@arbidocs/client 0.3.25 → 0.3.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/index.d.cts +194 -158
  2. package/dist/index.d.ts +194 -158
  3. package/package.json +1 -1
package/dist/index.d.cts CHANGED
@@ -200,7 +200,7 @@ interface paths {
200
200
  patch?: never;
201
201
  trace?: never;
202
202
  };
203
- '/v1/user/authorize': {
203
+ '/v1/user/agent': {
204
204
  parameters: {
205
205
  query?: never;
206
206
  header?: never;
@@ -210,44 +210,17 @@ interface paths {
210
210
  get?: never;
211
211
  put?: never;
212
212
  /**
213
- * Authorize Session Endpoint
214
- * @description Create a delegated session with pre-populated workspace keys.
213
+ * Create Agent
214
+ * @description Create a persistent agent owned by the current user.
215
215
  *
216
- * Frontend sends workspace keys SealedBox-encrypted with the user's session public key.
217
- * Server decrypts them, re-encrypts with a new session keypair, and creates a pending
218
- * session keyed by a 3-word claim code. The recipient redeems the code via POST /user/token.
216
+ * The frontend generates an Ed25519 keypair from a random seed (the agent's password).
217
+ * Only the public key is sent here. The agent logs in via POST /user/login using its
218
+ * synthetic email (``agentname.usr-XXXXXXXX@deploymentdomain``) and a signature derived
219
+ * from the seed.
219
220
  *
220
- * If persist_identity is True, the claim also creates a persistent Agent identity
221
- * with WorkspaceUsers rows so the agent can re-login later.
221
+ * Workspace access is granted separately via POST /workspace/{id}/users.
222
222
  */
223
- post: operations['authorize_session'];
224
- delete?: never;
225
- options?: never;
226
- head?: never;
227
- patch?: never;
228
- trace?: never;
229
- };
230
- '/v1/user/token': {
231
- parameters: {
232
- query?: never;
233
- header?: never;
234
- path?: never;
235
- cookie?: never;
236
- };
237
- get?: never;
238
- put?: never;
239
- /**
240
- * Claim Agent Session Endpoint
241
- * @description Claim an agent session using a 3-word code.
242
- *
243
- * Returns LoginResponse so the frontend can use the same auth code path as login.
244
- * Workspaces are filtered to only those included in the delegation.
245
- *
246
- * If persist_identity was set on delegation:
247
- * - signing_key is required in the request
248
- * - Creates an Agent row and WorkspaceUsers rows (role=guest)
249
- */
250
- post: operations['claim_agent_session'];
223
+ post: operations['create_agent'];
251
224
  delete?: never;
252
225
  options?: never;
253
226
  head?: never;
@@ -283,7 +256,7 @@ interface paths {
283
256
  };
284
257
  /**
285
258
  * List User Sessions
286
- * @description List active sessions. Agents/delegated see only their own session; users see all.
259
+ * @description List active sessions. Agents see only their own session; users see all.
287
260
  */
288
261
  get: operations['list_sessions'];
289
262
  put?: never;
@@ -307,18 +280,15 @@ interface paths {
307
280
  * Change Password
308
281
  * @description Change user's master password by re-keying all workspace keys.
309
282
  *
310
- * Client must:
283
+ * Self re-key (agent_ext_id omitted):
311
284
  * 1. Sign "email|timestamp" with current Ed25519 key (proves current password)
312
285
  * 2. Provide new Ed25519 signing key (derived from new password)
313
286
  * 3. Re-wrap all workspace keys with new X25519 public key
314
287
  *
315
- * Server will:
316
- * 1. Verify signature with stored signing_key_pub
317
- * 2. Derive new X25519 encryption key from new Ed25519 signing key
318
- * 3. Update both keys and all workspace wrapped keys
319
- *
320
- * Note: This changes the master password (encryption password), not authentication password.
321
- * Both local and SSO users can change their master password.
288
+ * Agent re-key (agent_ext_id provided):
289
+ * 1. Parent signs "agent_ext_id|timestamp" with their own Ed25519 key (proves authority)
290
+ * 2. Provide new Ed25519 signing key for the agent
291
+ * 3. Re-wrap the agent's workspace keys with the agent's new X25519 public key
322
292
  */
323
293
  post: operations['change_password'];
324
294
  delete?: never;
@@ -380,7 +350,7 @@ interface paths {
380
350
  * Get User Settings
381
351
  * @description Get current user's settings.
382
352
  *
383
- * Updates local subscription status (entitlements) to ensure fresh status before returning.
353
+ * Updates local subscription status (subscription tier) to ensure fresh status before returning.
384
354
  */
385
355
  get: operations['get_user_settings'];
386
356
  put?: never;
@@ -428,7 +398,7 @@ interface paths {
428
398
  * Get Stripe Subscription
429
399
  * @description Get detailed Stripe subscription information including portal URL for management.
430
400
  *
431
- * First updates local subscription status based on Stripe entitlements (to refresh after purchase),
401
+ * First updates local subscription status based on Stripe subscription tier (to refresh after purchase),
432
402
  * then fetches detailed subscription information from Stripe Subscriptions API.
433
403
  */
434
404
  get: operations['get_subscription'];
@@ -491,7 +461,7 @@ interface paths {
491
461
  * @description Open a workspace: store encrypted workspace key in session, set active, return workspace data.
492
462
  *
493
463
  * Users provide ``workspace_key`` (SealedBox-encrypted with session public key).
494
- * Agents omit it — their keys are pre-populated via ``/agent-session``.
464
+ * Agents omit it — their workspace keys are pre-populated at login from their WorkspaceUsers rows.
495
465
  */
496
466
  post: operations['open_workspace'];
497
467
  delete?: never;
@@ -519,8 +489,15 @@ interface paths {
519
489
  * Add Workspace Users
520
490
  * @description Add users to a workspace (bulk operation). Only workspace owners can add users.
521
491
  *
522
- * Client provides workspace-scoped JWT. Server decrypts workspace key from JWT claims,
523
- * then wraps it with each recipient's public key.
