npm - @hypercerts-org/sdk-core - Versions diffs - 0.2.0-beta.0 - Mend

@hypercerts-org/sdk-core 0.2.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/.turbo/turbo-build.log +328 -0
package/.turbo/turbo-test.log +118 -0
package/CHANGELOG.md +16 -0
package/LICENSE +21 -0
package/README.md +100 -0
package/dist/errors.cjs +260 -0
package/dist/errors.cjs.map +1 -0
package/dist/errors.d.ts +233 -0
package/dist/errors.mjs +253 -0
package/dist/errors.mjs.map +1 -0
package/dist/index.cjs +4531 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.ts +3430 -0
package/dist/index.mjs +4448 -0
package/dist/index.mjs.map +1 -0
package/dist/lexicons.cjs +420 -0
package/dist/lexicons.cjs.map +1 -0
package/dist/lexicons.d.ts +227 -0
package/dist/lexicons.mjs +410 -0
package/dist/lexicons.mjs.map +1 -0
package/dist/storage.cjs +270 -0
package/dist/storage.cjs.map +1 -0
package/dist/storage.d.ts +474 -0
package/dist/storage.mjs +267 -0
package/dist/storage.mjs.map +1 -0
package/dist/testing.cjs +415 -0
package/dist/testing.cjs.map +1 -0
package/dist/testing.d.ts +928 -0
package/dist/testing.mjs +410 -0
package/dist/testing.mjs.map +1 -0
package/dist/types.cjs +220 -0
package/dist/types.cjs.map +1 -0
package/dist/types.d.ts +2118 -0
package/dist/types.mjs +212 -0
package/dist/types.mjs.map +1 -0
package/eslint.config.mjs +22 -0
package/package.json +90 -0
package/rollup.config.js +75 -0
package/src/auth/OAuthClient.ts +497 -0
package/src/core/SDK.ts +410 -0
package/src/core/config.ts +243 -0
package/src/core/errors.ts +257 -0
package/src/core/interfaces.ts +324 -0
package/src/core/types.ts +281 -0
package/src/errors.ts +57 -0
package/src/index.ts +107 -0
package/src/lexicons.ts +64 -0
package/src/repository/BlobOperationsImpl.ts +199 -0
package/src/repository/CollaboratorOperationsImpl.ts +288 -0
package/src/repository/HypercertOperationsImpl.ts +1146 -0
package/src/repository/LexiconRegistry.ts +332 -0
package/src/repository/OrganizationOperationsImpl.ts +234 -0
package/src/repository/ProfileOperationsImpl.ts +281 -0
package/src/repository/RecordOperationsImpl.ts +340 -0
package/src/repository/Repository.ts +482 -0
package/src/repository/interfaces.ts +868 -0
package/src/repository/types.ts +111 -0
package/src/services/hypercerts/types.ts +87 -0
package/src/storage/InMemorySessionStore.ts +127 -0
package/src/storage/InMemoryStateStore.ts +146 -0
package/src/storage.ts +63 -0
package/src/testing/index.ts +67 -0
package/src/testing/mocks.ts +142 -0
package/src/testing/stores.ts +285 -0
package/src/testing.ts +64 -0
package/src/types.ts +86 -0
package/tests/auth/OAuthClient.test.ts +164 -0
package/tests/core/SDK.test.ts +176 -0
package/tests/core/errors.test.ts +81 -0
package/tests/repository/BlobOperationsImpl.test.ts +154 -0
package/tests/repository/CollaboratorOperationsImpl.test.ts +323 -0
package/tests/repository/HypercertOperationsImpl.test.ts +652 -0
package/tests/repository/LexiconRegistry.test.ts +192 -0
package/tests/repository/OrganizationOperationsImpl.test.ts +242 -0
package/tests/repository/ProfileOperationsImpl.test.ts +254 -0
package/tests/repository/RecordOperationsImpl.test.ts +375 -0
package/tests/repository/Repository.test.ts +149 -0
package/tests/utils/fixtures.ts +117 -0
package/tests/utils/mocks.ts +109 -0
package/tests/utils/repository-fixtures.ts +78 -0
package/tsconfig.json +11 -0
package/tsconfig.tsbuildinfo +1 -0
package/vitest.config.ts +30 -0

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,4531 @@
+'use strict';
+var oauthClientNode = require('@atproto/oauth-client-node');
+var lexicon$1 = require('@atproto/lexicon');
+var api = require('@atproto/api');
+var lexicon = require('@hypercerts-org/lexicon');
+var eventemitter3 = require('eventemitter3');
+var zod = require('zod');
+/**
+ * Base error class for all SDK errors.
+ *
+ * All errors thrown by the Hypercerts SDK extend this class, making it easy
+ * to catch and handle SDK-specific errors.
+ *
+ * @example Catching all SDK errors
+ * ```typescript
+ * try {
+ *   await sdk.authorize("user.bsky.social");
+ * } catch (error) {
+ *   if (error instanceof ATProtoSDKError) {
+ *     console.error(`SDK Error [${error.code}]: ${error.message}`);
+ *     console.error(`HTTP Status: ${error.status}`);
+ *   }
+ * }
+ * ```
+ *
+ * @example Checking error codes
+ * ```typescript
+ * try {
+ *   await repo.records.get(collection, rkey);
+ * } catch (error) {
+ *   if (error instanceof ATProtoSDKError) {
+ *     switch (error.code) {
+ *       case "AUTHENTICATION_ERROR":
+ *         // Redirect to login
+ *         break;
+ *       case "VALIDATION_ERROR":
+ *         // Show form errors
+ *         break;
+ *       case "NETWORK_ERROR":
+ *         // Retry or show offline message
+ *         break;
+ *     }
+ *   }
+ * }
+ * ```
+ */
+class ATProtoSDKError extends Error {
+    /**
+     * Creates a new SDK error.
+     *
+     * @param message - Human-readable error description
+     * @param code - Machine-readable error code for programmatic handling
+     * @param status - HTTP status code associated with this error type
+     * @param cause - The underlying error that caused this error, if any
+     */
+    constructor(message, code, status, cause) {
+        super(message);
+        this.code = code;
+        this.status = status;
+        this.cause = cause;
+        this.name = "ATProtoSDKError";
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+/**
+ * Error thrown when authentication fails.
+ *
+ * This error indicates problems with the OAuth flow, invalid credentials,
+ * or failed token exchanges. Common causes:
+ * - Invalid authorization code
+ * - Expired or invalid state parameter
+ * - Revoked or invalid tokens
+ * - User denied authorization
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   const session = await sdk.callback(params);
+ * } catch (error) {
+ *   if (error instanceof AuthenticationError) {
+ *     // Clear any stored state and redirect to login
+ *     console.error("Authentication failed:", error.message);
+ *   }
+ * }
+ * ```
+ */
+class AuthenticationError extends ATProtoSDKError {
+    /**
+     * Creates an authentication error.
+     *
+     * @param message - Description of what went wrong during authentication
+     * @param cause - The underlying error (e.g., from the OAuth client)
+     */
+    constructor(message, cause) {
+        super(message, "AUTHENTICATION_ERROR", 401, cause);
+        this.name = "AuthenticationError";
+    }
+}
+/**
+ * Error thrown when a session has expired and cannot be refreshed.
+ *
+ * This typically occurs when:
+ * - The refresh token has expired (usually after extended inactivity)
+ * - The user has revoked access to your application
+ * - The PDS has invalidated all sessions for the user
+ *
+ * When this error occurs, the user must re-authenticate.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   const session = await sdk.restoreSession(did);
+ * } catch (error) {
+ *   if (error instanceof SessionExpiredError) {
+ *     // Clear stored session and prompt user to log in again
+ *     localStorage.removeItem("userDid");
+ *     window.location.href = "/login";
+ *   }
+ * }
+ * ```
+ */
+class SessionExpiredError extends ATProtoSDKError {
+    /**
+     * Creates a session expired error.
+     *
+     * @param message - Description of why the session expired
+     * @param cause - The underlying error from the token refresh attempt
+     */
+    constructor(message = "Session expired", cause) {
+        super(message, "SESSION_EXPIRED", 401, cause);
+        this.name = "SessionExpiredError";
+    }
+}
+/**
+ * Error thrown when input validation fails.
+ *
+ * This error indicates that provided data doesn't meet the required format
+ * or constraints. Common causes:
+ * - Missing required fields
+ * - Invalid URL formats
+ * - Invalid DID format
+ * - Schema validation failures for records
+ * - Invalid configuration values
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await sdk.authorize("");  // Empty identifier
+ * } catch (error) {
+ *   if (error instanceof ValidationError) {
+ *     console.error("Invalid input:", error.message);
+ *     // Show validation error to user
+ *   }
+ * }
+ * ```
+ *
+ * @example With Zod validation cause
+ * ```typescript
+ * try {
+ *   await repo.records.create(collection, record);
+ * } catch (error) {
+ *   if (error instanceof ValidationError && error.cause) {
+ *     // error.cause may be a ZodError with detailed field errors
+ *     const zodError = error.cause as ZodError;
+ *     zodError.errors.forEach(e => {
+ *       console.error(`Field ${e.path.join(".")}: ${e.message}`);
+ *     });
+ *   }
+ * }
+ * ```
+ */
+class ValidationError extends ATProtoSDKError {
+    /**
+     * Creates a validation error.
+     *
+     * @param message - Description of what validation failed
+     * @param cause - The underlying validation error (e.g., ZodError)
+     */
+    constructor(message, cause) {
+        super(message, "VALIDATION_ERROR", 400, cause);
+        this.name = "ValidationError";
+    }
+}
+/**
+ * Error thrown when a network request fails.
+ *
+ * This error indicates connectivity issues or server unavailability.
+ * Common causes:
+ * - No internet connection
+ * - DNS resolution failure
+ * - Server timeout
+ * - Server returned 5xx error
+ * - TLS/SSL errors
+ *
+ * These errors are typically transient and may succeed on retry.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await repo.records.list(collection);
+ * } catch (error) {
+ *   if (error instanceof NetworkError) {
+ *     // Implement retry logic or show offline indicator
+ *     console.error("Network error:", error.message);
+ *     await retryWithBackoff(() => repo.records.list(collection));
+ *   }
+ * }
+ * ```
+ */
+class NetworkError extends ATProtoSDKError {
+    /**
+     * Creates a network error.
+     *
+     * @param message - Description of the network failure
+     * @param cause - The underlying error (e.g., fetch error, timeout)
+     */
+    constructor(message, cause) {
+        super(message, "NETWORK_ERROR", 503, cause);
+        this.name = "NetworkError";
+    }
+}
+/**
+ * Error thrown when an SDS-only operation is attempted on a PDS.
+ *
+ * Certain operations are only available on Shared Data Servers (SDS),
+ * such as collaborator management and organization operations.
+ * This error is thrown when these operations are attempted on a
+ * Personal Data Server (PDS).
+ *
+ * @example
+ * ```typescript
+ * const pdsRepo = sdk.repository(session);  // Default is PDS
+ *
+ * try {
+ *   // This will throw SDSRequiredError
+ *   await pdsRepo.collaborators.list();
+ * } catch (error) {
+ *   if (error instanceof SDSRequiredError) {
+ *     // Switch to SDS for this operation
+ *     const sdsRepo = sdk.repository(session, { server: "sds" });
+ *     const collaborators = await sdsRepo.collaborators.list();
+ *   }
+ * }
+ * ```
+ */
+class SDSRequiredError extends ATProtoSDKError {
+    /**
+     * Creates an SDS required error.
+     *
+     * @param message - Description of which operation requires SDS
+     * @param cause - Any underlying error
+     */
+    constructor(message = "This operation requires a Shared Data Server (SDS)", cause) {
+        super(message, "SDS_REQUIRED", 400, cause);
+        this.name = "SDSRequiredError";
+    }
+}
+/**
+ * In-memory implementation of the SessionStore interface.
+ *
+ * This store keeps OAuth sessions in memory using a Map. It's intended
+ * for development, testing, and simple use cases where session persistence
+ * across restarts is not required.
+ *
+ * @remarks
+ * **Warning**: This implementation is **not suitable for production** because:
+ * - Sessions are lost when the process restarts
+ * - Sessions cannot be shared across multiple server instances
+ * - No automatic cleanup of expired sessions
+ *
+ * For production, implement {@link SessionStore} with a persistent backend:
+ * - **Redis**: Good for distributed systems, supports TTL
+ * - **PostgreSQL/MySQL**: Good for existing database infrastructure
+ * - **MongoDB**: Good for document-based storage
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { InMemorySessionStore } from "@hypercerts-org/sdk/storage";
+ *
+ * const sessionStore = new InMemorySessionStore();
+ *
+ * const sdk = new ATProtoSDK({
+ *   oauth: { ... },
+ *   storage: {
+ *     sessionStore,  // Will warn in logs for production
+ *   },
+ * });
+ * ```
+ *
+ * @example Testing usage
+ * ```typescript
+ * const sessionStore = new InMemorySessionStore();
+ *
+ * // After tests, clean up
+ * sessionStore.clear();
+ * ```
+ *
+ * @see {@link SessionStore} for the interface definition
+ * @see {@link InMemoryStateStore} for the corresponding state store
+ */
+class InMemorySessionStore {
+    constructor() {
+        /**
+         * Internal storage for sessions, keyed by DID.
+         * @internal
+         */
+        this.sessions = new Map();
+    }
+    /**
+     * Retrieves a session by DID.
+     *
+     * @param did - The user's Decentralized Identifier
+     * @returns Promise resolving to the session, or `undefined` if not found
+     *
+     * @example
+     * ```typescript
+     * const session = await sessionStore.get("did:plc:abc123");
+     * if (session) {
+     *   console.log("Session found");
+     * }
+     * ```
+     */
+    async get(did) {
+        return this.sessions.get(did);
+    }
+    /**
+     * Stores or updates a session.
+     *
+     * @param did - The user's DID to use as the key
+     * @param session - The session data to store
+     *
+     * @remarks
+     * If a session already exists for the DID, it is overwritten.
+     *
+     * @example
+     * ```typescript
+     * await sessionStore.set("did:plc:abc123", sessionData);
+     * ```
+     */
+    async set(did, session) {
+        this.sessions.set(did, session);
+    }
+    /**
+     * Deletes a session by DID.
+     *
+     * @param did - The DID of the session to delete
+     *
+     * @remarks
+     * If no session exists for the DID, this is a no-op.
+     *
+     * @example
+     * ```typescript
+     * await sessionStore.del("did:plc:abc123");
+     * ```
+     */
+    async del(did) {
+        this.sessions.delete(did);
+    }
+    /**
+     * Clears all stored sessions.
+     *
+     * This is primarily useful for testing to ensure a clean state
+     * between test runs.
+     *
+     * @remarks
+     * This method is synchronous (not async) for convenience in test cleanup.
+     *
+     * @example
+     * ```typescript
+     * // In test teardown
+     * afterEach(() => {
+     *   sessionStore.clear();
+     * });
+     * ```
+     */
+    clear() {
+        this.sessions.clear();
+    }
+}
+/**
+ * In-memory implementation of the StateStore interface.
+ *
+ * This store keeps OAuth state parameters in memory using a Map. State is
+ * used during the OAuth authorization flow for CSRF protection and PKCE.
+ *
+ * @remarks
+ * **Warning**: This implementation is **not suitable for production** because:
+ * - State is lost when the process restarts (breaking in-progress OAuth flows)
+ * - State cannot be shared across multiple server instances
+ * - No automatic cleanup of expired state (memory leak potential)
+ *
+ * For production, implement {@link StateStore} with a persistent backend
+ * that supports TTL (time-to-live):
+ * - **Redis**: Ideal choice with built-in TTL support
+ * - **Database with cleanup job**: PostgreSQL/MySQL with periodic cleanup
+ *
+ * **State Lifecycle**:
+ * 1. Created when user starts OAuth flow (`authorize()`)
+ * 2. Retrieved and validated during callback
+ * 3. Deleted after successful or failed callback
+ * 4. Should expire after ~15 minutes if callback never happens
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { InMemoryStateStore } from "@hypercerts-org/sdk/storage";
+ *
+ * const stateStore = new InMemoryStateStore();
+ *
+ * const sdk = new ATProtoSDK({
+ *   oauth: { ... },
+ *   storage: {
+ *     stateStore,  // Will warn in logs for production
+ *   },
+ * });
+ * ```
+ *
+ * @example Testing usage
+ * ```typescript
+ * const stateStore = new InMemoryStateStore();
+ *
+ * // After tests, clean up
+ * stateStore.clear();
+ * ```
+ *
+ * @see {@link StateStore} for the interface definition
+ * @see {@link InMemorySessionStore} for the corresponding session store
+ */
+class InMemoryStateStore {
+    constructor() {
+        /**
+         * Internal storage for OAuth state, keyed by state string.
+         * @internal
+         */
+        this.states = new Map();
+    }
+    /**
+     * Retrieves OAuth state by key.
+     *
+     * @param key - The state key (random string from authorization URL)
+     * @returns Promise resolving to the state, or `undefined` if not found
+     *
+     * @remarks
+     * The key is a cryptographically random string generated during
+     * the authorization request. It's included in the callback URL
+     * and used to retrieve the associated PKCE verifier and other data.
