@debros/orama 0.122.4-nightly

package/dist/index.js

@@ -0,0 +1,2553 @@
+// src/errors.ts
+var SDKError = class _SDKError extends Error {
+  constructor(message, httpStatus = 500, code = "SDK_ERROR", details = {}) {
+    super(message);
+    this.name = "SDKError";
+    this.httpStatus = httpStatus;
+    this.code = code;
+    this.details = details;
+  }
+  static fromResponse(status, body, message) {
+    const errorMsg = message || body?.error || `HTTP ${status}`;
+    const code = body?.code || `HTTP_${status}`;
+    return new _SDKError(errorMsg, status, code, body);
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      httpStatus: this.httpStatus,
+      code: this.code,
+      details: this.details
+    };
+  }
+};
+
+// src/core/http.ts
+function createFetchWithTLSConfig() {
+  if (typeof process !== "undefined" && process.versions?.node) {
+    const isDevelopmentOrStaging = process.env.NODE_ENV !== "production" || process.env.DEBROS_ALLOW_STAGING_CERTS === "true" || process.env.DEBROS_USE_HTTPS === "true";
+    if (isDevelopmentOrStaging) {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    }
+  }
+  return globalThis.fetch;
+}
+var HttpClient = class {
+  constructor(config) {
+    this.baseURL = config.baseURL.replace(/\/$/, "");
+    this.timeout = config.timeout ?? 6e4;
+    this.maxRetries = config.maxRetries ?? 3;
+    this.retryDelayMs = config.retryDelayMs ?? 1e3;
+    this.fetch = config.fetch ?? createFetchWithTLSConfig();
+    this.debug = config.debug ?? false;
+    this.onNetworkError = config.onNetworkError;
+  }
+  /**
+   * Set the network error callback
+   */
+  setOnNetworkError(callback) {
+    this.onNetworkError = callback;
+  }
+  setApiKey(apiKey) {
+    this.apiKey = apiKey;
+  }
+  setJwt(jwt) {
+    this.jwt = jwt;
+    if (typeof console !== "undefined") {
+      console.log(
+        "[HttpClient] JWT set:",
+        !!jwt,
+        "API key still present:",
+        !!this.apiKey
+      );
+    }
+  }
+  getAuthHeaders(path) {
+    const headers = {};
+    const isDbOperation = path.includes("/v1/rqlite/");
+    const isPubSubOperation = path.includes("/v1/pubsub/");
+    const isProxyOperation = path.includes("/v1/proxy/");
+    const isCacheOperation = path.includes("/v1/cache/");
+    const isAuthOperation = path.includes("/v1/auth/");
+    if (isDbOperation || isPubSubOperation || isProxyOperation || isCacheOperation) {
+      if (this.apiKey) {
+        headers["X-API-Key"] = this.apiKey;
+      } else if (this.jwt) {
+        headers["Authorization"] = `Bearer ${this.jwt}`;
+      }
+    } else if (isAuthOperation) {
+      if (this.apiKey) {
+        headers["X-API-Key"] = this.apiKey;
+      }
+      if (this.jwt) {
+        headers["Authorization"] = `Bearer ${this.jwt}`;
+      }
+    } else {
+      if (this.jwt) {
+        headers["Authorization"] = `Bearer ${this.jwt}`;
+      }
+      if (this.apiKey) {
+        headers["X-API-Key"] = this.apiKey;
+      }
+    }
+    return headers;
+  }
+  getAuthToken() {
+    return this.jwt || this.apiKey;
+  }
+  getApiKey() {
+    return this.apiKey;
+  }
+  /**
+   * Get the base URL
+   */
+  getBaseURL() {
+    return this.baseURL;
+  }
+  async request(method, path, options = {}) {
+    const startTime = performance.now();
+    const url = new URL(this.baseURL + path);
+    if (options.query) {
+      Object.entries(options.query).forEach(([key, value]) => {
+        url.searchParams.append(key, String(value));
+      });
+    }
+    const headers = {
+      "Content-Type": "application/json",
+      ...this.getAuthHeaders(path),
+      ...options.headers
+    };
+    const controller = new AbortController();
+    const requestTimeout = options.timeout ?? this.timeout;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeout);
+    const fetchOptions = {
+      method,
+      headers,
+      signal: controller.signal
+    };
+    if (options.body !== void 0) {
+      fetchOptions.body = JSON.stringify(options.body);
+    }
+    const isRqliteOperation = path.includes("/v1/rqlite/");
+    let queryDetails = null;
+    if (isRqliteOperation && options.body) {
+      try {
+        const body = typeof options.body === "string" ? JSON.parse(options.body) : options.body;
+        if (body.sql) {
+          queryDetails = `SQL: ${body.sql}`;
+          if (body.args && body.args.length > 0) {
+            queryDetails += ` | Args: [${body.args.map((a) => typeof a === "string" ? `"${a}"` : a).join(", ")}]`;
+          }
+        } else if (body.table) {
+          queryDetails = `Table: ${body.table}`;
+          if (body.criteria && Object.keys(body.criteria).length > 0) {
+            queryDetails += ` | Criteria: ${JSON.stringify(body.criteria)}`;
+          }
+          if (body.options) {
+            queryDetails += ` | Options: ${JSON.stringify(body.options)}`;
+          }
+          if (body.select) {
+            queryDetails += ` | Select: ${JSON.stringify(body.select)}`;
+          }
+          if (body.where) {
+            queryDetails += ` | Where: ${JSON.stringify(body.where)}`;
+          }
+          if (body.limit) {
+            queryDetails += ` | Limit: ${body.limit}`;
+          }
+          if (body.offset) {
+            queryDetails += ` | Offset: ${body.offset}`;
+          }
+        }
+      } catch (e) {
+      }
+    }
+    try {
+      const result = await this.requestWithRetry(
+        url.toString(),
+        fetchOptions,
+        0,
+        startTime
+      );
+      const duration = performance.now() - startTime;
+      if (typeof console !== "undefined") {
+        const logMessage = `[HttpClient] ${method} ${path} completed in ${duration.toFixed(
+          2
+        )}ms`;
+        if (queryDetails && this.debug) {
+          console.log(logMessage);
+          console.log(`[HttpClient]   ${queryDetails}`);
+        } else {
+          console.log(logMessage);
+        }
+      }
+      return result;
+    } catch (error) {
+      const duration = performance.now() - startTime;
+      if (typeof console !== "undefined") {
+        const is404FindOne = path === "/v1/rqlite/find-one" && error instanceof SDKError && error.httpStatus === 404;
+        if (is404FindOne) {
+          console.warn(
+            `[HttpClient] ${method} ${path} returned 404 after ${duration.toFixed(
+              2
+            )}ms (expected for optional lookups)`
+          );
+        } else {
+          const errorMessage = `[HttpClient] ${method} ${path} failed after ${duration.toFixed(
+            2
+          )}ms:`;
+          console.error(errorMessage, error);
+          if (queryDetails && this.debug) {
+            console.error(`[HttpClient]   ${queryDetails}`);
+          }
+        }
+      }
+      if (this.onNetworkError) {
+        const sdkError = error instanceof SDKError ? error : new SDKError(
+          error instanceof Error ? error.message : String(error),
+          0,
+          // httpStatus 0 indicates network-level failure
+          "NETWORK_ERROR"
+        );
+        this.onNetworkError(sdkError, {
+          method,
+          path,
+          isRetry: false,
+          attempt: this.maxRetries
+          // All retries exhausted
+        });
+      }
+      throw error;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  async requestWithRetry(url, options, attempt = 0, startTime) {
+    try {
+      const response = await this.fetch(url, options);
+      if (!response.ok) {
+        let body;
+        try {
+          body = await response.json();
+        } catch {
+          body = { error: response.statusText };
+        }
+        throw SDKError.fromResponse(response.status, body);
+      }
+      const contentType = response.headers.get("content-type");
+      if (contentType?.includes("application/json")) {
+        return response.json();
+      }
+      return response.text();
+    } catch (error) {
+      const isRetryableError = error instanceof SDKError && [408, 429, 500, 502, 503, 504].includes(error.httpStatus);
+      if (isRetryableError && attempt < this.maxRetries) {
+        if (typeof console !== "undefined") {
+          console.warn(
+            `[HttpClient] Retrying request (attempt ${attempt + 1}/${this.maxRetries})`
+          );
+        }
+        await new Promise(
+          (resolve) => setTimeout(resolve, this.retryDelayMs * (attempt + 1))
+        );
+        return this.requestWithRetry(url, options, attempt + 1, startTime);
+      }
+      throw error;
+    }
+  }
+  async get(path, options) {
+    return this.request("GET", path, options);
+  }
+  async post(path, body, options) {
+    return this.request("POST", path, { ...options, body });
+  }
+  async put(path, body, options) {
+    return this.request("PUT", path, { ...options, body });
+  }
+  async delete(path, options) {
+    return this.request("DELETE", path, options);
+  }
+  /**
+   * Upload a file using multipart/form-data
+   * This is a special method for file uploads that bypasses JSON serialization
+   */
+  async uploadFile(path, formData, options) {
+    const startTime = performance.now();
+    const url = new URL(this.baseURL + path);
+    const headers = {
+      ...this.getAuthHeaders(path)
+      // Don't set Content-Type - browser will set it with boundary
+    };
+    const controller = new AbortController();
+    const requestTimeout = options?.timeout ?? this.timeout * 5;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeout);
+    const fetchOptions = {
+      method: "POST",
+      headers,
+      body: formData,
+      signal: controller.signal
+    };
+    try {
+      const result = await this.requestWithRetry(
+        url.toString(),
+        fetchOptions,
+        0,
+        startTime
+      );
+      const duration = performance.now() - startTime;
+      if (typeof console !== "undefined") {