492
+ * Two modes:
493
+ * 1. Body supplies ``workspace_key`` + ``workspace_ext_id``: caller provides the
494
+ * SealedBox-encrypted workspace key (encrypted with their session public key).
495
+ * The workspace need not be open/active on the session. This allows sharing any
496
+ * workspace for which the caller holds a key (e.g. from their login response).
497
+ * 2. No body key: server falls back to the session's current active workspace.
498
+ *
499
+ * Wraps the workspace key with each recipient's X25519 public key (permanent grant)
500
+ * or deposits it into their Redis session (temporary grant when session_pubkey_b64 is set).
524
501
  * Returns the full WorkspaceUserResponse for each successfully added user.
525
502
  */
526
503
  post: operations['add_workspace_users'];
@@ -616,6 +593,37 @@ interface paths {
616
593
  patch?: never;
617
594
  trace?: never;
618
595
  };
596
+ '/v1/document/similar': {
597
+ parameters: {
598
+ query?: never;
599
+ header?: never;
600
+ path?: never;
601
+ cookie?: never;
602
+ };
603
+ /**
604
+ * Get Similar Documents
605
+ * @description Return document similarity pairs from the doc_similarities table.
606
+ *
607
+ * Pairs are stored at upload time for documents with similarity >= NEAR_DUPLICATE_STORE_THRESHOLD.
608
+ * Use the threshold param to filter (e.g. 0.92 for near-duplicates, 0.75 for similar docs).
609
+ * Use doc_ext_id to find all documents similar to a specific document.
610
+ *
611
+ * Args:
612
+ * threshold: Minimum cosine similarity score (0.0–1.0). Default 0.0 returns all stored pairs.
613
+ * doc_ext_id: Optional document ID to filter pairs involving that specific document.
614
+ *
615
+ * Returns:
616
+ * List of document similarity pairs with scores.
617
+ */
618
+ get: operations['get_similar_documents'];
619
+ put?: never;
620
+ post?: never;
621
+ delete?: never;
622
+ options?: never;
623
+ head?: never;
624
+ patch?: never;
625
+ trace?: never;
626
+ };
619
627
  '/v1/document/': {
620
628
  parameters: {
621
629
  query?: never;
@@ -1504,28 +1512,32 @@ interface components {
1504
1512
  };
1505
1513
  /**
1506
1514
  * AddWorkspaceUsersRequest
1507
- * @description Request to add users to a workspace (POST /workspace/{id}/users).
1515
+ * @description Request to add users to a workspace (POST /workspace/users).
1508
1516
  *
1509
1517
  * All invited users receive the same role.
1518
+ *
1519
+ * workspace_key + workspace_ext_id (optional): If provided, the caller supplies the
1520
+ * SealedBox-encrypted workspace key directly (encrypted with their session public key)
1521
+ * and the target workspace external ID. This allows sharing any workspace the caller
1522
+ * holds a key for without needing to open/activate it first. If omitted, the server
1523
+ * falls back to the current session's active workspace.
1524
+ *
1525
+ * session_pubkey_b64 (optional): If set, the grant is temporary and scoped to the
1526
+ * recipient's current session (identified by this X25519 public key). The workspace
1527
+ * key is stored in that session's Redis entry and the workspaceusers row expires when
1528
+ * the session expires. Omit for a permanent grant (default behaviour).
1510
1529
  */
1511
1530
  AddWorkspaceUsersRequest: {
1512
1531
  /** Emails */
1513
1532
  emails: string[];
1514
1533
  /** @default collaborator */
1515
1534
  role: components['schemas']['WorkspaceRole'];
1516
- };
1517
- /**
1518
- * AgentSessionClaimRequest
1519
- * @description Claim an agent session using a 3-word code.
1520
- *
1521
- * If the pending session has persist_identity=True, signing_key is required
1522
- * to create the Agent identity. Otherwise it is accepted but ignored.
1523
- */
1524
- AgentSessionClaimRequest: {
1525
- /** Claim Code */
1526
- claim_code: string;
1527
- /** Signing Key */
1528
- signing_key?: string | null;
1535
+ /** Workspace Key */
1536
+ workspace_key?: string | null;
1537
+ /** Workspace Ext Id */
1538
+ workspace_ext_id?: string | null;
1539
+ /** Session Pubkey B64 */
1540
+ session_pubkey_b64?: string | null;
1529
1541
  };
1530
1542
  /**
1531
1543
  * AgentStepEvent
@@ -2265,47 +2277,6 @@ interface components {
2265
2277
  /** Reason */
2266
2278
  reason?: string | null;
2267
2279
  };
2268
- /**
2269
- * AuthorizeRequest
2270
- * @description Authorize a delegated session with workspace keys.
2271
- *
2272
- * Used by: POST /user/authorize (authenticated)
2273
- *
2274
- * Frontend sends workspace keys SealedBox-encrypted with the user's session public key.
2275
- * Server decrypts them, re-encrypts with a new session keypair, and creates a pending
2276
- * session keyed by a 3-word claim code. The recipient redeems the code via POST /user/token.
2277
- *
2278
- * If persist_identity is True, the claim creates a persistent Agent identity
2279
- * with its own keypair and WorkspaceUsers rows. The agent can then re-login.
2280
- */
2281
- AuthorizeRequest: {
2282
- /** Workspaces */
2283
- workspaces: {
2284
- [key: string]: string;
2285
- };
2286
- /** Active Workspace */
2287
- active_workspace?: string | null;
2288
- /**
2289
- * Ttl
2290
- * @default 3600
2291
- */
2292
- ttl: number;
2293
- /**
2294
- * Persist Identity
2295
- * @default false
2296
- */
2297
- persist_identity: boolean;
2298
- /** Name */
2299
- name: string;
2300
- };
2301
- /**
2302
- * AuthorizeResponse
2303
- * @description Response containing a 3-word claim code for the recipient to retrieve a JWT.
2304
- */
2305
- AuthorizeResponse: {
2306
- /** Claim Code */
2307
- claim_code: string;
2308
- };
2309
2280
  /**
2310
2281
  * BatchCompleteMessage
2311
2282
  * @description Notification that a batch operation (upload or doctag generation) completed.
