@arbidocs/sdk 0.3.64 → 0.3.66

package/dist/browser.d.cts

@@ -1,2 +1,2 @@
-export { i as AgentStepEvent, j as Arbi, k as ArbiApiError, l as ArbiError, aP as ArbiErrorEvent, m as ArbiOptions, n as ArtifactEvent, o as AuthContext, A as AuthHeaders, p as AuthenticatedClient, c as ChatSession, q as CitationSummary, a as CliConfig, b as CliCredentials, C as ConfigStore, r as ConnectOptions, y as MessageMetadataPayload, z as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, B as ReconnectableWsConnection, E as ResolvedCitation, G as ResponseCompletedEvent, H as ResponseContentPartAddedEvent, I as ResponseCreatedEvent, J as ResponseFailedEvent, K as ResponseOutputItemAddedEvent, N as ResponseOutputItemDoneEvent, P as ResponseOutputTextDeltaEvent, T as ResponseOutputTextDoneEvent, V as ResponseUsage, W as SSEEvent, X as SSEStreamCallbacks, Y as SSEStreamResult, Z as SSEStreamStartData, _ as UserInfo, $ as UserInputRequestEvent, a0 as UserMessageEvent, a1 as WorkspaceContext, a2 as WsConnection, a3 as agentconfig, a4 as assistant, a5 as authenticatedFetch, a6 as buildRetrievalChunkTool, a7 as buildRetrievalFullContextTool, a8 as buildRetrievalTocTool, a9 as connectWebSocket, aa as connectWithReconnect, ab as consumeSSEStream, ac as contacts, ad as conversations, ae as countCitations, af as createAuthenticatedClient, ah as dm, ai as doctags, aj as documents, ak as files, al as formatAgentStepLabel, am as formatFileSize, ao as formatUserName, ap as formatWorkspaceChoices, au as getErrorMessage, av as getRawWorkspaceKey, aw as health, ax as parseSSEEvents, ay as performPasswordLogin, aB as requireData, aC as requireOk, aD as resolveAuth, aE as resolveCitations, aF as resolveWorkspace, aG as responses, aH as selectWorkspace, aI as selectWorkspaceById, aJ as settings, aK as streamSSE, aL as stripCitationMarkdown, aM as summarizeCitations, aN as tags, aO as workspaces } from './browser-Bs2joT0Y.cjs';
+export { i as AgentStepEvent, j as Arbi, k as ArbiApiError, l as ArbiError, aP as ArbiErrorEvent, m as ArbiOptions, n as ArtifactEvent, o as AuthContext, A as AuthHeaders, p as AuthenticatedClient, c as ChatSession, q as CitationSummary, a as CliConfig, b as CliCredentials, C as ConfigStore, r as ConnectOptions, y as MessageMetadataPayload, z as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, B as ReconnectableWsConnection, E as ResolvedCitation, G as ResponseCompletedEvent, H as ResponseContentPartAddedEvent, I as ResponseCreatedEvent, J as ResponseFailedEvent, K as ResponseOutputItemAddedEvent, N as ResponseOutputItemDoneEvent, P as ResponseOutputTextDeltaEvent, T as ResponseOutputTextDoneEvent, V as ResponseUsage, W as SSEEvent, X as SSEStreamCallbacks, Y as SSEStreamResult, Z as SSEStreamStartData, _ as UserInfo, $ as UserInputRequestEvent, a0 as UserMessageEvent, a1 as WorkspaceContext, a2 as WsConnection, a3 as agentconfig, a4 as assistant, a5 as authenticatedFetch, a6 as buildRetrievalChunkTool, a7 as buildRetrievalFullContextTool, a8 as buildRetrievalTocTool, a9 