@hsuite/smart-engines-sdk 3.13.0 → 3.14.0

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 3.14.0 — 2026-06-25
+
+### Added
+
+- **Agent + BaaS SDK completeness (from the showcase boundary audit).** Lets app-as-proxy consumers drop hand-rolled raw-fetch workarounds.
+  - `AgentsClient.certification(agentId, opts?)` → typed `AgentCertification` (entityId, owner/agent/treasury wallets, primaryChain, rulesHash, BLS group key, state-history topic, recent events + tx ids).
+  - `AgentsClient.fund()` now returns the discriminated union `AgentPreparedTransactionResponse | AgentPendingApprovalResponse` (the owner approval-threshold path), plus the `isAgentFundPending()` type guard.
+  - `AgentInfo` gains the on-chain DKG identity the host already returns: optional `agentWallet`, `treasuryAccount`, `entityId` (additive).
+  - `FunctionsClient.getCode(functionId, opts?)` → `BaasFunctionCode` (`{ functionId, code, codeHash }`) for function source reveal.
+  - `StorageClient.downloadWithMeta(cid, opts?)` → `{ bytes, contentType?, filename? }` (the bytes-only `download()` discards the headers), backed by a new `HttpClient.getBinaryWithMeta`.
+  - `HttpCallOptions.onBehalfOf` — owner-acting pass-through: forwards an end user's Mode-1 customer-session JWT as BOTH `Authorization: Bearer` and `X-Customer-Session-Claim` (no client-side signing; owner-gated agent routes accept only the Mode-1 JWT — the Mode-2 BLS claim is host-minted and rejected there). Distinct from the metering-only `customerToken`.
+  - Error helpers for consumers (e.g. a NestJS exception filter): `SdkHttpError.isRetryable` getter, `isSmartEngineSdkError()` guard, and `toHttpError()` (verbatim mapping with a sub-400 → 502 clamp).
+- **`EntitiesClient.prepareCreateAgent(req)` + `executeCreateAgent(req)` — payer-funded two-phase agent create.** Agent creation now mirrors the account create-flow: the synchronous `createAgent` 400s on payer-funded chains (e.g. `chain=xrpl uses prepare-create / execute-create`), so consumers drive the host's generic two-phase create (`POST /api/v3/baas/entities/prepare-create` + `/execute-create`, `entityType: 'agent'`). `prepareCreateAgent` returns `PreparedEntityCreation` (the unsigned payer-funding tx the dapp signs + submits) and `executeCreateAgent` returns `EntityCreationResult` after the validator finalizes (relaying the signed funding blob on XRPL/Stellar, threading the Hedera `createTxId` receipt). `prepareCreateAgent` remaps the agent's `primaryChain` onto the generic prepare/execute DTO's `chain` key. (#117)
+
 ## 3.8.0 — 2026-06-17
 
 ### Added

package/dist/index.d.ts

@@ -1956,6 +1956,7 @@ export declare class ClusterDiscoveryClient {
 }
 export type HttpCallOptions = {
 	customerToken?: string;
+	onBehalfOf?: string;
 	headers?: Record<string, string>;
 };
 export type HttpClient = {
@@ -1966,6 +1967,11 @@ export type HttpClient = {
 	delete<T = any>(path: string, opts?: HttpCallOptions): Promise<T>;
 	getText(path: string, opts?: HttpCallOptions): Promise<string>;
 	getBinary(path: string, opts?: HttpCallOptions): Promise<Uint8Array>;
+	getBinaryWithMeta(path: string, opts?: HttpCallOptions): Promise<{
+		bytes: Uint8Array;
+		contentType?: string;
+		filename?: string;
+	}>;
 	upload<T = any>(path: string, file: Blob | Buffer, filename: string, metadata?: Record<string, string>, fieldName?: string, opts?: HttpCallOptions): Promise<T>;
 	setAuthToken(token: string | undefined): void;
 	getAuthToken(): string | undefined;
@@ -1981,6 +1987,7 @@ export declare class SdkHttpError extends Error {
 	readonly statusCode: number;
 	readonly details?: any | undefined;
 	constructor(message: string, statusCode: number, details?: any | undefined);
+	get isRetryable(): boolean;
 }
 export declare function createHttpClient(config: HttpClientConfig): HttpClient;
 export declare function encodePathParam(param: string): string;