@@ -2331,8 +2302,15 @@ interface components {
2331
2302
  * ChangePasswordRequest
2332
2303
  * @description Password change request with signature-based auth.
2333
2304
  *
2334
- * Client proves knowledge of current password by signing with Ed25519 key.
2335
- * Server derives new X25519 encryption key from new Ed25519 signing key.
2305
+ * Self re-key (agent_ext_id omitted):
2306
+ * Client proves knowledge of current password by signing "email|timestamp"
2307
+ * with their own Ed25519 key.
2308
+ *
2309
+ * Agent re-key (agent_ext_id provided):
2310
+ * Parent re-keys an agent's signing/encryption keys. Parent proves authority
2311
+ * by signing "agent_ext_id|timestamp" with their own Ed25519 key.
2312
+ * rewrapped_workspace_keys must contain entries for the agent's workspaces,
2313
+ * each wrapped with the agent's new X25519 public key.
2336
2314
  */
2337
2315
  ChangePasswordRequest: {
2338
2316
  /** Signature */
@@ -2345,6 +2323,12 @@ interface components {
2345
2323
  rewrapped_workspace_keys: {
2346
2324
  [key: string]: string;
2347
2325
  };
2326
+ /** Agent Ext Id */
2327
+ agent_ext_id?: string | null;
2328
+ /** Rewrapped Agent Recovery Keys */
2329
+ rewrapped_agent_recovery_keys?: {
2330
+ [key: string]: string;
2331
+ } | null;
2348
2332
  };
2349
2333
  /** ChangePasswordResponse */
2350
2334
  ChangePasswordResponse: {
@@ -2833,6 +2817,28 @@ interface components {
2833
2817
  */
2834
2818
  results: components['schemas']['CopyDocumentResult'][];
2835
2819
  };
2820
+ /**
2821
+ * CreateAgentRequest
2822
+ * @description Create a persistent agent owned by the current user.
2823
+ *
2824
+ * Used by: POST /user/agent (authenticated, non-agent)
2825
+ *
2826
+ * Frontend generates an Ed25519 keypair from a random seed (the agent's "password").
2827
+ * Only the public key is sent here; the seed is given to the agent CLI.
2828
+ * The agent's synthetic email is ``agentname.usr-XXXXXXXX@deploymentdomain``.
2829
+ * The agent logs in via POST /user/login using this email + Ed25519 signature.
2830
+ *
2831
+ * Agent name must be composed of letters, digits, hyphens, and underscores only
2832
+ * (must start with a letter or digit) so it is valid as an email local-part.
2833
+ */
2834
+ CreateAgentRequest: {
2835
+ /** Name */
2836
+ name: string;
2837
+ /** Signing Key */
2838
+ signing_key: string;
2839
+ /** Recovery Key */
2840
+ recovery_key?: string | null;
2841
+ };
2836
2842
  /**
2837
2843
  * CreateArtifactDetail
2838
2844
  * @description Detail for a create_artifact tool call.
@@ -3050,6 +3056,26 @@ interface components {
3050
3056
  doctags: components['schemas']['DocTagResponse'][];
3051
3057
  doc_metadata?: components['schemas']['DocMetadata'] | null;
3052
3058
  };
3059
+ /**
3060
+ * DocSimPair
3061
+ * @description A pair of documents identified as near-duplicates by centroid similarity.
3062
+ */
3063
+ DocSimPair: {
3064
+ doc_a: components['schemas']['DocResponse'];
3065
+ doc_b: components['schemas']['DocResponse'];
3066
+ /** Similarity */
3067
+ similarity: number;
3068
+ };
3069
+ /**
3070
+ * DocSimResponse
3071
+ * @description Response for the near-duplicates endpoint.
3072
+ */
3073
+ DocSimResponse: {
3074
+ /** Workspace Ext Id */
3075
+ workspace_ext_id: string;
3076
+ /** Pairs */
3077
+ pairs: components['schemas']['DocSimPair'][];
3078
+ };
3053
3079
  /**
3054
3080
  * DocTagResponse
3055
3081
  * @description Response for doctag operations - the link between a document and a tag.
@@ -3587,22 +3613,24 @@ interface components {
3587
3613
  * LoginRequest
3588
3614
  * @description Unified login request for users and agents.
3589
3615
  *
3616
+ * Both human users and persistent agents authenticate via email + Ed25519 signature.
3617
+ * Agents have a synthetic email (``parent+agentname@domain``).
3618
+ *
3590
3619
  * For local users: email + signature + timestamp
3591
3620
  * For SSO users: email + signature + timestamp + sso_token
3592
- * For agents: agent_ext_id + signature + timestamp
3593
- *
3594
- * Exactly one of ``email`` or ``agent_ext_id`` must be provided.
3621
+ * For agents: email (agent's synthetic address) + signature + timestamp
3595
3622
  *
3596
3623
  * Authentication flow:
3597
3624
  * 1. Client derives Ed25519 keypair from password (users) or has stored key (agents)
3598
- * 2. Client signs "identity|timestamp" with Ed25519 private key
3625
+ * 2. Client signs "email|timestamp" with Ed25519 private key
3599
3626
  * 3. Server verifies signature using stored Ed25519 public key
3600
3627
  */
3601
3628
  LoginRequest: {
3602
- /** Email */
3603
- email?: string | null;
3604
- /** Agent Ext Id */
3605
- agent_ext_id?: string | null;
3629
+ /**
3630
+ * Email
3631
+ * Format: email
3632
+ */
3633
+ email: string;
3606
3634
  /** Signature */
3607
3635
  signature: string;
3608
3636
  /** Timestamp */
@@ -4076,7 +4104,7 @@ interface components {
4076
4104
  * Type is self-descriptive, no need to parse content field.
