@arbidocs/sdk 0.3.16 → 0.3.18

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { C as ConfigStore, a as CliConfig, b as CliCredentials, c as ChatSession, A as AuthHeaders, U as UploadBatchResult, d as UploadOptions, e as UploadResult } from './browser-DFRwcoc1.cjs';
-export { f as AgentStepEvent, g as Arbi, h as ArbiApiError, i as ArbiError, j as ArbiOptions, k as ArtifactEvent, l as AuthContext, m as AuthenticatedClient, n as ConnectOptions, D as DocumentWaiter, o as DocumentWaiterOptions, F as FormattedWsMessage, L as LIFECYCLE_LABELS, M as MessageLevel, p as MessageMetadataPayload, q as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, r as ReconnectableWsConnection, s as ResponseCompletedEvent, t as ResponseContentPartAddedEvent, u as ResponseCreatedEvent, v as ResponseFailedEvent, w as ResponseOutputItemAddedEvent, x as ResponseOutputItemDoneEvent, y as ResponseOutputTextDeltaEvent, z as ResponseOutputTextDoneEvent, B as ResponseUsage, S as SSEEvent, E as SSEStreamCallbacks, G as SSEStreamResult, H as SSEStreamStartData, T as TOOL_LABELS, I as UserInfo, J as UserInputRequestEvent, K as UserMessageEvent, W as WorkspaceContext, N as WsConnection, P as agentconfig, V as assistant, X as authenticatedFetch, Y as buildRetrievalChunkTool, Z as buildRetrievalFullContextTool, _ as buildRetrievalTocTool, $ as connectWebSocket, a0 as connectWithReconnect, a1 as consumeSSEStream, a2 as contacts, a3 as conversations, a4 as createAuthenticatedClient, a5 as createDocumentWaiter, a6 as dm, a7 as doctags, a8 as documents, a9 as files, aa as formatAgentStepLabel, ab as formatFileSize, ac as formatUserName, ad as formatWorkspaceChoices, ae as formatWsMessage, af as generateEncryptedWorkspaceKey, ag as getErrorCode, ah as getErrorMessage, ai as health, aj as parseSSEEvents, ak as performPasswordLogin, al as requireData, am as requireOk, an as resolveAuth, ao as resolveWorkspace, ap as responses, aq as selectWorkspace, ar as selectWorkspaceById, as as settings, at as streamSSE, au as tags, av as workspaces } from './browser-DFRwcoc1.cjs';
+import { C as ConfigStore, a as CliConfig, b as CliCredentials, c as ChatSession, A as AuthHeaders, U as UploadBatchResult, d as UploadOptions, e as UploadResult } from './browser-DUQ3Eyvd.cjs';
+export { f as AgentStepEvent, g as Arbi, h as ArbiApiError, i as ArbiError, j as ArbiOptions, k as ArtifactEvent, l as AuthContext, m as AuthenticatedClient, n as CitationSummary, o as ConnectOptions, D as DocumentWaiter, p as DocumentWaiterOptions, F as FormattedWsMessage, L as LIFECYCLE_LABELS, M as MessageLevel, q as MessageMetadataPayload, r as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, s as ReconnectableWsConnection, t as ResolvedCitation, u as ResponseCompletedEvent, v as ResponseContentPartAddedEvent, w as ResponseCreatedEvent, x as ResponseFailedEvent, y as ResponseOutputItemAddedEvent, z as ResponseOutputItemDoneEvent, B as ResponseOutputTextDeltaEvent, E as ResponseOutputTextDoneEvent, G as ResponseUsage, S as SSEEvent, H as SSEStreamCallbacks, I as SSEStreamResult, J as SSEStreamStartData, T as TOOL_LABELS, K as UserInfo, N as UserInputRequestEvent, P as UserMessageEvent, W as WorkspaceContext, V as WsConnection, X as agentconfig, Y as assistant, Z as authenticatedFetch, _ as buildRetrievalChunkTool, $ as buildRetrievalFullContextTool, a0 as buildRetrievalTocTool, a1 as connectWebSocket, a2 as connectWithReconnect, a3 as consumeSSEStream, a4 as contacts, a5 as conversations, a6 as countCitations, a7 as createAuthenticatedClient, a8 as createDocumentWaiter, a9 as dm, aa as doctags, ab as documents, ac as files, ad as formatAgentStepLabel, ae as formatFileSize, af as formatStreamSummary, ag as formatUserName, ah as formatWorkspaceChoices, ai as formatWsMessage, aj as generateEncryptedWorkspaceKey, ak as getErrorCode, al as getErrorMessage, am as health, an as parseSSEEvents, ao as performPasswordLogin, ap as performSsoDeviceFlowLogin, aq as requireData, ar as requireOk, as as resolveAuth, at as resolveCitations, au as resolveWorkspace, av as responses, aw as selectWorkspace, ax as selectWorkspaceById, ay as settings, az as streamSSE, aA as stripCitationMarkdown, aB as summarizeCitations, aC as tags, aD as workspaces } from './browser-DUQ3Eyvd.cjs';
