@heyanon-arp/sdk 0.0.23 → 0.0.25

package/dist/did/format.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Syntactic `did:arp:` shape — prefix + non-empty Bitcoin base58
+ * (no 0/O/I/l). A cheap regex gate for class-validator `@Matches` and
+ * the like; it does NOT verify the body decodes to a 32-byte pubkey
+ * (use {@link isValidDid} / {@link parseDid} for that). Single source
+ * of truth so server DTOs stop each hardcoding their own copy.
+ */
+export declare const DID_ARP_REGEX: RegExp;
 /**
  * Format an Ed25519 identity public key as a `did:arp:<base58btc>` DID.
  *

package/dist/did/index.d.ts

@@ -1,2 +1,2 @@
-export { formatDid, parseDid, isValidDid } from './format';
+export { formatDid, parseDid, isValidDid, DID_ARP_REGEX } from './format';
 export type { DidDocument, VerificationMethod } from './document';

package/dist/errors/codes.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Wire error envelope + the specific error-code sets that BOTH the
+ * server (emits) and the CLI (branches on to map remediation hints)
+ * depend on. Centralised here so a rename can't silently break the
+ * CLI's hint mapping. The full ARP error-code catalogue stays open
+ * (see `00-core/errors.md`) — only the cross-consumed sets are pinned.
+ */
+/** Structured error body the server returns on the wire and the CLI parses. */
+export interface ApiErrorBody {
+    code: string;
+    message: string;
+    details?: unknown;
+}
+/**
+ * Pre-materialization rejection codes for a delegation OFFER. The CLI
+ * maps each to a tailored remediation hint; the server throws them from
+ * the offer-validation gates. Same `as const` array + union +
+ * const-object shape as the protocol vocabularies.
+ */
+export declare const DELEGATION_OFFER_REJECTION_CODES: readonly ["DELEGATION_ASSET_NOT_ALLOWED", "DELEGATION_PRICING_MISMATCH", "DELEGATION_CAPACITY_EXCEEDED"];
+export type DelegationOfferRejectionCode = (typeof DELEGATION_OFFER_REJECTION_CODES)[number];
+/** Named-member accessor for {@link DelegationOfferRejectionCode}. */
+export declare const DelegationOfferRejectionCodes: {
+    readonly ASSET_NOT_ALLOWED: "DELEGATION_ASSET_NOT_ALLOWED";
+    readonly PRICING_MISMATCH: "DELEGATION_PRICING_MISMATCH";
+    readonly CAPACITY_EXCEEDED: "DELEGATION_CAPACITY_EXCEEDED";
+};
+/**
+ * CLI-auth bearer-token error codes. The CLI maps either to a
+ * "run heyarp login again" recovery hint; the server throws them from
+ * token validation + the registration auth guard.
+ */
+export declare const CLI_AUTH_TOKEN_ERROR_CODES: readonly ["AUTH_TOKEN_INVALID", "AUTH_TOKEN_REQUIRED"];
+export type CliAuthTokenErrorCode = (typeof CLI_AUTH_TOKEN_ERROR_CODES)[number];
+/** Named-member accessor for {@link CliAuthTokenErrorCode}. */
+export declare const CliAuthTokenErrorCodes: {
+    readonly INVALID: "AUTH_TOKEN_INVALID";
+    readonly REQUIRED: "AUTH_TOKEN_REQUIRED";
+};

package/dist/errors/index.d.ts

@@ -1,2 +1,4 @@
 export { POST_COMMIT_ERROR_CODES, POST_COMMIT_ERROR_CODE_PREFIXES, isPostCommitErrorCode } from './post-commit';
 export type { PostCommitErrorCode } from './post-commit';
+export { DELEGATION_OFFER_REJECTION_CODES, DelegationOfferRejectionCodes, CLI_AUTH_TOKEN_ERROR_CODES, CliAuthTokenErrorCodes } from './codes';
+export type { ApiErrorBody, DelegationOfferRejectionCode, CliAuthTokenErrorCode } from './codes';

package/dist/index.js

@@ -78,6 +78,7 @@ function verify2(signature, message, publicKey) {
 // src/did/format.ts
 var DID_PREFIX = "did:arp:";
 var ED25519_PUBKEY_LENGTH = 32;
+var DID_ARP_REGEX = /^did:arp:[1-9A-HJ-NP-Za-km-z]+$/;
 function formatDid(identityPublicKey) {
   if (identityPublicKey.length !== ED25519_PUBKEY_LENGTH) {
     throw new Error(`formatDid: expected ${ED25519_PUBKEY_LENGTH}-byte Ed25519 pubkey, got ${identityPublicKey.length}`);
@@ -563,6 +564,22 @@ var InboxBlockScopes = {
   DID: "did"
 };
 