4077
4105
  * @enum {string}
4078
4106
  */
4079
- NotificationType: 'user_message' | 'workspaceuser_added_owner' | 'workspaceuser_added_collaborator' | 'workspaceuser_added_guest' | 'workspaceuser_removed' | 'workspaceuser_updated_owner' | 'workspaceuser_updated_collaborator' | 'workspaceuser_updated_guest' | 'contact_accepted' | 'access_request' | 'access_code' | 'email_reply';
4107
+ NotificationType: 'user_message' | 'workspaceuser_added_owner' | 'workspaceuser_added_collaborator' | 'workspaceuser_added_guest' | 'workspaceuser_removed' | 'workspaceuser_updated_owner' | 'workspaceuser_updated_collaborator' | 'workspaceuser_updated_guest' | 'contact_accepted' | 'email_reply';
4080
4108
  /**
4081
4109
  * NotificationUpdate
4082
4110
  * @description Single notification update for bulk PATCH.
@@ -5666,11 +5694,12 @@ interface components {
5666
5694
  * SubscriptionStatusResponse
5667
5695
  * @description Subscription status response - unified model for all subscription states.
5668
5696
  *
5669
- * Status can be:
5670
- * - "trialing": User is on trial (has trial_expires, days_remaining)
5671
- * - "active": Active Stripe subscription (has plan, amount, currency, etc.)
5672
- * - "canceled": Had subscription but canceled (has portal_url)
5673
- * - "none": No subscription or trial
5697
+ * Status is one of the tier names configured in STRIPE_TIERS, plus system tiers:
5698
+ * - Paid tiers (e.g., "pro", "pro_plus"): Active Stripe subscription
5699
+ * - "trial": User is on trial (has trial_expires, days_remaining)
5700
+ * - "dev": Developer access
5701
+ * - "restricted": No access (trial expired or no subscription)
5702
+ * - "inactive": Expired/canceled/unpaid Stripe subscription
5674
5703
  */
5675
5704
  SubscriptionStatusResponse: {
5676
5705
  /** Status */
@@ -6711,6 +6740,7 @@ interface components {
6711
6740
  * @description User (or agent) with their role in a workspace.
6712
6741
  *
6713
6742
  * For agents: agent_ext_id is set (agt-XXXXXXXX), name is user.given_name.
6743
+ * is_temporary: True when the grant is session-scoped (expires_at is set in DB).
6714
6744
  */
6715
6745
  WorkspaceUserResponse: {
6716
6746
  user: components['schemas']['UserResponse'];
@@ -6732,6 +6762,11 @@ interface components {
6732
6762
  document_count: number;
6733
6763
  /** Agent Ext Id */
6734
6764
  agent_ext_id?: string | null;
6765
+ /**
6766
+ * Is Temporary
6767
+ * @default false
6768
+ */
6769
+ is_temporary: boolean;
6735
6770
  };
6736
6771
  };
6737
6772
  responses: never;
@@ -7033,7 +7068,7 @@ interface operations {
7033
7068
  };
7034
7069
  };
7035
7070
  };
7036
- authorize_session: {
7071
+ create_agent: {
7037
7072
  parameters: {
7038
7073
  query?: never;
7039
7074
  header?: never;
@@ -7042,50 +7077,17 @@ interface operations {
7042
7077
  };
7043
7078
  requestBody: {
7044
7079
  content: {
7045
- 'application/json': components['schemas']['AuthorizeRequest'];
7080
+ 'application/json': components['schemas']['CreateAgentRequest'];
7046
7081
  };
7047
7082
  };
7048
7083
  responses: {
7049
7084
  /** @description Successful Response */
7050
- 200: {
7051
- headers: {
7052
- [name: string]: unknown;
7053
- };
7054
- content: {
7055
- 'application/json': components['schemas']['AuthorizeResponse'];
7056
- };
7057
- };
7058
- /** @description Validation Error */
7059
- 422: {
7060
- headers: {
7061
- [name: string]: unknown;
7062
- };
7063
- content: {
7064
- 'application/json': components['schemas']['HTTPValidationError'];
7065
- };
7066
- };
7067
- };
7068
- };
7069
- claim_agent_session: {
7070
- parameters: {
7071
- query?: never;
7072
- header?: never;
7073
- path?: never;
7074
- cookie?: never;
7075
- };
7076
- requestBody: {
7077
- content: {
7078
- 'application/json': components['schemas']['AgentSessionClaimRequest'];
7079
- };
7080
- };
7081
- responses: {
7082
- /** @description Successful Response */
7083
- 200: {
7085
+ 201: {
7084
7086
  headers: {
7085
7087
  [name: string]: unknown;
7086
7088
  };
7087
7089
  content: {
7088
- 'application/json': components['schemas']['LoginResponse'];
7090
+ 'application/json': components['schemas']['UserResponse'];
7089
7091
  };
7090
7092
  };
7091
7093
  /** @description Validation Error */
@@ -7665,6 +7667,40 @@ interface operations {
7665
7667
  };
7666
7668
  };
7667
7669
  };
7670
+ get_similar_documents: {
7671
+ parameters: {
7672
+ query?: {
7673
+ /** @description Minimum similarity score (0.0 = all stored pairs) */
7674
+ threshold?: number;
7675
+ /** @description Filter pairs involving a specific document */
7676
+ doc_ext_id?: string | null;
7677
+ };
7678
+ header?: never;
7679
+ path?: never;
7680
+ cookie?: never;
7681
+ };
7682
+ requestBody?: never;
7683
+ responses: {
7684
+ /** @description Successful Response */
7685
+ 200: {
7686
+ headers: {
7687
+ [name: string]: unknown;
7688
+ };
7689
+ content: {
7690
+ 'application/json': components['schemas']['DocSimResponse'];
7691
+ };
7692
+ };
7693
+ /** @description Validation Error */
7694
+ 422: {
7695
+ headers: {
7696
+ [name: string]: unknown;
7697
+ };
7698
+ content: {
7699
+ 'application/json': components['schemas']['HTTPValidationError'];
7700
+ };
7701
+ };
7702
+ };
7703
+ };
7668
7704
  get_documents: {
7669
7705
  parameters: {
7670
7706
  query: {
package/dist/index.d.ts CHANGED
@@ -200,7 +200,7 @@ interface paths {
200
200
  patch?: never;
201
201
  trace?: never;
202
202
  };
203
- '/v1/user/authorize': {
203
+ '/v1/user/agent': {
204
204
  parameters: {
205
205
  query?: never;
206
206
  header?: never;
@@ -210,44 +210,17 @@ interface paths {
210
210
  get?: never;
211
211
  put?: never;
212
212
  /**
213
- * Authorize Session Endpoint
214
- * @description Create a delegated session with pre-populated workspace keys.
