@fabric-platform/sdk 0.2.2

package/dist/index.d.ts

@@ -0,0 +1,1884 @@
+/**
+ * Auth strategy types and header resolution.
+ *
+ * The SDK is stateless — it does NOT manage auth state.
+ * Socialite (or any consumer) owns the session.
+ */
+/** Static auth strategies. */
+type AuthStrategy = {
+    type: "api-key";
+    key: string;
+} | {
+    type: "bearer";
+    token: string;
+} | {
+    type: "oauth";
+    clientId: string;
+    clientSecret: string;
+};
+/**
+ * Auth configuration for FabricClient.
+ *
+ * - Static `AuthStrategy` for fixed credentials
+ * - `() => Promise<string>` for dynamic per-request tokens (e.g., from Next.js cookies)
+ */
+type AuthConfig = AuthStrategy | (() => Promise<string>);
+
+/**
+ * Pagination types and async iterator helper.
+ */
+/** Pagination metadata from Fabric API responses. */
+interface Pagination {
+    count: number;
+    has_more: boolean;
+    next_cursor?: string;
+}
+/** A paginated list response. */
+interface PaginatedResponse<T> {
+    items: T[];
+    pagination: Pagination;
+}
+/** Query parameters for paginated endpoints. */
+interface PaginationParams {
+    limit?: number;
+    cursor?: string;
+}
+/**
+ * Async generator for auto-pagination.
+ *
+ * Yields pages of items until no more pages are available.
+ *
+ * ```typescript
+ * for await (const page of paginate((params) => fabric.organizations.list(params))) {
+ *   for (const org of page) { ... }
+ * }
+ * ```
+ */
+declare function paginate<T>(fetcher: (params: PaginationParams) => Promise<PaginatedResponse<T>>, options?: {
+    limit?: number;
+}): AsyncGenerator<T[], void, unknown>;
+/**
+ * Async generator for item-level iteration (single items, not pages).
+ *
+ * ```typescript
+ * for await (const org of paginateItems((params) => fabric.organizations.list(params))) {
+ *   console.log(org.name);
+ * }
+ * ```
+ */
+declare function paginateItems<T>(fetcher: (params: PaginationParams) => Promise<PaginatedResponse<T>>, options?: {
+    limit?: number;
+}): AsyncGenerator<T, void, unknown>;
+/**
+ * Collect all pages into a single array.
+ *
+ * ```typescript
+ * const allOrgs = await paginateAll((params) => fabric.organizations.list(params));
+ * ```
+ */
+declare function paginateAll<T>(fetcher: (params: PaginationParams) => Promise<PaginatedResponse<T>>, options?: {
+    limit?: number;
+}): Promise<T[]>;
+
+/**
+ * Low-level HTTP transport for the Fabric API.
+ *
+ * Wraps `fetch` with:
+ * - Base URL prefixing
+ * - Auth header injection (resolved per-request)
+ * - Envelope unwrapping (`data` on success, throws on `error`)
+ * - Typed error mapping
+ * - Retry on 429 with Retry-After
+ * - Timeout via AbortSignal
+ * - Idempotency key support
+ */
+
+/** Interceptor called before each request. Can modify headers or log. */
+type RequestInterceptor = (method: string, url: string, headers: Record<string, string>) => void | Promise<void>;
+/** Interceptor called after each response. Can log or inspect. */
+type ResponseInterceptor = (method: string, url: string, status: number, durationMs: number) => void | Promise<void>;
+interface HttpTransportConfig {
+    baseUrl: string;
+    auth?: AuthConfig;
+    organizationId?: string;
+    teamId?: string;
+    timeout?: number;
+    fetch?: typeof globalThis.fetch;
+    retry?: {
+        maxRetries: number;
+        baseDelayMs: number;
+    };
+    /** Log all requests and responses to console. */
+    debug?: boolean;
+    /** Called before each request. */
+    onRequest?: RequestInterceptor;
+    /** Called after each response. */
+    onResponse?: ResponseInterceptor;
+}
+interface RequestOptions {
+    body?: unknown;
+    query?: Record<string, string | number | boolean | undefined>;
+    headers?: Record<string, string>;
+    idempotencyKey?: string;
+    signal?: AbortSignal;
+    /** Pass-through for Next.js extended fetch options (e.g. `next: { revalidate }`) */
+    requestInit?: RequestInit;
+}
+declare class HttpTransport {
+    private readonly baseUrl;
+    private readonly auth?;
+    private readonly organizationId?;
+    private readonly teamId?;
+    private readonly timeoutMs;
+    private readonly fetchFn;
+    private readonly retryConfig;
+    private readonly debug;
+    private readonly onRequest?;
+    private readonly onResponse?;
+    private oauthManager?;
+    constructor(config: HttpTransportConfig);
+    /** Getters for context values (used by resources). */
+    getOrganizationId(): string | undefined;
+    getTeamId(): string | undefined;
+    getBaseUrl(): string;
+    /** Make a request and unwrap the envelope, returning `data`. */
+    request<T>(method: string, path: string, opts?: RequestOptions): Promise<T>;
+    /** Make a request and unwrap a paginated envelope. */
+    requestPaginated<T>(method: string, path: string, opts?: RequestOptions): Promise<PaginatedResponse<T>>;
+    /** Make a request and return the raw Response (for SSE, file uploads, etc). */
+    requestRaw(method: string, path: string, opts?: RequestOptions): Promise<Response>;
+    /** Build full headers for a request (used by streaming). */
+    buildHeaders(extra?: Record<string, string>): Promise<Record<string, string>>;
+    private doFetch;
+    private fetchWithRetry;
+    private resolveAuth;
+    private buildUrl;
+    private throwIfError;
+}
+
+/** RBAC role hierarchy. */
+type Role = "owner" | "admin" | "member" | "viewer";
+
+/** Response envelope metadata. */
+interface Meta {
+    request_id: string;
+    trace_id?: string;
+    status: number;
+    api_version: string;
+}
+/** Request context attached to responses. */
+interface RequestContext {
+    principal_id?: string;
+    organization_id?: string;
+    team_id?: string;
+}
+/** Structured error body. */
+interface ErrorBody {
+    code: string;
+    message: string;
+}
+/** Standard Fabric API response envelope. */
+interface Envelope<T = unknown> {
+    meta: Meta;
+    context?: RequestContext;
+    data?: T;
+    error?: ErrorBody;
+}
+/** Paginated data wrapper. */
+interface PaginatedData<T> {
+    items: T[];
+    pagination: {
+        count: number;
+        has_more: boolean;
+        next_cursor?: string;
+    };
+}
+
+/** User info returned from auth endpoints. */
+interface AuthUser {
+    id: string;
+    email?: string;
+}
+/** Response from signup, login, and refresh endpoints. */
+interface AuthResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type: string;
+    user: AuthUser;
+}
+/** MFA enrollment response. */
+interface MfaEnrollResponse {
+    id: string;
+    type: string;
+    totp?: {
+        qr_code: string;
+        secret: string;
+        uri: string;
+    };
+}
+/** MFA challenge response. */
+interface MfaChallengeResponse {
+    id: string;
+    expires_at: number;
+}
+/** MFA verify response. */
+interface MfaVerifyResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type: string;
+    user: AuthUser;
+}
+
+interface Organization {
+    id: string;
+    slug: string;
+    name: string;
+    archived: boolean;
+    created_at: string;
+    updated_at: string;
+}
+interface CreateOrganizationRequest {
+    slug?: string;
+    name: string;
+}
+interface UpdateOrganizationRequest {
+    name?: string;
+}
+interface Membership {
+    id: string;
+    principal_id: string;
+    organization_id: string;
+    team_id: string | null;
+    role: Role;
+    active: boolean;
+    created_at: string;
+    updated_at: string;
+}
+interface OrgUsageSummary {
+    organization_id: string;
+    total_runs: number;
+    total_cost_usd: number;
+    period_start: string;
+    period_end: string;
+}
+interface OrgBudget {
+    organization_id: string;
+    monthly_limit_usd: number | null;
+    current_spend_usd: number;
+}
+interface OrgSecret {
+    name: string;
+    created_at: string;
+    updated_at: string;
+}
+interface CreateSecretRequest {
+    name: string;
+    value: string;
+}
+/** Organization settings. */
+interface OrgSettings {
+    id: string;
+    organization_id: string;
+    display_name: string | null;
+    logo_url: string | null;
+    email_from_name: string | null;
+    webhook_url: string | null;
+    webhook_events: string[] | null;
+    max_pending_invitations: number;
+    max_invitations_per_hour: number;
+}
+/** Request to update organization settings. */
+interface UpdateOrgSettingsRequest {
+    display_name?: string | null;
+    logo_url?: string | null;
+    email_from_name?: string | null;
+    webhook_url?: string | null;
+    webhook_events?: string[] | null;
+    max_pending_invitations?: number;
+    max_invitations_per_hour?: number;
+}
+/** Rotated webhook secret (one-time reveal). */
+interface RotateWebhookSecretResponse {
+    webhook_signing_secret: string;
+}
+/** A daily usage rollup entry. */
+interface UsageDailyEntry {