+// src/types/cli-auth.ts
+var CLI_LOGIN_SESSION_STORED_STATES = ["pending", "confirmed", "consumed"];
+var CLI_LOGIN_SESSION_STATES = ["pending", "confirmed", "consumed", "expired"];
+function isCliLoginSessionWireState(v) {
+  return typeof v === "string" && CLI_LOGIN_SESSION_STATES.includes(v);
+}
+var CliLoginSessionStates = {
+  PENDING: "pending",
+  CONFIRMED: "confirmed",
+  CONSUMED: "consumed",
+  EXPIRED: "expired"
+};
+
+// src/types/agent.ts
+var AGENT_TAG_REGEX = /^[a-z0-9][a-z0-9_-]{0,38}[a-z0-9]$|^[a-z0-9]$/;
+
 // src/assets.ts
 var SOLANA_CLUSTER_IDS = {
   "solana-mainnet": "5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp",
@@ -934,6 +951,20 @@ function isPostCommitErrorCode(code) {
   return POST_COMMIT_SET.has(code) || POST_COMMIT_ERROR_CODE_PREFIXES.some((p) => code.startsWith(p));
 }
 
+// src/errors/codes.ts
+var DELEGATION_OFFER_REJECTION_CODES = ["DELEGATION_ASSET_NOT_ALLOWED", "DELEGATION_PRICING_MISMATCH", "DELEGATION_CAPACITY_EXCEEDED"];
+var DelegationOfferRejectionCodes = {
+  ASSET_NOT_ALLOWED: "DELEGATION_ASSET_NOT_ALLOWED",
+  PRICING_MISMATCH: "DELEGATION_PRICING_MISMATCH",
+  CAPACITY_EXCEEDED: "DELEGATION_CAPACITY_EXCEEDED"
+};
+var CLI_AUTH_TOKEN_ERROR_CODES = ["AUTH_TOKEN_INVALID", "AUTH_TOKEN_REQUIRED"];
+var CliAuthTokenErrorCodes = {
+  INVALID: "AUTH_TOKEN_INVALID",
+  REQUIRED: "AUTH_TOKEN_REQUIRED"
+};
+
+exports.AGENT_TAG_REGEX = AGENT_TAG_REGEX;
 exports.ASSET_DECIMALS_MAX = ASSET_DECIMALS_MAX;
 exports.ASSET_DECIMALS_MIN = ASSET_DECIMALS_MIN;
 exports.ASSET_SYMBOL_MAX_LEN = ASSET_SYMBOL_MAX_LEN;
@@ -943,17 +974,25 @@ exports.ASSOCIATED_TOKEN_PROGRAM_ID_BASE58 = ASSOCIATED_TOKEN_PROGRAM_ID_BASE58;
 exports.BODY_TYPES = BODY_TYPES;
 exports.BodyTypes = BodyTypes;
 exports.CAIP19_REGEX = CAIP19_REGEX;
+exports.CLI_AUTH_TOKEN_ERROR_CODES = CLI_AUTH_TOKEN_ERROR_CODES;
+exports.CLI_LOGIN_SESSION_STATES = CLI_LOGIN_SESSION_STATES;
+exports.CLI_LOGIN_SESSION_STORED_STATES = CLI_LOGIN_SESSION_STORED_STATES;
 exports.CREATE_LOCK_DISCRIMINATOR = CREATE_LOCK_DISCRIMINATOR;
 exports.CREATE_LOCK_NATIVE_DISCRIMINATOR = CREATE_LOCK_NATIVE_DISCRIMINATOR;
 exports.CURRENT_PROTOCOL_VERSION = CURRENT_PROTOCOL_VERSION;
+exports.CliAuthTokenErrorCodes = CliAuthTokenErrorCodes;
+exports.CliLoginSessionStates = CliLoginSessionStates;
 exports.DECIMAL_AMOUNT_REGEX = DECIMAL_AMOUNT_REGEX;
 exports.DECLINE_REASONS = DECLINE_REASONS;
 exports.DELEGATION_ACTIONS = DELEGATION_ACTIONS;
 exports.DELEGATION_ACTIVE_STATES = DELEGATION_ACTIVE_STATES;
+exports.DELEGATION_OFFER_REJECTION_CODES = DELEGATION_OFFER_REJECTION_CODES;
 exports.DELEGATION_STATES = DELEGATION_STATES;
 exports.DEVNET_MINTS = DEVNET_MINTS;
+exports.DID_ARP_REGEX = DID_ARP_REGEX;
 exports.DISCOVERY_SORTS = DISCOVERY_SORTS;
 exports.DelegationActions = DelegationActions;
+exports.DelegationOfferRejectionCodes = DelegationOfferRejectionCodes;
 exports.DelegationStates = DelegationStates;
 exports.DiscoverySorts = DiscoverySorts;
 exports.ED25519_SIG_PREFIX = ED25519_SIG_PREFIX;
@@ -1026,6 +1065,7 @@ exports.getPublicKey = getPublicKey2;
 exports.instructionDiscriminator = instructionDiscriminator;
 exports.isAssetIdentifier = isAssetIdentifier;
 exports.isBodyType = isBodyType;
+exports.isCliLoginSessionWireState = isCliLoginSessionWireState;
 exports.isDecimalAmountString = isDecimalAmountString;
 exports.isDeclineReason = isDeclineReason;
 exports.isDelegationAction = isDelegationAction;

