJWKSet>;\n\n/\n Client for Partner MCP Spec v1 helpers. Created automatically when\n * {@link AgentPressOptions.partnerMcp} is provided.\n \n State (JWKS cache) is per-instance, NOT module-global, so staging and\n * production clients can run side-by-side without cross-talk.\n /\nexport class PartnersClient {\n private readonly options: ResolvedOptions;\n private readonly partnerMcp: ResolvedPartnerMcpOptions \| undefined;\n private jwks: RemoteJwks \| null = null;\n private jwksKeyFn: JWTVerifyGetKey \| null = null;\n\n constructor(options: ResolvedOptions) {\n this.options = options;\n this.partnerMcp = options.partnerMcp;\n }\n\n /\n Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.\n \n Enforces the full spec: `algorithms: [\"EdDSA\"]` pinned; `iss`, `aud`,\n * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;\n * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).\n \n @param token - Bare JWT string (no `Bearer ` prefix).\n * @returns Typed {@link PartnerTokenClaims}.\n * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.\n * @throws {ConfigurationError} if `partnerMcp` is not configured.\n /\n async verifyToken(token: string): Promise<PartnerTokenClaims> {\n const cfg = this.requireConfig();\n const jwks = this.getJwks();\n\n let payload: Record<string, unknown>;\n let protectedHeader: { alg?: string; kid?: string; typ?: string };\n\n try {\n const result = await jwtVerify(token, jwks, {\n algorithms: [...ALGORITHMS],\n issuer: cfg.issuer,\n audience: cfg.audience,\n clockTolerance: cfg.clockTolerance,\n });\n payload = result.payload as Record<string, unknown>;\n protectedHeader = result.protectedHeader as {\n alg?: string;\n kid?: string;\n typ?: string;\n };\n } catch (err) {\n throw mapJoseError(err);\n }\n\n // kid header required by spec. jose does not enforce this on its own\n // when the key is resolvable — we enforce it explicitly so forged\n // tokens that elide the kid header can't slip through on a single-key\n // JWKS.\n if (!protectedHeader.kid \|\| typeof protectedHeader.kid !== \"string\") {\n throw new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"JWT header missing required 'kid'\",\n );\n }\n\n const claims = payload as PartnerTokenClaims & Record<string, unknown>;\n\n // jose's jwtVerify checks `exp` (with clockTolerance) but not `iat`\n // future-time unless `maxTokenAge` is set. The spec requires both sides\n // of the skew window, so enforce the future-iat check explicitly.\n if (typeof claims.iat !== \"number\" \|\| !Number.isFinite(claims.iat)) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'iat' claim must be a number\",\n );\n }\n const toleranceSeconds = toSeconds(cfg.clockTolerance);\n const nowSec = Math.floor(Date.now() / 1000);\n if (claims.iat - nowSec > toleranceSeconds) {\n throw new PartnerTokenError(\n \"not_yet_valid\",\n `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`,\n );\n }\n\n if (typeof claims.sub !== \"string\" \|\| claims.sub.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'sub' claim is required\");\n }\n if (typeof claims.jti !== \"string\" \|\| claims.jti.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'jti' claim is required\");\n }\n if (typeof claims.scope !== \"string\") {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'scope' claim must be a string\",\n );\n }\n if (\n typeof claims.ext_provider !== \"string\" \|\|\n claims.ext_provider.length === 0\n ) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'ext_provider' claim is required\",\n );\n }\n if (claims.ext_provider !== cfg.expectedExtProvider) {\n throw new PartnerTokenError(\n \"ext_provider_mismatch\",\n `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`,\n );\n }\n\n return claims;\n }\n\n /\n Force the JWKS cache to refetch immediately. Call this from your\n * `signing_key_rotation` webhook handler after verifying the webhook —\n * otherwise the cache picks up new keys on the next `kid` miss (which\n * works, but with one failed verify latency penalty).\n /\n async refreshJwks(): Promise<void> {\n const jwks = this.getJwks();\n // jose's RemoteJWKSet exposes `.reload()` for exactly this use case.\n const anyJwks = jwks as unknown as { reload?: () => Promise<void> };\n if (typeof anyJwks.reload === \"function\") {\n await anyJwks.reload();\n }\n }\n\n private requireConfig(): ResolvedPartnerMcpOptions {\n if (!this.partnerMcp) {\n throw new ConfigurationError(\n \"partnerMcp options are required for partner token operations\",\n );\n }\n return this.partnerMcp;\n }\n\n private getJwks(): RemoteJwks {\n const cfg = this.requireConfig();\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {\n cacheMaxAge: cfg.jwksCacheMaxAgeMs,\n cooldownDuration: 30_000,\n });\n this.jwksKeyFn = this.jwks as unknown as JWTVerifyGetKey;\n }\n return this.jwks;\n }\n}\n\nfunction toSeconds(tolerance: string \| number): number {\n if (typeof tolerance === \"number\") return tolerance;\n const match = tolerance.trim().match(/^(\\d+)\\s(s\|m\|h)$/i);\n if (!match) return 30;\n const n = Number.parseInt(match[1] as string, 10);\n const unit = (match[2] as string).toLowerCase();\n if (unit === \"s\") return n;\n if (unit === \"m\") return n * 60;\n if (unit === \"h\") return n * 3600;\n return 30;\n}\n\nfunction mapJoseError(err: unknown): PartnerTokenError {\n if (err instanceof PartnerTokenError) return err;\n\n if (err instanceof joseErrors.JWSSignatureVerificationFailed) {\n return new PartnerTokenError(\n \"signature_invalid\",\n \"JWT signature verification failed\",\n );\n }\n if (err instanceof joseErrors.JWKSNoMatchingKey) {\n return new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"No JWKS key matches the JWT 'kid' header\",\n );\n }\n if (err instanceof joseErrors.JOSEAlgNotAllowed) {\n return new PartnerTokenError(\n \"algorithm_not_allowed\",\n \"JWT 'alg' is not EdDSA\",\n );\n }\n if (err instanceof joseErrors.JWTExpired) {\n return new PartnerTokenError(\"expired\", \"JWT has expired\");\n }\n if (err instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (err as { claim?: string }).claim;\n if (claim === \"iss\") {\n return new PartnerTokenError(\n \"issuer_mismatch\",\n \"JWT 'iss' does not match expected issuer\",\n );\n }\n if (claim === \"aud\") {\n return new PartnerTokenError(\n \"audience_mismatch\",\n \"JWT 'aud' does not match expected audience\",\n );\n }\n if (claim === \"iat\") {\n return new PartnerTokenError(\n \"not_yet_valid\",\n \"JWT 'iat' is in the future beyond clock tolerance\",\n );\n }\n return new PartnerTokenError(\n \"missing_claim\",\n err.message \|\| \"Claim validation failed\",\n );\n }\n if (\n err instanceof joseErrors.JWTInvalid \|\|\n err instanceof joseErrors.JWSInvalid\n ) {\n return new PartnerTokenError(\"malformed\", err.message \|\| \"Malformed JWT\");\n }\n if (err instanceof Error) {\n return new PartnerTokenError(\"malformed\", err.message);\n }\n return new PartnerTokenError(\"malformed\", String(err));\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n CreateUserApprovalParams,\n DeleteUserApprovalParams,\n ListUserApprovalsParams,\n ListUserApprovalsResponse,\n ResolvedOptions,\n UpdateUserApprovalParams,\n UserToolApproval,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/*\n Client for managing per-user auto-approval rules — the SDK equivalent of the\n * console's `/account/auto-approvals` settings page. Uses HMAC-SHA256 signing\n * (Svix-compatible), identical to {@link ActionsClient.manage}.\n \n Each call is scoped to a single webhook (identified by `webhookIdentifier`),\n * which both selects the signing secret and scopes which approvals are visible.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Provision consent so future \"sendEmail\" triggers skip the approval prompt\n * await client.userApprovals.create({\n * webhookIdentifier: \"reviews\",\n * userId: \"user-uuid\",\n * actionWebhookId: \"webhook-uuid\",\n * toolName: \"sendEmail\",\n * mode: \"always_allow\",\n * });\n \n // List rules (optionally filtered by userId)\n * const { approvals } = await client.userApprovals.list({\n * webhookIdentifier: \"reviews\",\n * });\n \n // Revoke\n * await client.userApprovals.delete(approvalId, { webhookIdentifier: \"reviews\" });\n * ```\n /\nexport class UserApprovalsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n List auto-approval rules for a webhook. Optionally filter by `userId`.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async list(\n params: ListUserApprovalsParams,\n ): Promise<ListUserApprovalsResponse> {\n const body: Record<string, unknown> = {};\n if (params.userId !== undefined) body.userId = params.userId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<ListUserApprovalsResponse>(\n params.webhookIdentifier,\n \"list\",\n body,\n );\n }\n\n /\n Create (or upsert) an auto-approval rule. If a rule with the same\n * `(userId, actionWebhookId, toolName)` triple already exists, it is\n * updated in place.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async create(params: CreateUserApprovalParams): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n actionWebhookId: params.actionWebhookId,\n toolName: params.toolName,\n mode: params.mode ?? \"always_allow\",\n };\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n \"create\",\n body,\n );\n }\n\n /\n Patch an existing auto-approval rule (change mode or expiry).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async update(\n id: string,\n params: UpdateUserApprovalParams,\n ): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {};\n if (params.mode !== undefined) body.mode = params.mode;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n `update/${id}`,\n body,\n );\n }\n\n /\n Revoke an auto-approval rule. Future triggers of the corresponding\n * `(user, webhook, tool)` combination will once again stage for approval.