@@ -1992,6 +1999,14 @@ export interface RuleRejectedDetails {
 export declare function isRuleRejected(err: unknown): err is SdkHttpError & {
 	details: RuleRejectedDetails;
 };
+export declare function isSmartEngineSdkError(err: unknown): err is SdkHttpError;
+export declare function toHttpError(err: unknown): {
+	statusCode: number;
+	code: string;
+	message: string;
+	isRetryable: boolean;
+	details?: unknown;
+};
 export type DiscoveryClusterEndpoints = {
 	clusterId: string;
 	gatewayUrl: string;
@@ -3839,6 +3854,29 @@ export type AgentInfo = {
 	owner: string;
 	createdAt: string;
 	lastActiveAt?: string;
+	agentWallet?: string;
+	treasuryAccount?: string;
+	entityId?: string;
+};
+export type AgentCertification = {
+	agentId: string;
+	entityId?: string;
+	ownerWallet?: string;
+	status?: string;
+	agentWallet?: string;
+	treasuryAccount?: string;
+	primaryChain?: string;
+	rulesHash?: string;
+	ruleRef?: string;
+	blsGroupPublicKey?: string;
+	stateHistoryTopicId?: string;
+	recentEvents: Array<{
+		agentId: string;
+		type: string;
+		payload: Record<string, unknown>;
+		timestamp: string;
+	}>;
+	recentTxIds: string[];
 };
 export type AgentEvent = {
 	eventId: string;
@@ -3900,6 +3938,15 @@ export type AgentExecuteResponse = {
 export type AgentPreparedTransactionResponse = PreparedTransactionResponse & {
 	success: true;
 };
+export type AgentPendingApprovalResponse = {
+	success: true;
+	pendingOpId: string;
+	agentId: string;
+	action: string;
+	status: "awaiting_approval";
+	description: string;
+};
+export declare function isAgentFundPending(r: AgentPreparedTransactionResponse | AgentPendingApprovalResponse): r is AgentPendingApprovalResponse;
 export declare class AgentsClient {
 	private readonly http;
 	constructor(http: HttpClient);
@@ -3909,7 +3956,7 @@ export declare class AgentsClient {
 		agents: AgentInfo[];
 		total: number;
 	}>;
-	fund(agentId: string, request: AgentFundRequest, opts?: HttpCallOptions): Promise<AgentPreparedTransactionResponse>;
+	fund(agentId: string, request: AgentFundRequest, opts?: HttpCallOptions): Promise<AgentPreparedTransactionResponse | AgentPendingApprovalResponse>;
 	trade(agentId: string, request: AgentTradeRequest, opts?: HttpCallOptions): Promise<AgentPreparedTransactionResponse>;
 	withdraw(agentId: string, request: AgentWithdrawRequest, opts?: HttpCallOptions): Promise<AgentPreparedTransactionResponse>;
 	execute(agentId: string, request: AgentExecuteRequest, opts?: HttpCallOptions): Promise<AgentExecuteResponse & {
@@ -3927,6 +3974,7 @@ export declare class AgentsClient {
 		success: boolean;
 		status: string;
 	}>;
+	certification(agentId: string, opts?: HttpCallOptions): Promise<AgentCertification>;
 	updateRules(agentId: string, rules: Partial<AgentRules>, opts?: HttpCallOptions): Promise<AgentInfo>;
 	getEvents(agentId: string, opts?: HttpCallOptions): Promise<{
 		events: AgentEvent[];
@@ -4212,6 +4260,11 @@ export type BaasFunctionInfo = {
 	lastInvokedAt?: string;
 	invocationCount: number;
 };
+export type BaasFunctionCode = {
+	functionId: string;
+	code: string | null;
+	codeHash?: string;
+};
 export type BaasFunctionLog = {
 	timestamp: string;
 	level: "debug" | "info" | "warn" | "error";
@@ -5423,8 +5476,9 @@ export declare function createAnthropicProvider(opts: {
 	model: string;
 }): IModelProvider;
 export declare function createOpenAiProvider(opts: {
-	apiKey: string;
+	apiKey?: string;
 	model: string;
+	baseURL?: string;
 }): IModelProvider;
 export declare function createGeminiProvider(opts: {
 	apiKey: string;
@@ -5432,8 +5486,9 @@ export declare function createGeminiProvider(opts: {
 }): IModelProvider;
 export declare function createModelProvider(opts: {
 	provider: ModelProvider;
-	apiKey: string;
+	apiKey?: string;
 	model: string;
+	baseURL?: string;
 }): IModelProvider;
