@fabric-platform/sdk 0.2.2

package/dist/index.js

@@ -0,0 +1,1921 @@
+// src/auth.ts
+async function resolveAuthHeader(auth, _opts) {
+  if (!auth) return void 0;
+  if (typeof auth === "function") {
+    const token = await auth();
+    return `Bearer ${token}`;
+  }
+  switch (auth.type) {
+    case "api-key":
+      return `Bearer ${auth.key}`;
+    case "bearer":
+      return `Bearer ${auth.token}`;
+    case "oauth":
+      return void 0;
+  }
+}
+var OAuthTokenManager = class {
+  constructor(clientId, clientSecret, tokenUrl, fetchFn = globalThis.fetch) {
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    this.tokenUrl = tokenUrl;
+    this.fetchFn = fetchFn;
+  }
+  cachedToken;
+  expiresAt = 0;
+  async getToken() {
+    if (this.cachedToken && Date.now() < this.expiresAt - 3e4) {
+      return this.cachedToken;
+    }
+    const res = await this.fetchFn(this.tokenUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "client_credentials",
+        client_id: this.clientId,
+        client_secret: this.clientSecret
+      })
+    });
+    if (!res.ok) {
+      throw new Error(`OAuth token exchange failed: ${res.status} ${res.statusText}`);
+    }
+    const body = await res.json();
+    const accessToken = body.data?.access_token ?? body.access_token;
+    const expiresIn = body.data?.expires_in ?? body.expires_in ?? 900;
+    if (!accessToken) {
+      throw new Error("OAuth token exchange returned no access_token");
+    }
+    this.cachedToken = accessToken;
+    this.expiresAt = Date.now() + expiresIn * 1e3;
+    return accessToken;
+  }
+};
+
+// src/errors.ts
+var FabricError = class extends Error {
+  code;
+  status;
+  requestId;
+  traceId;
+  constructor(params) {
+    super(params.message);
+    this.name = "FabricError";
+    this.code = params.code;
+    this.status = params.status;
+    this.requestId = params.requestId;
+    this.traceId = params.traceId;
+  }
+};
+var FabricValidationError = class extends FabricError {
+  constructor(params) {
+    super(params);
+    this.name = "FabricValidationError";
+  }
+};
+var FabricAuthError = class extends FabricError {
+  constructor(params) {
+    super(params);
+    this.name = "FabricAuthError";
+  }
+};
+var FabricForbiddenError = class extends FabricError {
+  constructor(params) {
+    super(params);
+    this.name = "FabricForbiddenError";
+  }
+};
+var FabricNotFoundError = class extends FabricError {
+  constructor(params) {
+    super(params);
+    this.name = "FabricNotFoundError";
+  }
+};
+var FabricConflictError = class extends FabricError {
+  constructor(params) {
+    super(params);
+    this.name = "FabricConflictError";
+  }
+};
+var FabricRateLimitError = class extends FabricError {
+  retryAfterMs;
+  constructor(params) {
+    super(params);
+    this.name = "FabricRateLimitError";
+    this.retryAfterMs = params.retryAfterMs;
+  }
+};
+var FabricServerError = class extends FabricError {
+  constructor(params) {
+    super(params);
+    this.name = "FabricServerError";
+  }
+};
+function createFabricError(params) {
+  switch (true) {
+    case params.status === 401:
+      return new FabricAuthError(params);
+    case params.status === 403:
+      return new FabricForbiddenError(params);
+    case params.status === 404:
+      return new FabricNotFoundError(params);
+    case params.status === 409:
+      return new FabricConflictError(params);
+    case params.status === 429:
+      return new FabricRateLimitError(params);
+    case (params.status >= 400 && params.status < 500):
+      return new FabricValidationError(params);
+    case params.status >= 500:
+      return new FabricServerError(params);
+    default:
+      return new FabricError(params);
+  }
+}
+
+// src/http.ts
+var HttpTransport = class {
+  baseUrl;
+  auth;
+  organizationId;
+  teamId;
+  timeoutMs;
+  fetchFn;
+  retryConfig;
+  debug;
+  onRequest;
+  onResponse;
+  oauthManager;
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.auth = config.auth;
+    this.organizationId = config.organizationId;
+    this.teamId = config.teamId;
+    this.timeoutMs = config.timeout ?? 3e4;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+    this.retryConfig = config.retry ?? { maxRetries: 2, baseDelayMs: 1e3 };
+    this.debug = config.debug ?? false;
+    this.onRequest = config.onRequest;
+    this.onResponse = config.onResponse;
+    if (config.auth && typeof config.auth !== "function" && config.auth.type === "oauth") {
+      this.oauthManager = new OAuthTokenManager(
+        config.auth.clientId,
+        config.auth.clientSecret,
+        `${this.baseUrl}/v1/oauth/token`,
+        this.fetchFn
+      );
+    }
+  }
+  /** Getters for context values (used by resources). */
+  getOrganizationId() {
+    return this.organizationId;
+  }
+  getTeamId() {
+    return this.teamId;
+  }
+  getBaseUrl() {
+    return this.baseUrl;
+  }
+  /** Make a request and unwrap the envelope, returning `data`. */
+  async request(method, path, opts) {
+    const res = await this.doFetch(method, path, opts);
+    const envelope = await res.json();
+    this.throwIfError(envelope, res);
+    return envelope.data;
+  }
+  /** Make a request and unwrap a paginated envelope. */
+  async requestPaginated(method, path, opts) {
+    const res = await this.doFetch(method, path, opts);
+    const envelope = await res.json();
+    if (envelope.error) {
+      throw createFabricError({
+        code: envelope.error.code,
+        status: envelope.meta.status,
+        message: envelope.error.message,
+        requestId: envelope.meta.request_id,
+        traceId: envelope.meta.trace_id
+      });
+    }
+    return {
+      items: envelope.data?.items ?? [],
+      pagination: envelope.data?.pagination ?? { count: 0, has_more: false }
+    };
+  }
+  /** Make a request and return the raw Response (for SSE, file uploads, etc). */
+  async requestRaw(method, path, opts) {
+    return this.doFetch(method, path, opts);
+  }
+  /** Build full headers for a request (used by streaming). */
+  async buildHeaders(extra) {
+    const headers = {
+      "Content-Type": "application/json",
+      ...extra
+    };
+    const authHeader = await this.resolveAuth();
+    if (authHeader) headers["Authorization"] = authHeader;
+    return headers;
+  }
+  // ── Internal ──────────────────────────────────────────────────────
+  async doFetch(method, path, opts) {
+    const url = this.buildUrl(path, opts?.query);
+    const headers = await this.buildHeaders(opts?.headers);
+    if (opts?.idempotencyKey) {
+      headers["idempotency-key"] = opts.idempotencyKey;
+    }
+    if (!headers["x-request-id"] && !headers["X-Request-ID"]) {
+      headers["X-Request-ID"] = generateRequestId();
+    }
+    if (method === "GET" || method === "DELETE") {
+      delete headers["Content-Type"];
+    }
+    await this.onRequest?.(method, url, headers);
+    if (this.debug) {
+      console.debug(`[fabric] ${method} ${url}`);
+    }
+    const init = {
+      method,
+      headers,
+      body: opts?.body !== void 0 ? JSON.stringify(opts.body) : void 0,
+      signal: opts?.signal ?? AbortSignal.timeout(this.timeoutMs),
+      ...opts?.requestInit
+    };
+    const start = Date.now();
+    const res = await this.fetchWithRetry(url, init);
+    const durationMs = Date.now() - start;
+    await this.onResponse?.(method, url, res.status, durationMs);
+    if (this.debug) {
+      console.debug(`[fabric] ${method} ${url} \u2192 ${res.status} (${durationMs}ms)`);
+    }
+    return res;
+  }
+  async fetchWithRetry(url, init) {
+    let lastError;
+    for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
+      try {
+        const res = await this.fetchFn(url, init);
