@calimero-network/mero-js 1.0.2 → 2.0.0-beta.1

package/dist/index.mjs

@@ -1,3 +1,9 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
 // src/http-client/signal-utils.ts
 function combineSignals(signals) {
   const list = signals.filter(Boolean);
@@ -62,15 +68,24 @@ function headersToRecord(headers) {
 var WebHttpClient = class {
   constructor(transport) {
     this.transport = transport;
+    // Cache for concurrent refresh token calls to prevent race conditions
+    this.refreshTokenPromise = null;
+    // Cache for concurrent onTokenRefresh calls to prevent duplicate callbacks
+    this.onTokenRefreshPromise = null;
   }
   async get(path, init) {
     return this.request(path, { ...init, method: "GET" });
   }
   async post(path, body, init) {
+    const jsonBody = body ? JSON.stringify(body) : void 0;
+    if (path.includes("/refresh")) {
+      console.log("[HTTP POST /refresh] Body being sent:", jsonBody);
+      console.log("[HTTP POST /refresh] Body type:", typeof body, body ? Object.keys(body) : "undefined");
+    }
     return this.request(path, {
       ...init,
       method: "POST",
-      body: body ? JSON.stringify(body) : void 0,
+      body: jsonBody,
       headers: {
         "Content-Type": "application/json",
         ...init?.headers
@@ -116,61 +131,10 @@ var WebHttpClient = class {
   async request(path, init) {
     return this.makeRequest(path, init);
   }
-  async makeRequest(path, init) {
+  async makeRequest(path, init, retryCount = 0, requestStartTime) {
+    const MAX_RETRY_ATTEMPTS = 1;
     const url = this.buildUrl(path);
-    const hasTauriInternals = typeof window !== "undefined" && "__TAURI_INTERNALS__" in window;
-    const hasTauri = typeof window !== "undefined" && "__TAURI__" in window;
-    const isTauri = hasTauriInternals || hasTauri || this.transport.credentials === "omit";
-    if (isTauri) {
-      const headers2 = await this.buildHeaders(init?.headers);
-      let headersObj2;
-      if (headers2 instanceof Headers) {
-        headersObj2 = {};
-        headers2.forEach((value, key) => {
-          headersObj2[key] = value;
-        });
-      } else {
-        headersObj2 = headers2;
-      }
-      const requestInit2 = {};
-      if (init?.method && init.method !== "GET") {
-        requestInit2.method = init.method;
-      }
-      if (headersObj2 && Object.keys(headersObj2).length > 0) {
-        requestInit2.headers = headersObj2;
-      }
-      if (init?.body !== void 0 && init.body !== null) {
-        requestInit2.body = init.body;
-      }
-      if (this.transport.credentials !== void 0) {
-        requestInit2.credentials = this.transport.credentials;
-      }
-      try {
-        const response = await globalThis.fetch(url, requestInit2);
-        if (!response.ok) {
-          const bodyText = await this.getBodyText(response);
-          throw new HTTPError(
-            response.status,
-            response.statusText,
-            url,
-            response.headers,
-            bodyText
-          );
-        }
-        return this.parseResponse(response, init?.parse);
-      } catch (error) {
-        if (error instanceof HTTPError) {
-          throw error;
-        }
-        throw new HTTPError(
-          0,
-          "Network Error",
-          url,
-          new Headers(),
-          error instanceof Error ? error.message : "Unknown error"
-        );
-      }
-    }
+    const startTime = requestStartTime ?? Date.now();
     const signal = this.createAbortSignal(init);
     const headers = await this.buildHeaders(init?.headers);
     let headersObj;
@@ -186,11 +150,27 @@ var WebHttpClient = class {
       method: init?.method || "GET",
       headers: headersObj
     };
-    if (init?.body !== void 0) {
+    const isStreamBody = init?.body instanceof ReadableStream || typeof init?.body === "object" && init?.body !== null && "getReader" in init.body && !(init.body instanceof Blob);
+    if (init?.body !== void 0 && !isStreamBody) {
+      requestInit.body = init.body;
+    } else if (init?.body !== void 0 && isStreamBody && retryCount === 0) {
       requestInit.body = init.body;
     }
-    if (signal) {
-      requestInit.signal = signal;
+    let retrySignal;
+    if (retryCount > 0 && requestStartTime !== void 0) {
+      const timeoutMs = init?.timeoutMs || this.transport.timeoutMs;
+      if (timeoutMs) {
+        const elapsed = Date.now() - startTime;
+        const remaining = Math.max(0, timeoutMs - elapsed);
+        retrySignal = this.createAbortSignal({ ...init, timeoutMs: remaining });
+      } else {
+        retrySignal = this.createAbortSignal(init);
+      }
+    } else {
+      retrySignal = signal;
+    }
+    if (retrySignal) {
+      requestInit.signal = retrySignal;
     }
     if (this.transport.credentials !== void 0) {
       requestInit.credentials = this.transport.credentials;
@@ -220,19 +200,75 @@ var WebHttpClient = class {
       const response = await this.transport.fetch(url, requestInit);
       if (!response.ok) {
         const bodyText = await this.getBodyText(response);
-        throw new HTTPError(
+        const httpError = new HTTPError(
           response.status,
           response.statusText,
           url,
           response.headers,
           bodyText
         );
+        const userAborted = init?.signal?.aborted === true;
+        const hasAuthError = response.headers.get("x-auth-error");
+        const shouldAttemptRefresh = response.status === 401 && this.transport.refreshToken && retryCount < MAX_RETRY_ATTEMPTS && !isStreamBody && // Can't retry with stream bodies
+        !userAborted;
+        if (shouldAttemptRefresh && this.transport.refreshToken) {
+          console.log("[mero-js] 401 received, attempting token refresh...", { hasAuthError });
+          try {
+            let refreshPromise = this.refreshTokenPromise;
+            if (!refreshPromise) {
+              refreshPromise = this.transport.refreshToken();
+              this.refreshTokenPromise = refreshPromise;
+            }
+            const newToken = await refreshPromise;
+            if (!newToken || newToken.trim() === "") {
+              this.refreshTokenPromise = null;
+              this.onTokenRefreshPromise = null;
+              throw new Error("Refresh token returned empty token");
+            }
+            if (!this.transport.onTokenRefresh) {
+              this.refreshTokenPromise = null;
+              this.onTokenRefreshPromise = null;
+              throw new Error(
+                "onTokenRefresh callback is required when refreshToken is provided. The callback must update the token storage so getAuthToken() returns the new token."