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async delete(\n id: string,\n params: DeleteUserApprovalParams,\n ): Promise<{ success: boolean }> {\n return this.send<{ success: boolean }>(\n params.webhookIdentifier,\n `delete/${id}`,\n {},\n );\n }\n\n /* Internal: HMAC-sign and POST the body to the scoped path. /\n private async send<T>(\n webhookIdentifier: string,\n operation: string,\n body: Record<string, unknown>,\n ): Promise<T> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for user approval management operations\",\n );\n }\n\n const path = `/webhooks/user-approvals/${this.options.org}/${webhookIdentifier}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<T>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nimport { ConfigurationError, KeyRotationVerifyError } from \"../errors\";\nimport type { KeyRotationEvent, KeyRotationVerifyParams } from \"../types\";\n\nconst MAX_PAYLOAD_BYTES = 8 1024; // 8 KB\nconst TIMESTAMP_SKEW_SECONDS = 300; // 5 minutes\nconst SIGNATURE_PREFIX = \"sha256=\";\n\n/*\n Verify a `signing_key_rotation` webhook signed by AgentPress with\n * HMAC-SHA256 over the raw request body. Returns the typed\n * {@link KeyRotationEvent} payload.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\nexport function verifyKeyRotation(\n secret: string \| undefined,\n params: KeyRotationVerifyParams,\n): KeyRotationEvent {\n if (!secret) {\n throw new ConfigurationError(\n \"webhookSecret is required for key rotation webhook verification\",\n );\n }\n\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n\n const byteLength =\n typeof params.payload === \"string\"\n ? Buffer.byteLength(params.payload, \"utf-8\")\n : params.payload.length;\n if (byteLength > MAX_PAYLOAD_BYTES) {\n throw new KeyRotationVerifyError(\n \"payload_too_large\",\n `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`,\n );\n }\n\n const signatureHeader = readHeader(params.headers, \"x-agentpress-signature\");\n const timestampHeader = readHeader(params.headers, \"x-agentpress-timestamp\");\n\n if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`,\n );\n }\n const providedHex = signatureHeader\n .slice(SIGNATURE_PREFIX.length)\n .toLowerCase();\n if (!/^[0-9a-f]+$/.test(providedHex)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n \"Signature is not a hex string\",\n );\n }\n\n if (!timestampHeader) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp header is required\",\n );\n }\n const timestamp = Number.parseInt(timestampHeader, 10);\n if (\n !Number.isFinite(timestamp) \|\|\n String(timestamp) !== timestampHeader.trim()\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp is not a valid unix seconds integer\",\n );\n }\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) {\n throw new KeyRotationVerifyError(\n \"timestamp_out_of_window\",\n `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`,\n );\n }\n\n const expectedHex = createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n const providedBuf = Buffer.from(providedHex, \"hex\");\n const expectedBuf = Buffer.from(expectedHex, \"hex\");\n if (\n providedBuf.length !== expectedBuf.length \|\|\n !timingSafeEqual(providedBuf, expectedBuf)\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_signature\",\n \"HMAC signature mismatch\",\n );\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(body);\n } catch {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload is not valid JSON\",\n );\n }\n\n return validatePayload(parsed);\n}\n\nfunction readHeader(\n headers: Record<string, string \| undefined>,\n name: string,\n): string \| undefined {\n // Headers are case-insensitive; normalize without mutating the caller's object.\n const lowered = name.toLowerCase();\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === lowered && typeof v === \"string\" && v.length > 0) {\n return v;\n }\n }\n return undefined;\n}\n\nfunction validatePayload(raw: unknown): KeyRotationEvent {\n if (!raw \|\| typeof raw !== \"object\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload must be a JSON object\",\n );\n }\n const obj = raw as Record<string, unknown>;\n if (obj.event !== \"signing_key_rotation\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `Unexpected event '${String(obj.event)}'`,\n );\n }\n if (obj.type !== \"scheduled\" && obj.type !== \"emergency\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'type' must be 'scheduled' or 'emergency'\",\n );\n }\n for (const key of [\n \"retiredKid\",\n \"newCurrentKid\",\n \"retiredAt\",\n \"effectiveAt\",\n \"jwksUrl\",\n ]) {\n if (typeof obj[key] !== \"string\" \|\| (obj[key] as string).length === 0) {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `'${key}' must be a non-empty string`,\n );\n }\n }\n if (obj.reason !== undefined && typeof obj.reason !== \"string\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'reason' must be a string when present\",\n );\n }\n\n const event: KeyRotationEvent = {\n event: \"signing_key_rotation\",\n type: obj.type as \"scheduled\" \| \"emergency\",\n retiredKid: obj.retiredKid as string,\n newCurrentKid: obj.newCurrentKid as string,\n retiredAt: obj.retiredAt as string,\n effectiveAt: obj.effectiveAt as string,\n jwksUrl: obj.jwksUrl as string,\n };\n if (typeof obj.reason === \"string\") {\n event.reason = obj.reason;\n }\n return event;\n}\n","import {\n AgentPressError,\n ConfigurationError,\n WebhookSignatureError,\n} from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionCallbackPayload,\n KeyRotationEvent,\n KeyRotationVerifyParams,\n ResolvedOptions,\n WebhookResponse,\n WebhookSendParams,\n WebhookVerifyParams,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { verifyKeyRotation as verifyKeyRotationImpl } from \"./keyRotation\";\nimport { sign, verify as verifySig } from \"./signing\";\n\nexport class WebhooksClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Send an arbitrary webhook payload to AgentPress.\n * Signs the payload with HMAC-SHA256 (Svix-compatible).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async send(params: WebhookSendParams): Promise<WebhookResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${params.action}`;\n const body = JSON.stringify(params.payload);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(this.options.webhookSecret, msgId, timestamp, body);\n\n return this.http.request<WebhookResponse>(path, {\n method: \"POST\",\n body,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n\n /\n Verify an inbound Svix webhook signature.\n \n @returns true if valid, false if invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verify(params: WebhookVerifyParams): boolean {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook verification\",\n );\n }\n\n return verifySig(\n this.options.webhookSecret,\n params.payload,\n params.headers,\n );\n }\n\n /\n Verify an inbound Svix webhook signature, throwing on failure.\n * Useful for middleware patterns where invalid signatures should halt processing.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verifyOrThrow(params: WebhookVerifyParams): void {\n if (!this.verify(params)) {\n throw new WebhookSignatureError(\"Invalid webhook signature\");\n }\n }\n\n /\n Verify and parse an inbound webhook from AgentPress.\n * Combines signature verification with JSON parsing and type casting.\n * This is the recommended way to handle incoming webhooks.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws AgentPressError if payload is not valid JSON\n /\n constructEvent(params: WebhookVerifyParams): ActionCallbackPayload {\n this.verifyOrThrow(params);\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n try {\n return JSON.parse(body) as ActionCallbackPayload;\n } catch {\n throw new AgentPressError(\"Webhook payload is not valid JSON\");\n }\n }\n\n /\n Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp\n * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the\n * full contract.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping\n * (401 for signature errors, 400 for malformed payload, 413 for oversize).\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\n verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent {\n return verifyKeyRotationImpl(this.options.webhookSecret, params);\n }\n}\n","import { ActionsClient } from \"./actions/client\";\nimport { ConfigurationError } from \"./errors\";\nimport { HttpClient } from \"./http\";\nimport { PartnersClient } from \"./partners/client\";\nimport type {\n AgentPressOptions,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"./types\";\nimport { UserApprovalsClient } from \"./userApprovals/client\";\nimport { WebhooksClient } from \"./webhooks/client\";\n\n/\n Main entry point for the AgentPress SDK. Provides namespaced access to API\n * resources (e.g., `client.webhooks.send()`, `client.actions.approve()`).\n * Validates all configuration options at construction time, so invalid config fails fast.\n \n @example\n * ```ts\n * const client = new AgentPress({\n * apiKey: \"ak_...\",\n * webhookSecret: \"whsec_...\",\n * });\n * await client.webhooks.send({ action: \"my_action\", payload: { ... } });\n * await client.actions.approve(\"act_123\", { action: \"my_action\" });\n * ```\n /\nexport class AgentPress {\n /* Webhook operations: send outbound webhooks and verify inbound signatures. /\n public readonly webhooks: WebhooksClient;\n /* Action management: approve or reject staged actions. /\n public readonly actions: ActionsClient;\n /* Per-user auto-approval rules (read / create / update / delete). /\n public readonly userApprovals: UserApprovalsClient;\n /* Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). /\n public readonly partners: PartnersClient;\n\n /\n @param options - SDK configuration. All fields are optional with sensible defaults.\n * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.\n */\n constructor(options: AgentPressOptions = {}) {\n const resolved = resolveOptions(options);\n const http = new HttpClient(resolved);\n this.webhooks = new WebhooksClient(resolved, http);\n this.actions = new ActionsClient(resolved, http);\n this.userApprovals = new UserApprovalsClient(resolved, http);\n this.partners = new PartnersClient(resolved);\n }\n}\n\nfunction resolveOptions(options: AgentPressOptions): ResolvedOptions {\n const baseUrl = (options.baseUrl ?? \"https://api.agent.press\").replace(\n /\\/+$/,\n \"\",\n );\n const timeout = options.timeout ?? 30_000;\n const org = options.org ?? \"default-org\";\n\n if (timeout <= 0 \|\| !Number.isFinite(timeout)) {\n throw new ConfigurationError(\"timeout must be a positive number\");\n }\n\n if (\n options.webhookSecret !