@calimero-network/mero-js 2.0.0-beta.1 → 2.0.1

package/dist/index.mjs

@@ -1,9 +1,3 @@
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
 // src/http-client/signal-utils.ts
 function combineSignals(signals) {
   const list = signals.filter(Boolean);
@@ -77,15 +71,10 @@ var WebHttpClient = class {
     return this.request(path, { ...init, method: "GET" });
   }
   async post(path, body, init) {
-    const jsonBody = body ? JSON.stringify(body) : void 0;
-    if (path.includes("/refresh")) {
-      console.log("[HTTP POST /refresh] Body being sent:", jsonBody);
-      console.log("[HTTP POST /refresh] Body type:", typeof body, body ? Object.keys(body) : "undefined");
-    }
     return this.request(path, {
       ...init,
       method: "POST",
-      body: jsonBody,
+      body: body ? JSON.stringify(body) : void 0,
       headers: {
         "Content-Type": "application/json",
         ...init?.headers
@@ -208,11 +197,7 @@ var WebHttpClient = class {
           bodyText
         );
         const userAborted = init?.signal?.aborted === true;
-        const hasAuthError = response.headers.get("x-auth-error");
-        const shouldAttemptRefresh = response.status === 401 && this.transport.refreshToken && retryCount < MAX_RETRY_ATTEMPTS && !isStreamBody && // Can't retry with stream bodies
-        !userAborted;
-        if (shouldAttemptRefresh && this.transport.refreshToken) {
-          console.log("[mero-js] 401 received, attempting token refresh...", { hasAuthError });
+        if (response.status === 401 && this.transport.refreshToken && response.headers.get("x-auth-error") === "token_expired" && retryCount < MAX_RETRY_ATTEMPTS && !isStreamBody && !userAborted) {
           try {
             let refreshPromise = this.refreshTokenPromise;
             if (!refreshPromise) {
@@ -252,7 +237,6 @@ var WebHttpClient = class {
           } catch (refreshError) {
             this.refreshTokenPromise = null;
             this.onTokenRefreshPromise = null;
-            console.log("[mero-js] Token refresh failed:", refreshError);
             if (refreshError instanceof Error && refreshError.message.includes("onTokenRefresh")) {
               throw refreshError;
             }
@@ -471,1481 +455,1161 @@ function createRetryableMethod(method, retryOptions = {}) {
   };
 }
 
-// src/api/auth/index.ts
-var auth_exports = {};
-__export(auth_exports, {
-  AuthApiClient: () => AuthApiClient,
-  createAuthApiClient: () => createAuthApiClient
-});
-
-// src/api/utils.ts
-var ApiResponseError = class extends Error {
-  constructor(error) {
-    super(error.message);
-    this.name = "ApiResponseError";
-    this.type = error.type;
-    this.code = error.code;
-    this.data = error.data;
-  }
-};
-function hasErrorPayload(response) {
-  return typeof response === "object" && response !== null && "error" in response && response.error !== null && response.error !== void 0 && typeof response.error === "object";
-}
-async function unwrap(response) {
-  const result = await response;
-  if (hasErrorPayload(result)) {
-    throw new ApiResponseError(result.error);
-  }
-  if (result.data === null || result.data === void 0) {
-    throw new Error("Response data is null or undefined");
-  }
-  return result.data;
-}
-async function unwrapOrNull(response) {
-  const result = await response;
-  if (hasErrorPayload(result)) {
-    throw new ApiResponseError(result.error);
-  }
-  if (result.data === null || result.data === void 0) {
-    return null;
-  }
-  return result.data;
-}
-
-// src/api/auth/client.ts
+// src/auth-api/auth-client.ts
 var AuthApiClient = class {
-  constructor(httpClient, config) {
+  constructor(httpClient) {
     this.httpClient = httpClient;
-    this.embedded = config.embedded ?? true;
   }
-  getAuthPath(path) {
-    if (this.embedded) {
-      return `/auth${path}`;
+  // Health and Status Endpoints
+  async getHealth() {
+    const response = await this.httpClient.get("/auth/health");
+    if (!response.data) {
+      throw new Error("Health response data is null");
     }
-    return path;
-  }
-  // Public endpoints
-  async getLogin() {
-    return this.httpClient.get(this.getAuthPath("/login"), {
-      parse: "text"
-    });
+    return response.data;
   }
-  async getChallenge() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/challenge")
-      )
+  async getIdentity() {
+    const response = await this.httpClient.get(
+      "/admin/identity"
     );
+    if (!response.data) {
+      throw new Error("Identity response data is null");
+    }
+    return response.data;
   }
-  async getToken(request) {
-    return unwrap(
-      this.httpClient.post(
-        this.getAuthPath("/token"),
-        request
-      )
+  async getProviders() {
+    const response = await this.httpClient.get(
+      "/auth/providers"
     );
+    if (!response.data) {
+      throw new Error("Providers response data is null");
+    }
+    return response.data;
+  }
+  // Authentication Endpoints
+  async getLoginPage() {
+    return this.httpClient.get("/auth/login", { parse: "text" });
+  }
+  async generateTokens(request) {
+    return this.httpClient.post("/auth/token", request);
   }
   async refreshToken(request) {
-    return unwrap(
-      this.httpClient.post(
-        this.getAuthPath("/refresh"),
-        request
-      )
-    );
+    return this.httpClient.post("/auth/refresh", request);
   }
-  async getProviders() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/providers")
-      )
-    );
+  async generateMockTokens(request) {
+    return this.httpClient.post("/auth/mock-token", request);
   }
-  async getIdentity() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/identity")
-      )
-    );
+  async getChallenge() {
+    return this.httpClient.get("/auth/challenge");
   }
-  /**
-   * Validate a JWT token.
-   *
-   * Note: The server returns an empty string "" on success with auth info in headers
-   * (X-Auth-User, X-Auth-Permissions). If no error is thrown, the token is valid.
-   */
-  async validateToken(request) {
-    const response = await this.httpClient.post(this.getAuthPath("/validate"), request);
-    if (response.data === "" || response.data === void 0 || response.data === null) {
-      return { valid: true };
-    }
-    if (typeof response.data === "object" && "valid" in response.data) {
-      return response.data;
+  async validateToken(token) {
+    try {
+      const response = await this.validateTokenGet(token);
+      return {
+        valid: response.status === 200,
+        headers: response.headers,
+        status: response.status
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        headers: {},
+        status: 401
+      };
     }
-    return { valid: true };
   }
-  /**
-   * Validate a JWT token using GET with Authorization header.
-   *
-   * Note: The server returns an empty string "" on success with auth info in headers
-   * (X-Auth-User, X-Auth-Permissions). If no error is thrown, the token is valid.
-   */
   async validateTokenGet(token) {
-    const response = await this.httpClient.get(this.getAuthPath("/validate"), {
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
+    const response = await this.httpClient.head("/auth/validate", {
+      headers: { Authorization: `Bearer ${token}` }
     });
-    if (response.data === "" || response.data === void 0 || response.data === null) {
-      return { valid: true };
-    }
-    if (typeof response.data === "object" && "valid" in response.data) {
-      return response.data;
-    }
-    return { valid: true };
-  }
-  async getHealth() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/health")
-      )
-    );
+    return {
+      status: response.status,
+      headers: response.headers
+    };
   }
-  async getCallback(callbackUrl) {
-    const params = callbackUrl ? `?callback-url=${encodeURIComponent(callbackUrl)}` : "";
-    return this.httpClient.get(
-      this.getAuthPath(`/callback${params}`),
-      {
-        parse: "text"
-      }
-    );
+  async isAuthed() {
+    return this.httpClient.get("/auth/is-authed");
   }
-  // Protected endpoints (require JWT token)
-  async revokeToken() {
-    return unwrap(
-      this.httpClient.post(
-        this.getAuthPath("/admin/revoke"),
-        {}
-      )
-    );
+  // Token Management Endpoints
+  async revokeTokens(request) {
+    return this.httpClient.post("/admin/revoke", request);
   }
+  // Key Management Endpoints
   async listRootKeys() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/admin/keys")
-      )
-    );
+    const response = await this.httpClient.get("/admin/keys");
+    if (!response.data) {
+      throw new Error("Root keys response data is null");
+    }
+    return response.data;
   }
   async createRootKey(request) {
-    return unwrap(
-      this.httpClient.post(
-        this.getAuthPath("/admin/keys"),
-        request
-      )
-    );
+    return this.httpClient.post("/admin/keys", request);
   }
   async deleteRootKey(keyId) {
-    return unwrap(
-      this.httpClient.delete(
-        this.getAuthPath(`/admin/keys/${keyId}`)
-      )
-    );
+    return this.httpClient.delete(`/admin/keys/${keyId}`);
   }
+  // Client Management Endpoints
   async listClientKeys() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/admin/keys/clients")
-      )
+    const response = await this.httpClient.get(
+      "/admin/keys/clients"
     );
+    if (!response.data) {
+      throw new Error("Client keys response data is null");
+    }
+    return response.data;
   }
   async generateClientKey(request) {
-    return unwrap(
-      this.httpClient.post(
-        this.getAuthPath("/admin/client-key"),
-        request
-      )
-    );
+    return this.httpClient.post("/admin/client-key", request);
   }
   async deleteClientKey(keyId, clientId) {
-    return unwrap(
-      this.httpClient.delete(
-        this.getAuthPath(`/admin/keys/${keyId}/clients/${clientId}`)
-      )
+    return this.httpClient.delete(
+      `/admin/keys/${keyId}/clients/${clientId}`
     );
   }
+  // Permission Management Endpoints
   async getKeyPermissions(keyId) {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath(`/admin/keys/${keyId}/permissions`)
-      )
+    return this.httpClient.get(
+      `/admin/keys/${keyId}/permissions`
     );
   }
-  async updateKeyPermissions(keyId, request) {
-    return unwrap(
-      this.httpClient.put(
-        this.getAuthPath(`/admin/keys/${keyId}/permissions`),
-        request
-      )
+  async updateKeyPermissions(keyId, permissions) {
+    return this.httpClient.put(
+      `/admin/keys/${keyId}/permissions`,
+      { permissions }
     );
   }
-  async getProtectedIdentity() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/admin/identity")
-      )
+};
+
+// src/auth-api/auth-factory.ts
+var MockHttpClient = class {
+  async get() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
     );
   }
-  async getMetrics() {
-    return unwrap(
-      this.httpClient.get(
-        this.getAuthPath("/admin/metrics")
-      )
+  async post() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
     );
   }
-};
-
-// src/api/auth/factory.ts
-function createAuthApiClient(httpClient, config) {
-  return new AuthApiClient(httpClient, config);
-}
-
-// src/api/admin/index.ts
-var admin_exports = {};
-__export(admin_exports, {
-  AdminApiClient: () => AdminApiClient,
-  AliasesApiClient: () => AliasesApiClient,
-  ApplicationsApiClient: () => ApplicationsApiClient,