 import '@arbidocs/client';
 
 /**
@@ -13,6 +13,7 @@ declare class FileConfigStore implements ConfigStore {
     private readonly configFile;
     private readonly credentialsFile;
     private readonly sessionFile;
+    private readonly metadataFile;
     constructor(configDir?: string);
     private ensureConfigDir;
     private writeSecureFile;
@@ -29,6 +30,8 @@ declare class FileConfigStore implements ConfigStore {
     saveChatSession(session: ChatSession): void;
     updateChatSession(updates: Partial<ChatSession>): void;
     clearChatSession(): void;
+    saveLastMetadata(metadata: unknown): void;
+    loadLastMetadata(): unknown | null;
     /**
      * Try to resolve config from multiple sources, in priority order:
      *
@@ -55,6 +58,66 @@ declare class FileConfigStore implements ConfigStore {
     private readPublicConfigDomain;
 }
 
+/**
+ * OAuth 2.0 Device Authorization Grant (RFC 8628) for Auth0.
+ *
+ * Enables headless CLI login: the user authorizes in a browser while the CLI polls for a token.
+ */
+interface SsoConfig {
+    ssoEnabled: boolean;
+    domain: string;
+    clientId: string;
+    audience: string;
+}
+interface DeviceCodeResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+declare class DeviceFlowError extends Error {
+    constructor(message: string);
+}
+declare class DeviceFlowExpired extends DeviceFlowError {
+    constructor();
+}
+declare class DeviceFlowAccessDenied extends DeviceFlowError {
+    constructor();
+}
+/**
+ * Fetch SSO configuration from the ARBI deployment.
+ */
+declare function fetchSsoConfig(baseUrl: string): Promise<SsoConfig>;
+/**
+ * Request a device code from Auth0.
+ *
+ * POST https://{domain}/oauth/device/code
+ */
+declare function requestDeviceCode(domain: string, clientId: string, audience?: string, scope?: string): Promise<DeviceCodeResponse>;
+/**
+ * Poll Auth0 token endpoint until the user authorizes (or the code expires).
+ *
+ * Returns the Auth0 access_token (JWT).
+ */
+declare function pollForToken(domain: string, clientId: string, deviceCode: string, interval: number, expiresIn: number, onPoll?: (elapsedMs: number) => void): Promise<string>;
+
+type deviceFlow_DeviceCodeResponse = DeviceCodeResponse;
+type deviceFlow_DeviceFlowAccessDenied = DeviceFlowAccessDenied;
+declare const deviceFlow_DeviceFlowAccessDenied: typeof DeviceFlowAccessDenied;
+type deviceFlow_DeviceFlowError = DeviceFlowError;
+declare const deviceFlow_DeviceFlowError: typeof DeviceFlowError;
+type deviceFlow_DeviceFlowExpired = DeviceFlowExpired;
+declare const deviceFlow_DeviceFlowExpired: typeof DeviceFlowExpired;
+type deviceFlow_SsoConfig = SsoConfig;
+declare const deviceFlow_fetchSsoConfig: typeof fetchSsoConfig;
+declare const deviceFlow_pollForToken: typeof pollForToken;
+declare const deviceFlow_requestDeviceCode: typeof requestDeviceCode;
+declare namespace deviceFlow {
+  export { type deviceFlow_DeviceCodeResponse as DeviceCodeResponse, deviceFlow_DeviceFlowAccessDenied as DeviceFlowAccessDenied, deviceFlow_DeviceFlowError as DeviceFlowError, deviceFlow_DeviceFlowExpired as DeviceFlowExpired, type deviceFlow_SsoConfig as SsoConfig, deviceFlow_fetchSsoConfig as fetchSsoConfig, deviceFlow_pollForToken as pollForToken, deviceFlow_requestDeviceCode as requestDeviceCode };
+}
+
 /**
  * Document operations — Node.js file system operations.
