@hypercerts-org/sdk-core 0.2.0-beta.0

package/dist/index.mjs

@@ -0,0 +1,4448 @@
+import { JoseKey, NodeOAuthClient } from '@atproto/oauth-client-node';
+import { Lexicons } from '@atproto/lexicon';
+import { Agent } from '@atproto/api';
+import { HYPERCERT_COLLECTIONS, HYPERCERT_LEXICONS } from '@hypercerts-org/lexicon';
+export { AppCertifiedLocation, ComAtprotoRepoStrongRef, HYPERCERT_COLLECTIONS, HYPERCERT_LEXICONS, OrgHypercertsClaim, OrgHypercertsClaimContribution, OrgHypercertsClaimEvaluation, OrgHypercertsClaimEvidence, OrgHypercertsClaimMeasurement, OrgHypercertsClaimRights, OrgHypercertsCollection, ids, lexicons, schemaDict, schemas, validate } from '@hypercerts-org/lexicon';
+import { EventEmitter } from 'eventemitter3';
+import { z } from 'zod';
+
+/**
+ * Base error class for all SDK errors.
+ *
+ * All errors thrown by the Hypercerts SDK extend this class, making it easy
+ * to catch and handle SDK-specific errors.
+ *
+ * @example Catching all SDK errors
+ * ```typescript
+ * try {
+ *   await sdk.authorize("user.bsky.social");
+ * } catch (error) {
+ *   if (error instanceof ATProtoSDKError) {
+ *     console.error(`SDK Error [${error.code}]: ${error.message}`);
+ *     console.error(`HTTP Status: ${error.status}`);
+ *   }
+ * }
+ * ```
+ *
+ * @example Checking error codes
+ * ```typescript
+ * try {
+ *   await repo.records.get(collection, rkey);
+ * } catch (error) {
+ *   if (error instanceof ATProtoSDKError) {
+ *     switch (error.code) {
+ *       case "AUTHENTICATION_ERROR":
+ *         // Redirect to login
+ *         break;
+ *       case "VALIDATION_ERROR":
+ *         // Show form errors
+ *         break;
+ *       case "NETWORK_ERROR":
+ *         // Retry or show offline message
+ *         break;
+ *     }
+ *   }
+ * }
+ * ```
+ */
+class ATProtoSDKError extends Error {
+    /**
+     * Creates a new SDK error.
+     *
+     * @param message - Human-readable error description
+     * @param code - Machine-readable error code for programmatic handling
+     * @param status - HTTP status code associated with this error type
+     * @param cause - The underlying error that caused this error, if any
+     */
+    constructor(message, code, status, cause) {
+        super(message);
+        this.code = code;
+        this.status = status;
+        this.cause = cause;
+        this.name = "ATProtoSDKError";
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+/**
+ * Error thrown when authentication fails.
+ *
+ * This error indicates problems with the OAuth flow, invalid credentials,
+ * or failed token exchanges. Common causes:
+ * - Invalid authorization code
+ * - Expired or invalid state parameter
+ * - Revoked or invalid tokens
+ * - User denied authorization
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   const session = await sdk.callback(params);
+ * } catch (error) {
+ *   if (error instanceof AuthenticationError) {
+ *     // Clear any stored state and redirect to login
+ *     console.error("Authentication failed:", error.message);
+ *   }
+ * }
+ * ```
+ */
+class AuthenticationError extends ATProtoSDKError {
+    /**
+     * Creates an authentication error.
+     *
+     * @param message - Description of what went wrong during authentication
+     * @param cause - The underlying error (e.g., from the OAuth client)
+     */
+    constructor(message, cause) {
+        super(message, "AUTHENTICATION_ERROR", 401, cause);
+        this.name = "AuthenticationError";
+    }
+}
+/**
+ * Error thrown when a session has expired and cannot be refreshed.
+ *
+ * This typically occurs when:
+ * - The refresh token has expired (usually after extended inactivity)
+ * - The user has revoked access to your application
+ * - The PDS has invalidated all sessions for the user
+ *
+ * When this error occurs, the user must re-authenticate.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   const session = await sdk.restoreSession(did);
+ * } catch (error) {
+ *   if (error instanceof SessionExpiredError) {
+ *     // Clear stored session and prompt user to log in again
+ *     localStorage.removeItem("userDid");
+ *     window.location.href = "/login";
+ *   }
+ * }
+ * ```
+ */
+class SessionExpiredError extends ATProtoSDKError {
+    /**
+     * Creates a session expired error.
+     *
+     * @param message - Description of why the session expired
+     * @param cause - The underlying error from the token refresh attempt
+     */
+    constructor(message = "Session expired", cause) {
+        super(message, "SESSION_EXPIRED", 401, cause);
+        this.name = "SessionExpiredError";
+    }
+}
+/**
+ * Error thrown when input validation fails.
+ *
+ * This error indicates that provided data doesn't meet the required format
+ * or constraints. Common causes:
+ * - Missing required fields
+ * - Invalid URL formats
+ * - Invalid DID format
+ * - Schema validation failures for records
+ * - Invalid configuration values
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await sdk.authorize("");  // Empty identifier
+ * } catch (error) {
+ *   if (error instanceof ValidationError) {
+ *     console.error("Invalid input:", error.message);
+ *     // Show validation error to user
+ *   }
+ * }
+ * ```
+ *
+ * @example With Zod validation cause
+ * ```typescript
+ * try {
+ *   await repo.records.create(collection, record);
+ * } catch (error) {
+ *   if (error instanceof ValidationError && error.cause) {
+ *     // error.cause may be a ZodError with detailed field errors
+ *     const zodError = error.cause as ZodError;
+ *     zodError.errors.forEach(e => {
+ *       console.error(`Field ${e.path.join(".")}: ${e.message}`);
+ *     });
+ *   }
+ * }
+ * ```
+ */
+class ValidationError extends ATProtoSDKError {
+    /**
+     * Creates a validation error.
+     *
+     * @param message - Description of what validation failed
+     * @param cause - The underlying validation error (e.g., ZodError)
+     */
+    constructor(message, cause) {
+        super(message, "VALIDATION_ERROR", 400, cause);
+        this.name = "ValidationError";
+    }
+}
+/**
+ * Error thrown when a network request fails.
+ *
+ * This error indicates connectivity issues or server unavailability.
+ * Common causes:
+ * - No internet connection
+ * - DNS resolution failure
+ * - Server timeout
+ * - Server returned 5xx error
+ * - TLS/SSL errors
+ *
+ * These errors are typically transient and may succeed on retry.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await repo.records.list(collection);
+ * } catch (error) {
+ *   if (error instanceof NetworkError) {
+ *     // Implement retry logic or show offline indicator
+ *     console.error("Network error:", error.message);
+ *     await retryWithBackoff(() => repo.records.list(collection));
+ *   }
+ * }
+ * ```
+ */
+class NetworkError extends ATProtoSDKError {
+    /**
+     * Creates a network error.
+     *
+     * @param message - Description of the network failure
+     * @param cause - The underlying error (e.g., fetch error, timeout)
+     */
+    constructor(message, cause) {
+        super(message, "NETWORK_ERROR", 503, cause);
+        this.name = "NetworkError";
+    }
+}
+/**
+ * Error thrown when an SDS-only operation is attempted on a PDS.
+ *
+ * Certain operations are only available on Shared Data Servers (SDS),
+ * such as collaborator management and organization operations.
+ * This error is thrown when these operations are attempted on a
+ * Personal Data Server (PDS).
+ *
+ * @example
+ * ```typescript
+ * const pdsRepo = sdk.repository(session);  // Default is PDS
+ *
+ * try {
+ *   // This will throw SDSRequiredError
+ *   await pdsRepo.collaborators.list();
+ * } catch (error) {
+ *   if (error instanceof SDSRequiredError) {
+ *     // Switch to SDS for this operation
+ *     const sdsRepo = sdk.repository(session, { server: "sds" });
+ *     const collaborators = await sdsRepo.collaborators.list();
+ *   }
+ * }
+ * ```
+ */
+class SDSRequiredError extends ATProtoSDKError {
+    /**
+     * Creates an SDS required error.
+     *
+     * @param message - Description of which operation requires SDS
+     * @param cause - Any underlying error
+     */
+    constructor(message = "This operation requires a Shared Data Server (SDS)", cause) {
+        super(message, "SDS_REQUIRED", 400, cause);
+        this.name = "SDSRequiredError";
+    }
+}
+
+/**
+ * In-memory implementation of the SessionStore interface.
+ *
+ * This store keeps OAuth sessions in memory using a Map. It's intended
+ * for development, testing, and simple use cases where session persistence
+ * across restarts is not required.