== undefined &&\n !options.webhookSecret.startsWith(\"whsec_\")\n ) {\n throw new ConfigurationError('webhookSecret must start with \"whsec_\"');\n }\n\n return {\n baseUrl,\n timeout,\n org,\n webhookSecret: options.webhookSecret,\n apiKey: options.apiKey,\n partnerMcp: resolvePartnerMcp(options.partnerMcp),\n onRequest: options.onRequest,\n onResponse: options.onResponse,\n };\n}\n\nfunction resolvePartnerMcp(\n options: AgentPressOptions[\"partnerMcp\"],\n): ResolvedPartnerMcpOptions \| undefined {\n if (!options) return undefined;\n\n if (typeof options.jwksUrl !== \"string\" \|\| options.jwksUrl.length === 0) {\n throw new ConfigurationError(\"partnerMcp.jwksUrl is required\");\n }\n try {\n // Validate early so a bad URL fails at construction, not on first verify.\n new URL(options.jwksUrl);\n } catch {\n throw new ConfigurationError(\"partnerMcp.jwksUrl must be a valid URL\");\n }\n if (typeof options.issuer !== \"string\" \|\| options.issuer.length === 0) {\n throw new ConfigurationError(\"partnerMcp.issuer is required\");\n }\n if (typeof options.audience !== \"string\" \|\| options.audience.length === 0) {\n throw new ConfigurationError(\"partnerMcp.audience is required\");\n }\n if (\n typeof options.expectedExtProvider !== \"string\" \|\|\n options.expectedExtProvider.length === 0\n ) {\n throw new ConfigurationError(\"partnerMcp.expectedExtProvider is required\");\n }\n\n const clockTolerance = options.clockTolerance ?? \"30s\";\n const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 3_600_000;\n if (jwksCacheMaxAgeMs <= 0 \|\| !Number.isFinite(jwksCacheMaxAgeMs)) {\n throw new ConfigurationError(\n \"partnerMcp.jwksCacheMaxAgeMs must be a positive number\",\n );\n }\n\n return {\n jwksUrl: options.jwksUrl,\n issuer: options.issuer,\n audience: options.audience,\n expectedExtProvider: options.expectedExtProvider,\n clockTolerance,\n jwksCacheMaxAgeMs,\n };\n}\n"],"mappings":";;;;;;;AAIA,IAAa,kBAAb,cAAqC,MAAM;CACzC,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAQrD,IAAa,qBAAb,cAAwC,gBAAgB;CACtD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;;;;AAYrD,IAAa,YAAb,cAA+B,gBAAgB;CAC7C;CACA;CACA;CAEA,YAAY,YAAoB,cAAsB,KAAa;AACjE,QAAM,QAAQ,WAAW,QAAQ,MAAM;AACvC,OAAK,OAAO;AACZ,OAAK,aAAa;AAClB,OAAK,eAAe;AACpB,OAAK,MAAM;AACX,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,eAAb,cAAkC,gBAAgB;CAChD,YAAY,KAAa,SAAiB;AACxC,QAAM,cAAc,IAAI,mBAAmB,QAAQ,IAAI;AACvD,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,wBAAb,cAA2C,gBAAgB;CACzD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;AAsBrD,IAAa,oBAAb,cAAuC,gBAAgB;CACrD;CAEA,YAAY,QAAiC,SAAiB;AAC5D,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAiBrD,IAAa,yBAAb,cAA4C,gBAAgB;CAC1D;CAEA,YAAY,QAAsC,SAAiB;AACjE,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;AChHrD,SAAgB,kBAA0B;AACxC,QAAO,OAAO,YAAY;;;;ACD5B,MAAMA,qBAAmB;AACzB,MAAM,4BAA4B;;;;;;;;;;AAWlC,SAAgB,KACd,QACA,OACA,WACA,MACQ;CACR,MAAM,cAAc,OAAO,KAAK,OAAO,QAAQ,WAAW,GAAG,EAAE,SAAS;CACxE,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG;AAIzC,QAAO,GAAGA,qBAHQ,WAAW,UAAU,YAAY,CAChD,OAAO,QAAQ,CACf,OAAO,SAAS;;;;;;;;;;;AAarB,SAAgB,OACd,QACA,SACA,SAKA,mBAA2B,2BAClB;CACT,MAAM,QAAQ,QAAQ;CACtB,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,MAAM,YAAY,SAAS,cAAc,GAAG;AAC5C,KAAI,OAAO,MAAM,UAAU,CAAE,QAAO;CAEpC,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,iBAAkB,QAAO;CAIzD,MAAM,WAAW,KAAK,QAAQ,OAAO,WADnC,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,QAAQ,CACd;CAErD,MAAM,aAAa,gBAAgB,MAAM,IAAI;CAC7C,MAAM,cAAc,OAAO,KAAK,SAAS;AAEzC,MAAK,MAAM,OAAO,YAAY;EAC5B,MAAM,SAAS,OAAO,KAAK,IAAI;AAC/B,MACE,OAAO,WAAW,YAAY,UAC9B,gBAAgB,QAAQ,YAAY,CAEpC,QAAO;;AAIX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;AC3CT,IAAa,gBAAb,MAA2B;CACzB;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,QACJ,UACA,QAC+B;EAC/B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,mBAAmB,KAAA,EAC5B,MAAK,iBAAiB,OAAO;AAE/B,MAAI,OAAO,aAAa,KAAA,EACtB,MAAK,WAAW,OAAO;AAEzB,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,WAAW,KAAK;;;;;;;;;CAU9D,MAAM,OACJ,UACA,QAC+B;AAC/B,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,UAAU,EACpD,QAAQ,OAAO,QAChB,CAAC;;CAGJ,MAAc,OACZ,UACA,eACA,WACA,MAC+B;AAC/B,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,6DACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,cAAc,UAAU,SAAS,GAAG;EAC1F,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAA8B,MAAM;GACnD,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;;;ACpGN,IAAa,aAAb,MAAwB;CACtB;CACA;CACA;CACA;CAEA,YAAY,SAA0B;AACpC,OAAK,UAAU,QAAQ;AACvB,OAAK,UAAU,QAAQ;AACvB,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;;;;;;;;;;;CAY5B,MAAM,QAAW,MAAc,MAA+B;EAC5D,MAAM,MAAM,GAAG,KAAK,UAAU;EAE9B,MAAM,UAAU,IAAI,QAAQ,KAAK,QAAQ;AACzC,MAAI,CAAC,QAAQ,IAAI,eAAe,CAC9B,SAAQ,IAAI,gBAAgB,mBAAmB;EAGjD,MAAM,cAA2B;GAC/B,GAAG;GACH;GACA,QAAQ,YAAY,QAAQ,KAAK,QAAQ;GAC1C;AAED,OAAK,YAAY,KAAK,YAAY;EAElC,IAAI;AACJ,MAAI;AAEF,cAAW,MAAM,MAAM,KAAK,YAAY;WACjC,OAAgB;AACvB,OACE,iBAAiB,UAChB,MAAM,SAAS,kBAAkB,MAAM,SAAS,cAEjD,OAAM,IAAI,aAAa,KAAK,KAAK,QAAQ;AAI3C,SAAM,IAAI,gBAAgB,cAAc,IAAI,WAD1C,iBAAiB,QAAQ,MAAM,UAAU,wBACsB;;AAGnE,OAAK,aAAa,KAAK,SAAS,OAAO,CAAC;EAExC,MAAM,OAAO,MAAM,SAAS,MAAM;AAElC,MAAI,CAAC,SAAS,GACZ,OAAM,IAAI,UAAU,SAAS,QAAQ,MAAM,IAAI;AAGjD,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBACR,+BAA+B,IAAI,iBAAiB,KAAK,MAAM,GAAG,IAAI,GACvE;;;;;;AC7DP,MAAM,aAAa,CAAC,QAAQ;;;;;;;;AAW5B,IAAa,iBAAb,MAA4B;CAC1B;CACA;CACA,OAAkC;CAClC,YAA4C;CAE5C,YAAY,SAA0B;AACpC,OAAK,UAAU;AACf,OAAK,aAAa,QAAQ;;;;;;;;;;;;;;CAe5B,MAAM,YAAY,OAA4C;EAC5D,MAAM,MAAM,KAAK,eAAe;EAChC,MAAM,OAAO,KAAK,SAAS;EAE3B,IAAI;EACJ,IAAI;AAEJ,MAAI;GACF,MAAM,SAAS,MAAM,UAAU,OAAO,MAAM;IAC1C,YAAY,CAAC,GAAG,WAAW;IAC3B,QAAQ,IAAI;IACZ,UAAU,IAAI;IACd,gBAAgB,IAAI;IACrB,CAAC;AACF,aAAU,OAAO;AACjB,qBAAkB,OAAO;WAKlB,KAAK;AACZ,SAAM,aAAa,IAAI;;AAOzB,MAAI,CAAC,gBAAgB,OAAO,OAAO,gBAAgB,QAAQ,SACzD,OAAM,IAAI,kBACR,0BACA,oCACD;EAGH,MAAM,SAAS;AAKf,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,CAChE,OAAM,IAAI,kBACR,iBACA,+BACD;EAEH,MAAM,mBAAmB,UAAU,IAAI,eAAe;EACtD,MAAM,SAAS,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAC5C,MAAI,OAAO,MAAM,SAAS,iBACxB,OAAM,IAAI,kBACR,iBACA,YAAY,OAAO,MAAM,OAAO,0BAA0B,iBAAiB,aAC5E;AAGH,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,UAAU,SAC1B,OAAM,IAAI,kBACR,iBACA,iCACD;AAEH,MACE,OAAO,OAAO,iBAAiB,YAC/B,OAAO,aAAa,WAAW,EAE/B,OAAM,IAAI,kBACR,iBACA,mCACD;AAEH,MAAI,OAAO,iBAAiB,IAAI,oBAC9B,OAAM,IAAI,kBACR,yBACA,iBAAiB,OAAO,aAAa,6BAA6B,IAAI,oBAAoB,GAC3F;AAGH,SAAO;;;;;;;;CAST,MAAM,cAA6B;EAGjC,MAAM,UAFO,KAAK,SAAS;AAG3B,MAAI,OAAO,QAAQ,WAAW,WAC5B,OAAM,QAAQ,QAAQ;;CAI1B,gBAAmD;AACjD,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,mBACR,+DACD;AAEH,SAAO,KAAK;;CAGd,UAA8B;EAC5B,MAAM,MAAM,KAAK,eAAe;AAChC,MAAI,CAAC,KAAK,MAAM;AACd,QAAK,OAAO,mBAAmB,IAAI,IAAI,IAAI,QAAQ,EAAE;IACnD,aAAa,IAAI;IACjB,kBAAkB;IACnB,CAAC;AACF,QAAK,YAAY,KAAK;;AAExB,SAAO,KAAK;;;AAIhB,SAAS,UAAU,WAAoC;AACrD,KAAI,OAAO,cAAc,SAAU,QAAO;CAC1C,MAAM,QAAQ,UAAU,MAAM,CAAC,MAAM,qBAAqB;AAC1D,KAAI,CAAC,MAAO,QAAO;CACnB,MAAM,IAAI,OAAO,SAAS,MAAM,IAAc,GAAG;CACjD,MAAM,OAAQ,MAAM,GAAc,aAAa;AAC/C,KAAI,SAAS,IAAK,QAAO;AACzB,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,QAAO;;AAGT,SAAS,aAAa,KAAiC;AACrD,KAAI,eAAe,kBAAmB,QAAO;AAE7C,KAAI,eAAeC,OAAW,+BAC5B,QAAO,IAAI,kBACT,qBACA,oCACD;AAEH,KAAI,eAAeA,OAAW,kBAC5B,QAAO,IAAI,kBACT,0BACA,2CACD;AAEH,KAAI,eAAeA,OAAW,kBAC5B,QAAO,IAAI,kBACT,yBACA,yBACD;AAEH,KAAI,eAAeA,OAAW,WAC5B,QAAO,IAAI,kBAAkB,WAAW,kBAAkB;AAE5D,KAAI,eAAeA,OAAW,0BAA0B;EACtD,MAAM,QAAS,IAA2B;AAC1C,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,mBACA,2CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,qBACA,6CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,iBACA,oDACD;AAEH,SAAO,IAAI,kBACT,iBACA,IAAI,WAAW,0BAChB;;AAEH,KACE,eAAeA,OAAW,cAC1B,eAAeA,OAAW,WAE1B,QAAO,IAAI,kBAAkB,aAAa,IAAI,WAAW,gBAAgB;AAE3E,KAAI,eAAe,MACjB,QAAO,IAAI,kBAAkB,aAAa,IAAI,QAAQ;AAExD,QAAO,IAAI,kBAAkB,aAAa,OAAO,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACrMxD,IAAa,sBAAb,MAAiC;CAC/B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,WAAW,KAAA,EAAW,MAAK,SAAS,OAAO;AACtD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,SAAO,KAAK,KACV,OAAO,mBACP,QACA,KACD;;;;;;;;;;;CAYH,MAAM,OAAO,QAA6D;EACxE,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,iBAAiB,OAAO;GACxB,UAAU,OAAO;GACjB,MAAM,OAAO,QAAQ;GACtB;AACD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UACA,KACD;;;;;;;;;CAUH,MAAM,OACJ,IACA,QAC2B;EAC3B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,SAAS,KAAA,EAAW,MAAK,OAAO,OAAO;AAClD,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,KACD;;;;;;;;;;CAWH,MAAM,OACJ,IACA,QAC+B;AAC/B,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,EAAE,CACH;;;CAIH,MAAc,KACZ,mBACA,WACA,MACY;AACZ,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,oEACD;EAGH,MAAM,OAAO,4BAA4B,KAAK,QAAQ,IAAI,GAAG,kBAAkB,GAAG;EAClF,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAAW,MAAM;GAChC,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;AC5KN,MAAM,oBAAoB,IAAI;AAC9B,MAAM,yBAAyB;AAC/B,MAAM,mBAAmB;;;;;;;;;AAUzB,SAAgB,kBACd,QACA,QACkB;AAClB,KAAI,CAAC,OACH,OAAM,IAAI,mBACR,kEACD;CAGH,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AAMtC,MAHE,OAAO,OAAO,YAAY,WACtB,OAAO,WAAW,OAAO,SAAS,QAAQ,GAC1C,OAAO,QAAQ,UACJ,kBACf,OAAM,IAAI,uBACR,qBACA,mBAAmB,kBAAkB,QACtC;CAGH,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;CAC5E,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;AAE5E,KAAI,CAAC,iBAAiB,WAAW,iBAAiB,CAChD,OAAM,IAAI,uBACR,4BACA,oDAAoD,iBAAiB,GACtE;CAEH,MAAM,cAAc,gBACjB,MAAM,EAAwB,CAC9B,aAAa;AAChB,KAAI,CAAC,cAAc,KAAK,YAAY,CAClC,OAAM,IAAI,uBACR,4BACA,gCACD;AAGH,KAAI,CAAC,gBACH,OAAM,IAAI,uBACR,qBACA,4CACD;CAEH,MAAM,YAAY,OAAO,SAAS,iBAAiB,GAAG;AACtD,KACE,CAAC,OAAO,SAAS,UAAU,IAC3B,OAAO,UAAU,KAAK,gBAAgB,MAAM,CAE5C,OAAM,IAAI,uBACR,qBACA,6DACD;CAEH,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,uBAC9B,OAAM,IAAI,uBACR,2BACA,kBAAkB,KAAK,IAAI,MAAM,UAAU,CAAC,YAAY,uBAAuB,aAChF;CAGH,MAAM,cAAc,WAAW,UAAU,OAAO,CAAC,OAAO,KAAK,CAAC,OAAO,MAAM;CAC3E,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;CACnD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AACnD,KACE,YAAY,WAAW,YAAY,UACnC,CAAC,gBAAgB,aAAa,YAAY,CAE1C,OAAM,IAAI,uBACR,qBACA,0BACD;CAGH,IAAI;AACJ,KAAI;AACF,WAAS,KAAK,MAAM,KAAK;SACnB;AACN,QAAM,IAAI,uBACR,qBACA,4BACD;;AAGH,QAAO,gBAAgB,OAAO;;AAGhC,SAAS,WACP,SACA,MACoB;CAEpB,MAAM,UAAU,KAAK,aAAa;AAClC,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,QAAQ,CAC1C,KAAI,EAAE,aAAa,KAAK,WAAW,OAAO,MAAM,YAAY,EAAE,SAAS,EACrE,QAAO;;AAMb,SAAS,gBAAgB,KAAgC;AACvD,KAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,OAAM,IAAI,uBACR,qBACA,gCACD;CAEH,MAAM,MAAM;AACZ,KAAI,IAAI,UAAU,uBAChB,OAAM,IAAI,uBACR,qBACA,qBAAqB,OAAO,IAAI,MAAM,CAAC,GACxC;AAEH,KAAI,IAAI,SAAS,eAAe,IAAI,SAAS,YAC3C,OAAM,IAAI,uBACR,qBACA,4CACD;AAEH,MAAK,MAAM,OAAO;EAChB;EACA;EACA;EACA;EACA;EACD,CACC,KAAI,OAAO,IAAI,SAAS,YAAa,IAAI,KAAgB,WAAW,EAClE,OAAM,IAAI,uBACR,qBACA,IAAI,IAAI,8BACT;AAGL,KAAI,IAAI,WAAW,KAAA,KAAa,OAAO,IAAI,WAAW,SACpD,OAAM,IAAI,uBACR,qBACA,yCACD;CAGH,MAAM,QAA0B;EAC9B,OAAO;EACP,MAAM,IAAI;EACV,YAAY,IAAI;EAChB,eAAe,IAAI;EACnB,WAAW,IAAI;EACf,aAAa,IAAI;EACjB,SAAS,IAAI;EACd;AACD,KAAI,OAAO,IAAI,WAAW,SACxB,OAAM,SAAS,IAAI;AAErB,QAAO;;;;AChKT,IAAa,iBAAb,MAA4B;CAC1B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;;CAWd,MAAM,KAAK,QAAqD;AAC9D,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,mDACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,OAAO;EAC7D,MAAM,OAAO,KAAK,UAAU,OAAO,QAAQ;EAC3C,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAAK,KAAK,QAAQ,eAAe,OAAO,WAAW,KAAK;AAE1E,SAAO,KAAK,KAAK,QAAyB,MAAM;GAC9C,QAAQ;GACR;GACA,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;CASJ,OAAO,QAAsC;AAC3C,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,qDACD;AAGH,SAAOC,OACL,KAAK,QAAQ,eACb,OAAO,SACP,OAAO,QACR;;;;;;;;;CAUH,cAAc,QAAmC;AAC/C,MAAI,CAAC,KAAK,OAAO,OAAO,CACtB,OAAM,IAAI,sBAAsB,4BAA4B;;;;;;;;;;;CAahE,eAAe,QAAoD;AACjE,OAAK,cAAc,OAAO;EAC1B,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBAAgB,oCAAoC;;;;;;;;;;;;CAalE,kBAAkB,QAAmD;AACnE,SAAOC,kBAAsB,KAAK,QAAQ,eAAe,OAAO;;;;;;;;;;;;;;;;;;;;AClGpE,IAAa,aAAb,MAAwB;;CAEtB;;CAEA;;CAEA;;CAEA;;;;;CAMA,YAAY,UAA6B,EAAE,EAAE;EAC3C,MAAM,WAAW,eAAe,QAAQ;EACxC,MAAM,OAAO,IAAI,WAAW,SAAS;AACrC,OAAK,WAAW,IAAI,eAAe,UAAU,KAAK;AAClD,OAAK,UAAU,IAAI,cAAc,UAAU,KAAK;AAChD,OAAK,gBAAgB,IAAI,oBAAoB,UAAU,KAAK;AAC5D,OAAK,WAAW,IAAI,eAAe,SAAS;;;AAIhD,SAAS,eAAe,SAA6C;CACnE,MAAM,WAAW,QAAQ,WAAW,2BAA2B,QAC7D,QACA,GACD;CACD,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,MAAM,QAAQ,OAAO;AAE3B,KAAI,WAAW,KAAK,CAAC,OAAO,SAAS,QAAQ,CAC3C,OAAM,IAAI,mBAAmB,oCAAoC;AAGnE,KACE,QAAQ,kBAAkB,KAAA,KAC1B,CAAC,QAAQ,cAAc,WAAW,SAAS,CAE3C,OAAM,IAAI,mBAAmB,2CAAyC;AAGxE,QAAO;EACL;EACA;EACA;EACA,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,YAAY,kBAAkB,QAAQ,WAAW;EACjD,WAAW,QAAQ;EACnB,YAAY,QAAQ;EACrB;;AAGH,SAAS,kBACP,SACuC;AACvC,KAAI,CAAC,QAAS,QAAO,KAAA;AAErB,KAAI,OAAO,QAAQ,YAAY,YAAY,QAAQ,QAAQ,WAAW,EACpE,OAAM,IAAI,mBAAmB,iCAAiC;AAEhE,KAAI;AAEF,MAAI,IAAI,QAAQ,QAAQ;SAClB;AACN,QAAM,IAAI,mBAAmB,yCAAyC;;AAExE,KAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,WAAW,EAClE,OAAM,IAAI,mBAAmB,gCAAgC;AAE/D,KAAI,OAAO,QAAQ,aAAa,YAAY,QAAQ,SAAS,WAAW,EACtE,OAAM,IAAI,mBAAmB,kCAAkC;AAEjE,KACE,OAAO,QAAQ,wBAAwB,YACvC,QAAQ,oBAAoB,WAAW,EAEvC,OAAM,IAAI,mBAAmB,6CAA6C;CAG5E,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,oBAAoB,QAAQ,qBAAqB;AACvD,KAAI,qBAAqB,KAAK,CAAC,OAAO,SAAS,kBAAkB,CAC/D,OAAM,IAAI,mBACR,yDACD;AAGH,QAAO;EACL,SAAS,QAAQ;EACjB,QAAQ,QAAQ;EAChB,UAAU,QAAQ;EAClB,qBAAqB,QAAQ;EAC7B;EACA;EACD"}
1	+ {"version":3,"file":"index.mjs","names":["SIGNATURE_PREFIX","joseErrors","verifySig","verifyKeyRotationImpl"],"sources":["../src/errors.ts","../src/utils.ts","../src/webhooks/signing.ts","../src/actions/client.ts","../src/http.ts","../src/partners/client.ts","../src/userApprovals/client.ts","../src/webhooks/keyRotation.ts","../src/webhooks/client.ts","../src/client.ts"],"sourcesContent":["/*\n Base error class for all SDK errors. Catch this to handle any error\n * thrown by the AgentPress SDK regardless of specific type.\n /\nexport class AgentPressError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"AgentPressError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown at construction time when `AgentPressOptions` contains invalid values\n * (e.g., non-positive timeout, malformed `webhookSecret`).\n /\nexport class ConfigurationError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/\n Thrown when the API returns a non-2xx HTTP response.\n \n Properties:\n * - `statusCode` - HTTP status code (e.g., 401, 404, 500)\n * - `responseBody` - Raw response body text for debugging\n * - `url` - The full request URL that failed\n /\nexport class HttpError extends AgentPressError {\n public readonly statusCode: number;\n public readonly responseBody: string;\n public readonly url: string;\n\n constructor(statusCode: number, responseBody: string, url: string) {\n super(`HTTP ${statusCode} from ${url}`);\n this.name = \"HttpError\";\n this.statusCode = statusCode;\n this.responseBody = responseBody;\n this.url = url;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown when a request exceeds the configured `timeout` (default 30s). /\nexport class TimeoutError extends AgentPressError {\n constructor(url: string, timeout: number) {\n super(`Request to ${url} timed out after ${timeout}ms`);\n this.name = \"TimeoutError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Thrown by {@link WebhooksClient.verifyOrThrow} when an inbound webhook signature is invalid or expired. /\nexport class WebhookSignatureError extends AgentPressError {\n constructor(message: string) {\n super(message);\n this.name = \"WebhookSignatureError\";\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link PartnerTokenError}. Maps 1:1 to RFC 6750 `error_description` values. /\nexport type PartnerTokenErrorReason =\n \| \"signature_invalid\"\n \| \"issuer_mismatch\"\n \| \"audience_mismatch\"\n \| \"expired\"\n \| \"not_yet_valid\"\n \| \"missing_claim\"\n \| \"ext_provider_mismatch\"\n \| \"algorithm_not_allowed\"\n \| \"kid_missing_or_unknown\"\n \| \"malformed\";\n\n/\n Thrown by {@link PartnersClient.verifyToken} when a Partner MCP Spec v1 JWT\n * fails verification. Partners map `reason` to their RFC 6750 `WWW-Authenticate`\n * response (`401 invalid_token` for all reasons in this class).\n /\nexport class PartnerTokenError extends AgentPressError {\n public readonly reason: PartnerTokenErrorReason;\n\n constructor(reason: PartnerTokenErrorReason, message: string) {\n super(message);\n this.name = \"PartnerTokenError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n\n/* Reason codes for {@link KeyRotationVerifyError}. /\nexport type KeyRotationVerifyErrorReason =\n \| \"invalid_signature\"\n \| \"invalid_signature_format\"\n \| \"timestamp_out_of_window\"\n \| \"invalid_timestamp\"\n \| \"payload_too_large\"\n \| \"malformed_payload\";\n\n/\n Thrown by {@link WebhooksClient.verifyKeyRotation} when a `signing_key_rotation`\n * webhook fails HMAC / timestamp / payload validation.\n /\nexport class KeyRotationVerifyError extends AgentPressError {\n public readonly reason: KeyRotationVerifyErrorReason;\n\n constructor(reason: KeyRotationVerifyErrorReason, message: string) {\n super(message);\n this.name = \"KeyRotationVerifyError\";\n this.reason = reason;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n}\n","import { randomUUID } from \"node:crypto\";\n\nexport function randomMessageId(): string {\n return `msg_${randomUUID()}`;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst SIGNATURE_PREFIX = \"v1,\";\nconst DEFAULT_TOLERANCE_SECONDS = 5 60; // 5 minutes\n\n/*\n Sign a webhook payload using Svix-compatible HMAC-SHA256.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param msgId - Unique message ID (e.g., \"msg_<uuid>\")\n * @param timestamp - Unix timestamp in seconds\n * @param body - JSON stringified payload\n * @returns Signature string in format \"v1,<base64>\"\n /\nexport function sign(\n secret: string,\n msgId: string,\n timestamp: number,\n body: string,\n): string {\n const secretBytes = Buffer.from(secret.replace(/^whsec_/, \"\"), \"base64\");\n const message = `${msgId}.${timestamp}.${body}`;\n const signature = createHmac(\"sha256\", secretBytes)\n .update(message)\n .digest(\"base64\");\n return `${SIGNATURE_PREFIX}${signature}`;\n}\n\n/\n Verify a Svix webhook signature.\n \n @param secret - The webhook secret (with \"whsec_\" prefix)\n * @param payload - Raw request body (string or Buffer)\n * @param headers - Svix headers object\n * @param toleranceSeconds - Max age of signature in seconds (default: 5 min)\n * @returns true if valid, false if invalid or expired\n /\nexport function verify(\n secret: string,\n payload: string \| Buffer,\n headers: {\n \"svix-id\": string;\n \"svix-timestamp\": string;\n \"svix-signature\": string;\n },\n toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,\n): boolean {\n const msgId = headers[\"svix-id\"];\n const timestampStr = headers[\"svix-timestamp\"];\n const signatureHeader = headers[\"svix-signature\"];\n\n const timestamp = parseInt(timestampStr, 10);\n if (Number.isNaN(timestamp)) return false;\n\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > toleranceSeconds) return false;\n\n const body =\n typeof payload === \"string\" ? payload : payload.toString(\"utf-8\");\n const expected = sign(secret, msgId, timestamp, body);\n\n const signatures = signatureHeader.split(\" \");\n const expectedBuf = Buffer.from(expected);\n\n for (const sig of signatures) {\n const sigBuf = Buffer.from(sig);\n if (\n sigBuf.length === expectedBuf.length &&\n timingSafeEqual(sigBuf, expectedBuf)\n ) {\n return true;\n }\n }\n\n return false;\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionManageResponse,\n ApproveActionParams,\n RejectActionParams,\n ResolvedOptions,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/\n Client for programmatically approving or rejecting staged actions.\n * Uses HMAC-SHA256 signing (Svix-compatible), identical to {@link WebhooksClient}.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Approve a staged action\n * await client.actions.approve(\"act_123\", {\n * action: \"my_webhook_action\",\n * });\n \n // Reject with a reason\n * await client.actions.reject(\"act_456\", {\n * action: \"my_webhook_action\",\n * reason: \"Insufficient data\",\n * });\n * ```\n /\nexport class ActionsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Approve a staged action, optionally modifying the tool call.