+              );
+            }
+            let onTokenRefreshPromise = this.onTokenRefreshPromise;
+            if (!onTokenRefreshPromise) {
+              onTokenRefreshPromise = this.transport.onTokenRefresh(newToken);
+              this.onTokenRefreshPromise = onTokenRefreshPromise;
+            }
+            await onTokenRefreshPromise;
+            this.refreshTokenPromise = null;
+            this.onTokenRefreshPromise = null;
+            const timeoutMs = init?.timeoutMs || this.transport.timeoutMs;
+            if (timeoutMs && requestStartTime !== void 0) {
+              const elapsed = Date.now() - startTime;
+              const remaining = timeoutMs - elapsed;
+              if (remaining <= 0) {
+                throw httpError;
+              }
+            }
+            return this.makeRequest(path, init, retryCount + 1, startTime);
+          } catch (refreshError) {
+            this.refreshTokenPromise = null;
+            this.onTokenRefreshPromise = null;
+            console.log("[mero-js] Token refresh failed:", refreshError);
+            if (refreshError instanceof Error && refreshError.message.includes("onTokenRefresh")) {
+              throw refreshError;
+            }
+            throw httpError;
+          }
+        }
+        throw httpError;
       }
       return this.parseResponse(response, init?.parse);
     } catch (error) {
       if (error instanceof HTTPError) {
         throw error;
       }
+      if (error instanceof Error && error.message.includes("onTokenRefresh")) {
+        throw error;
+      }
       throw new HTTPError(
         0,
         "Network Error",
@@ -256,10 +292,6 @@ var WebHttpClient = class {
     }
   }
   createAbortSignal(init) {
-    const isTauri = typeof window !== "undefined" && "__TAURI_INTERNALS__" in window;
-    if (isTauri) {
-      return void 0;
-    }
     const signals = [];
     if (this.transport.defaultAbortSignal) {
       signals.push(this.transport.defaultAbortSignal);
@@ -338,6 +370,7 @@ function createBrowserHttpClient(options) {
     baseUrl: options.baseUrl,
     getAuthToken: options.getAuthToken,
     onTokenRefresh: options.onTokenRefresh,
+    refreshToken: options.refreshToken,
     defaultHeaders: options.defaultHeaders,
     timeoutMs: options.timeoutMs,
     credentials: options.credentials,
@@ -362,6 +395,7 @@ function createNodeHttpClient(options) {
     baseUrl: options.baseUrl,
     getAuthToken: options.getAuthToken,
     onTokenRefresh: options.onTokenRefresh,
+    refreshToken: options.refreshToken,
     defaultHeaders: options.defaultHeaders,
     timeoutMs: options.timeoutMs,
     credentials: options.credentials,
@@ -437,394 +471,1481 @@ function createRetryableMethod(method, retryOptions = {}) {
   };
 }
 
-// src/auth-api/auth-client.ts
+// src/api/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  AuthApiClient: () => AuthApiClient,
+  createAuthApiClient: () => createAuthApiClient
+});
+
+// src/api/utils.ts
+var ApiResponseError = class extends Error {
+  constructor(error) {
+    super(error.message);
+    this.name = "ApiResponseError";
+    this.type = error.type;
+    this.code = error.code;
+    this.data = error.data;
+  }
+};
+function hasErrorPayload(response) {
+  return typeof response === "object" && response !== null && "error" in response && response.error !== null && response.error !== void 0 && typeof response.error === "object";
+}
+async function unwrap(response) {
+  const result = await response;
+  if (hasErrorPayload(result)) {
+    throw new ApiResponseError(result.error);
+  }
+  if (result.data === null || result.data === void 0) {
+    throw new Error("Response data is null or undefined");
+  }
+  return result.data;
+}
+async function unwrapOrNull(response) {
+  const result = await response;
+  if (hasErrorPayload(result)) {
+    throw new ApiResponseError(result.error);
+  }
+  if (result.data === null || result.data === void 0) {
+    return null;
+  }
+  return result.data;
+}
+
+// src/api/auth/client.ts
 var AuthApiClient = class {
-  constructor(httpClient) {
+  constructor(httpClient, config) {
     this.httpClient = httpClient;
+    this.embedded = config.embedded ?? true;
   }
-  // Health and Status Endpoints
-  async getHealth() {
-    const response = await this.httpClient.get("/auth/health");
-    if (!response.data) {
-      throw new Error("Health response data is null");
+  getAuthPath(path) {
+    if (this.embedded) {
+      return `/auth${path}`;
     }
-    return response.data;
+    return path;
   }
-  async getIdentity() {
-    const response = await this.httpClient.get(
-      "/admin/identity"
-    );
-    if (!response.data) {
-      throw new Error("Identity response data is null");
-    }
-    return response.data;
+  // Public endpoints
+  async getLogin() {
+    return this.httpClient.get(this.getAuthPath("/login"), {
+      parse: "text"
+    });
   }
-  async getProviders() {
-    const response = await this.httpClient.get(
-      "/auth/providers"
+  async getChallenge() {
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/challenge")
+      )
     );
-    if (!response.data) {
-      throw new Error("Providers response data is null");
-    }
-    return response.data;
   }
-  // Authentication Endpoints
-  async getLoginPage() {
-    return this.httpClient.get("/auth/login", { parse: "text" });
-  }
-  async generateTokens(request) {
-    return this.httpClient.post("/auth/token", request);
+  async getToken(request) {
+    return unwrap(
+      this.httpClient.post(
+        this.getAuthPath("/token"),
+        request
+      )
+    );
   }
   async refreshToken(request) {
-    return this.httpClient.post("/auth/refresh", request);
+    return unwrap(
+      this.httpClient.post(
+        this.getAuthPath("/refresh"),
+        request
+      )
+    );
   }
-  async generateMockTokens(request) {
-    return this.httpClient.post("/auth/mock-token", request);
+  async getProviders() {
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/providers")
+      )
+    );
   }
-  async getChallenge() {
-    return this.httpClient.get("/auth/challenge");
+  async getIdentity() {
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/identity")
+      )
+    );
   }
-  async validateToken(token) {
-    try {
-      const response = await this.validateTokenGet(token);
-      return {
-        valid: response.status === 200,
-        headers: response.headers,
-        status: response.status
-      };
-    } catch (error) {
-      return {
-        valid: false,
-        headers: {},
-        status: 401
-      };
+  /**
+   * Validate a JWT token.
+   *
+   * Note: The server returns an empty string "" on success with auth info in headers
+   * (X-Auth-User, X-Auth-Permissions). If no error is thrown, the token is valid.
+   */
+  async validateToken(request) {
+    const response = await this.httpClient.post(this.getAuthPath("/validate"), request);
+    if (response.data === "" || response.data === void 0 || response.data === null) {
+      return { valid: true };
+    }
+    if (typeof response.data === "object" && "valid" in response.data) {
+      return response.data;
     }
+    return { valid: true };
   }
+  /**
+   * Validate a JWT token using GET with Authorization header.
+   *
+   * Note: The server returns an empty string "" on success with auth info in headers
+   * (X-Auth-User, X-Auth-Permissions). If no error is thrown, the token is valid.
+   */
   async validateTokenGet(token) {
-    const response = await this.httpClient.head("/auth/validate", {
-      headers: { Authorization: `Bearer ${token}` }
+    const response = await this.httpClient.get(this.getAuthPath("/validate"), {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
     });
-    return {
-      status: response.status,
-      headers: response.headers
-    };
+    if (response.data === "" || response.data === void 0 || response.data === null) {
+      return { valid: true };
+    }
+    if (typeof response.data === "object" && "valid" in response.data) {
+      return response.data;
+    }
+    return { valid: true };
   }
-  async isAuthed() {
-    return this.httpClient.get("/auth/is-authed");
+  async getHealth() {
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/health")
+      )
+    );
   }
-  // Token Management Endpoints
-  async revokeTokens(request) {
-    return this.httpClient.post("/admin/revoke", request);
+  async getCallback(callbackUrl) {
+    const params = callbackUrl ? `?callback-url=${encodeURIComponent(callbackUrl)}` : "";
+    return this.httpClient.get(
+      this.getAuthPath(`/callback${params}`),
+      {
+        parse: "text"
+      }
+    );
+  }
+  // Protected endpoints (require JWT token)
+  async revokeToken() {
+    return unwrap(
+      this.httpClient.post(
+        this.getAuthPath("/admin/revoke"),
+        {}
+      )
+    );
   }
-  // Key Management Endpoints
   async listRootKeys() {
-    const response = await this.httpClient.get("/admin/keys");
-    if (!response.data) {
-      throw new Error("Root keys response data is null");
-    }
-    return response.data;
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/admin/keys")
+      )
+    );
   }
   async createRootKey(request) {
-    return this.httpClient.post("/admin/keys", request);
+    return unwrap(
+      this.httpClient.post(
+        this.getAuthPath("/admin/keys"),
+        request
+      )
+    );
   }
   async deleteRootKey(keyId) {
-    return this.httpClient.delete(`/admin/keys/${keyId}`);
+    return unwrap(
+      this.httpClient.delete(
+        this.getAuthPath(`/admin/keys/${keyId}`)
+      )
+    );
   }
-  // Client Management Endpoints
   async listClientKeys() {
-    const response = await this.httpClient.get(
-      "/admin/keys/clients"
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/admin/keys/clients")
+      )
     );
-    if (!response.data) {
-      throw new Error("Client keys response data is null");
-    }
-    return response.data;
   }
   async generateClientKey(request) {
-    return this.httpClient.post("/admin/client-key", request);
+    return unwrap(
+      this.httpClient.post(
+        this.getAuthPath("/admin/client-key"),
+        request
+      )
+    );
   }
   async deleteClientKey(keyId, clientId) {
-    return this.httpClient.delete(
-      `/admin/keys/${keyId}/clients/${clientId}`
+    return unwrap(
+      this.httpClient.delete(
+        this.getAuthPath(`/admin/keys/${keyId}/clients/${clientId}`)
+      )
     );
   }
-  // Permission Management Endpoints
   async getKeyPermissions(keyId) {
-    return this.httpClient.get(
-      `/admin/keys/${keyId}/permissions`
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath(`/admin/keys/${keyId}/permissions`)
+      )
+    );
+  }
+  async updateKeyPermissions(keyId, request) {
+    return unwrap(
+      this.httpClient.put(
+        this.getAuthPath(`/admin/keys/${keyId}/permissions`),
+        request
+      )
     );
   }
-  async updateKeyPermissions(keyId, permissions) {
-    return this.httpClient.put(
-      `/admin/keys/${keyId}/permissions`,
-      { permissions }
+  async getProtectedIdentity() {
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/admin/identity")
+      )
+    );
+  }
+  async getMetrics() {
+    return unwrap(
+      this.httpClient.get(
+        this.getAuthPath("/admin/metrics")
+      )
     );
   }
 };
 
-// src/auth-api/auth-factory.ts
-var MockHttpClient = class {
-  async get() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+// src/api/auth/factory.ts
+function createAuthApiClient(httpClient, config) {
+  return new AuthApiClient(httpClient, config);
+}
+
+// src/api/admin/index.ts
+var admin_exports = {};
+__export(admin_exports, {
+  AdminApiClient: () => AdminApiClient,
+  AliasesApiClient: () => AliasesApiClient,
+  ApplicationsApiClient: () => ApplicationsApiClient,
+  BlobsApiClient: () => BlobsApiClient,
+  CapabilitiesApiClient: () => CapabilitiesApiClient,
+  ContextsApiClient: () => ContextsApiClient,
+  IdentityApiClient: () => IdentityApiClient,
+  NetworkApiClient: () => NetworkApiClient,
+  ProposalsApiClient: () => ProposalsApiClient,
+  PublicApiClient: () => PublicApiClient,
+  TeeApiClient: () => TeeApiClient,
+  createAdminApiClient: () => createAdminApiClient
+});
+
+// src/api/admin/public.ts
+var PublicApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  async health() {
+    return unwrap(
+      this.httpClient.get("/admin-api/health")
     );
   }
-  async post() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+  async isAuthed() {
+    return unwrap(
+      this.httpClient.get(
+        "/admin-api/is-authed"
+      )
     );
   }
-  async put() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+  async getCertificate() {
+    return this.httpClient.get("/admin-api/certificate", {
+      parse: "text"
+    });
+  }
+};
+
+// src/api/admin/applications.ts
+var ApplicationsApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  async installApplication(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/install-application",
+        request
+      )
     );
   }
-  async delete() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+  async installDevApplication(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/install-dev-application",
+        request
+      )
     );
   }
-  async patch() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+  async listApplications() {
+    return unwrap(
+      this.httpClient.get(
+        "/admin-api/applications"
+      )
     );
   }
-  async head() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+  async getApplication(applicationId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/applications/${applicationId}`
+      )
     );
   }
-  async request() {
-    throw new Error(
-      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+  async uninstallApplication(applicationId) {
+    return unwrap(
+      this.httpClient.delete(
+        `/admin-api/applications/${applicationId}`
+      )
+    );
+  }
+  async listPackages() {
+    return unwrap(
+      this.httpClient.get(
+        "/admin-api/packages"
+      )
+    );
+  }
+  async listVersions(packageName) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/packages/${packageName}/versions`
+      )
+    );
+  }
+  async getLatestVersion(packageName) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/packages/${packageName}/latest`
+      )
     );
   }
 };
-function createBrowserAuthApiClient(_config) {
-  const httpClient = new MockHttpClient();
-  return new AuthApiClient(httpClient);
-}
-function createNodeAuthApiClient(_config) {
-  const httpClient = new MockHttpClient();
-  return new AuthApiClient(httpClient);
-}
-function createAuthApiClient(_config) {
-  const httpClient = new MockHttpClient();
-  return new AuthApiClient(httpClient);
-}
-function createAuthApiClientFromHttpClient(httpClient, _config) {
-  return new AuthApiClient(httpClient);
-}
 
-// src/admin-api/admin-client.ts
-var AdminApiClient = class {
+// src/api/admin/contexts.ts
+var ContextsApiClient = class {
   constructor(httpClient) {
     this.httpClient = httpClient;
   }
-  // Health and Status Endpoints
-  async healthCheck() {
-    const response = await this.httpClient.get("/health");
-    if (!response.data) {
-      throw new Error("Health response data is null");
-    }
-    return response.data;
+  async listContexts() {
+    return unwrap(
+      this.httpClient.get(
+        "/admin-api/contexts"
+      )
+    );
   }
-  async isAuthed() {
-    return this.httpClient.get("/is-authed");
+  async createContext(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts",
+        request
+      )
+    );
   }
-  // Application Management Endpoints
-  async installApplication(request) {
-    return this.httpClient.post(
-      "/install-application",
-      request
+  async getContext(contextId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}`
+      )
     );
   }
-  async installDevApplication(request) {
-    return this.httpClient.post(
-      "/install-dev-application",
-      request
+  async deleteContext(contextId) {
+    return unwrap(
+      this.httpClient.delete(
+        `/admin-api/contexts/${contextId}`
+      )
     );
   }
-  async uninstallApplication(appId) {
-    return this.httpClient.delete(
-      `/applications/${appId}`
+  async getContextStorage(contextId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/storage`
+      )
     );
   }
-  async listApplications() {
-    return this.httpClient.get("/applications");
+  async getContextIdentities(contextId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/identities`
+      )
+    );
   }
-  async getApplication(appId) {
-    return this.httpClient.get(
-      `/applications/${appId}`
+  async getContextIdentitiesOwned(contextId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/identities-owned`
+      )
     );
   }
-  // Context Management Endpoints
-  async createContext(request) {
-    return this.httpClient.post("/contexts", request);
+  async inviteToContext(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts/invite",
+        request
+      )
+    );
   }
-  async deleteContext(contextId) {
-    return this.httpClient.delete(
-      `/contexts/${contextId}`
+  async inviteToContextOpenInvitation(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts/invite_by_open_invitation",
+        request
+      )
     );
   }
-  async getContexts() {
-    return this.httpClient.get("/contexts");
+  async inviteSpecializedNode(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts/invite-specialized-node",
+        request
+      )
+    );
   }
-  async getContext(contextId) {
-    return this.httpClient.get(`/contexts/${contextId}`);
+  async joinContext(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts/join",
+        request
+      )
+    );
   }
-  // Blob Management Endpoints
-  async uploadBlob(request) {
-    return this.httpClient.post("/blobs", request);
+  async joinContextByOpenInvitation(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts/join_by_open_invitation",
+        request
+      )
+    );
   }
-  async deleteBlob(blobId) {
-    return this.httpClient.delete(`/blobs/${blobId}`);
+  async updateContextApplication(contextId, request) {
+    return unwrap(
+      this.httpClient.put(
+        `/admin-api/contexts/${contextId}/application`,
+        request
+      )
+    );
   }
-  async listBlobs() {
-    return this.httpClient.get("/blobs");
+  async getContextsForApplication(applicationId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/for-application/${applicationId}`
+      )
