@dxos/edge-client 0.8.4-main.fffef41 → 0.8.4-staging.60fe92afc8

package/src/edge-http-client.ts

@@ -4,27 +4,32 @@
 
 import * as FetchHttpClient from '@effect/platform/FetchHttpClient';
 import * as HttpClient from '@effect/platform/HttpClient';
+import * as HttpClientRequest from '@effect/platform/HttpClientRequest';
 import * as Effect from 'effect/Effect';
 import * as Function from 'effect/Function';
 
-import { sleep } from '@dxos/async';
-import { Context } from '@dxos/context';
+import { type Context } from '@dxos/context';
+import { EffectEx } from '@dxos/effect';
 import { invariant } from '@dxos/invariant';
 import { type PublicKey, type SpaceId } from '@dxos/keys';
 import { log } from '@dxos/log';
 import {
+  type CompleteOAuthRegistrationRequest,
+  type CompleteOAuthRegistrationResponse,
   type CreateAgentRequestBody,
   type CreateAgentResponseBody,
   type CreateSpaceRequest,
   type CreateSpaceResponseBody,
-  EdgeAuthChallengeError,
-  EdgeCallFailedError,
+  EDGE_CLIENT_TAG_HEADER,
   type EdgeStatus,
   type ExecuteWorkflowResponseBody,
   type ExportBundleRequest,
   type ExportBundleResponse,
+  type FeedProtocol,
   type GetAgentStatusResponseBody,
   type GetNotarizationResponseBody,
+  type GetPluginVersionsResponseBody,
+  type GetPluginsResponseBody,
   type ImportBundleRequest,
   type InitiateOAuthFlowRequest,
   type InitiateOAuthFlowResponse,
@@ -32,113 +37,85 @@ import {
   type JoinSpaceResponseBody,
   type ObjectId,
   type PostNotarizationRequestBody,
-  type QueryResult,
-  type QueueQuery,
   type RecoverIdentityRequest,
   type RecoverIdentityResponseBody,
   type UploadFunctionRequest,
   type UploadFunctionResponseBody,
 } from '@dxos/protocols';
+import {
+  type QueryRequest as QueryRequestProto,
+  type QueryResponse as QueryResponseProto,
+} from '@dxos/protocols/proto/dxos/echo/query';
 import { createUrl } from '@dxos/util';
 
-import { type EdgeIdentity, handleAuthChallenge } from './edge-identity';
-import { HttpConfig, encodeAuthHeader, withLogging, withRetryConfig } from './http-client';
-import { getEdgeUrlWithProtocol } from './utils';
+import { BaseHttpClient, type BaseHttpClientOptions, type EdgeHttpCallArgs } from './base-http-client';
+import { proxyFetchLegacy } from './cors-proxy';
+import { HttpConfig, withLogging, withRetryConfig } from './http-client';
 
-const DEFAULT_RETRY_TIMEOUT = 1500;
-const DEFAULT_RETRY_JITTER = 500;
-const DEFAULT_MAX_RETRIES_COUNT = 3;
-const WARNING_BODY_SIZE = 10 * 1024 * 1024; // 10MB
+export type { EdgeHttpCallArgs, RetryConfig } from './base-http-client';
 
-export type RetryConfig = {
-  /**
-   * A number of call retries, not counting the initial request.
-   */
-  count: number;
-  /**
-   * Delay before retries in ms.
-   */
-  timeout?: number;
-  /**
-   * A random amount of time before retrying to help prevent large bursts of requests.
-   */
-  jitter?: number;
+/**
+ * HTTP wire shape returned by `/queue/.../query`.
+ */
+export type EdgeQueryQueueResponse = {
+  objects?: unknown[];
+  nextCursor?: string;
+  prevCursor?: string;
 };
 