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async approve(\n actionId: string,\n params: ApproveActionParams,\n ): Promise<ActionManageResponse> {\n const body: Record<string, unknown> = {};\n if (params.editedToolCall !== undefined) {\n body.editedToolCall = params.editedToolCall;\n }\n if (params.remember !== undefined) {\n body.remember = params.remember;\n }\n return this.manage(actionId, params.action, \"approve\", body);\n }\n\n /\n Reject a staged action.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async reject(\n actionId: string,\n params: RejectActionParams,\n ): Promise<ActionManageResponse> {\n return this.manage(actionId, params.action, \"reject\", {\n reason: params.reason,\n });\n }\n\n private async manage(\n actionId: string,\n webhookAction: string,\n operation: \"approve\" \| \"reject\",\n body: Record<string, unknown>,\n ): Promise<ActionManageResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for action management operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${webhookAction}/manage/${actionId}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<ActionManageResponse>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { AgentPressError, HttpError, TimeoutError } from \"./errors\";\nimport type { ResolvedOptions } from \"./types\";\n\n/\n Internal shared HTTP client. Not part of the public API -- used by\n * namespace clients (e.g., `WebhooksClient`) to make authenticated requests.\n * @internal\n /\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeout: number;\n private readonly onRequest?: ResolvedOptions[\"onRequest\"];\n private readonly onResponse?: ResolvedOptions[\"onResponse\"];\n\n constructor(options: ResolvedOptions) {\n this.baseUrl = options.baseUrl;\n this.timeout = options.timeout;\n this.onRequest = options.onRequest;\n this.onResponse = options.onResponse;\n }\n\n /\n Send an HTTP request to the API. Constructs the full URL from `baseUrl` + `path`,\n * applies the configured timeout via `AbortSignal`, fires `onRequest`/`onResponse`\n * hooks, and parses the JSON response.\n \n @throws {TimeoutError} If the request exceeds the configured timeout.\n * @throws {HttpError} If the API returns a non-2xx status code.\n * @throws {AgentPressError} On network failures or non-JSON responses.\n /\n async request<T>(path: string, init: RequestInit): Promise<T> {\n const url = `${this.baseUrl}${path}`;\n\n const headers = new Headers(init.headers);\n if (!headers.has(\"Content-Type\")) {\n headers.set(\"Content-Type\", \"application/json\");\n }\n\n const requestInit: RequestInit = {\n ...init,\n headers,\n signal: AbortSignal.timeout(this.timeout),\n };\n\n this.onRequest?.(url, requestInit);\n\n let response: Response;\n try {\n // biome-ignore lint/style/noRestrictedGlobals: SDK is a standalone package that uses raw fetch\n response = await fetch(url, requestInit);\n } catch (error: unknown) {\n if (\n error instanceof Error &&\n (error.name === \"TimeoutError\" \|\| error.name === \"AbortError\")\n ) {\n throw new TimeoutError(url, this.timeout);\n }\n const message =\n error instanceof Error ? error.message : \"Unknown fetch error\";\n throw new AgentPressError(`Request to ${url} failed: ${message}`);\n }\n\n this.onResponse?.(url, response.clone());\n\n const text = await response.text();\n\n if (!response.ok) {\n throw new HttpError(response.status, text, url);\n }\n\n try {\n return JSON.parse(text) as T;\n } catch {\n throw new AgentPressError(\n `Expected JSON response from ${url} but received: ${text.slice(0, 200)}`,\n );\n }\n }\n}\n","import {\n createRemoteJWKSet,\n type JWTVerifyGetKey,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nimport { ConfigurationError, PartnerTokenError } from \"../errors\";\nimport type {\n PartnerTokenClaims,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"../types\";\n\nconst ALGORITHMS = [\"EdDSA\"] as const;\n\ntype RemoteJwks = ReturnType<typeof createRemoteJWKSet>;\n\n/\n Client for Partner MCP Spec v1 helpers. Created automatically when\n * {@link AgentPressOptions.partnerMcp} is provided.\n \n State (JWKS cache) is per-instance, NOT module-global, so staging and\n * production clients can run side-by-side without cross-talk.\n /\nexport class PartnersClient {\n private readonly options: ResolvedOptions;\n private readonly partnerMcp: ResolvedPartnerMcpOptions \| undefined;\n private jwks: RemoteJwks \| null = null;\n private jwksKeyFn: JWTVerifyGetKey \| null = null;\n\n constructor(options: ResolvedOptions) {\n this.options = options;\n this.partnerMcp = options.partnerMcp;\n }\n\n /\n Verify an inbound Partner MCP Spec v1 JWT against AgentPress's JWKS.\n \n Enforces the full spec: `algorithms: [\"EdDSA\"]` pinned; `iss`, `aud`,\n * `ext_provider` validated; `sub`, `jti`, `scope` required and non-empty;\n * `kid` header required; `exp` / `iat` validated with ±30s skew (configurable).\n \n @param token - Bare JWT string (no `Bearer ` prefix).\n * @returns Typed {@link PartnerTokenClaims}.\n * @throws {PartnerTokenError} with a typed `reason` for RFC 6750 mapping.\n * @throws {ConfigurationError} if `partnerMcp` is not configured.\n /\n async verifyToken(token: string): Promise<PartnerTokenClaims> {\n const cfg = this.requireConfig();\n const jwks = this.getJwks();\n\n let payload: Record<string, unknown>;\n let protectedHeader: { alg?: string; kid?: string; typ?: string };\n\n try {\n const result = await jwtVerify(token, jwks, {\n algorithms: [...ALGORITHMS],\n issuer: cfg.issuer,\n audience: cfg.audience,\n clockTolerance: cfg.clockTolerance,\n });\n payload = result.payload as Record<string, unknown>;\n protectedHeader = result.protectedHeader as {\n alg?: string;\n kid?: string;\n typ?: string;\n };\n } catch (err) {\n throw mapJoseError(err);\n }\n\n // kid header required by spec. jose does not enforce this on its own\n // when the key is resolvable — we enforce it explicitly so forged\n // tokens that elide the kid header can't slip through on a single-key\n // JWKS.\n if (!protectedHeader.kid \|\| typeof protectedHeader.kid !== \"string\") {\n throw new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"JWT header missing required 'kid'\",\n );\n }\n\n const claims = payload as PartnerTokenClaims & Record<string, unknown>;\n\n // jose's jwtVerify checks `exp` (with clockTolerance) but not `iat`\n // future-time unless `maxTokenAge` is set. The spec requires both sides\n // of the skew window, so enforce the future-iat check explicitly.\n if (typeof claims.iat !== \"number\" \|\| !Number.isFinite(claims.iat)) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'iat' claim must be a number\",\n );\n }\n const toleranceSeconds = toSeconds(cfg.clockTolerance);\n const nowSec = Math.floor(Date.now() / 1000);\n if (claims.iat - nowSec > toleranceSeconds) {\n throw new PartnerTokenError(\n \"not_yet_valid\",\n `'iat' is ${claims.iat - nowSec}s in the future, beyond ${toleranceSeconds}s tolerance`,\n );\n }\n\n if (typeof claims.sub !== \"string\" \|\| claims.sub.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'sub' claim is required\");\n }\n if (typeof claims.jti !== \"string\" \|\| claims.jti.length === 0) {\n throw new PartnerTokenError(\"missing_claim\", \"'jti' claim is required\");\n }\n if (typeof claims.scope !== \"string\") {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'scope' claim must be a string\",\n );\n }\n if (\n typeof claims.ext_provider !== \"string\" \|\|\n claims.ext_provider.length === 0\n ) {\n throw new PartnerTokenError(\n \"missing_claim\",\n \"'ext_provider' claim is required\",\n );\n }\n if (claims.ext_provider !== cfg.expectedExtProvider) {\n throw new PartnerTokenError(\n \"ext_provider_mismatch\",\n `ext_provider '${claims.ext_provider}' does not match expected '${cfg.expectedExtProvider}'`,\n );\n }\n\n return claims;\n }\n\n /\n Force the JWKS cache to refetch immediately. Call this from your\n * `signing_key_rotation` webhook handler after verifying the webhook —\n * otherwise the cache picks up new keys on the next `kid` miss (which\n * works, but with one failed verify latency penalty).\n /\n async refreshJwks(): Promise<void> {\n const jwks = this.getJwks();\n // jose's RemoteJWKSet exposes `.reload()` for exactly this use case.\n const anyJwks = jwks as unknown as { reload?: () => Promise<void> };\n if (typeof anyJwks.reload === \"function\") {\n await anyJwks.reload();\n }\n }\n\n private requireConfig(): ResolvedPartnerMcpOptions {\n if (!this.partnerMcp) {\n throw new ConfigurationError(\n \"partnerMcp options are required for partner token operations\",\n );\n }\n return this.partnerMcp;\n }\n\n private getJwks(): RemoteJwks {\n const cfg = this.requireConfig();\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(new URL(cfg.jwksUrl), {\n cacheMaxAge: cfg.jwksCacheMaxAgeMs,\n cooldownDuration: 30_000,\n });\n this.jwksKeyFn = this.jwks as unknown as JWTVerifyGetKey;\n }\n return this.jwks;\n }\n}\n\nfunction toSeconds(tolerance: string \| number): number {\n if (typeof tolerance === \"number\") return tolerance;\n const match = tolerance.trim().match(/^(\\d+)\\s(s\|m\|h)$/i);\n if (!match) return 30;\n const n = Number.parseInt(match[1] as string, 10);\n const unit = (match[2] as string).toLowerCase();\n if (unit === \"s\") return n;\n if (unit === \"m\") return n * 60;\n if (unit === \"h\") return n * 3600;\n return 30;\n}\n\nfunction mapJoseError(err: unknown): PartnerTokenError {\n if (err instanceof PartnerTokenError) return err;\n\n if (err instanceof joseErrors.JWSSignatureVerificationFailed) {\n return new PartnerTokenError(\n \"signature_invalid\",\n \"JWT signature verification failed\",\n );\n }\n if (err instanceof joseErrors.JWKSNoMatchingKey) {\n return new PartnerTokenError(\n \"kid_missing_or_unknown\",\n \"No JWKS key matches the JWT 'kid' header\",\n );\n }\n if (err instanceof joseErrors.JOSEAlgNotAllowed) {\n return new PartnerTokenError(\n \"algorithm_not_allowed\",\n \"JWT 'alg' is not EdDSA\",\n );\n }\n if (err instanceof joseErrors.JWTExpired) {\n return new PartnerTokenError(\"expired\", \"JWT has expired\");\n }\n