+        console.log(
+          `[HttpClient] POST ${path} (upload) completed in ${duration.toFixed(
+            2
+          )}ms`
+        );
+      }
+      return result;
+    } catch (error) {
+      const duration = performance.now() - startTime;
+      if (typeof console !== "undefined") {
+        console.error(
+          `[HttpClient] POST ${path} (upload) failed after ${duration.toFixed(
+            2
+          )}ms:`,
+          error
+        );
+      }
+      if (this.onNetworkError) {
+        const sdkError = error instanceof SDKError ? error : new SDKError(
+          error instanceof Error ? error.message : String(error),
+          0,
+          "NETWORK_ERROR"
+        );
+        this.onNetworkError(sdkError, {
+          method: "POST",
+          path,
+          isRetry: false,
+          attempt: this.maxRetries
+        });
+      }
+      throw error;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Get a binary response (returns Response object for streaming)
+   */
+  async getBinary(path) {
+    const url = new URL(this.baseURL + path);
+    const headers = {
+      ...this.getAuthHeaders(path)
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout * 5);
+    const fetchOptions = {
+      method: "GET",
+      headers,
+      signal: controller.signal
+    };
+    try {
+      const response = await this.fetch(url.toString(), fetchOptions);
+      if (!response.ok) {
+        clearTimeout(timeoutId);
+        const errorBody = await response.json().catch(() => ({
+          error: response.statusText
+        }));
+        throw SDKError.fromResponse(response.status, errorBody);
+      }
+      return response;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (this.onNetworkError) {
+        const sdkError = error instanceof SDKError ? error : new SDKError(
+          error instanceof Error ? error.message : String(error),
+          0,
+          "NETWORK_ERROR"
+        );
+        this.onNetworkError(sdkError, {
+          method: "GET",
+          path,
+          isRetry: false,
+          attempt: 0
+        });
+      }
+      throw error;
+    }
+  }
+  getToken() {
+    return this.getAuthToken();
+  }
+};
+
+// src/auth/types.ts
+var MemoryStorage = class {
+  constructor() {
+    this.storage = /* @__PURE__ */ new Map();
+  }
+  async get(key) {
+    return this.storage.get(key) ?? null;
+  }
+  async set(key, value) {
+    this.storage.set(key, value);
+  }
+  async clear() {
+    this.storage.clear();
+  }
+};
+var LocalStorageAdapter = class {
+  constructor() {
+    this.prefix = "@network/sdk:";
+  }
+  async get(key) {
+    if (typeof globalThis !== "undefined" && globalThis.localStorage) {
+      return globalThis.localStorage.getItem(this.prefix + key);
+    }
+    return null;
+  }
+  async set(key, value) {
+    if (typeof globalThis !== "undefined" && globalThis.localStorage) {
+      globalThis.localStorage.setItem(this.prefix + key, value);
+    }
+  }
+  async clear() {
+    if (typeof globalThis !== "undefined" && globalThis.localStorage) {
+      const keysToDelete = [];
+      for (let i = 0; i < globalThis.localStorage.length; i++) {
+        const key = globalThis.localStorage.key(i);
+        if (key?.startsWith(this.prefix)) {
+          keysToDelete.push(key);
+        }
+      }
+      keysToDelete.forEach((key) => globalThis.localStorage.removeItem(key));
+    }
+  }
+};
+
+// src/auth/client.ts
+var AuthClient = class {
+  constructor(config) {
+    this.httpClient = config.httpClient;
+    this.storage = config.storage ?? new MemoryStorage();
+    this.currentApiKey = config.apiKey;
+    this.currentJwt = config.jwt;
+    if (this.currentApiKey) {
+      this.httpClient.setApiKey(this.currentApiKey);
+    }
+    if (this.currentJwt) {
+      this.httpClient.setJwt(this.currentJwt);
+    }
+  }
+  setApiKey(apiKey) {
+    this.currentApiKey = apiKey;
+    this.httpClient.setApiKey(apiKey);
+    this.storage.set("apiKey", apiKey);
+  }
+  setJwt(jwt) {
+    this.currentJwt = jwt;
+    this.httpClient.setJwt(jwt);
+    this.storage.set("jwt", jwt);
+  }
+  getToken() {
+    return this.httpClient.getToken();
+  }
+  async whoami() {
+    try {
+      const response = await this.httpClient.get("/v1/auth/whoami");
+      return response;
+    } catch {
+      return { authenticated: false };
+    }
+  }
+  /**
+   * Exchange a stored refresh token for a fresh access token.
+   *
+   * Pulls the refresh token (and the namespace it was issued for) out of
+   * storage — both are persisted by `verify()` after a successful wallet
+   * sign-in. The gateway returns a new access token and may rotate the
+   * refresh token; we persist the rotated one if present.
+   *
+   * Bug #239: previously this method (a) sent no body and (b) read the
+   * wrong response field, so the call always 400-ed AND silently wrote
+   * `undefined` as the in-memory JWT. Both issues fixed.
+   */
+  async refresh() {
+    const refreshToken = await this.storage.get("refreshToken");
+    if (!refreshToken) {
+      throw new Error(
+        "refresh failed: no refresh token in storage \u2014 call verify() first"
+      );
+    }
+    const namespace = await this.storage.get("namespace") ?? "default";
+    const response = await this.httpClient.post("/v1/auth/refresh", { refresh_token: refreshToken, namespace });
+    if (!response?.access_token) {
+      throw new Error("refresh failed: server returned no access_token");
+    }
+    this.setJwt(response.access_token);
+    if (response.refresh_token && response.refresh_token !== refreshToken) {
+      await this.storage.set("refreshToken", response.refresh_token);
+    }
+    return response.access_token;
+  }
+  /**
+   * Logout user and clear JWT, but preserve API key
+   * Use this for user logout in apps where API key is app-level credential
+   */
+  async logoutUser() {
+    if (this.currentJwt) {
+      try {
+        await this.httpClient.post("/v1/auth/logout", { all: true });
+      } catch (error) {
+        console.warn(
+          "Server-side logout failed, continuing with local cleanup:",
+          error
+        );
+      }
+    }
+    this.currentJwt = void 0;
+    this.httpClient.setJwt(void 0);
+    await this.storage.set("jwt", "");
+    if (!this.currentApiKey) {
+      const storedApiKey = await this.storage.get("apiKey");
+      if (storedApiKey) {
+        this.currentApiKey = storedApiKey;
+      }
+    }
+    if (this.currentApiKey) {
+      this.httpClient.setApiKey(this.currentApiKey);
+      console.log("[Auth] API key restored after user logout");
+    } else {
+      console.warn("[Auth] No API key available after logout");
+    }
+  }
+  /**
+   * Full logout - clears both JWT and API key
+   * Use this to completely reset authentication state
+   */
+  async logout() {
+    if (this.currentJwt) {
+      try {
+        await this.httpClient.post("/v1/auth/logout", { all: true });
+      } catch (error) {
+        console.warn(
+          "Server-side logout failed, continuing with local cleanup:",
+          error
+        );
+      }
+    }
+    this.currentApiKey = void 0;
+    this.currentJwt = void 0;
+    this.httpClient.setApiKey(void 0);
+    this.httpClient.setJwt(void 0);
+    await this.storage.clear();
+  }
+  async clear() {
+    this.currentApiKey = void 0;
+    this.currentJwt = void 0;
+    this.httpClient.setApiKey(void 0);
+    this.httpClient.setJwt(void 0);
+    await this.storage.clear();
+  }
+  /**
+   * Request a challenge nonce for wallet authentication
+   */
+  async challenge(params) {
+    const response = await this.httpClient.post("/v1/auth/challenge", {
+      wallet: params.wallet,
+      purpose: params.purpose || "authentication",
+      namespace: params.namespace || "default"
+    });
+    return response;
+  }
+  /**
+   * Verify wallet signature and get JWT token
+   */
+  async verify(params) {
+    const response = await this.httpClient.post("/v1/auth/verify", {
+      wallet: params.wallet,
+      nonce: params.nonce,
+      signature: params.signature,
+      namespace: params.namespace || "default",
+      chain_type: params.chain_type || "ETH"
+    });
+    this.setJwt(response.access_token);
+    if (response.api_key) {
+      this.setApiKey(response.api_key);
+    }
+    if (response.refresh_token) {
+      await this.storage.set("refreshToken", response.refresh_token);
+    }
+    const issuedNamespace = response.namespace || params.namespace || "default";
+    await this.storage.set("namespace", issuedNamespace);
+    return response;
+  }
+  /**
+   * Get API key for wallet (creates namespace ownership)
+   */
+  async getApiKey(params) {
+    const response = await this.httpClient.post("/v1/auth/api-key", {
+      wallet: params.wallet,
+      nonce: params.nonce,
+      signature: params.signature,
+      namespace: params.namespace || "default",
+      chain_type: params.chain_type || "ETH"
+    });
+    this.setApiKey(response.api_key);
+    return response;
+  }
+};
+
+// src/db/qb.ts
+var QueryBuilder = class {
+  constructor(httpClient, table) {
+    this.options = {};
+    this.httpClient = httpClient;
+    this.table = table;
+  }
+  select(...columns) {
+    this.options.select = columns;
+    return this;
+  }
+  innerJoin(table, on) {
+    if (!this.options.joins) this.options.joins = [];
+    this.options.joins.push({ kind: "INNER", table, on });
+    return this;
+  }
+  leftJoin(table, on) {
+    if (!this.options.joins) this.options.joins = [];
+    this.options.joins.push({ kind: "LEFT", table, on });
+    return this;
+  }
+  rightJoin(table, on) {
+    if (!this.options.joins) this.options.joins = [];
+    this.options.joins.push({ kind: "RIGHT", table, on });
+    return this;
+  }
+  where(expr, args) {
+    if (!this.options.where) this.options.where = [];