-  BlobsApiClient: () => BlobsApiClient,
-  CapabilitiesApiClient: () => CapabilitiesApiClient,
-  ContextsApiClient: () => ContextsApiClient,
-  IdentityApiClient: () => IdentityApiClient,
-  NetworkApiClient: () => NetworkApiClient,
-  ProposalsApiClient: () => ProposalsApiClient,
-  PublicApiClient: () => PublicApiClient,
-  TeeApiClient: () => TeeApiClient,
-  createAdminApiClient: () => createAdminApiClient
-});
-
-// src/api/admin/public.ts
-var PublicApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
+  async put() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+    );
   }
-  async health() {
-    return unwrap(
-      this.httpClient.get("/admin-api/health")
+  async delete() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
     );
   }
-  async isAuthed() {
-    return unwrap(
-      this.httpClient.get(
-        "/admin-api/is-authed"
-      )
+  async patch() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
     );
   }
-  async getCertificate() {
-    return this.httpClient.get("/admin-api/certificate", {
-      parse: "text"
-    });
+  async head() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+    );
+  }
+  async request() {
+    throw new Error(
+      "HTTP client not implemented - use createAuthApiClientFromHttpClient with a real HTTP client"
+    );
   }
 };
+function createBrowserAuthApiClient(_config) {
+  const httpClient = new MockHttpClient();
+  return new AuthApiClient(httpClient);
+}
+function createNodeAuthApiClient(_config) {
+  const httpClient = new MockHttpClient();
+  return new AuthApiClient(httpClient);
+}
+function createAuthApiClient(_config) {
+  const httpClient = new MockHttpClient();
+  return new AuthApiClient(httpClient);
+}
+function createAuthApiClientFromHttpClient(httpClient, _config) {
+  return new AuthApiClient(httpClient);
+}
 
-// src/api/admin/applications.ts
-var ApplicationsApiClient = class {
+// src/admin-api/admin-client.ts
+function unwrap(response) {
+  return response.data;
+}
+var AdminApiClient = class {
   constructor(httpClient) {
     this.httpClient = httpClient;
   }
+  // ---- Health and Status (public, no auth) ----
+  async healthCheck() {
+    return unwrap(await this.httpClient.get("/admin-api/health"));
+  }
+  async isAuthed() {
+    return this.httpClient.get("/admin-api/is-authed");
+  }
+  // ---- Application Management ----
   async installApplication(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/install-application",
-        request
-      )
-    );
+    return unwrap(await this.httpClient.post("/admin-api/install-application", request));
   }
   async installDevApplication(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/install-dev-application",
-        request
-      )
-    );
+    return unwrap(await this.httpClient.post("/admin-api/install-dev-application", request));
   }
-  async listApplications() {
-    return unwrap(
-      this.httpClient.get(
-        "/admin-api/applications"
-      )
-    );
+  async uninstallApplication(appId) {
+    return unwrap(await this.httpClient.delete(`/admin-api/applications/${appId}`));
   }
-  async getApplication(applicationId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/applications/${applicationId}`
-      )
-    );
+  async listApplications() {
+    return unwrap(await this.httpClient.get("/admin-api/applications"));
   }
-  async uninstallApplication(applicationId) {
-    return unwrap(
-      this.httpClient.delete(
-        `/admin-api/applications/${applicationId}`
-      )
-    );
+  async getApplication(appId) {
+    return unwrap(await this.httpClient.get(`/admin-api/applications/${appId}`));
   }
+  // ---- Package Management ----
   async listPackages() {
-    return unwrap(
-      this.httpClient.get(
-        "/admin-api/packages"
-      )
-    );
-  }
-  async listVersions(packageName) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/packages/${packageName}/versions`
-      )
-    );
+    return unwrap(await this.httpClient.get("/admin-api/packages"));
   }
-  async getLatestVersion(packageName) {
+  async listPackageVersions(packageName) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/packages/${packageName}/latest`
+      await this.httpClient.get(
+        `/admin-api/packages/${encodeURIComponent(packageName)}/versions`
       )
     );
   }
-};
-
-// src/api/admin/contexts.ts
-var ContextsApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
-  }
-  async listContexts() {
-    return unwrap(
-      this.httpClient.get(
-        "/admin-api/contexts"
-      )
+  async getLatestPackageVersion(packageName) {
+    return this.httpClient.get(
+      `/admin-api/packages/${encodeURIComponent(packageName)}/latest`
     );
   }
+  // ---- Context Management ----
   async createContext(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/contexts",
-        request
-      )
-    );
+    return unwrap(await this.httpClient.post("/admin-api/contexts", request));
+  }
+  async deleteContext(contextId, request) {
+    if (request) {
+      return unwrap(
+        await this.httpClient.request(`/admin-api/contexts/${contextId}`, {
+          method: "DELETE",
+          body: JSON.stringify(request),
+          headers: { "Content-Type": "application/json" }
+        })
+      );
+    }
+    return unwrap(await this.httpClient.delete(`/admin-api/contexts/${contextId}`));
+  }
+  async getContexts() {
+    return unwrap(await this.httpClient.get("/admin-api/contexts"));
   }
   async getContext(contextId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}`
-      )
-    );
+    return unwrap(await this.httpClient.get(`/admin-api/contexts/${contextId}`));
   }
-  async deleteContext(contextId) {
-    return unwrap(
-      this.httpClient.delete(
-        `/admin-api/contexts/${contextId}`
-      )
-    );
+  async getContextsForApplication(applicationId) {
+    return unwrap(await this.httpClient.get(`/admin-api/contexts/for-application/${applicationId}`));
   }
-  async getContextStorage(contextId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/storage`
-      )
-    );
+  // ---- Context Identity ----
+  async generateContextIdentity() {
+    return unwrap(await this.httpClient.post("/admin-api/identity/context", {}));
   }
   async getContextIdentities(contextId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/identities`
-      )
-    );
+    return unwrap(await this.httpClient.get(`/admin-api/contexts/${contextId}/identities`));
   }
   async getContextIdentitiesOwned(contextId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/identities-owned`
-      )
-    );
+    return unwrap(await this.httpClient.get(`/admin-api/contexts/${contextId}/identities-owned`));
   }
-  async inviteToContext(request) {
+  // ---- Context join (group membership) ----
+  async joinContext(contextId) {
     return unwrap(
-      this.httpClient.post(
-        "/admin-api/contexts/invite",
-        request
-      )
+      await this.httpClient.post(`/admin-api/contexts/${contextId}/join`, {})
     );
   }
-  async inviteToContextOpenInvitation(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/contexts/invite_by_open_invitation",
-        request
-      )
-    );
+  // ---- Context group / storage / sync ----
+  async getContextGroup(contextId) {
+    return unwrap(await this.httpClient.get(`/admin-api/contexts/${contextId}/group`));
+  }
+  async getContextStorage(contextId) {
+    return unwrap(await this.httpClient.get(`/admin-api/contexts/${contextId}/storage`));
+  }
+  async syncContext(contextId) {
+    await this.httpClient.post(`/admin-api/contexts/sync/${contextId ?? ""}`, {});
   }
   async inviteSpecializedNode(request) {
     return unwrap(
-      this.httpClient.post(
+      await this.httpClient.post(
         "/admin-api/contexts/invite-specialized-node",
         request
       )
     );
   }
-  async joinContext(request) {
+  async updateContextApplication(contextId, request) {
+    await this.httpClient.post(`/admin-api/contexts/${contextId}/application`, request);
+  }
+  async getContextsWithExecutorsForApplication(applicationId) {
     return unwrap(
-      this.httpClient.post(
-        "/admin-api/contexts/join",
-        request
+      await this.httpClient.get(
+        `/admin-api/contexts/with-executors/for-application/${applicationId}`
       )
     );
   }
-  async joinContextByOpenInvitation(request) {
+  // ---- Blob Management ----
+  async uploadBlob(data) {
+    return unwrap(await this.httpClient.put("/admin-api/blobs", data));
+  }
+  async deleteBlob(blobId) {
+    return unwrap(await this.httpClient.delete(`/admin-api/blobs/${blobId}`));
+  }
+  async listBlobs() {
+    return unwrap(await this.httpClient.get("/admin-api/blobs"));
+  }
+  async getBlob(blobId) {
+    return unwrap(await this.httpClient.get(`/admin-api/blobs/${blobId}`));
+  }
+  // ---- Alias Management ----
+  async createContextAlias(request) {
+    return unwrap(await this.httpClient.post("/admin-api/alias/create/context", request));
+  }
+  async createApplicationAlias(request) {
+    return unwrap(await this.httpClient.post("/admin-api/alias/create/application", request));
+  }
+  async lookupContextAlias(name) {
     return unwrap(
-      this.httpClient.post(
-        "/admin-api/contexts/join_by_open_invitation",
-        request
+      await this.httpClient.post(
+        `/admin-api/alias/lookup/context/${encodeURIComponent(name)}`,
+        {}
       )
     );
   }
-  async updateContextApplication(contextId, request) {
+  async lookupApplicationAlias(name) {
     return unwrap(
-      this.httpClient.put(
-        `/admin-api/contexts/${contextId}/application`,
-        request
+      await this.httpClient.post(
+        `/admin-api/alias/lookup/application/${encodeURIComponent(name)}`,
+        {}
       )
     );
   }
-  async getContextsForApplication(applicationId) {
+  async deleteContextAlias(name) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/for-application/${applicationId}`
+      await this.httpClient.post(
+        `/admin-api/alias/delete/context/${encodeURIComponent(name)}`,
+        {}
       )
     );
   }
-  async getContextsWithExecutorsForApplication(applicationId) {
+  async deleteApplicationAlias(name) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/with-executors/for-application/${applicationId}`
+      await this.httpClient.post(
+        `/admin-api/alias/delete/application/${encodeURIComponent(name)}`,
+        {}
       )
     );
   }
-  async getProxyContract(contextId) {
+  async listContextAliases() {
+    return unwrap(await this.httpClient.get("/admin-api/alias/list/context"));
+  }
+  async listApplicationAliases() {
+    return unwrap(await this.httpClient.get("/admin-api/alias/list/application"));
+  }
+  // ---- Context Identity Aliases ----
+  async listContextIdentityAliases(contextId) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/proxy-contract`
+      await this.httpClient.get(
+        `/admin-api/alias/list/identity/${contextId}`
       )
     );
   }
-  async syncContext() {
+  async createContextIdentityAlias(contextId, request) {
     return unwrap(
-      this.httpClient.post(
-        "/admin-api/contexts/sync",
-        {}
+      await this.httpClient.post(
+        `/admin-api/alias/create/identity/${contextId}`,
+        request
       )
     );
   }
-  async syncContextById(contextId) {
+  async lookupContextIdentityAlias(contextId, name) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/sync/${contextId}`,