 export type InferJsonResult<T> = {
 	ok: boolean;
@@ -5443,8 +5498,9 @@ export type InferJsonResult<T> = {
 };
 export declare function inferJson<T = unknown>(opts: {
 	provider: ModelProvider;
-	apiKey: string;
+	apiKey?: string;
 	model: string;
+	baseURL?: string;
 	system?: string;
 	input: unknown;
 	maxTokens?: number;
@@ -5510,6 +5566,11 @@ export declare class StorageClient {
 	constructor(http: HttpClient, getAppId: () => string);
 	upload(file: Blob | Buffer, filename: string, metadata?: Record<string, string>, opts?: HttpCallOptions): Promise<BaasUploadResult>;
 	download(cid: string, opts?: HttpCallOptions): Promise<Uint8Array>;
+	downloadWithMeta(cid: string, opts?: HttpCallOptions): Promise<{
+		bytes: Uint8Array;
+		contentType?: string;
+		filename?: string;
+	}>;
 	getMetadata(cid: string, opts?: HttpCallOptions): Promise<BaasFileMetadata>;
 	delete(cid: string, opts?: HttpCallOptions): Promise<{
 		success: boolean;
@@ -5540,6 +5601,7 @@ export declare class FunctionsClient {
 		total: number;
 	}>;
 	get(functionId: string, opts?: HttpCallOptions): Promise<BaasFunctionInfo>;
+	getCode(functionId: string, opts?: HttpCallOptions): Promise<BaasFunctionCode>;
 	update(functionId: string, updates: Partial<BaasFunctionDeployRequest>, opts?: HttpCallOptions): Promise<BaasFunctionInfo>;
 	delete(functionId: string, opts?: HttpCallOptions): Promise<{
 		success: boolean;
@@ -25294,6 +25356,9 @@ export type CreateAgentRequest = {
 	ruleRef: RuleRef;
 	name: string;
 	agentType?: string;
+	securityMode?: EntitySecurityMode;
+	payerAccountId?: string;
+	fundWith?: FundWith;
 };
 export type EntityCreationResult = {
 	entityId: string;
@@ -25377,6 +25442,14 @@ export declare class EntitiesClient {
 	}): Promise<EntityCreationResult>;
 	createTopic(req: CreateTopicRequest): Promise<EntityCreationResult>;
 	createAgent(req: CreateAgentRequest): Promise<EntityCreationResult>;
+	prepareCreateAgent(req: Omit<CreateAgentRequest, "fundWith">): Promise<PreparedEntityCreation>;
+	executeCreateAgent(req: {
+		entityId: string;
+		chain: ChainType;
+		securityMode?: EntitySecurityMode;
+		signedFundingBlob?: string;
+		createTxId?: string;
+	}): Promise<EntityCreationResult>;
 	launchpad(req: LaunchpadEntityRequest): Promise<LaunchpadEntityResult>;
 	get(entityId: string): Promise<EntityInfo>;
 	listByOwner(filter?: ListEntitiesFilter): Promise<ListEntitiesResponse>;
@@ -25645,7 +25718,7 @@ declare namespace personhood {
 	export { PERSONHOOD_VERIFIER_NOT_CONFIGURED, PersonhoodAttestationMethod, PersonhoodCert, PersonhoodClient, PersonhoodProof, PersonhoodVerifyParams, isPersonhoodVerifierNotConfigured };
 }
 declare namespace baas {
-	export { AgentBalance, AgentEvent, AgentFundRequest, AgentInfo, AgentOperation, AgentRegisterRequest, AgentRules, AgentRulesValidationResult, AgentStatus, AgentTradeRequest, AgentWithdrawRequest, AgentsClient, AuthenticateOptions, BaasAppListResponse, BaasAuthConfig, BaasAuthResult, BaasChallengeRequest, BaasChallengeResponse, BaasChannelConfig, BaasClient, BaasClientConfig, BaasConnectToClusterConfig, BaasDeleteResult, BaasDeployRequest, BaasDeployResponse, BaasDocument, BaasEndpoints, BaasError, BaasErrorDetails, BaasErrorResponse, BaasFileInfo, BaasFileMetadata, BaasFindResult, BaasFunctionDeployRequest, BaasFunctionDeployResult, BaasFunctionEvalRequest, BaasFunctionInfo, BaasFunctionLog, BaasFunctionLogOptions, BaasFunctionResources, BaasFunctionResult, BaasFunctionRuntime, BaasHistoryOptions, BaasInitRequest, BaasInitResponse, BaasInsertResult, BaasMerkleProof, BaasMessage, BaasPresenceInfo, BaasPresenceMember, BaasPublishResult, BaasQueryOptions, BaasReissuePushCredentialsResponse, BaasRevokeKekResponse, BaasRollbackRequest, BaasRotateKekResponse, BaasRuntimeStatus, BaasService, BaasSessionInfo, BaasSetWebhookResponse, BaasSignedCode, BaasStateTransition, BaasStorageUsage, BaasSupportedChain, BaasTriggerType, BaasUpdateResult, BaasUploadFrontendResponse, BaasUploadResult, BaasVerifyRequest, ChannelSubscription, CreateAccountRequest$1 