+    );
   }
-  async getBlob(blobId) {
-    return this.httpClient.get(`/blobs/${blobId}`);
+  async getContextsWithExecutorsForApplication(applicationId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/with-executors/for-application/${applicationId}`
+      )
+    );
   }
-  // Alias Management Endpoints
-  async createAlias(request) {
-    return this.httpClient.post("/alias", request);
+  async getProxyContract(contextId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/proxy-contract`
+      )
+    );
   }
-  async deleteAlias(aliasId) {
-    return this.httpClient.delete(`/alias/${aliasId}`);
+  async syncContext() {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/contexts/sync",
+        {}
+      )
+    );
   }
-  async listAliases() {
-    return this.httpClient.get("/alias");
+  async syncContextById(contextId) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/sync/${contextId}`,
+        {}
+      )
+    );
   }
-  async getAlias(aliasId) {
-    return this.httpClient.get(`/alias/${aliasId}`);
+};
+
+// src/api/admin/proposals.ts
+var ProposalsApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
   }
-  // Network Management Endpoints
-  async getNetworkPeers() {
-    return this.httpClient.get("/network/peers");
+  async getProposals(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/proposals`,
+        request
+      )
+    );
   }
-  async getNetworkStats() {
-    return this.httpClient.get("/network/stats");
+  async getProposal(contextId, proposalId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/proposals/${proposalId}`
+      )
+    );
   }
-  async getNetworkConfig() {
-    return this.httpClient.get("/network/config");
+  async createAndApproveProposal(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/proposals/create-and-approve`,
+        request
+      )
+    );
   }
-  async updateNetworkConfig(request) {
-    return this.httpClient.put(
-      "/network/config",
-      request
+  async approveProposal(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/proposals/approve`,
+        request
+      )
+    );
+  }
+  async getNumberOfActiveProposals(contextId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/proposals/count`
+      )
+    );
+  }
+  async getNumberOfProposalApprovals(contextId, proposalId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/proposals/${proposalId}/approvals/count`
+      )
+    );
+  }
+  async getProposalApprovers(contextId, proposalId) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/contexts/${contextId}/proposals/${proposalId}/approvals/users`
+      )
+    );
+  }
+  async getContextValue(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/proposals/get-context-value`,
+        request
+      )
     );
   }
+  async getContextStorageEntries(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/proposals/context-storage-entries`,
+        request
+      )
+    );
+  }
+};
+
+// src/api/admin/capabilities.ts
+var CapabilitiesApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  async grantPermission(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/capabilities/grant`,
+        request
+      )
+    );
+  }
+  async revokePermission(contextId, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/contexts/${contextId}/capabilities/revoke`,
+        request
+      )
+    );
+  }
+};
+
+// src/api/admin/identity.ts
+var IdentityApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  async generateContextIdentity() {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/identity/context",
+        {}
+      )
+    );
+  }
+};
+
+// src/api/admin/network.ts
+var NetworkApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
   async getPeersCount() {
-    return this.httpClient.get("/network/peers/count");
+    return this.httpClient.get("/admin-api/peers");
   }
-  // System Management Endpoints
-  async getSystemInfo() {
-    return this.httpClient.get("/system/info");
+};
+
+// src/api/admin/blobs.ts
+var BlobsApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
   }
-  async getSystemLogs() {
-    return this.httpClient.get("/system/logs");
+  async uploadBlob(blob) {
+    const response = await unwrap(
+      this.httpClient.request(
+        "/admin-api/blobs",
+        {
+          method: "PUT",
+          body: blob,
+          headers: {
+            "Content-Type": "application/octet-stream"
+          }
+        }
+      )
+    );
+    return {
+      blobId: response.blob_id,
+      size: response.size,
+      hash: response.hash ?? null
+    };
   }
-  async getSystemMetrics() {
-    return this.httpClient.get("/system/metrics");
+  async listBlobs() {
+    const response = await unwrap(
+      this.httpClient.get("/admin-api/blobs")
+    );
+    return {
+      blobs: response.blobs.map((blob) => ({
+        blobId: blob.blob_id,
+        size: blob.size,
+        hash: blob.hash ?? null
+      }))
+    };
   }
-  async restartSystem() {
-    return this.httpClient.post("/system/restart");
+  async getBlob(blobId) {
+    return this.httpClient.get(`/admin-api/blobs/${blobId}`, {
+      parse: "blob"
+    });
   }
-  async shutdownSystem() {
-    return this.httpClient.post("/system/shutdown");
+  async getBlobInfo(blobId) {
+    const response = await this.httpClient.head(`/admin-api/blobs/${blobId}`);
+    return {
+      blobId,
+      size: parseInt(response.headers["content-length"] || "0", 10),
+      hash: response.headers["x-blob-hash"] || null
+    };
+  }
+  async deleteBlob(blobId) {
+    const response = await unwrap(
+      this.httpClient.delete(
+        `/admin-api/blobs/${blobId}`
+      )
+    );
+    return {
+      blobId: response.blob_id || response.blobId || blobId,
+      deleted: response.deleted
+    };
   }
 };
 
-// src/admin-api/admin-factory.ts
-var MockHttpClient2 = class {
-  async get() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+// src/api/admin/aliases.ts
+var AliasesApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  async createContextAlias(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/alias/create/context",
+        request
+      )
     );
   }
-  async post() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+  async createApplicationAlias(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/alias/create/application",
+        request
+      )
     );
   }
-  async put() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+  async createIdentityAlias(context, request) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/create/identity/${context}`,
+        request
+      )
     );
   }
-  async delete() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+  async lookupContextAlias(name) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/lookup/context/${name}`,
+        {}
+      )
     );
   }
-  async patch() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+  async lookupApplicationAlias(name) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/lookup/application/${name}`,
+        {}
+      )
     );
   }
-  async head() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+  async lookupIdentityAlias(context, name) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/lookup/identity/${context}/${name}`,
+        {}
+      )
     );
   }
-  async request() {
-    throw new Error(
-      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+  async listContextAliases() {
+    return unwrap(
+      this.httpClient.get(
+        "/admin-api/alias/list/context"
+      )
+    );
+  }
+  async listApplicationAliases() {
+    return unwrap(
+      this.httpClient.get(
+        "/admin-api/alias/list/application"
+      )
+    );
+  }
+  async listIdentityAliases(context) {
+    return unwrap(
+      this.httpClient.get(
+        `/admin-api/alias/list/identity/${context}`
+      )
+    );
+  }
+  async deleteContextAlias(name) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/delete/context/${name}`,
+        {}
+      )
+    );
+  }
+  async deleteApplicationAlias(name) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/delete/application/${name}`,
+        {}
+      )
+    );
+  }
+  async deleteIdentityAlias(context, name) {
+    return unwrap(
+      this.httpClient.post(
+        `/admin-api/alias/delete/identity/${context}/${name}`,
+        {}
+      )
     );
   }
 };
-function createBrowserAdminApiClient(_config) {
-  const httpClient = new MockHttpClient2();
-  return new AdminApiClient(httpClient);
-}
-function createNodeAdminApiClient(_config) {
-  const httpClient = new MockHttpClient2();
-  return new AdminApiClient(httpClient);
-}
-function createAdminApiClient(_config) {
-  const httpClient = new MockHttpClient2();
-  return new AdminApiClient(httpClient);
-}
-function createAdminApiClientFromHttpClient(httpClient, _config) {
+
+// src/api/admin/tee.ts
+var TeeApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  async getTeeInfo() {
+    return unwrap(
+      this.httpClient.get("/admin-api/tee/info")
+    );
+  }
+  async attestTee(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/tee/attest",
+        request
+      )
+    );
+  }
+  async verifyTeeQuote(request) {
+    return unwrap(
+      this.httpClient.post(
+        "/admin-api/tee/verify-quote",
+        request
+      )
+    );
+  }
+};
+
+// src/api/admin/client.ts