+        if (res.status !== 429 || attempt >= this.retryConfig.maxRetries) {
+          return res;
+        }
+        const retryAfter = res.headers.get("retry-after");
+        const delayMs = retryAfter ? parseInt(retryAfter, 10) * 1e3 : this.retryConfig.baseDelayMs * Math.pow(2, attempt);
+        await sleep(delayMs);
+      } catch (err) {
+        if (err instanceof DOMException && err.name === "AbortError") throw err;
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt >= this.retryConfig.maxRetries) break;
+        await sleep(this.retryConfig.baseDelayMs * Math.pow(2, attempt));
+      }
+    }
+    throw lastError ?? new Error("Request failed after retries");
+  }
+  async resolveAuth() {
+    if (this.oauthManager) {
+      const token = await this.oauthManager.getToken();
+      return `Bearer ${token}`;
+    }
+    return resolveAuthHeader(this.auth);
+  }
+  buildUrl(path, query) {
+    let url = `${this.baseUrl}${path}`;
+    const params = new URLSearchParams();
+    if (query) {
+      for (const [key, value] of Object.entries(query)) {
+        if (value !== void 0) params.set(key, String(value));
+      }
+    }
+    const qs = params.toString();
+    if (qs) url += (url.includes("?") ? "&" : "?") + qs;
+    return url;
+  }
+  throwIfError(envelope, res) {
+    if (envelope.error) {
+      const retryAfterHeader = res.headers.get("retry-after");
+      const retryAfterMs = retryAfterHeader ? parseInt(retryAfterHeader, 10) * 1e3 : void 0;
+      throw createFabricError({
+        code: envelope.error.code,
+        status: envelope.meta.status,
+        message: envelope.error.message,
+        requestId: envelope.meta.request_id,
+        traceId: envelope.meta.trace_id,
+        retryAfterMs
+      });
+    }
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function generateRequestId() {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+
+// src/resources/auth.resource.ts
+var MfaResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Enroll a new MFA factor (e.g., "totp"). */
+  async enroll(factorType, friendlyName) {
+    return this.http.request("POST", "/v1/auth/mfa/enroll", {
+      body: { factor_type: factorType, friendly_name: friendlyName }
+    });
+  }
+  /** Request an MFA challenge for a factor. */
+  async challenge(factorId) {
+    return this.http.request("POST", "/v1/auth/mfa/challenge", {
+      body: { factor_id: factorId }
+    });
+  }
+  /** Verify an MFA code. Returns new tokens on success. */
+  async verify(factorId, challengeId, code) {
+    return this.http.request("POST", "/v1/auth/mfa/verify", {
+      body: { factor_id: factorId, challenge_id: challengeId, code }
+    });
+  }
+  /** Remove an MFA factor. */
+  async unenroll(factorId) {
+    await this.http.request("DELETE", "/v1/auth/mfa/unenroll", {
+      body: { factor_id: factorId }
+    });
+  }
+};
+var AuthResource = class {
+  constructor(http) {
+    this.http = http;
+    this.mfa = new MfaResource(http);
+  }
+  mfa;
+  /** Sign up with email and password. Returns tokens + user. */
+  async signup(email, password) {
+    return this.http.request("POST", "/v1/auth/signup", {
+      body: { email, password }
+    });
+  }
+  /** Log in with email and password. Returns tokens + user. */
+  async login(email, password) {
+    return this.http.request("POST", "/v1/auth/login", {
+      body: { email, password }
+    });
+  }
+  /** Log out (revoke tokens). */
+  async logout() {
+    await this.http.request("POST", "/v1/auth/logout", { body: {} });
+  }
+  /** Refresh an access token using a refresh token. */
+  async refresh(refreshToken) {
+    return this.http.request("POST", "/v1/auth/token/refresh", {
+      body: { refresh_token: refreshToken }
+    });
+  }
+  /** Request a magic link email. */
+  async magicLink(email) {
+    await this.http.request("POST", "/v1/auth/magic-link", {
+      body: { email }
+    });
+  }
+  /** Request a password reset email. */
+  async forgotPassword(email) {
+    await this.http.request("POST", "/v1/auth/forgot-password", {
+      body: { email }
+    });
+  }
+  /** Reset password with a recovery token. */
+  async resetPassword(accessToken, newPassword) {
+    await this.http.request("POST", "/v1/auth/reset-password", {
+      body: { access_token: accessToken, new_password: newPassword }
+    });
+  }
+  /** Get the URL for social login redirect (e.g., "google", "github"). */
+  socialLoginUrl(provider) {
+    return `${this.http.getBaseUrl()}/v1/auth/social/${encodeURIComponent(provider)}`;
+  }
+  /** Verify an email address using a verification token. */
+  async verify(token) {
+    await this.http.request("GET", "/v1/auth/verify", {
+      query: { token }
+    });
+  }
+};
+
+// src/resources/me.resource.ts
+var MeResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Get current principal info. */
+  async get() {
+    return this.http.request("GET", "/v1/me");
+  }
+  /** List organizations the current user belongs to. */
+  async organizations() {
+    return this.http.request("GET", "/v1/me/organizations");
+  }
+  /** List teams the current user belongs to. */
+  async teams() {
+    return this.http.request("GET", "/v1/me/teams");
+  }
+  /** List effective permissions for the current user. */
+  async permissions() {
+    return this.http.request("GET", "/v1/me/permissions");
+  }
+};
+
+// src/resources/organizations.resource.ts
+var OrganizationsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create an organization. */
+  async create(opts) {
+    return this.http.request("POST", "/v1/organizations", { body: opts });
+  }
+  /** List organizations (paginated). */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/organizations", {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Get an organization by ID. */
+  async get(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}`);
+  }
+  /** Update an organization (e.g., rename). */
+  async update(orgId, opts) {
+    return this.http.request("PUT", `/v1/organizations/${orgId}`, { body: opts });
+  }
+  /** Archive an organization (soft-delete). */
+  async archive(orgId) {
+    return this.http.request("POST", `/v1/organizations/${orgId}/archive`, { body: {} });
+  }
+  /** List teams in an organization. */
+  async teams(orgId, params) {
+    return this.http.requestPaginated("GET", `/v1/organizations/${orgId}/teams`, {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** List members in an organization. */
+  async members(orgId, params) {
+    return this.http.requestPaginated("GET", `/v1/organizations/${orgId}/members`, {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** List permissions for an organization. */
+  async permissions(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}/permissions`);
+  }
+  /** Get usage summary for an organization. */
+  async usage(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}/usage`);
+  }
+  /** Get audit logs for an organization. */
+  async auditLogs(orgId, params) {
+    return this.http.requestPaginated("GET", `/v1/organizations/${orgId}/audit-logs`, {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Export organization data. */
+  async export(orgId) {
+    return this.http.request("POST", `/v1/organizations/${orgId}/export`, { body: {} });
+  }
+  /** Request organization deletion. */
+  async requestDeletion(orgId) {
+    await this.http.request("POST", `/v1/organizations/${orgId}/delete`, { body: {} });
+  }
+  // ── Budget ────────────────────────────────────────────────────────
+  /** Get budget configuration. */
+  async getBudget(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}/budget`);
+  }
+  /** Set budget limit. */
+  async setBudget(orgId, monthlyLimitUsd) {