-type EdgeHttpRequestArgs = {
-  method: string;
-  context?: Context;
-  retry?: RetryConfig;
-  body?: any;
-  /**
-   * @default true
-   */
-  json?: boolean;
-
-  /**
-   * Do not expect a standard EDGE JSON response with a `success` field.
-   * @deprecated Use only for debugging.
-   */
-  rawResponse?: boolean;
-
-  /**
-   * Force authentication.
-   * This should be used for requests with large bodies to avoid sending the body twice.
-   * The client will call /auth endpoint to generate the auth header.
-   */
-  auth?: boolean;
+export type TriggersDispatcherStatus = {
+  isActive: boolean;
+  nextCronTaskRunTimestamp?: number;
+  registeredTriggers: string[];
+  stopAfterTimestamp?: number;
+  remainingMs?: number;
+  nextAlarmTimestamp?: number;
 };
 
-export type EdgeHttpGetArgs = Pick<EdgeHttpRequestArgs, 'context' | 'retry' | 'auth'>;
-export type EdgeHttpPostArgs = Pick<EdgeHttpRequestArgs, 'context' | 'retry' | 'body' | 'auth'>;
-
-export class EdgeHttpClient {
-  private readonly _baseUrl: string;
-
-  private _edgeIdentity: EdgeIdentity | undefined;
-
-  /**
-   * Auth header is cached until receiving the next 401 from EDGE, at which point it gets refreshed.
-   */
-  private _authHeader: string | undefined;
-
-  constructor(baseUrl: string) {
-    this._baseUrl = getEdgeUrlWithProtocol(baseUrl, 'http');
-    log('created', { url: this._baseUrl });
-  }
+export type GetCronTriggersResponse = {
+  cronIds: string[];
+};
 
-  get baseUrl() {
-    return this._baseUrl;
-  }
+export type EdgeHttpClientOptions = BaseHttpClientOptions;
 
-  setIdentity(identity: EdgeIdentity): void {
-    if (this._edgeIdentity?.identityKey !== identity.identityKey || this._edgeIdentity?.peerKey !== identity.peerKey) {
-      this._edgeIdentity = identity;
-      this._authHeader = undefined;
-    }
+/**
+ * HTTP client for the edge worker API (spaces, queues, functions, agents, etc.).
+ *
+ * Hub-service API (accounts, invitations) lives in {@link HubHttpClient} — the two
+ * services run at different URLs and are never both available from the same base URL.
+ */
+export class EdgeHttpClient extends BaseHttpClient {
+  constructor(baseUrl: string, options?: EdgeHttpClientOptions) {
+    super(baseUrl, options);
+    log('created', { url: this.baseUrl });
   }
 
   //
   // Status
   //
 
-  public async getStatus(args?: EdgeHttpGetArgs): Promise<EdgeStatus> {
-    return this._call(new URL('/status', this.baseUrl), { ...args, method: 'GET' });
+  public async getStatus(ctx: Context, args?: EdgeHttpCallArgs): Promise<EdgeStatus> {
+    return this._call(ctx, new URL('/status', this.baseUrl), { ...args, method: 'GET', auth: true });
   }
 
   //
   // Agents
   //
 
-  public createAgent(body: CreateAgentRequestBody, args?: EdgeHttpGetArgs): Promise<CreateAgentResponseBody> {
-    return this._call(new URL('/agents/create', this.baseUrl), { ...args, method: 'POST', body });
+  public createAgent(
+    ctx: Context,
+    body: CreateAgentRequestBody,
+    args?: EdgeHttpCallArgs,
+  ): Promise<CreateAgentResponseBody> {
+    return this._call(ctx, new URL('/agents/create', this.baseUrl), { ...args, method: 'POST', body });
   }
 
   public getAgentStatus(
+    ctx: Context,
     request: { ownerIdentityKey: PublicKey },
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<GetAgentStatusResponseBody> {
-    return this._call(new URL(`/users/${request.ownerIdentityKey.toHex()}/agent/status`, this.baseUrl), {
+    return this._call(ctx, new URL(`/users/${request.ownerIdentityKey.toHex()}/agent/status`, this.baseUrl), {
       ...args,
       method: 'GET',
     });
@@ -148,16 +125,21 @@ export class EdgeHttpClient {
   // Credentials
   //
 