if (err instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (err as { claim?: string }).claim;\n if (claim === \"iss\") {\n return new PartnerTokenError(\n \"issuer_mismatch\",\n \"JWT 'iss' does not match expected issuer\",\n );\n }\n if (claim === \"aud\") {\n return new PartnerTokenError(\n \"audience_mismatch\",\n \"JWT 'aud' does not match expected audience\",\n );\n }\n if (claim === \"iat\") {\n return new PartnerTokenError(\n \"not_yet_valid\",\n \"JWT 'iat' is in the future beyond clock tolerance\",\n );\n }\n return new PartnerTokenError(\n \"missing_claim\",\n err.message \|\| \"Claim validation failed\",\n );\n }\n if (\n err instanceof joseErrors.JWTInvalid \|\|\n err instanceof joseErrors.JWSInvalid\n ) {\n return new PartnerTokenError(\"malformed\", err.message \|\| \"Malformed JWT\");\n }\n if (err instanceof Error) {\n return new PartnerTokenError(\"malformed\", err.message);\n }\n return new PartnerTokenError(\"malformed\", String(err));\n}\n","import { ConfigurationError } from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n CreateUserApprovalParams,\n DeleteUserApprovalParams,\n ListUserApprovalsParams,\n ListUserApprovalsResponse,\n ResolvedOptions,\n UpdateUserApprovalParams,\n UserToolApproval,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { sign } from \"../webhooks/signing\";\n\n/*\n Client for managing per-user auto-approval rules — the SDK equivalent of the\n * console's `/account/auto-approvals` settings page. Uses HMAC-SHA256 signing\n * (Svix-compatible), identical to {@link ActionsClient.manage}.\n \n Each call is scoped to a single webhook (identified by `webhookIdentifier`),\n * which both selects the signing secret and scopes which approvals are visible.\n \n @example\n * ```ts\n * const client = new AgentPress({ webhookSecret: \"whsec_...\", org: \"my-org\" });\n \n // Provision consent so future \"sendEmail\" triggers skip the approval prompt\n * await client.userApprovals.create({\n * webhookIdentifier: \"reviews\",\n * userId: \"user-uuid\",\n * actionWebhookId: \"webhook-uuid\",\n * toolName: \"sendEmail\",\n * mode: \"always_allow\",\n * });\n \n // List rules (optionally filtered by userId)\n * const { approvals } = await client.userApprovals.list({\n * webhookIdentifier: \"reviews\",\n * });\n \n // Revoke\n * await client.userApprovals.delete(approvalId, { webhookIdentifier: \"reviews\" });\n * ```\n /\nexport class UserApprovalsClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n List auto-approval rules for a webhook. Optionally filter by `userId`.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async list(\n params: ListUserApprovalsParams,\n ): Promise<ListUserApprovalsResponse> {\n const body: Record<string, unknown> = {};\n if (params.userId !== undefined) body.userId = params.userId;\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n return this.send<ListUserApprovalsResponse>(\n params.webhookIdentifier,\n \"list\",\n body,\n );\n }\n\n /\n Create (or upsert) an auto-approval rule. If a rule with the same\n * `(userId, actionWebhookId, toolName)` triple already exists, it is\n * updated in place.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async create(params: CreateUserApprovalParams): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {\n userId: params.userId,\n actionWebhookId: params.actionWebhookId,\n toolName: params.toolName,\n mode: params.mode ?? \"always_allow\",\n };\n if (params.authProvider !== undefined)\n body.authProvider = params.authProvider;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n \"create\",\n body,\n );\n }\n\n /\n Patch an existing auto-approval rule (change mode or expiry).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async update(\n id: string,\n params: UpdateUserApprovalParams,\n ): Promise<UserToolApproval> {\n const body: Record<string, unknown> = {};\n if (params.mode !== undefined) body.mode = params.mode;\n if (params.expiresAt !== undefined) {\n body.expiresAt =\n params.expiresAt === null ? null : params.expiresAt.toISOString();\n }\n return this.send<UserToolApproval>(\n params.webhookIdentifier,\n `update/${id}`,\n body,\n );\n }\n\n /\n Revoke an auto-approval rule. Future triggers of the corresponding\n * `(user, webhook, tool)` combination will once again stage for approval.\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response (404 if the rule does not belong to this webhook)\n * @throws TimeoutError if request exceeds timeout\n /\n async delete(\n id: string,\n params: DeleteUserApprovalParams,\n ): Promise<{ success: boolean }> {\n return this.send<{ success: boolean }>(\n params.webhookIdentifier,\n `delete/${id}`,\n {},\n );\n }\n\n /* Internal: HMAC-sign and POST the body to the scoped path. /\n private async send<T>(\n webhookIdentifier: string,\n operation: string,\n body: Record<string, unknown>,\n ): Promise<T> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for user approval management operations\",\n );\n }\n\n const path = `/webhooks/user-approvals/${this.options.org}/${webhookIdentifier}/${operation}`;\n const bodyStr = JSON.stringify(body);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(\n this.options.webhookSecret,\n msgId,\n timestamp,\n bodyStr,\n );\n\n return this.http.request<T>(path, {\n method: \"POST\",\n body: bodyStr,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nimport { ConfigurationError, KeyRotationVerifyError } from \"../errors\";\nimport type { KeyRotationEvent, KeyRotationVerifyParams } from \"../types\";\n\nconst MAX_PAYLOAD_BYTES = 8 1024; // 8 KB\nconst TIMESTAMP_SKEW_SECONDS = 300; // 5 minutes\nconst SIGNATURE_PREFIX = \"sha256=\";\n\n/*\n Verify a `signing_key_rotation` webhook signed by AgentPress with\n * HMAC-SHA256 over the raw request body. Returns the typed\n * {@link KeyRotationEvent} payload.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping.\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\nexport function verifyKeyRotation(\n secret: string \| undefined,\n params: KeyRotationVerifyParams,\n): KeyRotationEvent {\n if (!secret) {\n throw new ConfigurationError(\n \"webhookSecret is required for key rotation webhook verification\",\n );\n }\n\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n\n const byteLength =\n typeof params.payload === \"string\"\n ? Buffer.byteLength(params.payload, \"utf-8\")\n : params.payload.length;\n if (byteLength > MAX_PAYLOAD_BYTES) {\n throw new KeyRotationVerifyError(\n \"payload_too_large\",\n `Payload exceeds ${MAX_PAYLOAD_BYTES} bytes`,\n );\n }\n\n const signatureHeader = readHeader(params.headers, \"x-agentpress-signature\");\n const timestampHeader = readHeader(params.headers, \"x-agentpress-timestamp\");\n\n if (!signatureHeader?.startsWith(SIGNATURE_PREFIX)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n `Signature header missing or does not start with '${SIGNATURE_PREFIX}'`,\n );\n }\n const providedHex = signatureHeader\n .slice(SIGNATURE_PREFIX.length)\n .toLowerCase();\n if (!/^[0-9a-f]+$/.test(providedHex)) {\n throw new KeyRotationVerifyError(\n \"invalid_signature_format\",\n \"Signature is not a hex string\",\n );\n }\n\n if (!timestampHeader) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp header is required\",\n );\n }\n const timestamp = Number.parseInt(timestampHeader, 10);\n if (\n !Number.isFinite(timestamp) \|\|\n String(timestamp) !== timestampHeader.trim()\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_timestamp\",\n \"x-agentpress-timestamp is not a valid unix seconds integer\",\n );\n }\n const now = Math.floor(Date.now() / 1000);\n if (Math.abs(now - timestamp) > TIMESTAMP_SKEW_SECONDS) {\n throw new KeyRotationVerifyError(\n \"timestamp_out_of_window\",\n `Timestamp skew ${Math.abs(now - timestamp)}s exceeds ${TIMESTAMP_SKEW_SECONDS}s tolerance`,\n );\n }\n\n const expectedHex = createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n const providedBuf = Buffer.from(providedHex, \"hex\");\n const expectedBuf = Buffer.from(expectedHex, \"hex\");\n if (\n providedBuf.length !== expectedBuf.length \|\|\n !timingSafeEqual(providedBuf, expectedBuf)\n ) {\n throw new KeyRotationVerifyError(\n \"invalid_signature\",\n \"HMAC signature mismatch\",\n );\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(body);\n } catch {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload is not valid JSON\",\n );\n }\n\n return validatePayload(parsed);\n}\n\nfunction readHeader(\n headers: Record<string, string \| undefined>,\n name: string,\n): string \| undefined {\n // Headers are case-insensitive; normalize without mutating the caller's object.\n const lowered = name.toLowerCase();\n for (const [k, v] of Object.entries(headers)) {\n if (k.toLowerCase() === lowered && typeof v === \"string\" && v.length > 0) {\n return v;\n }\n }\n return undefined;\n}\n\nfunction validatePayload(raw: unknown): KeyRotationEvent {\n if (!raw \|\| typeof raw !== \"object\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"Payload must be a JSON object\",\n );\n }\n const obj = raw as Record<string, unknown>;\n if (obj.event !== \"signing_key_rotation\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `Unexpected event '${String(obj.event)}'`,\n );\n }\n if (obj.type !== \"scheduled\" && obj.type !== \"emergency\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'type' must be 'scheduled' or 'emergency'\",\n );\n }\n for (const key of [\n \"retiredKid\",\n \"newCurrentKid\",\n \"retiredAt\",\n \"effectiveAt\",\n \"jwksUrl\",\n ]) {\n if (typeof obj[key] !== \"string\" \|\| (obj[key] as string).length === 0) {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n `'${key}' must be a non-empty string`,\n );\n }\n }\n if (obj.reason !== undefined && typeof obj.reason !