+ *
+ * @remarks
+ * **Warning**: This implementation is **not suitable for production** because:
+ * - Sessions are lost when the process restarts
+ * - Sessions cannot be shared across multiple server instances
+ * - No automatic cleanup of expired sessions
+ *
+ * For production, implement {@link SessionStore} with a persistent backend:
+ * - **Redis**: Good for distributed systems, supports TTL
+ * - **PostgreSQL/MySQL**: Good for existing database infrastructure
+ * - **MongoDB**: Good for document-based storage
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { InMemorySessionStore } from "@hypercerts-org/sdk/storage";
+ *
+ * const sessionStore = new InMemorySessionStore();
+ *
+ * const sdk = new ATProtoSDK({
+ *   oauth: { ... },
+ *   storage: {
+ *     sessionStore,  // Will warn in logs for production
+ *   },
+ * });
+ * ```
+ *
+ * @example Testing usage
+ * ```typescript
+ * const sessionStore = new InMemorySessionStore();
+ *
+ * // After tests, clean up
+ * sessionStore.clear();
+ * ```
+ *
+ * @see {@link SessionStore} for the interface definition
+ * @see {@link InMemoryStateStore} for the corresponding state store
+ */
+class InMemorySessionStore {
+    constructor() {
+        /**
+         * Internal storage for sessions, keyed by DID.
+         * @internal
+         */
+        this.sessions = new Map();
+    }
+    /**
+     * Retrieves a session by DID.
+     *
+     * @param did - The user's Decentralized Identifier
+     * @returns Promise resolving to the session, or `undefined` if not found
+     *
+     * @example
+     * ```typescript
+     * const session = await sessionStore.get("did:plc:abc123");
+     * if (session) {
+     *   console.log("Session found");
+     * }
+     * ```
+     */
+    async get(did) {
+        return this.sessions.get(did);
+    }
+    /**
+     * Stores or updates a session.
+     *
+     * @param did - The user's DID to use as the key
+     * @param session - The session data to store
+     *
+     * @remarks
+     * If a session already exists for the DID, it is overwritten.
+     *
+     * @example
+     * ```typescript
+     * await sessionStore.set("did:plc:abc123", sessionData);
+     * ```
+     */
+    async set(did, session) {
+        this.sessions.set(did, session);
+    }
+    /**
+     * Deletes a session by DID.
+     *
+     * @param did - The DID of the session to delete
+     *
+     * @remarks
+     * If no session exists for the DID, this is a no-op.
+     *
+     * @example
+     * ```typescript
+     * await sessionStore.del("did:plc:abc123");
+     * ```
+     */
+    async del(did) {
+        this.sessions.delete(did);
+    }
+    /**
+     * Clears all stored sessions.
+     *
+     * This is primarily useful for testing to ensure a clean state
+     * between test runs.
+     *
+     * @remarks
+     * This method is synchronous (not async) for convenience in test cleanup.
+     *
+     * @example
+     * ```typescript
+     * // In test teardown
+     * afterEach(() => {
+     *   sessionStore.clear();
+     * });
+     * ```
+     */
+    clear() {
+        this.sessions.clear();
+    }
+}
+
+/**
+ * In-memory implementation of the StateStore interface.
+ *
+ * This store keeps OAuth state parameters in memory using a Map. State is
+ * used during the OAuth authorization flow for CSRF protection and PKCE.
+ *
+ * @remarks
+ * **Warning**: This implementation is **not suitable for production** because:
+ * - State is lost when the process restarts (breaking in-progress OAuth flows)
+ * - State cannot be shared across multiple server instances
+ * - No automatic cleanup of expired state (memory leak potential)
+ *
+ * For production, implement {@link StateStore} with a persistent backend
+ * that supports TTL (time-to-live):
+ * - **Redis**: Ideal choice with built-in TTL support
+ * - **Database with cleanup job**: PostgreSQL/MySQL with periodic cleanup
+ *
+ * **State Lifecycle**:
+ * 1. Created when user starts OAuth flow (`authorize()`)
+ * 2. Retrieved and validated during callback
+ * 3. Deleted after successful or failed callback
+ * 4. Should expire after ~15 minutes if callback never happens
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { InMemoryStateStore } from "@hypercerts-org/sdk/storage";
+ *
+ * const stateStore = new InMemoryStateStore();
+ *
+ * const sdk = new ATProtoSDK({
+ *   oauth: { ... },
+ *   storage: {
+ *     stateStore,  // Will warn in logs for production
+ *   },
+ * });
+ * ```
+ *
+ * @example Testing usage
+ * ```typescript
+ * const stateStore = new InMemoryStateStore();
+ *
+ * // After tests, clean up
+ * stateStore.clear();
+ * ```
+ *
+ * @see {@link StateStore} for the interface definition
+ * @see {@link InMemorySessionStore} for the corresponding session store
+ */
+class InMemoryStateStore {
+    constructor() {
+        /**
+         * Internal storage for OAuth state, keyed by state string.
+         * @internal
+         */
+        this.states = new Map();
+    }
+    /**
+     * Retrieves OAuth state by key.
+     *
+     * @param key - The state key (random string from authorization URL)
+     * @returns Promise resolving to the state, or `undefined` if not found
+     *
+     * @remarks
+     * The key is a cryptographically random string generated during
+     * the authorization request. It's included in the callback URL
+     * and used to retrieve the associated PKCE verifier and other data.
+     *
+     * @example
+     * ```typescript
+     * // During OAuth callback
+     * const state = await stateStore.get(params.get("state")!);
+     * if (!state) {
+     *   throw new Error("Invalid or expired state");
+     * }
+     * ```
+     */
+    async get(key) {
+        return this.states.get(key);
+    }
+    /**
+     * Stores OAuth state temporarily.
+     *
+     * @param key - The state key to use for storage
+     * @param state - The OAuth state data (includes PKCE verifier, etc.)
+     *
+     * @remarks
+     * In production implementations, state should be stored with a TTL
+     * of approximately 10-15 minutes to prevent stale state accumulation.
+     *
+     * @example
+     * ```typescript
+     * // Called internally by OAuthClient during authorize()
+     * await stateStore.set(stateKey, {
+     *   // PKCE code verifier, redirect URI, etc.
+     * });
+     * ```
+     */
+    async set(key, state) {
+        this.states.set(key, state);
+    }
+    /**
+     * Deletes OAuth state by key.
+     *
+     * @param key - The state key to delete
+     *
+     * @remarks
+     * Called after the OAuth callback is processed (whether successful or not)
+     * to clean up the temporary state.
+     *
+     * @example
+     * ```typescript
+     * // After processing callback
+     * await stateStore.del(stateKey);
+     * ```
+     */
+    async del(key) {
+        this.states.delete(key);
+    }
+    /**
+     * Clears all stored state.
+     *
+     * This is primarily useful for testing to ensure a clean state
+     * between test runs.
+     *
+     * @remarks
+     * This method is synchronous (not async) for convenience in test cleanup.
+     * In production, be careful using this as it will invalidate all
+     * in-progress OAuth flows.
+     *
+     * @example
+     * ```typescript
+     * // In test teardown
+     * afterEach(() => {
+     *   stateStore.clear();
+     * });
+     * ```
+     */
+    clear() {
+        this.states.clear();
+    }
+}
+
+/**
+ * OAuth 2.0 client for AT Protocol authentication with DPoP support.
+ *
+ * This class wraps the `@atproto/oauth-client-node` library to provide
+ * OAuth 2.0 authentication with the following features:
+ *
+ * - **DPoP (Demonstrating Proof of Possession)**: Binds tokens to cryptographic keys
+ *   to prevent token theft and replay attacks
+ * - **PKCE (Proof Key for Code Exchange)**: Protects against authorization code interception
+ * - **Automatic Token Refresh**: Transparently refreshes expired access tokens
+ * - **Session Persistence**: Stores sessions in configurable storage backends
+ *
+ * @remarks
+ * This class is typically used internally by {@link ATProtoSDK}. Direct usage
+ * is only needed for advanced scenarios.
+ *
+ * The client uses lazy initialization - the underlying `NodeOAuthClient` is
+ * created asynchronously on first use. This allows the constructor to return
+ * synchronously while deferring async key parsing.
+ *
+ * @example Direct usage (advanced)
+ * ```typescript
+ * import { OAuthClient } from "@hypercerts-org/sdk";
+ *
+ * const client = new OAuthClient({
+ *   oauth: {
+ *     clientId: "https://my-app.com/client-metadata.json",
+ *     redirectUri: "https://my-app.com/callback",
+ *     scope: "atproto transition:generic",
+ *     jwksUri: "https://my-app.com/.well-known/jwks.json",
+ *     jwkPrivate: process.env.JWK_PRIVATE_KEY!,
+ *   },
+ *   servers: { pds: "https://bsky.social" },
+ * });
+ *
+ * // Start authorization
+ * const authUrl = await client.authorize("user.bsky.social");
+ *
+ * // Handle callback
+ * const session = await client.callback(new URLSearchParams(callbackUrl.search));
+ * ```
+ *
+ * @see {@link ATProtoSDK} for the recommended high-level API
+ * @see https://atproto.com/specs/oauth for AT Protocol OAuth specification
+ */
+class OAuthClient {
+    /**
+     * Creates a new OAuth client.
