@agentunion/fastaun 0.3.5 → 0.4.0

package/dist/cert-utils.d.ts

@@ -0,0 +1,29 @@
+/**
+ * 证书与签名工具函数 — 对齐 Python SDK _cert_utils.py
+ * 从 namespaces/auth.ts 提取的纯函数，供 AID/AIDStore 使用。
+ */
+import { certificateSha256Fingerprint } from './crypto.js';
+/** 解析 agent.md 尾部签名块 */
+export declare function parseAgentMdTailSignature(content: string): {
+    payload: string;
+    fields: Record<string, string> | null;
+    parseError?: string;
+};
+/** 从 agent.md frontmatter 提取 aid 字段 */
+export declare function extractAgentMdAid(payload: string): string;
+/** 规范化 agent.md payload（去除签名块，确保末尾换行） */
+export declare function normalizeAgentMdPayload(content: string): string;
+/** 构造 agent.md 签名块 */
+export declare function buildAgentMdSignatureBlock(certFingerprint: string, timestamp: number, signatureB64: string): string;
+/** 使用私钥签名（ECDSA P-256 SHA-256，DER 编码输出） */
+export declare function signBytes(privateKeyPem: string, payload: Buffer): Buffer;
+/** 使用证书公钥验签 */
+export declare function verifySignatureWithCert(certPem: string, signature: Buffer, data: Buffer): boolean;
+/** 获取证书 Subject CN */
+export declare function certCommonName(certPem: string, issuer?: boolean): string;
+/** 检查证书有效期，返回 '' | 'expired' | 'not_yet_valid' */
+export declare function certTimeError(certPem: string): '' | 'expired' | 'not_yet_valid';
+/** 获取证书公钥 DER base64 */
+export declare function publicKeyDerB64(certPem: string): string;
+/** 证书 SHA-256 指纹（复用 crypto.ts 的实现） */
+export { certificateSha256Fingerprint as certFingerprint };

package/dist/cert-utils.js

@@ -0,0 +1,142 @@
+/**
+ * 证书与签名工具函数 — 对齐 Python SDK _cert_utils.py
+ * 从 namespaces/auth.ts 提取的纯函数，供 AID/AIDStore 使用。
+ */
+import { createSign, createVerify, X509Certificate } from 'node:crypto';
+import { certificateSha256Fingerprint } from './crypto.js';
+const AGENT_MD_SIGNATURE_MARKER = '<!-- AUN-SIGNATURE';
+const AGENT_MD_SIGNATURE_RE = /^<!-- AUN-SIGNATURE\r?\n(?<body>[\s\S]*?)\r?\n-->\s*$/;
+const AGENT_MD_FINGERPRINT_RE = /^sha256:[0-9a-f]{64}$/;
+/** 解析 agent.md 尾部签名块 */
+export function parseAgentMdTailSignature(content) {
+    const idx = content.lastIndexOf(AGENT_MD_SIGNATURE_MARKER);
+    if (idx < 0)
+        return { payload: content, fields: null };
+    if (idx > 0 && content[idx - 1] !== '\n' && content[idx - 1] !== '\r') {
+        return { payload: content, fields: null };
+    }
+    const tail = content.slice(idx);
+    const match = tail.match(AGENT_MD_SIGNATURE_RE);
+    if (!match) {
+        return { payload: content.slice(0, idx), fields: null, parseError: 'malformed signature block' };
+    }
+    const fields = {};
+    for (const rawLine of match.groups?.body?.split(/\r?\n/) ?? []) {
+        const line = rawLine.trim();
+        if (!line)
+            continue;
+        const colon = line.indexOf(':');
+        if (colon < 0) {
+            return { payload: content.slice(0, idx), fields: null, parseError: `malformed signature field: ${line}` };
+        }
+        fields[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
+    }
+    for (const req of ['cert_fingerprint', 'timestamp', 'signature']) {
+        if (!fields[req]) {
+            return { payload: content.slice(0, idx), fields: null, parseError: `signature block missing ${req}` };
+        }
+    }
+    if (!AGENT_MD_FINGERPRINT_RE.test(fields.cert_fingerprint.toLowerCase())) {
+        return { payload: content.slice(0, idx), fields: null, parseError: 'invalid cert_fingerprint' };
+    }
+    if (!Number.isFinite(Number(fields.timestamp))) {
+        return { payload: content.slice(0, idx), fields: null, parseError: 'invalid timestamp' };
+    }
+    return { payload: content.slice(0, idx), fields };