+     *
+     * @example
+     * ```typescript
+     * // During OAuth callback
+     * const state = await stateStore.get(params.get("state")!);
+     * if (!state) {
+     *   throw new Error("Invalid or expired state");
+     * }
+     * ```
+     */
+    async get(key) {
+        return this.states.get(key);
+    }
+    /**
+     * Stores OAuth state temporarily.
+     *
+     * @param key - The state key to use for storage
+     * @param state - The OAuth state data (includes PKCE verifier, etc.)
+     *
+     * @remarks
+     * In production implementations, state should be stored with a TTL
+     * of approximately 10-15 minutes to prevent stale state accumulation.
+     *
+     * @example
+     * ```typescript
+     * // Called internally by OAuthClient during authorize()
+     * await stateStore.set(stateKey, {
+     *   // PKCE code verifier, redirect URI, etc.
+     * });
+     * ```
+     */
+    async set(key, state) {
+        this.states.set(key, state);
+    }
+    /**
+     * Deletes OAuth state by key.
+     *
+     * @param key - The state key to delete
+     *
+     * @remarks
+     * Called after the OAuth callback is processed (whether successful or not)
+     * to clean up the temporary state.
+     *
+     * @example
+     * ```typescript
+     * // After processing callback
+     * await stateStore.del(stateKey);
+     * ```
+     */
+    async del(key) {
+        this.states.delete(key);
+    }
+    /**
+     * Clears all stored state.
+     *
+     * This is primarily useful for testing to ensure a clean state
+     * between test runs.
+     *
+     * @remarks
+     * This method is synchronous (not async) for convenience in test cleanup.
+     * In production, be careful using this as it will invalidate all
+     * in-progress OAuth flows.
+     *
+     * @example
+     * ```typescript
+     * // In test teardown
+     * afterEach(() => {
+     *   stateStore.clear();
+     * });
+     * ```
+     */
+    clear() {
+        this.states.clear();
+    }
+}
+/**
+ * OAuth 2.0 client for AT Protocol authentication with DPoP support.
+ *
+ * This class wraps the `@atproto/oauth-client-node` library to provide
+ * OAuth 2.0 authentication with the following features:
+ *
+ * - **DPoP (Demonstrating Proof of Possession)**: Binds tokens to cryptographic keys
+ *   to prevent token theft and replay attacks
+ * - **PKCE (Proof Key for Code Exchange)**: Protects against authorization code interception
+ * - **Automatic Token Refresh**: Transparently refreshes expired access tokens
+ * - **Session Persistence**: Stores sessions in configurable storage backends
+ *
+ * @remarks
+ * This class is typically used internally by {@link ATProtoSDK}. Direct usage
+ * is only needed for advanced scenarios.
+ *
+ * The client uses lazy initialization - the underlying `NodeOAuthClient` is
+ * created asynchronously on first use. This allows the constructor to return
+ * synchronously while deferring async key parsing.
+ *
+ * @example Direct usage (advanced)
+ * ```typescript
+ * import { OAuthClient } from "@hypercerts-org/sdk";
+ *
+ * const client = new OAuthClient({
+ *   oauth: {
+ *     clientId: "https://my-app.com/client-metadata.json",
+ *     redirectUri: "https://my-app.com/callback",
+ *     scope: "atproto transition:generic",
+ *     jwksUri: "https://my-app.com/.well-known/jwks.json",
+ *     jwkPrivate: process.env.JWK_PRIVATE_KEY!,
+ *   },
+ *   servers: { pds: "https://bsky.social" },
+ * });
+ *
+ * // Start authorization
+ * const authUrl = await client.authorize("user.bsky.social");
+ *
+ * // Handle callback
+ * const session = await client.callback(new URLSearchParams(callbackUrl.search));
+ * ```
+ *
+ * @see {@link ATProtoSDK} for the recommended high-level API
+ * @see https://atproto.com/specs/oauth for AT Protocol OAuth specification
+ */
+class OAuthClient {
+    /**
+     * Creates a new OAuth client.
+     *
+     * @param config - SDK configuration including OAuth credentials and server URLs
+     * @throws {@link AuthenticationError} if the JWK private key is not valid JSON
+     *
+     * @remarks
+     * The constructor validates the JWK format synchronously but defers
+     * the actual client initialization to the first API call.
+     */
+    constructor(config) {
+        /** The underlying NodeOAuthClient instance (lazily initialized) */
+        this.client = null;
+        this.config = config;
+        this.logger = config.logger;
+        // Validate JWK format synchronously (before async initialization)
+        try {
+            JSON.parse(config.oauth.jwkPrivate);
+        }
+        catch (error) {
+            throw new AuthenticationError("Failed to parse JWK private key. Ensure it is valid JSON.", error);
+        }
+        // Initialize client lazily (async initialization)
+        this.clientPromise = this.initializeClient();
+    }
+    /**
+     * Initializes the NodeOAuthClient asynchronously.
+     *
+     * This method is called lazily on first use. It:
+     * 1. Parses the JWK private key(s)
+     * 2. Builds OAuth client metadata
+     * 3. Creates the underlying NodeOAuthClient
+     *
+     * @returns Promise resolving to the initialized client
+     * @internal
+     */
+    async initializeClient() {
+        if (this.client) {
+            return this.client;
+        }
+        // Parse JWK private key (already validated in constructor)
+        const privateJWK = JSON.parse(this.config.oauth.jwkPrivate);
+        // Build client metadata
+        const clientMetadata = this.buildClientMetadata();
+        // Convert JWK keys to JoseKey instances (await here)
+        const keyset = await Promise.all(privateJWK.keys.map((key) => oauthClientNode.JoseKey.fromImportable(key, key.kid)));
+        // Create fetch with timeout
+        const fetchWithTimeout = this.createFetchWithTimeout(this.config.timeouts?.pdsMetadata ?? 30000);
+        // Use provided stores or fall back to in-memory implementations
+        const stateStore = this.config.storage?.stateStore ?? new InMemoryStateStore();
+        const sessionStore = this.config.storage?.sessionStore ?? new InMemorySessionStore();
+        this.client = new oauthClientNode.NodeOAuthClient({
+            clientMetadata,
+            keyset,
+            stateStore: this.createStateStoreAdapter(stateStore),
+            sessionStore: this.createSessionStoreAdapter(sessionStore),
+            handleResolver: this.config.servers?.pds,
+            fetch: this.config.fetch ?? fetchWithTimeout,
+        });
+        return this.client;
+    }
+    /**
+     * Gets the OAuth client instance, initializing if needed.
+     *
+     * @returns Promise resolving to the initialized client
+     * @internal
+     */
+    async getClient() {
+        return this.clientPromise;
+    }
+    /**
+     * Builds OAuth client metadata from configuration.
+     *
+     * The metadata describes your application to the authorization server
+     * and must match what's published at your `clientId` URL.
+     *
+     * @returns OAuth client metadata object
+     * @internal
+     *
+     * @remarks
+     * Key metadata fields:
+     * - `client_id`: URL to your client metadata JSON
+     * - `redirect_uris`: Where to redirect after auth (must match config)
+     * - `dpop_bound_access_tokens`: Always true for AT Protocol
+     * - `token_endpoint_auth_method`: Uses private_key_jwt for security
+     */
+    buildClientMetadata() {
+        const clientIdUrl = new URL(this.config.oauth.clientId);
+        return {
+            client_id: this.config.oauth.clientId,
+            client_name: "ATProto SDK Client",
+            client_uri: clientIdUrl.origin,
+            redirect_uris: [this.config.oauth.redirectUri],
+            scope: this.config.oauth.scope,
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            application_type: "web",
+            token_endpoint_auth_method: "private_key_jwt",
+            token_endpoint_auth_signing_alg: "ES256",
+            dpop_bound_access_tokens: true,
+            jwks_uri: this.config.oauth.jwksUri,
+        };
+    }
+    /**
+     * Creates a fetch handler with timeout support.
+     *
+     * @param timeoutMs - Request timeout in milliseconds
+     * @returns A fetch function that aborts after the timeout
+     * @internal
+     */
+    createFetchWithTimeout(timeoutMs) {
+        return async (input, init) => {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+            try {
+                const response = await fetch(input, {
+                    ...init,
+                    signal: controller.signal,
+                });
+                clearTimeout(timeoutId);
+                return response;
+            }
+            catch (error) {
+                clearTimeout(timeoutId);
+                if (error instanceof Error && error.name === "AbortError") {
+                    throw new NetworkError(`Request timeout after ${timeoutMs}ms`, error);
+                }
+                throw new NetworkError("Network request failed", error);
+            }
+        };
+    }
+    /**
+     * Creates a state store adapter compatible with NodeOAuthClient.
+     *
+     * @param store - The StateStore implementation to adapt
+     * @returns An adapter compatible with NodeOAuthClient
+     * @internal
+     */
+    createStateStoreAdapter(store) {
+        return {
+            get: (key) => store.get(key),
+            set: (key, value) => store.set(key, value),
+            del: (key) => store.del(key),
+        };
+    }
+    /**
+     * Creates a session store adapter compatible with NodeOAuthClient.
+     *
+     * @param store - The SessionStore implementation to adapt
+     * @returns An adapter compatible with NodeOAuthClient
+     * @internal
+     */
+    createSessionStoreAdapter(store) {
+        return {
+            get: (did) => store.get(did),
+            set: (did, session) => store.set(did, session),
+            del: (did) => store.del(did),
+        };
+    }
+    /**
+     * Initiates the OAuth authorization flow.
+     *
+     * This method resolves the user's identity from their identifier,
+     * generates PKCE codes, creates OAuth state, and returns an
+     * authorization URL to redirect the user to.
+     *
+     * @param identifier - The user's ATProto identifier. Accepts:
+     *   - Handle (e.g., `"alice.bsky.social"`)
+     *   - DID (e.g., `"did:plc:abc123..."`)
+     *   - PDS URL (e.g., `"https://bsky.social"`)
+     * @param options - Optional authorization settings
+     * @returns A Promise resolving to the authorization URL
+     * @throws {@link AuthenticationError} if authorization setup fails
+     * @throws {@link NetworkError} if identity resolution fails
+     *
+     * @example
+     * ```typescript
+     * // Get authorization URL
+     * const authUrl = await client.authorize("user.bsky.social");
+     *
+     * // Redirect user (in a web app)
+     * window.location.href = authUrl;
+     *
+     * // Or return to client (in an API)
+     * res.json({ authUrl });
+     * ```
+     */
+    async authorize(identifier, options) {
+        try {
+            this.logger?.debug("Initiating OAuth authorization", { identifier });
+            const client = await this.getClient();
+            const scope = options?.scope ?? this.config.oauth.scope;
+            const authUrl = await client.authorize(identifier, { scope });
+            this.logger?.debug("Authorization URL generated", { identifier });
+            // Convert URL to string if needed
+            return typeof authUrl === "string" ? authUrl : authUrl.toString();
+        }
+        catch (error) {
+            this.logger?.error("Authorization failed", { identifier, error });
+            if (error instanceof NetworkError || error instanceof AuthenticationError) {
+                throw error;
+            }
+            throw new AuthenticationError(`Failed to initiate authorization: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+    /**
+     * Handles the OAuth callback and exchanges the authorization code for tokens.
+     *
+     * Call this method when the user is redirected back to your application.
+     * It validates the state, exchanges the code for tokens, and creates
+     * a persistent session.
+     *
+     * @param params - URL search parameters from the callback. Expected parameters:
+     *   - `code`: The authorization code
+     *   - `state`: The state parameter (for CSRF protection)
+     *   - `iss`: The issuer (authorization server URL)
+     * @returns A Promise resolving to the authenticated OAuth session
+     * @throws {@link AuthenticationError} if:
+     *   - The callback contains an OAuth error
+     *   - The state is invalid or expired
+     *   - The code exchange fails
+     *   - Session persistence fails
+     *
+     * @example
+     * ```typescript
+     * // In your callback route handler
+     * app.get("/callback", async (req, res) => {
+     *   const params = new URLSearchParams(req.url.split("?")[1]);
+     *
+     *   try {
+     *     const session = await client.callback(params);
+     *     // Store DID for session restoration
+     *     req.session.userDid = session.sub;
+     *     res.redirect("/dashboard");
+     *   } catch (error) {
+     *     res.redirect("/login?error=auth_failed");
+     *   }
+     * });
+     * ```
+     *
+     * @remarks
+     * After successful token exchange, this method verifies that the session
+     * was properly persisted by attempting to restore it. This ensures the
+     * storage backend is working correctly.
+     */
+    async callback(params) {
+        try {
+            this.logger?.debug("Processing OAuth callback");
+            // Check for OAuth errors
+            const error = params.get("error");
+            if (error) {
+                const errorDescription = params.get("error_description");
+                throw new AuthenticationError(errorDescription || error);
+            }
+            const client = await this.getClient();
+            const result = await client.callback(params);
+            const session = result.session;
+            const did = session.sub;
+            this.logger?.info("OAuth callback successful", { did });
+            // Verify session can be restored (validates persistence)
+            try {
+                const restored = await client.restore(did);
+                if (!restored) {
+                    throw new AuthenticationError("OAuth session was not persisted");
+                }
+                this.logger?.debug("Session verified and restorable", { did });
+            }
+            catch (restoreError) {
+                this.logger?.error("Failed to verify persisted session", {
+                    did,
+                    error: restoreError,
+                });
+                throw new AuthenticationError("Failed to persist OAuth session", restoreError);
+            }
+            return session;
+        }
+        catch (error) {
+            this.logger?.error("OAuth callback failed", { error });
+            if (error instanceof AuthenticationError) {
+                throw error;
+            }
+            throw new AuthenticationError(`OAuth callback failed: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+    /**
+     * Restores an OAuth session by DID.
+     *
+     * Use this method to restore a previously authenticated session.
+     * The method automatically refreshes expired access tokens using
+     * the stored refresh token.
+     *
+     * @param did - The user's Decentralized Identifier (e.g., `"did:plc:abc123..."`)
+     * @returns A Promise resolving to the session, or `null` if not found
+     * @throws {@link AuthenticationError} if session restoration fails (not for missing sessions)
+     * @throws {@link NetworkError} if token refresh requires network and fails
+     *
+     * @example
+     * ```typescript
+     * // On application startup or request
+     * const userDid = req.session.userDid;
+     * if (userDid) {
+     *   const session = await client.restore(userDid);
+     *   if (session) {
+     *     // Session restored, user is authenticated
+     *     req.atprotoSession = session;
+     *   } else {
+     *     // No session found, user needs to log in
+     *     delete req.session.userDid;
+     *   }
+     * }
+     * ```
+     *
+     * @remarks
+     * Token refresh is handled automatically by the underlying OAuth client.
+     * If the refresh token has expired or been revoked, this method will
+     * throw an {@link AuthenticationError}.
+     */
+    async restore(did) {
+        try {
+            this.logger?.debug("Restoring session", { did });
+            const client = await this.getClient();
+            const session = await client.restore(did);
+            if (session) {
+                this.logger?.debug("Session restored", { did });
+            }
+            else {
+                this.logger?.debug("No session found", { did });
+            }
+            return session;
+        }
+        catch (error) {
+            this.logger?.error("Failed to restore session", { did, error });
+            if (error instanceof NetworkError) {
+                throw error;
+            }
+            throw new AuthenticationError(`Failed to restore session: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+    /**
+     * Revokes an OAuth session.
+     *
+     * This method invalidates the session's tokens both locally and
+     * (if supported) on the authorization server. After revocation,
+     * the session cannot be restored.
+     *
+     * @param did - The user's DID to revoke
+     * @throws {@link AuthenticationError} if revocation fails
+     *
+     * @example
+     * ```typescript
+     * // Log out endpoint
+     * app.post("/logout", async (req, res) => {
+     *   const userDid = req.session.userDid;
+     *   if (userDid) {
+     *     await client.revoke(userDid);
+     *     delete req.session.userDid;
+     *   }
+     *   res.redirect("/");
+     * });
+     * ```
+     *
+     * @remarks
+     * Even if revocation fails on the server, the local session is
+     * removed. The error is thrown to inform you that remote revocation
+     * may not have succeeded.
+     */
+    async revoke(did) {
+        try {
+            this.logger?.debug("Revoking session", { did });
+            const client = await this.getClient();
+            await client.revoke(did);
+            this.logger?.info("Session revoked", { did });
+        }
+        catch (error) {
+            this.logger?.error("Failed to revoke session", { did, error });
+            throw new AuthenticationError(`Failed to revoke session: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+}
+/**
+ * Registry for managing and validating AT Protocol lexicon schemas.
+ *
+ * Lexicons are schema definitions that describe the structure of records
+ * in the AT Protocol. This registry allows you to:
+ *
+ * - Register custom lexicons for your application's record types
+ * - Validate records against their lexicon schemas
+ * - Extend the AT Protocol Agent with custom lexicon support
+ *
+ * @remarks
+ * The SDK automatically registers hypercert lexicons when creating a Repository.
+ * You only need to use this class directly if you're working with custom
+ * record types.