+     *
+     * @param config - SDK configuration including OAuth credentials and server URLs
+     * @throws {@link AuthenticationError} if the JWK private key is not valid JSON
+     *
+     * @remarks
+     * The constructor validates the JWK format synchronously but defers
+     * the actual client initialization to the first API call.
+     */
+    constructor(config) {
+        /** The underlying NodeOAuthClient instance (lazily initialized) */
+        this.client = null;
+        this.config = config;
+        this.logger = config.logger;
+        // Validate JWK format synchronously (before async initialization)
+        try {
+            JSON.parse(config.oauth.jwkPrivate);
+        }
+        catch (error) {
+            throw new AuthenticationError("Failed to parse JWK private key. Ensure it is valid JSON.", error);
+        }
+        // Initialize client lazily (async initialization)
+        this.clientPromise = this.initializeClient();
+    }
+    /**
+     * Initializes the NodeOAuthClient asynchronously.
+     *
+     * This method is called lazily on first use. It:
+     * 1. Parses the JWK private key(s)
+     * 2. Builds OAuth client metadata
+     * 3. Creates the underlying NodeOAuthClient
+     *
+     * @returns Promise resolving to the initialized client
+     * @internal
+     */
+    async initializeClient() {
+        if (this.client) {
+            return this.client;
+        }
+        // Parse JWK private key (already validated in constructor)
+        const privateJWK = JSON.parse(this.config.oauth.jwkPrivate);
+        // Build client metadata
+        const clientMetadata = this.buildClientMetadata();
+        // Convert JWK keys to JoseKey instances (await here)
+        const keyset = await Promise.all(privateJWK.keys.map((key) => JoseKey.fromImportable(key, key.kid)));
+        // Create fetch with timeout
+        const fetchWithTimeout = this.createFetchWithTimeout(this.config.timeouts?.pdsMetadata ?? 30000);
+        // Use provided stores or fall back to in-memory implementations
+        const stateStore = this.config.storage?.stateStore ?? new InMemoryStateStore();
+        const sessionStore = this.config.storage?.sessionStore ?? new InMemorySessionStore();
+        this.client = new NodeOAuthClient({
+            clientMetadata,
+            keyset,
+            stateStore: this.createStateStoreAdapter(stateStore),
+            sessionStore: this.createSessionStoreAdapter(sessionStore),
+            handleResolver: this.config.servers?.pds,
+            fetch: this.config.fetch ?? fetchWithTimeout,
+        });
+        return this.client;
+    }
+    /**
+     * Gets the OAuth client instance, initializing if needed.
+     *
+     * @returns Promise resolving to the initialized client
+     * @internal
+     */
+    async getClient() {
+        return this.clientPromise;
+    }
+    /**
+     * Builds OAuth client metadata from configuration.
+     *
+     * The metadata describes your application to the authorization server
+     * and must match what's published at your `clientId` URL.
+     *
+     * @returns OAuth client metadata object
+     * @internal
+     *
+     * @remarks
+     * Key metadata fields:
+     * - `client_id`: URL to your client metadata JSON
+     * - `redirect_uris`: Where to redirect after auth (must match config)
+     * - `dpop_bound_access_tokens`: Always true for AT Protocol
+     * - `token_endpoint_auth_method`: Uses private_key_jwt for security
+     */
+    buildClientMetadata() {
+        const clientIdUrl = new URL(this.config.oauth.clientId);
+        return {
+            client_id: this.config.oauth.clientId,
+            client_name: "ATProto SDK Client",
+            client_uri: clientIdUrl.origin,
+            redirect_uris: [this.config.oauth.redirectUri],
+            scope: this.config.oauth.scope,
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            application_type: "web",
+            token_endpoint_auth_method: "private_key_jwt",
+            token_endpoint_auth_signing_alg: "ES256",
+            dpop_bound_access_tokens: true,
+            jwks_uri: this.config.oauth.jwksUri,
+        };
+    }
+    /**
+     * Creates a fetch handler with timeout support.
+     *
+     * @param timeoutMs - Request timeout in milliseconds
+     * @returns A fetch function that aborts after the timeout
+     * @internal
+     */
+    createFetchWithTimeout(timeoutMs) {
+        return async (input, init) => {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+            try {
+                const response = await fetch(input, {
+                    ...init,
+                    signal: controller.signal,
+                });
+                clearTimeout(timeoutId);
+                return response;
+            }
+            catch (error) {
+                clearTimeout(timeoutId);
+                if (error instanceof Error && error.name === "AbortError") {
+                    throw new NetworkError(`Request timeout after ${timeoutMs}ms`, error);
+                }
+                throw new NetworkError("Network request failed", error);
+            }
+        };
+    }
+    /**
+     * Creates a state store adapter compatible with NodeOAuthClient.
+     *
+     * @param store - The StateStore implementation to adapt
+     * @returns An adapter compatible with NodeOAuthClient
+     * @internal
+     */
+    createStateStoreAdapter(store) {
+        return {
+            get: (key) => store.get(key),
+            set: (key, value) => store.set(key, value),
+            del: (key) => store.del(key),
+        };
+    }
+    /**
+     * Creates a session store adapter compatible with NodeOAuthClient.
+     *
+     * @param store - The SessionStore implementation to adapt
+     * @returns An adapter compatible with NodeOAuthClient
+     * @internal
+     */
+    createSessionStoreAdapter(store) {
+        return {
+            get: (did) => store.get(did),
+            set: (did, session) => store.set(did, session),
+            del: (did) => store.del(did),
+        };
+    }
+    /**
+     * Initiates the OAuth authorization flow.
+     *
+     * This method resolves the user's identity from their identifier,
+     * generates PKCE codes, creates OAuth state, and returns an
+     * authorization URL to redirect the user to.
+     *
+     * @param identifier - The user's ATProto identifier. Accepts:
+     *   - Handle (e.g., `"alice.bsky.social"`)
+     *   - DID (e.g., `"did:plc:abc123..."`)
+     *   - PDS URL (e.g., `"https://bsky.social"`)
+     * @param options - Optional authorization settings
+     * @returns A Promise resolving to the authorization URL
+     * @throws {@link AuthenticationError} if authorization setup fails
+     * @throws {@link NetworkError} if identity resolution fails
+     *
+     * @example
+     * ```typescript
+     * // Get authorization URL
+     * const authUrl = await client.authorize("user.bsky.social");
+     *
+     * // Redirect user (in a web app)
+     * window.location.href = authUrl;
+     *
+     * // Or return to client (in an API)
+     * res.json({ authUrl });
+     * ```
+     */
+    async authorize(identifier, options) {
+        try {
+            this.logger?.debug("Initiating OAuth authorization", { identifier });
+            const client = await this.getClient();
+            const scope = options?.scope ?? this.config.oauth.scope;
+            const authUrl = await client.authorize(identifier, { scope });
+            this.logger?.debug("Authorization URL generated", { identifier });
+            // Convert URL to string if needed
+            return typeof authUrl === "string" ? authUrl : authUrl.toString();
+        }
+        catch (error) {
+            this.logger?.error("Authorization failed", { identifier, error });
+            if (error instanceof NetworkError || error instanceof AuthenticationError) {
+                throw error;
+            }
+            throw new AuthenticationError(`Failed to initiate authorization: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+    /**
+     * Handles the OAuth callback and exchanges the authorization code for tokens.
+     *
+     * Call this method when the user is redirected back to your application.
+     * It validates the state, exchanges the code for tokens, and creates
+     * a persistent session.
+     *
+     * @param params - URL search parameters from the callback. Expected parameters:
+     *   - `code`: The authorization code
+     *   - `state`: The state parameter (for CSRF protection)
+     *   - `iss`: The issuer (authorization server URL)
+     * @returns A Promise resolving to the authenticated OAuth session
+     * @throws {@link AuthenticationError} if:
+     *   - The callback contains an OAuth error
+     *   - The state is invalid or expired
+     *   - The code exchange fails
+     *   - Session persistence fails
+     *
+     * @example
+     * ```typescript
+     * // In your callback route handler
+     * app.get("/callback", async (req, res) => {
+     *   const params = new URLSearchParams(req.url.split("?")[1]);
+     *
+     *   try {
+     *     const session = await client.callback(params);
+     *     // Store DID for session restoration
+     *     req.session.userDid = session.sub;
+     *     res.redirect("/dashboard");
+     *   } catch (error) {
+     *     res.redirect("/login?error=auth_failed");
+     *   }
+     * });
+     * ```
+     *
+     * @remarks
+     * After successful token exchange, this method verifies that the session
+     * was properly persisted by attempting to restore it. This ensures the
+     * storage backend is working correctly.