as connectWebSocket, aa as connectWithReconnect, ab as consumeSSEStream, ac as contacts, ad as conversations, ae as countCitations, af as createAuthenticatedClient, ah as dm, ai as doctags, aj as documents, ak as files, al as formatAgentStepLabel, am as formatFileSize, ao as formatUserName, ap as formatWorkspaceChoices, au as getErrorMessage, av as getRawWorkspaceKey, aw as health, ax as parseSSEEvents, ay as performPasswordLogin, aB as requireData, aC as requireOk, aD as resolveAuth, aE as resolveCitations, aF as resolveWorkspace, aG as responses, aH as selectWorkspace, aI as selectWorkspaceById, aJ as settings, aK as streamSSE, aL as stripCitationMarkdown, aM as summarizeCitations, aN as tags, aO as workspaces } from './browser-6H2O896Y.cjs';
 import '@arbidocs/client';

package/dist/browser.d.ts

@@ -1,2 +1,2 @@
-export { i as AgentStepEvent, j as Arbi, k as ArbiApiError, l as ArbiError, aP as ArbiErrorEvent, m as ArbiOptions, n as ArtifactEvent, o as AuthContext, A as AuthHeaders, p as AuthenticatedClient, c as ChatSession, q as CitationSummary, a as CliConfig, b as CliCredentials, C as ConfigStore, r as ConnectOptions, y as MessageMetadataPayload, z as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, B as ReconnectableWsConnection, E as ResolvedCitation, G as ResponseCompletedEvent, H as ResponseContentPartAddedEvent, I as ResponseCreatedEvent, J as ResponseFailedEvent, K as ResponseOutputItemAddedEvent, N as ResponseOutputItemDoneEvent, P as ResponseOutputTextDeltaEvent, T as ResponseOutputTextDoneEvent, V as ResponseUsage, W as SSEEvent, X as SSEStreamCallbacks, Y as SSEStreamResult, Z as SSEStreamStartData, _ as UserInfo, $ as UserInputRequestEvent, a0 as UserMessageEvent, a1 as WorkspaceContext, a2 as WsConnection, a3 as agentconfig, a4 as assistant, a5 as authenticatedFetch, a6 as buildRetrievalChunkTool, a7 as buildRetrievalFullContextTool, a8 as buildRetrievalTocTool, a9 as connectWebSocket, aa as connectWithReconnect, ab as consumeSSEStream, ac as contacts, ad as conversations, ae as countCitations, af as createAuthenticatedClient, ah as dm, ai as doctags, aj as documents, ak as files, al as formatAgentStepLabel, am as formatFileSize, ao as formatUserName, ap as formatWorkspaceChoices, au as getErrorMessage, av as getRawWorkspaceKey, aw as health, ax as parseSSEEvents, ay as performPasswordLogin, aB as requireData, aC as requireOk, aD as resolveAuth, aE as resolveCitations, aF as resolveWorkspace, aG as responses, aH as selectWorkspace, aI as selectWorkspaceById, aJ as settings, aK as streamSSE, aL as stripCitationMarkdown, aM as summarizeCitations, aN as tags, aO as workspaces } from './browser-Bs2joT0Y.js';