+    return this.http.request("PUT", `/v1/organizations/${orgId}/budget`, {
+      body: { monthly_limit_usd: monthlyLimitUsd }
+    });
+  }
+  // ── Settings ─────────────────────────────────────────────────────
+  /** Get organization settings. */
+  async getSettings(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}/settings`);
+  }
+  /** Update organization settings. */
+  async updateSettings(orgId, settings) {
+    return this.http.request("PUT", `/v1/organizations/${orgId}/settings`, {
+      body: settings
+    });
+  }
+  /** Rotate the webhook signing secret (one-time reveal of new secret). */
+  async rotateWebhookSecret(orgId) {
+    return this.http.request("POST", `/v1/organizations/${orgId}/settings/webhook/rotate-secret`, {
+      body: {}
+    });
+  }
+  // ── Usage details ───────────────────────────────────────────────
+  /** Get daily usage rollup with optional grouping (provider, model, workflow). */
+  async usageDaily(orgId, params) {
+    return this.http.requestPaginated("GET", `/v1/organizations/${orgId}/usage/daily`, {
+      query: {
+        from: params?.from,
+        to: params?.to,
+        group_by: params?.group_by,
+        limit: params?.limit,
+        cursor: params?.cursor
+      }
+    });
+  }
+  /** Get detailed usage records (individual provider executions). */
+  async usageRecords(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}/usage/records`);
+  }
+  // ── Secrets ───────────────────────────────────────────────────────
+  /** List secrets for an organization. */
+  async listSecrets(orgId) {
+    return this.http.request("GET", `/v1/organizations/${orgId}/secrets`);
+  }
+  /** Create a secret. */
+  async createSecret(orgId, opts) {
+    return this.http.request("POST", `/v1/organizations/${orgId}/secrets`, { body: opts });
+  }
+  /** Delete a secret. */
+  async deleteSecret(orgId, name) {
+    await this.http.request("DELETE", `/v1/organizations/${orgId}/secrets/${encodeURIComponent(name)}`);
+  }
+};
+
+// src/resources/teams.resource.ts
+var TeamsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create a team within an organization. */
+  async create(opts) {
+    return this.http.request("POST", "/v1/teams", { body: opts });
+  }
+  /** Get a team by ID. */
+  async get(teamId) {
+    return this.http.request("GET", `/v1/teams/${teamId}`);
+  }
+};
+
+// src/types/events.ts
+var TERMINAL_RUN_EVENTS = [
+  "workflow.run.completed",
+  "workflow.run.failed",
+  "workflow.run.cancelled"
+];
+var NODE_EVENT_KINDS = [
+  "workflow.node.ready",
+  "workflow.node.claimed",
+  "workflow.node.started",
+  "workflow.node.progress",
+  "workflow.node.completed",
+  "workflow.node.failed",
+  "workflow.node.retried",
+  "workflow.node.skipped",
+  "workflow.node.cancelled",
+  "workflow.node.waiting_for_event",
+  "workflow.node.resumed"
+];
+
+// src/streaming.ts
+function connectSSE(options, onEvent, onError) {
+  const controller = new AbortController();
+  const fetchFn = options.fetch ?? globalThis.fetch;
+  const signal = options.signal ? combineSignals(options.signal, controller.signal) : controller.signal;
+  const done = (async () => {
+    const headers = {
+      ...options.headers,
+      Accept: "text/event-stream",
+      "Cache-Control": "no-cache"
+    };
+    if (options.lastEventId) {
+      headers["Last-Event-ID"] = options.lastEventId;
+    }
+    let res;
+    try {
+      res = await fetchFn(options.url, { headers, signal });
+    } catch (err) {
+      if (!isAbortError(err)) {
+        onError?.(err instanceof Error ? err : new Error(String(err)));
+      }
+      return;
+    }
+    if (!res.ok) {
+      onError?.(new Error(`SSE connection failed: ${res.status} ${res.statusText}`));
+      return;
+    }
+    const reader = res.body?.getReader();
+    if (!reader) {
+      onError?.(new Error("SSE response has no body"));
+      return;
+    }
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let currentEvent = {};
+    let dataLines = [];
+    try {
+      while (true) {
+        const { done: streamDone, value } = await reader.read();
+        if (streamDone) break;
+        buffer += decoder.decode(value, { stream: true });
+        const lines = buffer.split("\n");
+        buffer = lines.pop() ?? "";
+        for (const line of lines) {
+          if (line === "") {
+            if (dataLines.length > 0) {
+              const dataStr = dataLines.join("\n");
+              let parsed;
+              try {
+                parsed = JSON.parse(dataStr);
+              } catch {
+                parsed = dataStr;
+              }
+              const sseEvent = {
+                event: currentEvent.event,
+                data: parsed,
+                id: currentEvent.id
+              };
+              onEvent(parsed, sseEvent);
+            }
+            currentEvent = {};
+            dataLines = [];
+          } else if (line.startsWith("data:")) {
+            dataLines.push(line.slice(line[5] === " " ? 6 : 5));
+          } else if (line.startsWith("event:")) {
+            currentEvent.event = line.slice(line[6] === " " ? 7 : 6);
+          } else if (line.startsWith("id:")) {
+            currentEvent.id = line.slice(line[3] === " " ? 4 : 3);
+          } else if (line.startsWith("retry:")) {
+            const ms = parseInt(line.slice(line[6] === " " ? 7 : 6), 10);
+            if (!isNaN(ms)) options.onRetry?.(ms);
+          }
+        }
+      }
+    } catch (err) {
+      if (!isAbortError(err)) {
+        onError?.(err instanceof Error ? err : new Error(String(err)));
+      }
+    } finally {
+      try {
+        reader.releaseLock();
+      } catch {
+      }
+    }
+  })();
+  return {
+    abort() {
+      controller.abort();
+    },
+    done
+  };
+}
+function isAbortError(err) {
+  return err instanceof DOMException && err.name === "AbortError";
+}
+function combineSignals(a, b) {
+  const controller = new AbortController();
+  const onAbort = () => controller.abort();
+  a.addEventListener("abort", onAbort, { once: true });
+  b.addEventListener("abort", onAbort, { once: true });
+  if (a.aborted || b.aborted) controller.abort();
+  return controller.signal;
+}
+function matchesFilter(event, filter) {
+  if (!filter) return true;
+  if (filter.kinds && filter.kinds.length > 0) {
+    if (!filter.kinds.includes(event.kind)) return false;
+  }
+  if (filter.nodeKeys && filter.nodeKeys.length > 0) {
+    if (event.node_key && !filter.nodeKeys.includes(event.node_key)) return false;
+  }
+  return true;
+}
+function connectReconnectingSSE(options, onEvent, onError) {
+  const controller = new AbortController();
+  const maxAttempts = options.maxReconnectAttempts ?? 10;
+  const baseDelay = options.reconnectBaseDelayMs ?? 1e3;
+  let lastEventId = options.lastEventId;
+  let serverRetryMs;
+  const done = (async () => {
+    let attempts = 0;
+    while (!controller.signal.aborted) {
+      let streamEndedCleanly = false;
+      const innerStream = connectSSE(
+        {
+          ...options,
+          lastEventId,
+          signal: controller.signal
+        },
+        (event, raw) => {
+          if (raw.id) lastEventId = raw.id;
+          attempts = 0;
+          if (!matchesFilter(event, options.filter)) return;
+          onEvent(event, raw);
+        },
+        (error) => {
+          if (!controller.signal.aborted) {
+            onError?.(error);
+          }
+        }
+      );
+      const origOnRetry = options.onRetry;
+      options.onRetry = (ms) => {
+        serverRetryMs = ms;
+        origOnRetry?.(ms);
+      };
+      await innerStream.done;
+      streamEndedCleanly = true;
+      if (controller.signal.aborted || !options.reconnect) break;
+      attempts++;
+      if (attempts > maxAttempts) {