-  public getCredentialsForNotarization(spaceId: SpaceId, args?: EdgeHttpGetArgs): Promise<GetNotarizationResponseBody> {
-    return this._call(new URL(`/spaces/${spaceId}/notarization`, this.baseUrl), { ...args, method: 'GET' });
+  public getCredentialsForNotarization(
+    ctx: Context,
+    spaceId: SpaceId,
+    args?: EdgeHttpCallArgs,
+  ): Promise<GetNotarizationResponseBody> {
+    return this._call(ctx, new URL(`/spaces/${spaceId}/notarization`, this.baseUrl), { ...args, method: 'GET' });
   }
 
   public async notarizeCredentials(
+    ctx: Context,
     spaceId: SpaceId,
     body: PostNotarizationRequestBody,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<void> {
-    await this._call(new URL(`/spaces/${spaceId}/notarization`, this.baseUrl), { ...args, body, method: 'POST' });
+    await this._call(ctx, new URL(`/spaces/${spaceId}/notarization`, this.baseUrl), { ...args, body, method: 'POST' });
   }
 
   //
@@ -165,41 +147,52 @@ export class EdgeHttpClient {
   //
 
   public async recoverIdentity(
+    ctx: Context,
     body: RecoverIdentityRequest,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<RecoverIdentityResponseBody> {
-    return this._call(new URL('/identity/recover', this.baseUrl), { ...args, body, method: 'POST' });
+    return this._call(ctx, new URL('/identity/recover', this.baseUrl), { ...args, body, method: 'POST' });
   }
 
   //
-  // Invitations
+  // Invitations (space join)
   //
 
   public async joinSpaceByInvitation(
+    ctx: Context,
     spaceId: SpaceId,
     body: JoinSpaceRequest,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<JoinSpaceResponseBody> {
-    return this._call(new URL(`/spaces/${spaceId}/join`, this.baseUrl), { ...args, body, method: 'POST' });
+    return this._call(ctx, new URL(`/spaces/${spaceId}/join`, this.baseUrl), { ...args, body, method: 'POST' });
   }
 
   //
-  // OAuth and credentials
+  // OAuth
   //
 
   public async initiateOAuthFlow(
+    ctx: Context,
     body: InitiateOAuthFlowRequest,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<InitiateOAuthFlowResponse> {
-    return this._call(new URL('/oauth/initiate', this.baseUrl), { ...args, body, method: 'POST' });
+    return this._call(ctx, new URL('/oauth/initiate', this.baseUrl), { ...args, body, method: 'POST' });
+  }
+
+  public async completeOAuthRegistration(
+    ctx: Context,
+    body: CompleteOAuthRegistrationRequest,
+    args?: EdgeHttpCallArgs,
+  ): Promise<CompleteOAuthRegistrationResponse> {
+    return this._call(ctx, new URL('/oauth/registration/complete', this.baseUrl), { ...args, body, method: 'POST' });
   }
 
   //
   // Spaces
   //
 
-  async createSpace(body: CreateSpaceRequest, args?: EdgeHttpGetArgs): Promise<CreateSpaceResponseBody> {
-    return this._call(new URL('/spaces/create', this.baseUrl), { ...args, body, method: 'POST' });
+  async createSpace(ctx: Context, body: CreateSpaceRequest, args?: EdgeHttpCallArgs): Promise<CreateSpaceResponseBody> {
+    return this._call(ctx, new URL('/spaces/create', this.baseUrl), { ...args, body, method: 'POST' });
   }
 