+      await this.httpClient.post(
+        `/admin-api/alias/lookup/identity/${contextId}/${encodeURIComponent(name)}`,
         {}
       )
     );
   }
-};
-
-// src/api/admin/proposals.ts
-var ProposalsApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
-  }
-  async getProposals(contextId, request) {
+  async deleteContextIdentityAlias(contextId, name) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/proposals`,
-        request
+      await this.httpClient.post(
+        `/admin-api/alias/delete/identity/${contextId}/${encodeURIComponent(name)}`,
+        {}
       )
     );
   }
-  async getProposal(contextId, proposalId) {
+  // ---- Namespace Management ----
+  async listNamespaces() {
+    return unwrap(await this.httpClient.get("/admin-api/namespaces"));
+  }
+  async getNamespace(namespaceId) {
+    return unwrap(await this.httpClient.get(`/admin-api/namespaces/${namespaceId}`));
+  }
+  async getNamespaceIdentity(namespaceId) {
+    return unwrap(await this.httpClient.get(`/admin-api/namespaces/${namespaceId}/identity`));
+  }
+  async listNamespacesForApplication(applicationId) {
+    return unwrap(await this.httpClient.get(`/admin-api/namespaces/for-application/${applicationId}`));
+  }
+  async createNamespace(request) {
+    return unwrap(await this.httpClient.post("/admin-api/namespaces", request));
+  }
+  async deleteNamespace(namespaceId, request) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/proposals/${proposalId}`
-      )
+      await this.httpClient.request(`/admin-api/namespaces/${namespaceId}`, {
+        method: "DELETE",
+        body: request ? JSON.stringify(request) : void 0,
+        headers: request ? { "Content-Type": "application/json" } : void 0
+      })
     );
   }
-  async createAndApproveProposal(contextId, request) {
+  async createNamespaceInvitation(namespaceId, request) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/proposals/create-and-approve`,
-        request
+      await this.httpClient.post(
+        `/admin-api/namespaces/${namespaceId}/invite`,
+        request ?? {}
       )
     );
   }
-  async approveProposal(contextId, request) {
+  async joinNamespace(namespaceId, request) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/proposals/approve`,
-        request
+      await this.httpClient.post(
+        `/admin-api/namespaces/${namespaceId}/join`,
+        request,
+        { timeoutMs: 65e3 }
       )
     );
   }
-  async getNumberOfActiveProposals(contextId) {
+  async createGroupInNamespace(namespaceId, request) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/proposals/count`
+      await this.httpClient.post(
+        `/admin-api/namespaces/${namespaceId}/groups`,
+        request ?? {}
       )
     );
   }
-  async getNumberOfProposalApprovals(contextId, proposalId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/proposals/${proposalId}/approvals/count`
-      )
-    );
+  async listNamespaceGroups(namespaceId) {
+    return unwrap(await this.httpClient.get(`/admin-api/namespaces/${namespaceId}/groups`));
   }
-  async getProposalApprovers(contextId, proposalId) {
-    return unwrap(
-      this.httpClient.get(
-        `/admin-api/contexts/${contextId}/proposals/${proposalId}/approvals/users`
-      )
-    );
+  // ---- Group Management ----
+  async getGroupInfo(groupId) {
+    return unwrap(await this.httpClient.get(`/admin-api/groups/${groupId}`));
   }
-  async getContextValue(contextId, request) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/proposals/get-context-value`,
-        request
-      )
-    );
+  async deleteGroup(groupId, request) {
+    if (request) {
+      return unwrap(
+        await this.httpClient.request(`/admin-api/groups/${groupId}`, {
+          method: "DELETE",
+          body: JSON.stringify(request),
+          headers: { "Content-Type": "application/json" }
+        })
+      );
+    }
+    return unwrap(await this.httpClient.delete(`/admin-api/groups/${groupId}`));
   }
-  async getContextStorageEntries(contextId, request) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/proposals/context-storage-entries`,
-        request
-      )
+  async listGroupMembers(groupId) {
+    const response = await this.httpClient.get(
+      `/admin-api/groups/${groupId}/members`
     );
+    if (!Array.isArray(response?.members)) {
+      const safeId = String(groupId).replace(/[\r\n\t\s]/g, "").slice(0, 64);
+      throw new Error(
+        `Invalid listGroupMembers response for group ${safeId}: missing or non-array \`members\` field`
+      );
+    }
+    return response;
   }
-};
-
-// src/api/admin/capabilities.ts
-var CapabilitiesApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
+  async listGroupContexts(groupId) {
+    return unwrap(await this.httpClient.get(`/admin-api/groups/${groupId}/contexts`));
   }
-  async grantPermission(contextId, request) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/capabilities/grant`,
-        request
-      )
-    );
+  async addGroupMembers(groupId, request) {
+    await this.httpClient.post(`/admin-api/groups/${groupId}/members`, request);
   }
-  async revokePermission(contextId, request) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/contexts/${contextId}/capabilities/revoke`,
-        request
-      )
-    );
+  async removeGroupMembers(groupId, request) {
+    await this.httpClient.post(`/admin-api/groups/${groupId}/members/remove`, request);
   }
-};
-
-// src/api/admin/identity.ts
-var IdentityApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
+  async updateMemberRole(groupId, identity, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/members/${identity}/role`, request);
   }
-  async generateContextIdentity() {
+  async getMemberCapabilities(groupId, identity) {
     return unwrap(
-      this.httpClient.post(
-        "/admin-api/identity/context",
-        {}
+      await this.httpClient.get(
+        `/admin-api/groups/${groupId}/members/${identity}/capabilities`
       )
     );
   }
-};
-
-// src/api/admin/network.ts
-var NetworkApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
+  async setMemberCapabilities(groupId, identity, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/members/${identity}/capabilities`, request);
   }
-  async getPeersCount() {
-    return this.httpClient.get("/admin-api/peers");
+  async setDefaultCapabilities(groupId, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/settings/default-capabilities`, request);
   }
-};
-
-// src/api/admin/blobs.ts
-var BlobsApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
+  async setSubgroupVisibility(groupId, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/settings/subgroup-visibility`, request);
   }
-  async uploadBlob(blob) {
-    const response = await unwrap(
-      this.httpClient.request(
-        "/admin-api/blobs",
-        {
-          method: "PUT",
-          body: blob,
-          headers: {
-            "Content-Type": "application/octet-stream"
-          }
-        }
-      )
-    );
-    return {
-      blobId: response.blob_id,
-      size: response.size,
-      hash: response.hash ?? null
-    };
+  async setTeeAdmissionPolicy(groupId, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/settings/tee-admission-policy`, request);
   }
-  async listBlobs() {
-    const response = await unwrap(
-      this.httpClient.get("/admin-api/blobs")
-    );
-    return {
-      blobs: response.blobs.map((blob) => ({
-        blobId: blob.blob_id,
-        size: blob.size,
-        hash: blob.hash ?? null
-      }))
-    };
+  async updateGroupSettings(groupId, request) {
+    await this.httpClient.patch(`/admin-api/groups/${groupId}`, request);
   }
-  async getBlob(blobId) {
-    return this.httpClient.get(`/admin-api/blobs/${blobId}`, {
-      parse: "blob"
-    });
+  async setGroupAlias(groupId, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/alias`, request);
   }
-  async getBlobInfo(blobId) {
-    const response = await this.httpClient.head(`/admin-api/blobs/${blobId}`);
-    return {
-      blobId,
-      size: parseInt(response.headers["content-length"] || "0", 10),
-      hash: response.headers["x-blob-hash"] || null
-    };
+  async setMemberAlias(groupId, identity, request) {
+    await this.httpClient.put(`/admin-api/groups/${groupId}/members/${identity}/alias`, request);
   }
-  async deleteBlob(blobId) {
-    const response = await unwrap(
-      this.httpClient.delete(
-        `/admin-api/blobs/${blobId}`
-      )
-    );
-    return {
-      blobId: response.blob_id || response.blobId || blobId,
-      deleted: response.deleted
-    };
+  async syncGroup(groupId, request) {
+    return unwrap(await this.httpClient.post(`/admin-api/groups/${groupId}/sync`, request ?? {}));
   }
-};
-
-// src/api/admin/aliases.ts
-var AliasesApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
-  }
-  async createContextAlias(request) {
+  async registerGroupSigningKey(groupId, request) {
     return unwrap(
-      this.httpClient.post(
-        "/admin-api/alias/create/context",
+      await this.httpClient.post(
+        `/admin-api/groups/${groupId}/signing-key`,
         request
       )
     );
   }
-  async createApplicationAlias(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/alias/create/application",
-        request
-      )
-    );
+  async upgradeGroup(groupId, request) {
+    return unwrap(await this.httpClient.post(`/admin-api/groups/${groupId}/upgrade`, request));
   }
-  async createIdentityAlias(context, request) {
+  async getGroupUpgradeStatus(groupId) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/create/identity/${context}`,
-        request
-      )
+      await this.httpClient.get(`/admin-api/groups/${groupId}/upgrade/status`)
     );
   }
-  async lookupContextAlias(name) {
+  async retryGroupUpgrade(groupId, request) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/lookup/context/${name}`,
-        {}
+      await this.httpClient.post(
+        `/admin-api/groups/${groupId}/upgrade/retry`,
+        request ?? {}
       )
     );
   }
-  async lookupApplicationAlias(name) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/lookup/application/${name}`,
-        {}
-      )
-    );
+  async nestGroup(parentGroupId, request) {
+    await this.httpClient.post(`/admin-api/groups/${parentGroupId}/nest`, request);
   }
-  async lookupIdentityAlias(context, name) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/lookup/identity/${context}/${name}`,
-        {}
-      )
-    );
+  async unnestGroup(parentGroupId, request) {
+    await this.httpClient.post(`/admin-api/groups/${parentGroupId}/unnest`, request);
   }
-  async listContextAliases() {
-    return unwrap(
-      this.httpClient.get(
-        "/admin-api/alias/list/context"
-      )
-    );
+  async listSubgroups(groupId) {
+    return unwrap(await this.httpClient.get(`/admin-api/groups/${groupId}/subgroups`));
   }
-  async listApplicationAliases() {
-    return unwrap(
-      this.httpClient.get(
-        "/admin-api/alias/list/application"
-      )
-    );
+  async detachContextFromGroup(groupId, contextId, request) {
+    await this.httpClient.post(`/admin-api/groups/${groupId}/contexts/${contextId}/remove`, request ?? {});
   }
-  async listIdentityAliases(context) {
+  // ---- Group Invitation & Join ----
+  async createGroupInvitation(groupId, request) {
     return unwrap(
-      this.httpClient.get(
-        `/admin-api/alias/list/identity/${context}`