+    date: string;
+    total_cost_usd: number;
+    total_input_tokens: number;
+    total_output_tokens: number;
+    total_runs: number;
+    group_key?: string;
+}
+/** A detailed usage record. */
+interface UsageRecord {
+    id: string;
+    action: string;
+    provider: string | null;
+    model: string | null;
+    input_tokens: number;
+    output_tokens: number;
+    cost_usd: number;
+    created_at: string;
+}
+/** System info returned by admin endpoint. */
+interface SystemInfo {
+    version: string;
+    features: string[];
+    uptime_seconds?: number;
+}
+/** System status returned by admin endpoint. */
+interface SystemStatus {
+    status: string;
+    database: string;
+    event_bus: string;
+}
+
+interface Team {
+    id: string;
+    organization_id: string;
+    slug: string;
+    name: string;
+    archived: boolean;
+    created_at: string;
+    updated_at: string;
+}
+interface CreateTeamRequest {
+    organization_id: string;
+    slug?: string;
+    name: string;
+}
+
+/** All event kinds emitted by the Fabric event bus. */
+type EventKind = "workflow.run.created" | "workflow.run.queued" | "workflow.run.promoted" | "workflow.run.started" | "workflow.run.completed" | "workflow.run.failed" | "workflow.run.cancelled" | "workflow.run.waiting" | "workflow.run.paused" | "workflow.node.ready" | "workflow.node.claimed" | "workflow.node.started" | "workflow.node.progress" | "workflow.node.completed" | "workflow.node.failed" | "workflow.node.retried" | "workflow.node.skipped" | "workflow.node.cancelled" | "workflow.node.waiting_for_event" | "workflow.node.resumed" | "job.created" | "job.started" | "job.completed" | "job.failed" | "workflow.schedule.triggered" | "workflow.schedule.skipped" | "workflow.schedule.failed" | "webhook.delivery.exhausted" | "organization.created" | "team.created" | "membership.created" | "invitation.created" | "invitation.accepted" | "invitation.revoked";
+/** Terminal event kinds that signal a workflow run is done. */
+declare const TERMINAL_RUN_EVENTS: EventKind[];
+/** Node-level event kinds for filtering in watch/stream. */
+declare const NODE_EVENT_KINDS: EventKind[];
+/** A domain event from the Fabric event bus. */
+interface DomainEvent {
+    id: string;
+    kind: EventKind;
+    organization_id?: string;
+    job_id?: string;
+    workflow_id?: string;
+    run_id?: string;
+    node_key?: string;
+    payload: Record<string, unknown>;
+    timestamp: string;
+}
+/** Event handler callback. */
+type EventHandler = (event: DomainEvent) => void;
+/** Client-side filter for SSE event streams. */
+interface EventStreamFilter {
+    /** Only deliver events matching these kinds. */
+    kinds?: EventKind[];
+    /** Only deliver node events for these node keys. */
+    nodeKeys?: string[];
+}
+/** Commands the client can send over the WebSocket. */
+type WebSocketCommand = {
+    subscribe_run: string;
+} | {
+    unsubscribe: true;
+};
+/** Acknowledgements the server sends in response to commands. */
+type WebSocketAck = {
+    subscribed_to_run: string;
+} | {
+    unsubscribed: true;
+};
+
+/** Workflow language for registry entries. */
+type WorkflowLanguage = "rust" | "python" | "typescript";
+/** Workflow source type. */
+type WorkflowSource = "builtin" | "composed" | "custom";
+/** Workflow run status. */
+type RunStatus = "pending" | "running" | "completed" | "failed" | "cancelled" | "paused" | "waiting";
+/** A workflow definition in the hierarchical registry. */
+interface RegistryEntry {
+    id: string;
+    organization_id: string | null;
+    team_id: string | null;
+    name: string;
+    language: WorkflowLanguage;
+    source: WorkflowSource;
+    entry_point: string | null;
+    compose_from: string[] | null;
+    config: Record<string, unknown> | null;
+    version: string;
+    worker_tags: string[];
+    input_schema: Record<string, unknown> | null;
+    output_schema: Record<string, unknown> | null;
+    description: string | null;
+    created_at: string;
+    updated_at: string;
+}
+/** Request to create a registry entry. */
+interface CreateRegistryRequest {
+    name: string;
+    language: WorkflowLanguage;
+    source: WorkflowSource;
+    entry_point?: string;
+    compose_from?: string[];
+    config?: Record<string, unknown>;
+    version?: string;
+    worker_tags?: string[];
+    input_schema?: Record<string, unknown>;
+    output_schema?: Record<string, unknown>;
+    description?: string;
+}
+/** Request to compose multiple workflows. */
+interface ComposeWorkflowRequest {
+    name: string;
+    steps: string[];
+    description?: string;
+}
+/** Progress tracking for a workflow run. */
+interface RunProgress {
+    total_tasks: number;
+    completed_tasks: number;
+    current_task: string | null;
+    percentage: number;
+}
+/** A workflow run (execution instance). */
+interface WorkflowRun {
+    id: string;
+    sayiir_instance_id: string;
+    organization_id: string;
+    team_id: string | null;
+    registry_entry_id: string | null;
+    workflow_name: string;
+    created_by: string | null;
+    metadata: Record<string, unknown> | null;
+    status: RunStatus;
+    progress: RunProgress | null;
+    output: unknown | null;
+    error: string | null;
+    created_at: string;
+}
+/** Request to submit a workflow run. */
+interface SubmitRunRequest {
+    input: Record<string, unknown>;
+    metadata?: Record<string, unknown>;
+    priority?: number;
+}
+/** Cost hint for a single workflow node. */
+interface NodeCostHint {
+    provider?: string;
+    model?: string;
+    modality?: string;
+    calls?: number;
+    calls_from_input?: string;
+}
+/** Historical cost summary from past completed runs. */
+interface HistoricalCostSummary {
+    avg_cost_usd: number;
+    min_cost_usd: number;
+    max_cost_usd: number;
+    sample_count: number;
+    per_node_avg: Record<string, number>;
+}
+/** Pre-execution workflow cost estimate. */
+interface WorkflowCostEstimate {
+    total_estimated_usd: number;
+    per_node: Record<string, number>;
+    best_case_usd: number;
+    worst_case_usd: number;
+    source: "config" | "historical" | "hybrid" | "none";
+    historical: HistoricalCostSummary | null;
+}
+/** Request to estimate workflow cost. */
+interface EstimateWorkflowRequest {
+    input?: Record<string, unknown>;
+    cost_profile?: {
+        nodes: Record<string, NodeCostHint>;
+    };
+}
+/** Options for `runs.watch()` — high-level workflow run observation. */
+interface WatchRunOptions {
+    /** Only deliver node events for these node keys (omit for all nodes). */
+    nodeKeys?: string[];
+    /** Called when a node reports progress. */
+    onNodeProgress?: (nodeKey: string, payload: Record<string, unknown>) => void;
+    /** Called when a node starts executing. */
+    onNodeStarted?: (nodeKey: string, payload: Record<string, unknown>) => void;
+    /** Called when a node completes successfully. */
+    onNodeCompleted?: (nodeKey: string, payload: Record<string, unknown>) => void;
+    /** Called when a node fails. */
+    onNodeFailed?: (nodeKey: string, payload: Record<string, unknown>) => void;
+    /** Called when the workflow run completes. */
+    onRunCompleted?: (payload: Record<string, unknown>) => void;
+    /** Called when the workflow run fails. */
+    onRunFailed?: (payload: Record<string, unknown>) => void;
+    /** Called when the workflow run is cancelled. */
+    onRunCancelled?: (payload: Record<string, unknown>) => void;
+    /** Called for every event (in addition to typed callbacks). */
+    onEvent?: (event: DomainEvent) => void;
+    /** Called on stream errors. */
+    onError?: (error: Error) => void;
+    /** AbortSignal for manual cancellation. */
+    signal?: AbortSignal;
+    /** Enable auto-reconnection (default: true). */
+    reconnect?: boolean;
+    /** Resume from a specific event ID. */
+    lastEventId?: string;
+}
+/** Handle returned by `runs.watch()`. */
+interface RunWatcher {
+    /** Abort the watcher and disconnect. */
+    abort(): void;
+    /** Resolves when the watcher stops (terminal event, abort, or max reconnect failures). */
+    readonly done: Promise<void>;
+}
+/** An artifact produced by a workflow run. */
+interface RunArtifact {
+    id: string;
+    run_id: string;
+    asset_id: string | null;
+    task_id: string;
+    filename: string;
+    content_type: string | null;
+    produced_by: string | null;
+    consumed_from: string[] | null;
+    metadata: Record<string, unknown> | null;
+    created_at: string;
+    /** Signed download URL (populated by `artifactsWithUrls()`). */
+    download_url?: string;
+}
+/** Request to record an artifact for a workflow run. */
+interface RecordArtifactRequest {
+    asset_id?: string;
+    task_id: string;
+    filename: string;
