@arbidocs/sdk 0.3.64 → 0.3.66

package/dist/{browser-Bs2joT0Y.d.cts → browser-6H2O896Y.d.cts}

@@ -84,16 +84,40 @@ interface CliConfig {
 }
 interface CliCredentials {
     email: string;
+    /** User's external ID (``usr-*`` or ``agt-*``). Needed by features
+     *  that key on user identity (DM crypto, contact resolution, etc.).
+     *  Set on every login from the API's response; required by
+     *  ``buildAuthFromCache`` to restore the session client-side
+     *  without a server round-trip. */
+    userExtId?: string;
     signingPrivateKeyBase64: string;
     serverSessionKeyBase64: string;
-    /** Cached access token from last successful resolveWorkspace() */
+    /** Cached access token for the live server session. Valid as long as
+     *  ``tokenTimestamp`` is within ``TOKEN_MAX_AGE_MS``. */
     accessToken?: string;
-    /** Cached session-sealed workspace key from last successful resolveWorkspace() */
-    sealedWorkspaceKey?: string;
-    /** Workspace ID the cached token was issued for */
-    workspaceId?: string;
-    /** ISO timestamp when the token was cached */
+    /** ISO timestamp when ``accessToken`` was issued. Used for client-side
+     *  TTL — the server enforces JWT exp independently. */
     tokenTimestamp?: string;
+    /**
+     * Workspaces whose keys are already deposited on the current server
+     * session — i.e. the keys of ``session.workspaces`` in the backend's
+     * Redis entry. Client-side mirror so we can skip a redundant `/open`
+     * round-trip when we've already deposited a workspace's key during
+     * this session's lifetime.
+     *
+     * Both grant types end up in this set:
+     *  - **Permanent** — first `/open` for the workspace POSTs the
+     *    wrapped_key and the server adds it to ``session.workspaces``.
+     *  - **Session-only** (PA agents, temporary shares) — the backend
+     *    pre-deposits via ``store_workspace_key_for_session_pubkey``,
+     *    then the client's `/open` is just a metadata fetch.
+     *
+     * Cleared on every event that invalidates the session: fresh login,
+     * auto-relogin on 401, logout. The new session starts with an empty
+     * ``session.workspaces`` server-side, so this client mirror must
+     * start empty too.
+     */
+    openedWorkspaces?: string[];
     /** Auth0 SSO token — needed for session recovery of SSO users */
     ssoToken?: string;
     /** Parent user ext_id — set for persistent agent accounts */
@@ -152,7 +176,6 @@ interface AuthContext {
 interface WorkspaceContext extends AuthContext {
     workspaceId: string;
     accessToken: string;
-    sealedWorkspaceKey: string;
 }
 /** Minimal workspace shape required by formatWorkspaceChoices. */
 interface WorkspaceForChoice {
@@ -232,23 +255,40 @@ declare function generateNewWorkspaceKey(arbi: ArbiClient, serverSessionKey: Uin
  * never log, persist, or transmit it over the wire.
  */
 declare function getRawWorkspaceKey(arbi: ArbiClient, workspaceId: string, signingPrivateKeyBase64: string): Promise<Uint8Array>;
-/**
- * Find a workspace by ID in the user's workspace list, select it, and return workspace info.
- */
 declare function selectWorkspaceById(arbi: ArbiClient, workspaceId: string, serverSessionKey: Uint8Array, signingPrivateKeyBase64: string): Promise<{
     external_id: string;
     name: string;
-    wrapped_key: string;
+    wrapped_key: string | null;
+    /** The session-sealed workspace key — `null` for session-only grants */
+    sealed_key: string | null;
 }>;
 /**
  * Authenticate and return the SDK client + config.
- * Throws ArbiError instead of calling process.exit.
+ *
+ * Fast path: reuse the live server session via cached accessToken.
+ * Slow path: fresh ``loginWithKey`` (mints a new session, clears
+ * ``openedWorkspaces``).
  */
 declare function resolveAuth(store: ConfigStore): Promise<AuthContext>;
 /**
- * Authenticate, resolve workspace, and set up headers.
- * Uses cached JWT when available for the same workspace and not expired.
- * Throws ArbiError instead of calling process.exit.
+ * Authenticate, ensure the workspace's key is deposited on the current
+ * server session, and return everything callers need.
+ *
+ * Decisions are independent:
+ *  1. **Session aliveness** — reuse the live session if its accessToken
+ *     is within TTL; otherwise fresh login. (Fresh login = new session
+ *     = ``openedWorkspaces`` reset to ``[]``.)
+ *  2. **Workspace deposit** — if ``workspaceId`` already appears in
+ *     ``creds.openedWorkspaces``, the server's session already holds
+ *     its key; no ``/open`` needed. Otherwise call ``/open`` once and
+ *     append to the set.
+ *
+ * Splitting these matters: previously the cache was gated on
+ * ``creds.workspaceId === workspaceId``, so any switch between
+ * workspaces forced a re-login. That orphaned PA-agent session
+ * deposits and broke ``arbi docs`` for them. Now switching workspaces
+ * within a live session just adds another entry to
+ * ``openedWorkspaces`` — no re-login, no orphaned deposits.
  */
 declare function resolveWorkspace(store: ConfigStore, workspaceOpt?: string): Promise<WorkspaceContext>;
 