+        onError?.(new Error(`SSE reconnection failed after ${maxAttempts} attempts`));
+        break;
+      }
+      const delay = serverRetryMs ?? baseDelay * Math.pow(2, Math.min(attempts - 1, 6));
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  })();
+  return {
+    abort() {
+      controller.abort();
+    },
+    done
+  };
+}
+
+// src/resources/workflows.resource.ts
+var WorkflowRegistryResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create a workflow definition in the registry. */
+  async create(opts) {
+    return this.http.request("POST", "/v1/workflow-registry", {
+      body: {
+        name: opts.name,
+        language: opts.language,
+        source: opts.source,
+        entry_point: opts.entry_point,
+        compose_from: opts.compose_from,
+        config: opts.config,
+        version: opts.version,
+        worker_tags: opts.worker_tags,
+        input_schema: opts.input_schema,
+        output_schema: opts.output_schema,
+        description: opts.description
+      }
+    });
+  }
+  /** List workflows visible to the current org (global + org + team). */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/workflow-registry", {
+      query: {
+        limit: params?.limit,
+        cursor: params?.cursor,
+        organization_id: params?.organization_id ?? this.http.getOrganizationId(),
+        team_id: params?.team_id ?? this.http.getTeamId()
+      }
+    });
+  }
+  /** Get a workflow by name (resolves hierarchically: team > org > global). */
+  async get(name, opts) {
+    const orgId = opts?.organization_id ?? this.http.getOrganizationId();
+    return this.http.request("GET", `/v1/workflow-registry/${encodeURIComponent(name)}`, {
+      query: { organization_id: orgId }
+    });
+  }
+  /** Delete an org/team-scoped workflow (not global). */
+  async delete(name, opts) {
+    const orgId = opts?.organization_id ?? this.http.getOrganizationId();
+    await this.http.request("DELETE", `/v1/workflow-registry/${encodeURIComponent(name)}`, {
+      query: { organization_id: orgId }
+    });
+  }
+};
+var WorkflowRunsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Submit a workflow run. Returns immediately with a run ID. */
+  async submit(workflowName, opts) {
+    return this.http.request("POST", "/v1/workflows/run", {
+      query: {
+        name: workflowName,
+        organization_id: opts?.organization_id ?? this.http.getOrganizationId(),
+        team_id: opts?.team_id ?? this.http.getTeamId()
+      },
+      body: {
+        input: opts?.input ?? {},
+        metadata: opts?.metadata,
+        priority: opts?.priority
+      },
+      idempotencyKey: opts?.idempotencyKey
+    });
+  }
+  /** List workflow runs. */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/workflows/runs", {
+      query: {
+        limit: params?.limit,
+        offset: params?.cursor,
+        organization_id: params?.organization_id ?? this.http.getOrganizationId(),
+        team_id: params?.team_id ?? this.http.getTeamId()
+      }
+    });
+  }
+  /** Get a run's status and progress. */
+  async get(runId) {
+    return this.http.request("GET", `/v1/workflows/runs/${runId}`);
+  }
+  /** Cancel a running workflow. */
+  async cancel(runId, reason) {
+    await this.http.request("POST", `/v1/workflows/runs/${runId}/cancel`, {
+      body: { reason }
+    });
+  }
+  /** Pause a running workflow. */
+  async pause(runId, reason) {
+    await this.http.request("POST", `/v1/workflows/runs/${runId}/pause`, {
+      body: { reason }
+    });
+  }
+  /** Resume a paused workflow. */
+  async resume(runId) {
+    await this.http.request("POST", `/v1/workflows/runs/${runId}/resume`, { body: {} });
+  }
+  /** Recover a stalled workflow from its last Sayiir checkpoint. */
+  async recover(runId) {
+    await this.http.request("POST", `/v1/workflows/runs/${runId}/recover`, { body: {} });
+  }
+  /** Send an external signal to a waiting workflow (e.g. HITL approval). */
+  async signal(runId, signalName, payload = {}) {
+    await this.http.request("POST", `/v1/workflows/runs/${runId}/signal`, {
+      body: { signal_name: signalName, payload }
+    });
+  }
+  /** Approve or reject a waiting workflow (convenience wrapper over signal). */
+  async approve(runId, opts) {
+    await this.http.request("POST", `/v1/workflows/runs/${runId}/approve`, {
+      body: opts
+    });
+  }
+  /** List workflow runs currently waiting for a signal (pending approvals). */
+  async listWaiting(params) {
+    return this.http.request("GET", "/v1/workflows/runs/waiting", {
+      query: {
+        organization_id: params?.organization_id ?? this.http.getOrganizationId(),
+        team_id: params?.team_id ?? this.http.getTeamId()
+      }
+    });
+  }
+  /**
+   * Stream SSE events for a workflow run.
+   *
+   * - Replays existing events, then streams live
+   * - Auto-reconnects via Last-Event-ID (when `reconnect: true`)
+   * - Client-side filtering by event kind and node key
+   * - Auto-closes on terminal events (completed/failed/cancelled)
+   *
+   * Returns an EventStream handle for cancellation.
+   */
+  streamEvents(runId, opts) {
+    const url = `${this.http.getBaseUrl()}/v1/workflow-runs/${runId}/events`;
+    const sseOpts = {
+      url,
+      headers: {},
+      lastEventId: opts.lastEventId,
+      signal: opts.signal,
+      filter: opts.filter,
+      reconnect: opts.reconnect,
+      maxReconnectAttempts: opts.maxReconnectAttempts,
+      fetch: async (input, init) => {
+        const headers = await this.http.buildHeaders({
+          ...init?.headers
+        });
+        return globalThis.fetch(input, { ...init, headers });
+      }
+    };
+    if (opts.reconnect) {
+      return connectReconnectingSSE(
+        sseOpts,
+        (event) => opts.onEvent(event),
+        opts.onError
+      );
+    }
+    return connectSSE(
+      sseOpts,
+      (event) => {
+        if (matchesFilter(event, opts.filter)) opts.onEvent(event);
+      },
+      opts.onError
+    );
+  }
+  /**
+   * Submit a workflow and wait for it to complete.
+   *
+   * Streams events via SSE while waiting. Returns the final WorkflowRun
+   * with status and output.
+   */
+  async submitAndWait(workflowName, opts) {
+    const run = await this.submit(workflowName, {
+      input: opts.input,
+      metadata: opts.metadata,
+      priority: opts.priority,
+      organization_id: opts.organization_id,
+      team_id: opts.team_id
+    });
+    const timeoutMs = opts.timeoutMs ?? 9e5;
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        stream.abort();
+        reject(new Error(`Workflow run ${run.id} timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
+      const stream = this.streamEvents(run.id, {
+        onEvent: (event) => {
+          opts.onEvent?.(event);
+          if (TERMINAL_RUN_EVENTS.includes(event.kind)) {
+            clearTimeout(timeout);
+            this.get(run.id).then(resolve).catch(reject);
+          }
+        },
+        onError: (error) => {
+          clearTimeout(timeout);
+          reject(error);
+        }
+      });
+      stream.done.then(() => {
+        clearTimeout(timeout);
+        this.get(run.id).then(resolve).catch(reject);
+      });
+    });
+  }
+  /** Get node execution attempts (logs) for a specific node. */
+  async getNodeAttempts(runId, nodeKey) {
+    return this.http.request(
+      "GET",
+      `/v1/workflows/runs/${runId}/nodes/${encodeURIComponent(nodeKey)}/attempts`
+    );
+  }
+  /** List artifacts produced by a workflow run. */
+  async artifacts(runId) {
+    return this.http.request("GET", `/v1/workflows/runs/${runId}/artifacts`);
+  }
+  /**
+   * List artifacts with signed download URLs for each asset.