+ *
+ * **Lexicon IDs** follow the NSID (Namespaced Identifier) format:
+ * `{authority}.{name}` (e.g., `org.hypercerts.hypercert`)
+ *
+ * @example Registering custom lexicons
+ * ```typescript
+ * const registry = sdk.getLexiconRegistry();
+ *
+ * // Register a single lexicon
+ * registry.register({
+ *   lexicon: 1,
+ *   id: "org.example.myRecord",
+ *   defs: {
+ *     main: {
+ *       type: "record",
+ *       key: "tid",
+ *       record: {
+ *         type: "object",
+ *         required: ["title", "createdAt"],
+ *         properties: {
+ *           title: { type: "string" },
+ *           description: { type: "string" },
+ *           createdAt: { type: "string", format: "datetime" },
+ *         },
+ *       },
+ *     },
+ *   },
+ * });
+ *
+ * // Register multiple lexicons at once
+ * registry.registerMany([lexicon1, lexicon2, lexicon3]);
+ * ```
+ *
+ * @example Validating records
+ * ```typescript
+ * const result = registry.validate("org.example.myRecord", {
+ *   title: "Test",
+ *   createdAt: new Date().toISOString(),
+ * });
+ *
+ * if (!result.valid) {
+ *   console.error(`Validation failed: ${result.error}`);
+ * }
+ * ```
+ *
+ * @see https://atproto.com/specs/lexicon for the Lexicon specification
+ */
+class LexiconRegistry {
+    /**
+     * Creates a new LexiconRegistry.
+     *
+     * The registry starts empty. Use {@link register} or {@link registerMany}
+     * to add lexicons.
+     */
+    constructor() {
+        /** Map of lexicon ID to lexicon document */
+        this.lexicons = new Map();
+        this.lexiconsCollection = new lexicon$1.Lexicons();
+    }
+    /**
+     * Registers a single lexicon schema.
+     *
+     * @param lexicon - The lexicon document to register
+     * @throws {@link ValidationError} if the lexicon doesn't have an `id` field
+     *
+     * @remarks
+     * If a lexicon with the same ID is already registered, it will be
+     * replaced with the new definition. This is useful for testing but
+     * should generally be avoided in production.
+     *
+     * @example
+     * ```typescript
+     * registry.register({
+     *   lexicon: 1,
+     *   id: "org.example.post",
+     *   defs: {
+     *     main: {
+     *       type: "record",
+     *       key: "tid",
+     *       record: {
+     *         type: "object",
+     *         required: ["text", "createdAt"],
+     *         properties: {
+     *           text: { type: "string", maxLength: 300 },
+     *           createdAt: { type: "string", format: "datetime" },
+     *         },
+     *       },
+     *     },
+     *   },
+     * });
+     * ```
+     */
+    register(lexicon) {
+        if (!lexicon.id) {
+            throw new ValidationError("Lexicon must have an 'id' field");
+        }
+        // Remove existing lexicon if present (to allow overwriting)
+        if (this.lexicons.has(lexicon.id)) {
+            // Lexicons collection doesn't support removal, so we create a new one
+            // This is a limitation - in practice, lexicons shouldn't be overwritten
+            // But we allow it for testing and flexibility
+            const existingLexicon = this.lexicons.get(lexicon.id);
+            if (existingLexicon) {
+                // Try to remove from collection (may fail if not supported)
+                try {
+                    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                    this.lexiconsCollection.remove?.(lexicon.id);
+                }
+                catch {
+                    // If removal fails, create a new collection
+                    this.lexiconsCollection = new lexicon$1.Lexicons();
+                    // Re-register all other lexicons
+                    for (const [id, lex] of this.lexicons.entries()) {
+                        if (id !== lexicon.id) {
+                            this.lexiconsCollection.add(lex);
+                        }
+                    }
+                }
+            }
+        }
+        this.lexicons.set(lexicon.id, lexicon);
+        this.lexiconsCollection.add(lexicon);
+    }
+    /**
+     * Registers multiple lexicons at once.
+     *
+     * @param lexicons - Array of lexicon documents to register
+     *
+     * @example
+     * ```typescript
+     * import { HYPERCERT_LEXICONS } from "@hypercerts-org/sdk/lexicons";
+     *
+     * registry.registerMany(HYPERCERT_LEXICONS);
+     * ```
+     */
+    registerMany(lexicons) {
+        for (const lexicon of lexicons) {
+            this.register(lexicon);
+        }
+    }
+    /**
+     * Gets a lexicon document by ID.
+     *
+     * @param id - The lexicon NSID (e.g., "org.hypercerts.hypercert")
+     * @returns The lexicon document, or `undefined` if not registered
+     *
+     * @example
+     * ```typescript
+     * const lexicon = registry.get("org.hypercerts.hypercert");
+     * if (lexicon) {
+     *   console.log(`Found lexicon: ${lexicon.id}`);
+     * }
+     * ```
+     */
+    get(id) {
+        return this.lexicons.get(id);
+    }
+    /**
+     * Validates a record against a collection's lexicon schema.
+     *
+     * @param collection - The collection NSID (same as lexicon ID)
+     * @param record - The record data to validate
+     * @returns Validation result with `valid` boolean and optional `error` message
+     *
+     * @remarks
+     * - If no lexicon is registered for the collection, validation passes
+     *   (we can't validate against unknown schemas)
+     * - Validation checks required fields and type constraints defined
+     *   in the lexicon schema
+     *
+     * @example
+     * ```typescript
+     * const result = registry.validate("org.hypercerts.hypercert", {
+     *   title: "My Hypercert",
+     *   description: "Description...",
+     *   // ... other fields
+     * });
+     *
+     * if (!result.valid) {
+     *   throw new Error(`Invalid record: ${result.error}`);
+     * }
+     * ```
+     */
+    validate(collection, record) {
+        // Check if we have a lexicon registered for this collection
+        // Collection format is typically "namespace.collection" (e.g., "app.bsky.feed.post")
+        // Lexicon ID format is the same
+        const lexiconId = collection;
+        const lexicon = this.lexicons.get(lexiconId);
+        if (!lexicon) {
+            // No lexicon registered - validation passes (can't validate unknown schemas)
+            return { valid: true };
+        }
+        // Check required fields if the lexicon defines them
+        const recordDef = lexicon.defs?.record;
+        if (recordDef && typeof recordDef === "object" && "record" in recordDef) {
+            const recordSchema = recordDef.record;
+            if (typeof recordSchema === "object" && "required" in recordSchema && Array.isArray(recordSchema.required)) {
+                const recordObj = record;
+                for (const requiredField of recordSchema.required) {
+                    if (typeof requiredField === "string" && !(requiredField in recordObj)) {
+                        return {
+                            valid: false,
+                            error: `Missing required field: ${requiredField}`,
+                        };
+                    }
+                }
+            }
+        }
+        try {
+            this.lexiconsCollection.assertValidRecord(collection, record);
+            return { valid: true };
+        }
+        catch (error) {
+            // If error indicates lexicon not found, treat as validation pass
+            // (the lexicon might exist in Agent's collection but not ours)
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            if (errorMessage.includes("not found") || errorMessage.includes("Lexicon not found")) {
+                return { valid: true };
+            }
+            return {
+                valid: false,
+                error: errorMessage,
+            };
+        }
+    }
+    /**
+     * Adds all registered lexicons to an AT Protocol Agent instance.
+     *
+     * This allows the Agent to understand custom lexicon types when making
+     * API requests.
+     *
+     * @param agent - The Agent instance to extend
+     *
+     * @remarks
+     * This is called automatically when creating a Repository. You typically
+     * don't need to call this directly unless you're using the Agent
+     * independently.
+     *
+     * @internal
+     */
+    addToAgent(agent) {
+        // Access the internal lexicons collection and merge our lexicons
+        // The Agent's lex property is a Lexicons instance
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const agentLex = agent.lex;
+        // Add each registered lexicon to the agent
+        for (const lexicon of this.lexicons.values()) {
+            agentLex.add(lexicon);
+        }
+    }
+    /**
+     * Gets all registered lexicon IDs.
+     *
+     * @returns Array of lexicon NSIDs
+     *
+     * @example
+     * ```typescript
+     * const ids = registry.getRegisteredIds();
+     * console.log(`Registered lexicons: ${ids.join(", ")}`);
+     * ```
+     */
+    getRegisteredIds() {
+        return Array.from(this.lexicons.keys());
+    }
+    /**
+     * Checks if a lexicon is registered.
+     *
+     * @param id - The lexicon NSID to check
+     * @returns `true` if the lexicon is registered
+     *
+     * @example
+     * ```typescript
+     * if (registry.has("org.hypercerts.hypercert")) {
+     *   // Hypercert lexicon is available
+     * }
+     * ```
+     */
+    has(id) {
+        return this.lexicons.has(id);
+    }
+}
+/**
+ * RecordOperationsImpl - Low-level record CRUD operations.
+ *
+ * This module provides the implementation for direct AT Protocol
+ * record operations (create, read, update, delete, list).
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of low-level AT Protocol record operations.
+ *
+ * This class provides direct access to the AT Protocol repository API
+ * for CRUD operations on records. It handles:
+ *
+ * - Lexicon validation before create/update operations
+ * - Error mapping to SDK error types
+ * - Response normalization
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.records}.
+ *
+ * All operations are performed against the repository DID specified
+ * at construction time. To operate on a different repository, create
+ * a new Repository instance using {@link Repository.repo}.
+ *
+ * @example
+ * ```typescript
+ * // Access through Repository
+ * const repo = sdk.repository(session);
+ *
+ * // Create a record
+ * const { uri, cid } = await repo.records.create({
+ *   collection: "org.example.myRecord",
+ *   record: { title: "Hello", createdAt: new Date().toISOString() },
+ * });
+ *
+ * // Update the record
+ * const rkey = uri.split("/").pop()!;
+ * await repo.records.update({
+ *   collection: "org.example.myRecord",
+ *   rkey,
+ *   record: { title: "Updated", createdAt: new Date().toISOString() },
+ * });
+ * ```
+ *
+ * @internal
+ */
+class RecordOperationsImpl {
+    /**
+     * Creates a new RecordOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository to operate on
+     * @param lexiconRegistry - Registry for record validation
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, lexiconRegistry) {
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this.lexiconRegistry = lexiconRegistry;
+    }
+    /**
+     * Creates a new record in the specified collection.
+     *
+     * @param params - Creation parameters
+     * @param params.collection - NSID of the collection (e.g., "org.hypercerts.hypercert")
+     * @param params.record - Record data conforming to the collection's lexicon schema
+     * @param params.rkey - Optional record key. If not provided, a TID (timestamp-based ID)
+     *                      is automatically generated by the server.
+     * @returns Promise resolving to the created record's URI and CID
+     * @throws {@link ValidationError} if the record doesn't conform to the lexicon schema
+     * @throws {@link NetworkError} if the API request fails
+     *
+     * @remarks
+     * The record is validated against the collection's lexicon before sending
+     * to the server. If no lexicon is registered for the collection, validation
+     * is skipped (allowing custom record types).
+     *
+     * **AT-URI Format**: `at://{did}/{collection}/{rkey}`
+     *
+     * @example
+     * ```typescript
+     * const result = await repo.records.create({
+     *   collection: "org.hypercerts.hypercert",
+     *   record: {
+     *     title: "My Hypercert",
+     *     description: "...",
+     *     createdAt: new Date().toISOString(),
+     *   },
+     * });
+     * console.log(`Created: ${result.uri}`);
+     * // Output: Created: at://did:plc:abc123/org.hypercerts.hypercert/xyz789
+     * ```
+     */
+    async create(params) {
+        const validation = this.lexiconRegistry.validate(params.collection, params.record);
+        if (!validation.valid) {
+            throw new ValidationError(`Invalid record for collection ${params.collection}: ${validation.error}`);
+        }
+        try {
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                record: params.record,
+                rkey: params.rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create record");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to create record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Updates an existing record (full replacement).
+     *
+     * @param params - Update parameters
+     * @param params.collection - NSID of the collection
+     * @param params.rkey - Record key (the last segment of the AT-URI)
+     * @param params.record - New record data (completely replaces existing record)
+     * @returns Promise resolving to the updated record's URI and new CID
+     * @throws {@link ValidationError} if the record doesn't conform to the lexicon schema
+     * @throws {@link NetworkError} if the API request fails
+     *
+     * @remarks
+     * This is a full replacement operation, not a partial update. The entire
+     * record is replaced with the new data. To preserve existing fields,
+     * first fetch the record with {@link get}, modify it, then update.
+     *
+     * @example
+     * ```typescript
+     * // Get existing record
+     * const existing = await repo.records.get({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     * });
+     *
+     * // Update with modified data
+     * const updated = await repo.records.update({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     *   record: {
+     *     ...existing.value,
+     *     title: "Updated Title",
+     *   },
+     * });
+     * ```
+     */
+    async update(params) {
+        const validation = this.lexiconRegistry.validate(params.collection, params.record);
+        if (!validation.valid) {
+            throw new ValidationError(`Invalid record for collection ${params.collection}: ${validation.error}`);
+        }
+        try {
+            const result = await this.agent.com.atproto.repo.putRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                rkey: params.rkey,
+                record: params.record,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to update record");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to update record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Gets a single record by collection and key.
+     *
+     * @param params - Get parameters
+     * @param params.collection - NSID of the collection
+     * @param params.rkey - Record key
+     * @returns Promise resolving to the record's URI, CID, and value
+     * @throws {@link NetworkError} if the record is not found or request fails
+     *
+     * @example
+     * ```typescript
+     * const record = await repo.records.get({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     * });
+     *
+     * console.log(record.uri);    // at://did:plc:abc123/org.hypercerts.hypercert/xyz789
+     * console.log(record.cid);    // bafyrei...
+     * console.log(record.value);  // { title: "...", description: "...", ... }
+     * ```
+     */
+    async get(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                rkey: params.rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get record");
+            }
+            return { uri: result.data.uri, cid: result.data.cid ?? "", value: result.data.value };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Lists records in a collection with pagination.
+     *
+     * @param params - List parameters
+     * @param params.collection - NSID of the collection
+     * @param params.limit - Maximum number of records to return (server may impose its own limit)
+     * @param params.cursor - Pagination cursor from a previous response
+     * @returns Promise resolving to paginated list of records
+     * @throws {@link NetworkError} if the request fails
+     *
+     * @remarks
+     * Records are returned in reverse chronological order (newest first).
+     * Use the `cursor` from the response to fetch subsequent pages.
+     *
+     * @example Paginating through all records
+     * ```typescript
+     * let cursor: string | undefined;
+     * const allRecords = [];
+     *
+     * do {
+     *   const page = await repo.records.list({
+     *     collection: "org.hypercerts.hypercert",
+     *     limit: 100,
+     *     cursor,
+     *   });
+     *   allRecords.push(...page.records);
+     *   cursor = page.cursor;
+     * } while (cursor);
+     *
+     * console.log(`Total records: ${allRecords.length}`);
+     * ```
+     */
+    async list(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.listRecords({
+                repo: this.repoDid,
+                collection: params.collection,
+                limit: params.limit,
+                cursor: params.cursor,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to list records");
+            }
+            return {
+                records: result.data.records?.map((r) => ({ uri: r.uri, cid: r.cid, value: r.value })) || [],
+                cursor: result.data.cursor ?? undefined,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to list records: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Deletes a record from a collection.
+     *
+     * @param params - Delete parameters
+     * @param params.collection - NSID of the collection
+     * @param params.rkey - Record key to delete
+     * @throws {@link NetworkError} if the deletion fails
+     *
+     * @remarks
+     * Deletion is permanent. The record's AT-URI cannot be reused (the same
+     * rkey can be used for a new record, but it will have a different CID).
+     *
+     * @example
+     * ```typescript
+     * await repo.records.delete({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     * });
+     * ```
+     */
+    async delete(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.deleteRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                rkey: params.rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to delete record");
+            }
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to delete record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+}
+/**
+ * BlobOperationsImpl - Blob upload and retrieval operations.
+ *
+ * This module provides the implementation for AT Protocol blob operations,
+ * handling binary data like images and files.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of blob operations for binary data handling.
+ *
+ * Blobs in AT Protocol are content-addressed binary objects stored
+ * separately from records. They are referenced in records using a
+ * blob reference object with a CID ($link).
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.blobs}.
+ *
+ * **Blob Size Limits**: PDS servers typically impose size limits on blobs.
+ * Common limits are:
+ * - Images: 1MB
+ * - Other files: Varies by server configuration
+ *
+ * **Supported MIME Types**: Any MIME type is technically supported, but
+ * servers may reject certain types. Images (JPEG, PNG, GIF, WebP) are
+ * universally supported.
+ *
+ * @example
+ * ```typescript
+ * // Upload an image blob
+ * const imageBlob = new Blob([imageData], { type: "image/jpeg" });
+ * const { ref, mimeType, size } = await repo.blobs.upload(imageBlob);
+ *
+ * // Use the ref in a record
+ * await repo.records.create({
+ *   collection: "org.example.post",
+ *   record: {
+ *     text: "Check out this image!",
+ *     image: ref,  // { $link: "bafyrei..." }
+ *     createdAt: new Date().toISOString(),
+ *   },
+ * });
+ * ```
+ *
+ * @internal
+ */
+class BlobOperationsImpl {
+    /**
+     * Creates a new BlobOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository (used for blob retrieval)
+     * @param _serverUrl - Server URL (reserved for future use)
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, _serverUrl) {
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this._serverUrl = _serverUrl;
+    }
+    /**
+     * Uploads a blob to the server.