package/dist/index.mjs

@@ -53,6 +53,7 @@ function verify2(signature, message, publicKey) {
 // src/did/format.ts
 var DID_PREFIX = "did:arp:";
 var ED25519_PUBKEY_LENGTH = 32;
+var DID_ARP_REGEX = /^did:arp:[1-9A-HJ-NP-Za-km-z]+$/;
 function formatDid(identityPublicKey) {
   if (identityPublicKey.length !== ED25519_PUBKEY_LENGTH) {
     throw new Error(`formatDid: expected ${ED25519_PUBKEY_LENGTH}-byte Ed25519 pubkey, got ${identityPublicKey.length}`);
@@ -538,6 +539,22 @@ var InboxBlockScopes = {
   DID: "did"
 };
 
+// src/types/cli-auth.ts
+var CLI_LOGIN_SESSION_STORED_STATES = ["pending", "confirmed", "consumed"];
+var CLI_LOGIN_SESSION_STATES = ["pending", "confirmed", "consumed", "expired"];
+function isCliLoginSessionWireState(v) {
+  return typeof v === "string" && CLI_LOGIN_SESSION_STATES.includes(v);
+}
+var CliLoginSessionStates = {
+  PENDING: "pending",
+  CONFIRMED: "confirmed",
+  CONSUMED: "consumed",
+  EXPIRED: "expired"
+};
+
+// src/types/agent.ts
+var AGENT_TAG_REGEX = /^[a-z0-9][a-z0-9_-]{0,38}[a-z0-9]$|^[a-z0-9]$/;
+
 // src/assets.ts
 var SOLANA_CLUSTER_IDS = {
   "solana-mainnet": "5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp",
@@ -909,4 +926,17 @@ function isPostCommitErrorCode(code) {
   return POST_COMMIT_SET.has(code) || POST_COMMIT_ERROR_CODE_PREFIXES.some((p) => code.startsWith(p));
 }
 