+}
+/** 从 agent.md frontmatter 提取 aid 字段 */
+export function extractAgentMdAid(payload) {
+    const lines = payload.replace(/^/, '').split(/\r?\n/);
+    if (!lines.length || lines[0].trim() !== '---')
+        return '';
+    for (const line of lines.slice(1)) {
+        const t = line.trim();
+        if (t === '---')
+            break;
+        if (t.startsWith('aid:')) {
+            let v = t.slice(4).trim();
+            if (v.length >= 2 && v[0] === v[v.length - 1] && (v[0] === '"' || v[0] === "'")) {
+                v = v.slice(1, -1);
+            }
+            return v.trim();
+        }
+    }
+    return '';
+}
+/** 规范化 agent.md payload（去除签名块，确保末尾换行） */
+export function normalizeAgentMdPayload(content) {
+    let payload = parseAgentMdTailSignature(String(content ?? '')).payload;
+    if (payload && !payload.endsWith('\n') && !payload.endsWith('\r'))
+        payload += '\n';
+    return payload;
+}
+/** 构造 agent.md 签名块 */
+export function buildAgentMdSignatureBlock(certFingerprint, timestamp, signatureB64) {
+    return [
+        '<!-- AUN-SIGNATURE',
+        `cert_fingerprint: ${certFingerprint}`,
+        `timestamp: ${Math.trunc(timestamp)}`,
+        `signature: ${signatureB64}`,
+        '-->',
+    ].join('\n');
+}
+/** 使用私钥签名（ECDSA P-256 SHA-256，DER 编码输出） */
+export function signBytes(privateKeyPem, payload) {
+    const signer = createSign('SHA256');
+    signer.update(payload);
+    signer.end();
+    return signer.sign(privateKeyPem);
+}
+/** 使用证书公钥验签 */
+export function verifySignatureWithCert(certPem, signature, data) {
+    try {
+        const cert = new X509Certificate(certPem);
+        const verifier = createVerify('SHA256');
+        verifier.update(data);
+        verifier.end();
+        return verifier.verify(cert.publicKey, signature);
+    }
+    catch {
+        return false;
+    }
+}
+/** 获取证书 Subject CN */
+export function certCommonName(certPem, issuer = false) {
+    try {
+        const cert = new X509Certificate(certPem);
+        const dn = issuer ? cert.issuer : cert.subject;
+        const match = dn.match(/(?:^|,\s*)CN=([^,\n]+)/);
+        return match?.[1]?.trim() ?? '';
+    }
+    catch {
+        return '';
+    }
+}
+/** 检查证书有效期，返回 '' | 'expired' | 'not_yet_valid' */
+export function certTimeError(certPem) {
+    try {
+        const cert = new X509Certificate(certPem);
+        const now = Date.now();
+        if (now < new Date(cert.validFrom).getTime())
+            return 'not_yet_valid';
+        if (now > new Date(cert.validTo).getTime())
+            return 'expired';
+        return '';
+    }
+    catch {
+        return 'expired';
+    }
+}
+/** 获取证书公钥 DER base64 */
+export function publicKeyDerB64(certPem) {
+    try {
+        const cert = new X509Certificate(certPem);
+        return cert.publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
+    }
+    catch {
+        return '';
+    }
+}
+/** 证书 SHA-256 指纹（复用 crypto.ts 的实现） */
+export { certificateSha256Fingerprint as certFingerprint };
+//# sourceMappingURL=cert-utils.js.map

package/dist/cert-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-utils.js","sourceRoot":"","sources":["../src/cert-utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,eAAe,EAAc,MAAM,aAAa,CAAC;AACpF,OAAO,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAE3D,MAAM,yBAAyB,GAAG,oBAAoB,CAAC;AACvD,MAAM,qBAAqB,GAAG,uDAAuD,CAAC;AACtF,MAAM,uBAAuB,GAAG,uBAAuB,CAAC;AAExD,wBAAwB;AACxB,MAAM,UAAU,yBAAyB,CAAC,OAAe;IAKvD,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC,yBAAyB,CAAC,CAAC;IAC3D,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACvD,IAAI,GAAG,