+     */
+    async callback(params) {
+        try {
+            this.logger?.debug("Processing OAuth callback");
+            // Check for OAuth errors
+            const error = params.get("error");
+            if (error) {
+                const errorDescription = params.get("error_description");
+                throw new AuthenticationError(errorDescription || error);
+            }
+            const client = await this.getClient();
+            const result = await client.callback(params);
+            const session = result.session;
+            const did = session.sub;
+            this.logger?.info("OAuth callback successful", { did });
+            // Verify session can be restored (validates persistence)
+            try {
+                const restored = await client.restore(did);
+                if (!restored) {
+                    throw new AuthenticationError("OAuth session was not persisted");
+                }
+                this.logger?.debug("Session verified and restorable", { did });
+            }
+            catch (restoreError) {
+                this.logger?.error("Failed to verify persisted session", {
+                    did,
+                    error: restoreError,
+                });
+                throw new AuthenticationError("Failed to persist OAuth session", restoreError);
+            }
+            return session;
+        }
+        catch (error) {
+            this.logger?.error("OAuth callback failed", { error });
+            if (error instanceof AuthenticationError) {
+                throw error;
+            }
+            throw new AuthenticationError(`OAuth callback failed: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+    /**
+     * Restores an OAuth session by DID.
+     *
+     * Use this method to restore a previously authenticated session.
+     * The method automatically refreshes expired access tokens using
+     * the stored refresh token.
+     *
+     * @param did - The user's Decentralized Identifier (e.g., `"did:plc:abc123..."`)
+     * @returns A Promise resolving to the session, or `null` if not found
+     * @throws {@link AuthenticationError} if session restoration fails (not for missing sessions)
+     * @throws {@link NetworkError} if token refresh requires network and fails
+     *
+     * @example
+     * ```typescript
+     * // On application startup or request
+     * const userDid = req.session.userDid;
+     * if (userDid) {
+     *   const session = await client.restore(userDid);
+     *   if (session) {
+     *     // Session restored, user is authenticated
+     *     req.atprotoSession = session;
+     *   } else {
+     *     // No session found, user needs to log in
+     *     delete req.session.userDid;
+     *   }
+     * }
+     * ```
+     *
+     * @remarks
+     * Token refresh is handled automatically by the underlying OAuth client.
+     * If the refresh token has expired or been revoked, this method will
+     * throw an {@link AuthenticationError}.
+     */
+    async restore(did) {
+        try {
+            this.logger?.debug("Restoring session", { did });
+            const client = await this.getClient();
+            const session = await client.restore(did);
+            if (session) {
+                this.logger?.debug("Session restored", { did });
+            }
+            else {
+                this.logger?.debug("No session found", { did });
+            }
+            return session;
+        }
+        catch (error) {
+            this.logger?.error("Failed to restore session", { did, error });
+            if (error instanceof NetworkError) {
+                throw error;
+            }
+            throw new AuthenticationError(`Failed to restore session: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+    /**
+     * Revokes an OAuth session.
+     *
+     * This method invalidates the session's tokens both locally and
+     * (if supported) on the authorization server. After revocation,
+     * the session cannot be restored.
+     *
+     * @param did - The user's DID to revoke
+     * @throws {@link AuthenticationError} if revocation fails
+     *
+     * @example
+     * ```typescript
+     * // Log out endpoint
+     * app.post("/logout", async (req, res) => {
+     *   const userDid = req.session.userDid;
+     *   if (userDid) {
+     *     await client.revoke(userDid);
+     *     delete req.session.userDid;
+     *   }
+     *   res.redirect("/");
+     * });
+     * ```
+     *
+     * @remarks
+     * Even if revocation fails on the server, the local session is
+     * removed. The error is thrown to inform you that remote revocation
+     * may not have succeeded.
+     */
+    async revoke(did) {
+        try {
+            this.logger?.debug("Revoking session", { did });
+            const client = await this.getClient();
+            await client.revoke(did);
+            this.logger?.info("Session revoked", { did });
+        }
+        catch (error) {
+            this.logger?.error("Failed to revoke session", { did, error });
+            throw new AuthenticationError(`Failed to revoke session: ${error instanceof Error ? error.message : String(error)}`, error);
+        }
+    }
+}
+
+/**
+ * Registry for managing and validating AT Protocol lexicon schemas.
+ *
+ * Lexicons are schema definitions that describe the structure of records
+ * in the AT Protocol. This registry allows you to:
+ *
+ * - Register custom lexicons for your application's record types
+ * - Validate records against their lexicon schemas
+ * - Extend the AT Protocol Agent with custom lexicon support
+ *
+ * @remarks
+ * The SDK automatically registers hypercert lexicons when creating a Repository.
+ * You only need to use this class directly if you're working with custom
+ * record types.
+ *
+ * **Lexicon IDs** follow the NSID (Namespaced Identifier) format:
+ * `{authority}.{name}` (e.g., `org.hypercerts.hypercert`)
+ *
+ * @example Registering custom lexicons
+ * ```typescript
+ * const registry = sdk.getLexiconRegistry();
+ *
+ * // Register a single lexicon
+ * registry.register({
+ *   lexicon: 1,
+ *   id: "org.example.myRecord",
+ *   defs: {
+ *     main: {
+ *       type: "record",
+ *       key: "tid",
+ *       record: {
+ *         type: "object",
+ *         required: ["title", "createdAt"],
+ *         properties: {
+ *           title: { type: "string" },
+ *           description: { type: "string" },
+ *           createdAt: { type: "string", format: "datetime" },
+ *         },
+ *       },
+ *     },
+ *   },
+ * });
+ *
+ * // Register multiple lexicons at once
+ * registry.registerMany([lexicon1, lexicon2, lexicon3]);
+ * ```
+ *
+ * @example Validating records
+ * ```typescript
+ * const result = registry.validate("org.example.myRecord", {
+ *   title: "Test",
+ *   createdAt: new Date().toISOString(),
+ * });
+ *
+ * if (!result.valid) {
+ *   console.error(`Validation failed: ${result.error}`);
+ * }
+ * ```
+ *
+ * @see https://atproto.com/specs/lexicon for the Lexicon specification
+ */
+class LexiconRegistry {
+    /**
+     * Creates a new LexiconRegistry.
+     *
+     * The registry starts empty. Use {@link register} or {@link registerMany}
+     * to add lexicons.
+     */
+    constructor() {
+        /** Map of lexicon ID to lexicon document */
+        this.lexicons = new Map();
+        this.lexiconsCollection = new Lexicons();
+    }
+    /**
+     * Registers a single lexicon schema.
+     *
+     * @param lexicon - The lexicon document to register
+     * @throws {@link ValidationError} if the lexicon doesn't have an `id` field
+     *
+     * @remarks
+     * If a lexicon with the same ID is already registered, it will be
+     * replaced with the new definition. This is useful for testing but
+     * should generally be avoided in production.
+     *
+     * @example
+     * ```typescript
+     * registry.register({
+     *   lexicon: 1,
+     *   id: "org.example.post",
+     *   defs: {
+     *     main: {
+     *       type: "record",
+     *       key: "tid",
+     *       record: {
+     *         type: "object",
+     *         required: ["text", "createdAt"],
+     *         properties: {
+     *           text: { type: "string", maxLength: 300 },
+     *           createdAt: { type: "string", format: "datetime" },
+     *         },
+     *       },
+     *     },
+     *   },
+     * });
+     * ```
+     */
+    register(lexicon) {
+        if (!lexicon.id) {
+            throw new ValidationError("Lexicon must have an 'id' field");
+        }
+        // Remove existing lexicon if present (to allow overwriting)
+        if (this.lexicons.has(lexicon.id)) {
+            // Lexicons collection doesn't support removal, so we create a new one
+            // This is a limitation - in practice, lexicons shouldn't be overwritten
+            // But we allow it for testing and flexibility
+            const existingLexicon = this.lexicons.get(lexicon.id);
+            if (existingLexicon) {
+                // Try to remove from collection (may fail if not supported)
+                try {
+                    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                    this.lexiconsCollection.remove?.(lexicon.id);
+                }
+                catch {
+                    // If removal fails, create a new collection
+                    this.lexiconsCollection = new Lexicons();
+                    // Re-register all other lexicons
+                    for (const [id, lex] of this.lexicons.entries()) {
+                        if (id !== lexicon.id) {
+                            this.lexiconsCollection.add(lex);
+                        }
+                    }
+                }
+            }
+        }
+        this.lexicons.set(lexicon.id, lexicon);
+        this.lexiconsCollection.add(lexicon);
+    }
+    /**
+     * Registers multiple lexicons at once.
+     *
+     * @param lexicons - Array of lexicon documents to register
+     *
+     * @example
+     * ```typescript
+     * import { HYPERCERT_LEXICONS } from "@hypercerts-org/sdk/lexicons";
+     *
+     * registry.registerMany(HYPERCERT_LEXICONS);
+     * ```
+     */
+    registerMany(lexicons) {
+        for (const lexicon of lexicons) {
+            this.register(lexicon);
+        }
+    }
+    /**
+     * Gets a lexicon document by ID.
+     *
+     * @param id - The lexicon NSID (e.g., "org.hypercerts.hypercert")
+     * @returns The lexicon document, or `undefined` if not registered
+     *
+     * @example
+     * ```typescript
+     * const lexicon = registry.get("org.hypercerts.hypercert");
+     * if (lexicon) {
+     *   console.log(`Found lexicon: ${lexicon.id}`);
+     * }
+     * ```
+     */
+    get(id) {
+        return this.lexicons.get(id);
+    }
+    /**
+     * Validates a record against a collection's lexicon schema.