-export { ASSET_DECIMALS_MAX, ASSET_DECIMALS_MIN, ASSET_SYMBOL_MAX_LEN, ASSET_SYMBOL_MIN_LEN, ASSET_WHITELIST, ASSOCIATED_TOKEN_PROGRAM_ID_BASE58, BODY_TYPES, BodyTypes, CAIP19_REGEX, CREATE_LOCK_DISCRIMINATOR, CREATE_LOCK_NATIVE_DISCRIMINATOR, CURRENT_PROTOCOL_VERSION, DECIMAL_AMOUNT_REGEX, DECLINE_REASONS, DELEGATION_ACTIONS, DELEGATION_ACTIVE_STATES, DELEGATION_STATES, DEVNET_MINTS, DISCOVERY_SORTS, DelegationActions, DelegationStates, DiscoverySorts, ED25519_SIG_PREFIX, ESCROW_PDA_SEEDS, ESCROW_PROGRAM_ID_BASE58, ESCROW_RELEASE_METHODS, EscrowReleaseMethods, HANDSHAKE_DECISIONS, HandshakeDecisions, INBOX_BLOCK_SCOPES, InboxBlockScopes, LIVE_RELATIONSHIP_STATE_NAMES, LOCK_ACCOUNT_DISCRIMINATOR, LOCK_ACCOUNT_SIZE, LOCK_STATE_NAMES, LOCK_TERMINAL_STATES, LockStates, LockTerminalStates, MAINNET_MINTS, MAX_CLOCK_SKEW_SECONDS, MAX_ENVELOPE_TTL_SECONDS, NATIVE_SOL_MINT_BASE58, NO_ARG_LIFECYCLE_INSTRUCTIONS, OWNER_SIGNING_METHODS, POST_COMMIT_ERROR_CODES, POST_COMMIT_ERROR_CODE_PREFIXES, PROTOCOL_VERSIONS, Purpose, READ_MODEL_STATUSES, RECEIPT_VERDICTS, RELATIONSHIP_STATE_NAMES, ReadModelStatuses, ReceiptVerdicts, RelationshipStates, SCRYPT_PARAMS, SHA256_HEX_RE, SLIP44_SOLANA, SOLANA_CLUSTER_IDS, SPL_TOKEN_PROGRAM_ID_BASE58, SYSTEM_PROGRAM_ID_BASE58, TOKEN_2022_PROGRAM_ID_BASE58, WELL_KNOWN_ASSETS, WELL_KNOWN_ASSET_KEYS, WORK_LOG_STATES, WorkLogStates, base58btcDecode, base58btcEncode, buildCreateLockIxData, buildLifecycleIxData, buildResolveDisputeIxData, bytes16ToDelegationId, canonicalBytes, canonicalJson, canonicalSha256Hex, computeCreateLockDiscriminator, computeLockAccountDiscriminator, decodeLockAccount, delegationIdToBytes16, deriveDelegationConditionHash, deriveLockId, deriveScryptKey, detectTokenProgramFromOwner, detectTokenProgramFromOwnerBytes, expiresAt, findAssetByAssetId, findFirstChainDivergence, formatDid, generateKeyPair, getPublicKey2 as getPublicKey, instructionDiscriminator, isAssetIdentifier, isBodyType, isDecimalAmountString, isDeclineReason, isDelegationAction, isDelegationState, isDiscoverySort, isEscrowReleaseMethod, isHandshakeDecision, isInboxBlockScope, isPostCommitErrorCode, isReadModelStatus, isReceiptVerdict, isRelationshipState, isSha256Hex, isValidDid, isWhitelistedAssetId, isWorkLogState, listWhitelistedAssets, parseCaip19SolanaAssetId, parseDid, pollUntil, resolveAsset, rfc3339, scryptPasswordProofSign, scryptPasswordProofVerify, senderNonce, serverEventHash, sign2 as sign, signChallenge, signEnvelope, signKeyLinkAttestation, signedMessageHash, uuidV4, verify2 as verify, verifyChallenge, verifyEnvelope, verifyKeyLinkAttestation };
+// src/errors/codes.ts
+var DELEGATION_OFFER_REJECTION_CODES = ["DELEGATION_ASSET_NOT_ALLOWED", "DELEGATION_PRICING_MISMATCH", "DELEGATION_CAPACITY_EXCEEDED"];
+var DelegationOfferRejectionCodes = {
+  ASSET_NOT_ALLOWED: "DELEGATION_ASSET_NOT_ALLOWED",
+  PRICING_MISMATCH: "DELEGATION_PRICING_MISMATCH",
+  CAPACITY_EXCEEDED: "DELEGATION_CAPACITY_EXCEEDED"
+};
+var CLI_AUTH_TOKEN_ERROR_CODES = ["AUTH_TOKEN_INVALID", "AUTH_TOKEN_REQUIRED"];