  *
@@ -87,4 +150,4 @@ declare namespace documentsNode {
   export { documentsNode_uploadDirectory as uploadDirectory, documentsNode_uploadLocalFile as uploadLocalFile, documentsNode_uploadZip as uploadZip };
 }
 
-export { AuthHeaders, ChatSession, CliConfig, CliCredentials, ConfigStore, FileConfigStore, documentsNode };
+export { AuthHeaders, ChatSession, CliConfig, CliCredentials, ConfigStore, FileConfigStore, deviceFlow, documentsNode };

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { C as ConfigStore, a as CliConfig, b as CliCredentials, c as ChatSession, A as AuthHeaders, U as UploadBatchResult, d as UploadOptions, e as UploadResult } from './browser-DFRwcoc1.js';
-export { f as AgentStepEvent, g as Arbi, h as ArbiApiError, i as ArbiError, j as ArbiOptions, k as ArtifactEvent, l as AuthContext, m as AuthenticatedClient, n as ConnectOptions, D as DocumentWaiter, o as DocumentWaiterOptions, F as FormattedWsMessage, L as LIFECYCLE_LABELS, M as MessageLevel, p as MessageMetadataPayload, q as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, r as ReconnectableWsConnection, s as ResponseCompletedEvent, t as ResponseContentPartAddedEvent, u as ResponseCreatedEvent, v as ResponseFailedEvent, w as ResponseOutputItemAddedEvent, x as ResponseOutputItemDoneEvent, y as ResponseOutputTextDeltaEvent, z as ResponseOutputTextDoneEvent, B as ResponseUsage, S as SSEEvent, E as SSEStreamCallbacks, G as SSEStreamResult, H as SSEStreamStartData, T as TOOL_LABELS, I as UserInfo, J as UserInputRequestEvent, K as UserMessageEvent, W as WorkspaceContext, N as WsConnection, P as agentconfig, V as assistant, X as authenticatedFetch, Y as buildRetrievalChunkTool, Z as buildRetrievalFullContextTool, _ as buildRetrievalTocTool, $ as connectWebSocket, a0 as connectWithReconnect, a1 as consumeSSEStream, a2 as contacts, a3 as conversations, a4 as createAuthenticatedClient, a5 as createDocumentWaiter, a6 as dm, a7 as doctags, a8 as documents, a9 as files, aa as formatAgentStepLabel, ab as formatFileSize, ac as formatUserName, ad as formatWorkspaceChoices, ae as formatWsMessage, af as generateEncryptedWorkspaceKey, ag as getErrorCode, ah as getErrorMessage, ai as health, aj as parseSSEEvents, ak as performPasswordLogin, al as requireData, am as requireOk, an as resolveAuth, ao as resolveWorkspace, ap as responses, aq as selectWorkspace, ar as selectWorkspaceById, as as settings, at as streamSSE, au as tags, av as workspaces } from './browser-DFRwcoc1.js';
+import { C as ConfigStore, a as CliConfig, b as CliCredentials, c as ChatSession, A as AuthHeaders, U as UploadBatchResult, d as UploadOptions, e as UploadResult } from './browser-DUQ3Eyvd.js';
+export { f as AgentStepEvent, g as Arbi, h as ArbiApiError, i as ArbiError, j as ArbiOptions, k as ArtifactEvent, l as AuthContext, m as AuthenticatedClient, n as CitationSummary, o as ConnectOptions, D as DocumentWaiter, p as DocumentWaiterOptions, F as FormattedWsMessage, L as LIFECYCLE_LABELS, M as MessageLevel, q as MessageMetadataPayload, r as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, s as ReconnectableWsConnection, t as ResolvedCitation, u as ResponseCompletedEvent, v as ResponseContentPartAddedEvent, w as ResponseCreatedEvent, x as ResponseFailedEvent, y as ResponseOutputItemAddedEvent, z as