@@ -2489,7 +2529,6 @@ declare class Arbi {
             muted_users: string[];
             premium_model?: string | null | undefined;
             picture?: string | null | undefined;
-            deletion_requested_at?: string | null | undefined;
         }>;
         update: (body: UserSettingsUpdate$1) => Promise<void>;
     };
@@ -3817,7 +3856,6 @@ declare function getSettings(arbi: ArbiClient): Promise<{
     muted_users: string[];
     premium_model?: string | null | undefined;
     picture?: string | null | undefined;
-    deletion_requested_at?: string | null | undefined;
 }>;
 declare function updateSettings(arbi: ArbiClient, body: UserSettingsUpdate): Promise<void>;
 

package/dist/{browser-Bs2joT0Y.d.ts → browser-6H2O896Y.d.ts}

@@ -84,16 +84,40 @@ interface CliConfig {
 }
 interface CliCredentials {
     email: string;
+    /** User's external ID (``usr-*`` or ``agt-*``). Needed by features
+     *  that key on user identity (DM crypto, contact resolution, etc.).
+     *  Set on every login from the API's response; required by
+     *  ``buildAuthFromCache`` to restore the session client-side
+     *  without a server round-trip. */
+    userExtId?: string;
     signingPrivateKeyBase64: string;
     serverSessionKeyBase64: string;
-    /** Cached access token from last successful resolveWorkspace() */
+    /** Cached access token for the live server session. Valid as long as
+     *  ``tokenTimestamp`` is within ``TOKEN_MAX_AGE_MS``. */
     accessToken?: string;
-    /** Cached session-sealed workspace key from last successful resolveWorkspace() */
-    sealedWorkspaceKey?: string;
-    /** Workspace ID the cached token was issued for */
-    workspaceId?: string;
-    /** ISO timestamp when the token was cached */
+    /** ISO timestamp when ``accessToken`` was issued. Used for client-side
+     *  TTL — the server enforces JWT exp independently. */
     tokenTimestamp?: string;
+    /**
+     * Workspaces whose keys are already deposited on the current server
+     * session — i.e. the keys of ``session.workspaces`` in the backend's
+     * Redis entry. Client-side mirror so we can skip a redundant `/open`
+     * round-trip when we've already deposited a workspace's key during
+     * this session's lifetime.
+     *
+     * Both grant types end up in this set:
+     *  - **Permanent** — first `/open` for the workspace POSTs the
+     *    wrapped_key and the server adds it to ``session.workspaces``.
+     *  - **Session-only** (PA agents, temporary shares) — the backend
+     *    pre-deposits via ``store_workspace_key_for_session_pubkey``,
+     *    then the client's `/open` is just a metadata fetch.
+     *
+     * Cleared on every event that invalidates the session: fresh login,
+     * auto-relogin on 401, logout. The new session starts with an empty
+     * ``session.workspaces`` server-side, so this client mirror must
+     * start empty too.
+     */
+    openedWorkspaces?: string[];
     /** Auth0 SSO token — needed for session recovery of SSO users */
     ssoToken?: string;
     /** Parent user ext_id — set for persistent agent accounts */
@@ -152,7 +176,6 @@ interface AuthContext {
 interface WorkspaceContext extends AuthContext {
     workspaceId: string;
     accessToken: string;
-    sealedWorkspaceKey: string;
 }
 /** Minimal workspace shape required by formatWorkspaceChoices. */
 interface WorkspaceForChoice {
@@ -232,23 +255,40 @@ declare function generateNewWorkspaceKey(arbi: ArbiClient, serverSessionKey: Uin
  * never log, persist, or transmit it over the wire.
  */
 declare function getRawWorkspaceKey(arbi: ArbiClient, workspaceId: string, signingPrivateKeyBase64: string): Promise<Uint8Array>;
-/**
- * Find a workspace by ID in the user's workspace list, select it, and return workspace info.
- */
 declare function selectWorkspaceById(arbi: ArbiClient, workspaceId: string, serverSessionKey: Uint8Array, signingPrivateKeyBase64: string): Promise<{
     external_id: string;
     name: string;
-    wrapped_key: string;
+    wrapped_key: string | null;
+    /** The session-sealed workspace key — `null` for session-only grants */
+    sealed_key: string | null;
 }>;
 /**
  * Authenticate and return the SDK client + config.
- * Throws ArbiError instead of calling process.exit.
+ *
+ * Fast path: reuse the live server session via cached accessToken.
+ * Slow path: fresh ``loginWithKey`` (mints a new session, clears
+ * ``openedWorkspaces``).
  */
 declare function resolveAuth(store: ConfigStore): Promise<AuthContext>;
 /**
- * Authenticate, resolve workspace, and set up headers.
- * Uses cached JWT when available for the same workspace and not expired.
- * Throws ArbiError instead of calling process.exit.
+ * Authenticate, ensure the workspace's key is deposited on the current
+ * server session, and return everything callers need.
+ *
+ * Decisions are independent:
+ *  1. **Session aliveness** — reuse the live session if its accessToken
+ *     is within TTL; otherwise fresh login. (Fresh login = new session
+ *     = ``openedWorkspaces`` reset to ``[]``.)
+ *  2. **Workspace deposit** — if ``workspaceId`` already appears in
+ *     ``creds.openedWorkspaces``, the server's session already holds
+ *     its key; no ``/open`` needed. Otherwise call ``/open`` once and
+ *     append to the set.
+ *
+ * Splitting these matters: previously the cache was gated on
+ * ``creds.workspaceId === workspaceId``, so any switch between
+ * workspaces forced a re-login. That orphaned PA-agent session
+ * deposits and broke ``arbi docs`` for them. Now switching workspaces
+ * within a live session just adds another entry to
+ * ``openedWorkspaces`` — no re-login, no orphaned deposits.
  */
 declare function resolveWorkspace(store: ConfigStore, workspaceOpt?: string): Promise<WorkspaceContext>;
 