+var CliAuthTokenErrorCodes = {
+  INVALID: "AUTH_TOKEN_INVALID",
+  REQUIRED: "AUTH_TOKEN_REQUIRED"
+};
+
+export { AGENT_TAG_REGEX, ASSET_DECIMALS_MAX, ASSET_DECIMALS_MIN, ASSET_SYMBOL_MAX_LEN, ASSET_SYMBOL_MIN_LEN, ASSET_WHITELIST, ASSOCIATED_TOKEN_PROGRAM_ID_BASE58, BODY_TYPES, BodyTypes, CAIP19_REGEX, CLI_AUTH_TOKEN_ERROR_CODES, CLI_LOGIN_SESSION_STATES, CLI_LOGIN_SESSION_STORED_STATES, CREATE_LOCK_DISCRIMINATOR, CREATE_LOCK_NATIVE_DISCRIMINATOR, CURRENT_PROTOCOL_VERSION, CliAuthTokenErrorCodes, CliLoginSessionStates, DECIMAL_AMOUNT_REGEX, DECLINE_REASONS, DELEGATION_ACTIONS, DELEGATION_ACTIVE_STATES, DELEGATION_OFFER_REJECTION_CODES, DELEGATION_STATES, DEVNET_MINTS, DID_ARP_REGEX, DISCOVERY_SORTS, DelegationActions, DelegationOfferRejectionCodes, DelegationStates, DiscoverySorts, ED25519_SIG_PREFIX, ESCROW_PDA_SEEDS, ESCROW_PROGRAM_ID_BASE58, ESCROW_RELEASE_METHODS, EscrowReleaseMethods, HANDSHAKE_DECISIONS, HandshakeDecisions, INBOX_BLOCK_SCOPES, InboxBlockScopes, LIVE_RELATIONSHIP_STATE_NAMES, LOCK_ACCOUNT_DISCRIMINATOR, LOCK_ACCOUNT_SIZE, LOCK_STATE_NAMES, LOCK_TERMINAL_STATES, LockStates, LockTerminalStates, MAINNET_MINTS, MAX_CLOCK_SKEW_SECONDS, MAX_ENVELOPE_TTL_SECONDS, NATIVE_SOL_MINT_BASE58, NO_ARG_LIFECYCLE_INSTRUCTIONS, OWNER_SIGNING_METHODS, POST_COMMIT_ERROR_CODES, POST_COMMIT_ERROR_CODE_PREFIXES, PROTOCOL_VERSIONS, Purpose, READ_MODEL_STATUSES, RECEIPT_VERDICTS, RELATIONSHIP_STATE_NAMES, ReadModelStatuses, ReceiptVerdicts, RelationshipStates, SCRYPT_PARAMS, SHA256_HEX_RE, SLIP44_SOLANA, SOLANA_CLUSTER_IDS, SPL_TOKEN_PROGRAM_ID_BASE58, SYSTEM_PROGRAM_ID_BASE58, TOKEN_2022_PROGRAM_ID_BASE58, WELL_KNOWN_ASSETS, WELL_KNOWN_ASSET_KEYS, WORK_LOG_STATES, WorkLogStates, base58btcDecode, base58btcEncode, buildCreateLockIxData, buildLifecycleIxData, buildResolveDisputeIxData, bytes16ToDelegationId, canonicalBytes, canonicalJson, canonicalSha256Hex, computeCreateLockDiscriminator, computeLockAccountDiscriminator, decodeLockAccount, delegationIdToBytes16, deriveDelegationConditionHash, deriveLockId, deriveScryptKey, detectTokenProgramFromOwner, detectTokenProgramFromOwnerBytes, expiresAt, findAssetByAssetId, findFirstChainDivergence, formatDid, generateKeyPair, getPublicKey2 as getPublicKey, instructionDiscriminator, isAssetIdentifier, isBodyType, isCliLoginSessionWireState, isDecimalAmountString, isDeclineReason, isDelegationAction, isDelegationState, isDiscoverySort, isEscrowReleaseMethod, isHandshakeDecision, isInboxBlockScope, isPostCommitErrorCode, isReadModelStatus, isReceiptVerdict, isRelationshipState, isSha256Hex, isValidDid, isWhitelistedAssetId, isWorkLogState, listWhitelistedAssets, parseCaip19SolanaAssetId, parseDid, pollUntil, resolveAsset, rfc3339, scryptPasswordProofSign, scryptPasswordProofVerify, senderNonce, serverEventHash, sign2 as sign, signChallenge, signEnvelope, signKeyLinkAttestation, signedMessageHash, uuidV4, verify2 as verify, verifyChallenge, verifyEnvelope, verifyKeyLinkAttestation };