ResponseOutputItemDoneEvent, B as ResponseOutputTextDeltaEvent, E as ResponseOutputTextDoneEvent, G as ResponseUsage, S as SSEEvent, H as SSEStreamCallbacks, I as SSEStreamResult, J as SSEStreamStartData, T as TOOL_LABELS, K as UserInfo, N as UserInputRequestEvent, P as UserMessageEvent, W as WorkspaceContext, V as WsConnection, X as agentconfig, Y as assistant, Z as authenticatedFetch, _ as buildRetrievalChunkTool, $ as buildRetrievalFullContextTool, a0 as buildRetrievalTocTool, a1 as connectWebSocket, a2 as connectWithReconnect, a3 as consumeSSEStream, a4 as contacts, a5 as conversations, a6 as countCitations, a7 as createAuthenticatedClient, a8 as createDocumentWaiter, a9 as dm, aa as doctags, ab as documents, ac as files, ad as formatAgentStepLabel, ae as formatFileSize, af as formatStreamSummary, ag as formatUserName, ah as formatWorkspaceChoices, ai as formatWsMessage, aj as generateEncryptedWorkspaceKey, ak as getErrorCode, al as getErrorMessage, am as health, an as parseSSEEvents, ao as performPasswordLogin, ap as performSsoDeviceFlowLogin, aq as requireData, ar as requireOk, as as resolveAuth, at as resolveCitations, au as resolveWorkspace, av as responses, aw as selectWorkspace, ax as selectWorkspaceById, ay as settings, az as streamSSE, aA as stripCitationMarkdown, aB as summarizeCitations, aC as tags, aD as workspaces } from './browser-DUQ3Eyvd.js';
 import '@arbidocs/client';
 
 /**
@@ -13,6 +13,7 @@ declare class FileConfigStore implements ConfigStore {
     private readonly configFile;
     private readonly credentialsFile;
     private readonly sessionFile;
+    private readonly metadataFile;
     constructor(configDir?: string);
     private ensureConfigDir;
     private writeSecureFile;
@@ -29,6 +30,8 @@ declare class FileConfigStore implements ConfigStore {
     saveChatSession(session: ChatSession): void;
     updateChatSession(updates: Partial<ChatSession>): void;
     clearChatSession(): void;
+    saveLastMetadata(metadata: unknown): void;
+    loadLastMetadata(): unknown | null;
     /**
      * Try to resolve config from multiple sources, in priority order:
      *
@@ -55,6 +58,66 @@ declare class FileConfigStore implements ConfigStore {
     private readPublicConfigDomain;
 }
 
+/**
+ * OAuth 2.0 Device Authorization Grant (RFC 8628) for Auth0.
+ *
+ * Enables headless CLI login: the user authorizes in a browser while the CLI polls for a token.
+ */
+interface SsoConfig {
+    ssoEnabled: boolean;
+    domain: string;
+    clientId: string;
+    audience: string;
+}
+interface DeviceCodeResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+declare class DeviceFlowError extends Error {
+    constructor(message: string);
+}
+declare class DeviceFlowExpired extends DeviceFlowError {
+    constructor();
+}
+declare class DeviceFlowAccessDenied extends DeviceFlowError {
+    constructor();
+}
+/**
+ * Fetch SSO configuration from the ARBI deployment.
+ */
+declare function fetchSsoConfig(baseUrl: string): Promise<SsoConfig>;
+/**
+ * Request a device code from Auth0.
+ *
+ * POST https://{domain}/oauth/device/code
+ */
+declare function requestDeviceCode(domain: string, clientId: string, audience?: string, scope?: string): Promise<DeviceCodeResponse>;
+/**
+ * Poll Auth0 token endpoint until the user authorizes (or the code expires).