+   *
+   * Fetches artifacts, then generates a signed URL for each one that has
+   * an `asset_id`. This is the recommended way for consumers to access
+   * output files (videos, images, audio, text) from completed workflows.
+   *
+   * @example
+   * ```ts
+   * const artifacts = await fabric.workflows.runs.artifactsWithUrls(runId);
+   * for (const a of artifacts) {
+   *   console.log(a.filename, a.download_url); // signed URL ready for download
+   * }
+   * ```
+   */
+  async artifactsWithUrls(runId, expirySeconds) {
+    const artifacts = await this.artifacts(runId);
+    const withUrls = await Promise.all(
+      artifacts.map(async (artifact) => {
+        if (!artifact.asset_id) return artifact;
+        try {
+          const signed = await this.http.request(
+            "POST",
+            `/v1/asset-signed-urls/${artifact.asset_id}`,
+            { body: { expiry_seconds: expirySeconds } }
+          );
+          return { ...artifact, download_url: signed.url };
+        } catch {
+          return artifact;
+        }
+      })
+    );
+    return withUrls;
+  }
+  /** Record an artifact produced by a workflow run (called by workers). */
+  async recordArtifact(runId, artifact) {
+    return this.http.request("POST", `/v1/workflows/runs/${runId}/artifacts`, {
+      body: artifact
+    });
+  }
+  /**
+   * Watch a workflow run step-by-step with typed callbacks.
+   *
+   * High-level convenience that composes SSE streaming, client-side
+   * filtering, auto-reconnection, and typed event dispatch.
+   *
+   * @example
+   * ```ts
+   * const watcher = fabric.workflows.runs.watch(runId, {
+   *   nodeKeys: ["transcribe", "render"],
+   *   onNodeStarted: (key) => console.log(`${key} started`),
+   *   onNodeProgress: (key, p) => console.log(`${key}: ${p.percentage}%`),
+   *   onNodeCompleted: (key) => console.log(`${key} done`),
+   *   onNodeFailed: (key, p) => console.error(`${key} failed:`, p),
+   *   onRunCompleted: () => console.log("Workflow finished!"),
+   *   onRunFailed: (p) => console.error("Workflow failed:", p),
+   * });
+   *
+   * // Stop watching early
+   * watcher.abort();
+   *
+   * // Or wait until completion
+   * await watcher.done;
+   * ```
+   */
+  watch(runId, opts = {}) {
+    const filter = {};
+    filter.kinds = [
+      // Always include run lifecycle
+      "workflow.run.completed",
+      "workflow.run.failed",
+      "workflow.run.cancelled",
+      // Node events
+      "workflow.node.started",
+      "workflow.node.progress",
+      "workflow.node.completed",
+      "workflow.node.failed",
+      "workflow.node.retried",
+      "workflow.node.skipped",
+      "workflow.node.waiting_for_event",
+      "workflow.node.resumed"
+    ];
+    if (opts.nodeKeys && opts.nodeKeys.length > 0) {
+      filter.nodeKeys = opts.nodeKeys;
+    }
+    const stream = this.streamEvents(runId, {
+      lastEventId: opts.lastEventId,
+      signal: opts.signal,
+      reconnect: opts.reconnect ?? true,
+      filter,
+      onEvent: (event) => {
+        opts.onEvent?.(event);
+        const nodeKey = event.node_key ?? "unknown";
+        const payload = event.payload;
+        switch (event.kind) {
+          case "workflow.node.started":
+            opts.onNodeStarted?.(nodeKey, payload);
+            break;
+          case "workflow.node.progress":
+            opts.onNodeProgress?.(nodeKey, payload);
+            break;
+          case "workflow.node.completed":
+            opts.onNodeCompleted?.(nodeKey, payload);
+            break;
+          case "workflow.node.failed":
+            opts.onNodeFailed?.(nodeKey, payload);
+            break;
+          case "workflow.run.completed":
+            opts.onRunCompleted?.(payload);
+            stream.abort();
+            break;
+          case "workflow.run.failed":
+            opts.onRunFailed?.(payload);
+            stream.abort();
+            break;
+          case "workflow.run.cancelled":
+            opts.onRunCancelled?.(payload);
+            stream.abort();
+            break;
+        }
+      },
+      onError: opts.onError
+    });
+    return stream;
+  }
+};
+var WorkflowsResource = class {
+  constructor(http) {
+    this.http = http;
+    this.registry = new WorkflowRegistryResource(http);
+    this.runs = new WorkflowRunsResource(http);
+  }
+  registry;
+  runs;
+  /** Compose multiple workflows into a pipeline. */
+  async compose(opts) {
+    return this.http.request("POST", "/v1/workflows/compose", {
+      body: {
+        name: opts.name,
+        steps: opts.steps,
+        description: opts.description
+      }
+    });
+  }
+  /** Estimate cost of a workflow before running it. */
+  async estimate(workflowName, opts) {
+    return this.http.request("POST", "/v1/workflows/estimate", {
+      query: {
+        name: workflowName,
+        organization_id: opts?.organization_id ?? this.http.getOrganizationId(),
+        team_id: opts?.team_id ?? this.http.getTeamId()
+      },
+      body: {
+        input: opts?.input,
+        cost_profile: opts?.cost_profile
+      }
+    });
+  }
+};
+
+// src/resources/events.resource.ts
+var EventsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Build fetch wrapper that injects auth headers. */
+  authFetch() {
+    return async (input, init) => {
+      const headers = await this.http.buildHeaders({
+        ...init?.headers
+      });
+      return globalThis.fetch(input, { ...init, headers });
+    };
+  }
+  /**
+   * Stream all domain events via SSE.
+   *
+   * This is a long-lived connection — call `stream.abort()` to disconnect.
+   */
+  stream(opts) {
+    const url = `${this.http.getBaseUrl()}/v1/events/stream`;
+    const sseOpts = {
+      url,
+      headers: {},
+      signal: opts.signal,
+      lastEventId: opts.lastEventId,
+      fetch: this.authFetch(),
+      filter: opts.filter,
+      reconnect: opts.reconnect,
+      maxReconnectAttempts: opts.maxReconnectAttempts
+    };
+    if (opts.reconnect) {
+      return connectReconnectingSSE(
+        sseOpts,
+        (event) => opts.onEvent(event),
+        opts.onError
+      );
+    }
+    return connectSSE(
+      sseOpts,
+      (event) => {
+        if (matchesFilter(event, opts.filter)) opts.onEvent(event);
+      },
+      opts.onError
+    );
+  }
+  /**
+   * Stream events for a specific workflow run via SSE.
+   *
+   * Supports client-side filtering by event kind and node key, plus
+   * auto-reconnection with Last-Event-ID replay.
