@arbidocs/client 0.3.33 → 0.3.35

package/dist/index.d.ts

@@ -897,6 +897,73 @@ interface paths {
         patch?: never;
         trace?: never;
     };
+    '/v1/document/upload-init': {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /**
+         * Upload Init
+         * @description Phase 1 of the direct-to-MinIO upload flow.
+         *
+         *     The client declares each file it intends to upload (name, raw size,
+         *     workspace-scoped HMAC content hash). For every file that passes
+         *     validation + quota + dedup, the server reserves a ``Docs`` row in
+         *     ``uploading`` state and returns a short-lived presigned PUT URL pointing
+         *     at the public ``/arbi-files/`` nginx route. The client then encrypts
+         *     the bytes locally with SecretBox(workspace_key) and PUTs the ciphertext
+         *     straight to MinIO — arbi-app never sees the raw or encrypted payload.
+         *
+         *     Call ``POST /v1/document/upload-commit`` once the PUTs succeed to flip
+         *     the rows to ``queued`` and enqueue the parser pipeline.
+         *
+         *     See ``init_direct_uploads`` for the full side-effect ordering.
+         *
+         *     Requires active subscription if Stripe is configured.
+         */
+        post: operations['upload_init'];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    '/v1/document/upload-commit': {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /**
+         * Upload Commit
+         * @description Phase 3 of the direct-to-MinIO upload flow.
+         *
+         *     The client calls this after it has PUT encrypted bytes for each
+         *     ``doc_ext_id`` handed out by ``/upload-init``. The server HEADs each
+         *     object in MinIO, flips the row from ``uploading`` → ``queued``, and
+         *     runs the usual parser-enqueue pipeline (or the media / text
+         *     fast-path for those file types). Any ``doc_ext_id`` whose object is
+         *     missing is dropped and reported in the response's ``skipped`` list —
+         *     the row is deleted rather than left half-committed.
+         *
+         *     The response shape matches ``POST /v1/document/upload`` so the
+         *     frontend's existing post-upload UI (batch completion tracking etc.)
+         *     can consume it unchanged.
+         */
+        post: operations['upload_commit'];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     '/v1/document/{document_ext_id}/download': {
         parameters: {
             query?: never;
@@ -3174,6 +3241,35 @@ interface components {
                 [key: string]: components['schemas']['ModelGroupUsage'];
             };
         };
+        /**
+         * DeclaredUploadFile
+         * @description One file declared by the client for the direct-to-MinIO upload flow.
+         *
+         *     The client hashes the RAW (pre-encryption) bytes with HMAC-SHA256 keyed by
+         *     the workspace key and truncates to 16 hex chars — same formula the server
+         *     uses today in ``create_content_hash``. ``file_size`` is the RAW byte count
+         *     (not ciphertext); quota accounting and UI display stay in raw units so the
+         *     ciphertext size (raw + 40 for SecretBox nonce + tag) is an implementation
+         *     detail of what goes over the wire.
+         */
+        DeclaredUploadFile: {
+            /** File Name */
+            file_name: string;
+            /**
+             * File Size
+             * @description Raw byte count (pre-encryption)
+             */
+            file_size: number;
+            /**
+             * Encrypted File Size
+             * @description Ciphertext byte count the client will PUT to MinIO (raw + SecretBox envelope: 24-byte nonce + 16-byte MAC = 40 bytes).
+             */
+            encrypted_file_size: number;
+            /** Content Hash */
+            content_hash: string;
+            /** Content Type */
+            content_type?: string | null;
+        };
         /**
          * DeleteAgentsRequest
          * @description Request to delete agents by external ID.
@@ -3814,6 +3910,37 @@ interface components {
             /** Detail */
             detail?: components['schemas']['ValidationError'][];
         };
+        /**
+         * InitedUploadItem
+         * @description One file slot returned by ``POST /v1/document/upload-init``.