+ *
+ * Returns the Auth0 access_token (JWT).
+ */
+declare function pollForToken(domain: string, clientId: string, deviceCode: string, interval: number, expiresIn: number, onPoll?: (elapsedMs: number) => void): Promise<string>;
+
+type deviceFlow_DeviceCodeResponse = DeviceCodeResponse;
+type deviceFlow_DeviceFlowAccessDenied = DeviceFlowAccessDenied;
+declare const deviceFlow_DeviceFlowAccessDenied: typeof DeviceFlowAccessDenied;
+type deviceFlow_DeviceFlowError = DeviceFlowError;
+declare const deviceFlow_DeviceFlowError: typeof DeviceFlowError;
+type deviceFlow_DeviceFlowExpired = DeviceFlowExpired;
+declare const deviceFlow_DeviceFlowExpired: typeof DeviceFlowExpired;
+type deviceFlow_SsoConfig = SsoConfig;
+declare const deviceFlow_fetchSsoConfig: typeof fetchSsoConfig;
+declare const deviceFlow_pollForToken: typeof pollForToken;
+declare const deviceFlow_requestDeviceCode: typeof requestDeviceCode;
+declare namespace deviceFlow {
+  export { type deviceFlow_DeviceCodeResponse as DeviceCodeResponse, deviceFlow_DeviceFlowAccessDenied as DeviceFlowAccessDenied, deviceFlow_DeviceFlowError as DeviceFlowError, deviceFlow_DeviceFlowExpired as DeviceFlowExpired, type deviceFlow_SsoConfig as SsoConfig, deviceFlow_fetchSsoConfig as fetchSsoConfig, deviceFlow_pollForToken as pollForToken, deviceFlow_requestDeviceCode as requestDeviceCode };
+}
+
 /**
  * Document operations — Node.js file system operations.
  *
@@ -87,4 +150,4 @@ declare namespace documentsNode {
   export { documentsNode_uploadDirectory as uploadDirectory, documentsNode_uploadLocalFile as uploadLocalFile, documentsNode_uploadZip as uploadZip };
 }
 
-export { AuthHeaders, ChatSession, CliConfig, CliCredentials, ConfigStore, FileConfigStore, documentsNode };
+export { AuthHeaders, ChatSession, CliConfig, CliCredentials, ConfigStore, FileConfigStore, deviceFlow, documentsNode };

package/dist/index.js

@@ -121,11 +121,13 @@ var FileConfigStore = class {
   configFile;
   credentialsFile;
   sessionFile;
+  metadataFile;
   constructor(configDir) {
     this.configDir = configDir ?? process.env.ARBI_CONFIG_DIR ?? path2.join(os.homedir(), ".arbi");
     this.configFile = path2.join(this.configDir, "config.json");
     this.credentialsFile = path2.join(this.configDir, "credentials.json");
     this.sessionFile = path2.join(this.configDir, "session.json");
+    this.metadataFile = path2.join(this.configDir, "last-metadata.json");
   }
   ensureConfigDir() {
     if (!fs.existsSync(this.configDir)) {
@@ -196,6 +198,13 @@ var FileConfigStore = class {
   clearChatSession() {
     this.saveChatSession({ ...DEFAULT_SESSION });
   }
+  // ── Last metadata (for citation browsing) ────────────────────────────────
+  saveLastMetadata(metadata) {
+    this.writeSecureFile(this.metadataFile, metadata);
+  }
+  loadLastMetadata() {
+    return this.readJsonFile(this.metadataFile);
+  }
   /**
    * Try to resolve config from multiple sources, in priority order:
    *
@@ -268,6 +277,107 @@ var FileConfigStore = class {
     return null;
   }
 };
+
+// src/device-flow.ts
+var device_flow_exports = {};
+__export(device_flow_exports, {
+  DeviceFlowAccessDenied: () => DeviceFlowAccessDenied,
+  DeviceFlowError: () => DeviceFlowError,
+  DeviceFlowExpired: () => DeviceFlowExpired,
+  fetchSsoConfig: () => fetchSsoConfig,
+  pollForToken: () => pollForToken,
+  requestDeviceCode: () => requestDeviceCode
+});
+var DeviceFlowError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DeviceFlowError";
+  }
+};
+var DeviceFlowExpired = class extends DeviceFlowError {
+  constructor() {
+    super("Device code expired \u2014 please try again");