+    content_type?: string;
+    produced_by?: string;
+    consumed_from?: string[];
+    metadata?: Record<string, unknown>;
+}
+/** Node execution attempt with log excerpts. */
+interface NodeAttempt {
+    id: string;
+    workflow_run_node_id: string;
+    status: string;
+    stdout_excerpt: string | null;
+    stderr_excerpt: string | null;
+    error_message: string | null;
+    duration_ms: number | null;
+    output: unknown | null;
+    created_at: string;
+}
+
+/** Asset kind. */
+type AssetKind = "upload" | "generated" | "derivation";
+/** An uploaded or generated asset. */
+interface Asset {
+    id: string;
+    organization_id: string;
+    created_by: string;
+    kind: AssetKind;
+    content_type: string;
+    filename: string | null;
+    size_bytes: number;
+    storage_path: string;
+    derived_from: string | null;
+    created_at: string;
+}
+/** Response from signed URL generation. */
+interface SignedUrlResponse {
+    url: string;
+}
+
+interface Gallery {
+    id: string;
+    organization_id: string | null;
+    name: string;
+    description: string | null;
+    kind: string;
+    tags: string[];
+    created_at: string;
+    updated_at: string;
+}
+interface GalleryItem {
+    id: string;
+    gallery_id: string;
+    asset_id: string;
+    label: string | null;
+    tags: string[];
+    sort_order: number;
+    created_at: string;
+}
+interface CreateGalleryRequest {
+    name: string;
+    description?: string;
+    kind: string;
+    tags?: string[];
+}
+interface AddGalleryItemRequest {
+    asset_id: string;
+    label?: string;
+    tags?: string[];
+    sort_order?: number;
+}
+
+interface ApiKey {
+    id: string;
+    prefix: string;
+    owner_principal_id: string;
+    organization_id: string;
+    team_id: string | null;
+    description: string | null;
+    scopes: string[];
+    disabled: boolean;
+    expires_at: string | null;
+    last_used_at: string | null;
+    created_at: string;
+    updated_at: string;
+}
+/** Returned only at creation time — includes the raw secret. */
+interface CreateApiKeyResponse {
+    id: string;
+    prefix: string;
+    secret: string;
+    scopes: string[];
+    created_at: string;
+}
+interface CreateApiKeyRequest {
+    description?: string;
+    scopes?: string[];
+    expires_in_days?: number;
+}
+
+interface ServiceAccount {
+    id: string;
+    organization_id: string;
+    team_id: string | null;
+    name: string;
+    disabled: boolean;
+    created_at: string;
+    updated_at: string;
+}
+interface CreateServiceAccountRequest {
+    name: string;
+    team_id?: string;
+}
+
+type PermissionEffect = "allow" | "deny";
+interface Permission {
+    id: string;
+    principal_id: string;
+    resource_type: string;
+    resource_id: string;
+    action: string;
+    effect: PermissionEffect;
+    granted_by: string | null;
+    created_at: string;
+    expires_at: string | null;
+}
+interface GrantPermissionRequest {
+    principal_id: string;
+    resource_type: string;
+    resource_id: string;
+    action: string;
+    effect?: PermissionEffect;
+    expires_in_hours?: number;
+}
+interface AuthzCheckRequest {
+    resource: string;
+    action: string;
+}
+interface AuthzCheckResponse {
+    allowed: boolean;
+    reason?: string;
+}
+
+interface Webhook {
+    id: string;
+    organization_id: string;
+    url: string;
+    description: string | null;
+    event_filter: string[];
+    resource_filter: WebhookResourceFilter | null;
+    active: boolean;
+    max_retries: number;
+    created_by: string | null;
+    created_at: string;
+    updated_at: string;
+}
+interface WebhookResourceFilter {
+    workflow_definition_id?: string;
+    workflow_run_id?: string;
+    job_id?: string;
+}
+interface WebhookDelivery {
+    id: string;
+    webhook_id: string;
+    event_id: string;
+    event_kind: string;
+    status: string;
+    status_code: number | null;
+    error_message: string | null;
+    attempt: number;
+    next_retry_at: string | null;
+    created_at: string;
+    completed_at: string | null;
+}
+interface CreateWebhookRequest {
+    url: string;
+    event_filter?: string[];
+    resource_filter?: WebhookResourceFilter;
+    description?: string;
+    max_retries?: number;
+}
+interface UpdateWebhookRequest {
+    url?: string;
+    event_filter?: string[];
+    resource_filter?: WebhookResourceFilter | null;
+    description?: string;
+    active?: boolean;
+    max_retries?: number;
+}
+
+interface WorkflowSchedule {
+    id: string;
+    workflow_definition_id: string;
+    organization_id: string;
+    cron_expression: string;
+    timezone: string;
+    enabled: boolean;
+    input_context: Record<string, unknown>;
+    input_template: Record<string, unknown> | null;
+    on_failure: 'skip' | 'retry';
+    max_retries: number;
+    consecutive_failures: number;
+    concurrency_policy: 'allow' | 'skip' | 'queue';
+    active_run_id: string | null;
+    next_run_at: string | null;
+    last_run_id: string | null;
+    last_run_at: string | null;
+    created_at: string;
+    updated_at: string;
+}
+interface ScheduleRun {
+    id: string;
+    schedule_id: string;
+    workflow_run_id: string;
+    triggered_at: string;
+    trigger_type: 'cron' | 'manual';
+    status: 'submitted' | 'skipped_overlap' | 'failed_to_submit';
+    error_message: string | null;
+    resolved_input: Record<string, unknown> | null;
+    created_at: string;
+}
+interface CreateScheduleRequest {
+    cron_expression: string;
+    timezone?: string;
+    input_context?: Record<string, unknown>;
+    input_template?: Record<string, unknown>;
+    on_failure?: 'skip' | 'retry';
+    max_retries?: number;
+    concurrency_policy?: 'allow' | 'skip' | 'queue';
+    enabled?: boolean;
+}
+interface UpdateScheduleRequest {
+    cron_expression?: string;
+    timezone?: string;
+    input_context?: Record<string, unknown>;
+    input_template?: Record<string, unknown> | null;
+    on_failure?: 'skip' | 'retry';
+    max_retries?: number;
+    concurrency_policy?: 'allow' | 'skip' | 'queue';
+    enabled?: boolean;
+}
+
+interface MeResponse {
+    principal_id: string;
+    principal_type: "user" | "service_account";
+    email?: string;
+    display_name?: string;
+}
+interface MyOrgSummary {
+    id: string;
+    slug: string;
+    name: string;
+    role: Role;
+}
+interface MyTeamSummary {
+    id: string;
+    organization_id: string;
+    slug: string;
+    name: string;
+    role: Role;
+}
+
+type InvitationStatus = "pending" | "accepted" | "revoked" | "expired";
+interface Invitation {
+    id: string;
+    organization_id: string;
+    team_id: string | null;
+    email: string;
+    role: Role;
+    status: InvitationStatus;
+    expires_at: string;
+    accepted_at: string | null;
+    revoked_at: string | null;
+    created_at: string;
+    updated_at: string;
+}
+interface CreateInvitationRequest {
+    organization_id: string;
+    email: string;
+    role: Role;
+    team_id?: string;
+}
+
+interface OAuthClient {
+    id: string;
+    organization_id: string;
+    client_name: string;
+    client_id: string;
+    redirect_uris: string[];
+    scopes: string[];
+    created_at: string;
+    updated_at: string;
+}
+interface CreateOAuthClientRequest {
+    client_name: string;
+    redirect_uris?: string[];
+    scopes?: string[];
+}
+interface OAuthTokenResponse {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+    token_type: string;
+}
+
+/** Platform identifier for source documents. */
+type Platform = "reddit" | "twitter" | "youtube" | "hn" | (string & {});
+/** Raw ingested content from a platform. */
+interface SourceDocument {
+    id: string;
+    platform: Platform;
+    subreddit: string | null;
+    post_id: string;
+    parent_id: string | null;
+    author: string | null;
+    title: string | null;
+    body: string;
+    score: number;
+    num_comments: number;
+    created_at: string;
+    url: string;
+    embedding: number[] | null;
+}
+/** Atomic extracted problem signal from a source document. */
+interface ProblemMention {
+    id: string;
+    source_document_id: string;
+    source_document_ids: string[];
+    problem_text: string;
+    normalized_problem: string;
+    persona: string | null;
+    context: string | null;
+    /** Range: -1 to 1 */
+    sentiment: number;
+    /** Range: 0 to 1 */
+    frustration: number;
+    /** Range: 0 to 1 */
+    urgency: number;
+    existing_solutions: string[];
+    /** Range: 0 to 1 */
+    dissatisfaction: number;
+    created_at: string;
+}
+/** Canonical grouping of related problem mentions. */
+interface ProblemCluster {
+    id: string;
+    canonical_problem: string;
+    category: string;
+    persona: string;
+    mention_count: number;
+    unique_users: number;