package/dist/types/agent.d.ts

@@ -136,3 +136,42 @@ export interface AgentReputation {
     computed: boolean;
     lastComputedAt?: string | null;
 }
+/**
+ * Agent capability-tag charset — lowercase alphanumeric + dash +
+ * underscore, 1-40 chars. Single source of truth for the server's
+ * `@Matches` on register + update (both DTOs hardcoded an identical copy
+ * before). The catalog filters on the persisted set.
+ */
+export declare const AGENT_TAG_REGEX: RegExp;
+/** Response for `POST /v1/agents/challenge` (server DTO `IssueChallengeResponseDto`). */
+export interface ChallengeResponse {
+    /** UUID — opaque handle passed back in challenge-response + register. */
+    challengeId: string;
+    /** Challenge bytes, base64url-no-pad (32 random bytes). */
+    challengeB64: string;
+    /** RFC 3339 expiry; after this the challenge is TTL-evicted. */
+    expiresAt: string;
+}
+/**
+ * Request body for `POST /v1/agents` (registration). The server DTO is
+ * `RegisterAgentDto`; `ownerAttestation` mirrors the SDK
+ * `ScryptPasswordAttestation<KeyLinkPayload>` wire shape but stays a
+ * generic object here — its inner fields are verified by canonical-JSON
+ * + HMAC at the server, not structurally.
+ */
+export interface RegisterAgentRequest {
+    challengeId: string;
+    identityPublicKey: string;
+    settlementPublicKey: string;
+    ownerAttestation: {
+        payload: Record<string, unknown>;
+        sig: string;
+        scrypt_salt_id: string;
+    };
+    scryptKeyB64: string;
+    scryptSaltB64: string;
+    name?: string;
+    description?: string;
+    /** Capability tags — lowercase alphanumeric + dash/underscore, max 20. */
+    tags?: string[];
+}

package/dist/types/cli-auth.d.ts

@@ -4,12 +4,36 @@
  * CLI's response types — both are plain framework-agnostic interfaces
  * (the server declares them in a service, not a NestJS DTO class), so
  * this is a pure lift-and-share with no decorator coupling.
+ */
+/**
+ * `heyarp login` session lifecycle. TWO tiers because the wire vocab is
+ * a strict superset of what's persisted:
+ *
+ *   - {@link CLI_LOGIN_SESSION_STORED_STATES} — what the server's Mongo
+ *     row actually holds (`@Prop enum`): `pending` → `confirmed` →
+ *     `consumed`.
+ *   - {@link CLI_LOGIN_SESSION_STATES} — what the `GET …/sessions/:id`
+ *     endpoint can RETURN. Adds `expired`, which the service COMPUTES on
+ *     read for a `pending` row past its TTL (and the CLI also derives
+ *     from a 404). `expired` is never stored.
  *
- * NOT included here: the cli-auth SESSION-STATE union
- * ('pending'|'confirmed'|'consumed'|...) — the CLI and server disagree
- * on the terminal members, so it needs reconciliation before it can be
- * centralized.
+ * Same `as const` array + union + guard + const-object shape as the
+ * protocol vocabularies; the server sources its `@Prop enum` from the
+ * stored array and types the read endpoint with the full wire union,
+ * and the CLI types its wire response from the full union.
  */
+export declare const CLI_LOGIN_SESSION_STORED_STATES: readonly ["pending", "confirmed", "consumed"];
+export type CliLoginSessionStoredState = (typeof CLI_LOGIN_SESSION_STORED_STATES)[number];
+export declare const CLI_LOGIN_SESSION_STATES: readonly ["pending", "confirmed", "consumed", "expired"];
+export type CliLoginSessionWireState = (typeof CLI_LOGIN_SESSION_STATES)[number];
+export declare function isCliLoginSessionWireState(v: unknown): v is CliLoginSessionWireState;
+/** Named-member accessor for {@link CliLoginSessionWireState} (vocab-tested). */
+export declare const CliLoginSessionStates: {
+    readonly PENDING: "pending";
+    readonly CONFIRMED: "confirmed";
+    readonly CONSUMED: "consumed";
+    readonly EXPIRED: "expired";
+};
 /** `POST /v1/auth/cli/sessions` → a new login session. */
 export interface CliSessionCreated {
     sessionId: string;