+   */
+  streamRun(runId, opts) {
+    const url = `${this.http.getBaseUrl()}/v1/workflow-runs/${runId}/events`;
+    const sseOpts = {
+      url,
+      headers: {},
+      lastEventId: opts.lastEventId,
+      signal: opts.signal,
+      fetch: this.authFetch(),
+      filter: opts.filter,
+      reconnect: opts.reconnect,
+      maxReconnectAttempts: opts.maxReconnectAttempts
+    };
+    if (opts.reconnect) {
+      return connectReconnectingSSE(
+        sseOpts,
+        (event) => opts.onEvent(event),
+        opts.onError
+      );
+    }
+    return connectSSE(
+      sseOpts,
+      (event) => {
+        if (matchesFilter(event, opts.filter)) opts.onEvent(event);
+      },
+      opts.onError
+    );
+  }
+  /**
+   * Stream events for a specific job via SSE.
+   *
+   * A job is a single-node execution. Use this to watch one node
+   * without receiving events from the rest of the workflow.
+   */
+  streamJob(jobId, opts) {
+    const url = `${this.http.getBaseUrl()}/v1/jobs/${jobId}/events`;
+    const sseOpts = {
+      url,
+      headers: {},
+      lastEventId: opts.lastEventId,
+      signal: opts.signal,
+      fetch: this.authFetch(),
+      filter: opts.filter,
+      reconnect: opts.reconnect,
+      maxReconnectAttempts: opts.maxReconnectAttempts
+    };
+    if (opts.reconnect) {
+      return connectReconnectingSSE(
+        sseOpts,
+        (event) => opts.onEvent(event),
+        opts.onError
+      );
+    }
+    return connectSSE(
+      sseOpts,
+      (event) => {
+        if (matchesFilter(event, opts.filter)) opts.onEvent(event);
+      },
+      opts.onError
+    );
+  }
+  /**
+   * Connect via WebSocket for bidirectional event streaming.
+   *
+   * Supports dynamic run subscription via `subscribeToRun()` / `unsubscribe()`.
+   * Server acknowledgements are typed and delivered via `onAck`.
+   * Only available in environments with WebSocket support (browser, Node.js 21+).
+   */
+  connectWebSocket(opts) {
+    const baseUrl = this.http.getBaseUrl().replace(/^http/, "ws");
+    const url = `${baseUrl}/v1/events/ws`;
+    const ws = new WebSocket(url);
+    ws.onmessage = (msg) => {
+      try {
+        const data = JSON.parse(msg.data);
+        if ("subscribed_to_run" in data || "unsubscribed" in data) {
+          opts.onAck?.(data);
+          return;
+        }
+        const event = data;
+        if (matchesFilter(event, opts.filter)) {
+          opts.onEvent(event);
+        }
+      } catch {
+      }
+    };
+    ws.onerror = (err) => opts.onError?.(err);
+    ws.onclose = () => opts.onClose?.();
+    return {
+      subscribeToRun(runId) {
+        const cmd = { subscribe_run: runId };
+        ws.send(JSON.stringify(cmd));
+      },
+      unsubscribe() {
+        const cmd = { unsubscribe: true };
+        ws.send(JSON.stringify(cmd));
+      },
+      close() {
+        ws.close();
+      }
+    };
+  }
+};
+
+// src/resources/assets.resource.ts
+var AssetsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Upload an asset (max 100 MB).
+   *
+   * @param data - File data as Blob, ArrayBuffer, or ReadableStream
+   * @param opts - Content type and optional filename
+   */
+  async upload(data, opts) {
+    const headers = await this.http.buildHeaders({
+      "Content-Type": opts?.contentType ?? "application/octet-stream"
+    });
+    if (opts?.filename) {
+      headers["X-Filename"] = opts.filename;
+    }
+    const orgId = opts?.organization_id ?? this.http.getOrganizationId();
+    const query = orgId ? `?organization_id=${orgId}` : "";
+    const res = await globalThis.fetch(`${this.http.getBaseUrl()}/v1/assets${query}`, {
+      method: "POST",
+      headers,
+      body: data
+    });
+    const json = await res.json();
+    if (json.error) {
+      throw new Error(`${json.error.code}: ${json.error.message}`);
+    }
+    return json.data;
+  }
+  /** List assets for the current organization. */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/assets", {
+      query: {
+        limit: params?.limit,
+        cursor: params?.cursor,
+        organization_id: params?.organization_id ?? this.http.getOrganizationId()
+      }
+    });
+  }
+  /** Generate a signed download URL for an asset. */
+  async signedUrl(assetId, expirySeconds) {
+    return this.http.request("POST", `/v1/asset-signed-urls/${assetId}`, {
+      body: { expiry_seconds: expirySeconds }
+    });
+  }
+  /** Download an asset by path. Returns the raw Response for streaming. */
+  async download(path) {
+    return this.http.requestRaw("GET", `/v1/assets/${path}`);
+  }
+};
+
+// src/resources/galleries.resource.ts
+var GalleriesResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create a gallery. */
+  async create(opts) {
+    return this.http.request("POST", "/v1/galleries", { body: opts });
+  }
+  /** List galleries. */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/galleries", {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Get a gallery by ID. */
+  async get(galleryId) {
+    return this.http.request("GET", `/v1/galleries/${galleryId}`);
+  }
+  /** Delete a gallery. */
+  async delete(galleryId) {
+    await this.http.request("DELETE", `/v1/galleries/${galleryId}`);
+  }
+  /** Add an item to a gallery. */
+  async addItem(galleryId, opts) {
+    return this.http.request("POST", `/v1/galleries/${galleryId}/items`, { body: opts });
+  }
+  /** List items in a gallery. */
+  async listItems(galleryId, params) {
+    return this.http.requestPaginated("GET", `/v1/galleries/${galleryId}/items`, {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Remove an item from a gallery. */
+  async removeItem(itemId) {
+    await this.http.request("DELETE", `/v1/gallery-items/${itemId}`);
+  }
+};
+
+// src/resources/api-keys.resource.ts
+var ApiKeysResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create an API key. Returns the raw secret (only shown once). */
+  async create(opts) {
+    return this.http.request("POST", "/v1/api-keys", { body: opts });
+  }
+  /** List API keys. */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/api-keys", {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Get an API key by ID. */
+  async get(keyId) {
+    return this.http.request("GET", `/v1/api-keys/${keyId}`);
+  }
+  /** Delete an API key. */
+  async delete(keyId) {
+    await this.http.request("DELETE", `/v1/api-keys/${keyId}`);
+  }
+  /** Disable an API key. */
+  async disable(keyId) {
+    await this.http.request("POST", `/v1/api-keys/${keyId}/disable`, { body: {} });
+  }
+  /** Rotate an API key (new secret issued). */
+  async rotate(keyId) {
+    return this.http.request("POST", `/v1/api-keys/${keyId}/rotate`, { body: {} });
+  }
+};
+
+// src/resources/invitations.resource.ts
+var InvitationsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create an invitation. */
+  async create(opts) {
+    return this.http.request("POST", "/v1/invitations", { body: opts });
+  }
+  /** Accept an invitation. */
+  async accept(invitationId) {
+    await this.http.request("POST", `/v1/invitations/${invitationId}/accept`, { body: {} });
+  }
+  /** Revoke/cancel an invitation. */
+  async revoke(invitationId) {
+    await this.http.request("POST", `/v1/invitations/${invitationId}/revoke`, { body: {} });
+  }
+};
+
+// src/resources/permissions.resource.ts
+var PermissionsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Check a single permission. */
+  async check(opts) {
+    return this.http.request("POST", "/v1/authz/check", { body: opts });
+  }
+  /** Check multiple permissions in batch. */