+    this.options.where.push({ conj: "AND", expr, args });
+    return this;
+  }
+  andWhere(expr, args) {
+    return this.where(expr, args);
+  }
+  orWhere(expr, args) {
+    if (!this.options.where) this.options.where = [];
+    this.options.where.push({ conj: "OR", expr, args });
+    return this;
+  }
+  groupBy(...columns) {
+    this.options.group_by = columns;
+    return this;
+  }
+  orderBy(...columns) {
+    this.options.order_by = columns;
+    return this;
+  }
+  limit(n) {
+    this.options.limit = n;
+    return this;
+  }
+  offset(n) {
+    this.options.offset = n;
+    return this;
+  }
+  async getMany(ctx) {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/select",
+      {
+        table: this.table,
+        ...this.options
+      }
+    );
+    return response.items || [];
+  }
+  async getOne(ctx) {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/select",
+      {
+        table: this.table,
+        ...this.options,
+        one: true,
+        limit: 1
+      }
+    );
+    const items = response.items || [];
+    return items.length > 0 ? items[0] : null;
+  }
+  async count() {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/select",
+      {
+        table: this.table,
+        select: ["COUNT(*) AS count"],
+        where: this.options.where,
+        one: true
+      }
+    );
+    const items = response.items || [];
+    return items.length > 0 ? items[0].count : 0;
+  }
+};
+
+// src/db/repository.ts
+var Repository = class {
+  constructor(httpClient, tableName, primaryKey = "id") {
+    this.httpClient = httpClient;
+    this.tableName = tableName;
+    this.primaryKey = primaryKey;
+  }
+  createQueryBuilder() {
+    return new QueryBuilder(this.httpClient, this.tableName);
+  }
+  async find(criteria = {}, options = {}) {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/find",
+      {
+        table: this.tableName,
+        criteria,
+        options
+      }
+    );
+    return response.items || [];
+  }
+  async findOne(criteria) {
+    try {
+      const response = await this.httpClient.post(
+        "/v1/rqlite/find-one",
+        {
+          table: this.tableName,
+          criteria
+        }
+      );
+      return response;
+    } catch (error) {
+      if (error instanceof SDKError && error.httpStatus === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async save(entity) {
+    const pkValue = entity[this.primaryKey];
+    if (!pkValue) {
+      const response = await this.httpClient.post("/v1/rqlite/exec", {
+        sql: this.buildInsertSql(entity),
+        args: this.buildInsertArgs(entity)
+      });
+      if (response.last_insert_id) {
+        entity[this.primaryKey] = response.last_insert_id;
+      }
+      return entity;
+    } else {
+      await this.httpClient.post("/v1/rqlite/exec", {
+        sql: this.buildUpdateSql(entity),
+        args: this.buildUpdateArgs(entity)
+      });
+      return entity;
+    }
+  }
+  async remove(entity) {
+    const pkValue = entity[this.primaryKey];
+    if (!pkValue) {
+      throw new SDKError(
+        `Primary key "${this.primaryKey}" is required for remove`,
+        400,
+        "MISSING_PK"
+      );
+    }
+    await this.httpClient.post("/v1/rqlite/exec", {
+      sql: `DELETE FROM ${this.tableName} WHERE ${this.primaryKey} = ?`,
+      args: [pkValue]
+    });
+  }
+  buildInsertSql(entity) {
+    const columns = Object.keys(entity).filter((k) => entity[k] !== void 0);
+    const placeholders = columns.map(() => "?").join(", ");
+    return `INSERT INTO ${this.tableName} (${columns.join(
+      ", "
+    )}) VALUES (${placeholders})`;
+  }
+  buildInsertArgs(entity) {
+    return Object.entries(entity).filter(([, v]) => v !== void 0).map(([, v]) => v);
+  }
+  buildUpdateSql(entity) {
+    const columns = Object.keys(entity).filter((k) => entity[k] !== void 0 && k !== this.primaryKey).map((k) => `${k} = ?`);
+    return `UPDATE ${this.tableName} SET ${columns.join(", ")} WHERE ${this.primaryKey} = ?`;
+  }
+  buildUpdateArgs(entity) {
+    const args = Object.entries(entity).filter(([k, v]) => v !== void 0 && k !== this.primaryKey).map(([, v]) => v);
+    args.push(entity[this.primaryKey]);
+    return args;
+  }
+};
+
+// src/db/client.ts
+var DBClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  /**
+   * Execute a write/DDL SQL statement.
+   */
+  async exec(sql, args = []) {
+    return this.httpClient.post("/v1/rqlite/exec", { sql, args });
+  }
+  /**
+   * Execute a SELECT query.
+   */
+  async query(sql, args = []) {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/query",
+      { sql, args }
+    );
+    return response.items || [];
+  }
+  /**
+   * Find rows with map-based criteria.
+   */
+  async find(table, criteria = {}, options = {}) {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/find",
+      {
+        table,
+        criteria,
+        options
+      }
+    );
+    return response.items || [];
+  }
+  /**
+   * Find a single row with map-based criteria.
+   */
+  async findOne(table, criteria) {
+    return this.httpClient.post("/v1/rqlite/find-one", {
+      table,
+      criteria
+    });
+  }
+  /**
+   * Create a fluent QueryBuilder for complex SELECT queries.
+   */
+  createQueryBuilder(table) {
+    return new QueryBuilder(this.httpClient, table);
+  }
+  /**
+   * Create a Repository for entity-based operations.
+   */
+  repository(tableName, primaryKey = "id") {
+    return new Repository(this.httpClient, tableName, primaryKey);
+  }
+  /**
+   * Execute multiple operations atomically.
+   */
+  async transaction(ops, returnResults = true) {
+    const response = await this.httpClient.post(
+      "/v1/rqlite/transaction",
+      {
+        ops,
+        return_results: returnResults
+      }
+    );
+    return response.results || [];
+  }
+  /**
+   * Create a table from DDL SQL.
+   */
+  async createTable(schema) {
+    await this.httpClient.post("/v1/rqlite/create-table", { schema });
+  }
+  /**
+   * Drop a table.
+   */
+  async dropTable(table) {
+    await this.httpClient.post("/v1/rqlite/drop-table", { table });
+  }
+  /**
+   * Get current database schema.
+   */
+  async getSchema() {
+    return this.httpClient.get("/v1/rqlite/schema");
+  }
+};
+
+// src/core/ws.ts
+import WebSocket from "isomorphic-ws";
+var WSClient = class {
+  constructor(config) {
+    this.messageHandlers = /* @__PURE__ */ new Set();
+    this.errorHandlers = /* @__PURE__ */ new Set();
+    this.closeHandlers = /* @__PURE__ */ new Set();
+    this.openHandlers = /* @__PURE__ */ new Set();
+    this.isClosed = false;
+    this.wsURL = config.wsURL;
+    this.timeout = config.timeout ?? 3e4;
+    this.authToken = config.authToken;
+    this.WebSocketClass = config.WebSocket ?? WebSocket;
+    this.onNetworkError = config.onNetworkError;
+  }
+  /**
+   * Set the network error callback
+   */
+  setOnNetworkError(callback) {
+    this.onNetworkError = callback;
+  }
+  /**
+   * Get the current WebSocket URL
+   */
+  get url() {
+    return this.wsURL;
+  }
+  /**
+   * Connect to WebSocket server
+   */
+  connect() {
+    return new Promise((resolve, reject) => {
+      try {
+        const wsUrl = this.buildWSUrl();
+        this.ws = new this.WebSocketClass(wsUrl);
+        this.isClosed = false;
+        const timeout = setTimeout(() => {
+          this.ws?.close();
+          const error = new SDKError("WebSocket connection timeout", 408, "WS_TIMEOUT");
+          if (this.onNetworkError) {
+            this.onNetworkError(error, {
+              method: "WS",
+              path: this.wsURL,
+              isRetry: false,
+              attempt: 0
+            });
+          }
+          reject(error);
+        }, this.timeout);
+        this.ws.addEventListener("open", () => {
+          clearTimeout(timeout);
+          console.log("[WSClient] Connected to", this.wsURL);
+          this.openHandlers.forEach((handler) => handler());
+          resolve();
+        });
+        this.ws.addEventListener("message", (event) => {
+          const msgEvent = event;
+          this.messageHandlers.forEach((handler) => handler(msgEvent.data));
+        });
+        this.ws.addEventListener("error", (event) => {
+          console.error("[WSClient] WebSocket error:", event);
+          clearTimeout(timeout);
+          const details = { type: event.type };
+          if ("message" in event) {
+            details.message = event.message;
+          }
+          const error = new SDKError("WebSocket error", 0, "WS_ERROR", details);
+          if (this.onNetworkError) {
+            this.onNetworkError(error, {
+              method: "WS",
+              path: this.wsURL,
+              isRetry: false,
+              attempt: 0
+            });
+          }
+          this.errorHandlers.forEach((handler) => handler(error));
+          reject(error);
+        });
+        this.ws.addEventListener("close", (event) => {
+          clearTimeout(timeout);
+          const closeEvent = event;
+          const code = closeEvent.code ?? 1006;
+          const reason = closeEvent.reason ?? "";
+          console.log(`[WSClient] Connection closed (code: ${code}, reason: ${reason || "none"})`);
+          this.closeHandlers.forEach((handler) => handler(code, reason));
+        });
+      } catch (error) {
+        reject(error);
+      }
+    });
+  }
+  /**
+   * Build WebSocket URL with auth token
+   */
+  buildWSUrl() {
+    let url = this.wsURL;
+    if (this.authToken) {
+      const separator = url.includes("?") ? "&" : "?";
+      const paramName = this.authToken.startsWith("ak_") ? "api_key" : "token";
+      const encodedToken = this.authToken.startsWith("ak_") ? this.authToken : encodeURIComponent(this.authToken);
+      url += `${separator}${paramName}=${encodedToken}`;
+    }