+    this.name = "DeviceFlowExpired";
+  }
+};
+var DeviceFlowAccessDenied = class extends DeviceFlowError {
+  constructor() {
+    super("Authorization was denied by the user");
+    this.name = "DeviceFlowAccessDenied";
+  }
+};
+async function fetchSsoConfig(baseUrl) {
+  const arbi = createArbiClient({ baseUrl, deploymentDomain: "", credentials: "omit" });
+  const { data, error } = await arbi.fetch.GET("/v1/user/sso-config");
+  if (error || !data) {
+    throw new DeviceFlowError(`Failed to fetch SSO config`);
+  }
+  return {
+    ssoEnabled: data.sso_enabled,
+    domain: data.domain,
+    clientId: data.cli_client_id || data.client_id,
+    audience: data.audience
+  };
+}
+async function requestDeviceCode(domain, clientId, audience, scope = "openid email profile") {
+  const body = new URLSearchParams({
+    client_id: clientId,
+    scope,
+    ...audience ? { audience } : {}
+  });
+  const res = await fetch(`https://${domain}/oauth/device/code`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new DeviceFlowError(`Device code request failed: ${res.status} ${text}`);
+  }
+  return await res.json();
+}
+async function pollForToken(domain, clientId, deviceCode, interval, expiresIn, onPoll) {
+  const deadline = Date.now() + expiresIn * 1e3;
+  let pollInterval = interval * 1e3;
+  while (Date.now() < deadline) {
+    await sleep(pollInterval);
+    onPoll?.(Date.now());
+    const res = await fetch(`https://${domain}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        client_id: clientId,
+        device_code: deviceCode
+      })
+    });
+    if (res.ok) {
+      const data = await res.json();
+      return data.access_token;
+    }
+    const errBody = await res.json().catch(() => ({ error: "unknown" }));
+    if (errBody.error === "authorization_pending") {
+      continue;
+    } else if (errBody.error === "slow_down") {
+      pollInterval += 5e3;
+      continue;
+    } else if (errBody.error === "expired_token") {
+      throw new DeviceFlowExpired();
+    } else if (errBody.error === "access_denied") {
+      throw new DeviceFlowAccessDenied();
+    } else {
+      throw new DeviceFlowError(
+        `Token polling error: ${errBody.error} \u2014 ${errBody.error_description ?? ""}`
+      );
+    }
+  }
+  throw new DeviceFlowExpired();
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/auth.ts
 function formatWorkspaceChoices(wsList) {
   return wsList.map((ws) => {
     const totalDocs = ws.shared_document_count + ws.private_document_count;
@@ -288,7 +398,8 @@ async function createAuthenticatedClient(config, creds, store) {
   const signingPrivateKey = base64ToBytes(creds.signingPrivateKeyBase64);
   const loginResult = await arbi.auth.loginWithKey({
     email: creds.email,
-    signingPrivateKey
+    signingPrivateKey,
+    ssoToken: creds.ssoToken
   });
   store.saveCredentials({
     ...creds,
@@ -320,6 +431,40 @@ async function performPasswordLogin(config, email, password, store) {
   });
   return { arbi, loginResult, config };
 }
+async function performSsoDeviceFlowLogin(config, email, password, store, callbacks) {
+  const ssoConfig = await fetchSsoConfig(config.baseUrl);
+  if (!ssoConfig.ssoEnabled) {
+    throw new ArbiError("SSO is not enabled on this deployment");
+  }
+  const dc = await requestDeviceCode(ssoConfig.domain, ssoConfig.clientId, ssoConfig.audience);
+  callbacks?.onUserCode?.(dc.user_code, dc.verification_uri_complete);
+  const ssoToken = await pollForToken(
+    ssoConfig.domain,
+    ssoConfig.clientId,
+    dc.device_code,
+    dc.interval,
+    dc.expires_in,
+    callbacks?.onPoll
+  );
+  const arbi = createArbiClient({