== \"string\") {\n throw new KeyRotationVerifyError(\n \"malformed_payload\",\n \"'reason' must be a string when present\",\n );\n }\n\n const event: KeyRotationEvent = {\n event: \"signing_key_rotation\",\n type: obj.type as \"scheduled\" \| \"emergency\",\n retiredKid: obj.retiredKid as string,\n newCurrentKid: obj.newCurrentKid as string,\n retiredAt: obj.retiredAt as string,\n effectiveAt: obj.effectiveAt as string,\n jwksUrl: obj.jwksUrl as string,\n };\n if (typeof obj.reason === \"string\") {\n event.reason = obj.reason;\n }\n return event;\n}\n","import {\n AgentPressError,\n ConfigurationError,\n WebhookSignatureError,\n} from \"../errors\";\nimport type { HttpClient } from \"../http\";\nimport type {\n ActionCallbackPayload,\n KeyRotationEvent,\n KeyRotationVerifyParams,\n ResolvedOptions,\n WebhookResponse,\n WebhookSendParams,\n WebhookVerifyParams,\n} from \"../types\";\nimport { randomMessageId } from \"../utils\";\nimport { verifyKeyRotation as verifyKeyRotationImpl } from \"./keyRotation\";\nimport { sign, verify as verifySig } from \"./signing\";\n\nexport class WebhooksClient {\n private readonly options: ResolvedOptions;\n private readonly http: HttpClient;\n\n constructor(options: ResolvedOptions, http: HttpClient) {\n this.options = options;\n this.http = http;\n }\n\n /\n Send an arbitrary webhook payload to AgentPress.\n * Signs the payload with HMAC-SHA256 (Svix-compatible).\n \n @throws ConfigurationError if webhookSecret is not configured\n * @throws HttpError on non-2xx response\n * @throws TimeoutError if request exceeds timeout\n /\n async send(params: WebhookSendParams): Promise<WebhookResponse> {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook operations\",\n );\n }\n\n const path = `/webhooks/actions/${this.options.org}/${params.action}`;\n const body = JSON.stringify(params.payload);\n const msgId = randomMessageId();\n const timestamp = Math.floor(Date.now() / 1000);\n const signature = sign(this.options.webhookSecret, msgId, timestamp, body);\n\n return this.http.request<WebhookResponse>(path, {\n method: \"POST\",\n body,\n headers: {\n \"svix-id\": msgId,\n \"svix-timestamp\": String(timestamp),\n \"svix-signature\": signature,\n },\n });\n }\n\n /\n Verify an inbound Svix webhook signature.\n \n @returns true if valid, false if invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verify(params: WebhookVerifyParams): boolean {\n if (!this.options.webhookSecret) {\n throw new ConfigurationError(\n \"webhookSecret is required for webhook verification\",\n );\n }\n\n return verifySig(\n this.options.webhookSecret,\n params.payload,\n params.headers,\n );\n }\n\n /\n Verify an inbound Svix webhook signature, throwing on failure.\n * Useful for middleware patterns where invalid signatures should halt processing.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n /\n verifyOrThrow(params: WebhookVerifyParams): void {\n if (!this.verify(params)) {\n throw new WebhookSignatureError(\"Invalid webhook signature\");\n }\n }\n\n /\n Verify and parse an inbound webhook from AgentPress.\n * Combines signature verification with JSON parsing and type casting.\n * This is the recommended way to handle incoming webhooks.\n \n @throws WebhookSignatureError if signature is invalid or expired\n * @throws ConfigurationError if webhookSecret is not configured\n * @throws AgentPressError if payload is not valid JSON\n /\n constructEvent(params: WebhookVerifyParams): ActionCallbackPayload {\n this.verifyOrThrow(params);\n const body =\n typeof params.payload === \"string\"\n ? params.payload\n : params.payload.toString(\"utf-8\");\n try {\n return JSON.parse(body) as ActionCallbackPayload;\n } catch {\n throw new AgentPressError(\"Webhook payload is not valid JSON\");\n }\n }\n\n /\n Verify an inbound `signing_key_rotation` webhook (HMAC-SHA256 + timestamp\n * + typed payload) from AgentPress. See the Partner MCP Spec v1 for the\n * full contract.\n \n @throws {KeyRotationVerifyError} with a typed `reason` for HTTP mapping\n * (401 for signature errors, 400 for malformed payload, 413 for oversize).\n * @throws {ConfigurationError} if `webhookSecret` is not configured.\n /\n verifyKeyRotation(params: KeyRotationVerifyParams): KeyRotationEvent {\n return verifyKeyRotationImpl(this.options.webhookSecret, params);\n }\n}\n","import { ActionsClient } from \"./actions/client\";\nimport { ConfigurationError } from \"./errors\";\nimport { HttpClient } from \"./http\";\nimport { PartnersClient } from \"./partners/client\";\nimport type {\n AgentPressOptions,\n ResolvedOptions,\n ResolvedPartnerMcpOptions,\n} from \"./types\";\nimport { UserApprovalsClient } from \"./userApprovals/client\";\nimport { WebhooksClient } from \"./webhooks/client\";\n\n/\n Main entry point for the AgentPress SDK. Provides namespaced access to API\n * resources (e.g., `client.webhooks.send()`, `client.actions.approve()`).\n * Validates all configuration options at construction time, so invalid config fails fast.\n \n @example\n * ```ts\n * const client = new AgentPress({\n * apiKey: \"ak_...\",\n * webhookSecret: \"whsec_...\",\n * });\n * await client.webhooks.send({ action: \"my_action\", payload: { ... } });\n * await client.actions.approve(\"act_123\", { action: \"my_action\" });\n * ```\n /\nexport class AgentPress {\n /* Webhook operations: send outbound webhooks and verify inbound signatures. /\n public readonly webhooks: WebhooksClient;\n /* Action management: approve or reject staged actions. /\n public readonly actions: ActionsClient;\n /* Per-user auto-approval rules (read / create / update / delete). /\n public readonly userApprovals: UserApprovalsClient;\n /* Partner MCP Spec v1 helpers (inbound JWT verification, JWKS refresh). /\n public readonly partners: PartnersClient;\n\n /\n @param options - SDK configuration. All fields are optional with sensible defaults.\n * @throws {ConfigurationError} If `timeout` is non-positive or `webhookSecret` has an invalid prefix.\n */\n constructor(options: AgentPressOptions = {}) {\n const resolved = resolveOptions(options);\n const http = new HttpClient(resolved);\n this.webhooks = new WebhooksClient(resolved, http);\n this.actions = new ActionsClient(resolved, http);\n this.userApprovals = new UserApprovalsClient(resolved, http);\n this.partners = new PartnersClient(resolved);\n }\n}\n\nfunction resolveOptions(options: AgentPressOptions): ResolvedOptions {\n const baseUrl = (options.baseUrl ?? \"https://api.agent.press\").replace(\n /\\/+$/,\n \"\",\n );\n const timeout = options.timeout ?? 30_000;\n const org = options.org ?? \"default-org\";\n\n if (timeout <= 0 \|\| !Number.isFinite(timeout)) {\n throw new ConfigurationError(\"timeout must be a positive number\");\n }\n\n if (\n options.webhookSecret !== undefined &&\n !options.webhookSecret.startsWith(\"whsec_\")\n ) {\n throw new ConfigurationError('webhookSecret must start with \"whsec_\"');\n }\n\n return {\n baseUrl,\n timeout,\n org,\n webhookSecret: options.webhookSecret,\n apiKey: options.apiKey,\n partnerMcp: resolvePartnerMcp(options.partnerMcp),\n onRequest: options.onRequest,\n onResponse: options.onResponse,\n };\n}\n\nfunction resolvePartnerMcp(\n options: AgentPressOptions[\"partnerMcp\"],\n): ResolvedPartnerMcpOptions \| undefined {\n if (!options) return undefined;\n\n if (typeof options.jwksUrl !== \"string\" \|\| options.jwksUrl.length === 0) {\n throw new ConfigurationError(\"partnerMcp.jwksUrl is required\");\n }\n try {\n // Validate early so a bad URL fails at construction, not on first verify.\n new URL(options.jwksUrl);\n } catch {\n throw new ConfigurationError(\"partnerMcp.jwksUrl must be a valid URL\");\n }\n if (typeof options.issuer !== \"string\" \|\| options.issuer.length === 0) {\n throw new ConfigurationError(\"partnerMcp.issuer is required\");\n }\n if (typeof options.audience !== \"string\" \|\| options.audience.length === 0) {\n throw new ConfigurationError(\"partnerMcp.audience is required\");\n }\n if (\n typeof options.expectedExtProvider !== \"string\" \|\|\n options.expectedExtProvider.length === 0\n ) {\n throw new ConfigurationError(\"partnerMcp.expectedExtProvider is required\");\n }\n\n const clockTolerance = options.clockTolerance ?? \"30s\";\n const jwksCacheMaxAgeMs = options.jwksCacheMaxAgeMs ?? 3_600_000;\n if (jwksCacheMaxAgeMs <= 0 \|\| !Number.isFinite(jwksCacheMaxAgeMs)) {\n throw new ConfigurationError(\n \"partnerMcp.jwksCacheMaxAgeMs must be a positive number\",\n );\n }\n\n return {\n jwksUrl: options.jwksUrl,\n issuer: options.issuer,\n audience: options.audience,\n expectedExtProvider: options.expectedExtProvider,\n clockTolerance,\n jwksCacheMaxAgeMs,\n };\n}\n"],"mappings":";;;;;;;AAIA,IAAa,kBAAb,cAAqC,MAAM;CACzC,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAQrD,IAAa,qBAAb,cAAwC,gBAAgB;CACtD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;;;;AAYrD,IAAa,YAAb,cAA+B,gBAAgB;CAC7C;CACA;CACA;CAEA,YAAY,YAAoB,cAAsB,KAAa;AACjE,QAAM,QAAQ,WAAW,QAAQ,MAAM;AACvC,OAAK,OAAO;AACZ,OAAK,aAAa;AAClB,OAAK,eAAe;AACpB,OAAK,MAAM;AACX,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,eAAb,cAAkC,gBAAgB;CAChD,YAAY,KAAa,SAAiB;AACxC,QAAM,cAAc,IAAI,mBAAmB,QAAQ,IAAI;AACvD,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;AAKrD,IAAa,wBAAb,cAA2C,gBAAgB;CACzD,YAAY,SAAiB;AAC3B,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;;AAsBrD,IAAa,oBAAb,cAAuC,gBAAgB;CACrD;CAEA,YAAY,QAAiC,SAAiB;AAC5D,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;;;AAiBrD,IAAa,yBAAb,cAA4C,gBAAgB;CAC1D;CAEA,YAAY,QAAsC,SAAiB;AACjE,QAAM,QAAQ;AACd,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,SAAO,eAAe,MAAM,IAAI,OAAO,UAAU;;;;;AChHrD,SAAgB,kBAA0B;AACxC,QAAO,OAAO,YAAY;;;;ACD5B,MAAMA,qBAAmB;AACzB,MAAM,4BAA4B;;;;;;;;;;AAWlC,SAAgB,KACd,QACA,OACA,WACA,MACQ;CACR,MAAM,cAAc,OAAO,KAAK,OAAO,QAAQ,WAAW,GAAG,EAAE,SAAS;CACxE,MAAM,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG;AAIzC,QAAO,GAAGA,qBAHQ,WAAW,UAAU,YAAY,CAChD,OAAO,QAAQ,CACf,OAAO,SAC4B;;;;;;;;;;;AAYxC,SAAgB,OACd,QACA,SACA,SAKA,mBAA2B,2BAClB;CACT,MAAM,QAAQ,QAAQ;CACtB,MAAM,eAAe,QAAQ;CAC7B,MAAM,kBAAkB,QAAQ;CAEhC,MAAM,YAAY,SAAS,cAAc,GAAG;AAC5C,KAAI,OAAO,MAAM,UAAU,CAAE,QAAO;CAEpC,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,iBAAkB,QAAO;CAIzD,MAAM,WAAW,KAAK,QAAQ,OAAO,WADnC,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,QAAQ,CACd;CAErD,MAAM,aAAa,gBAAgB,MAAM,IAAI;CAC7C,MAAM,cAAc,OAAO,KAAK,SAAS;AAEzC,MAAK,MAAM,OAAO,YAAY;EAC5B,MAAM,SAAS,OAAO,KAAK,IAAI;AAC/B,MACE,OAAO,WAAW,YAAY,UAC9B,gBAAgB,QAAQ,YAAY,CAEpC,QAAO;;AAIX,QAAO;;;;;;;;;;;;;;;;;;;;;;;;AC3CT,IAAa,gBAAb,MAA2B;CACzB;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,QACJ,UACA,QAC+B;EAC/B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