@@ -2489,7 +2529,6 @@ declare class Arbi {
             muted_users: string[];
             premium_model?: string | null | undefined;
             picture?: string | null | undefined;
-            deletion_requested_at?: string | null | undefined;
         }>;
         update: (body: UserSettingsUpdate$1) => Promise<void>;
     };
@@ -3817,7 +3856,6 @@ declare function getSettings(arbi: ArbiClient): Promise<{
     muted_users: string[];
     premium_model?: string | null | undefined;
     picture?: string | null | undefined;
-    deletion_requested_at?: string | null | undefined;
 }>;
 declare function updateSettings(arbi: ArbiClient, body: UserSettingsUpdate): Promise<void>;
 

package/dist/browser.cjs

@@ -3568,6 +3568,7 @@ async function authenticatedFetch(options) {
 }
 
 // src/auth.ts
+var TOKEN_MAX_AGE_MS = 50 * 60 * 1e3;
 function formatWorkspaceChoices(wsList) {
   return wsList.map((ws) => {
     const totalDocs = ws.shared_document_count + ws.private_document_count;
@@ -3598,11 +3599,11 @@ async function createAuthenticatedClient(config, creds, store) {
   });
   store.saveCredentials({
     ...creds,
+    userExtId: loginResult.userExtId ?? creds.userExtId,
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult };
 }
@@ -3612,13 +3613,18 @@ async function performPasswordLogin(config, email, password, store) {
   const loginResult = await arbi.auth.login({ email, password });
   store.saveCredentials({
     email,
+    userExtId: loginResult.userExtId,
     signingPrivateKeyBase64: arbi.crypto.bytesToBase64(loginResult.signingPrivateKey),
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
-    // Clear any cached workspace tokens — new session key invalidates them
+    // `parent_ext_id` is set for persistent agent accounts (the user is
+    // an Assistant owned by another user). Persisting it makes the CLI's
+    // `arbi listen` work — it requires this to confirm a real agent
+    // identity. Regular users get `null`, which we store as `undefined`.
+    parentExtId: loginResult.parentExtId ?? void 0,
+    // New session = no workspaces deposited yet.
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult, config };
 }
@@ -3634,16 +3640,6 @@ async function selectWorkspace(arbi, workspaceId, wrappedKey, serverSessionKey,
   arbi.session.setSelectedWorkspace(workspaceId);
   return header;
 }
-async function generateEncryptedWorkspaceKey(arbi, wrappedKey, serverSessionKey, signingPrivateKeyBase64) {
-  const signingPrivateKey = client.base64ToBytes(signingPrivateKeyBase64);
-  const ed25519PublicKey = signingPrivateKey.slice(32, 64);
-  const encryptionKeyPair = client.deriveEncryptionKeypairFromSigning({
-    publicKey: ed25519PublicKey,
-    secretKey: signingPrivateKey
-  });
-  const workspaceKey = client.sealedBoxDecrypt(wrappedKey, encryptionKeyPair.secretKey);
-  return client.sealKeyForSession(workspaceKey, serverSessionKey);
-}
 async function getRawWorkspaceKey(arbi, workspaceId, signingPrivateKeyBase64) {
   const { data: workspaces, error } = await arbi.fetch.GET("/v1/user/workspaces");
   if (error || !workspaces) {
@@ -3661,38 +3657,79 @@ async function getRawWorkspaceKey(arbi, workspaceId, signingPrivateKeyBase64) {
   });
   return client.sealedBoxDecrypt(ws.wrapped_key, encryptionKeyPair.secretKey);