+         *
+         *     When ``status == "uploading"`` the client should PUT the SecretBox-encrypted
+         *     bytes (``nonce(24) ‖ ciphertext+tag``) to ``upload_url`` using a plain HTTPS
+         *     PUT, then call ``/v1/document/upload-commit`` with the ``doc_ext_id``.
+         *     Any other status means the server rejected this file and no PUT/commit
+         *     should be attempted for it — the client should surface the reason to the
+         *     user and move on.
+         */
+        InitedUploadItem: {
+            /** File Name */
+            file_name: string;
+            /** Doc Ext Id */
+            doc_ext_id?: string | null;
+            /** Storage Uri */
+            storage_uri?: string | null;
+            /** Upload Url */
+            upload_url?: string | null;
+            /** Expires In */
+            expires_in?: number | null;
+            /**
+             * Status
+             * @default uploading
+             * @enum {string}
+             */
+            status: 'uploading' | 'duplicate' | 'quota_exceeded' | 'unsupported' | 'empty';
+            /** Reason */
+            reason?: string | null;
+        };
         /**
          * KeywordEmbedderConfig
          * @description Configuration for keyword embedder with BM25 scoring.
@@ -4539,6 +4666,10 @@ interface components {
              * @default markdown
              */
             output_mode: string;
+            /** Timing */
+            timing?: {
+                [key: string]: unknown;
+            } | null;
         };
         /**
          * ParsedStage
@@ -6436,7 +6567,7 @@ interface components {
              * Status
              * @enum {string}
              */
-            status: 'queued' | 'parsing' | 'encrypting' | 'indexing' | 'analysing' | 'completed' | 'failed' | 'skipped' | 'empty';
+            status: 'uploading' | 'queued' | 'parsing' | 'encrypting' | 'indexing' | 'analysing' | 'completed' | 'failed' | 'skipped' | 'empty';
             /** Progress */
             progress: number;
         };
@@ -6713,6 +6844,20 @@ interface components {
             user_ext_ids: string[];
             role: components['schemas']['WorkspaceRole'];
         };
+        /**
+         * UploadCommitRequest
+         * @description Request body for ``POST /v1/document/upload-commit``.
+         *
+         *     ``doc_ext_ids`` should be the subset of init items the client actually
+         *     uploaded successfully. Any IDs not listed here are left in ``uploading``
+         *     state on the server and eventually garbage-collected.
+         */
+        UploadCommitRequest: {
+            /** Doc Ext Ids */
+            doc_ext_ids: string[];
+            /** Tag Ext Id */
+            tag_ext_id?: string | null;
+        };
         /**
          * UploadDocumentsResponse
          * @description Response for document upload operations.
@@ -6734,6 +6879,42 @@ interface components {
              */
             skipped?: components['schemas']['SkippedFile'][];
         };
+        /**
+         * UploadInitRequest
+         * @description Request body for ``POST /v1/document/upload-init``.
+         */
+        UploadInitRequest: {
+            /** Files */
+            files: components['schemas']['DeclaredUploadFile'][];
+            /**
+             * Shared
+             * @default true
+             */
+            shared: boolean;
+            /** Config Ext Id */
+            config_ext_id?: string | null;
+            /** Parent Ext Id */
+            parent_ext_id?: string | null;
+            /** Wp Type */
+            wp_type?: string | null;
+            /** Tag Ext Id */
+            tag_ext_id?: string | null;
+            /** Folder */
+            folder?: string | null;
+            /**
+             * Presign Expires In
+             * @default 3600
+             */
+            presign_expires_in: number;
+        };
+        /**
+         * UploadInitResponse
+         * @description Response body for ``POST /v1/document/upload-init``.
+         */
+        UploadInitResponse: {
+            /** Items */
+            items?: components['schemas']['InitedUploadItem'][];
+        };
         /**
          * UserInputBody
          * @description Request body for POST /assistant/respond.