+    baseUrl: config.baseUrl,
+    deploymentDomain: config.deploymentDomain,
+    credentials: "omit"
+  });
+  await arbi.crypto.initSodium();
+  const loginResult = await arbi.auth.login({ email, password, ssoToken });
+  store.saveCredentials({
+    email,
+    signingPrivateKeyBase64: arbi.crypto.bytesToBase64(loginResult.signingPrivateKey),
+    serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
+    ssoToken,
+    accessToken: void 0,
+    workspaceKeyHeader: void 0,
+    workspaceId: void 0,
+    tokenTimestamp: void 0
+  });
+  return { arbi, loginResult, config };
+}
 async function selectWorkspace(arbi, workspaceId, wrappedKey, serverSessionKey, signingPrivateKeyBase64) {
   const signingPrivateKey = base64ToBytes(signingPrivateKeyBase64);
   const ed25519PublicKey = signingPrivateKey.slice(32, 64);
@@ -644,6 +789,27 @@ async function streamSSE(response, callbacks = {}) {
     context
   };
 }
+function formatStreamSummary(result, elapsedTime) {
+  const parts = [];
+  if (result.agentSteps.length > 0) {
+    let stepLabel = `${result.agentSteps.length} step${result.agentSteps.length === 1 ? "" : "s"}`;
+    if (result.toolCallCount > 0) {
+      stepLabel += ` (${result.toolCallCount} tool call${result.toolCallCount === 1 ? "" : "s"})`;
+    }
+    parts.push(stepLabel);
+  }
+  if (result.usage) {
+    parts.push(`${result.usage.total_tokens.toLocaleString()} tokens`);
+  }
+  if (result.context && result.context.context_window > 0) {
+    const used = result.context.all_llm_calls?.last_input_tokens ?? result.context.total_input;
+    parts.push(`${used.toLocaleString()}/${result.context.context_window.toLocaleString()} context`);
+  }
+  if (elapsedTime != null) {
+    parts.push(`${elapsedTime.toFixed(1)}s`);
+  }
+  return parts.length > 0 ? parts.join(" \xB7 ") : "";
+}
 var consumeSSEStream = streamSSE;
 var AUTH_TIMEOUT_MS = 1e4;
 var MAX_BACKOFF_MS = 3e4;
@@ -868,6 +1034,66 @@ function formatUserName(user) {
   return [user.given_name, user.family_name].filter(Boolean).join(" ");
 }
 
+// src/citations.ts
+function resolveCitations(metadata) {
+  if (!metadata?.tools) return [];
+  const tools = metadata.tools;
+  const modelCitations = tools.model_citations;
+  const citationMap = modelCitations?.tool_responses;
+  if (!citationMap || Object.keys(citationMap).length === 0) return [];
+  const chunkLookup = buildChunkLookup(tools);
+  const resolved = [];
+  for (const [citationNum, citationData] of Object.entries(citationMap)) {
+    const chunks = [];
+    for (const chunkId of citationData.chunk_ids ?? []) {
+      const chunk = chunkLookup.get(chunkId);
+      if (chunk) chunks.push(chunk);
+    }
+    resolved.push({ citationNum, citationData, chunks });
+  }
+  resolved.sort((a, b) => Number(a.citationNum) - Number(b.citationNum));
+  return resolved;
+}
+function summarizeCitations(resolved) {
+  return resolved.map((r) => {
+    const firstChunk = r.chunks[0];
+    return {
+      citationNum: r.citationNum,
+      statement: r.citationData.statement ?? "",
+      docTitle: firstChunk?.metadata?.doc_title ?? "Unknown document",
+      pageNumber: firstChunk?.metadata?.page_number ?? null,
+      chunkCount: r.chunks.length
+    };
+  });
+}
+function countCitations(metadata) {
+  if (!metadata?.tools) return 0;
+  const tools = metadata.tools;
+  const modelCitations = tools.model_citations;
+  const responses = modelCitations?.tool_responses;
+  return responses ? Object.keys(responses).length : 0;
+}
+function stripCitationMarkdown(text) {
+  return text.replace(/\[([^\]]+)\]\(#cite-(\d+)\)/g, "$1[$2]");
+}
+function buildChunkLookup(tools) {
+  const lookup = /* @__PURE__ */ new Map();