+export { i as AgentStepEvent, j as Arbi, k as ArbiApiError, l as ArbiError, aP as ArbiErrorEvent, m as ArbiOptions, n as ArtifactEvent, o as AuthContext, A as AuthHeaders, p as AuthenticatedClient, c as ChatSession, q as CitationSummary, a as CliConfig, b as CliCredentials, C as ConfigStore, r as ConnectOptions, y as MessageMetadataPayload, z as MessageQueuedEvent, O as OutputTokensDetails, Q as QueryOptions, R as ReconnectOptions, B as ReconnectableWsConnection, E as ResolvedCitation, G as ResponseCompletedEvent, H as ResponseContentPartAddedEvent, I as ResponseCreatedEvent, J as ResponseFailedEvent, K as ResponseOutputItemAddedEvent, N as ResponseOutputItemDoneEvent, P as ResponseOutputTextDeltaEvent, T as ResponseOutputTextDoneEvent, V as ResponseUsage, W as SSEEvent, X as SSEStreamCallbacks, Y as SSEStreamResult, Z as SSEStreamStartData, _ as UserInfo, $ as UserInputRequestEvent, a0 as UserMessageEvent, a1 as WorkspaceContext, a2 as WsConnection, a3 as agentconfig, a4 as assistant, a5 as authenticatedFetch, a6 as buildRetrievalChunkTool, a7 as buildRetrievalFullContextTool, a8 as buildRetrievalTocTool, a9 as connectWebSocket, aa as connectWithReconnect, ab as consumeSSEStream, ac as contacts, ad as conversations, ae as countCitations, af as createAuthenticatedClient, ah as dm, ai as doctags, aj as documents, ak as files, al as formatAgentStepLabel, am as formatFileSize, ao as formatUserName, ap as formatWorkspaceChoices, au as getErrorMessage, av as getRawWorkspaceKey, aw as health, ax as parseSSEEvents, ay as performPasswordLogin, aB as requireData, aC as requireOk, aD as resolveAuth, aE as resolveCitations, aF as resolveWorkspace, aG as responses, aH as selectWorkspace, aI as selectWorkspaceById, aJ as settings, aK as streamSSE, aL as stripCitationMarkdown, aM as summarizeCitations, aN as tags, aO as workspaces } from './browser-6H2O896Y.js';
 import '@arbidocs/client';

package/dist/browser.js

@@ -3565,6 +3565,7 @@ async function authenticatedFetch(options) {
 }
 
 // src/auth.ts
+var TOKEN_MAX_AGE_MS = 50 * 60 * 1e3;
 function formatWorkspaceChoices(wsList) {
   return wsList.map((ws) => {
     const totalDocs = ws.shared_document_count + ws.private_document_count;
@@ -3595,11 +3596,11 @@ async function createAuthenticatedClient(config, creds, store) {
   });
   store.saveCredentials({
     ...creds,
+    userExtId: loginResult.userExtId ?? creds.userExtId,
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult };
 }
@@ -3609,13 +3610,18 @@ async function performPasswordLogin(config, email, password, store) {
   const loginResult = await arbi.auth.login({ email, password });
   store.saveCredentials({
     email,
+    userExtId: loginResult.userExtId,
     signingPrivateKeyBase64: arbi.crypto.bytesToBase64(loginResult.signingPrivateKey),
     serverSessionKeyBase64: arbi.crypto.bytesToBase64(loginResult.serverSessionKey),
-    // Clear any cached workspace tokens — new session key invalidates them
+    // `parent_ext_id` is set for persistent agent accounts (the user is
+    // an Assistant owned by another user). Persisting it makes the CLI's
+    // `arbi listen` work — it requires this to confirm a real agent
+    // identity. Regular users get `null`, which we store as `undefined`.
+    parentExtId: loginResult.parentExtId ?? void 0,
+    // New session = no workspaces deposited yet.