 }
+async function openWorkspaceEntry(arbi, ws, serverSessionKey, signingPrivateKeyBase64) {
+  if (ws.wrapped_key) {
+    const sealedKey = await selectWorkspace(
+      arbi,
+      ws.external_id,
+      ws.wrapped_key,
+      serverSessionKey,
+      signingPrivateKeyBase64
+    );
+    const { error: error2 } = await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
+      params: { path: { workspace_ext_id: ws.external_id } },
+      body: { workspace_key: sealedKey }
+    });
+    if (error2) {
+      throw new ArbiError(`Workspace open failed for ${ws.external_id}: ${JSON.stringify(error2)}`);
+    }
+    return sealedKey;
+  }
+  arbi.session.setSelectedWorkspace(ws.external_id);
+  const { error } = await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
+    params: { path: { workspace_ext_id: ws.external_id } },
+    body: {}
+  });
+  if (error) {
+    throw new ArbiError(`Workspace open failed for ${ws.external_id}: ${JSON.stringify(error)}`);
+  }
+  return null;
+}
 async function selectWorkspaceById(arbi, workspaceId, serverSessionKey, signingPrivateKeyBase64) {
   const { data: workspaces, error } = await arbi.fetch.GET("/v1/user/workspaces");
   if (error || !workspaces) {
     throw new ArbiError("Failed to fetch workspaces");
   }
   const ws = workspaces.find((w2) => w2.external_id === workspaceId);
-  if (!ws || !ws.wrapped_key) {
-    throw new ArbiError(`Workspace ${workspaceId} not found or has no encryption key`);
+  if (!ws) {
+    throw new ArbiError(`Workspace ${workspaceId} not found`);
   }
-  const sealedKey = await selectWorkspace(
-    arbi,
-    ws.external_id,
-    ws.wrapped_key,
-    serverSessionKey,
-    signingPrivateKeyBase64
-  );
-  await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
-    params: { path: { workspace_ext_id: ws.external_id } },
-    body: { workspace_key: sealedKey }
-  });
-  return { external_id: ws.external_id, name: ws.name, wrapped_key: ws.wrapped_key };
+  const sealedKey = await openWorkspaceEntry(arbi, ws, serverSessionKey, signingPrivateKeyBase64);
+  return {
+    external_id: ws.external_id,
+    name: ws.name,
+    wrapped_key: ws.wrapped_key ?? null,
+    sealed_key: sealedKey
+  };
+}
+function isSessionAlive(creds) {
+  return !!(creds.accessToken && creds.tokenTimestamp && Date.now() - new Date(creds.tokenTimestamp).getTime() < TOKEN_MAX_AGE_MS);
+}
+async function buildAuthFromCache(config, creds, store) {
+  const arbi = client.createArbiClient(buildClientOptions(config, store, creds.email));
+  await arbi.crypto.initSodium();
+  arbi.session.setUser(creds.email, creds.userExtId);
+  arbi.session.setAccessToken(creds.accessToken);
+  const signingPrivateKey = client.base64ToBytes(creds.signingPrivateKeyBase64);
+  const serverSessionKey = client.base64ToBytes(creds.serverSessionKeyBase64);
+  const loginResult = {
+    accessToken: creds.accessToken,
+    userExtId: creds.userExtId,
+    signingPrivateKey,
+    serverSessionKey
+  };
+  return { arbi, loginResult };
 }
 async function resolveAuth(store) {
   const config = store.requireConfig();
   const creds = store.requireCredentials();
+  if (isSessionAlive(creds)) {
+    const { arbi: arbi2, loginResult: loginResult2 } = await buildAuthFromCache(config, creds, store);