as BaasCreateAccountRequest, CreateAgentRequest, CreateTokenRequest$1 as CreateTokenRequest, CreateTopicRequest, DatabaseClient, DatabaseStatsResponse, DbComparisonOperator, DbDocument, DbQuery, DeployedApp, DeployedAppInfo, DeployedAppLimits, DeployedAppStatus, DeployedAppUsage, DeploymentClient, DeprecateRuleResponse, DocumentProofResponse, EntitiesClient, EntityCreationResult, EntityInfo, EntitySecurityMode, EntityType$1 as BaasEntityType, FunctionsClient, FundWith, LaunchpadEntityRequest, LaunchpadEntityResult, ListEntitiesFilter, ListEntitiesResponse, ListRulesFilter, ListRulesResponse, MessageHandler, MessagingClient, PreparedEntityCreation, PublishRuleResponse, RulesClient, SimulateRuleRequest, StateRootResponse, StateTransitionsResponse, StorageClient, ValidationResult, VersionHistoryResponse, validateAgentRules };
+	export { AgentBalance, AgentCertification, AgentEvent, AgentFundRequest, AgentInfo, AgentOperation, AgentPendingApprovalResponse, AgentPreparedTransactionResponse, AgentRegisterRequest, AgentRules, AgentRulesValidationResult, AgentStatus, AgentTradeRequest, AgentWithdrawRequest, AgentsClient, AuthenticateOptions, BaasAppListResponse, BaasAuthConfig, BaasAuthResult, BaasChallengeRequest, BaasChallengeResponse, BaasChannelConfig, BaasClient, BaasClientConfig, BaasConnectToClusterConfig, BaasDeleteResult, BaasDeployRequest, BaasDeployResponse, BaasDocument, BaasEndpoints, BaasError, BaasErrorDetails, BaasErrorResponse, BaasFileInfo, BaasFileMetadata, BaasFindResult, BaasFunctionCode, BaasFunctionDeployRequest, BaasFunctionDeployResult, BaasFunctionEvalRequest, BaasFunctionInfo, BaasFunctionLog, BaasFunctionLogOptions, BaasFunctionResources, BaasFunctionResult, BaasFunctionRuntime, BaasHistoryOptions, BaasInitRequest, BaasInitResponse, BaasInsertResult, BaasMerkleProof, BaasMessage, BaasPresenceInfo, BaasPresenceMember, BaasPublishResult, BaasQueryOptions, BaasReissuePushCredentialsResponse, BaasRevokeKekResponse, BaasRollbackRequest, BaasRotateKekResponse, BaasRuntimeStatus, BaasService, BaasSessionInfo, BaasSetWebhookResponse, BaasSignedCode, BaasStateTransition, BaasStorageUsage, BaasSupportedChain, BaasTriggerType, BaasUpdateResult, BaasUploadFrontendResponse, BaasUploadResult, BaasVerifyRequest, ChannelSubscription, CreateAccountRequest$1 as BaasCreateAccountRequest, CreateAgentRequest, CreateTokenRequest$1 as CreateTokenRequest, CreateTopicRequest, DatabaseClient, DatabaseStatsResponse, DbComparisonOperator, DbDocument, DbQuery, DeployedApp, DeployedAppInfo, DeployedAppLimits, DeployedAppStatus, DeployedAppUsage, DeploymentClient, DeprecateRuleResponse, DocumentProofResponse, EntitiesClient, EntityCreationResult, EntityInfo, EntitySecurityMode, EntityType$1 as BaasEntityType, FunctionsClient, FundWith, LaunchpadEntityRequest, LaunchpadEntityResult, ListEntitiesFilter, ListEntitiesResponse, ListRulesFilter, ListRulesResponse, MessageHandler, MessagingClient, PreparedEntityCreation, PublishRuleResponse, RulesClient, SimulateRuleRequest, StateRootResponse, StateTransitionsResponse, StorageClient, ValidationResult, VersionHistoryResponse, isAgentFundPending, validateAgentRules };
 }
 declare namespace pqcVerify {
 	export { FetchRegistryOptions, PqcCertV1, PqcCertV1Schema, PqcCertV1Signer, ValidatorRegistrySnapshot, VerifyResult, fetchRegistrySnapshot, parsePqcCert, verifyPqcAttestation };

package/dist/index.js

@@ -6606,6 +6606,13 @@ var SdkHttpError = class extends Error {
   }
   statusCode;
   details;
+  /**
+   * True for transient failures worth retrying: a 5xx, a 429 (rate limit), a 408
+   * (timeout), or a 0 (network/abort). Deterministic 4xx client errors are not.