213
+ * Create Agent
214
+ * @description Create a persistent agent owned by the current user.
215
215
  *
216
- * Frontend sends workspace keys SealedBox-encrypted with the user's session public key.
217
- * Server decrypts them, re-encrypts with a new session keypair, and creates a pending
218
- * session keyed by a 3-word claim code. The recipient redeems the code via POST /user/token.
216
+ * The frontend generates an Ed25519 keypair from a random seed (the agent's password).
217
+ * Only the public key is sent here. The agent logs in via POST /user/login using its
218
+ * synthetic email (``agentname.usr-XXXXXXXX@deploymentdomain``) and a signature derived
219
+ * from the seed.
219
220
  *
220
- * If persist_identity is True, the claim also creates a persistent Agent identity
221
- * with WorkspaceUsers rows so the agent can re-login later.
221
+ * Workspace access is granted separately via POST /workspace/{id}/users.
222
222
  */
223
- post: operations['authorize_session'];
224
- delete?: never;
225
- options?: never;
226
- head?: never;
227
- patch?: never;
228
- trace?: never;
229
- };
230
- '/v1/user/token': {
231
- parameters: {
232
- query?: never;
233
- header?: never;
234
- path?: never;
235
- cookie?: never;
236
- };
237
- get?: never;
238
- put?: never;
239
- /**
240
- * Claim Agent Session Endpoint
241
- * @description Claim an agent session using a 3-word code.
242
- *
243
- * Returns LoginResponse so the frontend can use the same auth code path as login.
244
- * Workspaces are filtered to only those included in the delegation.
245
- *
246
- * If persist_identity was set on delegation:
247
- * - signing_key is required in the request
248
- * - Creates an Agent row and WorkspaceUsers rows (role=guest)
249
- */
250
- post: operations['claim_agent_session'];
223
+ post: operations['create_agent'];
251
224
  delete?: never;
252
225
  options?: never;
253
226
  head?: never;
@@ -283,7 +256,7 @@ interface paths {
283
256
  };
284
257
  /**
285
258
  * List User Sessions
286
- * @description List active sessions. Agents/delegated see only their own session; users see all.
259
+ * @description List active sessions. Agents see only their own session; users see all.
287
260
  */
288
261
  get: operations['list_sessions'];
289
262
  put?: never;
@@ -307,18 +280,15 @@ interface paths {
307
280
  * Change Password
308
281
  * @description Change user's master password by re-keying all workspace keys.
309
282
  *
310
- * Client must:
283
+ * Self re-key (agent_ext_id omitted):
311
284
  * 1. Sign "email|timestamp" with current Ed25519 key (proves current password)
312
285
  * 2. Provide new Ed25519 signing key (derived from new password)
313
286
  * 3. Re-wrap all workspace keys with new X25519 public key
314
287
  *
315
- * Server will:
316
- * 1. Verify signature with stored signing_key_pub
317
- * 2. Derive new X25519 encryption key from new Ed25519 signing key
318
- * 3. Update both keys and all workspace wrapped keys
319
- *
320
- * Note: This changes the master password (encryption password), not authentication password.
321
- * Both local and SSO users can change their master password.
288
+ * Agent re-key (agent_ext_id provided):
289
+ * 1. Parent signs "agent_ext_id|timestamp" with their own Ed25519 key (proves authority)
290
+ * 2. Provide new Ed25519 signing key for the agent
291
+ * 3. Re-wrap the agent's workspace keys with the agent's new X25519 public key
322
292
  */
323
293
  post: operations['change_password'];
324
294
  delete?: never;
@@ -380,7 +350,7 @@ interface paths {
380
350
  * Get User Settings
381
351
  * @description Get current user's settings.
382
352
  *
383
- * Updates local subscription status (entitlements) to ensure fresh status before returning.
353
+ * Updates local subscription status (subscription tier) to ensure fresh status before returning.
384
354
  */
385
355
  get: operations['get_user_settings'];
386
356
  put?: never;
@@ -428,7 +398,7 @@ interface paths {
428
398
  * Get Stripe Subscription
429
399
  * @description Get detailed Stripe subscription information including portal URL for management.
430
400
  *
431
- * First updates local subscription status based on Stripe entitlements (to refresh after purchase),
401
+ * First updates local subscription status based on Stripe subscription tier (to refresh after purchase),
432
402
  * then fetches detailed subscription information from Stripe Subscriptions API.
433
403
  */
434
404
  get: operations['get_subscription'];
@@ -491,7 +461,7 @@ interface paths {
491
461
  * @description Open a workspace: store encrypted workspace key in session, set active, return workspace data.
492
462
  *
493
463
  * Users provide ``workspace_key`` (SealedBox-encrypted with session public key).
494
- * Agents omit it — their keys are pre-populated via ``/agent-session``.
464
+ * Agents omit it — their workspace keys are pre-populated at login from their WorkspaceUsers rows.
495
465
  */
496
466
  post: operations['open_workspace'];
497
467
  delete?: never;
@@ -519,8 +489,15 @@ interface paths {
519
489
  * Add Workspace Users
520
490
  * @description Add users to a workspace (bulk operation). Only workspace owners can add users.
521
491
  *
522
- * Client provides workspace-scoped JWT. Server decrypts workspace key from JWT claims,
523
- * then wraps it with each recipient's public key.
492
+ * Two modes:
493
+ * 1. Body supplies ``workspace_key`` + ``workspace_ext_id``: caller provides the
494
+ * SealedBox-encrypted workspace key (encrypted with their session public key).