+var AdminApiClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  /** Public endpoints (health checks, etc.) - no authentication required */
+  get public() {
+    if (!this._public) {
+      this._public = new PublicApiClient(this.httpClient);
+    }
+    return this._public;
+  }
+  /** Application management (install, list, uninstall) */
+  get applications() {
+    if (!this._applications) {
+      this._applications = new ApplicationsApiClient(this.httpClient);
+    }
+    return this._applications;
+  }
+  /** Context management (create, list, join, leave) */
+  get contexts() {
+    if (!this._contexts) {
+      this._contexts = new ContextsApiClient(this.httpClient);
+    }
+    return this._contexts;
+  }
+  /** Proposal management for context governance */
+  get proposals() {
+    if (!this._proposals) {
+      this._proposals = new ProposalsApiClient(this.httpClient);
+    }
+    return this._proposals;
+  }
+  /** Capability queries for feature detection */
+  get capabilities() {
+    if (!this._capabilities) {
+      this._capabilities = new CapabilitiesApiClient(this.httpClient);
+    }
+    return this._capabilities;
+  }
+  /** Identity management (key generation, context identities) */
+  get identity() {
+    if (!this._identity) {
+      this._identity = new IdentityApiClient(this.httpClient);
+    }
+    return this._identity;
+  }
+  /** Network and peer management */
+  get network() {
+    if (!this._network) {
+      this._network = new NetworkApiClient(this.httpClient);
+    }
+    return this._network;
+  }
+  /** Blob storage (upload, list, delete binary data) */
+  get blobs() {
+    if (!this._blobs) {
+      this._blobs = new BlobsApiClient(this.httpClient);
+    }
+    return this._blobs;
+  }
+  /** Alias management for human-readable names */
+  get aliases() {
+    if (!this._aliases) {
+      this._aliases = new AliasesApiClient(this.httpClient);
+    }
+    return this._aliases;
+  }
+  /** TEE (Trusted Execution Environment) operations */
+  get tee() {
+    if (!this._tee) {
+      this._tee = new TeeApiClient(this.httpClient);
+    }
+    return this._tee;
+  }
+};
+
+// src/api/admin/factory.ts
+function createAdminApiClient(httpClient) {
   return new AdminApiClient(httpClient);
 }
 
+// src/api/rpc/index.ts
+var rpc_exports = {};
+__export(rpc_exports, {
+  JsonRpcError: () => JsonRpcError,
+  RpcClient: () => RpcClient
+});
+
+// src/api/rpc/client.ts
+var JsonRpcError = class extends Error {
+  constructor(type, data, requestId) {
+    const message = typeof data === "string" ? data : data?.message ? String(data.message) : type;
+    super(message);
+    this.type = type;
+    this.data = data;
+    this.requestId = requestId;
+    this.name = "JsonRpcError";
+  }
+};
+var RpcClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+    this.path = "/jsonrpc";
+  }
+  /**
+   * Generate a random request ID
+   */
+  generateRequestId() {
+    return Math.floor(Math.random() * Math.pow(2, 32));
+  }
+  /**
+   * Execute a method on a context
+   *
+   * @param params - Execution parameters
+   * @returns The execution result
+   * @throws JsonRpcError if execution fails
+   *
+   * @example
+   * ```typescript
+   * // Query (view) operation
+   * const result = await rpc.execute({
+   *   contextId: 'ctx_123',
+   *   method: 'get',
+   *   args: { key: 'myKey' },
+   *   executorPublicKey: 'ed25519:...',
+   * });
+   * console.log(result.output); // "myValue"
+   *
+   * // Mutate operation
+   * await rpc.execute({
+   *   contextId: 'ctx_123',
+   *   method: 'set',
+   *   args: { key: 'myKey', value: 'myValue' },
+   *   executorPublicKey: 'ed25519:...',
+   * });
+   * ```
+   */
+  async execute(params) {
+    const requestId = this.generateRequestId();
+    const request = {
+      jsonrpc: "2.0",
+      id: requestId,
+      method: "execute",
+      params: {
+        contextId: params.contextId,
+        method: params.method,
+        argsJson: params.args,
+        executorPublicKey: params.executorPublicKey,
+        substitute: params.substitute ?? []
+      }
+    };
+    const response = await this.httpClient.post(
+      this.path,
+      request
+    );
+    if (response.id !== requestId) {
+      throw new JsonRpcError(
+        "MismatchedRequestIdError",
+        `Expected request ID ${requestId}, got ${response.id}`,
+        response.id
+      );
+    }
+    if (response.error) {
+      throw new JsonRpcError(
+        response.error.type,
+        response.error.data,
+        response.id
+      );
+    }
+    return response.result ?? { output: null };
+  }
+  /**
+   * Execute a query (view) method - convenience wrapper
+   *
+   * @param contextId - Context ID
+   * @param method - Method name
+   * @param args - Method arguments
+   * @param executorPublicKey - Executor's public key
+   */
+  async query(contextId, method, args, executorPublicKey) {
+    const result = await this.execute({
+      contextId,
+      method,
+      args,
+      executorPublicKey
+    });
+    return result.output;
+  }
+  /**
+   * Execute a mutate method - convenience wrapper
+   *
+   * @param contextId - Context ID
+   * @param method - Method name
+   * @param args - Method arguments
+   * @param executorPublicKey - Executor's public key
+   */
+  async mutate(contextId, method, args, executorPublicKey) {
+    const result = await this.execute({
+      contextId,
+      method,
+      args,
+      executorPublicKey
+    });
+    return result.output;
+  }
+};
+
+// src/api/ws/index.ts
+var ws_exports = {};
+__export(ws_exports, {
+  WebSocketClient: () => WebSocketClient
+});
+
+// src/api/ws/client.ts
+var WebSocketClient = class {
+  constructor(options) {
+    this.ws = null;
+    this.requestId = 0;
+    this.pendingRequests = /* @__PURE__ */ new Map();
+    this.eventHandlers = [];
+    this.errorHandlers = [];
+    this.closeHandlers = [];
+    this.reconnectAttempts = 0;
+    this.subscribedContexts = /* @__PURE__ */ new Set();
+    this.options = {
+      autoReconnect: true,
+      reconnectDelay: 1e3,
+      maxReconnectAttempts: 5,
+      getAuthToken: async () => null,
+      ...options
+    };
+  }
+  /**
+   * Connect to the WebSocket server
+   */
+  async connect() {
+    if (this.ws?.readyState === WebSocket.OPEN) {
+      return;
+    }
+    const wsUrl = this.options.baseUrl.replace(/^http:/, "ws:").replace(/^https:/, "wss:").replace(/\/$/, "") + "/ws";
+    const token = await this.options.getAuthToken();
+    return new Promise((resolve, reject) => {
+      const url = token ? `${wsUrl}?token=${encodeURIComponent(token)}` : wsUrl;
+      this.ws = new WebSocket(url);
+      this.ws.onopen = () => {
+        this.reconnectAttempts = 0;
+        resolve();
+      };
+      this.ws.onerror = (_event) => {
+        const error = new Error("WebSocket error");
+        this.errorHandlers.forEach((h) => h(error));
+        reject(error);
+      };
+      this.ws.onclose = (event) => {
+        this.closeHandlers.forEach((h) => h(event.code, event.reason));
+        this.handleDisconnect();
+      };
+      this.ws.onmessage = (event) => {
+        this.handleMessage(event.data);
+      };
+    });
+  }
+  /**
+   * Disconnect from the WebSocket server
+   */
+  disconnect() {
+    this.options.autoReconnect = false;
+    this.ws?.close();
+    this.ws = null;
+    this.subscribedContexts.clear();
+  }
+  /**
+   * Subscribe to context events
+   */
+  async subscribe(contextIds) {
+    const response = await this.send({
+      id: ++this.requestId,
+      method: "subscribe",
+      params: { contextIds }
+    });
+    if (!response.error) {
+      contextIds.forEach((id) => this.subscribedContexts.add(id));
+    }
+    return response;
+  }
+  /**
+   * Unsubscribe from context events
+   */
+  async unsubscribe(contextIds) {
+    const response = await this.send({
+      id: ++this.requestId,
+      method: "unsubscribe",
+      params: { contextIds }
+    });
+    if (!response.error) {
+      contextIds.forEach((id) => this.subscribedContexts.delete(id));
+    }
+    return response;
+  }
+  /**
+   * Add event handler
+   */
+  onEvent(handler) {
+    this.eventHandlers.push(handler);
+    return () => {
+      this.eventHandlers = this.eventHandlers.filter((h) => h !== handler);
+    };
+  }
+  /**
+   * Add error handler
+   */
+  onError(handler) {
+    this.errorHandlers.push(handler);
+    return () => {
+      this.errorHandlers = this.errorHandlers.filter((h) => h !== handler);
+    };
+  }
+  /**
+   * Add close handler
+   */
+  onClose(handler) {
+    this.closeHandlers.push(handler);
+    return () => {
+      this.closeHandlers = this.closeHandlers.filter((h) => h !== handler);
+    };
+  }
+  /**
+   * Check if connected
+   */
+  isConnected() {
+    return this.ws?.readyState === WebSocket.OPEN;
+  }
+  /**
+   * Get subscribed context IDs
+   */
+  getSubscribedContexts() {
+    return Array.from(this.subscribedContexts);
+  }
+  async send(request) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+      throw new Error("WebSocket not connected");
+    }
+    return new Promise((resolve, reject) => {
+      const id = request.id;
+      if (id !== null) {
+        this.pendingRequests.set(id, { resolve, reject });
+      }
+      this.ws.send(JSON.stringify(request));
+      setTimeout(() => {