+     *
+     * @param collection - The collection NSID (same as lexicon ID)
+     * @param record - The record data to validate
+     * @returns Validation result with `valid` boolean and optional `error` message
+     *
+     * @remarks
+     * - If no lexicon is registered for the collection, validation passes
+     *   (we can't validate against unknown schemas)
+     * - Validation checks required fields and type constraints defined
+     *   in the lexicon schema
+     *
+     * @example
+     * ```typescript
+     * const result = registry.validate("org.hypercerts.hypercert", {
+     *   title: "My Hypercert",
+     *   description: "Description...",
+     *   // ... other fields
+     * });
+     *
+     * if (!result.valid) {
+     *   throw new Error(`Invalid record: ${result.error}`);
+     * }
+     * ```
+     */
+    validate(collection, record) {
+        // Check if we have a lexicon registered for this collection
+        // Collection format is typically "namespace.collection" (e.g., "app.bsky.feed.post")
+        // Lexicon ID format is the same
+        const lexiconId = collection;
+        const lexicon = this.lexicons.get(lexiconId);
+        if (!lexicon) {
+            // No lexicon registered - validation passes (can't validate unknown schemas)
+            return { valid: true };
+        }
+        // Check required fields if the lexicon defines them
+        const recordDef = lexicon.defs?.record;
+        if (recordDef && typeof recordDef === "object" && "record" in recordDef) {
+            const recordSchema = recordDef.record;
+            if (typeof recordSchema === "object" && "required" in recordSchema && Array.isArray(recordSchema.required)) {
+                const recordObj = record;
+                for (const requiredField of recordSchema.required) {
+                    if (typeof requiredField === "string" && !(requiredField in recordObj)) {
+                        return {
+                            valid: false,
+                            error: `Missing required field: ${requiredField}`,
+                        };
+                    }
+                }
+            }
+        }
+        try {
+            this.lexiconsCollection.assertValidRecord(collection, record);
+            return { valid: true };
+        }
+        catch (error) {
+            // If error indicates lexicon not found, treat as validation pass
+            // (the lexicon might exist in Agent's collection but not ours)
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            if (errorMessage.includes("not found") || errorMessage.includes("Lexicon not found")) {
+                return { valid: true };
+            }
+            return {
+                valid: false,
+                error: errorMessage,
+            };
+        }
+    }
+    /**
+     * Adds all registered lexicons to an AT Protocol Agent instance.
+     *
+     * This allows the Agent to understand custom lexicon types when making
+     * API requests.
+     *
+     * @param agent - The Agent instance to extend
+     *
+     * @remarks
+     * This is called automatically when creating a Repository. You typically
+     * don't need to call this directly unless you're using the Agent
+     * independently.
+     *
+     * @internal
+     */
+    addToAgent(agent) {
+        // Access the internal lexicons collection and merge our lexicons
+        // The Agent's lex property is a Lexicons instance
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const agentLex = agent.lex;
+        // Add each registered lexicon to the agent
+        for (const lexicon of this.lexicons.values()) {
+            agentLex.add(lexicon);
+        }
+    }
+    /**
+     * Gets all registered lexicon IDs.
+     *
+     * @returns Array of lexicon NSIDs
+     *
+     * @example
+     * ```typescript
+     * const ids = registry.getRegisteredIds();
+     * console.log(`Registered lexicons: ${ids.join(", ")}`);
+     * ```
+     */
+    getRegisteredIds() {
+        return Array.from(this.lexicons.keys());
+    }
+    /**
+     * Checks if a lexicon is registered.
+     *
+     * @param id - The lexicon NSID to check
+     * @returns `true` if the lexicon is registered
+     *
+     * @example
+     * ```typescript
+     * if (registry.has("org.hypercerts.hypercert")) {
+     *   // Hypercert lexicon is available
+     * }
+     * ```
+     */
+    has(id) {
+        return this.lexicons.has(id);
+    }
+}
+
+/**
+ * RecordOperationsImpl - Low-level record CRUD operations.
+ *
+ * This module provides the implementation for direct AT Protocol
+ * record operations (create, read, update, delete, list).
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of low-level AT Protocol record operations.
+ *
+ * This class provides direct access to the AT Protocol repository API
+ * for CRUD operations on records. It handles:
+ *
+ * - Lexicon validation before create/update operations
+ * - Error mapping to SDK error types
+ * - Response normalization
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.records}.
+ *
+ * All operations are performed against the repository DID specified
+ * at construction time. To operate on a different repository, create
+ * a new Repository instance using {@link Repository.repo}.
+ *
+ * @example
+ * ```typescript
+ * // Access through Repository
+ * const repo = sdk.repository(session);
+ *
+ * // Create a record
+ * const { uri, cid } = await repo.records.create({
+ *   collection: "org.example.myRecord",
+ *   record: { title: "Hello", createdAt: new Date().toISOString() },
+ * });
+ *
+ * // Update the record
+ * const rkey = uri.split("/").pop()!;
+ * await repo.records.update({
+ *   collection: "org.example.myRecord",
+ *   rkey,
+ *   record: { title: "Updated", createdAt: new Date().toISOString() },
+ * });
+ * ```
+ *
+ * @internal
+ */
+class RecordOperationsImpl {
+    /**
+     * Creates a new RecordOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository to operate on
+     * @param lexiconRegistry - Registry for record validation
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, lexiconRegistry) {
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this.lexiconRegistry = lexiconRegistry;
+    }
+    /**
+     * Creates a new record in the specified collection.
+     *
+     * @param params - Creation parameters
+     * @param params.collection - NSID of the collection (e.g., "org.hypercerts.hypercert")
+     * @param params.record - Record data conforming to the collection's lexicon schema
+     * @param params.rkey - Optional record key. If not provided, a TID (timestamp-based ID)
+     *                      is automatically generated by the server.
+     * @returns Promise resolving to the created record's URI and CID
+     * @throws {@link ValidationError} if the record doesn't conform to the lexicon schema
+     * @throws {@link NetworkError} if the API request fails
+     *
+     * @remarks
+     * The record is validated against the collection's lexicon before sending
+     * to the server. If no lexicon is registered for the collection, validation
+     * is skipped (allowing custom record types).
+     *
+     * **AT-URI Format**: `at://{did}/{collection}/{rkey}`
+     *
+     * @example
+     * ```typescript
+     * const result = await repo.records.create({
+     *   collection: "org.hypercerts.hypercert",
+     *   record: {
+     *     title: "My Hypercert",
+     *     description: "...",
+     *     createdAt: new Date().toISOString(),
+     *   },
+     * });
+     * console.log(`Created: ${result.uri}`);
+     * // Output: Created: at://did:plc:abc123/org.hypercerts.hypercert/xyz789
+     * ```
+     */
+    async create(params) {
+        const validation = this.lexiconRegistry.validate(params.collection, params.record);
+        if (!validation.valid) {
+            throw new ValidationError(`Invalid record for collection ${params.collection}: ${validation.error}`);
+        }
+        try {
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                record: params.record,
+                rkey: params.rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create record");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to create record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Updates an existing record (full replacement).
+     *
+     * @param params - Update parameters
+     * @param params.collection - NSID of the collection
+     * @param params.rkey - Record key (the last segment of the AT-URI)
+     * @param params.record - New record data (completely replaces existing record)
+     * @returns Promise resolving to the updated record's URI and new CID
+     * @throws {@link ValidationError} if the record doesn't conform to the lexicon schema
+     * @throws {@link NetworkError} if the API request fails
+     *
+     * @remarks
+     * This is a full replacement operation, not a partial update. The entire
+     * record is replaced with the new data. To preserve existing fields,
+     * first fetch the record with {@link get}, modify it, then update.
+     *
+     * @example
+     * ```typescript
+     * // Get existing record
+     * const existing = await repo.records.get({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     * });
+     *
+     * // Update with modified data
+     * const updated = await repo.records.update({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     *   record: {
+     *     ...existing.value,
+     *     title: "Updated Title",
+     *   },
+     * });
+     * ```
+     */
+    async update(params) {
+        const validation = this.lexiconRegistry.validate(params.collection, params.record);
+        if (!validation.valid) {
+            throw new ValidationError(`Invalid record for collection ${params.collection}: ${validation.error}`);
+        }
+        try {
+            const result = await this.agent.com.atproto.repo.putRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                rkey: params.rkey,
+                record: params.record,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to update record");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to update record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Gets a single record by collection and key.
+     *
+     * @param params - Get parameters
+     * @param params.collection - NSID of the collection
+     * @param params.rkey - Record key
+     * @returns Promise resolving to the record's URI, CID, and value
+     * @throws {@link NetworkError} if the record is not found or request fails
+     *
+     * @example
+     * ```typescript
+     * const record = await repo.records.get({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     * });
+     *
+     * console.log(record.uri);    // at://did:plc:abc123/org.hypercerts.hypercert/xyz789
+     * console.log(record.cid);    // bafyrei...