+     *
+     * @param blob - The blob to upload (File or Blob object)
+     * @returns Promise resolving to blob reference and metadata
+     * @throws {@link NetworkError} if the upload fails
+     *
+     * @remarks
+     * The returned `ref` object should be used directly in records to
+     * reference the blob. The `$link` property contains the blob's CID.
+     *
+     * **MIME Type Detection**: If the blob has no type, it defaults to
+     * `application/octet-stream`. For best results, always specify the
+     * correct MIME type when creating the Blob.
+     *
+     * @example Uploading an image
+     * ```typescript
+     * // From a File input
+     * const file = fileInput.files[0];
+     * const { ref } = await repo.blobs.upload(file);
+     *
+     * // From raw data
+     * const imageBlob = new Blob([uint8Array], { type: "image/png" });
+     * const { ref, mimeType, size } = await repo.blobs.upload(imageBlob);
+     *
+     * console.log(`Uploaded ${size} bytes of ${mimeType}`);
+     * console.log(`CID: ${ref.$link}`);
+     * ```
+     *
+     * @example Using in a hypercert
+     * ```typescript
+     * const coverImage = new Blob([imageData], { type: "image/jpeg" });
+     * const { ref } = await repo.blobs.upload(coverImage);
+     *
+     * // The ref is used directly in the record
+     * await repo.hypercerts.create({
+     *   title: "My Hypercert",
+     *   // ... other fields
+     *   image: coverImage,  // HypercertOperations handles upload internally
+     * });
+     * ```
+     */
+    async upload(blob) {
+        try {
+            const arrayBuffer = await blob.arrayBuffer();
+            const uint8Array = new Uint8Array(arrayBuffer);
+            const result = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                encoding: blob.type || "application/octet-stream",
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to upload blob");
+            }
+            return {
+                ref: result.data.blob.ref,
+                mimeType: result.data.blob.mimeType,
+                size: result.data.blob.size,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to upload blob: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Retrieves a blob by its CID.
+     *
+     * @param cid - Content Identifier (CID) of the blob, typically from a blob
+     *              reference's `$link` property
+     * @returns Promise resolving to blob data and MIME type
+     * @throws {@link NetworkError} if the blob is not found or retrieval fails
+     *
+     * @remarks
+     * The returned data is a Uint8Array which can be converted to other
+     * formats as needed (Blob, ArrayBuffer, Base64, etc.).
+     *
+     * **MIME Type**: The returned MIME type comes from the Content-Type header.
+     * If the server doesn't provide one, it defaults to `application/octet-stream`.
+     *
+     * @example Basic retrieval
+     * ```typescript
+     * // Get a blob from a record's blob reference
+     * const record = await repo.records.get({ collection, rkey });
+     * const blobRef = (record.value as any).image;
+     *
+     * const { data, mimeType } = await repo.blobs.get(blobRef.$link);
+     *
+     * // Convert to a Blob for use in the browser
+     * const blob = new Blob([data], { type: mimeType });
+     * const url = URL.createObjectURL(blob);
+     * ```
+     *
+     * @example Displaying an image
+     * ```typescript
+     * const { data, mimeType } = await repo.blobs.get(imageCid);
+     *
+     * // Create data URL for <img> src
+     * const base64 = btoa(String.fromCharCode(...data));
+     * const dataUrl = `data:${mimeType};base64,${base64}`;
+     *
+     * // Or use object URL
+     * const blob = new Blob([data], { type: mimeType });
+     * img.src = URL.createObjectURL(blob);
+     * ```
+     */
+    async get(cid) {
+        try {
+            const result = await this.agent.com.atproto.sync.getBlob({
+                did: this.repoDid,
+                cid,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get blob");
+            }
+            return {
+                data: result.data,
+                mimeType: result.headers["content-type"] || "application/octet-stream",
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get blob: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+}
+/**
+ * ProfileOperationsImpl - User profile operations.
+ *
+ * This module provides the implementation for AT Protocol profile
+ * management, including fetching and updating user profiles.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of profile operations for user profile management.
+ *
+ * Profiles in AT Protocol are stored as records in the `app.bsky.actor.profile`
+ * collection with the special rkey "self". This class provides a convenient
+ * API for reading and updating profile data.
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.profile}.
+ *
+ * **Profile Fields**:
+ * - `handle`: Read-only, managed by the PDS
+ * - `displayName`: User's display name (max 64 chars typically)
+ * - `description`: Profile bio (max 256 chars typically)
+ * - `avatar`: Profile picture blob reference
+ * - `banner`: Banner image blob reference
+ * - `website`: User's website URL (may not be available on all servers)
+ *
+ * @example
+ * ```typescript
+ * // Get profile
+ * const profile = await repo.profile.get();
+ * console.log(`${profile.displayName} (@${profile.handle})`);
+ *
+ * // Update profile
+ * await repo.profile.update({
+ *   displayName: "New Name",
+ *   description: "Updated bio",
+ * });
+ *
+ * // Update with new avatar
+ * const avatarBlob = new Blob([imageData], { type: "image/png" });
+ * await repo.profile.update({ avatar: avatarBlob });
+ *
+ * // Remove a field
+ * await repo.profile.update({ website: null });
+ * ```
+ *
+ * @internal
+ */
+class ProfileOperationsImpl {
+    /**
+     * Creates a new ProfileOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository/user
+     * @param _serverUrl - Server URL (reserved for future use)
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, _serverUrl) {
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this._serverUrl = _serverUrl;
+    }
+    /**
+     * Gets the repository's profile.
+     *
+     * @returns Promise resolving to profile data
+     * @throws {@link NetworkError} if the profile cannot be fetched
+     *
+     * @remarks
+     * This method fetches the full profile using the `getProfile` API,
+     * which includes resolved information like follower counts on some
+     * servers. For hypercerts SDK usage, the basic profile fields are
+     * returned.
+     *
+     * **Note**: The `website` field may not be available on all AT Protocol
+     * servers. Standard Bluesky profiles don't include this field.
+     *
+     * @example
+     * ```typescript
+     * const profile = await repo.profile.get();
+     *
+     * console.log(`Handle: @${profile.handle}`);
+     * console.log(`Name: ${profile.displayName || "(not set)"}`);
+     * console.log(`Bio: ${profile.description || "(no bio)"}`);
+     *
+     * if (profile.avatar) {
+     *   // Avatar is a URL or blob reference
+     *   console.log(`Avatar: ${profile.avatar}`);
+     * }
+     * ```
+     */
+    async get() {
+        try {
+            const result = await this.agent.getProfile({ actor: this.repoDid });
+            if (!result.success) {
+                throw new NetworkError("Failed to get profile");
+            }
+            return {
+                handle: result.data.handle,
+                displayName: result.data.displayName,
+                description: result.data.description,
+                avatar: result.data.avatar,
+                banner: result.data.banner,
+                // Note: website may not be available in standard profile
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get profile: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Updates the repository's profile.
+     *
+     * @param params - Fields to update. Pass `null` to remove a field.
+     *                 Omitted fields are preserved from the existing profile.
+     * @returns Promise resolving to update result with new URI and CID
+     * @throws {@link NetworkError} if the update fails
+     *
+     * @remarks
+     * This method performs a read-modify-write operation:
+     * 1. Fetches the existing profile record
+     * 2. Merges in the provided updates
+     * 3. Writes the updated profile back
+     *
+     * **Image Handling**: When providing `avatar` or `banner` as a Blob,
+     * the image is automatically uploaded and the blob reference is stored
+     * in the profile.
+     *
+     * **Field Removal**: Pass `null` to explicitly remove a field. Omitting
+     * a field (not including it in params) preserves the existing value.
+     *
+     * @example Update display name and bio
+     * ```typescript
+     * await repo.profile.update({
+     *   displayName: "Alice",
+     *   description: "Building impact certificates",
+     * });
+     * ```
+     *
+     * @example Update avatar image
+     * ```typescript
+     * // From a file input
+     * const file = document.getElementById("avatar").files[0];
+     * await repo.profile.update({ avatar: file });
+     *
+     * // From raw data
+     * const response = await fetch("https://example.com/my-avatar.png");
+     * const blob = await response.blob();
+     * await repo.profile.update({ avatar: blob });
+     * ```
+     *
+     * @example Remove description
+     * ```typescript
+     * // Removes the description field entirely
+     * await repo.profile.update({ description: null });
+     * ```
+     *
+     * @example Multiple updates at once
+     * ```typescript
+     * const newAvatar = new Blob([avatarData], { type: "image/png" });
+     * const newBanner = new Blob([bannerData], { type: "image/jpeg" });
+     *
+     * await repo.profile.update({
+     *   displayName: "New Name",
+     *   description: "New bio",
+     *   avatar: newAvatar,
+     *   banner: newBanner,
+     * });
+     * ```
+     */
+    async update(params) {
+        try {
+            // Get existing profile record
+            const existing = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection: "app.bsky.actor.profile",
+                rkey: "self",
+            });
+            const existingProfile = existing.data.value || {};
+            // Build updated profile
+            const updatedProfile = { ...existingProfile };
+            if (params.displayName !== undefined) {
+                if (params.displayName === null) {
+                    delete updatedProfile.displayName;
+                }
+                else {
+                    updatedProfile.displayName = params.displayName;
+                }
+            }
+            if (params.description !== undefined) {
+                if (params.description === null) {
+                    delete updatedProfile.description;
+                }
+                else {
+                    updatedProfile.description = params.description;
+                }
+            }
+            // Handle avatar upload
+            if (params.avatar !== undefined) {
+                if (params.avatar === null) {
+                    delete updatedProfile.avatar;
+                }
+                else {
+                    const arrayBuffer = await params.avatar.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.avatar.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        updatedProfile.avatar = uploadResult.data.blob;
+                    }
+                }
+            }
+            // Handle banner upload
+            if (params.banner !== undefined) {
+                if (params.banner === null) {
+                    delete updatedProfile.banner;
+                }
+                else {
+                    const arrayBuffer = await params.banner.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.banner.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        updatedProfile.banner = uploadResult.data.blob;
+                    }
+                }
+            }
+            const result = await this.agent.com.atproto.repo.putRecord({
+                repo: this.repoDid,
+                collection: "app.bsky.actor.profile",
+                rkey: "self",
+                record: updatedProfile,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to update profile");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to update profile: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+}
+/**
+ * HypercertOperationsImpl - High-level hypercert operations.
+ *
+ * This module provides the implementation for creating and managing
+ * hypercerts, including related records like rights, locations,
+ * contributions, measurements, and evaluations.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of high-level hypercert operations.
+ *
+ * This class provides a convenient API for creating and managing hypercerts
+ * with automatic handling of:
+ *
+ * - Image upload and blob reference management
+ * - Rights record creation and linking
+ * - Location attachment with optional GeoJSON support
+ * - Contribution tracking
+ * - Measurement and evaluation records
+ * - Hypercert collections
+ *
+ * The class extends EventEmitter to provide real-time progress notifications
+ * during complex operations.
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.hypercerts}.
+ *
+ * **Record Relationships**:
+ * - Hypercert → Rights (required, 1:1)
+ * - Hypercert → Location (optional, 1:many)
+ * - Hypercert → Contribution (optional, 1:many)
+ * - Hypercert → Measurement (optional, 1:many)
+ * - Hypercert → Evaluation (optional, 1:many)
+ * - Collection → Hypercerts (1:many via claims array)
+ *
+ * @example Creating a hypercert with progress tracking
+ * ```typescript
+ * repo.hypercerts.on("recordCreated", ({ uri }) => {
+ *   console.log(`Hypercert created: ${uri}`);
+ * });
+ *
+ * const result = await repo.hypercerts.create({
+ *   title: "Climate Impact",
+ *   description: "Reduced emissions by 100 tons",
+ *   workScope: "Climate",
+ *   workTimeframeFrom: "2024-01-01",
+ *   workTimeframeTo: "2024-12-31",
+ *   rights: { name: "CC-BY", type: "license", description: "..." },
+ *   onProgress: (step) => console.log(`${step.name}: ${step.status}`),
+ * });
+ * ```
+ *
+ * @internal
+ */
+class HypercertOperationsImpl extends eventemitter3.EventEmitter {
+    /**
+     * Creates a new HypercertOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository to operate on
+     * @param _serverUrl - Server URL (reserved for future use)
+     * @param lexiconRegistry - Registry for record validation
+     * @param logger - Optional logger for debugging
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, _serverUrl, lexiconRegistry, logger) {
+        super();
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this._serverUrl = _serverUrl;
+        this.lexiconRegistry = lexiconRegistry;
+        this.logger = logger;
+    }
+    /**
+     * Emits a progress event to the optional progress handler.
+     *
+     * @param onProgress - Progress callback from create params
+     * @param step - Progress step information
+     * @internal
+     */
+    emitProgress(onProgress, step) {
+        if (onProgress) {
+            try {
+                onProgress(step);
+            }
+            catch (err) {
+                this.logger?.error(`Error in progress handler: ${err instanceof Error ? err.message : "Unknown"}`);
+            }
+        }
+    }
+    /**
+     * Creates a new hypercert with all related records.
+     *
+     * This method orchestrates the creation of a hypercert and its associated
+     * records in the correct order:
+     *
+     * 1. Upload image (if provided)
+     * 2. Create rights record
+     * 3. Create hypercert record (referencing rights)
+     * 4. Attach location (if provided)
+     * 5. Create contributions (if provided)
+     *
+     * @param params - Creation parameters (see {@link CreateHypercertParams})
+     * @returns Promise resolving to URIs and CIDs of all created records
+     * @throws {@link ValidationError} if any record fails validation
+     * @throws {@link NetworkError} if any API call fails
+     *
+     * @remarks
+     * The operation is not atomic - if a later step fails, earlier records
+     * will still exist. The result object will contain URIs for all
+     * successfully created records.