+  for (const toolName of ["retrieval_chunk", "retrieval_full_context"]) {
+    const tool = tools[toolName];
+    if (!tool?.tool_responses) continue;
+    for (const chunks of Object.values(tool.tool_responses)) {
+      if (!Array.isArray(chunks)) continue;
+      for (const chunk of chunks) {
+        const id = chunk.metadata?.chunk_ext_id;
+        if (id && !lookup.has(id)) {
+          lookup.set(id, chunk);
+        }
+      }
+    }
+  }
+  return lookup;
+}
+
 // src/operations/documents.ts
 var documents_exports = {};
 __export(documents_exports, {
@@ -1565,6 +1791,19 @@ var Arbi = class {
       lr.serverSessionKey,
       signingPrivateKeyBase64
     );
+    const workspaceKeyHeader = client.session.getWorkspaceKeyHeader();
+    if (workspaceKeyHeader) {
+      const { data: openResult, error: openError } = await client.fetch.POST(
+        "/v1/workspace/{workspace_ext_id}/open",
+        {
+          params: { path: { workspace_ext_id: ws.external_id } },
+          body: { workspace_key: workspaceKeyHeader }
+        }
+      );
+      if (!openError && openResult?.access_token) {
+        client.session.setAccessToken(openResult.access_token);
+      }
+    }
     this.currentWorkspaceId = ws.external_id;
   }
   /** Log out and clear internal state. */
@@ -1966,6 +2205,6 @@ function extractResponseText(response) {
   return parts.join("");
 }
 
-export { Arbi, ArbiApiError, ArbiError, FileConfigStore, LIFECYCLE_LABELS, TOOL_LABELS, agentconfig_exports as agentconfig, assistant_exports as assistant, authenticatedFetch, buildRetrievalChunkTool, buildRetrievalFullContextTool, buildRetrievalTocTool, connectWebSocket, connectWithReconnect, consumeSSEStream, contacts_exports as contacts, conversations_exports as conversations, createAuthenticatedClient, createDocumentWaiter, dm_exports as dm, doctags_exports as doctags, documents_exports as documents, documents_node_exports as documentsNode, files_exports as files, formatAgentStepLabel, formatFileSize, formatUserName, formatWorkspaceChoices, formatWsMessage, generateEncryptedWorkspaceKey, getErrorCode, getErrorMessage, health_exports as health, parseSSEEvents, performPasswordLogin, requireData, requireOk, resolveAuth, resolveWorkspace, responses_exports as responses, selectWorkspace, selectWorkspaceById, settings_exports as settings, streamSSE, tags_exports as tags, workspaces_exports as workspaces };
+export { Arbi, ArbiApiError, ArbiError, FileConfigStore, LIFECYCLE_LABELS, TOOL_LABELS, agentconfig_exports as agentconfig, assistant_exports as assistant, authenticatedFetch, buildRetrievalChunkTool, buildRetrievalFullContextTool, buildRetrievalTocTool, connectWebSocket, connectWithReconnect, consumeSSEStream, contacts_exports as contacts, conversations_exports as conversations, countCitations, createAuthenticatedClient, createDocumentWaiter, device_flow_exports as deviceFlow, dm_exports as dm, doctags_exports as doctags, documents_exports as documents, documents_node_exports as documentsNode, files_exports as files, formatAgentStepLabel, formatFileSize, formatStreamSummary, formatUserName, formatWorkspaceChoices, formatWsMessage, generateEncryptedWorkspaceKey, getErrorCode, getErrorMessage, health_exports as health, parseSSEEvents, performPasswordLogin, performSsoDeviceFlowLogin, requireData, requireOk, resolveAuth, resolveCitations, resolveWorkspace, responses_exports as responses, selectWorkspace, selectWorkspaceById, settings_exports as settings, streamSSE, stripCitationMarkdown, summarizeCitations, tags_exports as tags, workspaces_exports as workspaces };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map