+      await this.httpClient.post(
+        `/admin-api/groups/${groupId}/invite`,
+        request ?? {}
       )
     );
   }
-  async deleteContextAlias(name) {
+  async joinGroup(request) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/delete/context/${name}`,
-        {}
-      )
+      await this.httpClient.post("/admin-api/groups/join", request)
     );
   }
-  async deleteApplicationAlias(name) {
-    return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/delete/application/${name}`,
-        {}
-      )
-    );
+  // ---- TEE ----
+  async getTeeInfo() {
+    return unwrap(await this.httpClient.get("/admin-api/tee/info"));
   }
-  async deleteIdentityAlias(context, name) {
+  async teeAttest(request) {
+    return unwrap(await this.httpClient.post("/admin-api/tee/attest", request));
+  }
+  async teeVerifyQuote(request) {
     return unwrap(
-      this.httpClient.post(
-        `/admin-api/alias/delete/identity/${context}/${name}`,
-        {}
-      )
+      await this.httpClient.post("/admin-api/tee/verify-quote", request)
     );
   }
+  // ---- Network ----
+  async getPeersCount() {
+    return this.httpClient.get("/admin-api/peers");
+  }
 };
 
-// src/api/admin/tee.ts
-var TeeApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
-  }
-  async getTeeInfo() {
-    return unwrap(
-      this.httpClient.get("/admin-api/tee/info")
+// src/admin-api/admin-factory.ts
+var MockHttpClient2 = class {
+  async get() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
     );
   }
-  async attestTee(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/tee/attest",
-        request
-      )
+  async post() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
     );
   }
-  async verifyTeeQuote(request) {
-    return unwrap(
-      this.httpClient.post(
-        "/admin-api/tee/verify-quote",
-        request
-      )
+  async put() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
     );
   }
-};
-
-// src/api/admin/client.ts
-var AdminApiClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
-  }
-  /** Public endpoints (health checks, etc.) - no authentication required */
-  get public() {
-    if (!this._public) {
-      this._public = new PublicApiClient(this.httpClient);
-    }
-    return this._public;
-  }
-  /** Application management (install, list, uninstall) */
-  get applications() {
-    if (!this._applications) {
-      this._applications = new ApplicationsApiClient(this.httpClient);
-    }
-    return this._applications;
-  }
-  /** Context management (create, list, join, leave) */
-  get contexts() {
-    if (!this._contexts) {
-      this._contexts = new ContextsApiClient(this.httpClient);
-    }
-    return this._contexts;
+  async delete() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+    );
   }
-  /** Proposal management for context governance */
-  get proposals() {
-    if (!this._proposals) {
-      this._proposals = new ProposalsApiClient(this.httpClient);
-    }
-    return this._proposals;
+  async patch() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+    );
   }
-  /** Capability queries for feature detection */
-  get capabilities() {
-    if (!this._capabilities) {
-      this._capabilities = new CapabilitiesApiClient(this.httpClient);
-    }
-    return this._capabilities;
+  async head() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+    );
   }
-  /** Identity management (key generation, context identities) */
-  get identity() {
-    if (!this._identity) {
-      this._identity = new IdentityApiClient(this.httpClient);
-    }
-    return this._identity;
+  async request() {
+    throw new Error(
+      "HTTP client not implemented - use createAdminApiClientFromHttpClient with a real HTTP client"
+    );
   }
-  /** Network and peer management */
-  get network() {
-    if (!this._network) {
-      this._network = new NetworkApiClient(this.httpClient);
-    }
-    return this._network;
+};
+function createBrowserAdminApiClient(_config) {
+  const httpClient = new MockHttpClient2();
+  return new AdminApiClient(httpClient);
+}
+function createNodeAdminApiClient(_config) {
+  const httpClient = new MockHttpClient2();
+  return new AdminApiClient(httpClient);
+}
+function createAdminApiClient(_config) {
+  const httpClient = new MockHttpClient2();
+  return new AdminApiClient(httpClient);
+}
+function createAdminApiClientFromHttpClient(httpClient, _config) {
+  return new AdminApiClient(httpClient);
+}
+
+// src/auth/index.ts
+function parseAuthCallback(url) {
+  try {
+    const hashIndex = url.indexOf("#");
+    if (hashIndex === -1) return null;
+    const hash = url.substring(hashIndex + 1);
+    const params = new URLSearchParams(hash);
+    const accessToken = params.get("access_token");
+    if (!accessToken) return null;
+    return {
+      accessToken,
+      refreshToken: params.get("refresh_token") ?? "",
+      applicationId: params.get("application_id") ?? "",
+      contextId: params.get("context_id") ?? "",
+      contextIdentity: params.get("context_identity") ?? "",
+      nodeUrl: params.get("node_url") ?? ""
+    };
+  } catch {
+    return null;
   }
-  /** Blob storage (upload, list, delete binary data) */
-  get blobs() {
-    if (!this._blobs) {
-      this._blobs = new BlobsApiClient(this.httpClient);
-    }
-    return this._blobs;
+}
+function buildAuthLoginUrl(nodeUrl, opts) {
+  const params = new URLSearchParams();
+  params.set("callback-url", opts.callbackUrl);
+  if (opts.permissions && opts.permissions.length > 0) {
+    params.set("permissions", opts.permissions.join(","));
   }
-  /** Alias management for human-readable names */
-  get aliases() {
-    if (!this._aliases) {
-      this._aliases = new AliasesApiClient(this.httpClient);
+  params.set("mode", opts.mode);
+  if (opts.packageName) {
+    params.set("package-name", opts.packageName);
+    if (opts.packageVersion) {
+      params.set("package-version", opts.packageVersion);
     }
-    return this._aliases;
-  }
-  /** TEE (Trusted Execution Environment) operations */
-  get tee() {
-    if (!this._tee) {
-      this._tee = new TeeApiClient(this.httpClient);
+    if (opts.registryUrl) {
+      params.set("registry-url", opts.registryUrl);
     }
-    return this._tee;
   }
-};
-
-// src/api/admin/factory.ts
-function createAdminApiClient(httpClient) {
-  return new AdminApiClient(httpClient);
+  const base = nodeUrl.replace(/\/+$/, "");
+  return `${base}/auth/login?${params.toString()}`;
 }
 
-// src/api/rpc/index.ts
-var rpc_exports = {};
-__export(rpc_exports, {
-  JsonRpcError: () => JsonRpcError,
-  RpcClient: () => RpcClient
-});
-
-// src/api/rpc/client.ts
-var JsonRpcError = class extends Error {
-  constructor(type, data, requestId) {
-    const message = typeof data === "string" ? data : data?.message ? String(data.message) : type;
+// src/rpc/index.ts
+var RpcError = class extends Error {
+  constructor(code, message, data, type) {
     super(message);
-    this.type = type;
+    this.name = "RpcError";
+    this.code = code;
     this.data = data;
-    this.requestId = requestId;
-    this.name = "JsonRpcError";
+    this.type = type;
   }
 };
 var RpcClient = class {
-  constructor(httpClient) {
-    this.httpClient = httpClient;
-    this.path = "/jsonrpc";
+  constructor(opts) {
+    this.httpClient = opts.httpClient;
   }
-  /**
-   * Generate a random request ID
-   */
-  generateRequestId() {
-    return Math.floor(Math.random() * Math.pow(2, 32));
-  }
-  /**
-   * Execute a method on a context
-   *
-   * @param params - Execution parameters
-   * @returns The execution result
-   * @throws JsonRpcError if execution fails
-   *
-   * @example
-   * ```typescript
-   * // Query (view) operation
-   * const result = await rpc.execute({
-   *   contextId: 'ctx_123',
-   *   method: 'get',
-   *   args: { key: 'myKey' },
-   *   executorPublicKey: 'ed25519:...',
-   * });
-   * console.log(result.output); // "myValue"
-   *
-   * // Mutate operation
-   * await rpc.execute({
-   *   contextId: 'ctx_123',
-   *   method: 'set',
-   *   args: { key: 'myKey', value: 'myValue' },
-   *   executorPublicKey: 'ed25519:...',
-   * });
-   * ```
-   */
   async execute(params) {
-    const requestId = this.generateRequestId();
-    const request = {
+    const body = {
       jsonrpc: "2.0",
-      id: requestId,
+      id: 1,
       method: "execute",
       params: {
         contextId: params.contextId,
         method: params.method,
-        argsJson: params.args,
-        executorPublicKey: params.executorPublicKey,
-        substitute: params.substitute ?? []
+        argsJson: params.argsJson ?? {}
       }
     };
     const response = await this.httpClient.post(
-      this.path,
-      request
+      "/jsonrpc",
+      body
     );
-    if (response.id !== requestId) {
-      throw new JsonRpcError(
-        "MismatchedRequestIdError",
-        `Expected request ID ${requestId}, got ${response.id}`,
-        response.id
-      );
-    }
     if (response.error) {
-      throw new JsonRpcError(
-        response.error.type,
-        response.error.data,
-        response.id
-      );
+      const err = response.error;
+      const code = err.code ?? -1;
+      const message = err.message ?? err.type ?? "RPC error";
+      throw new RpcError(code, message, err.data, err.type);
     }
-    return response.result ?? { output: null };
-  }
-  /**
-   * Execute a query (view) method - convenience wrapper
-   *
-   * @param contextId - Context ID
-   * @param method - Method name
-   * @param args - Method arguments
-   * @param executorPublicKey - Executor's public key
-   */
-  async query(contextId, method, args, executorPublicKey) {
-    const result = await this.execute({
-      contextId,
-      method,
-      args,
-      executorPublicKey
-    });
-    return result.output;
-  }
-  /**
-   * Execute a mutate method - convenience wrapper
-   *
-   * @param contextId - Context ID
-   * @param method - Method name
-   * @param args - Method arguments
-   * @param executorPublicKey - Executor's public key
-   */
-  async mutate(contextId, method, args, executorPublicKey) {
-    const result = await this.execute({
-      contextId,
-      method,
-      args,
-      executorPublicKey
-    });
-    return result.output;
+    if (response.result && "output" in response.result) {
+      return response.result.output;
+    }
+    return response.result;
   }
 };
 
-// src/api/ws/index.ts
-var ws_exports = {};
-__export(ws_exports, {
-  WebSocketClient: () => WebSocketClient
-});
-
-// src/api/ws/client.ts
-var WebSocketClient = class {
-  constructor(options) {
-    this.ws = null;
-    this.requestId = 0;
-    this.pendingRequests = /* @__PURE__ */ new Map();
-    this.eventHandlers = [];
-    this.errorHandlers = [];
-    this.closeHandlers = [];
-    this.reconnectAttempts = 0;
-    this.subscribedContexts = /* @__PURE__ */ new Set();
-    this.options = {
-      autoReconnect: true,
-      reconnectDelay: 1e3,
-      maxReconnectAttempts: 5,
-      getAuthToken: async () => null,
-      ...options
-    };
+// src/events/sse.ts
+var SseClient = class {
+  constructor(opts) {
+    this.sessionId = null;
+    this.abortController = null;
+    this.reconnectTimer = null;
+    this.subscribedContextIds = /* @__PURE__ */ new Set();
+    this.closed = false;
+    this.listeners = { connect: [], event: [], error: [] };
+    this.baseUrl = opts.baseUrl.replace(/\/+$/, "");
+    this.getAuthToken = opts.getAuthToken;