+    return url;
+  }
+  /**
+   * Register message handler
+   */
+  onMessage(handler) {
+    this.messageHandlers.add(handler);
+    return () => this.messageHandlers.delete(handler);
+  }
+  /**
+   * Unregister message handler
+   */
+  offMessage(handler) {
+    this.messageHandlers.delete(handler);
+  }
+  /**
+   * Register error handler
+   */
+  onError(handler) {
+    this.errorHandlers.add(handler);
+    return () => this.errorHandlers.delete(handler);
+  }
+  /**
+   * Unregister error handler
+   */
+  offError(handler) {
+    this.errorHandlers.delete(handler);
+  }
+  /**
+   * Register close handler
+   */
+  onClose(handler) {
+    this.closeHandlers.add(handler);
+    return () => this.closeHandlers.delete(handler);
+  }
+  /**
+   * Unregister close handler
+   */
+  offClose(handler) {
+    this.closeHandlers.delete(handler);
+  }
+  /**
+   * Register open handler
+   */
+  onOpen(handler) {
+    this.openHandlers.add(handler);
+    return () => this.openHandlers.delete(handler);
+  }
+  /**
+   * Send data through WebSocket
+   */
+  send(data) {
+    if (this.ws?.readyState !== WebSocket.OPEN) {
+      throw new SDKError("WebSocket is not connected", 0, "WS_NOT_CONNECTED");
+    }
+    this.ws.send(data);
+  }
+  /**
+   * Close WebSocket connection
+   */
+  close() {
+    if (this.isClosed) {
+      return;
+    }
+    this.isClosed = true;
+    this.ws?.close();
+  }
+  /**
+   * Check if WebSocket is connected
+   */
+  isConnected() {
+    return !this.isClosed && this.ws?.readyState === WebSocket.OPEN;
+  }
+  /**
+   * Update auth token
+   */
+  setAuthToken(token) {
+    this.authToken = token;
+  }
+};
+
+// src/pubsub/client.ts
+function base64Encode(str) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(str).toString("base64");
+  } else if (typeof btoa !== "undefined") {
+    return btoa(
+      encodeURIComponent(str).replace(
+        /%([0-9A-F]{2})/g,
+        (match, p1) => String.fromCharCode(parseInt(p1, 16))
+      )
+    );
+  }
+  throw new Error("No base64 encoding method available");
+}
+function base64EncodeBytes(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  } else if (typeof btoa !== "undefined") {
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+  }
+  throw new Error("No base64 encoding method available");
+}
+function base64Decode(b64) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(b64, "base64").toString("utf-8");
+  } else if (typeof atob !== "undefined") {
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return new TextDecoder().decode(bytes);
+  }
+  throw new Error("No base64 decoding method available");
+}
+var PubSubClient = class {
+  constructor(httpClient, wsConfig = {}) {
+    this.httpClient = httpClient;
+    this.wsConfig = wsConfig;
+  }
+  /**
+   * Publish a message to a topic via HTTP
+   */
+  async publish(topic, data) {
+    let dataBase64;
+    if (typeof data === "string") {
+      dataBase64 = base64Encode(data);
+    } else {
+      dataBase64 = base64EncodeBytes(data);
+    }
+    await this.httpClient.post(
+      "/v1/pubsub/publish",
+      {
+        topic,
+        data_base64: dataBase64
+      },
+      {
+        timeout: 3e4
+      }
+    );
+  }
+  /**
+   * List active topics in the current namespace
+   */
+  async topics() {
+    const response = await this.httpClient.get(
+      "/v1/pubsub/topics"
+    );
+    return response.topics || [];
+  }
+  /**
+   * Get current presence for a topic without subscribing
+   */
+  async getPresence(topic) {
+    const response = await this.httpClient.get(
+      `/v1/pubsub/presence?topic=${encodeURIComponent(topic)}`
+    );
+    return response;
+  }
+  /**
+   * Subscribe to a topic via WebSocket
+   * Creates one WebSocket connection per topic
+   */
+  async subscribe(topic, options = {}) {
+    const wsUrl = new URL(this.wsConfig.wsURL || "ws://127.0.0.1:6001");
+    wsUrl.pathname = "/v1/pubsub/ws";
+    wsUrl.searchParams.set("topic", topic);
+    let presence;
+    if (options.presence?.enabled) {
+      presence = options.presence;
+      wsUrl.searchParams.set("presence", "true");
+      wsUrl.searchParams.set("member_id", presence.memberId);
+      if (presence.meta) {
+        wsUrl.searchParams.set("member_meta", JSON.stringify(presence.meta));
+      }
+    }
+    const authToken = this.httpClient.getApiKey() ?? this.httpClient.getToken();
+    const wsClient = new WSClient({
+      ...this.wsConfig,
+      wsURL: wsUrl.toString(),
+      authToken
+    });
+    await wsClient.connect();
+    const subscription = new Subscription(
+      wsClient,
+      topic,
+      presence,
+      () => this.getPresence(topic)
+    );
+    if (options.onMessage) {
+      subscription.onMessage(options.onMessage);
+    }
+    if (options.onError) {
+      subscription.onError(options.onError);
+    }
+    if (options.onClose) {
+      subscription.onClose(options.onClose);
+    }
+    return subscription;
+  }
+};
+var Subscription = class {
+  constructor(wsClient, topic, presenceOptions, getPresenceFn) {
+    this.messageHandlers = /* @__PURE__ */ new Set();
+    this.errorHandlers = /* @__PURE__ */ new Set();
+    this.closeHandlers = /* @__PURE__ */ new Set();
+    this.isClosed = false;
+    this.wsMessageHandler = null;
+    this.wsErrorHandler = null;
+    this.wsCloseHandler = null;
+    this.wsClient = wsClient;
+    this.topic = topic;
+    this.presenceOptions = presenceOptions;
+    this.getPresenceFn = getPresenceFn;
+    this.wsMessageHandler = (data) => {
+      try {
+        const envelope = JSON.parse(data);
+        if (!envelope || typeof envelope !== "object") {
+          throw new Error("Invalid envelope: not an object");
+        }
+        if (envelope.type === "presence.join" || envelope.type === "presence.leave") {
+          if (!envelope.member_id) {
+            console.warn("[Subscription] Presence event missing member_id");
+            return;
+          }
+          const presenceMember = {
+            memberId: envelope.member_id,
+            joinedAt: envelope.timestamp,
+            meta: envelope.meta
+          };
+          if (envelope.type === "presence.join" && this.presenceOptions?.onJoin) {
+            this.presenceOptions.onJoin(presenceMember);
+          } else if (envelope.type === "presence.leave" && this.presenceOptions?.onLeave) {
+            this.presenceOptions.onLeave(presenceMember);
+          }
+          return;
+        }
+        if (!envelope.data || typeof envelope.data !== "string") {
+          throw new Error("Invalid envelope: missing or invalid data field");
+        }
+        if (!envelope.topic || typeof envelope.topic !== "string") {
+          throw new Error("Invalid envelope: missing or invalid topic field");
+        }
+        if (typeof envelope.timestamp !== "number") {
+          throw new Error(
+            "Invalid envelope: missing or invalid timestamp field"
+          );
+        }
+        const messageData = base64Decode(envelope.data);
+        const message = {
+          topic: envelope.topic,
+          data: messageData,
+          timestamp: envelope.timestamp
+        };
+        console.log("[Subscription] Received message on topic:", this.topic);
+        this.messageHandlers.forEach((handler) => handler(message));
+      } catch (error) {
+        console.error("[Subscription] Error processing message:", error);
+        this.errorHandlers.forEach(
+          (handler) => handler(error instanceof Error ? error : new Error(String(error)))
+        );
+      }
+    };
+    this.wsClient.onMessage(this.wsMessageHandler);
+    this.wsErrorHandler = (error) => {
+      this.errorHandlers.forEach((handler) => handler(error));
+    };
+    this.wsClient.onError(this.wsErrorHandler);
+    this.wsCloseHandler = (code, reason) => {
+      this.closeHandlers.forEach((handler) => handler(code, reason));
+    };
+    this.wsClient.onClose(this.wsCloseHandler);
+  }
+  /**
+   * Get current presence (requires presence.enabled on subscribe)
+   */
+  async getPresence() {
+    if (!this.presenceOptions?.enabled) {
+      throw new Error("Presence is not enabled for this subscription");
+    }
+    const response = await this.getPresenceFn();
+    return response.members;
+  }
+  /**
+   * Check if presence is enabled for this subscription
+   */
+  hasPresence() {
+    return !!this.presenceOptions?.enabled;
+  }
+  /**
+   * Register message handler
+   */
+  onMessage(handler) {
+    this.messageHandlers.add(handler);
+    return () => this.messageHandlers.delete(handler);
+  }
+  /**
+   * Register error handler
+   */
+  onError(handler) {
+    this.errorHandlers.add(handler);
+    return () => this.errorHandlers.delete(handler);
+  }
+  /**
+   * Register close handler
+   */
+  onClose(handler) {
+    this.closeHandlers.add(handler);
+    return () => this.closeHandlers.delete(handler);
+  }
+  /**
+   * Close subscription and underlying WebSocket
+   */
+  close() {
+    if (this.isClosed) {
+      return;
+    }
+    this.isClosed = true;
+    if (this.wsMessageHandler) {
+      this.wsClient.offMessage(this.wsMessageHandler);
+      this.wsMessageHandler = null;
+    }
+    if (this.wsErrorHandler) {
+      this.wsClient.offError(this.wsErrorHandler);
+      this.wsErrorHandler = null;
+    }
+    if (this.wsCloseHandler) {
+      this.wsClient.offClose(this.wsCloseHandler);
+      this.wsCloseHandler = null;
+    }
+    this.messageHandlers.clear();
+    this.errorHandlers.clear();
+    this.closeHandlers.clear();
+    this.wsClient.close();
+  }
+  /**
+   * Check if subscription is active
+   */
+  isConnected() {
+    return !this.isClosed && this.wsClient.isConnected();
+  }
+};
+
+// src/network/client.ts
+var NetworkClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  /**
+   * Check gateway health.