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC5C,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,2BAA2B,EAAE,CAAC;IACnG,CAAC;IACD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAC/D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACd,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,8BAA8B,IAAI,EAAE,EAAE,CAAC;QAC5G,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACnF,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,CAAC,kBAAkB,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACjB,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,2BAA2B,GAAG,EAAE,EAAE,CAAC;QACxG,CAAC;IACH,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACzE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,0BAA0B,EAAE,CAAC;IAClG,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,mBAAmB,EAAE,CAAC;IAC3F,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;AACpD,CAAC;AAED,uCAAuC;AACvC,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACvD,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAC1D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,KAAK;YAAE,MAAM;QACvB,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBAChF,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;YACD,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,IAAI,OAAO,GAAG,yBAAyB,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;IACvE,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,IAAI,CAAC;IACnF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,sBAAsB;AACtB,MAAM,UAAU,0BAA0B,CAAC,eAAuB,EAAE,SAAiB,EAAE,YAAoB;IACzG,OAAO;QACL,oBAAoB;QACpB,qBAAqB,eAAe,EAAE;QACtC,cAAc,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE;QACrC,cAAc,YAAY,EAAE;QAC5B,KAAK;KACN,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,SAAS,CAAC,aAAqB,EAAE,OAAe;IAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvB,MAAM,CAAC,GAAG,EAAE,CAAC;IACb,OAAO,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;AACpC,CAAC;AAED,eAAe;AACf,MAAM,UAAU,uBAAuB,CAAC,OAAe,EAAE,SAAiB,EAAE,IAAY;IACtF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACxC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACtB,QAAQ,CAAC,GAAG,EAAE,CAAC;QACf,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,sBAAsB;AACtB,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,MAAM,GAAG,KAAK;IAC5D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;QAC/C,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACjD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;YAAE,OAAO,eAAe,CAAC;QACrE,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;YAAE,OAAO,SAAS,CAAC;QAC7D,OAAO,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,wBAAwB;AACxB,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,sCAAsC;AACtC,OAAO,EAAE,4BAA4B,IAAI,eAAe,EAAE,CAAC"}

package/dist/client.d.ts

@@ -10,18 +10,37 @@
  * - 客户端签名（关键操作）
  * - 群组 E2EE 全自动编排（建群/加人/踢人/退出）
  */
-import type { ProtectedHeadersInput } from './protected-headers.js';
 import { type Subscription, type EventHandler } from './events.js';
-import { AuthNamespace } from './namespaces/auth.js';
-import { CustodyNamespace } from './namespaces/custody.js';
-import { MetaNamespace } from './namespaces/meta.js';
-import { type JsonValue, type RpcParams, type RpcResult } from './types.js';
+import { type JsonValue, type RpcParams, type RpcResult, ConnectionState } from './types.js';
+import { AID } from './aid.js';
 /**
  * 递归排序键的 JSON 序列化（Canonical JSON for AUN）
  * 等价于 Python json.dumps(sort_keys=True, separators=(",",":"), ensure_ascii=False)
  * 非 ASCII 字符直接以 UTF-8 输出，与 AAD 序列化规则一致。
  */
 export declare function stableStringify(obj: JsonValue | object | undefined): string;
+export interface AUNClientOptions extends Record<string, unknown> {