+        if (id !== null && this.pendingRequests.has(id)) {
+          this.pendingRequests.delete(id);
+          reject(new Error("WebSocket request timeout"));
+        }
+      }, 3e4);
+    });
+  }
+  handleMessage(data) {
+    try {
+      const message = JSON.parse(data);
+      if (message.id !== void 0 && this.pendingRequests.has(message.id)) {
+        const { resolve } = this.pendingRequests.get(message.id);
+        this.pendingRequests.delete(message.id);
+        resolve(message);
+        return;
+      }
+      const event = {
+        contextId: message.contextId || message.context_id,
+        type: message.type || message.event,
+        data: message.data || message.payload
+      };
+      this.eventHandlers.forEach((h) => h(event));
+    } catch (error) {
+      this.errorHandlers.forEach((h) => h(error instanceof Error ? error : new Error(String(error))));
+    }
+  }
+  handleDisconnect() {
+    if (!this.options.autoReconnect) {
+      return;
+    }
+    if (this.reconnectAttempts >= this.options.maxReconnectAttempts) {
+      this.errorHandlers.forEach((h) => h(new Error("Max reconnect attempts reached")));
+      return;
+    }
+    this.reconnectAttempts++;
+    const delay = this.options.reconnectDelay * Math.pow(2, this.reconnectAttempts - 1);
+    setTimeout(async () => {
+      try {
+        await this.connect();
+        if (this.subscribedContexts.size > 0) {
+          await this.subscribe(Array.from(this.subscribedContexts));
+        }
+      } catch {
+      }
+    }, delay);
+  }
+};
+
+// src/api/sse/index.ts
+var sse_exports = {};
+__export(sse_exports, {
+  SseClient: () => SseClient
+});
+
+// src/api/sse/client.ts
+var SseClient = class {
+  constructor(options) {
+    this.eventSource = null;
+    this.sessionId = null;
+    this.eventHandlers = [];
+    this.errorHandlers = [];
+    this.subscribedContexts = /* @__PURE__ */ new Set();
+    // Track last event ID for reconnection (used for resumable streams)
+    this._lastEventId = null;
+    this.options = {
+      autoReconnect: true,
+      reconnectDelay: 1e3,
+      getAuthToken: async () => null,
+      ...options
+    };
+  }
+  /**
+   * Connect to the SSE stream
+   */
+  async connect() {
+    if (this.eventSource) {
+      throw new Error("Already connected");
+    }
+    const token = await this.options.getAuthToken();
+    let url = `${this.options.baseUrl}/sse`;
+    if (token) {
+      url += `?token=${encodeURIComponent(token)}`;
+    }
+    return new Promise((resolve, reject) => {
+      this.eventSource = new EventSource(url, {
+        withCredentials: true
+      });
+      this.eventSource.addEventListener("connect", (event) => {
+        const messageEvent = event;
+        try {
+          const data = messageEvent.data;
+          this.sessionId = typeof data === "string" && data.startsWith("{") ? JSON.parse(data).session_id || JSON.parse(data).sessionId : data;
+          resolve(this.sessionId);
+        } catch {
+          this.sessionId = messageEvent.data;
+          resolve(this.sessionId);
+        }
+      });
+      this.eventSource.onmessage = (event) => {
+        this._lastEventId = event.lastEventId;
+        try {
+          const data = JSON.parse(event.data);
+          const sseEvent = {
+            id: event.lastEventId,
+            event: "message",
+            data
+          };
+          this.eventHandlers.forEach((h) => h(sseEvent));
+        } catch {
+          const sseEvent = {
+            id: event.lastEventId,
+            event: "message",
+            data: event.data
+          };
+          this.eventHandlers.forEach((h) => h(sseEvent));
+        }
+      };
+      this.eventSource.onerror = (_event) => {
+        const error = new Error("SSE connection error");
+        this.errorHandlers.forEach((h) => h(error));
+        if (this.eventSource?.readyState === EventSource.CLOSED) {
+          this.handleDisconnect();
+          if (!this.sessionId) {
+            reject(error);
+          }
+        }
+      };
+    });
+  }
+  /**
+   * Disconnect from the SSE stream
+   */
+  disconnect() {
+    this.options.autoReconnect = false;
+    this.eventSource?.close();
+    this.eventSource = null;
+    this.sessionId = null;
+    this.subscribedContexts.clear();
+  }
+  /**
+   * Subscribe to context events
+   */
+  async subscribe(contextIds) {
+    if (!this.sessionId) {
+      throw new Error("Not connected");
+    }
+    const request = {
+      id: this.sessionId,
+      method: "subscribe",
+      params: { contextIds }
+    };
+    const response = await this.options.httpClient.post(
+      "/sse/subscription",
+      request
+    );
+    if (!response.error) {
+      contextIds.forEach((id) => this.subscribedContexts.add(id));
+    }
+    return response;
+  }
+  /**
+   * Unsubscribe from context events
+   */
+  async unsubscribe(contextIds) {
+    if (!this.sessionId) {
+      throw new Error("Not connected");
+    }
+    const request = {
+      id: this.sessionId,
+      method: "unsubscribe",
+      params: { contextIds }
+    };
+    const response = await this.options.httpClient.post(
+      "/sse/subscription",
+      request
+    );
+    if (!response.error) {
+      contextIds.forEach((id) => this.subscribedContexts.delete(id));
+    }
+    return response;
+  }
+  /**
+   * Get session information
+   */
+  async getSession() {
+    if (!this.sessionId) {
+      throw new Error("Not connected");
+    }
+    return this.options.httpClient.get(
+      `/sse/session/${this.sessionId}`
+    );
+  }
+  /**
+   * Add event handler
+   */
+  onEvent(handler) {
+    this.eventHandlers.push(handler);
+    return () => {
+      this.eventHandlers = this.eventHandlers.filter((h) => h !== handler);
+    };
+  }
+  /**
+   * Add error handler
+   */
+  onError(handler) {
+    this.errorHandlers.push(handler);
+    return () => {
+      this.errorHandlers = this.errorHandlers.filter((h) => h !== handler);
+    };
+  }
+  /**
+   * Check if connected
+   */
+  isConnected() {
+    return this.eventSource?.readyState === EventSource.OPEN;
+  }
+  /**
+   * Get current session ID
+   */
+  getSessionId() {
+    return this.sessionId;
+  }
+  /**
+   * Get subscribed context IDs
+   */
+  getSubscribedContexts() {
+    return Array.from(this.subscribedContexts);
+  }
+  /**
+   * Get the last event ID (useful for resumable connections)
+   */
+  getLastEventId() {
+    return this._lastEventId;
+  }
+  handleDisconnect() {
+    if (!this.options.autoReconnect) {
+      return;
+    }
+    setTimeout(async () => {
+      try {
+        await this.connect();
+        if (this.subscribedContexts.size > 0) {
+          await this.subscribe(Array.from(this.subscribedContexts));
+        }
+      } catch {
+      }
+    }, this.options.reconnectDelay);
+  }
+};
+
 // src/mero-js.ts
 var MeroJs = class {
   constructor(config) {
     this.tokenData = null;
     this.refreshPromise = null;
+    this.tokenStorage = null;
     this.config = {
       timeoutMs: 1e4,
       ...config
     };
+    this.tokenStorage = config.tokenStorage || null;
     const isTauri = typeof window !== "undefined" && "__TAURI_INTERNALS__" in window;
+    const authBaseUrl = this.config.authBaseUrl ?? this.config.baseUrl;
+    const isEmbedded = authBaseUrl === this.config.baseUrl;
     this.httpClient = createBrowserHttpClient({
       baseUrl: this.config.baseUrl,
       getAuthToken: async () => {
         const token = await this.getValidToken();
         return token?.access_token || "";
       },
+      // Wire up automatic token refresh on 401
+      refreshToken: async () => {
+        const refreshed = await this.performTokenRefresh();
+        return refreshed.access_token;
+      },
+      onTokenRefresh: async (_newToken) => {
+        if (this.tokenData && this.tokenStorage) {
+          await this.tokenStorage.set(this.tokenData);
+        }
+      },
       timeoutMs: this.config.timeoutMs,
       credentials: this.config.requestCredentials ?? (isTauri ? "omit" : void 0)
     });
-    this.authClient = createAuthApiClientFromHttpClient(this.httpClient, {
-      baseUrl: this.config.baseUrl,
+    const authHttpClient = createBrowserHttpClient({
+      baseUrl: authBaseUrl,
       getAuthToken: async () => {
         const token = await this.getValidToken();
         return token?.access_token || "";
       },
-      timeoutMs: this.config.timeoutMs
+      // NO refreshToken callback - auth endpoints handle their own auth
+      // Wiring refreshToken here would cause infinite loops when refresh fails
+      timeoutMs: this.config.timeoutMs,
+      credentials: this.config.requestCredentials ?? (isTauri ? "omit" : void 0)
     });
-    this.adminClient = createAdminApiClientFromHttpClient(this.httpClient, {
-      baseUrl: this.config.baseUrl,
-      getAuthToken: async () => {
-        const token = await this.getValidToken();
-        return token?.access_token || "";
-      },
-      timeoutMs: this.config.timeoutMs
+    this.authClient = createAuthApiClient(authHttpClient, {
+      baseUrl: authBaseUrl,
+      embedded: isEmbedded
     });
+    this.adminClient = createAdminApiClient(this.httpClient);
+    this.rpcClient = new RpcClient(this.httpClient);
+  }
+  /**
+   * Initialize the SDK by loading tokens from storage (if provided).