+   */
+  async health() {
+    try {
+      await this.httpClient.get("/v1/health");
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get network status.
+   */
+  async status() {
+    const response = await this.httpClient.get(
+      "/v1/network/status"
+    );
+    return response;
+  }
+  /**
+   * Get connected peers.
+   */
+  async peers() {
+    const response = await this.httpClient.get(
+      "/v1/network/peers"
+    );
+    return response.peers || [];
+  }
+  /**
+   * Connect to a peer.
+   */
+  async connect(peerAddr) {
+    await this.httpClient.post("/v1/network/connect", { peer_addr: peerAddr });
+  }
+  /**
+   * Disconnect from a peer.
+   */
+  async disconnect(peerId) {
+    await this.httpClient.post("/v1/network/disconnect", { peer_id: peerId });
+  }
+  /**
+   * Proxy an HTTP request through the Anyone network.
+   * Requires authentication (API key or JWT).
+   *
+   * @param request - The proxy request configuration
+   * @returns The proxied response
+   * @throws {SDKError} If the Anyone proxy is not available or the request fails
+   *
+   * @example
+   * ```ts
+   * const response = await client.network.proxyAnon({
+   *   url: 'https://api.example.com/data',
+   *   method: 'GET',
+   *   headers: {
+   *     'Accept': 'application/json'
+   *   }
+   * });
+   *
+   * console.log(response.status_code); // 200
+   * console.log(response.body); // Response data
+   * ```
+   */
+  async proxyAnon(request) {
+    const response = await this.httpClient.post(
+      "/v1/proxy/anon",
+      request
+    );
+    if (response.error) {
+      throw new Error(`Proxy request failed: ${response.error}`);
+    }
+    return response;
+  }
+};
+
+// src/cache/client.ts
+var CacheClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  /**
+   * Check cache service health
+   */
+  async health() {
+    return this.httpClient.get("/v1/cache/health");
+  }
+  /**
+   * Get a value from cache
+   * Returns null if the key is not found (cache miss/expired), which is normal behavior
+   */
+  async get(dmap, key) {
+    try {
+      return await this.httpClient.post("/v1/cache/get", {
+        dmap,
+        key
+      });
+    } catch (error) {
+      if (error instanceof SDKError && (error.httpStatus === 404 || error.httpStatus === 500 && error.message?.toLowerCase().includes("key not found"))) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Put a value into cache
+   */
+  async put(dmap, key, value, ttl) {
+    return this.httpClient.post("/v1/cache/put", {
+      dmap,
+      key,
+      value,
+      ttl
+    });
+  }
+  /**
+   * Delete a value from cache
+   */
+  async delete(dmap, key) {
+    return this.httpClient.post("/v1/cache/delete", {
+      dmap,
+      key
+    });
+  }
+  /**
+   * Get multiple values from cache in a single request
+   * Returns a map of key -> value (or null if not found)
+   * Gracefully handles 404 errors (endpoint not implemented) by returning empty results
+   */
+  async multiGet(dmap, keys) {
+    try {
+      if (keys.length === 0) {
+        return /* @__PURE__ */ new Map();
+      }
+      const response = await this.httpClient.post(
+        "/v1/cache/mget",
+        {
+          dmap,
+          keys
+        }
+      );
+      const resultMap = /* @__PURE__ */ new Map();
+      keys.forEach((key) => {
+        resultMap.set(key, null);
+      });
+      if (response.results) {
+        response.results.forEach(({ key, value }) => {
+          resultMap.set(key, value);
+        });
+      }
+      return resultMap;
+    } catch (error) {
+      if (error instanceof SDKError && error.httpStatus === 404) {
+        const resultMap2 = /* @__PURE__ */ new Map();
+        keys.forEach((key) => {
+          resultMap2.set(key, null);
+        });
+        return resultMap2;
+      }
+      const resultMap = /* @__PURE__ */ new Map();
+      keys.forEach((key) => {
+        resultMap.set(key, null);
+      });
+      console.error(`[CacheClient] Error in multiGet for ${dmap}:`, error);
+      return resultMap;
+    }
+  }
+  /**
+   * Scan keys in a distributed map, optionally matching a regex pattern
+   */
+  async scan(dmap, match) {
+    return this.httpClient.post("/v1/cache/scan", {
+      dmap,
+      match
+    });
+  }
+};
+
+// src/storage/client.ts
+var StorageClient = class {
+  constructor(httpClient) {
+    this.httpClient = httpClient;
+  }
+  /**
+   * Upload content to IPFS and optionally pin it.
+   * Supports both File objects (browser) and Buffer/ReadableStream (Node.js).
+   *
+   * @param file - File to upload (File, Blob, or Buffer)
+   * @param name - Optional filename
+   * @param options - Optional upload options
+   * @param options.pin - Whether to pin the content (default: true). Pinning happens asynchronously on the backend.
+   * @returns Upload result with CID
+   *
+   * @example
+   * ```ts
+   * // Browser
+   * const fileInput = document.querySelector('input[type="file"]');
+   * const file = fileInput.files[0];
+   * const result = await client.storage.upload(file, file.name);
+   * console.log(result.cid);
+   *
+   * // Node.js
+   * const fs = require('fs');
+   * const fileBuffer = fs.readFileSync('image.jpg');
+   * const result = await client.storage.upload(fileBuffer, 'image.jpg', { pin: true });
+   * ```
+   */
+  async upload(file, name, options) {
+    const formData = new FormData();
+    if (file instanceof File) {
+      formData.append("file", file);
+    } else if (file instanceof Blob) {
+      formData.append("file", file, name);
+    } else if (file instanceof ArrayBuffer) {
+      const blob = new Blob([file]);
+      formData.append("file", blob, name);
+    } else if (file instanceof Uint8Array) {
+      const buffer = file.buffer.slice(
+        file.byteOffset,
+        file.byteOffset + file.byteLength
+      );
+      const blob = new Blob([buffer], { type: "application/octet-stream" });
+      formData.append("file", blob, name);
+    } else if (file instanceof ReadableStream) {
+      const chunks = [];
+      const reader = file.getReader();
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        const buffer = value.buffer.slice(
+          value.byteOffset,
+          value.byteOffset + value.byteLength
+        );
+        chunks.push(buffer);
+      }
+      const blob = new Blob(chunks);
+      formData.append("file", blob, name);
+    } else {
+      throw new Error(
+        "Unsupported file type. Use File, Blob, ArrayBuffer, Uint8Array, or ReadableStream."