+    return { arbi: arbi2, loginResult: loginResult2, config };
+  }
   const { arbi, loginResult } = await createAuthenticatedClient(config, creds, store);
   return { arbi, loginResult, config };
 }
-var TOKEN_MAX_AGE_MS = 50 * 60 * 1e3;
-function isCachedTokenValid(creds, workspaceId) {
-  return !!(creds.accessToken && creds.sealedWorkspaceKey && creds.workspaceId === workspaceId && creds.tokenTimestamp && Date.now() - new Date(creds.tokenTimestamp).getTime() < TOKEN_MAX_AGE_MS);
-}
 async function resolveWorkspace(store, workspaceOpt) {
   const config = store.requireConfig();
   const creds = store.requireCredentials();
@@ -3700,53 +3737,52 @@ async function resolveWorkspace(store, workspaceOpt) {
   if (!workspaceId) {
     throw new ArbiError("No workspace selected. Run: arbi workspace select <id>");
   }
-  if (isCachedTokenValid(creds, workspaceId)) {
-    const arbi2 = client.createArbiClient(buildClientOptions(config, store, creds.email));
-    await arbi2.crypto.initSodium();
-    arbi2.session.setUser(creds.email);
+  if (isSessionAlive(creds)) {
+    const { arbi: arbi2, loginResult: loginResult2 } = await buildAuthFromCache(config, creds, store);
     arbi2.session.setSelectedWorkspace(workspaceId);
-    arbi2.session.setAccessToken(creds.accessToken);
-    const signingPrivateKey = client.base64ToBytes(creds.signingPrivateKeyBase64);
-    const serverSessionKey = client.base64ToBytes(creds.serverSessionKeyBase64);
-    const loginResult2 = {
-      accessToken: creds.accessToken,
-      signingPrivateKey,
-      serverSessionKey
-    };
+    await selectWorkspaceById(
+      arbi2,
+      workspaceId,
+      loginResult2.serverSessionKey,
+      creds.signingPrivateKeyBase64
+    );
+    const nextOpened = Array.from(/* @__PURE__ */ new Set([...creds.openedWorkspaces ?? [], workspaceId]));
+    store.saveCredentials({
+      ...store.requireCredentials(),
+      openedWorkspaces: nextOpened
+    });
     return {
       arbi: arbi2,
       loginResult: loginResult2,
       config,
       workspaceId,
-      accessToken: creds.accessToken,
-      sealedWorkspaceKey: creds.sealedWorkspaceKey
+      accessToken: creds.accessToken
     };
   }
   const { arbi, loginResult } = await createAuthenticatedClient(config, creds, store);
-  const wsInfo = await selectWorkspaceById(
+  await selectWorkspaceById(
     arbi,
     workspaceId,
     loginResult.serverSessionKey,
     creds.signingPrivateKeyBase64
   );
   const accessToken = arbi.session.getState().accessToken;
-  const sealedWorkspaceKey = await generateEncryptedWorkspaceKey(
-    arbi,
-    wsInfo.wrapped_key,
-    loginResult.serverSessionKey,
-    creds.signingPrivateKeyBase64
-  );
   if (!accessToken) {
     throw new ArbiError("Authentication error \u2014 missing token");
   }
   store.saveCredentials({
     ...store.requireCredentials(),
     accessToken,
-    sealedWorkspaceKey,
-    workspaceId,
-    tokenTimestamp: (/* @__PURE__ */ new Date()).toISOString()
+    tokenTimestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    openedWorkspaces: [workspaceId]
   });
-  return { arbi, loginResult, config, workspaceId, accessToken, sealedWorkspaceKey };
+  return {
+    arbi,
+    loginResult,
+    config,
+    workspaceId,
+    accessToken
+  };
 }
 
 // src/sse.ts