package/dist/types/discovery.d.ts

@@ -17,6 +17,30 @@ export declare const DiscoverySorts: {
     readonly RECENT: "recent";
     readonly CREATED: "created";
 };
+/**
+ * Query for `GET /v1/discovery/search` (server DTO
+ * `DiscoverySearchQueryDto`). Every field optional; filters AND-compose.
+ * Reputation is a SOFT sort, never a gate.
+ */
+export interface DiscoverySearchQuery {
+    /** Full-text over name + description. */
+    q?: string;
+    /** Capability tags — AND-require all. */
+    tag?: string[];
+    /** Creator wallet (base58) — you must already know it; never echoed back. */
+    accountId?: string;
+    /** CAIP-19 payment asset; matches explicit listers AND accept-anything agents. */
+    accepts?: string;
+    /** Only agents seen within the liveness window. */
+    online?: boolean;
+    /** `reputation` (composite desc, default) | `recent` | `created` (cursor). */
+    sort?: DiscoverySort;
+    /** Zero-based page index (offset = page × limit) — reputation/recent sorts. */
+    page?: number;
+    /** Cursor for `sort=created`: the previous page's last row id. */
+    after?: string;
+    limit?: number;
+}
 /** Reputation digest carried inline on each discovery row (the soft-sort key). */
 export interface DiscoveryReputation {
     composite: number;

package/dist/types/inbox.d.ts

@@ -31,3 +31,16 @@ export interface InboxBlock {
     /** When the block was set (ISO 8601). */
     blockedAt: string;
 }
+/**
+ * Body for `POST /v1/inbox/blocks` (server DTO `CreateInboxBlockDto`).
+ * You always NAME a DID; by default the server resolves its owner and
+ * blocks every sibling agent (account scope). The target account id is
+ * never returned.
+ */
+export interface BlockInboxBody {
+    did: string;
+    /** Block only this exact DID instead of the whole owner account. */
+    didOnly?: boolean;
+    /** Optional private note (max 512 chars). Visible only to you. */
+    reason?: string;
+}

package/dist/types/index.d.ts

@@ -10,12 +10,14 @@ export type { WorkLogState } from './work-log';
 export { WORK_LOG_STATES, WorkLogStates, isWorkLogState } from './work-log';
 export type { ReadModelStatus } from './event';
 export { READ_MODEL_STATUSES, ReadModelStatuses, isReadModelStatus } from './event';
-export type { DiscoverySort, DiscoveryReputation, DiscoveryLiveness, DiscoveryResult, DiscoveryPagination, DiscoverySearchResponse, DiscoveryProfile, } from './discovery';
+export type { DiscoverySort, DiscoverySearchQuery, DiscoveryReputation, DiscoveryLiveness, DiscoveryResult, DiscoveryPagination, DiscoverySearchResponse, DiscoveryProfile, } from './discovery';
 export { DISCOVERY_SORTS, DiscoverySorts, isDiscoverySort } from './discovery';
-export type { InboxBlockScope, InboxBlock } from './inbox';
+export type { InboxBlockScope, InboxBlock, BlockInboxBody } from './inbox';
 export { INBOX_BLOCK_SCOPES, InboxBlockScopes, isInboxBlockScope } from './inbox';
-export type { CliSessionCreated, CliTokenIssued, CliWhoami, MyAgentSummary } from './cli-auth';
-export type { AssetIdentifierWire, DelegationPublic, ReceiptPublic, RelationshipPublic, WorkLogPublic, EventPublic, IngestResult } from './read-model';
-export type { AcceptPrefs, AcceptCurrency, AgentRegisteredResponse, AgentPublic, UpdateAgentBody, ReputationScores, ReputationCounters, AgentReputation, } from './agent';
+export type { CliSessionCreated, CliTokenIssued, CliWhoami, MyAgentSummary, CliLoginSessionStoredState, CliLoginSessionWireState, } from './cli-auth';
+export { CLI_LOGIN_SESSION_STORED_STATES, CLI_LOGIN_SESSION_STATES, CliLoginSessionStates, isCliLoginSessionWireState } from './cli-auth';
+export type { AssetIdentifierWire, DelegationPublic, ReceiptPublic, RelationshipPublic, WorkLogPublic, EventPublic, IngestResult, SenderSequenceResponse, InboxUnblockResult, ListRelationshipsQuery, ListInboxQuery, ListEventsQuery, ListDelegationsQuery, ListWorkLogsQuery, ListReceiptsQuery, } from './read-model';
+export type { AcceptPrefs, AcceptCurrency, AgentRegisteredResponse, AgentPublic, UpdateAgentBody, RegisterAgentRequest, ChallengeResponse, ReputationScores, ReputationCounters, AgentReputation, } from './agent';
+export { AGENT_TAG_REGEX } from './agent';
 export type { OwnerSigningMethod, KeyLinkPayload, ScryptPasswordAttestation } from './identity';
 export { SCRYPT_PARAMS, OWNER_SIGNING_METHODS } from './identity';