+      );
+    }
+    const shouldPin = options?.pin !== false;
+    formData.append("pin", shouldPin ? "true" : "false");
+    return this.httpClient.uploadFile(
+      "/v1/storage/upload",
+      formData,
+      { timeout: 3e5 }
+      // 5 minute timeout for large files
+    );
+  }
+  /**
+   * Pin an existing CID
+   *
+   * @param cid - Content ID to pin
+   * @param name - Optional name for the pin
+   * @returns Pin result
+   */
+  async pin(cid, name) {
+    return this.httpClient.post("/v1/storage/pin", {
+      cid,
+      name
+    });
+  }
+  /**
+   * Get the pin status for a CID
+   *
+   * @param cid - Content ID to check
+   * @returns Pin status information
+   */
+  async status(cid) {
+    return this.httpClient.get(`/v1/storage/status/${cid}`);
+  }
+  /**
+   * Retrieve content from IPFS by CID
+   *
+   * @param cid - Content ID to retrieve
+   * @returns ReadableStream of the content
+   *
+   * @example
+   * ```ts
+   * const stream = await client.storage.get(cid);
+   * const reader = stream.getReader();
+   * while (true) {
+   *   const { done, value } = await reader.read();
+   *   if (done) break;
+   *   // Process chunk
+   * }
+   * ```
+   */
+  async get(cid) {
+    const maxAttempts = 8;
+    let lastError = null;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const response = await this.httpClient.getBinary(
+          `/v1/storage/get/${cid}`
+        );
+        if (!response.body) {
+          throw new Error("Response body is null");
+        }
+        return response.body;
+      } catch (error) {
+        lastError = error;
+        const isNotFound = error?.httpStatus === 404 || error?.message?.includes("not found") || error?.message?.includes("404");
+        if (!isNotFound || attempt === maxAttempts) {
+          throw error;
+        }
+        const backoffMs = Math.min(attempt * 1e3, 3e3);
+        await new Promise((resolve) => setTimeout(resolve, backoffMs));
+      }
+    }
+    throw lastError || new Error("Failed to retrieve content");
+  }
+  /**
+   * Retrieve content from IPFS by CID and return the full Response object
+   * Useful when you need access to response headers (e.g., content-length)
+   *
+   * @param cid - Content ID to retrieve
+   * @returns Response object with body stream and headers
+   *
+   * @example
+   * ```ts
+   * const response = await client.storage.getBinary(cid);
+   * const contentLength = response.headers.get('content-length');
+   * const reader = response.body.getReader();
+   * // ... read stream
+   * ```
+   */
+  async getBinary(cid) {
+    const maxAttempts = 8;
+    let lastError = null;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const response = await this.httpClient.getBinary(
+          `/v1/storage/get/${cid}`
+        );
+        if (!response) {
+          throw new Error("Response is null");
+        }
+        return response;
+      } catch (error) {
+        lastError = error;
+        const isNotFound = error?.httpStatus === 404 || error?.message?.includes("not found") || error?.message?.includes("404");
+        if (!isNotFound || attempt === maxAttempts) {
+          throw error;
+        }
+        const backoffMs = Math.min(attempt * 1e3, 3e3);
+        await new Promise((resolve) => setTimeout(resolve, backoffMs));
+      }
+    }
+    throw lastError || new Error("Failed to retrieve content");
+  }
+  /**
+   * Unpin a CID
+   *
+   * @param cid - Content ID to unpin
+   */
+  async unpin(cid) {
+    await this.httpClient.delete(`/v1/storage/unpin/${cid}`);
+  }
+};
+
+// src/functions/client.ts
+var FunctionsClient = class {
+  constructor(httpClient, config) {
+    this.httpClient = httpClient;
+    this.gatewayURL = config?.gatewayURL;
+    this.namespace = config?.namespace ?? "default";
+  }
+  /**
+   * Invoke a serverless function by name
+   * 
+   * @param functionName - Name of the function to invoke
+   * @param input - Input payload for the function
+   * @returns The function response
+   */
+  async invoke(functionName, input) {
+    const url = this.gatewayURL ? `${this.gatewayURL}/v1/invoke/${this.namespace}/${functionName}` : `/v1/invoke/${this.namespace}/${functionName}`;
+    try {
+      const response = await this.httpClient.post(url, input);
+      return response;
+    } catch (error) {
+      if (error instanceof SDKError) {
+        throw error;
+      }
+      throw new SDKError(
+        `Function ${functionName} failed`,
+        500,
+        error instanceof Error ? error.message : String(error)
+      );
+    }
+  }
+};
+
+// src/vault/transport/guardian.ts
+var GuardianError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "GuardianError";
+  }
+};
+var DEFAULT_TIMEOUT_MS = 1e4;
+var GuardianClient = class {
+  constructor(endpoint, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    this.sessionToken = null;
+    this.baseUrl = `http://${endpoint.address}:${endpoint.port}`;
+    this.timeoutMs = timeoutMs;
+  }
+  /** Set a session token for authenticated V2 requests. */
+  setSessionToken(token) {
+    this.sessionToken = token;
+  }
+  /** Get the current session token. */
+  getSessionToken() {
+    return this.sessionToken;
+  }
+  /** Clear the session token. */
+  clearSessionToken() {
+    this.sessionToken = null;
+  }
+  // ── V1 endpoints ────────────────────────────────────────────────────
+  /** GET /v1/vault/health */
+  async health() {
+    return this.get("/v1/vault/health");
+  }
+  /** GET /v1/vault/status */
+  async status() {
+    return this.get("/v1/vault/status");
+  }
+  /** GET /v1/vault/guardians */
+  async guardians() {
+    return this.get("/v1/vault/guardians");
+  }
+  /** POST /v1/vault/push — store a share (V1). */
+  async push(identity, share) {
+    return this.post("/v1/vault/push", {
+      identity,
+      share: uint8ToBase64(share)
+    });
+  }
+  /** POST /v1/vault/pull — retrieve a share (V1). */
+  async pull(identity) {
+    const resp = await this.post("/v1/vault/pull", { identity });
+    return base64ToUint8(resp.share);
+  }
+  /** Check if this guardian is reachable. */
+  async isReachable() {
+    try {
+      await this.health();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  // ── V2 auth endpoints ───────────────────────────────────────────────
+  /** POST /v2/vault/auth/challenge — request an auth challenge. */
+  async requestChallenge(identity) {
+    return this.post("/v2/vault/auth/challenge", { identity });
+  }
+  /** POST /v2/vault/auth/session — exchange challenge for session token. */
+  async createSession(identity, nonce, created_ns, tag) {
+    return this.post("/v2/vault/auth/session", {
+      identity,
+      nonce,
+      created_ns,
+      tag
+    });
+  }
+  // ── V2 secrets CRUD ─────────────────────────────────────────────────
+  /** PUT /v2/vault/secrets/{name} — store a secret. Requires session token. */
+  async putSecret(name, share, version) {
+    return this.authedRequest("PUT", `/v2/vault/secrets/${encodeURIComponent(name)}`, {
+      share: uint8ToBase64(share),
+      version
+    });
+  }
+  /** GET /v2/vault/secrets/{name} — retrieve a secret. Requires session token. */
+  async getSecret(name) {
+    const resp = await this.authedRequest("GET", `/v2/vault/secrets/${encodeURIComponent(name)}`);
+    return {
+      share: base64ToUint8(resp.share),
+      name: resp.name,
+      version: resp.version,
+      created_ns: resp.created_ns,
+      updated_ns: resp.updated_ns
+    };
+  }
+  /** DELETE /v2/vault/secrets/{name} — delete a secret. Requires session token. */
+  async deleteSecret(name) {
+    return this.authedRequest("DELETE", `/v2/vault/secrets/${encodeURIComponent(name)}`);
+  }
+  /** GET /v2/vault/secrets — list all secrets. Requires session token. */
+  async listSecrets() {
+    return this.authedRequest("GET", "/v2/vault/secrets");
+  }
+  // ── Internal HTTP methods ───────────────────────────────────────────
+  async authedRequest(method, path, body) {
+    if (!this.sessionToken) {
+      throw new GuardianError("AUTH", "No session token set. Call authenticate() first.");
+    }
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const headers = {
+        "X-Session-Token": this.sessionToken
+      };
+      const init = {
+        method,
+        headers,
+        signal: controller.signal
+      };
+      if (body !== void 0) {
+        headers["Content-Type"] = "application/json";
+        init.body = JSON.stringify(body);
+      }
+      const resp = await fetch(`${this.baseUrl}${path}`, init);
+      if (!resp.ok) {
+        const errBody = await resp.json().catch(() => ({}));
+        const msg = errBody.error || `HTTP ${resp.status}`;
+        throw new GuardianError(classifyHttpStatus(resp.status), msg);
+      }
+      return await resp.json();
+    } catch (err) {
+      throw classifyError(err);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  async get(path) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const resp = await fetch(`${this.baseUrl}${path}`, {
+        method: "GET",
+        signal: controller.signal
+      });
+      if (!resp.ok) {
+        const body = await resp.json().catch(() => ({}));
+        const msg = body.error || `HTTP ${resp.status}`;
+        throw new GuardianError(classifyHttpStatus(resp.status), msg);
+      }
+      return await resp.json();
+    } catch (err) {
+      throw classifyError(err);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  async post(path, body) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const resp = await fetch(`${this.baseUrl}${path}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      if (!resp.ok) {
+        const errBody = await resp.json().catch(() => ({}));
+        const msg = errBody.error || `HTTP ${resp.status}`;
+        throw new GuardianError(classifyHttpStatus(resp.status), msg);
+      }
+      return await resp.json();
+    } catch (err) {
+      throw classifyError(err);
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+};
+function classifyHttpStatus(status) {
+  if (status === 404) return "NOT_FOUND";
+  if (status === 401 || status === 403) return "AUTH";
+  if (status === 409) return "CONFLICT";
+  if (status >= 500) return "SERVER_ERROR";
+  return "NETWORK";
+}
+function classifyError(err) {
+  if (err instanceof GuardianError) return err;
+  if (err instanceof Error) {
+    if (err.name === "AbortError") {
+      return new GuardianError("TIMEOUT", `Request timed out: ${err.message}`);
+    }
+    if (err.name === "TypeError" || err.message.includes("fetch")) {
+      return new GuardianError("NETWORK", `Network error: ${err.message}`);
+    }
+    return new GuardianError("NETWORK", err.message);
+  }
+  return new GuardianError("NETWORK", String(err));
+}
+function uint8ToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToUint8(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/vault/auth.ts
+var AuthClient2 = class {
+  constructor(identityHex, timeoutMs = 1e4) {
+    this.sessions = /* @__PURE__ */ new Map();
+    this.identityHex = identityHex;
+    this.timeoutMs = timeoutMs;
+  }
+  /**
+   * Authenticate with a guardian and cache the session token.
+   * Returns a GuardianClient with the session token set.
+   */
+  async authenticate(endpoint) {
+    const key = `${endpoint.address}:${endpoint.port}`;
+    const cached = this.sessions.get(key);
+    if (cached) {
+      const nowNs = Date.now() * 1e6;
+      if (cached.expiryNs > nowNs + 3e10) {
+        const client2 = new GuardianClient(endpoint, this.timeoutMs);
+        client2.setSessionToken(cached.token);
+        return client2;
+      }
+      this.sessions.delete(key);
+    }
+    const client = new GuardianClient(endpoint, this.timeoutMs);
+    const challenge = await client.requestChallenge(this.identityHex);
+    const session = await client.createSession(
+      this.identityHex,
+      challenge.nonce,
+      challenge.created_ns,
+      challenge.tag
+    );
+    const token = `${session.identity}:${session.expiry_ns}:${session.tag}`;
+    client.setSessionToken(token);
+    this.sessions.set(key, { token, expiryNs: session.expiry_ns });
+    return client;
+  }
+  /**
+   * Authenticate with multiple guardians in parallel.