@@ -7181,11 +7362,11 @@ interface components {
         WorkspaceOpenResponse: {
             workspace: components['schemas']['WorkspaceResponse'];
             /** Conversations */
-            conversations: components['schemas']['ConversationResponse'][];
+            conversations?: components['schemas']['ConversationResponse'][] | null;
             /** Documents */
-            documents: unknown[];
+            documents?: unknown[] | null;
             /** Tags */
-            tags: unknown[];
+            tags?: unknown[] | null;
         };
         /** WorkspaceResponse */
         WorkspaceResponse: {
@@ -8197,7 +8378,14 @@ interface operations {
     };
     open_workspace: {
         parameters: {
-            query?: never;
+            query?: {
+                /** @description Include full document list in response */
+                include_documents?: boolean;
+                /** @description Include conversations in response */
+                include_conversations?: boolean;
+                /** @description Include tags in response */
+                include_tags?: boolean;
+            };
             header?: never;
             path: {
                 workspace_ext_id: string;
@@ -8789,6 +8977,72 @@ interface operations {
             };
         };
     };
+    upload_init: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        requestBody: {
+            content: {
+                'application/json': components['schemas']['UploadInitRequest'];
+            };
+        };
+        responses: {
+            /** @description Successful Response */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    'application/json': components['schemas']['UploadInitResponse'];
+                };
+            };
+            /** @description Validation Error */
+            422: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    'application/json': components['schemas']['HTTPValidationError'];
+                };
+            };
+        };
+    };
+    upload_commit: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        requestBody: {
+            content: {
+                'application/json': components['schemas']['UploadCommitRequest'];
+            };
+        };
+        responses: {
+            /** @description Successful Response */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    'application/json': components['schemas']['UploadDocumentsResponse'];
+                };
+            };
+            /** @description Validation Error */
+            422: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    'application/json': components['schemas']['HTTPValidationError'];
+                };
+            };
+        };
+    };
     download_document: {
         parameters: {
             query?: never;
@@ -10269,6 +10523,31 @@ declare function deriveEncryptionKeypairFromSigning(signingKeyPair: KeyPair): Ke
  * Used for agent accounts that don't derive keys from a password.
  */
 declare function generateRandomSigningKeypair(): KeyPair;
+/**
+ * SecretBox-encrypt file bytes with the workspace key.
+ *
+ * Returns the wire format the server stores in MinIO:
+ * `nonce(24) ‖ ciphertext ‖ tag(16)` — byte-for-byte identical to what
+ * PyNaCl's `SecretBox(workspace_key).encrypt(raw)` produces and what the
+ * server's `decrypt_file` expects. PUT the returned bytes directly to the
+ * presigned upload URL returned by `/v1/document/upload-init`.
+ */
+declare function encryptFile(raw: Uint8Array, workspaceKey: Uint8Array): Uint8Array;
+/**
+ * SecretBox-decrypt a file body downloaded from MinIO.
+ * Input is the same `nonce ‖ ciphertext ‖ tag` wire format that `encryptFile`
+ * produces.
+ */
+declare function decryptFile(ciphertext: Uint8Array, workspaceKey: Uint8Array): Uint8Array;
+/**
+ * Workspace-scoped content hash for client-side dedup.
+ *
+ * HMAC-SHA256(workspace_key, raw_bytes) truncated to 16 hex chars — byte
+ * compatible with the server's `create_content_hash` helper. The client
+ * sends this to `/v1/document/upload-init` so the server can dedup without
+ * ever seeing plaintext.
+ */
+declare function createContentHash(content: Uint8Array, workspaceKey: Uint8Array): string;
 /**
  * Precompute shared secret for ECDH encryption.