495
+ * The workspace need not be open/active on the session. This allows sharing any
496
+ * workspace for which the caller holds a key (e.g. from their login response).
497
+ * 2. No body key: server falls back to the session's current active workspace.
498
+ *
499
+ * Wraps the workspace key with each recipient's X25519 public key (permanent grant)
500
+ * or deposits it into their Redis session (temporary grant when session_pubkey_b64 is set).
524
501
  * Returns the full WorkspaceUserResponse for each successfully added user.
525
502
  */
526
503
  post: operations['add_workspace_users'];
@@ -616,6 +593,37 @@ interface paths {
616
593
  patch?: never;
617
594
  trace?: never;
618
595
  };
596
+ '/v1/document/similar': {
597
+ parameters: {
598
+ query?: never;
599
+ header?: never;
600
+ path?: never;
601
+ cookie?: never;
602
+ };
603
+ /**
604
+ * Get Similar Documents
605
+ * @description Return document similarity pairs from the doc_similarities table.
606
+ *
607
+ * Pairs are stored at upload time for documents with similarity >= NEAR_DUPLICATE_STORE_THRESHOLD.
608
+ * Use the threshold param to filter (e.g. 0.92 for near-duplicates, 0.75 for similar docs).
609
+ * Use doc_ext_id to find all documents similar to a specific document.
610
+ *
611
+ * Args:
612
+ * threshold: Minimum cosine similarity score (0.0–1.0). Default 0.0 returns all stored pairs.
613
+ * doc_ext_id: Optional document ID to filter pairs involving that specific document.
614
+ *
615
+ * Returns:
616
+ * List of document similarity pairs with scores.
617
+ */
618
+ get: operations['get_similar_documents'];
619
+ put?: never;
620
+ post?: never;
621
+ delete?: never;
622
+ options?: never;
623
+ head?: never;
624
+ patch?: never;
625
+ trace?: never;
626
+ };
619
627
  '/v1/document/': {
620
628
  parameters: {
621
629
  query?: never;
@@ -1504,28 +1512,32 @@ interface components {
1504
1512
  };
1505
1513
  /**
1506
1514
  * AddWorkspaceUsersRequest
1507
- * @description Request to add users to a workspace (POST /workspace/{id}/users).
1515
+ * @description Request to add users to a workspace (POST /workspace/users).
1508
1516
  *
1509
1517
  * All invited users receive the same role.
1518
+ *
1519
+ * workspace_key + workspace_ext_id (optional): If provided, the caller supplies the
1520
+ * SealedBox-encrypted workspace key directly (encrypted with their session public key)
1521
+ * and the target workspace external ID. This allows sharing any workspace the caller
1522
+ * holds a key for without needing to open/activate it first. If omitted, the server
1523
+ * falls back to the current session's active workspace.
1524
+ *
1525
+ * session_pubkey_b64 (optional): If set, the grant is temporary and scoped to the
1526
+ * recipient's current session (identified by this X25519 public key). The workspace
1527
+ * key is stored in that session's Redis entry and the workspaceusers row expires when
1528
+ * the session expires. Omit for a permanent grant (default behaviour).
1510
1529
  */
1511
1530
  AddWorkspaceUsersRequest: {
1512
1531
  /** Emails */
1513
1532
  emails: string[];
1514
1533
  /** @default collaborator */
1515
1534
  role: components['schemas']['WorkspaceRole'];
1516
- };
1517
- /**
1518
- * AgentSessionClaimRequest
1519
- * @description Claim an agent session using a 3-word code.
1520
- *
1521
- * If the pending session has persist_identity=True, signing_key is required
1522
- * to create the Agent identity. Otherwise it is accepted but ignored.
1523
- */
1524
- AgentSessionClaimRequest: {
1525
- /** Claim Code */
1526
- claim_code: string;
1527
- /** Signing Key */
1528
- signing_key?: string | null;
1535
+ /** Workspace Key */
1536
+ workspace_key?: string | null;
1537
+ /** Workspace Ext Id */
1538
+ workspace_ext_id?: string | null;
1539
+ /** Session Pubkey B64 */
1540
+ session_pubkey_b64?: string | null;
1529
1541
  };
1530
1542
  /**
1531
1543
  * AgentStepEvent
@@ -2265,47 +2277,6 @@ interface components {
2265
2277
  /** Reason */
2266
2278
  reason?: string | null;
2267
2279
  };
2268
- /**
2269
- * AuthorizeRequest
2270
- * @description Authorize a delegated session with workspace keys.
2271
- *
2272
- * Used by: POST /user/authorize (authenticated)
2273
- *
2274
- * Frontend sends workspace keys SealedBox-encrypted with the user's session public key.
2275
- * Server decrypts them, re-encrypts with a new session keypair, and creates a pending
2276
- * session keyed by a 3-word claim code. The recipient redeems the code via POST /user/token.
2277
- *
2278
- * If persist_identity is True, the claim creates a persistent Agent identity
2279
- * with its own keypair and WorkspaceUsers rows. The agent can then re-login.
2280
- */
2281
- AuthorizeRequest: {
2282
- /** Workspaces */
2283
- workspaces: {
2284
- [key: string]: string;
2285
- };
2286
- /** Active Workspace */
2287
- active_workspace?: string | null;
2288
- /**
2289
- * Ttl
2290
- * @default 3600
2291
- */
2292
- ttl: number;
2293
- /**
2294
- * Persist Identity
2295
- * @default false
2296
- */
2297
- persist_identity: boolean;
2298
- /** Name */
2299
- name: string;
2300
- };
2301
- /**
2302
- * AuthorizeResponse
2303
- * @description Response containing a 3-word claim code for the recipient to retrieve a JWT.
2304
- */
2305
- AuthorizeResponse: {
2306
- /** Claim Code */
2307
- claim_code: string;
2308
- };
2309
2280
  /**
2310
2281
  * BatchCompleteMessage
2311
2282
  * @description Notification that a batch operation (upload or doctag generation) completed.
@@ -2331,8 +2302,15 @@ interface components {
2331
2302
  * ChangePasswordRequest
2332
2303
  * @description Password change request with signature-based auth.