+   */
+  get isRetryable() {
+    return this.statusCode === 0 || this.statusCode === 408 || this.statusCode === 429 || this.statusCode >= 500;
+  }
 };
 function createHttpClient(config) {
   const timeout = config.timeout ?? 3e4;
@@ -6623,6 +6630,10 @@ function createHttpClient(config) {
     if (opts?.customerToken) {
       headers["X-Customer-Session-Token"] = opts.customerToken;
     }
+    if (opts?.onBehalfOf) {
+      headers["Authorization"] = `Bearer ${opts.onBehalfOf}`;
+      headers["X-Customer-Session-Claim"] = opts.onBehalfOf;
+    }
     if (opts?.headers) {
       Object.assign(headers, opts.headers);
     }
@@ -6730,6 +6741,41 @@ function createHttpClient(config) {
       throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
     }
   }
+  async function getBinaryWithMeta(path, opts) {
+    const url = `${config.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        headers: getHeaders(void 0, opts),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errBody = await response.json().catch(() => ({}));
+        throw new SdkHttpError(
+          errBody.message || `API error: ${response.status} ${response.statusText}`,
+          response.status,
+          errBody
+        );
+      }
+      const bytes = new Uint8Array(await response.arrayBuffer());
+      const contentType = response.headers.get("content-type") ?? void 0;
+      const disposition = response.headers.get("content-disposition") ?? "";
+      const match = /filename\*?=(?:UTF-8'')?"?([^"\n;]+)"?/i.exec(disposition);
+      const filename = match ? decodeURIComponent(match[1].trim()) : void 0;
+      return { bytes, contentType, filename };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof SdkHttpError) throw error;
+      const err = error;
+      if (err.name === "AbortError") {
+        throw new SdkHttpError("Request timeout", 408);
+      }
+      throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
+    }
+  }
   async function upload(path, file, filename, metadata, fieldName = "file", opts) {
     const url = `${config.baseUrl}${path}`;
     const controller = new AbortController();
@@ -6753,6 +6799,10 @@ function createHttpClient(config) {
       if (opts?.customerToken) {
         headers["X-Customer-Session-Token"] = opts.customerToken;
       }
+      if (opts?.onBehalfOf) {
+        headers["Authorization"] = `Bearer ${opts.onBehalfOf}`;
+        headers["X-Customer-Session-Claim"] = opts.onBehalfOf;
+      }
       if (opts?.headers) {
         Object.assign(headers, opts.headers);
       }
@@ -6810,6 +6860,7 @@ function createHttpClient(config) {
     delete: (path, opts) => withAuthRetry(path, () => request("DELETE", path, void 0, opts)),
     getText: (path, opts) => withAuthRetry(path, () => getText(path, opts)),
     getBinary: (path, opts) => withAuthRetry(path, () => getBinary(path, opts)),
+    getBinaryWithMeta: (path, opts) => withAuthRetry(path, () => getBinaryWithMeta(path, opts)),
     upload: ((path, file, filename, metadata, fieldName, opts) => withAuthRetry(path, () => upload(path, file, filename, metadata, fieldName, opts))),
     setAuthToken,
     getAuthToken
@@ -6830,6 +6881,22 @@ function isRuleRejected(err) {
   if (!Array.isArray(obj.ruleAtoms)) return false;
   return obj.ruleAtoms.every((a) => typeof a === "string");
 }
+function isSmartEngineSdkError(err) {
+  return err instanceof SdkHttpError;
+}
+function toHttpError(err) {
+  if (isSmartEngineSdkError(err)) {
+    return {
+      statusCode: err.statusCode >= 400 ? err.statusCode : 502,
+      code: "SDK_HTTP_ERROR",
+      message: err.message,
+      isRetryable: err.isRetryable,
+      details: err.details
+    };
+  }
+  const message = err instanceof Error ? err.message : "Unknown error";
+  return { statusCode: 500, code: "INTERNAL_ERROR", message, isRetryable: false };
+}
 
 // src/discovery/discovery-client.ts
 var DiscoveryClient = class {
@@ -8567,6 +8634,9 @@ function isPositiveDecimalString(value) {
 }
 
 // src/baas/agents/index.ts
+function isAgentFundPending(r) {
+  return "pendingOpId" in r;
+}
 var AgentsClient = class {
   constructor(http) {
     this.http = http;
@@ -8585,9 +8655,12 @@ var AgentsClient = class {
     return this.http.get("/api/v3/baas/agents", opts);
   }
   /**
-   * Fund agent treasury (owner-only). Returns a
+   * Fund agent treasury (owner-only). Normally returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope —
-   * the caller is expected to sign and submit the prepared bytes.