+    avg_sentiment: number;
+    avg_frustration: number;
+    avg_urgency: number;
+    avg_dissatisfaction: number;
+    growth_velocity: number;
+    recency_score: number;
+    opportunity_score: number;
+    example_mentions: string[];
+    created_at: string;
+    updated_at: string;
+}
+/** Maps a problem mention to the cluster it belongs to. */
+interface ProblemClusterMember {
+    problem_cluster_id: string;
+    problem_mention_id: string;
+}
+/** Ambiguous mention flagged for human review. */
+interface ReviewItem {
+    problem_mention_id: string;
+    reason: string;
+}
+/** Detected solution/tool associated with a problem cluster. */
+interface SolutionMention {
+    id: string;
+    problem_cluster_id: string;
+    name: string;
+    sentiment: number;
+    dissatisfaction: number;
+    frequency: number;
+}
+/** Scoring weights used for opportunity scoring. */
+interface ScoringWeights {
+    pain: number;
+    demand: number;
+    growth: number;
+    solution_gap: number;
+    recency: number;
+}
+/** Complete problem intelligence pipeline output. */
+interface ProblemIntelligenceOutput {
+    workflow: "research/problem-intelligence";
+    scope: "global" | "niche";
+    query: string;
+    platforms_queried: string[];
+    total_sources_collected: number;
+    platform_summary: Record<string, number>;
+    ranked_clusters: ProblemCluster[];
+    source_documents: SourceDocument[];
+    problem_mentions: ProblemMention[];
+    clusters: ProblemCluster[];
+    solution_mentions: SolutionMention[];
+    problem_cluster_members?: ProblemClusterMember[];
+    review_items?: ReviewItem[];
+    ideas: unknown[];
+    specs: unknown[];
+    scoring_weights: {
+        opportunity: ScoringWeights;
+        idea: Record<string, number>;
+    };
+    errors: Record<string, string>;
+}
+
+/** AI provider modality. */
+type Modality = "text" | "image" | "audio" | "video" | "embedding" | "classification";
+/** Quality tier for provider routing. */
+type Tier = "basic" | "standard" | "premium";
+/** Capability tag for filtering providers. */
+type CapabilityTag = "reasoning" | "coding" | "creative" | "fast" | "multimodal" | "local" | "structured_output";
+/** A provider capability summary from the registry. */
+interface ProviderCapability {
+    provider_id: string;
+    modality: Modality;
+    model: string;
+    supports_streaming: boolean;
+}
+/** Per-request credentials (BYOK). */
+interface ProviderCredentials {
+    [key: string]: string;
+}
+/** Request to execute a provider. */
+interface ProviderExecuteRequest {
+    modality: Modality;
+    model?: string;
+    tier?: Tier;
+    input: unknown;
+    params?: Record<string, unknown>;
+    provider_id?: string;
+    credentials?: ProviderCredentials;
+    response_schema?: Record<string, unknown>;
+    required_tags?: CapabilityTag[];
+    preferred_tags?: CapabilityTag[];
+}
+/** Response from provider execution. */
+interface ProviderExecuteResponse {
+    provider_id: string;
+    model: string;
+    modality: Modality;
+    output: unknown;
+    usage: {
+        input_tokens: number;
+        output_tokens: number;
+        estimated_cost_usd: number;
+    };
+}
+
+/** An installed domain package. */
+interface Package {
+    name: string;
+    version: string;
+    description: string;
+    operation_prefixes: string[];
+    node_count: number;
+}
+
+/**
+ * Auth resource — stateless.
+ *
+ * All methods RETURN tokens. They do NOT store them on the client.
+ * Socialite is responsible for persisting tokens in cookies/session.
+ */
+
+declare class MfaResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Enroll a new MFA factor (e.g., "totp"). */
+    enroll(factorType: string, friendlyName?: string): Promise<MfaEnrollResponse>;
+    /** Request an MFA challenge for a factor. */
+    challenge(factorId: string): Promise<MfaChallengeResponse>;
+    /** Verify an MFA code. Returns new tokens on success. */
+    verify(factorId: string, challengeId: string, code: string): Promise<MfaVerifyResponse>;
+    /** Remove an MFA factor. */
+    unenroll(factorId: string): Promise<void>;
+}
+declare class AuthResource {
+    private readonly http;
+    readonly mfa: MfaResource;
+    constructor(http: HttpTransport);
+    /** Sign up with email and password. Returns tokens + user. */
+    signup(email: string, password: string): Promise<AuthResponse>;
+    /** Log in with email and password. Returns tokens + user. */
+    login(email: string, password: string): Promise<AuthResponse>;
+    /** Log out (revoke tokens). */
+    logout(): Promise<void>;
+    /** Refresh an access token using a refresh token. */
+    refresh(refreshToken: string): Promise<AuthResponse>;
+    /** Request a magic link email. */
+    magicLink(email: string): Promise<void>;
+    /** Request a password reset email. */
+    forgotPassword(email: string): Promise<void>;
+    /** Reset password with a recovery token. */
+    resetPassword(accessToken: string, newPassword: string): Promise<void>;
+    /** Get the URL for social login redirect (e.g., "google", "github"). */
+    socialLoginUrl(provider: string): string;
+    /** Verify an email address using a verification token. */
+    verify(token: string): Promise<void>;
+}
+
+declare class MeResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Get current principal info. */
+    get(): Promise<MeResponse>;
+    /** List organizations the current user belongs to. */
+    organizations(): Promise<MyOrgSummary[]>;
+    /** List teams the current user belongs to. */
+    teams(): Promise<MyTeamSummary[]>;
+    /** List effective permissions for the current user. */
+    permissions(): Promise<Permission[]>;
+}
+
+declare class OrganizationsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create an organization. */
+    create(opts: CreateOrganizationRequest): Promise<Organization>;
+    /** List organizations (paginated). */
+    list(params?: PaginationParams): Promise<PaginatedResponse<Organization>>;
+    /** Get an organization by ID. */
+    get(orgId: string): Promise<Organization>;
+    /** Update an organization (e.g., rename). */
+    update(orgId: string, opts: UpdateOrganizationRequest): Promise<Organization>;
+    /** Archive an organization (soft-delete). */
+    archive(orgId: string): Promise<Organization>;
+    /** List teams in an organization. */
+    teams(orgId: string, params?: PaginationParams): Promise<PaginatedResponse<Team>>;
+    /** List members in an organization. */
+    members(orgId: string, params?: PaginationParams): Promise<PaginatedResponse<Membership>>;
+    /** List permissions for an organization. */
+    permissions(orgId: string): Promise<Permission[]>;
+    /** Get usage summary for an organization. */
+    usage(orgId: string): Promise<OrgUsageSummary>;
+    /** Get audit logs for an organization. */
+    auditLogs(orgId: string, params?: PaginationParams): Promise<PaginatedResponse<Record<string, unknown>>>;
+    /** Export organization data. */
+    export(orgId: string): Promise<Record<string, unknown>>;
+    /** Request organization deletion. */
+    requestDeletion(orgId: string): Promise<void>;
+    /** Get budget configuration. */
+    getBudget(orgId: string): Promise<OrgBudget>;
+    /** Set budget limit. */
+    setBudget(orgId: string, monthlyLimitUsd: number): Promise<OrgBudget>;
+    /** Get organization settings. */
+    getSettings(orgId: string): Promise<OrgSettings>;
+    /** Update organization settings. */
+    updateSettings(orgId: string, settings: UpdateOrgSettingsRequest): Promise<OrgSettings>;
+    /** Rotate the webhook signing secret (one-time reveal of new secret). */
+    rotateWebhookSecret(orgId: string): Promise<RotateWebhookSecretResponse>;
+    /** Get daily usage rollup with optional grouping (provider, model, workflow). */
+    usageDaily(orgId: string, params?: {
+        from?: string;
+        to?: string;
+        group_by?: string;
+        limit?: number;
+        cursor?: string;
+    }): Promise<PaginatedResponse<UsageDailyEntry>>;
+    /** Get detailed usage records (individual provider executions). */
+    usageRecords(orgId: string): Promise<UsageRecord[]>;
+    /** List secrets for an organization. */
+    listSecrets(orgId: string): Promise<OrgSecret[]>;
+    /** Create a secret. */
+    createSecret(orgId: string, opts: CreateSecretRequest): Promise<OrgSecret>;
+    /** Delete a secret. */
+    deleteSecret(orgId: string, name: string): Promise<void>;
+}
+
+declare class TeamsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create a team within an organization. */
+    create(opts: CreateTeamRequest): Promise<Team>;
+    /** Get a team by ID. */
+    get(teamId: string): Promise<Team>;
+}
+
+/**
+ * SSE (Server-Sent Events) parser for real-time event streaming.