   //
@@ -207,13 +200,16 @@ export class EdgeHttpClient {
   //
 
   public async queryQueue(
+    ctx: Context,
     subspaceTag: string,
     spaceId: SpaceId,
-    query: QueueQuery,
-    args?: EdgeHttpGetArgs,
-  ): Promise<QueryResult> {
-    const { queueId } = query;
+    query: FeedProtocol.QueueQuery,
+    args?: EdgeHttpCallArgs,
+  ): Promise<EdgeQueryQueueResponse> {
+    const queueId = query.queueIds?.[0];
+    invariant(queueId, 'queueId required');
     return this._call(
+      ctx,
       createUrl(new URL(`/spaces/${subspaceTag}/${spaceId}/queue/${queueId}/query`, this.baseUrl), {
         after: query.after,
         before: query.before,
@@ -221,21 +217,19 @@ export class EdgeHttpClient {
         reverse: query.reverse,
         objectIds: query.objectIds?.join(','),
       }),
-      {
-        ...args,
-        method: 'GET',
-      },
+      { ...args, method: 'GET' },
     );
   }
 
   public async insertIntoQueue(
+    ctx: Context,
     subspaceTag: string,
     spaceId: SpaceId,
     queueId: ObjectId,
     objects: unknown[],
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<void> {
-    return this._call(new URL(`/spaces/${subspaceTag}/${spaceId}/queue/${queueId}`, this.baseUrl), {
+    return this._call(ctx, new URL(`/spaces/${subspaceTag}/${spaceId}/queue/${queueId}`, this.baseUrl), {
       ...args,
       body: { objects },
       method: 'POST',
@@ -243,20 +237,19 @@ export class EdgeHttpClient {
   }
 
   public async deleteFromQueue(
+    ctx: Context,
     subspaceTag: string,
     spaceId: SpaceId,
     queueId: ObjectId,
     objectIds: ObjectId[],
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<void> {
     return this._call(
+      ctx,
       createUrl(new URL(`/spaces/${subspaceTag}/${spaceId}/queue/${queueId}`, this.baseUrl), {
         ids: objectIds.join(','),
       }),
-      {
-        ...args,
-        method: 'DELETE',
-      },
+      { ...args, method: 'DELETE' },
     );
   }
 
@@ -265,9 +258,10 @@ export class EdgeHttpClient {
   //
 
   public async uploadFunction(
+    ctx: Context,
     pathParts: { functionId?: string },
     body: UploadFunctionRequest,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<UploadFunctionResponseBody> {
     const formData = new FormData();
     formData.append('name', body.name ?? '');
@@ -282,21 +276,16 @@ export class EdgeHttpClient {
         filename,
       );
     }
-
     const path = ['functions', ...(pathParts.functionId ? [pathParts.functionId] : [])].join('/');
-    return this._call(new URL(path, this.baseUrl), {
-      ...args,
-      body: formData,
-      method: 'PUT',
-      json: false,
-    });
+    return this._call(ctx, new URL(path, this.baseUrl), { ...args, body: formData, method: 'PUT', json: false });
   }
 
-  public async listFunctions(args?: EdgeHttpGetArgs): Promise<any> {
-    return this._call(new URL('/functions', this.baseUrl), { ...args, method: 'GET' });
+  public async listFunctions(ctx: Context, args?: EdgeHttpCallArgs): Promise<any> {
+    return this._call(ctx, new URL('/functions', this.baseUrl), { ...args, method: 'GET' });
   }
 
   public async invokeFunction(
+    ctx: Context,
     params: {
       functionId: string;
       version?: string;
@@ -305,7 +294,7 @@ export class EdgeHttpClient {
       subrequestsLimit?: number;
     },
     input: unknown,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<any> {
     const url = new URL(`/functions/${params.functionId}`, this.baseUrl);
     if (params.version) {
@@ -320,13 +309,7 @@ export class EdgeHttpClient {
     if (params.subrequestsLimit) {
       url.searchParams.set('subrequestsLimit', params.subrequestsLimit.toString());
     }
-
-    return this._call(url, {
-      ...args,
-      body: input,
-      method: 'POST',
-      rawResponse: true,
-    });
+    return this._call(ctx, url, { ...args, body: input, method: 'POST' });
   }
 
   //
@@ -334,12 +317,13 @@ export class EdgeHttpClient {
   //
 
   public async executeWorkflow(
+    ctx: Context,
     spaceId: SpaceId,
     graphId: ObjectId,
     input: any,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<ExecuteWorkflowResponseBody> {
-    return this._call(new URL(`/workflows/${spaceId}/${graphId}`, this.baseUrl), {
+    return this._call(ctx, new URL(`/workflows/${spaceId}/${graphId}`, this.baseUrl), {
       ...args,
       body: input,
       method: 'POST',
@@ -350,185 +334,168 @@ export class EdgeHttpClient {
   // Triggers
   //
 