+   * the caller is expected to sign and submit the prepared bytes. When the
+   * amount trips an approval-required rule the host instead returns an
+   * {@link AgentPendingApprovalResponse}; discriminate with
+   * {@link isAgentFundPending}.
    */
   async fund(agentId, request, opts) {
     return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/fund`, request, opts);
@@ -8626,6 +8699,14 @@ var AgentsClient = class {
   async revoke(agentId, opts) {
     return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/revoke`, {}, opts);
   }
+  /**
+   * Get an agent's certification snapshot (identity, rule refs, BLS group key,
+   * and recent on-chain activity). A 404 throws `SdkHttpError` via `http.get`
+   * — parity with {@link get}.
+   */
+  async certification(agentId, opts) {
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/certification`, opts);
+  }
   /**
    * Update agent rules.
    *
@@ -10497,10 +10578,11 @@ function createAnthropicProvider(opts) {
 }
 
 // src/ai/openai.ts
-var OPENAI_URL = "https://api.openai.com/v1/chat/completions";
+var DEFAULT_OPENAI_BASE_URL = "https://api.openai.com/v1";
 var DEFAULT_MAX_TOKENS2 = 1024;
 function createOpenAiProvider(opts) {
   const { apiKey, model } = opts;
+  const url = `${(opts.baseURL ?? DEFAULT_OPENAI_BASE_URL).replace(/\/+$/, "")}/chat/completions`;
   return {
     provider: "openai",
     async infer(args) {
@@ -10514,11 +10596,13 @@ function createOpenAiProvider(opts) {
       let res;
       try {
         res = await fetchWithTimeout(
-          OPENAI_URL,
+          url,
           {
             method: "POST",
             headers: {
-              Authorization: `Bearer ${apiKey}`,
+              // Auth only when a key is supplied — a keyless local server (Ollama)
+              // rejects a bogus Bearer header.
+              ...apiKey ? { Authorization: `Bearer ${apiKey}` } : {},
               "content-type": "application/json"
             },
             body: JSON.stringify({
@@ -10603,14 +10687,14 @@ function createGeminiProvider(opts) {
 
 // src/ai/factory.ts
 function createModelProvider(opts) {
-  const { provider, apiKey, model } = opts;
+  const { provider, apiKey, model, baseURL } = opts;
   switch (provider) {
     case "anthropic":
-      return createAnthropicProvider({ apiKey, model });
+      return createAnthropicProvider({ apiKey: apiKey ?? "", model });
     case "openai":
-      return createOpenAiProvider({ apiKey, model });
+      return createOpenAiProvider({ apiKey, model, baseURL });
     case "gemini":
-      return createGeminiProvider({ apiKey, model });
+      return createGeminiProvider({ apiKey: apiKey ?? "", model });
     default: {
       const never = provider;
       throw new Error(`Unsupported model provider: ${String(never)}`);
@@ -10675,10 +10759,10 @@ function extractJson(raw) {
   );
 }
 async function inferJson(opts) {
-  const { provider, apiKey, model, system, input, maxTokens, timeoutMs, signal, parse } = opts;
+  const { provider, apiKey, model, baseURL, system, input, maxTokens, timeoutMs, signal, parse } = opts;
   let client;
   try {
-    client = createModelProvider({ provider, apiKey, model });
+    client = createModelProvider({ provider, apiKey, model, baseURL });
   } catch (err) {
     return { ok: false, error: errMsg(err) };
   }
@@ -10740,6 +10824,7 @@ __export(baas_exports, {
   MessagingClient: () => MessagingClient,
   RulesClient: () => RulesClient,
   StorageClient: () => StorageClient,
+  isAgentFundPending: () => isAgentFundPending,
   validateAgentRules: () => validateAgentRules
 });
 
@@ -10893,6 +10978,20 @@ var StorageClient = class {
     const appId = this.getAppId();
     return this.http.getBinary(`/api/v3/baas/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`, opts);
   }
+  /**
+   * Download a file by CID WITH its response metadata — the raw bytes plus the
+   * host-supplied `contentType` (derived from the stored file's metadata) and,
+   * when present, the `filename`. Use this instead of {@link download} when the
+   * caller must echo the content-type back to its own client; a bytes-only
+   * download cannot recover it.