+ *
+ * Uses `fetch` + `ReadableStream` instead of `EventSource` to support
+ * custom headers (auth) and work in both Node.js 18+ and browsers/Edge Runtime.
+ */
+
+interface SSEOptions {
+    /** Full URL to the SSE endpoint. */
+    url: string;
+    /** Headers to send (including auth). */
+    headers: Record<string, string>;
+    /** Resume from a specific event ID (Last-Event-ID header). */
+    lastEventId?: string;
+    /** AbortSignal for cancellation. */
+    signal?: AbortSignal;
+    /** Custom fetch implementation. */
+    fetch?: typeof globalThis.fetch;
+    /** Retry delay in ms from the server's `retry:` directive. */
+    onRetry?: (retryMs: number) => void;
+}
+interface ReconnectingSSEOptions extends SSEOptions {
+    /** Enable auto-reconnection on connection drop (default: false). */
+    reconnect?: boolean;
+    /** Maximum reconnection attempts before giving up (default: 10). */
+    maxReconnectAttempts?: number;
+    /** Base delay in ms for exponential backoff (default: 1000). */
+    reconnectBaseDelayMs?: number;
+    /** Client-side event filter. */
+    filter?: EventStreamFilter;
+}
+interface SSEEvent {
+    /** Event type from the `event:` field. */
+    event?: string;
+    /** Parsed JSON data from the `data:` field. */
+    data: unknown;
+    /** Event ID from the `id:` field. */
+    id?: string;
+}
+/** Handle for a running SSE stream. */
+interface EventStream {
+    /** Abort the stream. */
+    abort(): void;
+    /** Resolves when the stream ends (terminal event, server close, or abort). */
+    readonly done: Promise<void>;
+}
+/** Returns true if the event passes the filter (or if no filter is set). */
+declare function matchesFilter(event: DomainEvent, filter?: EventStreamFilter): boolean;
+/**
+ * Connect to an SSE endpoint with automatic reconnection and client-side filtering.
+ *
+ * On connection drop, reconnects with exponential backoff using the last
+ * received event ID (Last-Event-ID) so the server replays missed events.
+ */
+declare function connectReconnectingSSE<T extends DomainEvent = DomainEvent>(options: ReconnectingSSEOptions, onEvent: (event: T, raw: SSEEvent) => void, onError?: (error: Error) => void): EventStream;
+
+/**
+ * Workflows resource — the core resource for Socialite.
+ *
+ * Nested sub-resources:
+ * - `registry` — CRUD for workflow definitions
+ * - `runs` — execution, streaming, cancellation
+ * - `compose()` — chain multiple workflows
+ */
+
+declare class WorkflowRegistryResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create a workflow definition in the registry. */
+    create(opts: CreateRegistryRequest): Promise<RegistryEntry>;
+    /** List workflows visible to the current org (global + org + team). */
+    list(params?: PaginationParams & {
+        organization_id?: string;
+        team_id?: string;
+    }): Promise<PaginatedResponse<RegistryEntry>>;
+    /** Get a workflow by name (resolves hierarchically: team > org > global). */
+    get(name: string, opts?: {
+        organization_id?: string;
+    }): Promise<RegistryEntry>;
+    /** Delete an org/team-scoped workflow (not global). */
+    delete(name: string, opts?: {
+        organization_id?: string;
+    }): Promise<void>;
+}
+interface StreamEventsOptions {
+    onEvent: EventHandler;
+    onError?: (error: Error) => void;
+    signal?: AbortSignal;
+    lastEventId?: string;
+    /** Client-side event filter. */
+    filter?: EventStreamFilter;
+    /** Enable auto-reconnection on connection drop. */
+    reconnect?: boolean;
+    /** Maximum reconnection attempts (default: 10). */
+    maxReconnectAttempts?: number;
+}
+interface SubmitAndWaitOptions extends SubmitRunRequest {
+    onEvent?: EventHandler;
+    timeoutMs?: number;
+    organization_id?: string;
+    team_id?: string;
+}
+declare class WorkflowRunsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Submit a workflow run. Returns immediately with a run ID. */
+    submit(workflowName: string, opts?: SubmitRunRequest & {
+        organization_id?: string;
+        team_id?: string;
+        idempotencyKey?: string;
+    }): Promise<WorkflowRun>;
+    /** List workflow runs. */
+    list(params?: PaginationParams & {
+        organization_id?: string;
+        team_id?: string;
+    }): Promise<PaginatedResponse<WorkflowRun>>;
+    /** Get a run's status and progress. */
+    get(runId: string): Promise<WorkflowRun>;
+    /** Cancel a running workflow. */
+    cancel(runId: string, reason?: string): Promise<void>;
+    /** Pause a running workflow. */
+    pause(runId: string, reason?: string): Promise<void>;
+    /** Resume a paused workflow. */
+    resume(runId: string): Promise<void>;
+    /** Recover a stalled workflow from its last Sayiir checkpoint. */
+    recover(runId: string): Promise<void>;
+    /** Send an external signal to a waiting workflow (e.g. HITL approval). */
+    signal(runId: string, signalName: string, payload?: Record<string, unknown>): Promise<void>;
+    /** Approve or reject a waiting workflow (convenience wrapper over signal). */
+    approve(runId: string, opts: {
+        approved: boolean;
+        reason?: string;
+        data?: Record<string, unknown>;
+    }): Promise<void>;
+    /** List workflow runs currently waiting for a signal (pending approvals). */
+    listWaiting(params?: {
+        organization_id?: string;
+        team_id?: string;
+    }): Promise<WorkflowRun[]>;
+    /**
+     * Stream SSE events for a workflow run.
+     *
+     * - Replays existing events, then streams live
+     * - Auto-reconnects via Last-Event-ID (when `reconnect: true`)
+     * - Client-side filtering by event kind and node key
+     * - Auto-closes on terminal events (completed/failed/cancelled)
+     *
+     * Returns an EventStream handle for cancellation.
+     */
+    streamEvents(runId: string, opts: StreamEventsOptions): EventStream;
+    /**
+     * Submit a workflow and wait for it to complete.
+     *
+     * Streams events via SSE while waiting. Returns the final WorkflowRun
+     * with status and output.
+     */
+    submitAndWait(workflowName: string, opts: SubmitAndWaitOptions): Promise<WorkflowRun>;
+    /** Get node execution attempts (logs) for a specific node. */
+    getNodeAttempts(runId: string, nodeKey: string): Promise<NodeAttempt[]>;
+    /** List artifacts produced by a workflow run. */
+    artifacts(runId: string): Promise<RunArtifact[]>;
+    /**
+     * List artifacts with signed download URLs for each asset.
+     *
+     * Fetches artifacts, then generates a signed URL for each one that has
+     * an `asset_id`. This is the recommended way for consumers to access
+     * output files (videos, images, audio, text) from completed workflows.