package/dist/types/read-model.d.ts

@@ -158,3 +158,62 @@ export interface IngestResult {
     serverTimestamp: string;
     relationshipId: string;
 }
+/** Response for `GET /v1/agents/:did/sender-sequence`. */
+export interface SenderSequenceResponse {
+    lastSenderSequence: number;
+}
+/** Response for `DELETE /v1/inbox/blocks` (unblock). */
+export interface InboxUnblockResult {
+    removed: boolean;
+}
+/** Query for `GET /v1/agents/:did/relationships`. */
+export interface ListRelationshipsQuery {
+    /** Filter by relationship state. Omitted ⇒ all live + closed rows. */
+    state?: RelationshipState;
+    limit?: number;
+}
+/**
+ * Query for `GET /v1/agents/:did/inbox`. Two composite cursors:
+ *   - `(before, beforeEventId)` walks BACK through history.
+ *   - `(since, sinceEventId)` walks FORWARD from a watermark (polling).
+ * Pair each timestamp with its eventId tiebreaker to avoid skipping
+ * events that share a millisecond.
+ */
+export interface ListInboxQuery {
+    before?: string;
+    beforeEventId?: string;
+    since?: string;
+    sinceEventId?: string;
+    limit?: number;
+}
+/** Query for `GET /v1/relationships/:id/events`. */
+export interface ListEventsQuery {
+    /** Return events with `relationshipEventIndex >= since` (cursor). */
+    since?: number;
+    limit?: number;
+    /** Server-side read-model-outcome filter (success-only / rejected-only). */
+    readModelStatus?: ReadModelStatus;
+}
+/** Query for `GET /v1/relationships/:id/delegations`. */
+export interface ListDelegationsQuery {
+    /** Exact-match state filter (NOT a live/terminal classifier). */
+    state?: DelegationState;
+    /** Opaque per-row cursor — the previous page's last `id`. */
+    after?: string;
+    limit?: number;
+}
+/** Query for `GET /v1/relationships/:id/work`. */
+export interface ListWorkLogsQuery {
+    state?: WorkLogState;
+    /** Narrow to work under a specific delegation id. */
+    delegationId?: string;
+    after?: string;
+    limit?: number;
+}
+/** Query for `GET /v1/relationships/:id/receipts`. */
+export interface ListReceiptsQuery {
+    /** Narrow to receipts under a specific delegation id. */
+    delegationId?: string;
+    after?: string;
+    limit?: number;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@heyanon-arp/sdk",
-  "version": "0.0.23",
+  "version": "0.0.25",
   "description": "TypeScript SDK for the Agent Relationship Protocol — canonical JSON, Ed25519 envelope sign/verify, did:arp identity, scrypt key attestation, chain-audit helpers.",
   "license": "MIT",
   "keywords": [