+   * Call this after construction if using tokenStorage.
+   * 
+   * @example
+   * ```typescript
+   * const mero = new MeroJs({ baseUrl: '...', tokenStorage: myStorage });
+   * await mero.init(); // Load stored tokens
+   * 
+   * if (!mero.isAuthenticated()) {
+   *   await mero.authenticate({ username: '...', password: '...' });
+   * }
+   * ```
+   */
+  async init() {
+    console.log("[mero-js] init() called, tokenStorage:", this.tokenStorage ? "EXISTS" : "NULL");
+    if (this.tokenStorage) {
+      const storedToken = await this.tokenStorage.get();
+      console.log("[mero-js] init() storedToken:", storedToken ? "LOADED" : "NULL");
+      if (storedToken) {
+        this.tokenData = storedToken;
+        console.log("[mero-js] init() tokenData set, expires_at:", storedToken.expires_at);
+      }
+    } else {
+      console.log("[mero-js] init() no tokenStorage configured");
+    }
   }
   /**
    * Get the Auth API client
@@ -838,6 +1959,39 @@ var MeroJs = class {
   get admin() {
     return this.adminClient;
   }
+  /**
+   * Get the RPC client for executing queries and mutations
+   *
+   * @example
+   * ```typescript
+   * // Execute a query
+   * const result = await meroJs.rpc.query(
+   *   'context-id',
+   *   'get',
+   *   { key: 'myKey' },
+   *   'ed25519:executor-public-key'
+   * );
+   *
+   * // Execute a mutation
+   * await meroJs.rpc.mutate(
+   *   'context-id',
+   *   'set',
+   *   { key: 'myKey', value: 'myValue' },
+   *   'ed25519:executor-public-key'
+   * );
+   *
+   * // Or use the generic execute method
+   * const result = await meroJs.rpc.execute({
+   *   contextId: 'context-id',
+   *   method: 'set',
+   *   args: { key: 'myKey', value: 'myValue' },
+   *   executorPublicKey: 'ed25519:...',
+   * });
+   * ```
+   */
+  get rpc() {
+    return this.rpcClient;
+  }
   /**
    * Authenticate with the provided credentials
    * This will create the root key on first use
@@ -859,44 +2013,82 @@ var MeroJs = class {
           password: creds.password
         }
       };
-      const response = await this.authClient.generateTokens(requestBody);
+      const response = await this.authClient.getToken(requestBody);
+      let expiresAt;
+      try {
+        const payload = JSON.parse(atob(response.access_token.split(".")[1]));
+        expiresAt = payload.exp * 1e3;
+        console.log("[mero-js] Extracted exp from JWT:", payload.exp, "-> expires_at:", expiresAt);
+      } catch (e) {
+        expiresAt = Date.now() + (response.expires_in || 3600) * 1e3;
+        console.warn("[mero-js] Failed to parse JWT, using expires_in fallback:", expiresAt);
+      }
       this.tokenData = {
-        access_token: response.data.access_token,
-        refresh_token: response.data.refresh_token,
-        expires_at: Date.now() + 24 * 60 * 60 * 1e3
-        // Default to 24 hours
+        access_token: response.access_token,
+        refresh_token: response.refresh_token,
+        expires_at: expiresAt
       };
+      if (this.tokenStorage) {
+        await this.tokenStorage.set(this.tokenData);
+      }
       return this.tokenData;
     } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown error";
+      const httpStatus = error && typeof error === "object" && "status" in error ? `HTTP ${String(error.status)}` : "";
+      const httpStatusText = error && typeof error === "object" && "statusText" in error ? ` ${String(error.statusText)}` : "";
+      const bodyText = error && typeof error === "object" && "bodyText" in error ? `: ${String(error.bodyText)}` : "";
       throw new Error(
-        `Authentication failed: ${error instanceof Error ? error.message : "Unknown error"}`
+        `Authentication failed: ${httpStatus}${httpStatusText}${bodyText || errorMessage}`
       );
     }
   }
   /**
-   * Get a valid token, refreshing if necessary
+   * Get a valid token, refreshing if necessary.
+   * This is called automatically by the HTTP client.
+   * 
+   * Note: The HTTP client also handles 401 errors with automatic refresh,
+   * so this preemptive check is an optimization to avoid unnecessary 401s.
    */
   async getValidToken() {
+    console.log("[mero-js] getValidToken called, tokenData:", this.tokenData ? "EXISTS" : "NULL");
     if (!this.tokenData) {
+      console.log("[mero-js] No tokenData, returning null");
       return null;
     }
-    const bufferTime = 5 * 60 * 1e3;
-    if (Date.now() >= this.tokenData.expires_at - bufferTime) {
+    const now = Date.now();
+    const expiresAt = this.tokenData.expires_at;
+    const isExpired = now >= expiresAt;
+    console.log("[mero-js] Token check: now=", now, "expires_at=", expiresAt, "isExpired=", isExpired);
+    if (isExpired) {
+      console.log("[mero-js] Token expired, attempting preemptive refresh");
       return await this.refreshToken();
     }
+    console.log("[mero-js] Token valid, returning tokenData");
     return this.tokenData;
   }
   /**
-   * Refresh the access token using the refresh token
+   * Refresh the access token using the refresh token.
+   * Called automatically when token is about to expire or on 401.
+   * 
+   * @deprecated Use performTokenRefresh instead - this is kept for compatibility
    */
   async refreshToken() {
-    if (!this.tokenData?.refresh_token) {
-      throw new Error("No refresh token available");
-    }
+    return this.performTokenRefresh();
+  }
+  /**
+   * Perform the actual token refresh.
+   * This is used by both preemptive refresh and HTTP client's 401 handler.
+   * 
+   * Uses a shared promise to prevent multiple simultaneous refresh attempts,
+   * even when called from multiple sources (preemptive check, HTTP 401 handler, etc.)