+     *
+     * @example
+     * ```ts
+     * const artifacts = await fabric.workflows.runs.artifactsWithUrls(runId);
+     * for (const a of artifacts) {
+     *   console.log(a.filename, a.download_url); // signed URL ready for download
+     * }
+     * ```
+     */
+    artifactsWithUrls(runId: string, expirySeconds?: number): Promise<RunArtifact[]>;
+    /** Record an artifact produced by a workflow run (called by workers). */
+    recordArtifact(runId: string, artifact: RecordArtifactRequest): Promise<RunArtifact>;
+    /**
+     * Watch a workflow run step-by-step with typed callbacks.
+     *
+     * High-level convenience that composes SSE streaming, client-side
+     * filtering, auto-reconnection, and typed event dispatch.
+     *
+     * @example
+     * ```ts
+     * const watcher = fabric.workflows.runs.watch(runId, {
+     *   nodeKeys: ["transcribe", "render"],
+     *   onNodeStarted: (key) => console.log(`${key} started`),
+     *   onNodeProgress: (key, p) => console.log(`${key}: ${p.percentage}%`),
+     *   onNodeCompleted: (key) => console.log(`${key} done`),
+     *   onNodeFailed: (key, p) => console.error(`${key} failed:`, p),
+     *   onRunCompleted: () => console.log("Workflow finished!"),
+     *   onRunFailed: (p) => console.error("Workflow failed:", p),
+     * });
+     *
+     * // Stop watching early
+     * watcher.abort();
+     *
+     * // Or wait until completion
+     * await watcher.done;
+     * ```
+     */
+    watch(runId: string, opts?: WatchRunOptions): RunWatcher;
+}
+declare class WorkflowsResource {
+    private readonly http;
+    readonly registry: WorkflowRegistryResource;
+    readonly runs: WorkflowRunsResource;
+    constructor(http: HttpTransport);
+    /** Compose multiple workflows into a pipeline. */
+    compose(opts: ComposeWorkflowRequest): Promise<RegistryEntry>;
+    /** Estimate cost of a workflow before running it. */
+    estimate(workflowName: string, opts?: EstimateWorkflowRequest & {
+        organization_id?: string;
+        team_id?: string;
+    }): Promise<WorkflowCostEstimate>;
+}
+
+/**
+ * Events resource — real-time event streaming.
+ */
+
+interface WebSocketConnection {
+    /** Subscribe to events for a specific run. */
+    subscribeToRun(runId: string): void;
+    /** Unsubscribe from run-specific filtering. */
+    unsubscribe(): void;
+    /** Close the WebSocket connection. */
+    close(): void;
+}
+interface WebSocketOptions {
+    onEvent: EventHandler;
+    onError?: (error: Event) => void;
+    onClose?: () => void;
+    /** Client-side event filter. */
+    filter?: EventStreamFilter;
+    /** Callback for server acknowledgements. */
+    onAck?: (ack: WebSocketAck) => void;
+}
+interface StreamOptions {
+    onEvent: EventHandler;
+    onError?: (error: Error) => void;
+    signal?: AbortSignal;
+    lastEventId?: string;
+    /** Client-side event filter. */
+    filter?: EventStreamFilter;
+    /** Enable auto-reconnection on connection drop (default: false). */
+    reconnect?: boolean;
+    /** Maximum reconnection attempts (default: 10). */
+    maxReconnectAttempts?: number;
+}
+declare class EventsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Build fetch wrapper that injects auth headers. */
+    private authFetch;
+    /**
+     * Stream all domain events via SSE.
+     *
+     * This is a long-lived connection — call `stream.abort()` to disconnect.
+     */
+    stream(opts: StreamOptions): EventStream;
+    /**
+     * Stream events for a specific workflow run via SSE.
+     *
+     * Supports client-side filtering by event kind and node key, plus
+     * auto-reconnection with Last-Event-ID replay.
+     */
+    streamRun(runId: string, opts: StreamOptions): EventStream;
+    /**
+     * Stream events for a specific job via SSE.
+     *
+     * A job is a single-node execution. Use this to watch one node
+     * without receiving events from the rest of the workflow.
+     */
+    streamJob(jobId: string, opts: StreamOptions): EventStream;
+    /**
+     * Connect via WebSocket for bidirectional event streaming.
+     *
+     * Supports dynamic run subscription via `subscribeToRun()` / `unsubscribe()`.
+     * Server acknowledgements are typed and delivered via `onAck`.
+     * Only available in environments with WebSocket support (browser, Node.js 21+).
+     */
+    connectWebSocket(opts: WebSocketOptions): WebSocketConnection;
+}
+
+declare class AssetsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /**
+     * Upload an asset (max 100 MB).
+     *
+     * @param data - File data as Blob, ArrayBuffer, or ReadableStream
+     * @param opts - Content type and optional filename
+     */
+    upload(data: Blob | ArrayBuffer | ReadableStream<Uint8Array>, opts?: {
+        contentType?: string;
+        filename?: string;
+        organization_id?: string;
+    }): Promise<Asset>;
+    /** List assets for the current organization. */
+    list(params?: PaginationParams & {
+        organization_id?: string;
+    }): Promise<PaginatedResponse<Asset>>;
+    /** Generate a signed download URL for an asset. */
+    signedUrl(assetId: string, expirySeconds?: number): Promise<SignedUrlResponse>;
+    /** Download an asset by path. Returns the raw Response for streaming. */
+    download(path: string): Promise<Response>;
+}
+
+declare class GalleriesResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create a gallery. */
+    create(opts: CreateGalleryRequest): Promise<Gallery>;
+    /** List galleries. */
+    list(params?: PaginationParams): Promise<PaginatedResponse<Gallery>>;
+    /** Get a gallery by ID. */
+    get(galleryId: string): Promise<Gallery>;
+    /** Delete a gallery. */
+    delete(galleryId: string): Promise<void>;
+    /** Add an item to a gallery. */
+    addItem(galleryId: string, opts: AddGalleryItemRequest): Promise<GalleryItem>;
+    /** List items in a gallery. */
+    listItems(galleryId: string, params?: PaginationParams): Promise<PaginatedResponse<GalleryItem>>;
+    /** Remove an item from a gallery. */
+    removeItem(itemId: string): Promise<void>;
+}
+
+declare class ApiKeysResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create an API key. Returns the raw secret (only shown once). */
+    create(opts: CreateApiKeyRequest): Promise<CreateApiKeyResponse>;
+    /** List API keys. */
+    list(params?: PaginationParams): Promise<PaginatedResponse<ApiKey>>;
+    /** Get an API key by ID. */
+    get(keyId: string): Promise<ApiKey>;
+    /** Delete an API key. */
+    delete(keyId: string): Promise<void>;
+    /** Disable an API key. */
+    disable(keyId: string): Promise<void>;
+    /** Rotate an API key (new secret issued). */
+    rotate(keyId: string): Promise<CreateApiKeyResponse>;
+}
+
+declare class InvitationsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create an invitation. */
+    create(opts: CreateInvitationRequest): Promise<Invitation>;
+    /** Accept an invitation. */
+    accept(invitationId: string): Promise<void>;
+    /** Revoke/cancel an invitation. */
+    revoke(invitationId: string): Promise<void>;
+}
+
+declare class PermissionsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Check a single permission. */
+    check(opts: AuthzCheckRequest): Promise<AuthzCheckResponse>;
+    /** Check multiple permissions in batch. */
+    checkBatch(checks: AuthzCheckRequest[]): Promise<AuthzCheckResponse[]>;
+    /** Grant a permission (ACL entry). */
+    grant(opts: GrantPermissionRequest): Promise<Permission>;
+    /** List permissions. */
+    list(params?: PaginationParams & {
+        resource_type?: string;
+        resource_id?: string;
+    }): Promise<PaginatedResponse<Permission>>;
+    /** Revoke a permission. */
+    revoke(permissionId: string): Promise<void>;
+}
+
+declare class WebhooksResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create a webhook for an organization. */
+    create(orgId: string, opts: CreateWebhookRequest): Promise<Webhook>;
+    /** List webhooks for an organization. */
+    list(orgId: string, params?: PaginationParams): Promise<PaginatedResponse<Webhook>>;