,mBAAmB,KAAA,EAC5B,MAAK,iBAAiB,OAAO;AAE/B,MAAI,OAAO,aAAa,KAAA,EACtB,MAAK,WAAW,OAAO;AAEzB,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,WAAW,KAAK;;;;;;;;;CAU9D,MAAM,OACJ,UACA,QAC+B;AAC/B,SAAO,KAAK,OAAO,UAAU,OAAO,QAAQ,UAAU,EACpD,QAAQ,OAAO,QAChB,CAAC;;CAGJ,MAAc,OACZ,UACA,eACA,WACA,MAC+B;AAC/B,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,6DACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,cAAc,UAAU,SAAS,GAAG;EAC1F,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAA8B,MAAM;GACnD,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;;;ACpGN,IAAa,aAAb,MAAwB;CACtB;CACA;CACA;CACA;CAEA,YAAY,SAA0B;AACpC,OAAK,UAAU,QAAQ;AACvB,OAAK,UAAU,QAAQ;AACvB,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;;;;;;;;;;;CAY5B,MAAM,QAAW,MAAc,MAA+B;EAC5D,MAAM,MAAM,GAAG,KAAK,UAAU;EAE9B,MAAM,UAAU,IAAI,QAAQ,KAAK,QAAQ;AACzC,MAAI,CAAC,QAAQ,IAAI,eAAe,CAC9B,SAAQ,IAAI,gBAAgB,mBAAmB;EAGjD,MAAM,cAA2B;GAC/B,GAAG;GACH;GACA,QAAQ,YAAY,QAAQ,KAAK,QAAQ;GAC1C;AAED,OAAK,YAAY,KAAK,YAAY;EAElC,IAAI;AACJ,MAAI;AAEF,cAAW,MAAM,MAAM,KAAK,YAAY;WACjC,OAAgB;AACvB,OACE,iBAAiB,UAChB,MAAM,SAAS,kBAAkB,MAAM,SAAS,cAEjD,OAAM,IAAI,aAAa,KAAK,KAAK,QAAQ;AAI3C,SAAM,IAAI,gBAAgB,cAAc,IAAI,WAD1C,iBAAiB,QAAQ,MAAM,UAAU,wBACsB;;AAGnE,OAAK,aAAa,KAAK,SAAS,OAAO,CAAC;EAExC,MAAM,OAAO,MAAM,SAAS,MAAM;AAElC,MAAI,CAAC,SAAS,GACZ,OAAM,IAAI,UAAU,SAAS,QAAQ,MAAM,IAAI;AAGjD,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBACR,+BAA+B,IAAI,iBAAiB,KAAK,MAAM,GAAG,IAAI,GACvE;;;;;;AC7DP,MAAM,aAAa,CAAC,QAAQ;;;;;;;;AAW5B,IAAa,iBAAb,MAA4B;CAC1B;CACA;CACA,OAAkC;CAClC,YAA4C;CAE5C,YAAY,SAA0B;AACpC,OAAK,UAAU;AACf,OAAK,aAAa,QAAQ;;;;;;;;;;;;;;CAe5B,MAAM,YAAY,OAA4C;EAC5D,MAAM,MAAM,KAAK,eAAe;EAChC,MAAM,OAAO,KAAK,SAAS;EAE3B,IAAI;EACJ,IAAI;AAEJ,MAAI;GACF,MAAM,SAAS,MAAM,UAAU,OAAO,MAAM;IAC1C,YAAY,CAAC,GAAG,WAAW;IAC3B,QAAQ,IAAI;IACZ,UAAU,IAAI;IACd,gBAAgB,IAAI;IACrB,CAAC;AACF,aAAU,OAAO;AACjB,qBAAkB,OAAO;WAKlB,KAAK;AACZ,SAAM,aAAa,IAAI;;AAOzB,MAAI,CAAC,gBAAgB,OAAO,OAAO,gBAAgB,QAAQ,SACzD,OAAM,IAAI,kBACR,0BACA,oCACD;EAGH,MAAM,SAAS;AAKf,MAAI,OAAO,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,OAAO,IAAI,CAChE,OAAM,IAAI,kBACR,iBACA,+BACD;EAEH,MAAM,mBAAmB,UAAU,IAAI,eAAe;EACtD,MAAM,SAAS,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAC5C,MAAI,OAAO,MAAM,SAAS,iBACxB,OAAM,IAAI,kBACR,iBACA,YAAY,OAAO,MAAM,OAAO,0BAA0B,iBAAiB,aAC5E;AAGH,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,QAAQ,YAAY,OAAO,IAAI,WAAW,EAC1D,OAAM,IAAI,kBAAkB,iBAAiB,0BAA0B;AAEzE,MAAI,OAAO,OAAO,UAAU,SAC1B,OAAM,IAAI,kBACR,iBACA,iCACD;AAEH,MACE,OAAO,OAAO,iBAAiB,YAC/B,OAAO,aAAa,WAAW,EAE/B,OAAM,IAAI,kBACR,iBACA,mCACD;AAEH,MAAI,OAAO,iBAAiB,IAAI,oBAC9B,OAAM,IAAI,kBACR,yBACA,iBAAiB,OAAO,aAAa,6BAA6B,IAAI,oBAAoB,GAC3F;AAGH,SAAO;;;;;;;;CAST,MAAM,cAA6B;EAGjC,MAAM,UAFO,KAAK,SAEE;AACpB,MAAI,OAAO,QAAQ,WAAW,WAC5B,OAAM,QAAQ,QAAQ;;CAI1B,gBAAmD;AACjD,MAAI,CAAC,KAAK,WACR,OAAM,IAAI,mBACR,+DACD;AAEH,SAAO,KAAK;;CAGd,UAA8B;EAC5B,MAAM,MAAM,KAAK,eAAe;AAChC,MAAI,CAAC,KAAK,MAAM;AACd,QAAK,OAAO,mBAAmB,IAAI,IAAI,IAAI,QAAQ,EAAE;IACnD,aAAa,IAAI;IACjB,kBAAkB;IACnB,CAAC;AACF,QAAK,YAAY,KAAK;;AAExB,SAAO,KAAK;;;AAIhB,SAAS,UAAU,WAAoC;AACrD,KAAI,OAAO,cAAc,SAAU,QAAO;CAC1C,MAAM,QAAQ,UAAU,MAAM,CAAC,MAAM,qBAAqB;AAC1D,KAAI,CAAC,MAAO,QAAO;CACnB,MAAM,IAAI,OAAO,SAAS,MAAM,IAAc,GAAG;CACjD,MAAM,OAAQ,MAAM,GAAc,aAAa;AAC/C,KAAI,SAAS,IAAK,QAAO;AACzB,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,KAAI,SAAS,IAAK,QAAO,IAAI;AAC7B,QAAO;;AAGT,SAAS,aAAa,KAAiC;AACrD,KAAI,eAAe,kBAAmB,QAAO;AAE7C,KAAI,eAAeC,OAAW,+BAC5B,QAAO,IAAI,kBACT,qBACA,oCACD;AAEH,KAAI,eAAeA,OAAW,kBAC5B,QAAO,IAAI,kBACT,0BACA,2CACD;AAEH,KAAI,eAAeA,OAAW,kBAC5B,QAAO,IAAI,kBACT,yBACA,yBACD;AAEH,KAAI,eAAeA,OAAW,WAC5B,QAAO,IAAI,kBAAkB,WAAW,kBAAkB;AAE5D,KAAI,eAAeA,OAAW,0BAA0B;EACtD,MAAM,QAAS,IAA2B;AAC1C,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,mBACA,2CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,qBACA,6CACD;AAEH,MAAI,UAAU,MACZ,QAAO,IAAI,kBACT,iBACA,oDACD;AAEH,SAAO,IAAI,kBACT,iBACA,IAAI,WAAW,0BAChB;;AAEH,KACE,eAAeA,OAAW,cAC1B,eAAeA,OAAW,WAE1B,QAAO,IAAI,kBAAkB,aAAa,IAAI,WAAW,gBAAgB;AAE3E,KAAI,eAAe,MACjB,QAAO,IAAI,kBAAkB,aAAa,IAAI,QAAQ;AAExD,QAAO,IAAI,kBAAkB,aAAa,OAAO,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACrMxD,IAAa,sBAAb,MAAiC;CAC/B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;CAUd,MAAM,KACJ,QACoC;EACpC,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,WAAW,KAAA,EAAW,MAAK,SAAS,OAAO;AACtD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,SAAO,KAAK,KACV,OAAO,mBACP,QACA,KACD;;;;;;;;;;;CAYH,MAAM,OAAO,QAA6D;EACxE,MAAM,OAAgC;GACpC,QAAQ,OAAO;GACf,iBAAiB,OAAO;GACxB,UAAU,OAAO;GACjB,MAAM,OAAO,QAAQ;GACtB;AACD,MAAI,OAAO,iBAAiB,KAAA,EAC1B,MAAK,eAAe,OAAO;AAC7B,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UACA,KACD;;;;;;;;;CAUH,MAAM,OACJ,IACA,QAC2B;EAC3B,MAAM,OAAgC,EAAE;AACxC,MAAI,OAAO,SAAS,KAAA,EAAW,MAAK,OAAO,OAAO;AAClD,MAAI,OAAO,cAAc,KAAA,EACvB,MAAK,YACH,OAAO,cAAc,OAAO,OAAO,OAAO,UAAU,aAAa;AAErE,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,KACD;;;;;;;;;;CAWH,MAAM,OACJ,IACA,QAC+B;AAC/B,SAAO,KAAK,KACV,OAAO,mBACP,UAAU,MACV,EAAE,CACH;;;CAIH,MAAc,KACZ,mBACA,WACA,MACY;AACZ,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,oEACD;EAGH,MAAM,OAAO,4BAA4B,KAAK,QAAQ,IAAI,GAAG,kBAAkB,GAAG;EAClF,MAAM,UAAU,KAAK,UAAU,KAAK;EACpC,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAChB,KAAK,QAAQ,eACb,OACA,WACA,QACD;AAED,SAAO,KAAK,KAAK,QAAW,MAAM;GAChC,QAAQ;GACR,MAAM;GACN,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;AC5KN,MAAM,oBAAoB,IAAI;AAC9B,MAAM,yBAAyB;AAC/B,MAAM,mBAAmB;;;;;;;;;AAUzB,SAAgB,kBACd,QACA,QACkB;AAClB,KAAI,CAAC,OACH,OAAM,IAAI,mBACR,kEACD;CAGH,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AAMtC,MAHE,OAAO,OAAO,YAAY,WACtB,OAAO,WAAW,OAAO,SAAS,QAAQ,GAC1C,OAAO,QAAQ,UACJ,kBACf,OAAM,IAAI,uBACR,qBACA,mBAAmB,kBAAkB,QACtC;CAGH,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;CAC5E,MAAM,kBAAkB,WAAW,OAAO,SAAS,yBAAyB;AAE5E,KAAI,CAAC,iBAAiB,WAAW,iBAAiB,CAChD,OAAM,IAAI,uBACR,4BACA,oDAAoD,iBAAiB,GACtE;CAEH,MAAM,cAAc,gBACjB,MAAM,EAAwB,CAC9B,aAAa;AAChB,KAAI,CAAC,cAAc,KAAK,YAAY,CAClC,OAAM,IAAI,uBACR,4BACA,gCACD;AAGH,KAAI,CAAC,gBACH,OAAM,IAAI,uBACR,qBACA,4CACD;CAEH,MAAM,YAAY,OAAO,SAAS,iBAAiB,GAAG;AACtD,KACE,CAAC,OAAO,SAAS,UAAU,IAC3B,OAAO,UAAU,KAAK,gBAAgB,MAAM,CAE5C,OAAM,IAAI,uBACR,qBACA,6DACD;CAEH,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,KAAI,KAAK,IAAI,MAAM,UAAU,GAAG,uBAC9B,OAAM,IAAI,uBACR,2BACA,kBAAkB,KAAK,IAAI,MAAM,UAAU,CAAC,YAAY,uBAAuB,aAChF;CAGH,MAAM,cAAc,WAAW,UAAU,OAAO,CAAC,OAAO,KAAK,CAAC,OAAO,MAAM;CAC3E,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;CACnD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AACnD,KACE,YAAY,WAAW,YAAY,UACnC,CAAC,gBAAgB,aAAa,YAAY,CAE1C,OAAM,IAAI,uBACR,qBACA,0BACD;CAGH,IAAI;AACJ,KAAI;AACF,WAAS,KAAK,MAAM,KAAK;SACnB;AACN,QAAM,IAAI,uBACR,qBACA,4BACD;;AAGH,QAAO,gBAAgB,OAAO;;AAGhC,SAAS,WACP,SACA,MACoB;CAEpB,MAAM,UAAU,KAAK,aAAa;AAClC,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,QAAQ,CAC1C,KAAI,EAAE,aAAa,KAAK,WAAW,OAAO,MAAM,YAAY,EAAE,SAAS,EACrE,QAAO;;AAMb,SAAS,gBAAgB,KAAgC;AACvD,KAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,OAAM,IAAI,uBACR,qBACA,gCACD;CAEH,MAAM,MAAM;AACZ,KAAI,IAAI,UAAU,uBAChB,OAAM,IAAI,uBACR,qBACA,qBAAqB,OAAO,IAAI,MAAM,CAAC,GACxC;AAEH,KAAI,IAAI,SAAS,eAAe,IAAI,SAAS,YAC3C,OAAM,IAAI,uBACR,qBACA,4CACD;AAEH,MAAK,MAAM,OAAO;EAChB;EACA;EACA;EACA;EACA;EACD,CACC,KAAI,OAAO,IAAI,SAAS,YAAa,IAAI,KAAgB,WAAW,EAClE,OAAM,IAAI,uBACR,qBACA,IAAI,IAAI,8BACT;AAGL,KAAI,IAAI,WAAW,KAAA,KAAa,OAAO,IAAI,WAAW,SACpD,OAAM,IAAI,uBACR,qBACA,yCACD;CAGH,MAAM,QAA0B;EAC9B,OAAO;EACP,MAAM,IAAI;EACV,YAAY,IAAI;EAChB,eAAe,IAAI;EACnB,WAAW,IAAI;EACf,aAAa,IAAI;EACjB,SAAS,IAAI;EACd;AACD,KAAI,OAAO,IAAI,WAAW,SACxB,OAAM,SAAS,IAAI;AAErB,QAAO;;;;AChKT,IAAa,iBAAb,MAA4B;CAC1B;CACA;CAEA,YAAY,SAA0B,MAAkB;AACtD,OAAK,UAAU;AACf,OAAK,OAAO;;;;;;;;;;CAWd,MAAM,KAAK,QAAqD;AAC9D,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,mDACD;EAGH,MAAM,OAAO,qBAAqB,KAAK,QAAQ,IAAI,GAAG,OAAO;EAC7D,MAAM,OAAO,KAAK,UAAU,OAAO,QAAQ;EAC3C,MAAM,QAAQ,iBAAiB;EAC/B,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EAC/C,MAAM,YAAY,KAAK,KAAK,QAAQ,eAAe,OAAO,WAAW,KAAK;AAE1E,SAAO,KAAK,KAAK,QAAyB,MAAM;GAC9C,QAAQ;GACR;GACA,SAAS;IACP,WAAW;IACX,kBAAkB,OAAO,UAAU;IACnC,kBAAkB;IACnB;GACF,CAAC;;;;;;;;CASJ,OAAO,QAAsC;AAC3C,MAAI,CAAC,KAAK,QAAQ,cAChB,OAAM,IAAI,mBACR,qDACD;AAGH,SAAOC,OACL,KAAK,QAAQ,eACb,OAAO,SACP,OAAO,QACR;;;;;;;;;CAUH,cAAc,QAAmC;AAC/C,MAAI,CAAC,KAAK,OAAO,OAAO,CACtB,OAAM,IAAI,sBAAsB,4BAA4B;;;;;;;;;;;CAahE,eAAe,QAAoD;AACjE,OAAK,cAAc,OAAO;EAC1B,MAAM,OACJ,OAAO,OAAO,YAAY,WACtB,OAAO,UACP,OAAO,QAAQ,SAAS,QAAQ;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,KAAK;UACjB;AACN,SAAM,IAAI,gBAAgB,oCAAoC;;;;;;;;;;;;CAalE,kBAAkB,QAAmD;AACnE,SAAOC,kBAAsB,KAAK,QAAQ,eAAe,OAAO;;;;;;;;;;;;;;;;;;;;AClGpE,IAAa,aAAb,MAAwB;;CAEtB;;CAEA;;CAEA;;CAEA;;;;;CAMA,YAAY,UAA6B,EAAE,EAAE;EAC3C,MAAM,WAAW,eAAe,QAAQ;EACxC,MAAM,OAAO,IAAI,WAAW,SAAS;AACrC,OAAK,WAAW,IAAI,eAAe,UAAU,KAAK;AAClD,OAAK,UAAU,IAAI,cAAc,UAAU,KAAK;AAChD,OAAK,gBAAgB,IAAI,oBAAoB,UAAU,KAAK;AAC5D,OAAK,WAAW,IAAI,eAAe,SAAS;;;AAIhD,SAAS,eAAe,SAA6C;CACnE,MAAM,WAAW,QAAQ,WAAW,2BAA2B,QAC7D,QACA,GACD;CACD,MAAM,UAAU,QAAQ,WAAW;CACnC,MAAM,MAAM,QAAQ,OAAO;AAE3B,KAAI,WAAW,KAAK,CAAC,OAAO,SAAS,QAAQ,CAC3C,OAAM,IAAI,mBAAmB,oCAAoC;AAGnE,KACE,QAAQ,kBAAkB,KAAA,KAC1B,CAAC,QAAQ,cAAc,WAAW,SAAS,CAE3C,OAAM,IAAI,mBAAmB,2CAAyC;AAGxE,QAAO;EACL;EACA;EACA;EACA,eAAe,QAAQ;EACvB,QAAQ,QAAQ;EAChB,YAAY,kBAAkB,QAAQ,WAAW;EACjD,WAAW,QAAQ;EACnB,YAAY,QAAQ;EACrB;;AAGH,SAAS,kBACP,SACuC;AACvC,KAAI,CAAC,QAAS,QAAO,KAAA;AAErB,KAAI,OAAO,QAAQ,YAAY,YAAY,QAAQ,QAAQ,WAAW,EACpE,OAAM,IAAI,mBAAmB,iCAAiC;AAEhE,KAAI;AAEF,MAAI,IAAI,QAAQ,QAAQ;SAClB;AACN,QAAM,IAAI,mBAAmB,yCAAyC;;AAExE,KAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,WAAW,EAClE,OAAM,IAAI,mBAAmB,gCAAgC;AAE/D,KAAI,OAAO,QAAQ,aAAa,YAAY,QAAQ,SAAS,WAAW,EACtE,OAAM,IAAI,mBAAmB,kCAAkC;AAEjE,KACE,OAAO,QAAQ,wBAAwB,YACvC,QAAQ,oBAAoB,WAAW,EAEvC,OAAM,IAAI,mBAAmB,6CAA6C;CAG5E,MAAM,iBAAiB,QAAQ,kBAAkB;CACjD,MAAM,oBAAoB,QAAQ,qBAAqB;AACvD,KAAI,qBAAqB,KAAK,CAAC,OAAO,SAAS,kBAAkB,CAC/D,OAAM,IAAI,mBACR,yDACD;AAGH,QAAO;EACL,SAAS,QAAQ;EACjB,QAAQ,QAAQ;EAChB,UAAU,QAAQ;EAClB,qBAAqB,QAAQ;EAC7B;EACA;EACD"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@agentpress/sdk",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "description": "TypeScript SDK for the AgentPress API",
   "type": "module",
   "exports": {