  *
@@ -10769,4 +11048,4 @@ declare function isMessageType<T extends WebSocketServerMessage>(msg: WebSocketS
  */
 declare function createReloginHandler(deps: ReloginDeps): () => Promise<string | null>;
 
-export { type $defs, API_PREFIX, type ArbiClient, type ArbiClientOptions, type AuthStateProvider, type AutoReloginMiddlewareConfig, type BearerAuthMiddlewareConfig, type ChangePasswordParams, type ChangePasswordRequest, type ChangePasswordResult, type CryptoProvider, type KeyPair, type LoginCredentials, type LoginParams, type LoginProvider, type LoginRequest, type LoginResult, type LoginWithKeyParams, type OnReloginSuccess, type PasswordChangeCredentials, type RegisterParams, type RegisterRequest, type RegisterResult, type RegistrationCredentials, type ReloginDeps, type ReloginHandler, type SessionData, type SessionKeys, type SessionManager, type SessionState, type SessionStorageProvider, type SsoTokenProvider, type TokenProvider, type UserKeypairs, type WebSocketClientMessage, type WebSocketServerMessage, type WorkspaceKeyRefreshProvider, type WorkspaceOpenProvider, type WsAuthMessage, type WsAuthResultMessage, type WsBatchCompleteMessage, type WsConnectionClosedMessage, type WsErrorMessage, type WsNotificationResponse, type WsPresenceUpdateMessage, type WsResponseCompleteMessage, type WsTaskUpdateMessage, base64Decode, base64Encode, base64ToBytes, buildWebSocketUrl, bytesToBase64, clearAllData, clearSession, type components, computeSharedSecret, createArbiClient, createAuthMessage, createAutoReloginMiddleware, createBearerAuthMiddleware, createReloginHandler, createSessionManager, decryptMessage, decryptMessageWithSharedSecret, deriveEncryptionKeypairFromSigning, derivePublicKey, encryptMessage, encryptMessageWithSharedSecret, generateKeyPairs, generateLoginCredentials, generateLoginCredentialsFromKey, generatePasswordChangeCredentials, generateRandomSigningKeypair, generateRecoveryPasswordChangeCredentials, generateRegistrationCredentials, generateUserKeypairs, getSession, hasSession, initSodium, initializeDatabase, isMessageType, type operations, parseServerMessage, type paths, saveSession, sealKeyForSession, sealedBoxDecrypt, sealedBoxEncrypt, signMessage, updateSigningPrivateKey, type webhooks };
+export { type $defs, API_PREFIX, type ArbiClient, type ArbiClientOptions, type AuthStateProvider, type AutoReloginMiddlewareConfig, type BearerAuthMiddlewareConfig, type ChangePasswordParams, type ChangePasswordRequest, type ChangePasswordResult, type CryptoProvider, type KeyPair, type LoginCredentials, type LoginParams, type LoginProvider, type LoginRequest, type LoginResult, type LoginWithKeyParams, type OnReloginSuccess, type PasswordChangeCredentials, type RegisterParams, type RegisterRequest, type RegisterResult, type RegistrationCredentials, type ReloginDeps, type ReloginHandler, type SessionData, type SessionKeys, type SessionManager, type SessionState, type SessionStorageProvider, type SsoTokenProvider, type TokenProvider, type UserKeypairs, type WebSocketClientMessage, type WebSocketServerMessage, type WorkspaceKeyRefreshProvider, type WorkspaceOpenProvider, type WsAuthMessage, type WsAuthResultMessage, type WsBatchCompleteMessage, type WsConnectionClosedMessage, type WsErrorMessage, type WsNotificationResponse, type WsPresenceUpdateMessage, type WsResponseCompleteMessage, type WsTaskUpdateMessage, base64Decode, base64Encode, base64ToBytes, buildWebSocketUrl, bytesToBase64, clearAllData, clearSession, type