-  public async getCronTriggers(spaceId: SpaceId) {
-    return this._call(new URL(`/test/functions/${spaceId}/triggers/crons`, this.baseUrl), { method: 'GET' });
+  public async getCronTriggers(ctx: Context, spaceId: SpaceId): Promise<GetCronTriggersResponse> {
+    return this._call<GetCronTriggersResponse>(ctx, new URL(`/functions/${spaceId}/triggers/crons`, this.baseUrl), {
+      method: 'GET',
+    });
+  }
+
+  public async getTriggersDispatcherStatus(
+    ctx: Context,
+    spaceId: SpaceId,
+    args?: EdgeHttpCallArgs,
+  ): Promise<TriggersDispatcherStatus> {
+    return this._call<TriggersDispatcherStatus>(ctx, new URL(`/triggers/${spaceId}/status`, this.baseUrl), {
+      ...args,
+      method: 'GET',
+      auth: true,
+    });
+  }
+
+  public async forceRunCronTrigger(ctx: Context, spaceId: SpaceId, triggerId: ObjectId) {
+    return this._call(ctx, new URL(`/functions/${spaceId}/triggers/crons/${triggerId}/run`, this.baseUrl), {
+      method: 'POST',
+    });
   }
 
   //
-  // Import/Export space.
+  // Query
+  //
+
+  public async execQuery(
+    ctx: Context,
+    spaceId: SpaceId,
+    body: QueryRequestProto,
+    args?: EdgeHttpCallArgs,
+  ): Promise<QueryResponseProto> {
+    return this._call(ctx, new URL(`/spaces/${spaceId}/exec-query`, this.baseUrl), { ...args, body, method: 'POST' });
+  }
+
+  //
+  // Registry
+  //
+
+  public async getRegistryPlugins(ctx: Context, args?: EdgeHttpCallArgs): Promise<GetPluginsResponseBody> {
+    return this._call(ctx, new URL('/registry/plugins', this.baseUrl), { ...args, method: 'GET' });
+  }
+
+  public async getRegistryPluginVersions(
+    ctx: Context,
+    repo: string,
+    args?: EdgeHttpCallArgs,
+  ): Promise<GetPluginVersionsResponseBody> {
+    return this._call(ctx, new URL(`/registry/plugins/${encodeURIComponent(repo)}/versions`, this.baseUrl), {
+      ...args,
+      method: 'GET',
+    });
+  }
+
+  //
+  // Import/Export
   //
 
   public async importBundle(
-    spaceId: SpaceId, //
+    ctx: Context,
+    spaceId: SpaceId,
     body: ImportBundleRequest,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<void> {
-    return this._call(new URL(`/spaces/${spaceId}/import`, this.baseUrl), { ...args, body, method: 'PUT' });
+    return this._call(ctx, new URL(`/spaces/${spaceId}/import`, this.baseUrl), { ...args, body, method: 'PUT' });
   }
 
   public async exportBundle(
+    ctx: Context,
     spaceId: SpaceId,
     body: ExportBundleRequest,
-    args?: EdgeHttpGetArgs,
+    args?: EdgeHttpCallArgs,
   ): Promise<ExportBundleResponse> {
-    return this._call(new URL(`/spaces/${spaceId}/export`, this.baseUrl), {
-      ...args,
-      body,
-      method: 'POST',
-    });
+    return this._call(ctx, new URL(`/spaces/${spaceId}/export`, this.baseUrl), { ...args, body, method: 'POST' });
   }
 