+   * Returns authenticated GuardianClients for all that succeed.
+   */
+  async authenticateAll(endpoints) {
+    const results = await Promise.allSettled(
+      endpoints.map(async (ep) => {
+        const client = await this.authenticate(ep);
+        return { client, endpoint: ep };
+      })
+    );
+    const authenticated = [];
+    for (const r of results) {
+      if (r.status === "fulfilled") {
+        authenticated.push(r.value);
+      }
+    }
+    return authenticated;
+  }
+  /** Clear all cached sessions. */
+  clearSessions() {
+    this.sessions.clear();
+  }
+  /** Get the identity hex string. */
+  getIdentityHex() {
+    return this.identityHex;
+  }
+};
+
+// src/vault/transport/fanout.ts
+async function fanOut(guardians, operation) {
+  const results = await Promise.allSettled(
+    guardians.map(async (endpoint) => {
+      const client = new GuardianClient(endpoint);
+      const result = await operation(client);
+      return { endpoint, result, error: null };
+    })
+  );
+  return results.map((r, i) => {
+    if (r.status === "fulfilled") return r.value;
+    const reason = r.reason;
+    const errorCode = reason instanceof GuardianError ? reason.code : void 0;
+    return {
+      endpoint: guardians[i],
+      result: null,
+      error: reason.message,
+      errorCode
+    };
+  });
+}
+async function fanOutIndexed(guardians, operation) {
+  const results = await Promise.allSettled(
+    guardians.map(async (endpoint, i) => {
+      const client = new GuardianClient(endpoint);
+      const result = await operation(client, i);
+      return { endpoint, result, error: null };
+    })
+  );
+  return results.map((r, i) => {
+    if (r.status === "fulfilled") return r.value;
+    const reason = r.reason;
+    const errorCode = reason instanceof GuardianError ? reason.code : void 0;
+    return {
+      endpoint: guardians[i],
+      result: null,
+      error: reason.message,
+      errorCode
+    };
+  });
+}
+function withTimeout(promise, ms) {
+  return Promise.race([
+    promise,
+    new Promise(
+      (_, reject) => setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms)
+    )
+  ]);
+}
+async function withRetry(fn, attempts = 3) {
+  let lastError;
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (err instanceof GuardianError && (err.code === "AUTH" || err.code === "NOT_FOUND")) {
+        throw err;
+      }
+      if (i < attempts - 1) {
+        await new Promise((r) => setTimeout(r, 200 * Math.pow(2, i)));
+      }
+    }
+  }
+  throw lastError;
+}
+
+// src/vault/crypto/shamir.ts
+import { randomBytes } from "@noble/ciphers/webcrypto";
+var IRREDUCIBLE = 283;
+var EXP_TABLE = new Uint8Array(512);
+var LOG_TABLE = new Uint8Array(256);
+(function buildTables() {
+  let x = 1;
+  for (let i = 0; i < 255; i++) {
+    EXP_TABLE[i] = x;
+    LOG_TABLE[x] = i;
+    x = x ^ x << 1;
+    if (x >= 256) x ^= IRREDUCIBLE;
+  }
+  for (let i = 255; i < 512; i++) {
+    EXP_TABLE[i] = EXP_TABLE[i - 255];
+  }
+})();
+function gfAdd(a, b) {
+  return a ^ b;
+}
+function gfMul(a, b) {
+  if (a === 0 || b === 0) return 0;
+  return EXP_TABLE[LOG_TABLE[a] + LOG_TABLE[b]];
+}
+function gfDiv(a, b) {
+  if (b === 0) throw new Error("GF(2^8): division by zero");
+  if (a === 0) return 0;
+  return EXP_TABLE[(LOG_TABLE[a] - LOG_TABLE[b] + 255) % 255];
+}
+function split(secret, n, k) {
+  if (k < 2) throw new Error("Threshold K must be at least 2");
+  if (n < k) throw new Error("Share count N must be >= threshold K");
+  if (n > 255) throw new Error("Maximum 255 shares (GF(2^8) limit)");
+  if (secret.length === 0) throw new Error("Secret must not be empty");
+  const coefficients = new Array(secret.length);
+  for (let i = 0; i < secret.length; i++) {
+    const poly = new Uint8Array(k);
+    poly[0] = secret[i];
+    const rand = randomBytes(k - 1);
+    poly.set(rand, 1);
+    coefficients[i] = poly;
+  }
+  const shares = [];
+  for (let xi = 1; xi <= n; xi++) {
+    const y = new Uint8Array(secret.length);
+    for (let byteIdx = 0; byteIdx < secret.length; byteIdx++) {
+      y[byteIdx] = evaluatePolynomial(coefficients[byteIdx], xi);
+    }
+    shares.push({ x: xi, y });
+  }
+  for (const poly of coefficients) {
+    poly.fill(0);
+  }
+  return shares;
+}
+function evaluatePolynomial(coeffs, x) {
+  let result = 0;
+  for (let i = coeffs.length - 1; i >= 0; i--) {
+    result = gfAdd(gfMul(result, x), coeffs[i]);
+  }
+  return result;
+}
+function combine(shares) {
+  if (shares.length < 2) throw new Error("Need at least 2 shares");
+  const secretLength = shares[0].y.length;
+  for (const share of shares) {
+    if (share.y.length !== secretLength) {
+      throw new Error("All shares must have the same data length");
+    }
+    if (share.x === 0) {
+      throw new Error("Share index must not be 0");
+    }
+  }
+  const xValues = new Set(shares.map((s) => s.x));
+  if (xValues.size !== shares.length) {
+    throw new Error("Duplicate share indices");
+  }
+  const secret = new Uint8Array(secretLength);
+  for (let byteIdx = 0; byteIdx < secretLength; byteIdx++) {
+    let value = 0;
+    for (let i = 0; i < shares.length; i++) {
+      const xi = shares[i].x;
+      const yi = shares[i].y[byteIdx];
+      let basis = 1;
+      for (let j = 0; j < shares.length; j++) {
+        if (i === j) continue;
+        const xj = shares[j].x;
+        basis = gfMul(basis, gfDiv(xj, gfAdd(xi, xj)));
+      }
+      value = gfAdd(value, gfMul(yi, basis));
+    }
+    secret[byteIdx] = value;
+  }
+  return secret;
+}
+
+// src/vault/quorum.ts
+function adaptiveThreshold(n) {
+  return Math.max(3, Math.floor(n / 3));
+}
+function writeQuorum(n) {
+  if (n === 0) return 0;
+  if (n <= 2) return n;
+  return Math.ceil(2 * n / 3);
+}
+
+// src/vault/client.ts
+var PULL_TIMEOUT_MS = 1e4;
+var VaultClient = class {
+  constructor(config) {
+    this.config = config;
+    this.auth = new AuthClient2(config.identityHex, config.timeoutMs);
+  }
+  /**
+   * Store a secret across guardian nodes using Shamir splitting.
+   *
+   * @param name - Secret name (alphanumeric, _, -, max 128 chars)
+   * @param data - Secret data to store
+   * @param version - Monotonic version number (must be > previous)
+   */
+  async store(name, data, version) {
+    const guardians = this.config.guardians;
+    const n = guardians.length;
+    const k = adaptiveThreshold(n);
+    const shares = split(data, n, k);
+    const authed = await this.auth.authenticateAll(guardians);
+    const results = await Promise.allSettled(
+      authed.map(async ({ client, endpoint }, _i) => {
+        const guardianIdx = guardians.indexOf(endpoint);
+        const share = shares[guardianIdx];
+        if (!share) throw new Error("share index out of bounds");
+        const shareBytes = new Uint8Array(1 + share.y.length);
+        shareBytes[0] = share.x;
+        shareBytes.set(share.y, 1);
+        return withRetry(() => client.putSecret(name, shareBytes, version));
+      })
+    );
+    for (const share of shares) {
+      share.y.fill(0);
+    }
+    const guardianResults = authed.map(({ endpoint }, i) => {
+      const ep = `${endpoint.address}:${endpoint.port}`;
+      const r = results[i];
+      if (r.status === "fulfilled") {
+        return { endpoint: ep, success: true };
+      }
+      return { endpoint: ep, success: false, error: r.reason.message };
+    });
+    const ackCount = results.filter((r) => r.status === "fulfilled").length;
+    const failCount = results.filter((r) => r.status === "rejected").length;
+    const w = writeQuorum(n);
+    return {
+      ackCount,
+      totalContacted: authed.length,
+      failCount,
+      quorumMet: ackCount >= w,
+      guardianResults
+    };
+  }
+  /**
+   * Retrieve and reconstruct a secret from guardian nodes.
+   *
+   * @param name - Secret name
+   */
+  async retrieve(name) {
+    const guardians = this.config.guardians;
+    const n = guardians.length;
+    const k = adaptiveThreshold(n);
+    const authed = await this.auth.authenticateAll(guardians);
+    const pullResults = await Promise.allSettled(
+      authed.map(async ({ client }) => {
+        const resp = await withTimeout(client.getSecret(name), PULL_TIMEOUT_MS);
+        const shareBytes = resp.share;
+        if (shareBytes.length < 2) throw new Error("Share too short");
+        return {
+          x: shareBytes[0],
+          y: shareBytes.slice(1)
+        };
+      })
+    );
+    const shares = [];
+    for (const r of pullResults) {
+      if (r.status === "fulfilled") {
+        shares.push(r.value);
+      }
+    }
+    if (shares.length < k) {
+      throw new Error(
+        `Not enough shares: collected ${shares.length} of ${k} required (contacted ${authed.length} guardians)`
+      );
+    }
+    const data = combine(shares);
+    for (const share of shares) {
+      share.y.fill(0);
+    }
+    return {
+      data,
+      sharesCollected: shares.length
+    };
+  }
+  /**
+   * List all secrets for this identity.