+    this.reconnectDelayMs = opts.reconnectDelayMs ?? 3e3;
+  }
+  on(event, handler) {
+    const key = event;
+    if (key in this.listeners) {
+      const arr = this.listeners[key];
+      if (!arr.includes(handler)) arr.push(handler);
+    }
+  }
+  off(event, handler) {
+    const key = event;
+    if (key in this.listeners) {
+      const arr = this.listeners[key];
+      const idx = arr.indexOf(handler);
+      if (idx !== -1) arr.splice(idx, 1);
+    }
+  }
+  emit(event, arg) {
+    const key = event;
+    if (key in this.listeners) {
+      for (const handler of this.listeners[key]) {
+        try {
+          handler(arg);
+        } catch {
+        }
+      }
+    }
   }
-  /**
-   * Connect to the WebSocket server
-   */
   async connect() {
-    if (this.ws?.readyState === WebSocket.OPEN) {
+    if (this.abortController && !this.closed) {
       return;
     }
-    const wsUrl = this.options.baseUrl.replace(/^http:/, "ws:").replace(/^https:/, "wss:").replace(/\/$/, "") + "/ws";
-    const token = await this.options.getAuthToken();
-    return new Promise((resolve, reject) => {
-      const url = token ? `${wsUrl}?token=${encodeURIComponent(token)}` : wsUrl;
-      this.ws = new WebSocket(url);
-      this.ws.onopen = () => {
-        this.reconnectAttempts = 0;
-        resolve();
-      };
-      this.ws.onerror = (_event) => {
-        const error = new Error("WebSocket error");
-        this.errorHandlers.forEach((h) => h(error));
-        reject(error);
-      };
-      this.ws.onclose = (event) => {
-        this.closeHandlers.forEach((h) => h(event.code, event.reason));
-        this.handleDisconnect();
-      };
-      this.ws.onmessage = (event) => {
-        this.handleMessage(event.data);
-      };
-    });
-  }
-  /**
-   * Disconnect from the WebSocket server
-   */
-  disconnect() {
-    this.options.autoReconnect = false;
-    this.ws?.close();
-    this.ws = null;
-    this.subscribedContexts.clear();
-  }
-  /**
-   * Subscribe to context events
-   */
-  async subscribe(contextIds) {
-    const response = await this.send({
-      id: ++this.requestId,
-      method: "subscribe",
-      params: { contextIds }
-    });
-    if (!response.error) {
-      contextIds.forEach((id) => this.subscribedContexts.add(id));
-    }
-    return response;
-  }
-  /**
-   * Unsubscribe from context events
-   */
-  async unsubscribe(contextIds) {
-    const response = await this.send({
-      id: ++this.requestId,
-      method: "unsubscribe",
-      params: { contextIds }
-    });
-    if (!response.error) {
-      contextIds.forEach((id) => this.subscribedContexts.delete(id));
+    this.closed = false;
+    this.abortController = new AbortController();
+    try {
+      const token = await this.getAuthToken();
+      const response = await fetch(`${this.baseUrl}/sse`, {
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Accept": "text/event-stream"
+        },
+        signal: this.abortController.signal
+      });
+      if (!response.ok) {
+        throw new Error(`SSE connection failed: ${response.status}`);
+      }
+      if (!response.body) {
+        throw new Error("SSE response has no body");
+      }
+      this.readStream(response.body).catch((err) => {
+        if (this.closed) return;
+        const error = err instanceof Error ? err : new Error(String(err));
+        this.emit("error", error);
+        this.scheduleReconnect();
+      });
+    } catch (err) {
+      if (this.closed) return;
+      const error = err instanceof Error ? err : new Error(String(err));
+      this.emit("error", error);
+      this.scheduleReconnect();
     }
-    return response;
-  }
-  /**
-   * Add event handler
-   */
-  onEvent(handler) {
-    this.eventHandlers.push(handler);
-    return () => {
-      this.eventHandlers = this.eventHandlers.filter((h) => h !== handler);
-    };
-  }
-  /**
-   * Add error handler
-   */
-  onError(handler) {
-    this.errorHandlers.push(handler);
-    return () => {
-      this.errorHandlers = this.errorHandlers.filter((h) => h !== handler);
-    };
-  }
-  /**
-   * Add close handler
-   */
-  onClose(handler) {
-    this.closeHandlers.push(handler);
-    return () => {
-      this.closeHandlers = this.closeHandlers.filter((h) => h !== handler);
-    };
-  }
-  /**
-   * Check if connected
-   */
-  isConnected() {
-    return this.ws?.readyState === WebSocket.OPEN;
-  }
-  /**
-   * Get subscribed context IDs
-   */
-  getSubscribedContexts() {
-    return Array.from(this.subscribedContexts);
   }
-  async send(request) {
-    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
-      throw new Error("WebSocket not connected");
-    }
-    return new Promise((resolve, reject) => {
-      const id = request.id;
-      if (id !== null) {
-        this.pendingRequests.set(id, { resolve, reject });
+  async readStream(body) {
+    const reader = body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    try {
+      for (; ; ) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        buffer += decoder.decode(value, { stream: true });
+        const lines = buffer.split("\n");
+        buffer = lines.pop() ?? "";
+        for (const line of lines) {
+          if (line.startsWith("data:")) {
+            const jsonStr = line.slice(5).trim();
+            if (jsonStr) {
+              this.handleMessage(jsonStr);
+            }
+          }
+        }
       }
-      this.ws.send(JSON.stringify(request));
-      setTimeout(() => {
-        if (id !== null && this.pendingRequests.has(id)) {
-          this.pendingRequests.delete(id);
-          reject(new Error("WebSocket request timeout"));
+      buffer += decoder.decode();
+      if (buffer.startsWith("data:")) {
+        const jsonStr = buffer.slice(5).trim();
+        if (jsonStr) {
+          this.handleMessage(jsonStr);
         }
-      }, 3e4);
-    });
+      }
+    } catch (err) {
+      if (this.closed) return;
+      const error = err instanceof Error ? err : new Error(String(err));
+      this.emit("error", error);
+    }
+    if (!this.closed) {
+      this.scheduleReconnect();
+    }
   }
-  handleMessage(data) {
+  handleMessage(jsonStr) {
     try {
-      const message = JSON.parse(data);
-      if (message.id !== void 0 && this.pendingRequests.has(message.id)) {
-        const { resolve } = this.pendingRequests.get(message.id);
-        this.pendingRequests.delete(message.id);
-        resolve(message);
+      const msg = JSON.parse(jsonStr);
+      if (msg.type === "connect" && msg.session_id) {
+        this.sessionId = msg.session_id;
+        this.emit("connect", msg.session_id);
+        if (this.subscribedContextIds.size > 0) {
+          this.sendSubscription("subscribe", [...this.subscribedContextIds]);
+        }
         return;
       }
-      const event = {
-        contextId: message.contextId || message.context_id,
-        type: message.type || message.event,
-        data: message.data || message.payload
-      };
-      this.eventHandlers.forEach((h) => h(event));
-    } catch (error) {
-      this.errorHandlers.forEach((h) => h(error instanceof Error ? error : new Error(String(error))));
+      if (msg.result && msg.result.contextId) {
+        let eventData = msg.result.data;
+        if (Array.isArray(eventData)) {
+          try {
+            const bytes = new Uint8Array(eventData);
+            const text = new TextDecoder().decode(bytes);
+            eventData = JSON.parse(text);
+          } catch {
+          }
+        }
+        this.emit("event", {
+          contextId: msg.result.contextId,
+          data: eventData
+        });
+      }
+    } catch {
     }
   }
-  handleDisconnect() {
-    if (!this.options.autoReconnect) {
-      return;
+  async subscribe(contextIds) {
+    const newIds = contextIds.filter((id) => !this.subscribedContextIds.has(id));
+    for (const id of contextIds) {
+      this.subscribedContextIds.add(id);
     }
-    if (this.reconnectAttempts >= this.options.maxReconnectAttempts) {
-      this.errorHandlers.forEach((h) => h(new Error("Max reconnect attempts reached")));
-      return;
+    if (newIds.length > 0 && this.sessionId) {
+      await this.sendSubscription("subscribe", newIds);
     }
-    this.reconnectAttempts++;
-    const delay = this.options.reconnectDelay * Math.pow(2, this.reconnectAttempts - 1);
-    setTimeout(async () => {
-      try {
-        await this.connect();
-        if (this.subscribedContexts.size > 0) {
-          await this.subscribe(Array.from(this.subscribedContexts));
-        }
-      } catch {
+  }
+  async unsubscribe(contextIds) {
+    const hadIds = contextIds.filter((id) => this.subscribedContextIds.has(id));
+    for (const id of contextIds) {
+      this.subscribedContextIds.delete(id);
+    }
+    if (hadIds.length > 0 && this.sessionId) {
+      await this.sendSubscription("unsubscribe", hadIds);
+    }
+  }
+  async sendSubscription(method, contextIds) {
+    try {
+      const token = await this.getAuthToken();
+      const response = await fetch(`${this.baseUrl}/sse/subscription`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          id: this.sessionId,
+          method,
+          params: { contextIds }
+        })
+      });
+      if (!response.ok) {
+        this.emit("error", new Error(`SSE ${method} failed: ${response.status}`));
       }
-    }, delay);
+    } catch (err) {
+      this.emit("error", err instanceof Error ? err : new Error(`SSE ${method} failed`));
+    }
   }
-};
-
-// src/api/sse/index.ts
-var sse_exports = {};
-__export(sse_exports, {
-  SseClient: () => SseClient
-});
-
-// src/api/sse/client.ts
-var SseClient = class {
-  constructor(options) {
-    this.eventSource = null;
+  forceReconnect() {
+    if (this.abortController) {
+      this.abortController.abort();
+      this.abortController = null;
+    }
     this.sessionId = null;
-    this.eventHandlers = [];
-    this.errorHandlers = [];
-    this.subscribedContexts = /* @__PURE__ */ new Set();
-    // Track last event ID for reconnection (used for resumable streams)
-    this._lastEventId = null;
-    this.options = {
-      autoReconnect: true,
-      reconnectDelay: 1e3,
-      getAuthToken: async () => null,
-      ...options
-    };
+    this.connect();
   }
-  /**
-   * Connect to the SSE stream
-   */
-  async connect() {
-    if (this.eventSource) {
-      throw new Error("Already connected");
+  scheduleReconnect() {
+    if (this.closed) return;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
     }
-    const token = await this.options.getAuthToken();
-    let url = `${this.options.baseUrl}/sse`;
-    if (token) {
-      url += `?token=${encodeURIComponent(token)}`;
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.forceReconnect();
+    }, this.reconnectDelayMs);
+  }
+  close() {
+    this.closed = true;
+    if (this.abortController) {
+      this.abortController.abort();
+      this.abortController = null;
     }
-    return new Promise((resolve, reject) => {
-      this.eventSource = new EventSource(url, {
-        withCredentials: true
-      });
-      this.eventSource.addEventListener("connect", (event) => {
-        const messageEvent = event;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    this.sessionId = null;
+    this.subscribedContextIds.clear();
+  }
+};
+
+// src/events/ws.ts
+var _WsClient = class _WsClient {
+  constructor(opts) {
+    this.ws = null;
+    this.closed = false;