+     *
+     * **Progress Steps**:
+     * - `uploadImage`: Image blob upload
+     * - `createRights`: Rights record creation
+     * - `createHypercert`: Main hypercert record creation
+     * - `attachLocation`: Location record creation
+     * - `createContributions`: Contribution records creation
+     *
+     * @example Minimal hypercert
+     * ```typescript
+     * const result = await repo.hypercerts.create({
+     *   title: "My Impact",
+     *   description: "Description of impact work",
+     *   workScope: "Education",
+     *   workTimeframeFrom: "2024-01-01",
+     *   workTimeframeTo: "2024-06-30",
+     *   rights: {
+     *     name: "Attribution",
+     *     type: "license",
+     *     description: "CC-BY-4.0",
+     *   },
+     * });
+     * ```
+     *
+     * @example Full hypercert with all options
+     * ```typescript
+     * const result = await repo.hypercerts.create({
+     *   title: "Reforestation Project",
+     *   description: "Planted 10,000 trees...",
+     *   shortDescription: "10K trees planted",
+     *   workScope: "Environment",
+     *   workTimeframeFrom: "2024-01-01",
+     *   workTimeframeTo: "2024-12-31",
+     *   rights: { name: "Open", type: "impact", description: "..." },
+     *   image: coverImageBlob,
+     *   location: { value: "Amazon, Brazil", name: "Amazon Basin" },
+     *   contributions: [
+     *     { contributors: ["did:plc:org1"], role: "coordinator" },
+     *     { contributors: ["did:plc:org2"], role: "implementer" },
+     *   ],
+     *   evidence: [{ uri: "https://...", description: "Satellite data" }],
+     *   onProgress: console.log,
+     * });
+     * ```
+     */
+    async create(params) {
+        const createdAt = new Date().toISOString();
+        const result = {
+            hypercertUri: "",
+            rightsUri: "",
+            hypercertCid: "",
+            rightsCid: "",
+        };
+        try {
+            // Step 1: Upload image if provided
+            let imageBlobRef;
+            if (params.image) {
+                this.emitProgress(params.onProgress, { name: "uploadImage", status: "start" });
+                try {
+                    const arrayBuffer = await params.image.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.image.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        imageBlobRef = {
+                            $type: "blob",
+                            ref: uploadResult.data.blob.ref,
+                            mimeType: uploadResult.data.blob.mimeType,
+                            size: uploadResult.data.blob.size,
+                        };
+                    }
+                    this.emitProgress(params.onProgress, {
+                        name: "uploadImage",
+                        status: "success",
+                        data: { size: params.image.size },
+                    });
+                }
+                catch (error) {
+                    this.emitProgress(params.onProgress, { name: "uploadImage", status: "error", error: error });
+                    throw new NetworkError(`Failed to upload image: ${error instanceof Error ? error.message : "Unknown"}`, error);
+                }
+            }
+            // Step 2: Create rights record
+            this.emitProgress(params.onProgress, { name: "createRights", status: "start" });
+            const rightsRecord = {
+                rightsName: params.rights.name,
+                rightsType: params.rights.type,
+                rightsDescription: params.rights.description,
+                createdAt,
+            };
+            const rightsValidation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.RIGHTS, rightsRecord);
+            if (!rightsValidation.valid) {
+                throw new ValidationError(`Invalid rights record: ${rightsValidation.error}`);
+            }
+            const rightsResult = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.RIGHTS,
+                record: rightsRecord,
+            });
+            if (!rightsResult.success) {
+                throw new NetworkError("Failed to create rights record");
+            }
+            result.rightsUri = rightsResult.data.uri;
+            result.rightsCid = rightsResult.data.cid;
+            this.emit("rightsCreated", { uri: result.rightsUri, cid: result.rightsCid });
+            this.emitProgress(params.onProgress, {
+                name: "createRights",
+                status: "success",
+                data: { uri: result.rightsUri },
+            });
+            // Step 3: Create hypercert record
+            this.emitProgress(params.onProgress, { name: "createHypercert", status: "start" });
+            const hypercertRecord = {
+                title: params.title,
+                description: params.description,
+                workScope: params.workScope,
+                workTimeframeFrom: params.workTimeframeFrom,
+                workTimeframeTo: params.workTimeframeTo,
+                rights: { uri: result.rightsUri, cid: result.rightsCid },
+                createdAt,
+            };
+            if (params.shortDescription) {
+                hypercertRecord.shortDescription = params.shortDescription;
+            }
+            if (imageBlobRef) {
+                hypercertRecord.image = imageBlobRef;
+            }
+            if (params.evidence && params.evidence.length > 0) {
+                hypercertRecord.evidence = params.evidence;
+            }
+            const hypercertValidation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.CLAIM, hypercertRecord);
+            if (!hypercertValidation.valid) {
+                throw new ValidationError(`Invalid hypercert record: ${hypercertValidation.error}`);
+            }
+            const hypercertResult = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.CLAIM,
+                record: hypercertRecord,
+            });
+            if (!hypercertResult.success) {
+                throw new NetworkError("Failed to create hypercert record");
+            }
+            result.hypercertUri = hypercertResult.data.uri;
+            result.hypercertCid = hypercertResult.data.cid;
+            this.emit("recordCreated", { uri: result.hypercertUri, cid: result.hypercertCid });
+            this.emitProgress(params.onProgress, {
+                name: "createHypercert",
+                status: "success",
+                data: { uri: result.hypercertUri },
+            });
+            // Step 4: Attach location if provided
+            if (params.location) {
+                this.emitProgress(params.onProgress, { name: "attachLocation", status: "start" });
+                try {
+                    const locationResult = await this.attachLocation(result.hypercertUri, params.location);
+                    result.locationUri = locationResult.uri;
+                    this.emitProgress(params.onProgress, {
+                        name: "attachLocation",
+                        status: "success",
+                        data: { uri: result.locationUri },
+                    });
+                }
+                catch (error) {
+                    this.emitProgress(params.onProgress, { name: "attachLocation", status: "error", error: error });
+                    this.logger?.warn(`Failed to attach location: ${error instanceof Error ? error.message : "Unknown"}`);
+                }
+            }
+            // Step 5: Create contributions if provided
+            if (params.contributions && params.contributions.length > 0) {
+                this.emitProgress(params.onProgress, { name: "createContributions", status: "start" });
+                result.contributionUris = [];
+                try {
+                    for (const contrib of params.contributions) {
+                        const contribResult = await this.addContribution({
+                            hypercertUri: result.hypercertUri,
+                            contributors: contrib.contributors,
+                            role: contrib.role,
+                            description: contrib.description,
+                        });
+                        result.contributionUris.push(contribResult.uri);
+                    }
+                    this.emitProgress(params.onProgress, {
+                        name: "createContributions",
+                        status: "success",
+                        data: { count: result.contributionUris.length },
+                    });
+                }
+                catch (error) {
+                    this.emitProgress(params.onProgress, { name: "createContributions", status: "error", error: error });
+                    this.logger?.warn(`Failed to create contributions: ${error instanceof Error ? error.message : "Unknown"}`);
+                }
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to create hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Updates an existing hypercert record.
+     *
+     * @param params - Update parameters
+     * @param params.uri - AT-URI of the hypercert to update
+     * @param params.updates - Partial record with fields to update
+     * @param params.image - New image blob, `null` to remove, `undefined` to keep existing
+     * @returns Promise resolving to update result
+     * @throws {@link ValidationError} if the URI format is invalid or record fails validation
+     * @throws {@link NetworkError} if the update fails
+     *
+     * @remarks
+     * This is a partial update - only specified fields are changed.
+     * The `createdAt` and `rights` fields cannot be changed.
+     *
+     * @example Update title and description
+     * ```typescript
+     * await repo.hypercerts.update({
+     *   uri: "at://did:plc:abc/org.hypercerts.hypercert/xyz",
+     *   updates: {
+     *     title: "Updated Title",
+     *     description: "New description",
+     *   },
+     * });
+     * ```
+     *
+     * @example Update with new image
+     * ```typescript
+     * await repo.hypercerts.update({
+     *   uri: hypercertUri,
+     *   updates: { title: "New Title" },
+     *   image: newImageBlob,
+     * });
+     * ```
+     *
+     * @example Remove image
+     * ```typescript
+     * await repo.hypercerts.update({
+     *   uri: hypercertUri,
+     *   updates: {},
+     *   image: null,  // Explicitly remove image
+     * });
+     * ```
+     */
+    async update(params) {
+        try {
+            const uriMatch = params.uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${params.uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const existing = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            // The existing record comes from ATProto, use it directly
+            // TypeScript ensures type safety through the HypercertClaim interface
+            const existingRecord = existing.data.value;
+            const recordForUpdate = {
+                ...existingRecord,
+                ...params.updates,
+                createdAt: existingRecord.createdAt,
+                rights: existingRecord.rights,
+            };
+            // Handle image update
+            delete recordForUpdate.image;
+            if (params.image !== undefined) {
+                if (params.image === null) {
+                    // Remove image
+                }
+                else {
+                    const arrayBuffer = await params.image.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.image.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        recordForUpdate.image = {
+                            $type: "blob",
+                            ref: uploadResult.data.blob.ref,
+                            mimeType: uploadResult.data.blob.mimeType,
+                            size: uploadResult.data.blob.size,
+                        };
+                    }
+                }
+            }
+            else if (existingRecord.image) {
+                // Preserve existing image
+                recordForUpdate.image = existingRecord.image;
+            }
+            const validation = this.lexiconRegistry.validate(collection, recordForUpdate);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid hypercert record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.putRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+                record: recordForUpdate,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to update hypercert");
+            }
+            this.emit("recordUpdated", { uri: result.data.uri, cid: result.data.cid });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to update hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Gets a hypercert by its AT-URI.
+     *
+     * @param uri - AT-URI of the hypercert (e.g., "at://did:plc:abc/org.hypercerts.hypercert/xyz")
+     * @returns Promise resolving to hypercert URI, CID, and parsed record
+     * @throws {@link ValidationError} if the URI format is invalid or record doesn't match schema
+     * @throws {@link NetworkError} if the record cannot be fetched
+     *
+     * @example
+     * ```typescript
+     * const { uri, cid, record } = await repo.hypercerts.get(hypercertUri);
+     * console.log(`${record.title}: ${record.description}`);
+     * ```
+     */
+    async get(uri) {
+        try {
+            const uriMatch = uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const result = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get hypercert");
+            }
+            // Validate with lexicon registry (more lenient - doesn't require $type)
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.CLAIM, result.data.value);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid hypercert record format: ${validation.error}`);
+            }
+            return {
+                uri: result.data.uri,
+                cid: result.data.cid ?? "",
+                record: result.data.value,
+            };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Lists hypercerts in the repository with pagination.
+     *
+     * @param params - Optional pagination parameters
+     * @returns Promise resolving to paginated list of hypercerts
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @example
+     * ```typescript
+     * // Get first page
+     * const { records, cursor } = await repo.hypercerts.list({ limit: 20 });
+     *
+     * // Get next page
+     * if (cursor) {
+     *   const nextPage = await repo.hypercerts.list({ limit: 20, cursor });
+     * }
+     * ```
+     */
+    async list(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.listRecords({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.CLAIM,
+                limit: params?.limit,
+                cursor: params?.cursor,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to list hypercerts");
+            }
+            return {
+                records: result.data.records?.map((r) => ({
+                    uri: r.uri,
+                    cid: r.cid,
+                    record: r.value,
+                })) || [],
+                cursor: result.data.cursor ?? undefined,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to list hypercerts: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Deletes a hypercert record.
+     *
+     * @param uri - AT-URI of the hypercert to delete
+     * @throws {@link ValidationError} if the URI format is invalid
+     * @throws {@link NetworkError} if the deletion fails
+     *
+     * @remarks
+     * This only deletes the hypercert record itself. Related records
+     * (rights, locations, contributions) are not automatically deleted.
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.delete(hypercertUri);
+     * ```
+     */
+    async delete(uri) {
+        try {
+            const uriMatch = uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const result = await this.agent.com.atproto.repo.deleteRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to delete hypercert");
+            }
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to delete hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Attaches a location to an existing hypercert.
+     *
+     * @param hypercertUri - AT-URI of the hypercert to attach location to
+     * @param location - Location data
+     * @param location.value - Location value (address, coordinates, or description)
+     * @param location.name - Optional human-readable name
+     * @param location.description - Optional description
+     * @param location.srs - Spatial Reference System (e.g., "EPSG:4326")
+     * @param location.geojson - Optional GeoJSON blob for precise boundaries
+     * @returns Promise resolving to location record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example Simple location
+     * ```typescript
+     * await repo.hypercerts.attachLocation(hypercertUri, {
+     *   value: "San Francisco, CA",
+     *   name: "SF Bay Area",
+     * });
+     * ```
+     *
+     * @example Location with GeoJSON
+     * ```typescript
+     * const geojsonBlob = new Blob([JSON.stringify(geojson)], {
+     *   type: "application/geo+json"
+     * });
+     *
+     * await repo.hypercerts.attachLocation(hypercertUri, {
+     *   value: "Custom Region",
+     *   srs: "EPSG:4326",
+     *   geojson: geojsonBlob,
+     * });
+     * ```
+     */
+    async attachLocation(hypercertUri, location) {
+        try {
+            // Get hypercert to get CID
+            const hypercert = await this.get(hypercertUri);
+            const createdAt = new Date().toISOString();
+            let locationValue = location.value;
+            if (location.geojson) {
+                const arrayBuffer = await location.geojson.arrayBuffer();
+                const uint8Array = new Uint8Array(arrayBuffer);
+                const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                    encoding: location.geojson.type || "application/geo+json",
+                });
+                if (uploadResult.success) {
+                    locationValue = {
+                        $type: "blob",
+                        ref: uploadResult.data.blob.ref,
+                        mimeType: uploadResult.data.blob.mimeType,
+                        size: uploadResult.data.blob.size,
+                    };
+                }
+            }
+            const locationRecord = {
+                hypercert: { uri: hypercert.uri, cid: hypercert.cid },
+                value: locationValue,
+                createdAt,
+                name: location.name,
+                description: location.description,
+                srs: location.srs,
+            };
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.LOCATION, locationRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid location record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.LOCATION,
+                record: locationRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to attach location");
+            }
+            this.emit("locationAttached", { uri: result.data.uri, cid: result.data.cid, hypercertUri });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to attach location: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Adds evidence to an existing hypercert.
+     *
+     * @param hypercertUri - AT-URI of the hypercert
+     * @param evidence - Array of evidence items to add
+     * @returns Promise resolving to update result
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @remarks
+     * Evidence is appended to existing evidence, not replaced.
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addEvidence(hypercertUri, [
+     *   { uri: "https://example.com/report.pdf", description: "Impact report" },
+     *   { uri: "https://example.com/data.csv", description: "Raw data" },
+     * ]);
+     * ```
+     */
+    async addEvidence(hypercertUri, evidence) {
+        try {
+            const existing = await this.get(hypercertUri);
+            const existingEvidence = existing.record.evidence || [];
+            const updatedEvidence = [...existingEvidence, ...evidence];
+            const result = await this.update({
+                uri: hypercertUri,
+                updates: { evidence: updatedEvidence },
+            });
+            this.emit("evidenceAdded", { uri: result.uri, cid: result.cid });
+            return result;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add evidence: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates a contribution record.
+     *
+     * @param params - Contribution parameters
+     * @param params.hypercertUri - Optional hypercert to link (can be standalone)
+     * @param params.contributors - Array of contributor DIDs
+     * @param params.role - Role of the contributors (e.g., "coordinator", "implementer")
+     * @param params.description - Optional description of the contribution
+     * @returns Promise resolving to contribution record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addContribution({
+     *   hypercertUri: hypercertUri,
+     *   contributors: ["did:plc:alice", "did:plc:bob"],
+     *   role: "implementer",
+     *   description: "On-ground implementation team",
+     * });
+     * ```
+     */
+    async addContribution(params) {
+        try {
+            const createdAt = new Date().toISOString();
+            const contributionRecord = {
+                contributors: params.contributors,
+                role: params.role,
+                createdAt,
+                description: params.description,
+            };
+            if (params.hypercertUri) {
+                const hypercert = await this.get(params.hypercertUri);
+                contributionRecord.hypercert = { uri: hypercert.uri, cid: hypercert.cid };
+            }
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.CONTRIBUTION, contributionRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid contribution record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.CONTRIBUTION,
+                record: contributionRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create contribution");
+            }
+            this.emit("contributionCreated", { uri: result.data.uri, cid: result.data.cid });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add contribution: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates a measurement record for a hypercert.
+     *
+     * Measurements quantify the impact claimed in a hypercert with
+     * specific metrics and values.
+     *
+     * @param params - Measurement parameters
+     * @param params.hypercertUri - AT-URI of the hypercert being measured
+     * @param params.measurers - DIDs of entities who performed the measurement
+     * @param params.metric - Name of the metric (e.g., "CO2 Reduced", "Trees Planted")
+     * @param params.value - Measured value with units (e.g., "100 tons", "10000")
+     * @param params.methodUri - Optional URI describing the measurement methodology
+     * @param params.evidenceUris - Optional URIs to supporting evidence
+     * @returns Promise resolving to measurement record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addMeasurement({
+     *   hypercertUri: hypercertUri,
+     *   measurers: ["did:plc:auditor"],
+     *   metric: "Carbon Offset",
+     *   value: "150 tons CO2e",
+     *   methodUri: "https://example.com/methodology",
+     *   evidenceUris: ["https://example.com/audit-report"],
+     * });
+     * ```
+     */
+    async addMeasurement(params) {
+        try {
+            const hypercert = await this.get(params.hypercertUri);
+            const createdAt = new Date().toISOString();
+            const measurementRecord = {
+                hypercert: { uri: hypercert.uri, cid: hypercert.cid },
+                measurers: params.measurers,
+                metric: params.metric,
+                value: params.value,
+                createdAt,
+                measurementMethodURI: params.methodUri,
+                evidenceURI: params.evidenceUris,
+            };
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.MEASUREMENT, measurementRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid measurement record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.MEASUREMENT,
+                record: measurementRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create measurement");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add measurement: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates an evaluation record for a hypercert or other subject.
+     *
+     * Evaluations provide third-party assessments of impact claims.
+     *
+     * @param params - Evaluation parameters
+     * @param params.subjectUri - AT-URI of the record being evaluated
+     * @param params.evaluators - DIDs of evaluating entities
+     * @param params.summary - Summary of the evaluation findings
+     * @returns Promise resolving to evaluation record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addEvaluation({
+     *   subjectUri: hypercertUri,
+     *   evaluators: ["did:plc:evaluator-org"],
+     *   summary: "Verified impact claims through site visit and data analysis",
+     * });
+     * ```
+     */
+    async addEvaluation(params) {
+        try {
+            const subject = await this.get(params.subjectUri);
+            const createdAt = new Date().toISOString();
+            const evaluationRecord = {
+                subject: { uri: subject.uri, cid: subject.cid },
+                evaluators: params.evaluators,
+                summary: params.summary,
+                createdAt,
+            };
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.EVALUATION, evaluationRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid evaluation record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.EVALUATION,
+                record: evaluationRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create evaluation");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add evaluation: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates a collection of hypercerts.
+     *
+     * Collections group related hypercerts with optional weights
+     * for relative importance.