+  async checkBatch(checks) {
+    return this.http.request("POST", "/v1/authz/check-batch", {
+      body: { checks }
+    });
+  }
+  /** Grant a permission (ACL entry). */
+  async grant(opts) {
+    return this.http.request("POST", "/v1/permissions", { body: opts });
+  }
+  /** List permissions. */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/permissions", {
+      query: {
+        limit: params?.limit,
+        cursor: params?.cursor,
+        resource_type: params?.resource_type,
+        resource_id: params?.resource_id
+      }
+    });
+  }
+  /** Revoke a permission. */
+  async revoke(permissionId) {
+    await this.http.request("DELETE", `/v1/permissions/${permissionId}`);
+  }
+};
+
+// src/resources/webhooks.resource.ts
+var WebhooksResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create a webhook for an organization. */
+  async create(orgId, opts) {
+    return this.http.request("POST", `/v1/organizations/${orgId}/webhooks`, { body: opts });
+  }
+  /** List webhooks for an organization. */
+  async list(orgId, params) {
+    return this.http.requestPaginated("GET", `/v1/organizations/${orgId}/webhooks`, {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Get a webhook by ID. */
+  async get(webhookId) {
+    return this.http.request("GET", `/v1/webhooks/${webhookId}`);
+  }
+  /** Update a webhook. */
+  async update(webhookId, opts) {
+    return this.http.request("PATCH", `/v1/webhooks/${webhookId}`, { body: opts });
+  }
+  /** Delete a webhook. */
+  async delete(webhookId) {
+    await this.http.request("DELETE", `/v1/webhooks/${webhookId}`);
+  }
+  /** List delivery attempts for a webhook. */
+  async deliveries(webhookId, params) {
+    return this.http.requestPaginated("GET", `/v1/webhooks/${webhookId}/deliveries`, {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+};
+
+// src/resources/service-accounts.resource.ts
+var ServiceAccountsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create a service account. */
+  async create(opts) {
+    return this.http.request("POST", "/v1/service-accounts", { body: opts });
+  }
+  /** List service accounts. */
+  async list(params) {
+    return this.http.requestPaginated("GET", "/v1/service-accounts", {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+  /** Get a service account by ID. */
+  async get(id) {
+    return this.http.request("GET", `/v1/service-accounts/${id}`);
+  }
+  /** Disable a service account. */
+  async disable(id) {
+    await this.http.request("POST", `/v1/service-accounts/${id}/disable`, { body: {} });
+  }
+  /** Enable a service account. */
+  async enable(id) {
+    await this.http.request("POST", `/v1/service-accounts/${id}/enable`, { body: {} });
+  }
+  /** Create an API key for a service account. */
+  async createApiKey(id) {
+    return this.http.request("POST", `/v1/service-accounts/${id}/api-keys`, { body: {} });
+  }
+  /** List API keys for a service account. */
+  async listApiKeys(id) {
+    return this.http.request("GET", `/v1/service-accounts/${id}/api-keys`);
+  }
+  /** Revoke an API key for a service account. */
+  async revokeApiKey(id, keyId) {
+    await this.http.request("DELETE", `/v1/service-accounts/${id}/api-keys/${keyId}`);
+  }
+  /** Rotate an API key for a service account. */
+  async rotateApiKey(id, keyId) {
+    return this.http.request("POST", `/v1/service-accounts/${id}/api-keys/${keyId}/rotate`, { body: {} });
+  }
+};
+
+// src/resources/oauth.resource.ts
+var OAuthResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create an OAuth client for an organization. */
+  async createClient(opts) {
+    return this.http.request("POST", "/v1/oauth/clients", { body: opts });
+  }
+  /** List OAuth clients. */
+  async listClients() {
+    return this.http.request("GET", "/v1/oauth/clients");
+  }
+  /** Delete an OAuth client. */
+  async deleteClient(clientId) {
+    await this.http.request("DELETE", `/v1/oauth/clients/${clientId}`);
+  }
+  /** Exchange client credentials for an access token. */
+  async token(clientId, clientSecret) {
+    return this.http.request("POST", "/v1/oauth/token", {
+      body: {
+        grant_type: "client_credentials",
+        client_id: clientId,
+        client_secret: clientSecret
+      }
+    });
+  }
+  /** Refresh an access token. */
+  async refresh(refreshToken) {
+    return this.http.request("POST", "/v1/oauth/token", {
+      body: {
+        grant_type: "refresh_token",
+        refresh_token: refreshToken
+      }
+    });
+  }
+  /** Revoke an OAuth token. */
+  async revoke(token) {
+    await this.http.request("POST", "/v1/oauth/revoke", {
+      body: { token }
+    });
+  }
+};
+
+// src/resources/admin.resource.ts
+var AdminResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Bootstrap the system (dev mode: creates org + admin). */
+  async bootstrap() {
+    return this.http.request("POST", "/v1/admin/bootstrap", { body: {} });
+  }
+  /** List concurrency limits. */
+  async listConcurrencyLimits() {
+    return this.http.request("GET", "/v1/admin/concurrency-limits");
+  }
+  /** Set a concurrency limit for a scope (e.g., "org:<uuid>"). */
+  async setConcurrencyLimit(scope, maxConcurrentRuns) {
+    return this.http.request("PUT", "/v1/admin/concurrency-limits", {
+      body: { scope, max_concurrent_runs: maxConcurrentRuns }
+    });
+  }
+  /** Get system information (version, features, uptime). */
+  async systemInfo() {
+    return this.http.request("GET", "/v1/system/info");
+  }
+  /** Get detailed system status (database, event bus health). */
+  async systemStatus() {
+    return this.http.request("GET", "/v1/system/status");
+  }
+  /** List audit logs (standalone, not org-scoped). */
+  async auditLogs(params) {
+    return this.http.requestPaginated("GET", "/v1/audit-logs", {
+      query: { limit: params?.limit, cursor: params?.cursor }
+    });
+  }
+};
+
+// src/resources/schedules.resource.ts
+var SchedulesResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Create a schedule for a workflow definition. */
+  async create(workflowDefId, opts) {
+    return this.http.request("POST", `/v1/workflow-definitions/${workflowDefId}/schedules`, { body: opts });
+  }
+  /** List schedules for a workflow definition. */
+  async list(workflowDefId) {
+    return this.http.request("GET", `/v1/workflow-definitions/${workflowDefId}/schedules`);
+  }
+  /** Get a schedule by ID. */
+  async get(scheduleId) {
+    return this.http.request("GET", `/v1/schedules/${scheduleId}`);
+  }
+  /** Update a schedule. */
+  async update(scheduleId, opts) {
+    return this.http.request("PATCH", `/v1/schedules/${scheduleId}`, { body: opts });
+  }
+  /** Delete a schedule. */
+  async delete(scheduleId) {
+    await this.http.request("DELETE", `/v1/schedules/${scheduleId}`);
+  }
+  /** Manually trigger a scheduled workflow run. */
+  async trigger(scheduleId) {
+    return this.http.request("POST", `/v1/schedules/${scheduleId}/trigger`);
+  }
+  /** List run history for a schedule. */
+  async history(scheduleId) {
+    return this.http.request("GET", `/v1/schedules/${scheduleId}/history`);
+  }
+};
+
+// src/resources/providers.resource.ts
+var ProvidersResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** List all available provider capabilities. */
+  async list() {
+    return this.http.request("GET", "/v1/providers");
+  }
+  /** Execute a provider (request/response). */
+  async execute(request) {
+    return this.http.request("POST", "/v1/providers/execute", {
+      body: request
+    });
+  }
+  /**
+   * Execute a provider with streaming (SSE).