+    aun_path?: string;
+    aunPath?: string;
+    root_ca_path?: string;
+    rootCaPath?: string;
+    seed_password?: string;
+    seedPassword?: string;
+    encryption_seed?: string;
+    encryptionSeed?: string;
+    discovery_port?: number;
+    discoveryPort?: number;
+    verify_ssl?: boolean;
+    verifySSL?: boolean;
+    verifySsl?: boolean;
+    require_forward_secrecy?: boolean;
+    requireForwardSecrecy?: boolean;
+    replay_window_seconds?: number;
+    replayWindowSeconds?: number;
+    debug?: boolean;
+    protected_headers?: Record<string, unknown> | null;
+    aid?: never;
+}
 export declare class AUNClient {
     /** 原始配置 */
     readonly config: RpcParams;
@@ -33,6 +52,16 @@ export declare class AUNClient {
     private _identity;
     /** 连接状态 */
     private _state;
+    /** 当前 AID 值对象（新 API） */
+    private _currentAid;
+    /** 实例级 protected_headers */
+    private _instanceProtectedHeaders;
+    /** 重连退避时间戳（ms） */
+    private _nextRetryAt;
+    private _retryAttempt;
+    private _retryMaxAttempts;
+    private _lastError;
+    private _lastErrorCode;
     /** Gateway URL */
     private _gatewayUrl;
     /** 是否正在关闭 */
@@ -47,12 +76,6 @@ export declare class AUNClient {
     private _auth;
     /** 密钥存储 */
     private _keystore;
-    /** Auth 命名空间 */
-    readonly auth: AuthNamespace;
-    /** AID 托管命名空间 */
-    readonly custody: CustodyNamespace;
-    /** Meta 命名空间（心跳、状态、信任根管理） */
-    readonly meta: MetaNamespace;
     /** 会话参数（重连用） */
     private _sessionParams;
     /** 会话选项 */
@@ -71,6 +94,9 @@ export declare class AUNClient {
     private _remoteAgentMdEtag;
     private _agentMdCache;
     private _agentMdFetchInflight;
+    private _agentMdDownloadInflight;
+    private _agentMdDownloadActive;
+    private _agentMdDownloadWaiters;
     /** 消息序列号跟踪器（群消息 + P2P 空洞检测） */
     private _seqTracker;
     private _seqTrackerContext;
@@ -115,8 +141,11 @@ export declare class AUNClient {
     private static readonly V2_BOOTSTRAP_TTL_MS;
     private static readonly V2_RETRYABLE_CODES;
     private static readonly PULL_GATE_STALE_MS;
+    /** 对端 AID 缓存（aid string → AID 对象） */
+    private _peerCache;
     private static readonly V2_SIG_CACHE_TTL_MS;
     private static readonly V2_SIG_CACHE_MAX;
+    private static readonly AGENT_MD_DOWNLOAD_CONCURRENCY;
     private _reconnectActive;
     private _reconnectAbort;
     private _serverKicked;
@@ -124,31 +153,52 @@ export declare class AUNClient {
     private _lastDisconnectInfo;
     private _logger;
     private _clientLog;
-    constructor(config?: RpcParams, debug?: boolean);
+    constructor(options?: AUNClientOptions | null);
+    constructor(aid: AID, options?: AUNClientOptions | null);
     /** 当前 AID */
     get aid(): string | null;
+    /** 当前 AID 值对象 */
+    get currentAid(): AID | null;
+    get hasIdentity(): boolean;
+    get canSign(): boolean;
+    get canConnect(): boolean;
+    get canSend(): boolean;
+    get isReady(): boolean;
+    get isOnline(): boolean;
+    get isClosed(): boolean;
+    get aunPath(): string | null;
+    get nextRetryAt(): Date | null;
+    get nextRetryInSeconds(): number | null;
+    get retryAttempt(): number;
+    get retryMaxAttempts(): number;
+    get lastError(): Error | null;
+    get lastErrorCode(): string | null;
+    loadIdentity(aid: AID): void;
+    setProtectedHeaders(headers: Record<string, unknown> | null): void;
+    getProtectedHeaders(): Record<string, string> | null;
+    cachePeer(aid: AID): AID;
+    getPeer(aid: string): AID | null;
+    lookupPeer(aid: string): Promise<AID>;
+    peers(): AID[];
+    private _resolveAgentMdUrl;
+    private _ensureAgentMdUploadToken;