+   * Queries the first reachable guardian (metadata is replicated).
+   */
+  async list() {
+    const guardians = this.config.guardians;
+    const authed = await this.auth.authenticateAll(guardians);
+    if (authed.length === 0) {
+      throw new Error("No guardians reachable");
+    }
+    const resp = await authed[0].client.listSecrets();
+    return { secrets: resp.secrets };
+  }
+  /**
+   * Delete a secret from all guardian nodes.
+   *
+   * @param name - Secret name to delete
+   */
+  async delete(name) {
+    const guardians = this.config.guardians;
+    const n = guardians.length;
+    const authed = await this.auth.authenticateAll(guardians);
+    const results = await Promise.allSettled(
+      authed.map(async ({ client }) => {
+        return withRetry(() => client.deleteSecret(name));
+      })
+    );
+    const ackCount = results.filter((r) => r.status === "fulfilled").length;
+    const w = writeQuorum(n);
+    return {
+      ackCount,
+      totalContacted: authed.length,
+      quorumMet: ackCount >= w
+    };
+  }
+  /** Clear all cached auth sessions. */
+  clearSessions() {
+    this.auth.clearSessions();
+  }
+};
+
+// src/vault/crypto/aes.ts
+import { gcm } from "@noble/ciphers/aes";
+import { randomBytes as randomBytes2 } from "@noble/ciphers/webcrypto";
+import { bytesToHex, hexToBytes, concatBytes } from "@noble/hashes/utils";
+var KEY_SIZE = 32;
+var NONCE_SIZE = 12;
+var TAG_SIZE = 16;
+function encrypt(plaintext, key, aad) {
+  validateKey(key);
+  const nonce = randomBytes2(NONCE_SIZE);
+  const cipher = gcm(key, nonce, aad);
+  const ciphertext = cipher.encrypt(plaintext);
+  return {
+    ciphertext,
+    nonce,
+    aad
+  };
+}
+function decrypt(encryptedData, key) {
+  validateKey(key);
+  validateNonce(encryptedData.nonce);
+  const cipher = gcm(key, encryptedData.nonce, encryptedData.aad);
+  try {
+    return cipher.decrypt(encryptedData.ciphertext);
+  } catch (error) {
+    throw new Error("Decryption failed: invalid ciphertext or authentication tag");
+  }
+}
+function encryptString(message, key, aad) {
+  const plaintext = new TextEncoder().encode(message);
+  try {
+    return encrypt(plaintext, key, aad);
+  } finally {
+    plaintext.fill(0);
+  }
+}
+function decryptString(encryptedData, key) {
+  const plaintext = decrypt(encryptedData, key);
+  try {
+    return new TextDecoder().decode(plaintext);
+  } finally {
+    plaintext.fill(0);
+  }
+}
+function serialize(encryptedData) {
+  const data = concatBytes(encryptedData.nonce, encryptedData.ciphertext);
+  return {
+    data,
+    aad: encryptedData.aad
+  };
+}
+function deserialize(serialized) {
+  if (serialized.data.length < NONCE_SIZE + TAG_SIZE) {
+    throw new Error("Invalid serialized data: too short");
+  }
+  const nonce = serialized.data.slice(0, NONCE_SIZE);
+  const ciphertext = serialized.data.slice(NONCE_SIZE);
+  return {
+    ciphertext,
+    nonce,
+    aad: serialized.aad
+  };
+}
+function encryptAndSerialize(plaintext, key, aad) {
+  const encrypted = encrypt(plaintext, key, aad);
+  return serialize(encrypted);
+}
+function deserializeAndDecrypt(serialized, key) {
+  const encrypted = deserialize(serialized);
+  return decrypt(encrypted, key);
+}
+function toHex(encryptedData) {
+  const serialized = serialize(encryptedData);
+  return bytesToHex(serialized.data);
+}
+function fromHex(hex, aad) {
+  const normalized = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const data = hexToBytes(normalized);
+  return deserialize({ data, aad });
+}
+function toBase64(encryptedData) {
+  const serialized = serialize(encryptedData);
+  if (typeof btoa === "function") {
+    return btoa(String.fromCharCode(...serialized.data));
+  } else {
+    return Buffer.from(serialized.data).toString("base64");
+  }
+}
+function fromBase64(base64, aad) {
+  let data;
+  if (typeof atob === "function") {
+    const binary = atob(base64);
+    data = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      data[i] = binary.charCodeAt(i);
+    }
+  } else {
+    data = new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  return deserialize({ data, aad });
+}
+function validateKey(key) {
+  if (!(key instanceof Uint8Array)) {
+    throw new Error("Key must be a Uint8Array");
+  }
+  if (key.length !== KEY_SIZE) {
+    throw new Error(`Invalid key length: expected ${KEY_SIZE}, got ${key.length}`);
+  }
+}
+function validateNonce(nonce) {
+  if (!(nonce instanceof Uint8Array)) {
+    throw new Error("Nonce must be a Uint8Array");
+  }
+  if (nonce.length !== NONCE_SIZE) {
+    throw new Error(`Invalid nonce length: expected ${NONCE_SIZE}, got ${nonce.length}`);
+  }
+}
+function generateKey() {
+  return randomBytes2(KEY_SIZE);
+}
+function generateNonce() {
+  return randomBytes2(NONCE_SIZE);
+}
+function clearKey(key) {
+  key.fill(0);
+}
+function isValidEncryptedData(data) {
+  return data.nonce instanceof Uint8Array && data.nonce.length === NONCE_SIZE && data.ciphertext instanceof Uint8Array && data.ciphertext.length >= TAG_SIZE;
+}
+
+// src/vault/crypto/hkdf.ts
+import { hkdf } from "@noble/hashes/hkdf";
+import { sha256 } from "@noble/hashes/sha256";
+var DEFAULT_KEY_LENGTH = 32;
+var MAX_KEY_LENGTH = 255 * 32;
+function deriveKeyHKDF(ikm, salt, info, length = DEFAULT_KEY_LENGTH) {
+  if (!ikm || ikm.length === 0) {
+    throw new Error("HKDF: input key material must not be empty");
+  }
+  if (length <= 0 || length > MAX_KEY_LENGTH) {
+    throw new Error(`HKDF: output length must be between 1 and ${MAX_KEY_LENGTH}`);
+  }
+  const saltBytes = typeof salt === "string" ? new TextEncoder().encode(salt) : salt;
+  const infoBytes = typeof info === "string" ? new TextEncoder().encode(info) : info;
+  return hkdf(sha256, ikm, saltBytes, infoBytes, length);
+}
+
+// src/index.ts
+function createClient(config) {
+  const httpClient = new HttpClient({
+    baseURL: config.baseURL,
+    timeout: config.timeout,
+    maxRetries: config.maxRetries,
+    retryDelayMs: config.retryDelayMs,
+    debug: config.debug,
+    fetch: config.fetch,
+    onNetworkError: config.onNetworkError
+  });
+  const auth = new AuthClient({
+    httpClient,
+    storage: config.storage,
+    apiKey: config.apiKey,
+    jwt: config.jwt
+  });
+  const wsURL = config.baseURL.replace(/^http/, "ws").replace(/\/$/, "");
+  const db = new DBClient(httpClient);
+  const pubsub = new PubSubClient(httpClient, {
+    ...config.wsConfig,
+    wsURL,
+    onNetworkError: config.onNetworkError
+  });
+  const network = new NetworkClient(httpClient);
+  const cache = new CacheClient(httpClient);
+  const storage = new StorageClient(httpClient);
+  const functions = new FunctionsClient(httpClient, config.functionsConfig);
+  const vault = config.vaultConfig ? new VaultClient(config.vaultConfig) : null;
+  return {
+    auth,
+    db,
+    pubsub,
+    network,
+    cache,
+    storage,
+    functions,
+    vault
+  };
+}
+export {
+  AuthClient,
+  CacheClient,
+  DBClient,
+  FunctionsClient,
+  GuardianClient,
+  GuardianError,
+  HttpClient,
+  KEY_SIZE,
+  LocalStorageAdapter,
+  MemoryStorage,
+  NONCE_SIZE,
+  NetworkClient,
+  PubSubClient,
+  QueryBuilder,
+  Repository,
+  SDKError,
+  StorageClient,
+  Subscription,
+  TAG_SIZE,
+  AuthClient2 as VaultAuthClient,
+  VaultClient,
+  WSClient,
+  adaptiveThreshold,
+  clearKey,
+  createClient,
+  decrypt,
+  decryptString,
+  deriveKeyHKDF,
+  deserializeAndDecrypt,
+  deserialize as deserializeEncrypted,
+  encrypt,
+  encryptAndSerialize,
+  encryptString,
+  fromBase64 as encryptedFromBase64,
+  fromHex as encryptedFromHex,
+  toBase64 as encryptedToBase64,
+  toHex as encryptedToHex,
+  fanOut,
+  fanOutIndexed,
+  generateKey,
+  generateNonce,
+  isValidEncryptedData,
+  serialize as serializeEncrypted,
+  combine as shamirCombine,
+  split as shamirSplit,
+  withRetry,
+  withTimeout,
+  writeQuorum
+};
+//# sourceMappingURL=index.js.map