2333
2304
  *
2334
- * Client proves knowledge of current password by signing with Ed25519 key.
2335
- * Server derives new X25519 encryption key from new Ed25519 signing key.
2305
+ * Self re-key (agent_ext_id omitted):
2306
+ * Client proves knowledge of current password by signing "email|timestamp"
2307
+ * with their own Ed25519 key.
2308
+ *
2309
+ * Agent re-key (agent_ext_id provided):
2310
+ * Parent re-keys an agent's signing/encryption keys. Parent proves authority
2311
+ * by signing "agent_ext_id|timestamp" with their own Ed25519 key.
2312
+ * rewrapped_workspace_keys must contain entries for the agent's workspaces,
2313
+ * each wrapped with the agent's new X25519 public key.
2336
2314
  */
2337
2315
  ChangePasswordRequest: {
2338
2316
  /** Signature */
@@ -2345,6 +2323,12 @@ interface components {
2345
2323
  rewrapped_workspace_keys: {
2346
2324
  [key: string]: string;
2347
2325
  };
2326
+ /** Agent Ext Id */
2327
+ agent_ext_id?: string | null;
2328
+ /** Rewrapped Agent Recovery Keys */
2329
+ rewrapped_agent_recovery_keys?: {
2330
+ [key: string]: string;
2331
+ } | null;
2348
2332
  };
2349
2333
  /** ChangePasswordResponse */
2350
2334
  ChangePasswordResponse: {
@@ -2833,6 +2817,28 @@ interface components {
2833
2817
  */
2834
2818
  results: components['schemas']['CopyDocumentResult'][];
2835
2819
  };
2820
+ /**
2821
+ * CreateAgentRequest
2822
+ * @description Create a persistent agent owned by the current user.
2823
+ *
2824
+ * Used by: POST /user/agent (authenticated, non-agent)
2825
+ *
2826
+ * Frontend generates an Ed25519 keypair from a random seed (the agent's "password").
2827
+ * Only the public key is sent here; the seed is given to the agent CLI.
2828
+ * The agent's synthetic email is ``agentname.usr-XXXXXXXX@deploymentdomain``.
2829
+ * The agent logs in via POST /user/login using this email + Ed25519 signature.
2830
+ *
2831
+ * Agent name must be composed of letters, digits, hyphens, and underscores only
2832
+ * (must start with a letter or digit) so it is valid as an email local-part.
2833
+ */
2834
+ CreateAgentRequest: {
2835
+ /** Name */
2836
+ name: string;
2837
+ /** Signing Key */
2838
+ signing_key: string;
2839
+ /** Recovery Key */
2840
+ recovery_key?: string | null;
2841
+ };
2836
2842
  /**
2837
2843
  * CreateArtifactDetail
2838
2844
  * @description Detail for a create_artifact tool call.
@@ -3050,6 +3056,26 @@ interface components {
3050
3056
  doctags: components['schemas']['DocTagResponse'][];
3051
3057
  doc_metadata?: components['schemas']['DocMetadata'] | null;
3052
3058
  };
3059
+ /**
3060
+ * DocSimPair
3061
+ * @description A pair of documents identified as near-duplicates by centroid similarity.
3062
+ */
3063
+ DocSimPair: {
3064
+ doc_a: components['schemas']['DocResponse'];
3065
+ doc_b: components['schemas']['DocResponse'];
3066
+ /** Similarity */
3067
+ similarity: number;
3068
+ };
3069
+ /**
3070
+ * DocSimResponse
3071
+ * @description Response for the near-duplicates endpoint.
3072
+ */
3073
+ DocSimResponse: {
3074
+ /** Workspace Ext Id */
3075
+ workspace_ext_id: string;
3076
+ /** Pairs */
3077
+ pairs: components['schemas']['DocSimPair'][];
3078
+ };
3053
3079
  /**
3054
3080
  * DocTagResponse
3055
3081
  * @description Response for doctag operations - the link between a document and a tag.
@@ -3587,22 +3613,24 @@ interface components {
3587
3613
  * LoginRequest
3588
3614
  * @description Unified login request for users and agents.
3589
3615
  *
3616
+ * Both human users and persistent agents authenticate via email + Ed25519 signature.
3617
+ * Agents have a synthetic email (``parent+agentname@domain``).
3618
+ *
3590
3619
  * For local users: email + signature + timestamp
3591
3620
  * For SSO users: email + signature + timestamp + sso_token
3592
- * For agents: agent_ext_id + signature + timestamp
3593
- *
3594
- * Exactly one of ``email`` or ``agent_ext_id`` must be provided.
3621
+ * For agents: email (agent's synthetic address) + signature + timestamp
3595
3622
  *
3596
3623
  * Authentication flow:
3597
3624
  * 1. Client derives Ed25519 keypair from password (users) or has stored key (agents)
3598
- * 2. Client signs "identity|timestamp" with Ed25519 private key
3625
+ * 2. Client signs "email|timestamp" with Ed25519 private key
3599
3626
  * 3. Server verifies signature using stored Ed25519 public key
3600
3627
  */
3601
3628
  LoginRequest: {
3602
- /** Email */
3603
- email?: string | null;
3604
- /** Agent Ext Id */
3605
- agent_ext_id?: string | null;
3629
+ /**
3630
+ * Email
3631
+ * Format: email
3632
+ */
3633
+ email: string;
3606
3634
  /** Signature */
3607
3635
  signature: string;
3608
3636
  /** Timestamp */
@@ -4076,7 +4104,7 @@ interface components {
4076
4104
  * Type is self-descriptive, no need to parse content field.