+    private _uploadAgentMd;
+    private _acquireAgentMdDownloadSlot;
+    private _releaseAgentMdDownloadSlot;
+    private _downloadAgentMd;
+    private _downloadAgentMdOnce;
+    private _headAgentMd;
+    private _verifyAgentMd;
     /**
      * 读取 {agentMdPath}/{self_aid}/agent.md，签名后上传，并把签名结果原子写回本地。
      */
     publishAgentMd(): Promise<Record<string, unknown>>;
-    /**
-     * 下载 agent.md 并自动验签；内容固定保存到 {agentMdPath}/{aid}/agent.md。
-     */
-    fetchAgentMd(aid?: string | null): Promise<{
-        aid: string;
-        content: string;
-        signature: Record<string, unknown>;
-        in_sync: boolean | null;
-        saved_to: string | null;
-        save_error: string | null;
-    }>;
     private _startAgentMdFetchTask;
     private _fetchAgentMdOnce;
     /**
      * 设置 agent.md 本地存储根目录；为空时恢复默认 {aun_path}/AIDs。
      */
-    setAgentMdPath(root?: string | null): string;
-    SetAgentMDPath(root?: string | null): string;
+    private _setAgentMdRoot;
     /**
      * 记录本地 agent.md 文件路径并一次性计算 etag（quoted sha256，与服务端一致）。
      *
@@ -193,22 +243,18 @@ export declare class AUNClient {
     private _observeAgentMdMeta;
     private _observeAgentMdEtag;
     private _observeAgentMdFromEnvelope;
-    checkAgentMd(aid?: string | null, maxUnsyncedDays?: number): Promise<Record<string, unknown>>;
+    private _checkAgentMdCache;
     /** transport 的 meta observer：吸收 gateway 注入的 _meta 字段。失败不影响业务。 */
     private _observeRpcMeta;
     /** 连接状态 */
-    get state(): string;
+    get state(): ConnectionState;
+    private _publicState;
     /** 最近一次 gateway health check 结果，null 表示尚未检查 */
     get gatewayHealth(): boolean | null;
-    /** 向 gatewayUrl 的 /health 端点发送 GET 请求，检查网关可用性 */
-    checkGatewayHealth(gatewayUrl: string, timeout?: number): Promise<boolean>;
-    /**
-     * 连接到 Gateway。
-     *
-     * @param auth - 认证参数（必须包含 access_token 和 gateway）
-     * @param options - 会话选项（auto_reconnect、heartbeat_interval 等）
-     */
-    connect(auth: RpcParams, options?: RpcParams): Promise<void>;
+    /** 仅认证当前身份，获取/刷新 token，但不建立长连接。 */
+    authenticate(options?: RpcParams): Promise<Record<string, unknown>>;
+    /** 连接到 Gateway；身份来自构造函数或 loadIdentity(aid)，认证由 SDK 内部自动完成。 */
+    connect(options?: RpcParams): Promise<void>;
     /** 关闭连接 */
     close(): Promise<void>;
     /**
@@ -216,38 +262,11 @@ export declare class AUNClient {
      * disconnect 是可恢复的：停止心跳、关闭 WebSocket，但不清理 keystore 等状态。
      */
     disconnect(): Promise<void>;
-    /**
-     * 列出本地身份摘要。
-     *
-     * @param opts.all=false（默认）：仅返回严格校验通过的可用身份——
-     *   keypair 完整 + cert 公钥 == keypair 公钥 + cert 时间窗口有效
-     * @param opts.all=true：返回所有 AIDs/ 子目录（不含 _pending/）；
-     *   每项含 valid=bool 和 reason=string 字段
-     */
-    listIdentities(opts?: {
-        all?: boolean;
-    }): Array<{
-        aid: string;
-        valid: boolean;
-        reason?: string;
-        metadata?: Record<string, unknown>;
-    }>;
-    /**
-     * 严格校验本地身份的可用性。返回 {valid, reason}。
-     * 4 项校验：keypair 完整 + cert 存在 + cert 公钥 == keypair 公钥 + cert 时间窗口有效。
-     */
-    private _validateLocalIdentity;
     /**
      * 发送 JSON-RPC 调用。
      * 自动处理内部方法限制、E2EE 加解密、客户端签名等。
      */
     call(method: string, params?: RpcParams): Promise<RpcResult>;
-    /** 心跳检测 */
-    ping(params?: RpcParams): Promise<RpcResult>;
-    /** 获取服务端状态 */
-    status(params?: RpcParams): Promise<RpcResult>;
-    /** 获取信任根证书列表 */
-    trustRoots(params?: RpcParams): Promise<RpcResult>;
     /** 订阅事件 */
     on(event: string, handler: EventHandler): Subscription;
     private _callRawV2Rpc;
@@ -383,7 +402,7 @@ export declare class AUNClient {