+     *
+     * @param params - Collection parameters
+     * @param params.title - Collection title
+     * @param params.claims - Array of hypercert references with weights
+     * @param params.shortDescription - Optional short description
+     * @param params.coverPhoto - Optional cover image blob
+     * @returns Promise resolving to collection record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * const collection = await repo.hypercerts.createCollection({
+     *   title: "Climate Projects 2024",
+     *   shortDescription: "Our climate impact portfolio",
+     *   claims: [
+     *     { uri: hypercert1Uri, cid: hypercert1Cid, weight: "0.5" },
+     *     { uri: hypercert2Uri, cid: hypercert2Cid, weight: "0.3" },
+     *     { uri: hypercert3Uri, cid: hypercert3Cid, weight: "0.2" },
+     *   ],
+     *   coverPhoto: coverImageBlob,
+     * });
+     * ```
+     */
+    async createCollection(params) {
+        try {
+            const createdAt = new Date().toISOString();
+            let coverPhotoRef;
+            if (params.coverPhoto) {
+                const arrayBuffer = await params.coverPhoto.arrayBuffer();
+                const uint8Array = new Uint8Array(arrayBuffer);
+                const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                    encoding: params.coverPhoto.type || "image/jpeg",
+                });
+                if (uploadResult.success) {
+                    coverPhotoRef = {
+                        $type: "blob",
+                        ref: uploadResult.data.blob.ref,
+                        mimeType: uploadResult.data.blob.mimeType,
+                        size: uploadResult.data.blob.size,
+                    };
+                }
+            }
+            const collectionRecord = {
+                title: params.title,
+                claims: params.claims.map((c) => ({ claim: { uri: c.uri, cid: c.cid }, weight: c.weight })),
+                createdAt,
+            };
+            if (params.shortDescription) {
+                collectionRecord.shortDescription = params.shortDescription;
+            }
+            if (coverPhotoRef) {
+                collectionRecord.coverPhoto = coverPhotoRef;
+            }
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.COLLECTION, collectionRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid collection record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.COLLECTION,
+                record: collectionRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create collection");
+            }
+            this.emit("collectionCreated", { uri: result.data.uri, cid: result.data.cid });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to create collection: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Gets a collection by its AT-URI.
+     *
+     * @param uri - AT-URI of the collection
+     * @returns Promise resolving to collection URI, CID, and parsed record
+     * @throws {@link ValidationError} if the URI format is invalid or record doesn't match schema
+     * @throws {@link NetworkError} if the record cannot be fetched
+     *
+     * @example
+     * ```typescript
+     * const { record } = await repo.hypercerts.getCollection(collectionUri);
+     * console.log(`Collection: ${record.title}`);
+     * console.log(`Contains ${record.claims.length} hypercerts`);
+     * ```
+     */
+    async getCollection(uri) {
+        try {
+            const uriMatch = uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const result = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get collection");
+            }
+            // Validate with lexicon registry (more lenient - doesn't require $type)
+            const validation = this.lexiconRegistry.validate(lexicon.HYPERCERT_COLLECTIONS.COLLECTION, result.data.value);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid collection record format: ${validation.error}`);
+            }
+            return {
+                uri: result.data.uri,
+                cid: result.data.cid ?? "",
+                record: result.data.value,
+            };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get collection: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Lists collections in the repository with pagination.
+     *
+     * @param params - Optional pagination parameters
+     * @returns Promise resolving to paginated list of collections
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @example
+     * ```typescript
+     * const { records } = await repo.hypercerts.listCollections();
+     * for (const { record } of records) {
+     *   console.log(`${record.title}: ${record.claims.length} claims`);
+     * }
+     * ```
+     */
+    async listCollections(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.listRecords({
+                repo: this.repoDid,
+                collection: lexicon.HYPERCERT_COLLECTIONS.COLLECTION,
+                limit: params?.limit,
+                cursor: params?.cursor,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to list collections");
+            }
+            return {
+                records: result.data.records?.map((r) => ({
+                    uri: r.uri,
+                    cid: r.cid,
+                    record: r.value,
+                })) || [],
+                cursor: result.data.cursor ?? undefined,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to list collections: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+}
+/**
+ * CollaboratorOperationsImpl - SDS collaborator management operations.
+ *
+ * This module provides the implementation for managing collaborator
+ * access on Shared Data Server (SDS) repositories.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of collaborator operations for SDS access control.
+ *
+ * This class manages access permissions for shared repositories on
+ * Shared Data Servers (SDS). It provides role-based access control
+ * with predefined permission sets.
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.collaborators} on an SDS-connected repository.
+ *
+ * **Role Hierarchy**:
+ * - `viewer`: Read-only access
+ * - `editor`: Read + Create + Update
+ * - `admin`: All permissions except ownership transfer
+ * - `owner`: Full control including ownership management
+ *
+ * **SDS API Endpoints Used**:
+ * - `com.atproto.sds.grantAccess`: Grant access to a user
+ * - `com.atproto.sds.revokeAccess`: Revoke access from a user
+ * - `com.atproto.sds.listCollaborators`: List all collaborators
+ *
+ * @example
+ * ```typescript
+ * // Get SDS repository
+ * const sdsRepo = sdk.repository(session, { server: "sds" });
+ *
+ * // Grant editor access
+ * await sdsRepo.collaborators.grant({
+ *   userDid: "did:plc:new-user",
+ *   role: "editor",
+ * });
+ *
+ * // List all collaborators
+ * const collaborators = await sdsRepo.collaborators.list();
+ *
+ * // Check specific user
+ * const hasAccess = await sdsRepo.collaborators.hasAccess("did:plc:someone");
+ * const role = await sdsRepo.collaborators.getRole("did:plc:someone");
+ * ```
+ *
+ * @internal
+ */
+class CollaboratorOperationsImpl {
+    /**
+     * Creates a new CollaboratorOperationsImpl.
+     *
+     * @param session - Authenticated OAuth session with fetchHandler
+     * @param repoDid - DID of the repository to manage
+     * @param serverUrl - SDS server URL
+     *
+     * @internal
+     */
+    constructor(session, repoDid, serverUrl) {
+        this.session = session;
+        this.repoDid = repoDid;
+        this.serverUrl = serverUrl;
+    }
+    /**
+     * Converts a role to its corresponding permissions object.
+     *
+     * @param role - The role to convert
+     * @returns Permission flags for the role
+     * @internal
+     */
+    roleToPermissions(role) {
+        switch (role) {
+            case "viewer":
+                return { read: true, create: false, update: false, delete: false, admin: false, owner: false };
+            case "editor":
+                return { read: true, create: true, update: true, delete: false, admin: false, owner: false };
+            case "admin":
+                return { read: true, create: true, update: true, delete: true, admin: true, owner: false };
+            case "owner":
+                return { read: true, create: true, update: true, delete: true, admin: true, owner: true };
+        }
+    }
+    /**
+     * Determines the role from a permissions object.
+     *
+     * @param permissions - The permissions to analyze
+     * @returns The highest role matching the permissions
+     * @internal
+     */
+    permissionsToRole(permissions) {
+        if (permissions.owner)
+            return "owner";
+        if (permissions.admin)
+            return "admin";
+        if (permissions.create || permissions.update)
+            return "editor";
+        return "viewer";
+    }
+    /**
+     * Grants repository access to a user.
+     *
+     * @param params - Grant parameters
+     * @param params.userDid - DID of the user to grant access to
+     * @param params.role - Role to assign (determines permissions)
+     * @throws {@link NetworkError} if the grant operation fails
+     *
+     * @remarks
+     * If the user already has access, their permissions are updated
+     * to the new role.
+     *
+     * @example
+     * ```typescript
+     * // Grant viewer access
+     * await repo.collaborators.grant({
+     *   userDid: "did:plc:viewer-user",
+     *   role: "viewer",
+     * });
+     *
+     * // Upgrade to editor
+     * await repo.collaborators.grant({
+     *   userDid: "did:plc:viewer-user",
+     *   role: "editor",
+     * });
+     * ```
+     */
+    async grant(params) {
+        const permissions = this.roleToPermissions(params.role);
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.grantAccess`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                repo: this.repoDid,
+                userDid: params.userDid,
+                permissions,
+            }),
+        });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to grant access: ${response.statusText}`);
+        }
+    }
+    /**
+     * Revokes repository access from a user.
+     *
+     * @param params - Revoke parameters
+     * @param params.userDid - DID of the user to revoke access from
+     * @throws {@link NetworkError} if the revoke operation fails
+     *
+     * @remarks
+     * - Cannot revoke access from the repository owner
+     * - Revoked access is recorded with a `revokedAt` timestamp
+     *
+     * @example
+     * ```typescript
+     * await repo.collaborators.revoke({
+     *   userDid: "did:plc:former-collaborator",
+     * });
+     * ```
+     */
+    async revoke(params) {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.revokeAccess`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                repo: this.repoDid,
+                userDid: params.userDid,
+            }),
+        });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to revoke access: ${response.statusText}`);
+        }
+    }
+    /**
+     * Lists all collaborators on the repository.
+     *
+     * @returns Promise resolving to array of access grants
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @remarks
+     * The list includes both active and revoked collaborators.
+     * Check `revokedAt` to filter active collaborators.
+     *
+     * @example
+     * ```typescript
+     * const collaborators = await repo.collaborators.list();
+     *
+     * // Filter active collaborators
+     * const active = collaborators.filter(c => !c.revokedAt);
+     *
+     * // Group by role
+     * const byRole = {
+     *   owners: active.filter(c => c.role === "owner"),
+     *   admins: active.filter(c => c.role === "admin"),
+     *   editors: active.filter(c => c.role === "editor"),
+     *   viewers: active.filter(c => c.role === "viewer"),
+     * };
+     * ```
+     */
+    async list() {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.listCollaborators?repo=${encodeURIComponent(this.repoDid)}`, { method: "GET" });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to list collaborators: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return (data.collaborators || []).map((c) => ({
+            userDid: c.userDid,
+            role: this.permissionsToRole(c.permissions),
+            permissions: c.permissions,
+            grantedBy: c.grantedBy,
+            grantedAt: c.grantedAt,
+            revokedAt: c.revokedAt,
+        }));
+    }
+    /**
+     * Checks if a user has any access to the repository.
+     *
+     * @param userDid - DID of the user to check
+     * @returns Promise resolving to `true` if user has active access
+     *
+     * @remarks
+     * Returns `false` if:
+     * - User was never granted access
+     * - User's access was revoked
+     * - The list operation fails (error is suppressed)
+     *
+     * @example
+     * ```typescript
+     * if (await repo.collaborators.hasAccess("did:plc:someone")) {
+     *   console.log("User has access");
+     * }
+     * ```
+     */
+    async hasAccess(userDid) {
+        try {
+            const collaborators = await this.list();
+            return collaborators.some((c) => c.userDid === userDid && !c.revokedAt);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Gets the role assigned to a user.
+     *
+     * @param userDid - DID of the user to check
+     * @returns Promise resolving to the user's role, or `null` if no active access
+     *
+     * @example
+     * ```typescript
+     * const role = await repo.collaborators.getRole("did:plc:someone");
+     * if (role === "admin" || role === "owner") {
+     *   // User can manage other collaborators
+     * }
+     * ```
+     */
+    async getRole(userDid) {
+        const collaborators = await this.list();
+        const collab = collaborators.find((c) => c.userDid === userDid && !c.revokedAt);
+        return collab?.role ?? null;
+    }
+}
+/**
+ * OrganizationOperationsImpl - SDS organization management operations.
+ *
+ * This module provides the implementation for creating and managing
+ * organizations on Shared Data Server (SDS) instances.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of organization operations for SDS management.
+ *
+ * Organizations on SDS provide a way to create shared repositories
+ * that multiple users can collaborate on. Each organization has:
+ *
+ * - A unique DID (Decentralized Identifier)
+ * - A handle for human-readable identification
+ * - An owner and optional collaborators
+ * - Its own repository for storing records
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.organizations} on an SDS-connected repository.
+ *
+ * **SDS API Endpoints Used**:
+ * - `com.atproto.sds.createRepository`: Create a new organization
+ * - `com.atproto.sds.listRepositories`: List accessible organizations
+ *
+ * **Access Types**:
+ * - `"owner"`: User created or owns the organization
+ * - `"collaborator"`: User was invited with specific permissions
+ *
+ * @example
+ * ```typescript
+ * // Get SDS repository
+ * const sdsRepo = sdk.repository(session, { server: "sds" });
+ *
+ * // Create an organization
+ * const org = await sdsRepo.organizations.create({
+ *   name: "My Team",
+ *   description: "A team for impact projects",
+ * });
+ *
+ * // List organizations you have access to
+ * const orgs = await sdsRepo.organizations.list();
+ *
+ * // Get specific organization
+ * const orgInfo = await sdsRepo.organizations.get(org.did);
+ * ```
+ *
+ * @internal
+ */
+class OrganizationOperationsImpl {
+    /**
+     * Creates a new OrganizationOperationsImpl.
+     *
+     * @param session - Authenticated OAuth session with fetchHandler
+     * @param _repoDid - DID of the user's repository (reserved for future use)
+     * @param serverUrl - SDS server URL
+     * @param _logger - Optional logger for debugging (reserved for future use)
+     *
+     * @internal
+     */
+    constructor(session, _repoDid, serverUrl, _logger) {
+        this.session = session;
+        this._repoDid = _repoDid;
+        this.serverUrl = serverUrl;
+        this._logger = _logger;
+    }
+    /**
+     * Creates a new organization.
+     *
+     * @param params - Organization parameters
+     * @param params.name - Display name for the organization
+     * @param params.description - Optional description of the organization's purpose
+     * @param params.handle - Optional custom handle. If not provided, one is auto-generated.
+     * @returns Promise resolving to the created organization info
+     * @throws {@link NetworkError} if organization creation fails
+     *
+     * @remarks
+     * The creating user automatically becomes the owner with full permissions.
+     *
+     * **Handle Format**: Handles are typically formatted as
+     * `{name}.sds.{domain}` (e.g., "my-team.sds.hypercerts.org").
+     * If you provide a custom handle, it must be unique on the SDS.
+     *
+     * @example Basic organization
+     * ```typescript
+     * const org = await repo.organizations.create({
+     *   name: "Climate Action Team",
+     * });
+     * console.log(`Created org: ${org.did}`);
+     * ```
+     *
+     * @example With description and custom handle
+     * ```typescript
+     * const org = await repo.organizations.create({
+     *   name: "Reforestation Initiative",
+     *   description: "Coordinating tree planting projects worldwide",
+     *   handle: "reforestation",
+     * });
+     * ```
+     */
+    async create(params) {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.createRepository`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(params),
+        });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to create organization: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return {
+            did: data.did,
+            handle: data.handle,
+            name: data.name,
+            description: data.description,
+            createdAt: data.createdAt || new Date().toISOString(),
+            accessType: "owner",
+            permissions: { read: true, create: true, update: true, delete: true, admin: true, owner: true },
+        };
+    }
+    /**
+     * Gets an organization by its DID.
+     *
+     * @param did - The organization's DID
+     * @returns Promise resolving to organization info, or `null` if not found
+     *
+     * @remarks
+     * This method searches through the user's accessible organizations.
+     * If the organization exists but the user doesn't have access,
+     * it will return `null`.
+     *
+     * @example
+     * ```typescript
+     * const org = await repo.organizations.get("did:plc:org123");
+     * if (org) {
+     *   console.log(`Found: ${org.name}`);
+     *   console.log(`Your role: ${org.accessType}`);
+     * } else {
+     *   console.log("Organization not found or no access");
+     * }
+     * ```
+     */
+    async get(did) {
+        try {
+            const orgs = await this.list();
+            return orgs.find((o) => o.did === did) ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Lists organizations the current user has access to.
+     *
+     * @returns Promise resolving to array of organization info
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @remarks
+     * Returns organizations where the user is either:
+     * - The owner
+     * - A collaborator with any permission level
+     *
+     * The `accessType` field indicates the user's relationship to each organization.
+     *
+     * @example
+     * ```typescript
+     * const orgs = await repo.organizations.list();
+     *
+     * // Filter by access type
+     * const owned = orgs.filter(o => o.accessType === "owner");
+     * const collaborated = orgs.filter(o => o.accessType === "collaborator");
+     *
+     * console.log(`You own ${owned.length} organizations`);
+     * console.log(`You collaborate on ${collaborated.length} organizations`);
+     * ```
+     *
+     * @example Display organization details
+     * ```typescript
+     * const orgs = await repo.organizations.list();
+     *
+     * for (const org of orgs) {
+     *   console.log(`${org.name} (@${org.handle})`);
+     *   console.log(`  DID: ${org.did}`);
+     *   console.log(`  Access: ${org.accessType}`);
+     *   if (org.description) {
+     *     console.log(`  Description: ${org.description}`);
+     *   }
+     * }
+     * ```
+     */
+    async list() {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.listRepositories?userDid=${encodeURIComponent(this.session.did || this.session.sub)}`, { method: "GET" });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to list organizations: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return (data.repositories || []).map((r) => ({
+            did: r.did,
+            handle: r.handle,
+            name: r.name,
+            description: r.description,
+            createdAt: new Date().toISOString(), // SDS may not return this
+            accessType: r.accessType,
+            permissions: r.permissions,
+        }));
+    }
+}
+/**
+ * Repository - Unified fluent API for ATProto repository operations.
+ *
+ * This module provides the main interface for interacting with AT Protocol
+ * data servers (PDS and SDS) through a consistent, fluent API.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Repository provides a fluent API for AT Protocol data operations.
+ *
+ * This class is the primary interface for working with data in the AT Protocol
+ * ecosystem. It provides organized access to:
+ *
+ * - **Records**: Low-level CRUD operations for any AT Protocol record type
+ * - **Blobs**: Binary data upload and retrieval (images, files)
+ * - **Profile**: User profile management
+ * - **Hypercerts**: High-level hypercert creation and management
+ * - **Collaborators**: Access control for shared repositories (SDS only)
+ * - **Organizations**: Organization management (SDS only)
+ *
+ * @remarks
+ * The Repository uses lazy initialization for operation handlers - they are
+ * created only when first accessed. This improves performance when you only
+ * need a subset of operations.