+    /** Get a webhook by ID. */
+    get(webhookId: string): Promise<Webhook>;
+    /** Update a webhook. */
+    update(webhookId: string, opts: UpdateWebhookRequest): Promise<Webhook>;
+    /** Delete a webhook. */
+    delete(webhookId: string): Promise<void>;
+    /** List delivery attempts for a webhook. */
+    deliveries(webhookId: string, params?: PaginationParams): Promise<PaginatedResponse<WebhookDelivery>>;
+}
+
+declare class ServiceAccountsResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create a service account. */
+    create(opts: CreateServiceAccountRequest): Promise<ServiceAccount>;
+    /** List service accounts. */
+    list(params?: PaginationParams): Promise<PaginatedResponse<ServiceAccount>>;
+    /** Get a service account by ID. */
+    get(id: string): Promise<ServiceAccount>;
+    /** Disable a service account. */
+    disable(id: string): Promise<void>;
+    /** Enable a service account. */
+    enable(id: string): Promise<void>;
+    /** Create an API key for a service account. */
+    createApiKey(id: string): Promise<CreateApiKeyResponse>;
+    /** List API keys for a service account. */
+    listApiKeys(id: string): Promise<ApiKey[]>;
+    /** Revoke an API key for a service account. */
+    revokeApiKey(id: string, keyId: string): Promise<void>;
+    /** Rotate an API key for a service account. */
+    rotateApiKey(id: string, keyId: string): Promise<CreateApiKeyResponse>;
+}
+
+declare class OAuthResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create an OAuth client for an organization. */
+    createClient(opts: CreateOAuthClientRequest): Promise<OAuthClient>;
+    /** List OAuth clients. */
+    listClients(): Promise<OAuthClient[]>;
+    /** Delete an OAuth client. */
+    deleteClient(clientId: string): Promise<void>;
+    /** Exchange client credentials for an access token. */
+    token(clientId: string, clientSecret: string): Promise<OAuthTokenResponse>;
+    /** Refresh an access token. */
+    refresh(refreshToken: string): Promise<OAuthTokenResponse>;
+    /** Revoke an OAuth token. */
+    revoke(token: string): Promise<void>;
+}
+
+interface ConcurrencyLimit {
+    id: string;
+    scope: string;
+    max_concurrent_runs: number;
+    created_at: string;
+    updated_at: string;
+}
+declare class AdminResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Bootstrap the system (dev mode: creates org + admin). */
+    bootstrap(): Promise<Record<string, unknown>>;
+    /** List concurrency limits. */
+    listConcurrencyLimits(): Promise<ConcurrencyLimit[]>;
+    /** Set a concurrency limit for a scope (e.g., "org:<uuid>"). */
+    setConcurrencyLimit(scope: string, maxConcurrentRuns: number): Promise<ConcurrencyLimit>;
+    /** Get system information (version, features, uptime). */
+    systemInfo(): Promise<SystemInfo>;
+    /** Get detailed system status (database, event bus health). */
+    systemStatus(): Promise<SystemStatus>;
+    /** List audit logs (standalone, not org-scoped). */
+    auditLogs(params?: PaginationParams): Promise<PaginatedResponse<Record<string, unknown>>>;
+}
+
+declare class SchedulesResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** Create a schedule for a workflow definition. */
+    create(workflowDefId: string, opts: CreateScheduleRequest): Promise<WorkflowSchedule>;
+    /** List schedules for a workflow definition. */
+    list(workflowDefId: string): Promise<WorkflowSchedule[]>;
+    /** Get a schedule by ID. */
+    get(scheduleId: string): Promise<WorkflowSchedule>;
+    /** Update a schedule. */
+    update(scheduleId: string, opts: UpdateScheduleRequest): Promise<WorkflowSchedule>;
+    /** Delete a schedule. */
+    delete(scheduleId: string): Promise<void>;
+    /** Manually trigger a scheduled workflow run. */
+    trigger(scheduleId: string): Promise<{
+        workflow_run_id: string;
+        schedule_id: string;
+        trigger_type: string;
+    }>;
+    /** List run history for a schedule. */
+    history(scheduleId: string): Promise<ScheduleRun[]>;
+}
+
+/**
+ * Providers resource — AI provider execution (feature-gated).
+ *
+ * Exposes modality-based routing to AI providers (text, image, audio, video, etc.)
+ * with BYOK support via per-request credentials.
+ */
+
+declare class ProvidersResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** List all available provider capabilities. */
+    list(): Promise<ProviderCapability[]>;
+    /** Execute a provider (request/response). */
+    execute(request: ProviderExecuteRequest): Promise<ProviderExecuteResponse>;
+    /**
+     * Execute a provider with streaming (SSE).
+     *
+     * Streams token-level chunks during LLM inference.
+     * Events: `chunk` (delta), `complete` (final response + usage), `error`.
+     */
+    executeStream(request: ProviderExecuteRequest, opts: {
+        onChunk: (data: Record<string, unknown>) => void;
+        onComplete?: (data: ProviderExecuteResponse) => void;
+        onError?: (error: Error) => void;
+        signal?: AbortSignal;
+    }): EventStream;
+    /** Estimate the cost of a provider execution before running it. */
+    estimate(request: ProviderExecuteRequest): Promise<number>;
+}
+
+declare class PackagesResource {
+    private readonly http;
+    constructor(http: HttpTransport);
+    /** List all installed domain packages. */
+    list(): Promise<Package[]>;
+}
+
+/**
+ * FabricClient — the main entry point for the SDK.
+ *
+ * Instantiate with a config, then access resources via namespaced properties:
+ *
+ * ```typescript
+ * const fabric = new FabricClient({
+ *   baseUrl: 'https://api.fabric.ai',
+ *   auth: { type: 'api-key', key: 'fab_...' },
+ *   organizationId: 'org-uuid',
+ * });
+ *
+ * const run = await fabric.workflows.runs.submit('research/deep_research', {
+ *   input: { query: 'AI trends' },
+ * });
+ *
+ * const stream = fabric.workflows.runs.streamEvents(run.id, {
+ *   onEvent(event) { console.log(event.kind, event.node_key); },
+ * });
+ * ```
+ */
+
+interface FabricConfig {
+    /** Base URL of the Fabric API. Default: http://localhost:3001 */
+    baseUrl?: string;
+    /**
+     * Authentication strategy.
+     *
+     * - `{ type: 'api-key', key: 'fab_...' }` — API key auth
+     * - `{ type: 'bearer', token: '...' }` — JWT bearer token
+     * - `{ type: 'oauth', clientId, clientSecret }` — OAuth client credentials
+     * - `() => Promise<string>` — dynamic per-request token (e.g., from Next.js cookies)
+     */
+    auth?: AuthConfig;
+    /** Default organization ID for scoped requests. */
+    organizationId?: string;
+    /** Default team ID for scoped requests. */
+    teamId?: string;
+    /** Request timeout in milliseconds. Default: 30000 */
+    timeout?: number;
+    /** Custom fetch implementation (e.g., Next.js enhanced fetch for caching). */
+    fetch?: typeof globalThis.fetch;
+    /** Log all requests and responses to console. */
+    debug?: boolean;
+    /** Called before each request. Use for logging, metrics, tracing. */
+    onRequest?: RequestInterceptor;
+    /** Called after each response. Use for logging, metrics, tracing. */
+    onResponse?: ResponseInterceptor;
+}
+declare class FabricClient {
+    readonly auth: AuthResource;
+    readonly me: MeResource;
+    readonly organizations: OrganizationsResource;
+    readonly teams: TeamsResource;
+    readonly workflows: WorkflowsResource;
+    readonly events: EventsResource;
+    readonly assets: AssetsResource;
+    readonly galleries: GalleriesResource;
+    readonly apiKeys: ApiKeysResource;
+    readonly invitations: InvitationsResource;
+    readonly permissions: PermissionsResource;
+    readonly webhooks: WebhooksResource;
+    readonly serviceAccounts: ServiceAccountsResource;
+    readonly oauth: OAuthResource;
+    readonly admin: AdminResource;
+    readonly schedules: SchedulesResource;
+    readonly providers: ProvidersResource;
+    readonly packages: PackagesResource;
+    constructor(config?: FabricConfig);
+}
+
+/**
+ * Typed error classes mapping to Fabric API error responses.