     accessToken: void 0,
-    sealedWorkspaceKey: void 0,
-    workspaceId: void 0,
-    tokenTimestamp: void 0
+    tokenTimestamp: void 0,
+    openedWorkspaces: void 0
   });
   return { arbi, loginResult, config };
 }
@@ -3631,16 +3637,6 @@ async function selectWorkspace(arbi, workspaceId, wrappedKey, serverSessionKey,
   arbi.session.setSelectedWorkspace(workspaceId);
   return header;
 }
-async function generateEncryptedWorkspaceKey(arbi, wrappedKey, serverSessionKey, signingPrivateKeyBase64) {
-  const signingPrivateKey = base64ToBytes(signingPrivateKeyBase64);
-  const ed25519PublicKey = signingPrivateKey.slice(32, 64);
-  const encryptionKeyPair = deriveEncryptionKeypairFromSigning({
-    publicKey: ed25519PublicKey,
-    secretKey: signingPrivateKey
-  });
-  const workspaceKey = sealedBoxDecrypt(wrappedKey, encryptionKeyPair.secretKey);
-  return sealKeyForSession(workspaceKey, serverSessionKey);
-}
 async function getRawWorkspaceKey(arbi, workspaceId, signingPrivateKeyBase64) {
   const { data: workspaces, error } = await arbi.fetch.GET("/v1/user/workspaces");
   if (error || !workspaces) {
@@ -3658,38 +3654,79 @@ async function getRawWorkspaceKey(arbi, workspaceId, signingPrivateKeyBase64) {
   });
   return sealedBoxDecrypt(ws.wrapped_key, encryptionKeyPair.secretKey);
 }
+async function openWorkspaceEntry(arbi, ws, serverSessionKey, signingPrivateKeyBase64) {
+  if (ws.wrapped_key) {
+    const sealedKey = await selectWorkspace(
+      arbi,
+      ws.external_id,
+      ws.wrapped_key,
+      serverSessionKey,
+      signingPrivateKeyBase64
+    );
+    const { error: error2 } = await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
+      params: { path: { workspace_ext_id: ws.external_id } },
+      body: { workspace_key: sealedKey }
+    });
+    if (error2) {
+      throw new ArbiError(`Workspace open failed for ${ws.external_id}: ${JSON.stringify(error2)}`);
+    }
+    return sealedKey;
+  }
+  arbi.session.setSelectedWorkspace(ws.external_id);
+  const { error } = await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
+    params: { path: { workspace_ext_id: ws.external_id } },
+    body: {}
+  });
+  if (error) {
+    throw new ArbiError(`Workspace open failed for ${ws.external_id}: ${JSON.stringify(error)}`);
+  }
+  return null;
+}
 async function selectWorkspaceById(arbi, workspaceId, serverSessionKey, signingPrivateKeyBase64) {
   const { data: workspaces, error } = await arbi.fetch.GET("/v1/user/workspaces");
   if (error || !workspaces) {
     throw new ArbiError("Failed to fetch workspaces");
   }
   const ws = workspaces.find((w2) => w2.external_id === workspaceId);
-  if (!ws || !ws.wrapped_key) {
-    throw new ArbiError(`Workspace ${workspaceId} not found or has no encryption key`);
+  if (!ws) {
+    throw new ArbiError(`Workspace ${workspaceId} not found`);
   }
-  const sealedKey = await selectWorkspace(
-    arbi,
-    ws.external_id,
-    ws.wrapped_key,
-    serverSessionKey,
-    signingPrivateKeyBase64
-  );
-  await arbi.fetch.POST("/v1/workspace/{workspace_ext_id}/open", {
-    params: { path: { workspace_ext_id: ws.external_id } },
-    body: { workspace_key: sealedKey }
-  });
-  return { external_id: ws.external_id, name: ws.name, wrapped_key: ws.wrapped_key };
+  const sealedKey = await openWorkspaceEntry(arbi, ws, serverSessionKey, signingPrivateKeyBase64);
+  return {
+    external_id: ws.external_id,
+    name: ws.name,
+    wrapped_key: ws.wrapped_key ?? null,
+    sealed_key: sealedKey
+  };
+}
+function isSessionAlive(creds) {
+  return !!(creds.accessToken && creds.tokenTimestamp && Date.now() - new Date(creds.tokenTimestamp).getTime() < TOKEN_MAX_AGE_MS);
+}
+async function buildAuthFromCache(config, creds, store) {
+  const arbi = createArbiClient(buildClientOptions(config, store, creds.email));
+  await arbi.crypto.initSodium();
+  arbi.session.setUser(creds.email, creds.userExtId);