components, computeSharedSecret, createArbiClient, createAuthMessage, createAutoReloginMiddleware, createBearerAuthMiddleware, createContentHash, createReloginHandler, createSessionManager, decryptFile, decryptMessage, decryptMessageWithSharedSecret, deriveEncryptionKeypairFromSigning, derivePublicKey, encryptFile, encryptMessage, encryptMessageWithSharedSecret, generateKeyPairs, generateLoginCredentials, generateLoginCredentialsFromKey, generatePasswordChangeCredentials, generateRandomSigningKeypair, generateRecoveryPasswordChangeCredentials, generateRegistrationCredentials, generateUserKeypairs, getSession, hasSession, initSodium, initializeDatabase, isMessageType, type operations, parseServerMessage, type paths, saveSession, sealKeyForSession, sealedBoxDecrypt, sealedBoxEncrypt, signMessage, updateSigningPrivateKey, type webhooks };

package/dist/index.js

@@ -180,6 +180,27 @@ function generateRandomSigningKeypair() {
   const kp = sodium.crypto_sign_keypair();
   return { publicKey: kp.publicKey, secretKey: kp.privateKey };
 }
+function encryptFile(raw, workspaceKey) {
+  const nonce = sodium.randombytes_buf(sodium.crypto_secretbox_NONCEBYTES);
+  const cipher = sodium.crypto_secretbox_easy(raw, nonce, workspaceKey);
+  const combined = new Uint8Array(nonce.length + cipher.length);
+  combined.set(nonce, 0);
+  combined.set(cipher, nonce.length);
+  return combined;
+}
+function decryptFile(ciphertext, workspaceKey) {
+  const nonce = ciphertext.slice(0, sodium.crypto_secretbox_NONCEBYTES);
+  const cipher = ciphertext.slice(sodium.crypto_secretbox_NONCEBYTES);
+  return sodium.crypto_secretbox_open_easy(cipher, nonce, workspaceKey);
+}
+function createContentHash(content, workspaceKey) {
+  const mac = sodium.crypto_auth_hmacsha256(content, workspaceKey);
+  let hex = "";
+  for (let i = 0; i < mac.length; i++) {
+    hex += mac[i].toString(16).padStart(2, "0");
+  }
+  return hex.slice(0, 16);
+}
 async function computeSharedSecret(theirPublicKeyBase64, myPrivateKey) {
   await initSodium();
   const theirPublicKey = base64ToBytes(theirPublicKeyBase64);
@@ -1090,6 +1111,6 @@ function isMessageType(msg, type) {
   return msg.type === type;
 }
 
-export { API_PREFIX, base64Decode, base64Encode, base64ToBytes, buildWebSocketUrl, bytesToBase64, clearAllData, clearSession, computeSharedSecret, createArbiClient, createAuthMessage, createAutoReloginMiddleware, createBearerAuthMiddleware, createReloginHandler, createSessionManager, decryptMessage, decryptMessageWithSharedSecret, deriveEncryptionKeypairFromSigning, derivePublicKey, encryptMessage, encryptMessageWithSharedSecret, generateKeyPairs, generateLoginCredentials, generateLoginCredentialsFromKey, generatePasswordChangeCredentials, generateRandomSigningKeypair, generateRecoveryPasswordChangeCredentials, generateRegistrationCredentials, generateUserKeypairs, getSession, hasSession, initSodium, initializeDatabase, isMessageType, parseServerMessage, saveSession, sealKeyForSession, sealedBoxDecrypt, sealedBoxEncrypt, signMessage, updateSigningPrivateKey };
+export { API_PREFIX, base64Decode, base64Encode, base64ToBytes, buildWebSocketUrl, bytesToBase64, clearAllData, clearSession, computeSharedSecret, createArbiClient, createAuthMessage, createAutoReloginMiddleware, createBearerAuthMiddleware, createContentHash, createReloginHandler, createSessionManager, decryptFile, decryptMessage, decryptMessageWithSharedSecret, deriveEncryptionKeypairFromSigning, derivePublicKey, encryptFile, encryptMessage, encryptMessageWithSharedSecret, generateKeyPairs, generateLoginCredentials, generateLoginCredentialsFromKey, generatePasswordChangeCredentials, generateRandomSigningKeypair, generateRecoveryPasswordChangeCredentials, generateRegistrationCredentials, generateUserKeypairs, getSession, hasSession, initSodium, initializeDatabase, isMessageType, parseServerMessage, saveSession, sealKeyForSession, sealedBoxDecrypt, sealedBoxEncrypt, signMessage, updateSigningPrivateKey };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map