+     * console.log(record.value);  // { title: "...", description: "...", ... }
+     * ```
+     */
+    async get(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                rkey: params.rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get record");
+            }
+            return { uri: result.data.uri, cid: result.data.cid ?? "", value: result.data.value };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Lists records in a collection with pagination.
+     *
+     * @param params - List parameters
+     * @param params.collection - NSID of the collection
+     * @param params.limit - Maximum number of records to return (server may impose its own limit)
+     * @param params.cursor - Pagination cursor from a previous response
+     * @returns Promise resolving to paginated list of records
+     * @throws {@link NetworkError} if the request fails
+     *
+     * @remarks
+     * Records are returned in reverse chronological order (newest first).
+     * Use the `cursor` from the response to fetch subsequent pages.
+     *
+     * @example Paginating through all records
+     * ```typescript
+     * let cursor: string | undefined;
+     * const allRecords = [];
+     *
+     * do {
+     *   const page = await repo.records.list({
+     *     collection: "org.hypercerts.hypercert",
+     *     limit: 100,
+     *     cursor,
+     *   });
+     *   allRecords.push(...page.records);
+     *   cursor = page.cursor;
+     * } while (cursor);
+     *
+     * console.log(`Total records: ${allRecords.length}`);
+     * ```
+     */
+    async list(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.listRecords({
+                repo: this.repoDid,
+                collection: params.collection,
+                limit: params.limit,
+                cursor: params.cursor,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to list records");
+            }
+            return {
+                records: result.data.records?.map((r) => ({ uri: r.uri, cid: r.cid, value: r.value })) || [],
+                cursor: result.data.cursor ?? undefined,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to list records: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Deletes a record from a collection.
+     *
+     * @param params - Delete parameters
+     * @param params.collection - NSID of the collection
+     * @param params.rkey - Record key to delete
+     * @throws {@link NetworkError} if the deletion fails
+     *
+     * @remarks
+     * Deletion is permanent. The record's AT-URI cannot be reused (the same
+     * rkey can be used for a new record, but it will have a different CID).
+     *
+     * @example
+     * ```typescript
+     * await repo.records.delete({
+     *   collection: "org.hypercerts.hypercert",
+     *   rkey: "xyz789",
+     * });
+     * ```
+     */
+    async delete(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.deleteRecord({
+                repo: this.repoDid,
+                collection: params.collection,
+                rkey: params.rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to delete record");
+            }
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to delete record: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+}
+
+/**
+ * BlobOperationsImpl - Blob upload and retrieval operations.
+ *
+ * This module provides the implementation for AT Protocol blob operations,
+ * handling binary data like images and files.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of blob operations for binary data handling.
+ *
+ * Blobs in AT Protocol are content-addressed binary objects stored
+ * separately from records. They are referenced in records using a
+ * blob reference object with a CID ($link).
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.blobs}.
+ *
+ * **Blob Size Limits**: PDS servers typically impose size limits on blobs.
+ * Common limits are:
+ * - Images: 1MB
+ * - Other files: Varies by server configuration
+ *
+ * **Supported MIME Types**: Any MIME type is technically supported, but
+ * servers may reject certain types. Images (JPEG, PNG, GIF, WebP) are
+ * universally supported.
+ *
+ * @example
+ * ```typescript
+ * // Upload an image blob
+ * const imageBlob = new Blob([imageData], { type: "image/jpeg" });
+ * const { ref, mimeType, size } = await repo.blobs.upload(imageBlob);
+ *
+ * // Use the ref in a record
+ * await repo.records.create({
+ *   collection: "org.example.post",
+ *   record: {
+ *     text: "Check out this image!",
+ *     image: ref,  // { $link: "bafyrei..." }
+ *     createdAt: new Date().toISOString(),
+ *   },
+ * });
+ * ```
+ *
+ * @internal
+ */
+class BlobOperationsImpl {
+    /**
+     * Creates a new BlobOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository (used for blob retrieval)
+     * @param _serverUrl - Server URL (reserved for future use)
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, _serverUrl) {
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this._serverUrl = _serverUrl;
+    }
+    /**
+     * Uploads a blob to the server.
+     *
+     * @param blob - The blob to upload (File or Blob object)
+     * @returns Promise resolving to blob reference and metadata
+     * @throws {@link NetworkError} if the upload fails
+     *
+     * @remarks
+     * The returned `ref` object should be used directly in records to
+     * reference the blob. The `$link` property contains the blob's CID.
+     *
+     * **MIME Type Detection**: If the blob has no type, it defaults to
+     * `application/octet-stream`. For best results, always specify the
+     * correct MIME type when creating the Blob.
+     *
+     * @example Uploading an image
+     * ```typescript
+     * // From a File input
+     * const file = fileInput.files[0];
+     * const { ref } = await repo.blobs.upload(file);
+     *
+     * // From raw data
+     * const imageBlob = new Blob([uint8Array], { type: "image/png" });
+     * const { ref, mimeType, size } = await repo.blobs.upload(imageBlob);
+     *
+     * console.log(`Uploaded ${size} bytes of ${mimeType}`);
+     * console.log(`CID: ${ref.$link}`);
+     * ```
+     *
+     * @example Using in a hypercert
+     * ```typescript
+     * const coverImage = new Blob([imageData], { type: "image/jpeg" });
+     * const { ref } = await repo.blobs.upload(coverImage);
+     *
+     * // The ref is used directly in the record
+     * await repo.hypercerts.create({
+     *   title: "My Hypercert",
+     *   // ... other fields
+     *   image: coverImage,  // HypercertOperations handles upload internally
+     * });
+     * ```
+     */
+    async upload(blob) {
+        try {
+            const arrayBuffer = await blob.arrayBuffer();
+            const uint8Array = new Uint8Array(arrayBuffer);
+            const result = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                encoding: blob.type || "application/octet-stream",
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to upload blob");
+            }
+            return {
+                ref: result.data.blob.ref,
+                mimeType: result.data.blob.mimeType,
+                size: result.data.blob.size,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to upload blob: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Retrieves a blob by its CID.
+     *
+     * @param cid - Content Identifier (CID) of the blob, typically from a blob
+     *              reference's `$link` property
+     * @returns Promise resolving to blob data and MIME type
+     * @throws {@link NetworkError} if the blob is not found or retrieval fails
+     *
+     * @remarks
+     * The returned data is a Uint8Array which can be converted to other
+     * formats as needed (Blob, ArrayBuffer, Base64, etc.).
+     *
+     * **MIME Type**: The returned MIME type comes from the Content-Type header.
+     * If the server doesn't provide one, it defaults to `application/octet-stream`.
+     *
+     * @example Basic retrieval
+     * ```typescript
+     * // Get a blob from a record's blob reference
+     * const record = await repo.records.get({ collection, rkey });
+     * const blobRef = (record.value as any).image;
+     *
+     * const { data, mimeType } = await repo.blobs.get(blobRef.$link);
+     *
+     * // Convert to a Blob for use in the browser
+     * const blob = new Blob([data], { type: mimeType });
+     * const url = URL.createObjectURL(blob);
+     * ```
+     *
+     * @example Displaying an image
+     * ```typescript
+     * const { data, mimeType } = await repo.blobs.get(imageCid);
+     *
+     * // Create data URL for <img> src
+     * const base64 = btoa(String.fromCharCode(...data));
+     * const dataUrl = `data:${mimeType};base64,${base64}`;
+     *
+     * // Or use object URL
+     * const blob = new Blob([data], { type: mimeType });
+     * img.src = URL.createObjectURL(blob);
+     * ```
+     */
+    async get(cid) {
+        try {
+            const result = await this.agent.com.atproto.sync.getBlob({
+                did: this.repoDid,
+                cid,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get blob");
+            }
+            return {
+                data: result.data,
+                mimeType: result.headers["content-type"] || "application/octet-stream",
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get blob: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+}
+
+/**
+ * ProfileOperationsImpl - User profile operations.
+ *
+ * This module provides the implementation for AT Protocol profile
+ * management, including fetching and updating user profiles.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of profile operations for user profile management.
+ *
+ * Profiles in AT Protocol are stored as records in the `app.bsky.actor.profile`
+ * collection with the special rkey "self". This class provides a convenient
+ * API for reading and updating profile data.
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.profile}.
+ *
+ * **Profile Fields**:
+ * - `handle`: Read-only, managed by the PDS
+ * - `displayName`: User's display name (max 64 chars typically)
+ * - `description`: Profile bio (max 256 chars typically)
+ * - `avatar`: Profile picture blob reference
+ * - `banner`: Banner image blob reference
+ * - `website`: User's website URL (may not be available on all servers)
+ *
+ * @example
+ * ```typescript
+ * // Get profile
+ * const profile = await repo.profile.get();
+ * console.log(`${profile.displayName} (@${profile.handle})`);
+ *
+ * // Update profile
+ * await repo.profile.update({
+ *   displayName: "New Name",
+ *   description: "Updated bio",
+ * });
+ *
+ * // Update with new avatar
+ * const avatarBlob = new Blob([imageData], { type: "image/png" });
+ * await repo.profile.update({ avatar: avatarBlob });
+ *
+ * // Remove a field
+ * await repo.profile.update({ website: null });
+ * ```
+ *
+ * @internal
+ */
+class ProfileOperationsImpl {
+    /**
+     * Creates a new ProfileOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository/user
+     * @param _serverUrl - Server URL (reserved for future use)
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, _serverUrl) {
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this._serverUrl = _serverUrl;
+    }
+    /**
+     * Gets the repository's profile.