+  arbi.session.setAccessToken(creds.accessToken);
+  const signingPrivateKey = base64ToBytes(creds.signingPrivateKeyBase64);
+  const serverSessionKey = base64ToBytes(creds.serverSessionKeyBase64);
+  const loginResult = {
+    accessToken: creds.accessToken,
+    userExtId: creds.userExtId,
+    signingPrivateKey,
+    serverSessionKey
+  };
+  return { arbi, loginResult };
 }
 async function resolveAuth(store) {
   const config = store.requireConfig();
   const creds = store.requireCredentials();
+  if (isSessionAlive(creds)) {
+    const { arbi: arbi2, loginResult: loginResult2 } = await buildAuthFromCache(config, creds, store);
+    return { arbi: arbi2, loginResult: loginResult2, config };
+  }
   const { arbi, loginResult } = await createAuthenticatedClient(config, creds, store);
   return { arbi, loginResult, config };
 }
-var TOKEN_MAX_AGE_MS = 50 * 60 * 1e3;
-function isCachedTokenValid(creds, workspaceId) {
-  return !!(creds.accessToken && creds.sealedWorkspaceKey && creds.workspaceId === workspaceId && creds.tokenTimestamp && Date.now() - new Date(creds.tokenTimestamp).getTime() < TOKEN_MAX_AGE_MS);
-}
 async function resolveWorkspace(store, workspaceOpt) {
   const config = store.requireConfig();
   const creds = store.requireCredentials();
@@ -3697,53 +3734,52 @@ async function resolveWorkspace(store, workspaceOpt) {
   if (!workspaceId) {
     throw new ArbiError("No workspace selected. Run: arbi workspace select <id>");
   }
-  if (isCachedTokenValid(creds, workspaceId)) {
-    const arbi2 = createArbiClient(buildClientOptions(config, store, creds.email));
-    await arbi2.crypto.initSodium();
-    arbi2.session.setUser(creds.email);
+  if (isSessionAlive(creds)) {
+    const { arbi: arbi2, loginResult: loginResult2 } = await buildAuthFromCache(config, creds, store);
     arbi2.session.setSelectedWorkspace(workspaceId);
-    arbi2.session.setAccessToken(creds.accessToken);
-    const signingPrivateKey = base64ToBytes(creds.signingPrivateKeyBase64);
-    const serverSessionKey = base64ToBytes(creds.serverSessionKeyBase64);
-    const loginResult2 = {
-      accessToken: creds.accessToken,
-      signingPrivateKey,
-      serverSessionKey
-    };
+    await selectWorkspaceById(
+      arbi2,
+      workspaceId,
+      loginResult2.serverSessionKey,
+      creds.signingPrivateKeyBase64
+    );
+    const nextOpened = Array.from(/* @__PURE__ */ new Set([...creds.openedWorkspaces ?? [], workspaceId]));
+    store.saveCredentials({
+      ...store.requireCredentials(),
+      openedWorkspaces: nextOpened
+    });
     return {
       arbi: arbi2,
       loginResult: loginResult2,
       config,
       workspaceId,
-      accessToken: creds.accessToken,
-      sealedWorkspaceKey: creds.sealedWorkspaceKey
+      accessToken: creds.accessToken
     };
   }
   const { arbi, loginResult } = await createAuthenticatedClient(config, creds, store);
-  const wsInfo = await selectWorkspaceById(
+  await selectWorkspaceById(
     arbi,
     workspaceId,
     loginResult.serverSessionKey,
     creds.signingPrivateKeyBase64
   );
   const accessToken = arbi.session.getState().accessToken;
-  const sealedWorkspaceKey = await generateEncryptedWorkspaceKey(
-    arbi,
-    wsInfo.wrapped_key,
-    loginResult.serverSessionKey,
-    creds.signingPrivateKeyBase64
-  );
   if (!accessToken) {
     throw new ArbiError("Authentication error \u2014 missing token");
   }
   store.saveCredentials({
     ...store.requireCredentials(),
     accessToken,
-    sealedWorkspaceKey,
-    workspaceId,
-    tokenTimestamp: (/* @__PURE__ */ new Date()).toISOString()
+    tokenTimestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    openedWorkspaces: [workspaceId]
   });
-  return { arbi, loginResult, config, workspaceId, accessToken, sealedWorkspaceKey };
+  return {
+    arbi,
+    loginResult,
+    config,
+    workspaceId,
+    accessToken
+  };
 }
 
 // src/sse.ts