+ *
+ * The HTTP transport parses the envelope's `error.code` and `error.message`
+ * and throws the appropriate subclass, allowing consumers to catch specific
+ * error types:
+ *
+ * ```typescript
+ * try {
+ *   await fabric.organizations.create({ name: 'Acme' });
+ * } catch (e) {
+ *   if (e instanceof FabricConflictError) { // slug taken }
+ *   if (e instanceof FabricAuthError) { // re-authenticate }
+ * }
+ * ```
+ */
+interface FabricErrorParams {
+    code: string;
+    status: number;
+    message: string;
+    requestId?: string;
+    traceId?: string;
+}
+declare class FabricError extends Error {
+    readonly code: string;
+    readonly status: number;
+    readonly requestId?: string;
+    readonly traceId?: string;
+    constructor(params: FabricErrorParams);
+}
+/** 400 Bad Request / 422 Unprocessable Entity */
+declare class FabricValidationError extends FabricError {
+    constructor(params: FabricErrorParams);
+}
+/** 401 Unauthorized */
+declare class FabricAuthError extends FabricError {
+    constructor(params: FabricErrorParams);
+}
+/** 403 Forbidden */
+declare class FabricForbiddenError extends FabricError {
+    constructor(params: FabricErrorParams);
+}
+/** 404 Not Found */
+declare class FabricNotFoundError extends FabricError {
+    constructor(params: FabricErrorParams);
+}
+/** 409 Conflict */
+declare class FabricConflictError extends FabricError {
+    constructor(params: FabricErrorParams);
+}
+/** 429 Too Many Requests */
+declare class FabricRateLimitError extends FabricError {
+    readonly retryAfterMs?: number;
+    constructor(params: FabricErrorParams & {
+        retryAfterMs?: number;
+    });
+}
+/** 5xx Server Error */
+declare class FabricServerError extends FabricError {
+    constructor(params: FabricErrorParams);
+}
+
+/**
+ * Webhook signature verification utility.
+ *
+ * The Fabric backend signs every webhook delivery with HMAC-SHA256.
+ * Headers sent with each delivery:
+ * - `X-Fabric-Signature`: `sha256=<hex>` — HMAC of the raw body
+ * - `X-Fabric-Event`: event kind (e.g. `workflow.run.completed`)
+ * - `X-Fabric-Delivery`: unique delivery/event ID
+ *
+ * Works in both Node.js 18+ and browsers via Web Crypto API.
+ */
+
+/** Headers sent with each webhook delivery. */
+interface WebhookHeaders {
+    "x-fabric-signature": string;
+    "x-fabric-event": string;
+    "x-fabric-delivery": string;
+}
+/**
+ * Verify a webhook signature.
+ *
+ * @param rawBody - The raw request body string (do NOT parse before verifying)
+ * @param signature - The `X-Fabric-Signature` header value (format: `sha256=<hex>`)
+ * @param secret - Your webhook signing secret
+ * @returns `true` if the signature is valid
+ *
+ * @example
+ * ```ts
+ * import { verifyWebhookSignature } from "@fabric-platform/sdk";
+ *
+ * app.post("/webhook", async (req, res) => {
+ *   const rawBody = req.body; // must be the raw string
+ *   const sig = req.headers["x-fabric-signature"];
+ *   if (!await verifyWebhookSignature(rawBody, sig, process.env.WEBHOOK_SECRET!)) {
+ *     return res.status(401).send("Invalid signature");
+ *   }
+ *   // safe to process
+ * });
+ * ```
+ */
+declare function verifyWebhookSignature(rawBody: string, signature: string, secret: string): Promise<boolean>;
+/**
+ * Verify the signature and parse the webhook payload in one call (Stripe pattern).
+ *
+ * Throws if the signature is invalid.
+ *
+ * @param rawBody - The raw request body string
+ * @param signature - The `X-Fabric-Signature` header value
+ * @param secret - Your webhook signing secret
+ * @returns The parsed and typed `DomainEvent`
+ *
+ * @example
+ * ```ts
+ * import { constructWebhookEvent } from "@fabric-platform/sdk";
+ *
+ * app.post("/webhook", async (req, res) => {
+ *   let event;
+ *   try {
+ *     event = await constructWebhookEvent(
+ *       req.body,
+ *       req.headers["x-fabric-signature"]!,
+ *       process.env.WEBHOOK_SECRET!,
+ *     );
+ *   } catch {
+ *     return res.status(401).send("Invalid signature");
+ *   }
+ *
+ *   switch (event.kind) {
+ *     case "workflow.run.completed":
+ *       console.log("Run completed:", event.run_id);
+ *       break;
+ *     case "workflow.run.failed":
+ *       console.error("Run failed:", event.payload);
+ *       break;
+ *   }
+ *   res.sendStatus(200);
+ * });
+ * ```
+ */
+declare function constructWebhookEvent(rawBody: string, signature: string, secret: string): Promise<DomainEvent>;
+
+/**
+ * Backwards-compatible event logger from the original SDK.
+ *
+ * Usage:
+ * ```typescript
+ * import { logEvents } from '@fabric-platform/sdk';
+ * fabric.workflows.runs.streamEvents(runId, { onEvent: logEvents });
+ * ```
+ */
+
+/** Built-in event logger — prints workflow progress to the console. */
+declare const logEvents: (event: DomainEvent) => void;
+
+export { type AddGalleryItemRequest, AdminResource, type ApiKey, ApiKeysResource, type Asset, type AssetKind, AssetsResource, type AuthConfig, AuthResource, type AuthResponse, type AuthStrategy, type AuthUser, type AuthzCheckRequest, type AuthzCheckResponse, type CapabilityTag, type ComposeWorkflowRequest, type ConcurrencyLimit, type CreateApiKeyRequest, type CreateApiKeyResponse, type CreateGalleryRequest, type CreateInvitationRequest, type CreateOAuthClientRequest, type CreateOrganizationRequest, type CreateRegistryRequest, type CreateScheduleRequest, type CreateSecretRequest, type CreateServiceAccountRequest, type CreateTeamRequest, type CreateWebhookRequest, type DomainEvent, type Envelope, type ErrorBody, type EstimateWorkflowRequest, type EventHandler, type EventKind, type EventStream, type EventStreamFilter, EventsResource, FabricAuthError, FabricClient, type FabricConfig, FabricConflictError, FabricError, type FabricErrorParams, FabricForbiddenError, FabricNotFoundError, FabricRateLimitError, FabricServerError, FabricValidationError, GalleriesResource, type Gallery, type GalleryItem, type GrantPermissionRequest, type HistoricalCostSummary, type Invitation, type InvitationStatus, InvitationsResource, MeResource, type MeResponse, type Membership, type Meta, type MfaChallengeResponse, type MfaEnrollResponse, type MfaVerifyResponse, type Modality, type MyOrgSummary, type MyTeamSummary, NODE_EVENT_KINDS, type NodeAttempt, type NodeCostHint, type OAuthClient, OAuthResource, type OAuthTokenResponse, type OrgBudget, type OrgSecret, type OrgSettings, type OrgUsageSummary, type Organization, OrganizationsResource, type Package, PackagesResource, type PaginatedData, type PaginatedResponse, type Pagination, type PaginationParams, type Permission, type PermissionEffect, PermissionsResource, type Platform, type ProblemCluster, type ProblemClusterMember, type ProblemIntelligenceOutput, type ProblemMention, type ProviderCapability, type ProviderCredentials, type ProviderExecuteRequest, type ProviderExecuteResponse, ProvidersResource, type ReconnectingSSEOptions, type RecordArtifactRequest, type RegistryEntry, type RequestContext, type RequestInterceptor, type ResponseInterceptor, type ReviewItem, type Role, type RotateWebhookSecretResponse, type RunArtifact, type RunProgress, type RunStatus, type RunWatcher, type SSEEvent, type ScheduleRun, SchedulesResource, type ScoringWeights, type ServiceAccount, ServiceAccountsResource, type SignedUrlResponse, type SolutionMention, type SourceDocument, type StreamEventsOptions, type StreamOptions, type SubmitAndWaitOptions, type SubmitRunRequest, type SystemInfo, type SystemStatus, TERMINAL_RUN_EVENTS, type Team, TeamsResource, type Tier, type UpdateOrgSettingsRequest, type UpdateOrganizationRequest, type UpdateScheduleRequest, type UpdateWebhookRequest, type UsageDailyEntry, type UsageRecord, type WatchRunOptions, type WebSocketAck, type WebSocketCommand, type WebSocketConnection, type WebSocketOptions, type Webhook, type WebhookDelivery, type WebhookHeaders, type WebhookResourceFilter, WebhooksResource, type WorkflowCostEstimate, type WorkflowLanguage, WorkflowRegistryResource, type WorkflowRun, WorkflowRunsResource, type WorkflowSchedule, type WorkflowSource, WorkflowsResource, connectReconnectingSSE, constructWebhookEvent, logEvents, matchesFilter, paginate, paginateAll, paginateItems, verifyWebhookSignature };