+   */
+  async performTokenRefresh() {
     if (this.refreshPromise) {
+      console.log("[mero-js] Refresh already in progress, waiting for existing promise");
       return this.refreshPromise;
     }
-    this.refreshPromise = this.performTokenRefresh();
+    console.log("[mero-js] Starting new refresh attempt");
+    this.refreshPromise = this.doTokenRefresh();
     try {
       const newToken = await this.refreshPromise;
       return newToken;
@@ -905,36 +2097,87 @@ var MeroJs = class {
     }
   }
   /**
-   * Perform the actual token refresh
+   * Internal: Actually perform the refresh request.
+   * Called only from performTokenRefresh() which manages the deduplication.
    */
-  async performTokenRefresh() {
+  async doTokenRefresh() {
+    console.log("[mero-js doTokenRefresh] STARTING refresh...");
+    console.log("[mero-js doTokenRefresh] tokenData exists:", !!this.tokenData);
+    console.log("[mero-js doTokenRefresh] access_token exists:", !!this.tokenData?.access_token);
+    console.log("[mero-js doTokenRefresh] refresh_token exists:", !!this.tokenData?.refresh_token);
     if (!this.tokenData?.refresh_token) {
       throw new Error("No refresh token available");
     }
+    if (!this.tokenData?.access_token) {
+      throw new Error("No access token available for refresh (server requires both tokens)");
+    }
     try {
-      const response = await this.authClient.refreshToken({
+      const refreshPayload = {
         access_token: this.tokenData.access_token,
         refresh_token: this.tokenData.refresh_token
-      });
+      };
+      console.log("[mero-js doTokenRefresh] Payload keys:", Object.keys(refreshPayload));
+      console.log("[mero-js doTokenRefresh] access_token length:", refreshPayload.access_token?.length);
+      console.log("[mero-js doTokenRefresh] refresh_token length:", refreshPayload.refresh_token?.length);
+      const response = await this.authClient.refreshToken(refreshPayload);
+      let expiresAt;
+      try {
+        const payload = JSON.parse(atob(response.access_token.split(".")[1]));
+        expiresAt = payload.exp * 1e3;
+        console.log("[mero-js] Extracted exp from JWT:", payload.exp, "-> expires_at:", expiresAt);
+      } catch (e) {
+        expiresAt = Date.now() + (response.expires_in || 3600) * 1e3;
+        console.warn("[mero-js] Failed to parse JWT, using expires_in fallback:", expiresAt);
+      }
       this.tokenData = {
-        access_token: response.data.access_token,
-        refresh_token: response.data.refresh_token,
-        expires_at: Date.now() + 24 * 60 * 60 * 1e3
-        // Default to 24 hours
+        access_token: response.access_token,
+        refresh_token: response.refresh_token,
+        expires_at: expiresAt
       };
+      if (this.tokenStorage) {
+        await this.tokenStorage.set(this.tokenData);
+      }
       return this.tokenData;
     } catch (error) {
-      this.clearToken();
+      console.error("[mero-js] Token refresh failed:", error);
+      const httpError = error;
+      const status = httpError?.status;
+      const errorBody = httpError?.body || httpError?.message || "";
+      if (status) {
+        console.error("[mero-js] Refresh error status:", status);
+        console.error("[mero-js] Refresh error body:", errorBody);
+      }
+      if (errorBody.includes("still valid") || errorBody.includes("token valid")) {
+        console.warn("[mero-js] Server says token is still valid - NOT clearing tokens");
+        console.warn("[mero-js] This usually means the 401 came from a different issue (wrong endpoint, missing header, etc.)");
+        const tokenValidError = new Error("Token is valid but request failed. Check Authorization header.");
+        tokenValidError.tokenStillValid = true;
+        throw tokenValidError;
+      }
+      if (status && status >= 400 && status < 500) {
+        console.warn("[mero-js] Refresh failed with 4XX - clearing tokens, user must re-authenticate");
+        await this.clearToken();
+        throw new Error(`Session expired. Please log in again. (${status})`);
+      }
+      if (status && status >= 500) {
+        console.warn("[mero-js] Refresh failed with 5XX - server error, keeping tokens");
+        throw new Error(`Server error during refresh. Please try again later. (${status})`);
+      }
+      console.warn("[mero-js] Refresh failed with unknown error - clearing tokens");
+      await this.clearToken();
       throw new Error(
         `Token refresh failed: ${error instanceof Error ? error.message : "Unknown error"}`
       );
     }
   }
   /**
-   * Clear the current token
+   * Clear the current token from memory and storage
    */
-  clearToken() {
+  async clearToken() {
     this.tokenData = null;
+    if (this.tokenStorage) {
+      await this.tokenStorage.clear();
+    }
   }
   /**
    * Check if the SDK is authenticated
@@ -948,32 +2191,123 @@ var MeroJs = class {
   getTokenData() {
     return this.tokenData;
   }
+  /**
+   * Manually set the token data.
+   * Use this when handling authentication externally (e.g., OAuth flows).
+   * 
+   * @param tokenData - The token data to set, or null to clear
+   * @example
+   * ```typescript
+   * // After receiving tokens from external auth flow
+   * await meroJs.setToken({
+   *   access_token: 'eyJ...',
+   *   refresh_token: 'eyJ...',
+   *   expires_at: Date.now() + 3600000,
+   * });
+   * ```
+   */
+  async setToken(tokenData) {
+    this.tokenData = tokenData;
+    if (this.tokenStorage) {
+      if (tokenData) {
+        await this.tokenStorage.set(tokenData);
+      } else {
+        await this.tokenStorage.clear();
+      }
+    }
+  }
+  /**
+   * Create a WebSocket client for real-time event subscriptions
+   *
+   * @param options - Optional WebSocket client options to override defaults
+   * @returns A new WebSocketClient instance
+   *
+   * @example
+   * ```typescript
+   * const ws = meroJs.createWebSocket();
+   * await ws.connect();
+   *
+   * ws.onEvent((event) => {
+   *   console.log('Received event:', event);
+   * });
+   *
+   * await ws.subscribe(['context-id-1', 'context-id-2']);
+   *
+   * // Later...
+   * ws.disconnect();
+   * ```
+   */
+  createWebSocket(options) {
+    return new WebSocketClient({
+      baseUrl: this.config.baseUrl,
+      getAuthToken: async () => this.tokenData?.access_token || null,
+      ...options
+    });
+  }
+  /**
+   * Create an SSE client for server-sent event streaming
+   *
+   * @param options - Optional SSE client options to override defaults
+   * @returns A new SseClient instance
+   *
+   * @example
+   * ```typescript
+   * const sse = meroJs.createSse();
+   * const sessionId = await sse.connect();
+   *
+   * sse.onEvent((event) => {
+   *   console.log('Received event:', event);
+   * });
+   *
+   * await sse.subscribe(['context-id-1', 'context-id-2']);
+   *
+   * // Get session info
+   * const session = await sse.getSession();
+   *
+   * // Later...
+   * sse.disconnect();
+   * ```
+   */
+  createSse(options) {
+    return new SseClient({
+      baseUrl: this.config.baseUrl,
+      httpClient: this.httpClient,
+      getAuthToken: async () => this.tokenData?.access_token || null,
+      ...options
+    });
+  }
 };
 function createMeroJs(config) {
   return new MeroJs(config);
 }
 export {
+  admin_exports as AdminApi,
   AdminApiClient,
+  ApiResponseError,
+  auth_exports as AuthApi,
   AuthApiClient,
   HTTPError,
+  JsonRpcError,
   MeroJs,
+  rpc_exports as RpcApi,
+  RpcClient,
+  sse_exports as SseApi,
+  SseClient,
   WebHttpClient,
+  WebSocketClient,
+  ws_exports as WsApi,
   combineSignals,
   createAdminApiClient,
-  createAdminApiClientFromHttpClient,
   createAuthApiClient,
-  createAuthApiClientFromHttpClient,
-  createBrowserAdminApiClient,
-  createBrowserAuthApiClient,
   createBrowserHttpClient,
   createHttpClient,
   createMeroJs,
-  createNodeAdminApiClient,
-  createNodeAuthApiClient,
   createNodeHttpClient,
   createRetryableMethod,
   createTimeoutSignal,
   createUniversalHttpClient,
+  unwrap,
+  unwrapOrNull,
   withRetry
 };
 //# sourceMappingURL=index.mjs.map