+   *
+   * Streams token-level chunks during LLM inference.
+   * Events: `chunk` (delta), `complete` (final response + usage), `error`.
+   */
+  executeStream(request, opts) {
+    const url = `${this.http.getBaseUrl()}/v1/providers/execute/stream`;
+    return connectSSE(
+      {
+        url,
+        headers: {},
+        signal: opts.signal,
+        fetch: async (input, init) => {
+          const headers = await this.http.buildHeaders({
+            ...init?.headers
+          });
+          return globalThis.fetch(input, {
+            ...init,
+            method: "POST",
+            headers,
+            body: JSON.stringify(request)
+          });
+        }
+      },
+      (event, raw) => {
+        if (raw.event === "chunk") {
+          opts.onChunk(event);
+        } else if (raw.event === "complete") {
+          opts.onComplete?.(event);
+        }
+      },
+      opts.onError
+    );
+  }
+  /** Estimate the cost of a provider execution before running it. */
+  async estimate(request) {
+    return this.http.request("POST", "/v1/providers/estimate", {
+      body: request
+    });
+  }
+};
+
+// src/resources/packages.resource.ts
+var PackagesResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** List all installed domain packages. */
+  async list() {
+    return this.http.request("GET", "/v1/packages");
+  }
+};
+
+// src/client.ts
+var DEFAULT_BASE_URL = "http://localhost:3001";
+var FabricClient = class {
+  auth;
+  me;
+  organizations;
+  teams;
+  workflows;
+  events;
+  assets;
+  galleries;
+  apiKeys;
+  invitations;
+  permissions;
+  webhooks;
+  serviceAccounts;
+  oauth;
+  admin;
+  schedules;
+  providers;
+  packages;
+  constructor(config = {}) {
+    const transport = new HttpTransport({
+      baseUrl: config.baseUrl ?? DEFAULT_BASE_URL,
+      auth: config.auth,
+      organizationId: config.organizationId,
+      teamId: config.teamId,
+      timeout: config.timeout,
+      fetch: config.fetch,
+      debug: config.debug,
+      onRequest: config.onRequest,
+      onResponse: config.onResponse
+    });
+    this.auth = new AuthResource(transport);
+    this.me = new MeResource(transport);
+    this.organizations = new OrganizationsResource(transport);
+    this.teams = new TeamsResource(transport);
+    this.workflows = new WorkflowsResource(transport);
+    this.events = new EventsResource(transport);
+    this.assets = new AssetsResource(transport);
+    this.galleries = new GalleriesResource(transport);
+    this.apiKeys = new ApiKeysResource(transport);
+    this.invitations = new InvitationsResource(transport);
+    this.permissions = new PermissionsResource(transport);
+    this.webhooks = new WebhooksResource(transport);
+    this.serviceAccounts = new ServiceAccountsResource(transport);
+    this.oauth = new OAuthResource(transport);
+    this.admin = new AdminResource(transport);
+    this.schedules = new SchedulesResource(transport);
+    this.providers = new ProvidersResource(transport);
+    this.packages = new PackagesResource(transport);
+  }
+};
+
+// src/pagination.ts
+async function* paginate(fetcher, options) {
+  let cursor;
+  do {
+    const page = await fetcher({ limit: options?.limit, cursor });
+    yield page.items;
+    cursor = page.pagination.has_more ? page.pagination.next_cursor : void 0;
+  } while (cursor);
+}
+async function* paginateItems(fetcher, options) {
+  for await (const page of paginate(fetcher, options)) {
+    for (const item of page) {
+      yield item;
+    }
+  }
+}
+async function paginateAll(fetcher, options) {
+  const all = [];
+  for await (const page of paginate(fetcher, options)) {
+    all.push(...page);
+  }
+  return all;
+}
+
+// src/verify-webhook.ts
+async function verifyWebhookSignature(rawBody, signature, secret) {
+  const expected = await computeSignature(rawBody, secret);
+  return constantTimeEqual(expected, signature);
+}
+async function constructWebhookEvent(rawBody, signature, secret) {
+  const valid = await verifyWebhookSignature(rawBody, signature, secret);
+  if (!valid) {
+    throw new Error("Invalid webhook signature");
+  }
+  return JSON.parse(rawBody);
+}
+var encoder = new TextEncoder();
+async function computeSignature(payload, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(payload));
+  return `sha256=${hexEncode(new Uint8Array(sig))}`;
+}
+function hexEncode(bytes) {
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+// src/_compat.ts
+var ansi = {
+  reset: "\x1B[0m",
+  dim: "\x1B[2m",
+  bold: "\x1B[1m",
+  green: "\x1B[32m",
+  red: "\x1B[31m",
+  cyan: "\x1B[36m"
+};
+var nodeTimers = {};
+var ts = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[1].slice(0, 12);
+var logEvents = (event) => {
+  const t = `${ansi.dim}${ts()}${ansi.reset}`;
+  const key = event.node_key;
+  switch (event.kind) {
+    case "workflow.run.started":
+      console.log(`${t} ${ansi.green}\u25B6 Workflow started${ansi.reset}`);
+      break;
+    case "workflow.node.started":
+      if (key) nodeTimers[key] = Date.now();
+      console.log(`${t} ${ansi.cyan}\u27F3 ${key}${ansi.reset} running`);
+      break;
+    case "workflow.node.completed": {
+      const ms = key && nodeTimers[key] ? Date.now() - nodeTimers[key] : 0;
+      console.log(`${t} ${ansi.green}\u2713 ${key}${ansi.reset} ${ms ? `${(ms / 1e3).toFixed(1)}s` : ""}`);
+      break;
+    }
+    case "workflow.node.failed":
+      console.log(`${t} ${ansi.red}\u2717 ${key} FAILED${ansi.reset} ${event.payload?.error ?? ""}`);
+      break;
+    case "workflow.run.completed":
+      console.log(`${t} ${ansi.green}${ansi.bold}\u2713 Workflow completed!${ansi.reset}`);
+      break;
+    case "workflow.run.failed":
+      console.log(`${t} ${ansi.red}${ansi.bold}\u2717 Workflow failed${ansi.reset} ${event.payload?.error ?? ""}`);
+      break;
+  }
+};
+export {
+  AdminResource,
+  ApiKeysResource,
+  AssetsResource,
+  AuthResource,
+  EventsResource,
+  FabricAuthError,
+  FabricClient,
+  FabricConflictError,
+  FabricError,
+  FabricForbiddenError,
+  FabricNotFoundError,
+  FabricRateLimitError,
+  FabricServerError,
+  FabricValidationError,
+  GalleriesResource,
+  InvitationsResource,
+  MeResource,
+  NODE_EVENT_KINDS,
+  OAuthResource,
+  OrganizationsResource,
+  PackagesResource,
+  PermissionsResource,
+  ProvidersResource,
+  SchedulesResource,
+  ServiceAccountsResource,
+  TERMINAL_RUN_EVENTS,
+  TeamsResource,
+  WebhooksResource,
+  WorkflowRegistryResource,
+  WorkflowRunsResource,
+  WorkflowsResource,
+  connectReconnectingSSE,
+  constructWebhookEvent,
+  logEvents,
+  matchesFilter,
+  paginate,
+  paginateAll,
+  paginateItems,
+  verifyWebhookSignature
+};
+//# sourceMappingURL=index.js.map