+ *
+ * **PDS vs SDS:**
+ * - **PDS (Personal Data Server)**: User's own data storage. All operations
+ *   except collaborators and organizations are available.
+ * - **SDS (Shared Data Server)**: Collaborative data storage with access
+ *   control. All operations including collaborators and organizations.
+ *
+ * @example Basic usage
+ * ```typescript
+ * // Get a repository from the SDK
+ * const repo = sdk.repository(session);
+ *
+ * // Access user profile
+ * const profile = await repo.profile.get();
+ *
+ * // Create a hypercert
+ * const result = await repo.hypercerts.create({
+ *   title: "My Impact",
+ *   description: "Description of the impact",
+ *   workScope: "Climate Action",
+ *   workTimeframeFrom: "2024-01-01",
+ *   workTimeframeTo: "2024-12-31",
+ *   rights: {
+ *     name: "Attribution",
+ *     type: "license",
+ *     description: "CC-BY-4.0",
+ *   },
+ * });
+ * ```
+ *
+ * @example Working with a different user's repository
+ * ```typescript
+ * // Get the current user's repo
+ * const myRepo = sdk.repository(session);
+ *
+ * // Get another user's repo (read-only for most operations)
+ * const otherRepo = myRepo.repo("did:plc:other-user-did");
+ * const theirProfile = await otherRepo.profile.get();
+ * ```
+ *
+ * @example SDS operations
+ * ```typescript
+ * // Get SDS repository for collaborator features
+ * const sdsRepo = sdk.repository(session, { server: "sds" });
+ *
+ * // Manage collaborators
+ * await sdsRepo.collaborators.grant({
+ *   userDid: "did:plc:collaborator",
+ *   role: "editor",
+ * });
+ *
+ * // List organizations
+ * const orgs = await sdsRepo.organizations.list();
+ * ```
+ *
+ * @see {@link ATProtoSDK.repository} for creating Repository instances
+ */
+class Repository {
+    /**
+     * Creates a new Repository instance.
+     *
+     * @param session - Authenticated OAuth session
+     * @param serverUrl - Base URL of the AT Protocol server
+     * @param repoDid - DID of the repository to operate on
+     * @param lexiconRegistry - Registry for lexicon validation
+     * @param isSDS - Whether this is a Shared Data Server
+     * @param logger - Optional logger for debugging
+     *
+     * @remarks
+     * This constructor is typically not called directly. Use
+     * {@link ATProtoSDK.repository} to create Repository instances.
+     *
+     * @internal
+     */
+    constructor(session, serverUrl, repoDid, lexiconRegistry, isSDS, logger) {
+        this.session = session;
+        this.serverUrl = serverUrl;
+        this.repoDid = repoDid;
+        this.lexiconRegistry = lexiconRegistry;
+        this._isSDS = isSDS;
+        this.logger = logger;
+        // Create Agent with OAuth session
+        this.agent = new api.Agent(session);
+        this.lexiconRegistry.addToAgent(this.agent);
+        // Register hypercert lexicons
+        this.lexiconRegistry.registerMany(lexicon.HYPERCERT_LEXICONS);
+    }
+    /**
+     * The DID (Decentralized Identifier) of this repository.
+     *
+     * This is the user or organization that owns the repository data.
+     *
+     * @example
+     * ```typescript
+     * console.log(`Working with repo: ${repo.did}`);
+     * // Output: Working with repo: did:plc:abc123xyz...
+     * ```
+     */
+    get did() {
+        return this.repoDid;
+    }
+    /**
+     * Whether this repository is on a Shared Data Server (SDS).
+     *
+     * SDS servers support additional features like collaborators and
+     * organizations. Attempting to use these features on a PDS will
+     * throw {@link SDSRequiredError}.
+     *
+     * @example
+     * ```typescript
+     * if (repo.isSDS) {
+     *   const collaborators = await repo.collaborators.list();
+     * }
+     * ```
+     */
+    get isSDS() {
+        return this._isSDS;
+    }
+    /**
+     * Gets the server URL this repository connects to.
+     *
+     * @returns The base URL of the AT Protocol server
+     *
+     * @example
+     * ```typescript
+     * console.log(repo.getServerUrl());
+     * // Output: https://bsky.social or https://sds.hypercerts.org
+     * ```
+     */
+    getServerUrl() {
+        return this.serverUrl;
+    }
+    /**
+     * Creates a Repository instance for a different DID on the same server.
+     *
+     * This allows you to read data from other users' repositories while
+     * maintaining your authenticated session.
+     *
+     * @param did - The DID of the repository to access
+     * @returns A new Repository instance for the specified DID
+     *
+     * @remarks
+     * Write operations on another user's repository will typically fail
+     * unless you have been granted collaborator access (SDS only).
+     *
+     * @example
+     * ```typescript
+     * // Read another user's profile
+     * const otherRepo = repo.repo("did:plc:other-user");
+     * const profile = await otherRepo.profile.get();
+     *
+     * // List their public hypercerts
+     * const hypercerts = await otherRepo.hypercerts.list();
+     * ```
+     */
+    repo(did) {
+        return new Repository(this.session, this.serverUrl, did, this.lexiconRegistry, this._isSDS, this.logger);
+    }
+    /**
+     * Low-level record operations for CRUD on any AT Protocol record type.
+     *
+     * Use this for direct access to AT Protocol records when the high-level
+     * APIs don't meet your needs.
+     *
+     * @returns {@link RecordOperations} interface for record CRUD
+     *
+     * @example
+     * ```typescript
+     * // Create a custom record
+     * const result = await repo.records.create({
+     *   collection: "org.example.myRecord",
+     *   record: { foo: "bar" },
+     * });
+     *
+     * // List records in a collection
+     * const list = await repo.records.list({
+     *   collection: "org.example.myRecord",
+     *   limit: 50,
+     * });
+     *
+     * // Get a specific record
+     * const record = await repo.records.get({
+     *   collection: "org.example.myRecord",
+     *   rkey: "abc123",
+     * });
+     * ```
+     */
+    get records() {
+        if (!this._records) {
+            this._records = new RecordOperationsImpl(this.agent, this.repoDid, this.lexiconRegistry);
+        }
+        return this._records;
+    }
+    /**
+     * Blob operations for uploading and retrieving binary data.
+     *
+     * Blobs are used for images, files, and other binary content associated
+     * with records.
+     *
+     * @returns {@link BlobOperations} interface for blob management
+     *
+     * @example
+     * ```typescript
+     * // Upload an image
+     * const imageBlob = new Blob([imageData], { type: "image/png" });
+     * const uploadResult = await repo.blobs.upload(imageBlob);
+     *
+     * // The ref can be used in records
+     * console.log(uploadResult.ref.$link);  // CID of the blob
+     *
+     * // Retrieve a blob by CID
+     * const { data, mimeType } = await repo.blobs.get(cid);
+     * ```
+     */
+    get blobs() {
+        if (!this._blobs) {
+            this._blobs = new BlobOperationsImpl(this.agent, this.repoDid, this.serverUrl);
+        }
+        return this._blobs;
+    }
+    /**
+     * Profile operations for managing user profiles.
+     *
+     * @returns {@link ProfileOperations} interface for profile management
+     *
+     * @example
+     * ```typescript
+     * // Get current profile
+     * const profile = await repo.profile.get();
+     * console.log(profile.displayName);
+     *
+     * // Update profile
+     * await repo.profile.update({
+     *   displayName: "New Name",
+     *   description: "Updated bio",
+     *   avatar: avatarBlob,  // Optional: update avatar image
+     * });
+     * ```
+     */
+    get profile() {
+        if (!this._profile) {
+            this._profile = new ProfileOperationsImpl(this.agent, this.repoDid, this.serverUrl);
+        }
+        return this._profile;
+    }
+    /**
+     * High-level hypercert operations.
+     *
+     * Provides a convenient API for creating and managing hypercerts,
+     * including related records like locations, contributions, and evidence.
+     *
+     * @returns {@link HypercertOperations} interface with EventEmitter capabilities
+     *
+     * @example Creating a hypercert
+     * ```typescript
+     * const result = await repo.hypercerts.create({
+     *   title: "Climate Action Project",
+     *   description: "Reduced carbon emissions by 1000 tons",
+     *   workScope: "Climate Action",
+     *   workTimeframeFrom: "2024-01-01",
+     *   workTimeframeTo: "2024-06-30",
+     *   rights: {
+     *     name: "Public Domain",
+     *     type: "license",
+     *     description: "CC0 - No Rights Reserved",
+     *   },
+     *   image: imageBlob,  // Optional cover image
+     *   location: {
+     *     value: "San Francisco, CA",
+     *     name: "SF Bay Area",
+     *   },
+     * });
+     * console.log(`Created: ${result.hypercertUri}`);
+     * ```
+     *
+     * @example Listening to events
+     * ```typescript
+     * repo.hypercerts.on("recordCreated", ({ uri, cid }) => {
+     *   console.log(`Record created: ${uri}`);
+     * });
+     * ```
+     */
+    get hypercerts() {
+        if (!this._hypercerts) {
+            this._hypercerts = new HypercertOperationsImpl(this.agent, this.repoDid, this.serverUrl, this.lexiconRegistry, this.logger);
+        }
+        return this._hypercerts;
+    }
+    /**
+     * Collaborator operations for managing repository access.
+     *
+     * **SDS Only**: This property throws {@link SDSRequiredError} if accessed
+     * on a PDS repository.
+     *
+     * @returns {@link CollaboratorOperations} interface for access control
+     * @throws {@link SDSRequiredError} if not connected to an SDS server
+     *
+     * @example
+     * ```typescript
+     * // Ensure we're on SDS
+     * const sdsRepo = sdk.repository(session, { server: "sds" });
+     *
+     * // Grant editor access
+     * await sdsRepo.collaborators.grant({
+     *   userDid: "did:plc:new-collaborator",
+     *   role: "editor",
+     * });
+     *
+     * // List all collaborators
+     * const collaborators = await sdsRepo.collaborators.list();
+     *
+     * // Check access
+     * const hasAccess = await sdsRepo.collaborators.hasAccess("did:plc:someone");
+     *
+     * // Revoke access
+     * await sdsRepo.collaborators.revoke({ userDid: "did:plc:former-collaborator" });
+     * ```
+     */
+    get collaborators() {
+        if (!this._isSDS) {
+            throw new SDSRequiredError("Collaborator operations are only available on SDS servers");
+        }
+        if (!this._collaborators) {
+            this._collaborators = new CollaboratorOperationsImpl(this.session, this.repoDid, this.serverUrl);
+        }
+        return this._collaborators;
+    }
+    /**
+     * Organization operations for creating and managing organizations.
+     *
+     * **SDS Only**: This property throws {@link SDSRequiredError} if accessed
+     * on a PDS repository.
+     *
+     * @returns {@link OrganizationOperations} interface for organization management
+     * @throws {@link SDSRequiredError} if not connected to an SDS server
+     *
+     * @example
+     * ```typescript
+     * // Ensure we're on SDS
+     * const sdsRepo = sdk.repository(session, { server: "sds" });
+     *
+     * // Create an organization
+     * const org = await sdsRepo.organizations.create({
+     *   name: "My Organization",
+     *   description: "A team working on impact certificates",
+     *   handle: "my-org",  // Optional custom handle
+     * });
+     *
+     * // List organizations you have access to
+     * const orgs = await sdsRepo.organizations.list();
+     *
+     * // Get specific organization
+     * const orgInfo = await sdsRepo.organizations.get(org.did);
+     * ```
+     */
+    get organizations() {
+        if (!this._isSDS) {
+            throw new SDSRequiredError("Organization operations are only available on SDS servers");
+        }
+        if (!this._organizations) {
+            this._organizations = new OrganizationOperationsImpl(this.session, this.repoDid, this.serverUrl, this.logger);
+        }
+        return this._organizations;
+    }
+}
+/**
+ * Zod schema for OAuth configuration validation.
+ *
+ * @remarks
+ * All URLs must be valid and use HTTPS in production. The `jwkPrivate` field
+ * should contain the private key in JWK (JSON Web Key) format as a string.
+ */
+const OAuthConfigSchema = zod.z.object({
+    /**
+     * URL to the OAuth client metadata JSON document.
+     * This document describes your application to the authorization server.
+     *
+     * @see https://atproto.com/specs/oauth#client-metadata
+     */
+    clientId: zod.z.string().url(),
+    /**
+     * URL where users are redirected after authentication.
+     * Must match one of the redirect URIs in your client metadata.
+     */
+    redirectUri: zod.z.string().url(),
+    /**
+     * OAuth scopes to request, space-separated.
+     * Common scopes: "atproto", "transition:generic"
+     */
+    scope: zod.z.string(),
+    /**
+     * URL to your public JWKS (JSON Web Key Set) endpoint.
+     * Used by the authorization server to verify your client's signatures.
+     */
+    jwksUri: zod.z.string().url(),
+    /**
+     * Private JWK (JSON Web Key) as a JSON string.
+     * Used for signing DPoP proofs and client assertions.
+     *
+     * @remarks
+     * This should be kept secret and never exposed to clients.
+     * Typically loaded from environment variables or a secrets manager.
+     */
+    jwkPrivate: zod.z.string(),
+});
+/**
+ * Zod schema for server URL configuration.
+ *
+ * @remarks
+ * At least one server (PDS or SDS) should be configured for the SDK to be useful.
+ */
+const ServerConfigSchema = zod.z.object({
+    /**
+     * Personal Data Server URL - the user's own AT Protocol server.
+     * This is the primary server for user data operations.
+     *
+     * @example "https://bsky.social"
+     */
+    pds: zod.z.string().url().optional(),
+    /**
+     * Shared Data Server URL - for collaborative data storage.
+     * Required for collaborator and organization operations.
+     *
+     * @example "https://sds.hypercerts.org"
+     */
+    sds: zod.z.string().url().optional(),
+});
+/**
+ * Zod schema for timeout configuration.
+ *
+ * @remarks
+ * All timeout values are in milliseconds.
+ */
+const TimeoutConfigSchema = zod.z.object({
+    /**
+     * Timeout for fetching PDS metadata during identity resolution.
+     * @default 5000 (5 seconds, set by OAuthClient)
+     */
+    pdsMetadata: zod.z.number().positive().optional(),
+    /**
+     * Timeout for general API requests to PDS/SDS.
+     * @default 30000 (30 seconds)
+     */
+    apiRequests: zod.z.number().positive().optional(),
+});
+/**
+ * Zod schema for SDK configuration validation.
+ *
+ * @remarks
+ * This schema validates only the primitive/serializable parts of the configuration.
+ * Storage interfaces ({@link SessionStore}, {@link StateStore}) cannot be validated
+ * with Zod as they are runtime objects.
+ */
+const ATProtoSDKConfigSchema = zod.z.object({
+    oauth: OAuthConfigSchema,
+    servers: ServerConfigSchema.optional(),
+    timeouts: TimeoutConfigSchema.optional(),
+});
+/**
+ * Main ATProto SDK class providing OAuth authentication and repository access.
+ *
+ * This is the primary entry point for interacting with AT Protocol servers.
+ * It handles the OAuth 2.0 flow with DPoP (Demonstrating Proof of Possession)
+ * and provides access to repository operations for managing records, blobs,
+ * and profiles.
+ *
+ * @example Basic usage with OAuth flow
+ * ```typescript
+ * import { ATProtoSDK, InMemorySessionStore, InMemoryStateStore } from "@hypercerts-org/sdk";
+ *
+ * const sdk = new ATProtoSDK({
+ *   oauth: {
+ *     clientId: "https://my-app.com/client-metadata.json",
+ *     redirectUri: "https://my-app.com/callback",
+ *     scope: "atproto transition:generic",
+ *     jwksUri: "https://my-app.com/.well-known/jwks.json",
+ *     jwkPrivate: process.env.JWK_PRIVATE_KEY!,
+ *   },
+ *   servers: {
+ *     pds: "https://bsky.social",
+ *     sds: "https://sds.hypercerts.org",
+ *   },
+ * });
+ *
+ * // Start OAuth flow - redirect user to this URL
+ * const authUrl = await sdk.authorize("user.bsky.social");
+ *
+ * // After user returns, handle the callback
+ * const session = await sdk.callback(new URLSearchParams(window.location.search));
+ *
+ * // Get a repository to work with data
+ * const repo = sdk.repository(session);
+ * ```
+ *
+ * @example Restoring an existing session
+ * ```typescript
+ * // Restore a previous session by DID
+ * const session = await sdk.restoreSession("did:plc:abc123...");
+ * if (session) {
+ *   const repo = sdk.repository(session);
+ *   // Continue working with the restored session
+ * }
+ * ```
+ *
+ * @see {@link ATProtoSDKConfig} for configuration options
+ * @see {@link Repository} for data operations
+ * @see {@link OAuthClient} for OAuth implementation details
+ */
+class ATProtoSDK {
+    /**
+     * Creates a new ATProto SDK instance.