+     *
+     * @returns Promise resolving to profile data
+     * @throws {@link NetworkError} if the profile cannot be fetched
+     *
+     * @remarks
+     * This method fetches the full profile using the `getProfile` API,
+     * which includes resolved information like follower counts on some
+     * servers. For hypercerts SDK usage, the basic profile fields are
+     * returned.
+     *
+     * **Note**: The `website` field may not be available on all AT Protocol
+     * servers. Standard Bluesky profiles don't include this field.
+     *
+     * @example
+     * ```typescript
+     * const profile = await repo.profile.get();
+     *
+     * console.log(`Handle: @${profile.handle}`);
+     * console.log(`Name: ${profile.displayName || "(not set)"}`);
+     * console.log(`Bio: ${profile.description || "(no bio)"}`);
+     *
+     * if (profile.avatar) {
+     *   // Avatar is a URL or blob reference
+     *   console.log(`Avatar: ${profile.avatar}`);
+     * }
+     * ```
+     */
+    async get() {
+        try {
+            const result = await this.agent.getProfile({ actor: this.repoDid });
+            if (!result.success) {
+                throw new NetworkError("Failed to get profile");
+            }
+            return {
+                handle: result.data.handle,
+                displayName: result.data.displayName,
+                description: result.data.description,
+                avatar: result.data.avatar,
+                banner: result.data.banner,
+                // Note: website may not be available in standard profile
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get profile: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+    /**
+     * Updates the repository's profile.
+     *
+     * @param params - Fields to update. Pass `null` to remove a field.
+     *                 Omitted fields are preserved from the existing profile.
+     * @returns Promise resolving to update result with new URI and CID
+     * @throws {@link NetworkError} if the update fails
+     *
+     * @remarks
+     * This method performs a read-modify-write operation:
+     * 1. Fetches the existing profile record
+     * 2. Merges in the provided updates
+     * 3. Writes the updated profile back
+     *
+     * **Image Handling**: When providing `avatar` or `banner` as a Blob,
+     * the image is automatically uploaded and the blob reference is stored
+     * in the profile.
+     *
+     * **Field Removal**: Pass `null` to explicitly remove a field. Omitting
+     * a field (not including it in params) preserves the existing value.
+     *
+     * @example Update display name and bio
+     * ```typescript
+     * await repo.profile.update({
+     *   displayName: "Alice",
+     *   description: "Building impact certificates",
+     * });
+     * ```
+     *
+     * @example Update avatar image
+     * ```typescript
+     * // From a file input
+     * const file = document.getElementById("avatar").files[0];
+     * await repo.profile.update({ avatar: file });
+     *
+     * // From raw data
+     * const response = await fetch("https://example.com/my-avatar.png");
+     * const blob = await response.blob();
+     * await repo.profile.update({ avatar: blob });
+     * ```
+     *
+     * @example Remove description
+     * ```typescript
+     * // Removes the description field entirely
+     * await repo.profile.update({ description: null });
+     * ```
+     *
+     * @example Multiple updates at once
+     * ```typescript
+     * const newAvatar = new Blob([avatarData], { type: "image/png" });
+     * const newBanner = new Blob([bannerData], { type: "image/jpeg" });
+     *
+     * await repo.profile.update({
+     *   displayName: "New Name",
+     *   description: "New bio",
+     *   avatar: newAvatar,
+     *   banner: newBanner,
+     * });
+     * ```
+     */
+    async update(params) {
+        try {
+            // Get existing profile record
+            const existing = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection: "app.bsky.actor.profile",
+                rkey: "self",
+            });
+            const existingProfile = existing.data.value || {};
+            // Build updated profile
+            const updatedProfile = { ...existingProfile };
+            if (params.displayName !== undefined) {
+                if (params.displayName === null) {
+                    delete updatedProfile.displayName;
+                }
+                else {
+                    updatedProfile.displayName = params.displayName;
+                }
+            }
+            if (params.description !== undefined) {
+                if (params.description === null) {
+                    delete updatedProfile.description;
+                }
+                else {
+                    updatedProfile.description = params.description;
+                }
+            }
+            // Handle avatar upload
+            if (params.avatar !== undefined) {
+                if (params.avatar === null) {
+                    delete updatedProfile.avatar;
+                }
+                else {
+                    const arrayBuffer = await params.avatar.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.avatar.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        updatedProfile.avatar = uploadResult.data.blob;
+                    }
+                }
+            }
+            // Handle banner upload
+            if (params.banner !== undefined) {
+                if (params.banner === null) {
+                    delete updatedProfile.banner;
+                }
+                else {
+                    const arrayBuffer = await params.banner.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.banner.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        updatedProfile.banner = uploadResult.data.blob;
+                    }
+                }
+            }
+            const result = await this.agent.com.atproto.repo.putRecord({
+                repo: this.repoDid,
+                collection: "app.bsky.actor.profile",
+                rkey: "self",
+                record: updatedProfile,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to update profile");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to update profile: ${error instanceof Error ? error.message : "Unknown error"}`, error);
+        }
+    }
+}
+
+/**
+ * HypercertOperationsImpl - High-level hypercert operations.
+ *
+ * This module provides the implementation for creating and managing
+ * hypercerts, including related records like rights, locations,
+ * contributions, measurements, and evaluations.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of high-level hypercert operations.
+ *
+ * This class provides a convenient API for creating and managing hypercerts
+ * with automatic handling of:
+ *
+ * - Image upload and blob reference management
+ * - Rights record creation and linking
+ * - Location attachment with optional GeoJSON support
+ * - Contribution tracking
+ * - Measurement and evaluation records
+ * - Hypercert collections
+ *
+ * The class extends EventEmitter to provide real-time progress notifications
+ * during complex operations.
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.hypercerts}.
+ *
+ * **Record Relationships**:
+ * - Hypercert → Rights (required, 1:1)
+ * - Hypercert → Location (optional, 1:many)
+ * - Hypercert → Contribution (optional, 1:many)
+ * - Hypercert → Measurement (optional, 1:many)
+ * - Hypercert → Evaluation (optional, 1:many)
+ * - Collection → Hypercerts (1:many via claims array)
+ *
+ * @example Creating a hypercert with progress tracking
+ * ```typescript
+ * repo.hypercerts.on("recordCreated", ({ uri }) => {
+ *   console.log(`Hypercert created: ${uri}`);
+ * });
+ *
+ * const result = await repo.hypercerts.create({
+ *   title: "Climate Impact",
+ *   description: "Reduced emissions by 100 tons",
+ *   workScope: "Climate",
+ *   workTimeframeFrom: "2024-01-01",
+ *   workTimeframeTo: "2024-12-31",
+ *   rights: { name: "CC-BY", type: "license", description: "..." },
+ *   onProgress: (step) => console.log(`${step.name}: ${step.status}`),
+ * });
+ * ```
+ *
+ * @internal
+ */
+class HypercertOperationsImpl extends EventEmitter {
+    /**
+     * Creates a new HypercertOperationsImpl.
+     *
+     * @param agent - AT Protocol Agent for making API calls
+     * @param repoDid - DID of the repository to operate on
+     * @param _serverUrl - Server URL (reserved for future use)
+     * @param lexiconRegistry - Registry for record validation
+     * @param logger - Optional logger for debugging
+     *
+     * @internal
+     */
+    constructor(agent, repoDid, _serverUrl, lexiconRegistry, logger) {
+        super();
+        this.agent = agent;
+        this.repoDid = repoDid;
+        this._serverUrl = _serverUrl;
+        this.lexiconRegistry = lexiconRegistry;
+        this.logger = logger;
+    }
+    /**
+     * Emits a progress event to the optional progress handler.
+     *
+     * @param onProgress - Progress callback from create params
+     * @param step - Progress step information
+     * @internal
+     */
+    emitProgress(onProgress, step) {
+        if (onProgress) {
+            try {
+                onProgress(step);
+            }
+            catch (err) {
+                this.logger?.error(`Error in progress handler: ${err instanceof Error ? err.message : "Unknown"}`);
+            }
+        }
+    }
+    /**
+     * Creates a new hypercert with all related records.