   //
-  // Internal
+  // Proxy
   //
 
-  private async _fetch<T>(url: URL, _args: EdgeHttpRequestArgs): Promise<T> {
-    return Function.pipe(
-      HttpClient.get(url),
-      withLogging,
-      withRetryConfig,
-      Effect.provide(FetchHttpClient.layer),
-      Effect.provide(HttpConfig.default),
-      Effect.withSpan('EdgeHttpClient'),
-      Effect.runPromise,
-    ) as T;
+  /**
+   * Fetch through the edge proxy for third-party REST APIs.
+   * TEMPORARY: currently routes through legacy open proxy. See https://github.com/dxos/edge/pull/576.
+   */
+  public async proxyFetch(target: URL, init: RequestInit = {}): Promise<Response> {
+    return proxyFetchLegacy(target, init, this._clientTag);
   }
 
-  // TODO(burdon): Refactor with effect (see edge-http-client.test.ts).
-  private async _call<T>(url: URL, args: EdgeHttpRequestArgs): Promise<T> {
-    const shouldRetry = createRetryHandler(args);
-    const requestContext = args.context ?? Context.default();
-    log('fetch', { url, request: args.body });
+  //
+  // AI service.
+  //
+
+  /**
+   * Issue an authenticated request to the EDGE AI route (`/ai/generate/anthropic/*`), which
+   * proxies to the AI service. Used as the backend HTTP client for the Anthropic AI provider
+   * (see {@link EdgeAiHttpClient}).
+   *
+   * Returns the raw `Response` so streaming bodies are forwarded unchanged to `@effect/ai`.
+   * Requires an identity to have been set via {@link setIdentity}.
+   */
+  // TODO(mykola): Merge into `BaseHttpClient._call` once it can return a streaming/raw `Response`;
+  // the auth/retry loop below duplicates the one in `_call`.
+  public async anthropicAiRequest(request: Request): Promise<Response> {
+    const incoming = new URL(request.url);
+    const base = this.baseUrl.replace(/\/$/, '');
+    const target = new URL(`${base}/ai/generate/anthropic${incoming.pathname}${incoming.search}`);
+
+    const method = request.method;
+    const body = method === 'GET' || method === 'HEAD' ? undefined : await request.arrayBuffer();
 
     let handledAuth = false;
-    const tryCount = 1;
     while (true) {
-      let processingError: EdgeCallFailedError | undefined = undefined;
-      try {
-        if (!this._authHeader && args.auth) {
-          const response = await fetch(new URL(`/auth`, this.baseUrl));
-          if (response.status === 401) {
-            this._authHeader = await this._handleUnauthorized(response);
-          }
-        }
-
-        const request = createRequest(args, this._authHeader);
-        log('call edge', { url, tryCount, authHeader: !!this._authHeader });
-        const response = await fetch(url, request);
-
-        if (response.ok) {
-          const body = await response.clone().json();
-          if (args.rawResponse) {
-            return body as any;
-          }
-          invariant(body, 'Expected body to be present');
-          if (!('success' in body)) {
-            return body;
-          }
-          if (body.success) {
-            return body.data;
-          }
-        } else if (response.status === 401 && !handledAuth) {
-          this._authHeader = await this._handleUnauthorized(response);
-          handledAuth = true;
-          continue;
+      if (!this._authHeader) {
+        const authResponse = await fetch(new URL('/auth', this.baseUrl));
+        if (authResponse.status === 401) {
+          this._authHeader = await this._handleUnauthorized(authResponse);
         }
+      }
 
-        const body =
-          response.headers.get('Content-Type') === 'application/json' ? await response.clone().json() : undefined;
-
-        invariant(!body?.success, 'Expected body to not be a failure response or undefined.');
-
-        if (body?.errorData?.type === 'auth_challenge' && typeof body?.errorData?.challenge === 'string') {
-          processingError = new EdgeAuthChallengeError(body.errorData.challenge, body.errorData);
-        } else if (body?.success === false) {
-          processingError = EdgeCallFailedError.fromUnsuccessfulResponse(response, body);
-        } else {
-          invariant(!response.ok, 'Expected response to not be ok.');
-          processingError = await EdgeCallFailedError.fromHttpFailure(response);
-        }
-      } catch (error: any) {
-        processingError = EdgeCallFailedError.fromProcessingFailureCause(error);
+      const headers = new Headers(request.headers);
+      if (this._authHeader) {
+        headers.set('Authorization', this._authHeader);
+      }
+      if (this._clientTag) {
+        headers.set(EDGE_CLIENT_TAG_HEADER, this._clientTag);
       }
 