      * 初始化 V2 session：IK 使用 AID 长期私钥，SPK 存储在 per-AID SQLite 的 v2_device_keys 表。
      * connect 成功后会自动调用；重复调用幂等。
      */
-    initV2Session(): Promise<void>;
+    private _initV2Session;
     private _v2TrustedIKPubDer;
     private _v2SPKTimestampText;
     private _v2VerifySPKDevice;
@@ -400,43 +419,35 @@ export declare class AUNClient {
      */
     private _buildV2P2PEnvelope;
     /** V2 P2P 加密发送，推测性缓存失败后刷新 bootstrap 重试一次。 */
-    sendV2(to: string, payload: Record<string, unknown>, opts?: {
-        messageId?: string;
-        timestamp?: number;
-        protectedHeaders?: ProtectedHeadersInput;
-        context?: Record<string, unknown>;
-    }): Promise<unknown>;
+    private _sendV2;
     /** V2 P2P 拉取并解密；直接方法返回消息数组，call("message.pull") 会包装为 {messages}. */
-    pullV2(afterSeq?: number, limit?: number, opts?: {
-        skipAutoAck?: boolean;
-        gateLocked?: boolean;
-        scheduleFollowup?: boolean;
-    }): Promise<Array<Record<string, unknown>>>;
+    private _pullV2;
     /** V2 P2P ack，并触发旧 SPK 销毁自检。 */
-    ackV2(upToSeq?: number): Promise<unknown>;
+    private _ackV2;
     /** V2 Group 加密发送，推测性缓存失败后刷新 bootstrap 重试一次。 */
-    sendGroupV2(groupId: string, payload: Record<string, unknown>, opts?: {
-        messageId?: string;
-        timestamp?: number;
-        protectedHeaders?: ProtectedHeadersInput;
-        context?: Record<string, unknown>;
-    }): Promise<unknown>;
+    private _sendGroupV2;
     /** 构造 V2 Group envelope；group.send 与 group.thought.put 共用。 */
     private _buildV2GroupEnvelope;
     private _pullGroupV2Internal;
     /** V2 Group 拉取并解密；直接方法返回消息数组，call("group.pull") 会包装为 {messages}. */
-    pullGroupV2(groupId: string, afterSeq?: number, limit?: number, opts?: {
-        gateLocked?: boolean;
-        scheduleFollowup?: boolean;
-    }): Promise<Array<Record<string, unknown>>>;
+    private _pullGroupV2;
     /** V2 Group ack。 */
-    ackGroupV2(groupId: string, upToSeq?: number): Promise<unknown>;
+    private _ackGroupV2;
     /** 解密单条 V2 pull 消息。缺 sender IK 时先入 pending，后台补齐后重试。 */
     private _decryptV2Message;
     private _v2E2eeMeta;
     private _attachV2EnvelopeMetadata;
     private _attachV2EnvelopeMetadataFromSource;
     private _extractV2EnvelopeFromSource;
+    private _truthyBool;
+    private _encryptedPushEnvelope;
+    private _isEncryptedPushMessage;
+    private _isEncryptedEnvelopePayload;
+    private _isV2EncryptedEnvelopePayload;
+    private _safeUndecryptablePushEvent;
+    private _decryptEncryptedPushPayload;
+    private _publishEncryptedPushAsUndecryptable;
+    private _publishEncryptedPushMessage;
     private _metadataWithoutAuth;
     private _putMessageThoughtEncryptedV2;
     private _putGroupThoughtEncryptedV2;
@@ -462,6 +473,8 @@ export declare class AUNClient {
     /** Push 通知带 payload 时的就地解密（复用 _decryptV2Message） */
     private _decryptV2PushMessage;
     private _onV2EpochRotated;
+    /** 按当前 AID 发现 Gateway；用于 authenticate()/connect() 的新入口。 */
+    private _resolveGatewayForAid;
     /** 从参数中解析 Gateway URL */
     private _resolveGateway;
     /** 从参数中解析所有 Gateway URL（支持 string 或 string[]） */
@@ -513,11 +526,11 @@ export declare class AUNClient {
      * 创建命名群：本地生成 P-256 keypair，调用 group.create 传入 public_key，
      * 服务端签发群 AID 证书，返回后将证书和私钥存入 keystore。
      */
-    createNamedGroup(groupName: string, opts?: Record<string, unknown>): Promise<Record<string, unknown>>;
+    private createNamedGroup;
     /**
      * 为已有普通群绑定命名 AID（升级为命名群）。
      */
-    bindGroupAid(groupId: string, groupName: string): Promise<Record<string, unknown>>;
+    private bindGroupAid;
     /** 判断是否应重试重连 */
     private static _shouldRetryReconnect;
 }