4077
4105
  * @enum {string}
4078
4106
  */
4079
- NotificationType: 'user_message' | 'workspaceuser_added_owner' | 'workspaceuser_added_collaborator' | 'workspaceuser_added_guest' | 'workspaceuser_removed' | 'workspaceuser_updated_owner' | 'workspaceuser_updated_collaborator' | 'workspaceuser_updated_guest' | 'contact_accepted' | 'access_request' | 'access_code' | 'email_reply';
4107
+ NotificationType: 'user_message' | 'workspaceuser_added_owner' | 'workspaceuser_added_collaborator' | 'workspaceuser_added_guest' | 'workspaceuser_removed' | 'workspaceuser_updated_owner' | 'workspaceuser_updated_collaborator' | 'workspaceuser_updated_guest' | 'contact_accepted' | 'email_reply';
4080
4108
  /**
4081
4109
  * NotificationUpdate
4082
4110
  * @description Single notification update for bulk PATCH.
@@ -5666,11 +5694,12 @@ interface components {
5666
5694
  * SubscriptionStatusResponse
5667
5695
  * @description Subscription status response - unified model for all subscription states.
5668
5696
  *
5669
- * Status can be:
5670
- * - "trialing": User is on trial (has trial_expires, days_remaining)
5671
- * - "active": Active Stripe subscription (has plan, amount, currency, etc.)
5672
- * - "canceled": Had subscription but canceled (has portal_url)
5673
- * - "none": No subscription or trial
5697
+ * Status is one of the tier names configured in STRIPE_TIERS, plus system tiers:
5698
+ * - Paid tiers (e.g., "pro", "pro_plus"): Active Stripe subscription
5699
+ * - "trial": User is on trial (has trial_expires, days_remaining)
5700
+ * - "dev": Developer access
5701
+ * - "restricted": No access (trial expired or no subscription)
5702
+ * - "inactive": Expired/canceled/unpaid Stripe subscription
5674
5703
  */
5675
5704
  SubscriptionStatusResponse: {
5676
5705
  /** Status */
@@ -6711,6 +6740,7 @@ interface components {
6711
6740
  * @description User (or agent) with their role in a workspace.
6712
6741
  *
6713
6742
  * For agents: agent_ext_id is set (agt-XXXXXXXX), name is user.given_name.
6743
+ * is_temporary: True when the grant is session-scoped (expires_at is set in DB).
6714
6744
  */
6715
6745
  WorkspaceUserResponse: {
6716
6746
  user: components['schemas']['UserResponse'];
@@ -6732,6 +6762,11 @@ interface components {
6732
6762
  document_count: number;
6733
6763
  /** Agent Ext Id */
6734
6764
  agent_ext_id?: string | null;
6765
+ /**
6766
+ * Is Temporary
6767
+ * @default false
6768
+ */
6769
+ is_temporary: boolean;
6735
6770
  };
6736
6771
  };
6737
6772
  responses: never;
@@ -7033,7 +7068,7 @@ interface operations {
7033
7068
  };
7034
7069
  };
7035
7070
  };
7036
- authorize_session: {
7071
+ create_agent: {
7037
7072
  parameters: {
7038
7073
  query?: never;
7039
7074
  header?: never;
@@ -7042,50 +7077,17 @@ interface operations {
7042
7077
  };
7043
7078
  requestBody: {
7044
7079
  content: {
7045
- 'application/json': components['schemas']['AuthorizeRequest'];
7080
+ 'application/json': components['schemas']['CreateAgentRequest'];
7046
7081
  };
7047
7082
  };
7048
7083
  responses: {
7049
7084
  /** @description Successful Response */
7050
- 200: {
7051
- headers: {
7052
- [name: string]: unknown;
7053
- };
7054
- content: {
7055
- 'application/json': components['schemas']['AuthorizeResponse'];
7056
- };
7057
- };
7058
- /** @description Validation Error */
7059
- 422: {
7060
- headers: {
7061
- [name: string]: unknown;
7062
- };
7063
- content: {
7064
- 'application/json': components['schemas']['HTTPValidationError'];
7065
- };
7066
- };
7067
- };
7068
- };
7069
- claim_agent_session: {
7070
- parameters: {
7071
- query?: never;
7072
- header?: never;
7073
- path?: never;
7074
- cookie?: never;
7075
- };
7076
- requestBody: {
7077
- content: {
7078
- 'application/json': components['schemas']['AgentSessionClaimRequest'];
7079
- };
7080
- };
7081
- responses: {
7082
- /** @description Successful Response */
7083
- 200: {
7085
+ 201: {
7084
7086
  headers: {
7085
7087
  [name: string]: unknown;
7086
7088
  };
7087
7089
  content: {
7088
- 'application/json': components['schemas']['LoginResponse'];
7090
+ 'application/json': components['schemas']['UserResponse'];
7089
7091
  };
7090
7092
  };
7091
7093
  /** @description Validation Error */
@@ -7665,6 +7667,40 @@ interface operations {
7665
7667
  };
7666
7668
  };
7667
7669
  };
7670
+ get_similar_documents: {
7671
+ parameters: {
7672
+ query?: {
7673
+ /** @description Minimum similarity score (0.0 = all stored pairs) */
7674
+ threshold?: number;
7675
+ /** @description Filter pairs involving a specific document */
7676
+ doc_ext_id?: string | null;
7677
+ };
7678
+ header?: never;
7679
+ path?: never;
7680
+ cookie?: never;
7681
+ };
7682
+ requestBody?: never;
7683
+ responses: {
7684
+ /** @description Successful Response */
7685
+ 200: {
7686
+ headers: {
7687
+ [name: string]: unknown;
7688
+ };
7689
+ content: {
7690
+ 'application/json': components['schemas']['DocSimResponse'];
7691
+ };
7692
+ };
7693
+ /** @description Validation Error */
7694
+ 422: {
7695
+ headers: {
7696
+ [name: string]: unknown;
7697
+ };
7698
+ content: {
7699
+ 'application/json': components['schemas']['HTTPValidationError'];
7700
+ };
7701
+ };
7702
+ };
7703
+ };
7668
7704
  get_documents: {
7669
7705
  parameters: {
7670
7706
  query: {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@arbidocs/client",
3
- "version": "0.3.25",
3
+ "version": "0.3.26",
4
4
  "description": "TypeScript SDK for the ARBI API — zero-knowledge auth, E2E encryption, and type-safe REST client",
5
5
  "type": "module",
6
6
  "main": "dist/index.cjs",