+     *
+     * @param config - SDK configuration including OAuth credentials, server URLs, and optional storage adapters
+     * @throws {@link ValidationError} if the configuration is invalid (e.g., malformed URLs, missing required fields)
+     *
+     * @remarks
+     * If no storage adapters are provided, in-memory implementations are used.
+     * These are suitable for development and testing but **not recommended for production**
+     * as sessions will be lost on restart.
+     *
+     * @example
+     * ```typescript
+     * // Minimal configuration (uses in-memory storage)
+     * const sdk = new ATProtoSDK({
+     *   oauth: {
+     *     clientId: "https://my-app.com/client-metadata.json",
+     *     redirectUri: "https://my-app.com/callback",
+     *     scope: "atproto",
+     *     jwksUri: "https://my-app.com/.well-known/jwks.json",
+     *     jwkPrivate: privateKeyJwk,
+     *   },
+     *   servers: { pds: "https://bsky.social" },
+     * });
+     * ```
+     */
+    constructor(config) {
+        // Validate configuration
+        const validationResult = ATProtoSDKConfigSchema.safeParse(config);
+        if (!validationResult.success) {
+            throw new ValidationError(`Invalid SDK configuration: ${validationResult.error.message}`, validationResult.error);
+        }
+        // Apply defaults for optional storage
+        const configWithDefaults = {
+            ...config,
+            storage: {
+                sessionStore: config.storage?.sessionStore ?? new InMemorySessionStore(),
+                stateStore: config.storage?.stateStore ?? new InMemoryStateStore(),
+            },
+        };
+        this.config = configWithDefaults;
+        this.logger = config.logger;
+        // Initialize OAuth client
+        this.oauthClient = new OAuthClient(configWithDefaults);
+        // Initialize lexicon registry
+        this.lexiconRegistry = new LexiconRegistry();
+        this.logger?.info("ATProto SDK initialized");
+    }
+    /**
+     * Initiates the OAuth authorization flow.
+     *
+     * This method starts the OAuth 2.0 authorization flow by resolving the user's
+     * identity and generating an authorization URL. The user should be redirected
+     * to this URL to authenticate.
+     *
+     * @param identifier - The user's ATProto identifier. Can be:
+     *   - A handle (e.g., `"user.bsky.social"`)
+     *   - A DID (e.g., `"did:plc:abc123..."`)
+     *   - A PDS URL (e.g., `"https://bsky.social"`)
+     * @param options - Optional authorization settings
+     * @returns A Promise resolving to the authorization URL to redirect the user to
+     * @throws {@link ValidationError} if the identifier is empty or invalid
+     * @throws {@link NetworkError} if the identity cannot be resolved
+     *
+     * @example
+     * ```typescript
+     * // Using a handle
+     * const authUrl = await sdk.authorize("alice.bsky.social");
+     *
+     * // Using a DID directly
+     * const authUrl = await sdk.authorize("did:plc:abc123xyz");
+     *
+     * // With custom scope
+     * const authUrl = await sdk.authorize("alice.bsky.social", {
+     *   scope: "atproto transition:generic"
+     * });
+     *
+     * // Redirect user to authUrl
+     * window.location.href = authUrl;
+     * ```
+     */
+    async authorize(identifier, options) {
+        if (!identifier || !identifier.trim()) {
+            throw new ValidationError("ATProto identifier is required");
+        }
+        return this.oauthClient.authorize(identifier.trim(), options);
+    }
+    /**
+     * Handles the OAuth callback and exchanges the authorization code for tokens.
+     *
+     * Call this method when the user is redirected back to your application
+     * after authenticating. It validates the OAuth state, exchanges the
+     * authorization code for access/refresh tokens, and creates a session.
+     *
+     * @param params - URL search parameters from the callback URL
+     * @returns A Promise resolving to the authenticated OAuth session
+     * @throws {@link AuthenticationError} if the callback parameters are invalid or the code exchange fails
+     * @throws {@link ValidationError} if required parameters are missing
+     *
+     * @example
+     * ```typescript
+     * // In your callback route handler
+     * const params = new URLSearchParams(window.location.search);
+     * // params contains: code, state, iss (issuer)
+     *
+     * const session = await sdk.callback(params);
+     * console.log(`Authenticated as ${session.did}`);
+     *
+     * // Store the DID to restore the session later
+     * localStorage.setItem("userDid", session.did);
+     * ```
+     */
+    async callback(params) {
+        return this.oauthClient.callback(params);
+    }
+    /**
+     * Restores an existing OAuth session by DID.
+     *
+     * Use this method to restore a previously authenticated session, typically
+     * on application startup. The method retrieves the stored session and
+     * automatically refreshes expired tokens if needed.
+     *
+     * @param did - The user's Decentralized Identifier (DID), e.g., `"did:plc:abc123..."`
+     * @returns A Promise resolving to the restored session, or `null` if no session exists
+     * @throws {@link ValidationError} if the DID is empty
+     * @throws {@link SessionExpiredError} if the session cannot be refreshed
+     *
+     * @example
+     * ```typescript
+     * // On application startup
+     * const savedDid = localStorage.getItem("userDid");
+     * if (savedDid) {
+     *   const session = await sdk.restoreSession(savedDid);
+     *   if (session) {
+     *     // User is still authenticated
+     *     const repo = sdk.repository(session);
+     *   } else {
+     *     // Session not found, user needs to re-authenticate
+     *     const authUrl = await sdk.authorize(savedDid);
+     *   }
+     * }
+     * ```
+     */
+    async restoreSession(did) {
+        if (!did || !did.trim()) {
+            throw new ValidationError("DID is required");
+        }
+        return this.oauthClient.restore(did.trim());
+    }
+    /**
+     * Revokes an OAuth session, logging the user out.
+     *
+     * This method invalidates the session's tokens and removes it from storage.
+     * After revocation, the session can no longer be used or restored.
+     *
+     * @param did - The user's DID to revoke the session for
+     * @throws {@link ValidationError} if the DID is empty
+     *
+     * @example
+     * ```typescript
+     * // Log out the user
+     * await sdk.revokeSession(session.did);
+     * localStorage.removeItem("userDid");
+     * ```
+     */
+    async revokeSession(did) {
+        if (!did || !did.trim()) {
+            throw new ValidationError("DID is required");
+        }
+        return this.oauthClient.revoke(did.trim());
+    }
+    /**
+     * Creates a repository instance for data operations.
+     *
+     * The repository provides a fluent API for working with AT Protocol data
+     * including records, blobs, profiles, and domain-specific operations like
+     * hypercerts and collaborators.
+     *
+     * @param session - An authenticated OAuth session
+     * @param options - Repository configuration options
+     * @returns A {@link Repository} instance configured for the specified server
+     * @throws {@link ValidationError} if the session is invalid or server URL is not configured
+     *
+     * @remarks
+     * - **PDS (Personal Data Server)**: User's own data storage, default for most operations
+     * - **SDS (Shared Data Server)**: Shared data storage with collaborator support
+     *
+     * @example Using default PDS
+     * ```typescript
+     * const repo = sdk.repository(session);
+     * const profile = await repo.profile.get();
+     * ```
+     *
+     * @example Using configured SDS
+     * ```typescript
+     * const sdsRepo = sdk.repository(session, { server: "sds" });
+     * const collaborators = await sdsRepo.collaborators.list();
+     * ```
+     *
+     * @example Using custom server URL
+     * ```typescript
+     * const customRepo = sdk.repository(session, {
+     *   serverUrl: "https://custom.atproto.server"
+     * });
+     * ```
+     */
+    repository(session, options) {
+        if (!session) {
+            throw new ValidationError("Session is required");
+        }
+        // Determine server URL
+        let serverUrl;
+        let isSDS = false;
+        if (options?.serverUrl) {
+            // Custom URL provided
+            serverUrl = options.serverUrl;
+            // Check if it matches configured SDS
+            isSDS = this.config.servers?.sds === serverUrl;
+        }
+        else if (options?.server === "sds") {
+            // Use configured SDS
+            if (!this.config.servers?.sds) {
+                throw new ValidationError("SDS server URL not configured");
+            }
+            serverUrl = this.config.servers.sds;
+            isSDS = true;
+        }
+        else if (options?.server === "pds" || !options?.server) {
+            // Use configured PDS (default)
+            if (!this.config.servers?.pds) {
+                throw new ValidationError("PDS server URL not configured");
+            }
+            serverUrl = this.config.servers.pds;
+            isSDS = false;
+        }
+        else {
+            // Custom server string (treat as URL)
+            serverUrl = options.server;
+            isSDS = this.config.servers?.sds === serverUrl;
+        }
+        // Get repository DID (default to session DID)
+        const repoDid = session.did || session.sub;
+        return new Repository(session, serverUrl, repoDid, this.lexiconRegistry, isSDS, this.logger);
+    }
+    /**
+     * Gets the lexicon registry for schema validation.
+     *
+     * The lexicon registry manages AT Protocol lexicon schemas used for
+     * validating record data. You can register custom lexicons to extend
+     * the SDK's capabilities.
+     *
+     * @returns The {@link LexiconRegistry} instance
+     *
+     * @example
+     * ```typescript
+     * const registry = sdk.getLexiconRegistry();
+     *
+     * // Register custom lexicons
+     * registry.register(myCustomLexicons);
+     *
+     * // Check if a lexicon is registered
+     * const hasLexicon = registry.has("org.example.myRecord");
+     * ```
+     */
+    getLexiconRegistry() {
+        return this.lexiconRegistry;
+    }
+    /**
+     * The configured PDS (Personal Data Server) URL.
+     *
+     * @returns The PDS URL if configured, otherwise `undefined`
+     */
+    get pdsUrl() {
+        return this.config.servers?.pds;
+    }
+    /**
+     * The configured SDS (Shared Data Server) URL.
+     *
+     * @returns The SDS URL if configured, otherwise `undefined`
+     */
+    get sdsUrl() {
+        return this.config.servers?.sds;
+    }
+}
+/**
+ * Factory function to create an ATProto SDK instance.
+ *
+ * This is a convenience function equivalent to `new ATProtoSDK(config)`.
+ *
+ * @param config - SDK configuration
+ * @returns A new {@link ATProtoSDK} instance
+ *
+ * @example
+ * ```typescript
+ * import { createATProtoSDK } from "@hypercerts-org/sdk";
+ *
+ * const sdk = createATProtoSDK({
+ *   oauth: { ... },
+ *   servers: { pds: "https://bsky.social" },
+ * });
+ * ```
+ */
+function createATProtoSDK(config) {
+    return new ATProtoSDK(config);
+}
+/**
+ * Zod schema for collaborator permissions in SDS repositories.
+ *
+ * Defines the granular permissions a collaborator can have on a shared repository.
+ * Permissions follow a hierarchical model where higher-level permissions
+ * typically imply lower-level ones.
+ */
+const CollaboratorPermissionsSchema = zod.z.object({
+    /**
+     * Can read/view records in the repository.
+     * This is the most basic permission level.
+     */
+    read: zod.z.boolean(),
+    /**
+     * Can create new records in the repository.
+     * Typically implies `read` permission.
+     */
+    create: zod.z.boolean(),
+    /**
+     * Can modify existing records in the repository.
+     * Typically implies `read` and `create` permissions.
+     */
+    update: zod.z.boolean(),
+    /**
+     * Can delete records from the repository.
+     * Typically implies `read`, `create`, and `update` permissions.
+     */
+    delete: zod.z.boolean(),
+    /**
+     * Can manage collaborators and their permissions.
+     * Administrative permission that allows inviting/removing collaborators.
+     */
+    admin: zod.z.boolean(),
+    /**
+     * Full ownership of the repository.
+     * Owners have all permissions and cannot be removed by other admins.
+     * There must always be at least one owner.
+     */
+    owner: zod.z.boolean(),
+});
+/**
+ * Zod schema for SDS organization data.
+ *
+ * Organizations are top-level entities in SDS that can own repositories
+ * and have multiple collaborators with different permission levels.
+ */
+const OrganizationSchema = zod.z.object({
+    /**
+     * The organization's DID - unique identifier.
+     * Format: "did:plc:..." or "did:web:..."
+     */
+    did: zod.z.string(),
+    /**
+     * The organization's handle - human-readable identifier.
+     * Format: "orgname.sds.hypercerts.org" or similar
+     */
+    handle: zod.z.string(),
+    /**
+     * Display name for the organization.
+     */
+    name: zod.z.string(),
+    /**
+     * Optional description of the organization's purpose.
+     */
+    description: zod.z.string().optional(),
+    /**
+     * ISO 8601 timestamp when the organization was created.
+     * Format: "2024-01-15T10:30:00.000Z"
+     */
+    createdAt: zod.z.string(),
+    /**
+     * The current user's permissions within this organization.
+     */
+    permissions: CollaboratorPermissionsSchema,
+    /**
+     * How the current user relates to this organization.
+     * - `"owner"`: User created or owns the organization
+     * - `"collaborator"`: User was invited to collaborate
+     */
+    accessType: zod.z.enum(["owner", "collaborator"]),
+});
+/**
+ * Zod schema for collaborator data.
+ *
+ * Represents a user who has been granted access to a shared repository
+ * or organization with specific permissions.
+ */
+const CollaboratorSchema = zod.z.object({
+    /**
+     * The collaborator's DID - their unique identifier.
+     * Format: "did:plc:..." or "did:web:..."
+     */
+    userDid: zod.z.string(),
+    /**
+     * The permissions granted to this collaborator.
+     */
+    permissions: CollaboratorPermissionsSchema,
+    /**
+     * DID of the user who granted these permissions.
+     * Useful for audit trails.
+     */
+    grantedBy: zod.z.string(),
+    /**
+     * ISO 8601 timestamp when permissions were granted.
+     * Format: "2024-01-15T10:30:00.000Z"
+     */
+    grantedAt: zod.z.string(),
+    /**
+     * ISO 8601 timestamp when permissions were revoked, if applicable.
+     * Undefined if the collaborator is still active.
+     */
+    revokedAt: zod.z.string().optional(),
+});
+Object.defineProperty(exports, "AppCertifiedLocation", {
+    enumerable: true,
+    get: function () { return lexicon.AppCertifiedLocation; }
+});
+Object.defineProperty(exports, "ComAtprotoRepoStrongRef", {
+    enumerable: true,
+    get: function () { return lexicon.ComAtprotoRepoStrongRef; }
+});
+Object.defineProperty(exports, "HYPERCERT_COLLECTIONS", {
+    enumerable: true,
+    get: function () { return lexicon.HYPERCERT_COLLECTIONS; }
+});
+Object.defineProperty(exports, "HYPERCERT_LEXICONS", {
+    enumerable: true,
+    get: function () { return lexicon.HYPERCERT_LEXICONS; }
+});
+Object.defineProperty(exports, "OrgHypercertsClaim", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsClaim; }
+});
+Object.defineProperty(exports, "OrgHypercertsClaimContribution", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsClaimContribution; }
+});
+Object.defineProperty(exports, "OrgHypercertsClaimEvaluation", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsClaimEvaluation; }
+});
+Object.defineProperty(exports, "OrgHypercertsClaimEvidence", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsClaimEvidence; }
+});
+Object.defineProperty(exports, "OrgHypercertsClaimMeasurement", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsClaimMeasurement; }
+});
+Object.defineProperty(exports, "OrgHypercertsClaimRights", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsClaimRights; }
+});
+Object.defineProperty(exports, "OrgHypercertsCollection", {
+    enumerable: true,
+    get: function () { return lexicon.OrgHypercertsCollection; }
+});
+Object.defineProperty(exports, "ids", {
+    enumerable: true,
+    get: function () { return lexicon.ids; }
+});
+Object.defineProperty(exports, "lexicons", {
+    enumerable: true,
+    get: function () { return lexicon.lexicons; }
+});
+Object.defineProperty(exports, "schemaDict", {
+    enumerable: true,
+    get: function () { return lexicon.schemaDict; }
+});
+Object.defineProperty(exports, "schemas", {
+    enumerable: true,
+    get: function () { return lexicon.schemas; }
+});
+Object.defineProperty(exports, "validate", {
+    enumerable: true,
+    get: function () { return lexicon.validate; }
+});
+exports.ATProtoSDK = ATProtoSDK;
+exports.ATProtoSDKConfigSchema = ATProtoSDKConfigSchema;
+exports.ATProtoSDKError = ATProtoSDKError;
+exports.AuthenticationError = AuthenticationError;
+exports.CollaboratorPermissionsSchema = CollaboratorPermissionsSchema;
+exports.CollaboratorSchema = CollaboratorSchema;
+exports.InMemorySessionStore = InMemorySessionStore;
+exports.InMemoryStateStore = InMemoryStateStore;
+exports.LexiconRegistry = LexiconRegistry;
+exports.NetworkError = NetworkError;
+exports.OAuthConfigSchema = OAuthConfigSchema;
+exports.OrganizationSchema = OrganizationSchema;
+exports.Repository = Repository;
+exports.SDSRequiredError = SDSRequiredError;
+exports.ServerConfigSchema = ServerConfigSchema;
+exports.SessionExpiredError = SessionExpiredError;
+exports.TimeoutConfigSchema = TimeoutConfigSchema;
+exports.ValidationError = ValidationError;
+exports.createATProtoSDK = createATProtoSDK;
+//# sourceMappingURL=index.cjs.map