+   */
+  async downloadWithMeta(cid, opts) {
+    const appId = this.getAppId();
+    return this.http.getBinaryWithMeta(
+      `/api/v3/baas/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`,
+      opts
+    );
+  }
   /**
    * Get file metadata
    */
@@ -11015,6 +11114,16 @@ var FunctionsClient = class {
       opts
     );
   }
+  /**
+   * Get a function's source code
+   */
+  async getCode(functionId, opts) {
+    const appId = this.getAppId();
+    return this.http.get(
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/code`,
+      opts
+    );
+  }
   /**
    * Update a function
    */
@@ -11596,6 +11705,44 @@ var EntitiesClient = class _EntitiesClient {
   async createAgent(req) {
     return this.http.post("/api/v3/baas/entities/createAgent", req);
   }
+  /**
+   * PREPARE half of the payer-funded agent-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'agent'`. The cluster
+   * runs the per-entity DKG (persists the binding, submits nothing on-chain) and
+   * returns the unsigned payer-funding `Payment`(s) the caller signs + submits with
+   * their own wallet — mirroring `prepareCreateAccount`. The agent's primary chain
+   * is relayed as `chain` (the generic prepare/execute DTO key) so the host's
+   * chain-bound preparer runs; `name` / `agentType` / `ruleRef` ride along.
+   */
+  async prepareCreateAgent(req) {
+    const { primaryChain, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "agent",
+      chain: primaryChain,
+      ...rest
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded agent-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'agent'`. The entity
+   * already exists (its DKG ran during prepare); pass `signedFundingBlob` for the
+   * validator to submit the payer's signed funding tx (XRPL/Stellar account-model
+   * relay), or omit it when the caller already submitted the funding tx themselves.
+   * `createTxId` is the Hedera receipt thread (the prepared create's
+   * `transactionId`); ignored for non-Hedera chains. Mirrors
+   * `executeCreateAccount` but tags `entityType: 'agent'`.
+   */
+  async executeCreateAgent(req) {
+    const { createTxId, signedFundingBlob, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {},
+      ...signedFundingBlob !== void 0 ? { signedFundingBlob } : {},
+      entityType: "agent"
+    });
+  }
   /**
    * Mega-helper: build a token rule with a launchpad ModuleEntry attached,
    * publish it, create the token, and return the combined result in one HTTP
@@ -13883,9 +14030,11 @@ exports.forToken = forToken;
 exports.forTopic = forTopic;
 exports.governance = governance_exports;
 exports.inferJson = inferJson;
+exports.isAgentFundPending = isAgentFundPending;
 exports.isKnownNetwork = isKnownNetwork;
 exports.isPersonhoodVerifierNotConfigured = isPersonhoodVerifierNotConfigured;
 exports.isRuleRejected = isRuleRejected;
+exports.isSmartEngineSdkError = isSmartEngineSdkError;
 exports.managedAccount = managedAccount;
 exports.membershipNft = membershipNft;
 exports.module_ = module_;
@@ -13909,6 +14058,7 @@ exports.subscriptionNft = subscriptionNft;
 exports.systemTopic = systemTopic;
 exports.template = template;
 exports.tieredIDO = tieredIDO;
+exports.toHttpError = toHttpError;
 exports.tokenDAO = tokenDAO;
 exports.tokens = tokens_exports;
 exports.tradingAgent = tradingAgent;