-      if (processingError?.isRetryable && (await shouldRetry(requestContext, processingError.retryAfterMs))) {
-        log.verbose('retrying edge request', { url, processingError });
-      } else {
-        throw processingError!;
+      const response = await fetch(target, { method, headers, body, signal: request.signal });
+      // Only retry edge auth when the 401 came from edge's own auth layer. Edge always sets
+      // `WWW-Authenticate` on its own 401s; upstream-forwarded 401s (e.g. invalid BYOK rejected
+      // by Anthropic) lack it and must be surfaced verbatim.
+      if (response.status === 401 && response.headers.get('WWW-Authenticate') !== null && !handledAuth) {
+        this._authHeader = await this._handleUnauthorized(response);
+        handledAuth = true;
+        continue;
       }
-    }
-  }
 
-  private async _handleUnauthorized(response: Response): Promise<string> {
-    if (!this._edgeIdentity) {
-      log.warn('unauthorized response received before identity was set');
-      throw await EdgeCallFailedError.fromHttpFailure(response);
+      return response;
     }
-
-    const challenge = await handleAuthChallenge(response, this._edgeIdentity);
-    return encodeAuthHeader(challenge);
-  }
-}
-
-const createRequest = (
-  { method, body, json = true }: EdgeHttpRequestArgs,
-  authHeader: string | undefined,
-): RequestInit => {
-  let requestBody: BodyInit | undefined;
-  const headers: HeadersInit = {};
-
-  if (json) {
-    requestBody = body && JSON.stringify(body);
-    headers['Content-Type'] = 'application/json';
-  } else {
-    requestBody = body;
   }
 
-  if (typeof requestBody === 'string' && requestBody.length > WARNING_BODY_SIZE) {
-    log.warn('Request with large body', { bodySize: requestBody.length });
-  }
-
-  if (authHeader) {
-    headers['Authorization'] = authHeader;
-  }
-
-  return {
-    method,
-    body: requestBody,
-    headers,
-  };
-};
+  //
+  // Internal (Effect-based, used by tests)
+  //
 
-/**
- * @deprecated
- */
-const createRetryHandler = ({ retry }: EdgeHttpRequestArgs) => {
-  if (!retry || retry.count < 1) {
-    return async () => false;
+  public async _fetch<T>(url: URL, _args: { method: string }): Promise<T> {
+    return Function.pipe(
+      HttpClient.execute(HttpClientRequest.make(_args.method as any)(url.toString())),
+      withLogging,
+      withRetryConfig,
+      Effect.provide(FetchHttpClient.layer),
+      Effect.provide(HttpConfig.default),
+      Effect.withSpan('EdgeHttpClient'),
+      EffectEx.runAndForwardErrors,
+    ) as T;
   }
-
-  let retries = 0;
-  const maxRetries = retry.count ?? DEFAULT_MAX_RETRIES_COUNT;
-  const baseTimeout = retry.timeout ?? DEFAULT_RETRY_TIMEOUT;
-  const jitter = retry.jitter ?? DEFAULT_RETRY_JITTER;
-  return async (ctx: Context, retryAfter?: number) => {
-    if (++retries > maxRetries || ctx.disposed) {
-      return false;
-    }
-
-    if (retryAfter) {
-      await sleep(retryAfter);
-    } else {
-      const timeout = baseTimeout + Math.random() * jitter;
-      await sleep(timeout);
-    }
-
-    return true;
-  };
-};
+}
 
 const getFileMimeType = (filename: string) =>
-  ['.js', '.mjs'].some((codeExtension) => filename.endsWith(codeExtension))
+  ['.js', '.mjs'].some((ext) => filename.endsWith(ext))
     ? 'application/javascript+module'
     : filename.endsWith('.wasm')
       ? 'application/wasm'