+    this.reconnectAttempt = 0;
+    this.reconnectTimer = null;
+    this.subscribedContextIds = /* @__PURE__ */ new Set();
+    this.listeners = { connect: [], event: [], error: [] };
+    this.baseUrl = opts.baseUrl.replace(/\/+$/, "");
+    this.getAuthToken = opts.getAuthToken;
+  }
+  on(event, handler) {
+    const key = event;
+    if (key in this.listeners) {
+      const arr = this.listeners[key];
+      if (!arr.includes(handler)) arr.push(handler);
+    }
+  }
+  off(event, handler) {
+    const key = event;
+    if (key in this.listeners) {
+      const arr = this.listeners[key];
+      const idx = arr.indexOf(handler);
+      if (idx !== -1) arr.splice(idx, 1);
+    }
+  }
+  emit(event, arg) {
+    const key = event;
+    if (key in this.listeners) {
+      for (const handler of this.listeners[key]) {
         try {
-          const data = messageEvent.data;
-          this.sessionId = typeof data === "string" && data.startsWith("{") ? JSON.parse(data).session_id || JSON.parse(data).sessionId : data;
-          resolve(this.sessionId);
+          handler(arg);
         } catch {
-          this.sessionId = messageEvent.data;
-          resolve(this.sessionId);
         }
-      });
-      this.eventSource.onmessage = (event) => {
-        this._lastEventId = event.lastEventId;
-        try {
-          const data = JSON.parse(event.data);
-          const sseEvent = {
-            id: event.lastEventId,
-            event: "message",
-            data
-          };
-          this.eventHandlers.forEach((h) => h(sseEvent));
-        } catch {
-          const sseEvent = {
-            id: event.lastEventId,
-            event: "message",
-            data: event.data
-          };
-          this.eventHandlers.forEach((h) => h(sseEvent));
+      }
+    }
+  }
+  async connect() {
+    if (this.ws && (this.ws.readyState === WebSocket.CONNECTING || this.ws.readyState === WebSocket.OPEN)) {
+      return;
+    }
+    this.closed = false;
+    try {
+      const token = await this.getAuthToken();
+      if (!token) {
+        throw new Error("No authentication token available for WebSocket connection");
+      }
+      const wsUrl = this.baseUrl.replace(/^http/, "ws");
+      this.ws = new WebSocket(`${wsUrl}/ws?token=${encodeURIComponent(token)}`);
+      this.ws.onopen = () => {
+        this.reconnectAttempt = 0;
+        this.emit("connect");
+        if (this.subscribedContextIds.size > 0) {
+          this.sendMessage({
+            id: null,
+            method: "subscribe",
+            params: { contextIds: [...this.subscribedContextIds] }
+          });
         }
       };
-      this.eventSource.onerror = (_event) => {
-        const error = new Error("SSE connection error");
-        this.errorHandlers.forEach((h) => h(error));
-        if (this.eventSource?.readyState === EventSource.CLOSED) {
-          this.handleDisconnect();
-          if (!this.sessionId) {
-            reject(error);
-          }
+      this.ws.onmessage = (event) => {
+        this.handleMessage(event.data);
+      };
+      this.ws.onerror = () => {
+        this.emit("error", new Error("WebSocket error"));
+      };
+      this.ws.onclose = () => {
+        if (!this.closed) {
+          this.scheduleReconnect();
         }
       };
-    });
+    } catch (err) {
+      if (this.closed) return;
+      const error = err instanceof Error ? err : new Error(String(err));
+      this.emit("error", error);
+      this.scheduleReconnect();
+    }
   }
-  /**
-   * Disconnect from the SSE stream
-   */
-  disconnect() {
-    this.options.autoReconnect = false;
-    this.eventSource?.close();
-    this.eventSource = null;
-    this.sessionId = null;
-    this.subscribedContexts.clear();
+  handleMessage(raw) {
+    if (typeof raw !== "string") return;
+    try {
+      const msg = JSON.parse(raw);
+      if (msg.result && msg.result.contextId) {
+        let eventData = msg.result.data;
+        if (Array.isArray(eventData)) {
+          try {
+            const bytes = new Uint8Array(eventData);
+            const text = new TextDecoder().decode(bytes);
+            eventData = JSON.parse(text);
+          } catch {
+          }
+        }
+        this.emit("event", {
+          contextId: msg.result.contextId,
+          data: eventData
+        });
+      }
+    } catch {
+    }
   }
-  /**
-   * Subscribe to context events
-   */
-  async subscribe(contextIds) {
-    if (!this.sessionId) {
-      throw new Error("Not connected");
+  subscribe(contextIds) {
+    for (const id of contextIds) {
+      this.subscribedContextIds.add(id);
     }
-    const request = {
-      id: this.sessionId,
-      method: "subscribe",
-      params: { contextIds }
-    };
-    const response = await this.options.httpClient.post(
-      "/sse/subscription",
-      request
-    );
-    if (!response.error) {
-      contextIds.forEach((id) => this.subscribedContexts.add(id));
+    if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+      this.sendMessage({
+        id: null,
+        method: "subscribe",
+        params: { contextIds }
+      });
     }
-    return response;
   }
-  /**
-   * Unsubscribe from context events
-   */
-  async unsubscribe(contextIds) {
-    if (!this.sessionId) {
-      throw new Error("Not connected");
+  unsubscribe(contextIds) {
+    for (const id of contextIds) {
+      this.subscribedContextIds.delete(id);
     }
-    const request = {
-      id: this.sessionId,
-      method: "unsubscribe",
-      params: { contextIds }
-    };
-    const response = await this.options.httpClient.post(
-      "/sse/subscription",
-      request
-    );
-    if (!response.error) {
-      contextIds.forEach((id) => this.subscribedContexts.delete(id));
+    if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+      this.sendMessage({
+        id: null,
+        method: "unsubscribe",
+        params: { contextIds }
+      });
     }
-    return response;
   }
-  /**
-   * Get session information
-   */
-  async getSession() {
-    if (!this.sessionId) {
-      throw new Error("Not connected");
+  sendMessage(msg) {
+    if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(msg));
     }
-    return this.options.httpClient.get(
-      `/sse/session/${this.sessionId}`
-    );
   }
-  /**
-   * Add event handler
-   */
-  onEvent(handler) {
-    this.eventHandlers.push(handler);
-    return () => {
-      this.eventHandlers = this.eventHandlers.filter((h) => h !== handler);
-    };
-  }
-  /**
-   * Add error handler
-   */
-  onError(handler) {
-    this.errorHandlers.push(handler);
-    return () => {
-      this.errorHandlers = this.errorHandlers.filter((h) => h !== handler);
-    };
-  }
-  /**
-   * Check if connected
-   */
-  isConnected() {
-    return this.eventSource?.readyState === EventSource.OPEN;
-  }
-  /**
-   * Get current session ID
-   */
-  getSessionId() {
-    return this.sessionId;
-  }
-  /**
-   * Get subscribed context IDs
-   */
-  getSubscribedContexts() {
-    return Array.from(this.subscribedContexts);
-  }
-  /**
-   * Get the last event ID (useful for resumable connections)
-   */
-  getLastEventId() {
-    return this._lastEventId;
+  scheduleReconnect() {
+    if (this.closed) return;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+    }
+    const delay = Math.min(
+      1e3 * Math.pow(2, this.reconnectAttempt),
+      _WsClient.MAX_BACKOFF_MS
+    );
+    this.reconnectAttempt++;
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.connect();
+    }, delay);
   }
-  handleDisconnect() {
-    if (!this.options.autoReconnect) {
-      return;
+  close() {
+    this.closed = true;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
     }
-    setTimeout(async () => {
-      try {
-        await this.connect();
-        if (this.subscribedContexts.size > 0) {
-          await this.subscribe(Array.from(this.subscribedContexts));
-        }
-      } catch {
-      }
-    }, this.options.reconnectDelay);
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.subscribedContextIds.clear();
   }
 };
+_WsClient.MAX_BACKOFF_MS = 3e4;
+var WsClient = _WsClient;
 
 // src/mero-js.ts
+function expiresAtFromJwt(token, fallbackMs) {
+  try {
+    const parts = token.split(".");
+    if (parts.length === 3) {
+      let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+      while (b64.length % 4) b64 += "=";
+      const payload = JSON.parse(atob(b64));
+      if (typeof payload.exp === "number") {
+        return payload.exp * 1e3;
+      }
+    }
+  } catch {
+  }
+  return fallbackMs;
+}
 var MeroJs = class {
   constructor(config) {
     this.tokenData = null;
     this.refreshPromise = null;
-    this.tokenStorage = null;
+    this.rpcClient = null;
+    this.sseClient = null;
+    this.wsClient = null;
+    this.wsWarned = false;
     this.config = {
       timeoutMs: 1e4,
       ...config
     };
-    this.tokenStorage = config.tokenStorage || null;
+    this.tokenStore = config.tokenStore ?? null;
+    if (this.tokenStore) {
+      this.tokenData = this.tokenStore.getTokens();
+    }
     const isTauri = typeof window !== "undefined" && "__TAURI_INTERNALS__" in window;
-    const authBaseUrl = this.config.authBaseUrl ?? this.config.baseUrl;
-    const isEmbedded = authBaseUrl === this.config.baseUrl;
     this.httpClient = createBrowserHttpClient({
       baseUrl: this.config.baseUrl,
       getAuthToken: async () => {
         const token = await this.getValidToken();
         return token?.access_token || "";
       },
-      // Wire up automatic token refresh on 401
       refreshToken: async () => {
         const refreshed = await this.performTokenRefresh();
         return refreshed.access_token;
       },
-      onTokenRefresh: async (_newToken) => {
-        if (this.tokenData && this.tokenStorage) {
-          await this.tokenStorage.set(this.tokenData);
+      onTokenRefresh: async (newToken) => {
+        if (this.tokenData) {
+          this.tokenData.access_token = newToken;
+          this.tokenStore?.setTokens(this.tokenData);
         }
       },
       timeoutMs: this.config.timeoutMs,
       credentials: this.config.requestCredentials ?? (isTauri ? "omit" : void 0)
     });
-    const authHttpClient = createBrowserHttpClient({
-      baseUrl: authBaseUrl,
+    this.authClient = createAuthApiClientFromHttpClient(this.httpClient, {
+      baseUrl: this.config.baseUrl,
       getAuthToken: async () => {
         const token = await this.getValidToken();
         return token?.access_token || "";
       },
-      // NO refreshToken callback - auth endpoints handle their own auth
-      // Wiring refreshToken here would cause infinite loops when refresh fails
-      timeoutMs: this.config.timeoutMs,
-      credentials: this.config.requestCredentials ?? (isTauri ? "omit" : void 0)
+      timeoutMs: this.config.timeoutMs
     });
-    this.authClient = createAuthApiClient(authHttpClient, {
-      baseUrl: authBaseUrl,
-      embedded: isEmbedded
+    this.adminClient = createAdminApiClientFromHttpClient(this.httpClient, {
+      baseUrl: this.config.baseUrl,
+      getAuthToken: async () => {
+        const token = await this.getValidToken();
+        return token?.access_token || "";
+      },
+      timeoutMs: this.config.timeoutMs
     });
-    this.adminClient = createAdminApiClient(this.httpClient);
-    this.rpcClient = new RpcClient(this.httpClient);
-  }
-  /**
-   * Initialize the SDK by loading tokens from storage (if provided).
-   * Call this after construction if using tokenStorage.
-   * 
-   * @example
-   * ```typescript
-   * const mero = new MeroJs({ baseUrl: '...', tokenStorage: myStorage });
-   * await mero.init(); // Load stored tokens
-   * 
-   * if (!mero.isAuthenticated()) {
-   *   await mero.authenticate({ username: '...', password: '...' });
-   * }
-   * ```
-   */
-  async init() {
-    console.log("[mero-js] init() called, tokenStorage:", this.tokenStorage ? "EXISTS" : "NULL");
-    if (this.tokenStorage) {
-      const storedToken = await this.tokenStorage.get();
-      console.log("[mero-js] init() storedToken:", storedToken ? "LOADED" : "NULL");
-      if (storedToken) {
-        this.tokenData = storedToken;
-        console.log("[mero-js] init() tokenData set, expires_at:", storedToken.expires_at);
-      }
-    } else {
-      console.log("[mero-js] init() no tokenStorage configured");
-    }
   }
   /**
    * Get the Auth API client
@@ -1960,38 +1624,49 @@ var MeroJs = class {
     return this.adminClient;
   }
   /**
-   * Get the RPC client for executing queries and mutations
-   *
-   * @example
-   * ```typescript
-   * // Execute a query
-   * const result = await meroJs.rpc.query(
-   *   'context-id',
-   *   'get',
-   *   { key: 'myKey' },
-   *   'ed25519:executor-public-key'
-   * );
-   *
-   * // Execute a mutation
-   * await meroJs.rpc.mutate(
-   *   'context-id',
-   *   'set',
-   *   { key: 'myKey', value: 'myValue' },
-   *   'ed25519:executor-public-key'
-   * );
-   *
-   * // Or use the generic execute method
-   * const result = await meroJs.rpc.execute({
-   *   contextId: 'context-id',
-   *   method: 'set',
-   *   args: { key: 'myKey', value: 'myValue' },
-   *   executorPublicKey: 'ed25519:...',
-   * });
-   * ```
+   * Get the RPC client (lazy initialized)
    */
   get rpc() {
+    if (!this.rpcClient) {
+      this.rpcClient = new RpcClient({ httpClient: this.httpClient });
+    }
     return this.rpcClient;
   }
+  /**
+   * Get the SSE event client (lazy initialized)
+   */
+  get events() {
+    if (!this.sseClient) {
+      this.sseClient = new SseClient({
+        baseUrl: this.config.baseUrl,
+        getAuthToken: async () => {
+          const token = await this.getValidToken();
+          return token?.access_token || "";
+        }
+      });
+    }
+    return this.sseClient;
+  }
+  /**
+   * Get the WebSocket event client (lazy initialized).
+   * @experimental Use `events` (SSE) for production. WsClient is experimental.
+   */
+  get ws() {
+    if (!this.wsWarned) {
+      this.wsWarned = true;
+      console.warn("[mero-js] WsClient is experimental. Use mero.events (SSE) for production.");
+    }
+    if (!this.wsClient) {
+      this.wsClient = new WsClient({
+        baseUrl: this.config.baseUrl,
+        getAuthToken: async () => {
+          const token = await this.getValidToken();
+          return token?.access_token || "";
+        }
+      });
+    }
+    return this.wsClient;
+  }
   /**
    * Authenticate with the provided credentials
    * This will create the root key on first use
@@ -2013,82 +1688,41 @@ var MeroJs = class {
           password: creds.password
         }
       };
-      const response = await this.authClient.getToken(requestBody);
-      let expiresAt;
-      try {
-        const payload = JSON.parse(atob(response.access_token.split(".")[1]));
-        expiresAt = payload.exp * 1e3;
-        console.log("[mero-js] Extracted exp from JWT:", payload.exp, "-> expires_at:", expiresAt);
-      } catch (e) {
-        expiresAt = Date.now() + (response.expires_in || 3600) * 1e3;
-        console.warn("[mero-js] Failed to parse JWT, using expires_in fallback:", expiresAt);
-      }
+      const response = await this.authClient.generateTokens(requestBody);
+      const accessToken = response.data.access_token;
       this.tokenData = {
-        access_token: response.access_token,
-        refresh_token: response.refresh_token,
-        expires_at: expiresAt
+        access_token: accessToken,
+        refresh_token: response.data.refresh_token,
+        expires_at: expiresAtFromJwt(accessToken, Date.now() + 36e5)
       };
-      if (this.tokenStorage) {
-        await this.tokenStorage.set(this.tokenData);
-      }
+      this.tokenStore?.setTokens(this.tokenData);
       return this.tokenData;
     } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      const httpStatus = error && typeof error === "object" && "status" in error ? `HTTP ${String(error.status)}` : "";
-      const httpStatusText = error && typeof error === "object" && "statusText" in error ? ` ${String(error.statusText)}` : "";
-      const bodyText = error && typeof error === "object" && "bodyText" in error ? `: ${String(error.bodyText)}` : "";
       throw new Error(
-        `Authentication failed: ${httpStatus}${httpStatusText}${bodyText || errorMessage}`
+        `Authentication failed: ${error instanceof Error ? error.message : "Unknown error"}`
       );
     }
   }
   /**
-   * Get a valid token, refreshing if necessary.
-   * This is called automatically by the HTTP client.
-   * 
-   * Note: The HTTP client also handles 401 errors with automatic refresh,
-   * so this preemptive check is an optimization to avoid unnecessary 401s.
+   * Get a valid token. Returns the current token as-is.
+   * The server rejects refresh attempts while the access token is still valid,
+   * so we never proactively refresh. Instead, the WebHttpClient handles 401
+   * responses reactively via the refreshToken transport hook.
    */
   async getValidToken() {
-    console.log("[mero-js] getValidToken called, tokenData:", this.tokenData ? "EXISTS" : "NULL");
-    if (!this.tokenData) {
-      console.log("[mero-js] No tokenData, returning null");
-      return null;
-    }
-    const now = Date.now();
-    const expiresAt = this.tokenData.expires_at;
-    const isExpired = now >= expiresAt;
-    console.log("[mero-js] Token check: now=", now, "expires_at=", expiresAt, "isExpired=", isExpired);
-    if (isExpired) {
-      console.log("[mero-js] Token expired, attempting preemptive refresh");
-      return await this.refreshToken();
-    }
-    console.log("[mero-js] Token valid, returning tokenData");
     return this.tokenData;
   }
   /**
-   * Refresh the access token using the refresh token.
-   * Called automatically when token is about to expire or on 401.
-   * 
-   * @deprecated Use performTokenRefresh instead - this is kept for compatibility
+   * Refresh the access token using the refresh token
    */
   async refreshToken() {
-    return this.performTokenRefresh();
-  }
-  /**
-   * Perform the actual token refresh.
-   * This is used by both preemptive refresh and HTTP client's 401 handler.
-   * 
-   * Uses a shared promise to prevent multiple simultaneous refresh attempts,
-   * even when called from multiple sources (preemptive check, HTTP 401 handler, etc.)
-   */
-  async performTokenRefresh() {
+    if (!this.tokenData?.refresh_token) {
+      throw new Error("No refresh token available");
+    }
     if (this.refreshPromise) {
-      console.log("[mero-js] Refresh already in progress, waiting for existing promise");
       return this.refreshPromise;
     }
-    console.log("[mero-js] Starting new refresh attempt");
-    this.refreshPromise = this.doTokenRefresh();
+    this.refreshPromise = this.performTokenRefresh();
     try {
       const newToken = await this.refreshPromise;
       return newToken;
@@ -2097,87 +1731,37 @@ var MeroJs = class {
     }
   }
   /**
-   * Internal: Actually perform the refresh request.
-   * Called only from performTokenRefresh() which manages the deduplication.
+   * Perform the actual token refresh
    */
-  async doTokenRefresh() {
-    console.log("[mero-js doTokenRefresh] STARTING refresh...");
-    console.log("[mero-js doTokenRefresh] tokenData exists:", !!this.tokenData);
-    console.log("[mero-js doTokenRefresh] access_token exists:", !!this.tokenData?.access_token);
-    console.log("[mero-js doTokenRefresh] refresh_token exists:", !!this.tokenData?.refresh_token);
+  async performTokenRefresh() {
     if (!this.tokenData?.refresh_token) {
       throw new Error("No refresh token available");
     }
-    if (!this.tokenData?.access_token) {
-      throw new Error("No access token available for refresh (server requires both tokens)");
-    }
     try {
-      const refreshPayload = {
+      const response = await this.authClient.refreshToken({
         access_token: this.tokenData.access_token,
         refresh_token: this.tokenData.refresh_token
-      };
-      console.log("[mero-js doTokenRefresh] Payload keys:", Object.keys(refreshPayload));
-      console.log("[mero-js doTokenRefresh] access_token length:", refreshPayload.access_token?.length);
-      console.log("[mero-js doTokenRefresh] refresh_token length:", refreshPayload.refresh_token?.length);
-      const response = await this.authClient.refreshToken(refreshPayload);
-      let expiresAt;
-      try {
-        const payload = JSON.parse(atob(response.access_token.split(".")[1]));
-        expiresAt = payload.exp * 1e3;
-        console.log("[mero-js] Extracted exp from JWT:", payload.exp, "-> expires_at:", expiresAt);
-      } catch (e) {
-        expiresAt = Date.now() + (response.expires_in || 3600) * 1e3;
-        console.warn("[mero-js] Failed to parse JWT, using expires_in fallback:", expiresAt);
-      }
+      });
+      const accessToken = response.data.access_token;
       this.tokenData = {
-        access_token: response.access_token,
-        refresh_token: response.refresh_token,
-        expires_at: expiresAt
+        access_token: accessToken,
+        refresh_token: response.data.refresh_token,
+        expires_at: expiresAtFromJwt(accessToken, Date.now() + 36e5)
       };
-      if (this.tokenStorage) {
-        await this.tokenStorage.set(this.tokenData);
-      }
+      this.tokenStore?.setTokens(this.tokenData);
       return this.tokenData;
     } catch (error) {
-      console.error("[mero-js] Token refresh failed:", error);
-      const httpError = error;
-      const status = httpError?.status;
-      const errorBody = httpError?.body || httpError?.message || "";
-      if (status) {
-        console.error("[mero-js] Refresh error status:", status);
-        console.error("[mero-js] Refresh error body:", errorBody);
-      }
-      if (errorBody.includes("still valid") || errorBody.includes("token valid")) {
-        console.warn("[mero-js] Server says token is still valid - NOT clearing tokens");
-        console.warn("[mero-js] This usually means the 401 came from a different issue (wrong endpoint, missing header, etc.)");
-        const tokenValidError = new Error("Token is valid but request failed. Check Authorization header.");
-        tokenValidError.tokenStillValid = true;
-        throw tokenValidError;
-      }
-      if (status && status >= 400 && status < 500) {
-        console.warn("[mero-js] Refresh failed with 4XX - clearing tokens, user must re-authenticate");
-        await this.clearToken();
-        throw new Error(`Session expired. Please log in again. (${status})`);
-      }
-      if (status && status >= 500) {
-        console.warn("[mero-js] Refresh failed with 5XX - server error, keeping tokens");
-        throw new Error(`Server error during refresh. Please try again later. (${status})`);
-      }
-      console.warn("[mero-js] Refresh failed with unknown error - clearing tokens");
-      await this.clearToken();
       throw new Error(
         `Token refresh failed: ${error instanceof Error ? error.message : "Unknown error"}`
       );
     }
   }
   /**
-   * Clear the current token from memory and storage
+   * Clear the current token
    */
-  async clearToken() {
+  clearToken() {
     this.tokenData = null;
-    if (this.tokenStorage) {
-      await this.tokenStorage.clear();
-    }
+    this.tokenStore?.clear();
   }
   /**
    * Check if the SDK is authenticated
@@ -2185,6 +1769,16 @@ var MeroJs = class {
   isAuthenticated() {
     return this.tokenData !== null;
   }
+  /**
+   * Set token data directly (e.g., from auth callback).
+   * If `expires_at` is missing or 0, attempts to parse the JWT exp claim,
+   * falling back to 1 hour from now.
+   */
+  setTokenData(data) {
+    const expiresAt = data.expires_at || expiresAtFromJwt(data.access_token, Date.now() + 36e5);
+    this.tokenData = { ...data, expires_at: expiresAt };
+    this.tokenStore?.setTokens(this.tokenData);
+  }
   /**
    * Get the current token data (for debugging)
    */
@@ -2192,122 +1786,140 @@ var MeroJs = class {
     return this.tokenData;
   }
   /**
-   * Manually set the token data.
-   * Use this when handling authentication externally (e.g., OAuth flows).
-   * 
-   * @param tokenData - The token data to set, or null to clear
-   * @example
-   * ```typescript
-   * // After receiving tokens from external auth flow
-   * await meroJs.setToken({
-   *   access_token: 'eyJ...',
-   *   refresh_token: 'eyJ...',
-   *   expires_at: Date.now() + 3600000,
-   * });
-   * ```
+   * Close all event connections and clean up resources
    */
-  async setToken(tokenData) {
-    this.tokenData = tokenData;
-    if (this.tokenStorage) {
-      if (tokenData) {
-        await this.tokenStorage.set(tokenData);
-      } else {
-        await this.tokenStorage.clear();
-      }
-    }
+  close() {
+    this.sseClient?.close();
+    this.wsClient?.close();
   }
   /**
-   * Create a WebSocket client for real-time event subscriptions
-   *
-   * @param options - Optional WebSocket client options to override defaults
-   * @returns A new WebSocketClient instance
-   *
-   * @example
-   * ```typescript
-   * const ws = meroJs.createWebSocket();
-   * await ws.connect();
-   *
-   * ws.onEvent((event) => {
-   *   console.log('Received event:', event);
-   * });
-   *
-   * await ws.subscribe(['context-id-1', 'context-id-2']);
-   *
-   * // Later...
-   * ws.disconnect();
-   * ```
+   * Parse an auth callback URL hash fragment (static utility)
    */
-  createWebSocket(options) {
-    return new WebSocketClient({
-      baseUrl: this.config.baseUrl,
-      getAuthToken: async () => this.tokenData?.access_token || null,
-      ...options
-    });
+  static parseAuthCallback(url) {
+    return parseAuthCallback(url);
   }
   /**
-   * Create an SSE client for server-sent event streaming
-   *
-   * @param options - Optional SSE client options to override defaults
-   * @returns A new SseClient instance
-   *
-   * @example
-   * ```typescript
-   * const sse = meroJs.createSse();
-   * const sessionId = await sse.connect();
-   *
-   * sse.onEvent((event) => {
-   *   console.log('Received event:', event);
-   * });
-   *
-   * await sse.subscribe(['context-id-1', 'context-id-2']);
-   *
-   * // Get session info
-   * const session = await sse.getSession();
-   *
-   * // Later...
-   * sse.disconnect();
-   * ```
+   * Build an auth login URL (static utility)
    */
-  createSse(options) {
-    return new SseClient({
-      baseUrl: this.config.baseUrl,
-      httpClient: this.httpClient,
-      getAuthToken: async () => this.tokenData?.access_token || null,
-      ...options
-    });
+  static buildAuthLoginUrl(nodeUrl, opts) {
+    return buildAuthLoginUrl(nodeUrl, opts);
   }
 };
 function createMeroJs(config) {
   return new MeroJs(config);
 }
+
+// src/token-store/index.ts
+var MemoryTokenStore = class {
+  constructor() {
+    this.tokens = null;
+  }
+  getTokens() {
+    return this.tokens;
+  }
+  setTokens(data) {
+    this.tokens = data;
+  }
+  clear() {
+    this.tokens = null;
+  }
+};
+var STORAGE_KEY = "mero-tokens";
+var LocalStorageTokenStore = class {
+  constructor(key = STORAGE_KEY) {
+    this.key = key;
+  }
+  getTokens() {
+    try {
+      if (typeof localStorage === "undefined") return null;
+      const raw = localStorage.getItem(this.key);
+      if (!raw) return null;
+      const parsed = JSON.parse(raw);
+      if (parsed && parsed.access_token && parsed.refresh_token) {
+        return {
+          access_token: parsed.access_token,
+          refresh_token: parsed.refresh_token,
+          expires_at: typeof parsed.expires_at === "number" ? parsed.expires_at : Date.now() + 36e5
+        };
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  setTokens(data) {
+    try {
+      if (typeof localStorage === "undefined") return;
+      localStorage.setItem(this.key, JSON.stringify(data));
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      if (typeof localStorage === "undefined") return;
+      localStorage.removeItem(this.key);
+    } catch {
+    }
+  }
+};
+
+// src/cloud/cloud-client.ts
+var CloudClient = class {
+  constructor(config = {}) {
+    this.baseUrl = (config.cloudBaseUrl || "https://cloud.calimero.network").replace(/\/+$/, "");
+  }
+  enableHA(options) {
+    const params = new URLSearchParams({
+      group_id: options.groupId,
+      context_id: options.contextId
+    });
+    if (options.redirectUrl) {
+      params.set("redirect_url", options.redirectUrl);
+    }
+    window.open(`${this.baseUrl}/enable-ha?${params.toString()}`);
+  }
+  disableHA(options) {
+    const params = new URLSearchParams({
+      group_id: options.groupId,
+      context_id: options.contextId
+    });
+    if (options.redirectUrl) {
+      params.set("redirect_url", options.redirectUrl);
+    }
+    window.open(`${this.baseUrl}/disable-ha?${params.toString()}`);
+  }
+};
 export {
-  admin_exports as AdminApi,
   AdminApiClient,
-  ApiResponseError,
-  auth_exports as AuthApi,
   AuthApiClient,
+  CloudClient,
   HTTPError,
-  JsonRpcError,
+  LocalStorageTokenStore,
+  MemoryTokenStore,
   MeroJs,
-  rpc_exports as RpcApi,
   RpcClient,
-  sse_exports as SseApi,
+  RpcError,
   SseClient,
   WebHttpClient,
-  WebSocketClient,
-  ws_exports as WsApi,
+  WsClient,
+  buildAuthLoginUrl,
   combineSignals,
   createAdminApiClient,
+  createAdminApiClientFromHttpClient,
   createAuthApiClient,
+  createAuthApiClientFromHttpClient,
+  createBrowserAdminApiClient,
+  createBrowserAuthApiClient,
   createBrowserHttpClient,
   createHttpClient,
   createMeroJs,
+  createNodeAdminApiClient,
+  createNodeAuthApiClient,
   createNodeHttpClient,
   createRetryableMethod,
   createTimeoutSignal,
   createUniversalHttpClient,
-  unwrap,
-  unwrapOrNull,
+  parseAuthCallback,
   withRetry
 };
 //# sourceMappingURL=index.mjs.map