+     *
+     * This method orchestrates the creation of a hypercert and its associated
+     * records in the correct order:
+     *
+     * 1. Upload image (if provided)
+     * 2. Create rights record
+     * 3. Create hypercert record (referencing rights)
+     * 4. Attach location (if provided)
+     * 5. Create contributions (if provided)
+     *
+     * @param params - Creation parameters (see {@link CreateHypercertParams})
+     * @returns Promise resolving to URIs and CIDs of all created records
+     * @throws {@link ValidationError} if any record fails validation
+     * @throws {@link NetworkError} if any API call fails
+     *
+     * @remarks
+     * The operation is not atomic - if a later step fails, earlier records
+     * will still exist. The result object will contain URIs for all
+     * successfully created records.
+     *
+     * **Progress Steps**:
+     * - `uploadImage`: Image blob upload
+     * - `createRights`: Rights record creation
+     * - `createHypercert`: Main hypercert record creation
+     * - `attachLocation`: Location record creation
+     * - `createContributions`: Contribution records creation
+     *
+     * @example Minimal hypercert
+     * ```typescript
+     * const result = await repo.hypercerts.create({
+     *   title: "My Impact",
+     *   description: "Description of impact work",
+     *   workScope: "Education",
+     *   workTimeframeFrom: "2024-01-01",
+     *   workTimeframeTo: "2024-06-30",
+     *   rights: {
+     *     name: "Attribution",
+     *     type: "license",
+     *     description: "CC-BY-4.0",
+     *   },
+     * });
+     * ```
+     *
+     * @example Full hypercert with all options
+     * ```typescript
+     * const result = await repo.hypercerts.create({
+     *   title: "Reforestation Project",
+     *   description: "Planted 10,000 trees...",
+     *   shortDescription: "10K trees planted",
+     *   workScope: "Environment",
+     *   workTimeframeFrom: "2024-01-01",
+     *   workTimeframeTo: "2024-12-31",
+     *   rights: { name: "Open", type: "impact", description: "..." },
+     *   image: coverImageBlob,
+     *   location: { value: "Amazon, Brazil", name: "Amazon Basin" },
+     *   contributions: [
+     *     { contributors: ["did:plc:org1"], role: "coordinator" },
+     *     { contributors: ["did:plc:org2"], role: "implementer" },
+     *   ],
+     *   evidence: [{ uri: "https://...", description: "Satellite data" }],
+     *   onProgress: console.log,
+     * });
+     * ```
+     */
+    async create(params) {
+        const createdAt = new Date().toISOString();
+        const result = {
+            hypercertUri: "",
+            rightsUri: "",
+            hypercertCid: "",
+            rightsCid: "",
+        };
+        try {
+            // Step 1: Upload image if provided
+            let imageBlobRef;
+            if (params.image) {
+                this.emitProgress(params.onProgress, { name: "uploadImage", status: "start" });
+                try {
+                    const arrayBuffer = await params.image.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.image.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        imageBlobRef = {
+                            $type: "blob",
+                            ref: uploadResult.data.blob.ref,
+                            mimeType: uploadResult.data.blob.mimeType,
+                            size: uploadResult.data.blob.size,
+                        };
+                    }
+                    this.emitProgress(params.onProgress, {
+                        name: "uploadImage",
+                        status: "success",
+                        data: { size: params.image.size },
+                    });
+                }
+                catch (error) {
+                    this.emitProgress(params.onProgress, { name: "uploadImage", status: "error", error: error });
+                    throw new NetworkError(`Failed to upload image: ${error instanceof Error ? error.message : "Unknown"}`, error);
+                }
+            }
+            // Step 2: Create rights record
+            this.emitProgress(params.onProgress, { name: "createRights", status: "start" });
+            const rightsRecord = {
+                rightsName: params.rights.name,
+                rightsType: params.rights.type,
+                rightsDescription: params.rights.description,
+                createdAt,
+            };
+            const rightsValidation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.RIGHTS, rightsRecord);
+            if (!rightsValidation.valid) {
+                throw new ValidationError(`Invalid rights record: ${rightsValidation.error}`);
+            }
+            const rightsResult = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.RIGHTS,
+                record: rightsRecord,
+            });
+            if (!rightsResult.success) {
+                throw new NetworkError("Failed to create rights record");
+            }
+            result.rightsUri = rightsResult.data.uri;
+            result.rightsCid = rightsResult.data.cid;
+            this.emit("rightsCreated", { uri: result.rightsUri, cid: result.rightsCid });
+            this.emitProgress(params.onProgress, {
+                name: "createRights",
+                status: "success",
+                data: { uri: result.rightsUri },
+            });
+            // Step 3: Create hypercert record
+            this.emitProgress(params.onProgress, { name: "createHypercert", status: "start" });
+            const hypercertRecord = {
+                title: params.title,
+                description: params.description,
+                workScope: params.workScope,
+                workTimeframeFrom: params.workTimeframeFrom,
+                workTimeframeTo: params.workTimeframeTo,
+                rights: { uri: result.rightsUri, cid: result.rightsCid },
+                createdAt,
+            };
+            if (params.shortDescription) {
+                hypercertRecord.shortDescription = params.shortDescription;
+            }
+            if (imageBlobRef) {
+                hypercertRecord.image = imageBlobRef;
+            }
+            if (params.evidence && params.evidence.length > 0) {
+                hypercertRecord.evidence = params.evidence;
+            }
+            const hypercertValidation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.CLAIM, hypercertRecord);
+            if (!hypercertValidation.valid) {
+                throw new ValidationError(`Invalid hypercert record: ${hypercertValidation.error}`);
+            }
+            const hypercertResult = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.CLAIM,
+                record: hypercertRecord,
+            });
+            if (!hypercertResult.success) {
+                throw new NetworkError("Failed to create hypercert record");
+            }
+            result.hypercertUri = hypercertResult.data.uri;
+            result.hypercertCid = hypercertResult.data.cid;
+            this.emit("recordCreated", { uri: result.hypercertUri, cid: result.hypercertCid });
+            this.emitProgress(params.onProgress, {
+                name: "createHypercert",
+                status: "success",
+                data: { uri: result.hypercertUri },
+            });
+            // Step 4: Attach location if provided
+            if (params.location) {
+                this.emitProgress(params.onProgress, { name: "attachLocation", status: "start" });
+                try {
+                    const locationResult = await this.attachLocation(result.hypercertUri, params.location);
+                    result.locationUri = locationResult.uri;
+                    this.emitProgress(params.onProgress, {
+                        name: "attachLocation",
+                        status: "success",
+                        data: { uri: result.locationUri },
+                    });
+                }
+                catch (error) {
+                    this.emitProgress(params.onProgress, { name: "attachLocation", status: "error", error: error });
+                    this.logger?.warn(`Failed to attach location: ${error instanceof Error ? error.message : "Unknown"}`);
+                }
+            }
+            // Step 5: Create contributions if provided
+            if (params.contributions && params.contributions.length > 0) {
+                this.emitProgress(params.onProgress, { name: "createContributions", status: "start" });
+                result.contributionUris = [];
+                try {
+                    for (const contrib of params.contributions) {
+                        const contribResult = await this.addContribution({
+                            hypercertUri: result.hypercertUri,
+                            contributors: contrib.contributors,
+                            role: contrib.role,
+                            description: contrib.description,
+                        });
+                        result.contributionUris.push(contribResult.uri);
+                    }
+                    this.emitProgress(params.onProgress, {
+                        name: "createContributions",
+                        status: "success",
+                        data: { count: result.contributionUris.length },
+                    });
+                }
+                catch (error) {
+                    this.emitProgress(params.onProgress, { name: "createContributions", status: "error", error: error });
+                    this.logger?.warn(`Failed to create contributions: ${error instanceof Error ? error.message : "Unknown"}`);
+                }
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to create hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Updates an existing hypercert record.
+     *
+     * @param params - Update parameters
+     * @param params.uri - AT-URI of the hypercert to update
+     * @param params.updates - Partial record with fields to update
+     * @param params.image - New image blob, `null` to remove, `undefined` to keep existing
+     * @returns Promise resolving to update result
+     * @throws {@link ValidationError} if the URI format is invalid or record fails validation
+     * @throws {@link NetworkError} if the update fails
+     *
+     * @remarks
+     * This is a partial update - only specified fields are changed.
+     * The `createdAt` and `rights` fields cannot be changed.
+     *
+     * @example Update title and description
+     * ```typescript
+     * await repo.hypercerts.update({
+     *   uri: "at://did:plc:abc/org.hypercerts.hypercert/xyz",
+     *   updates: {
+     *     title: "Updated Title",
+     *     description: "New description",
+     *   },
+     * });
+     * ```
+     *
+     * @example Update with new image
+     * ```typescript
+     * await repo.hypercerts.update({
+     *   uri: hypercertUri,
+     *   updates: { title: "New Title" },
+     *   image: newImageBlob,
+     * });
+     * ```
+     *
+     * @example Remove image
+     * ```typescript
+     * await repo.hypercerts.update({
+     *   uri: hypercertUri,
+     *   updates: {},
+     *   image: null,  // Explicitly remove image
+     * });
+     * ```
+     */
+    async update(params) {
+        try {
+            const uriMatch = params.uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${params.uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const existing = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            // The existing record comes from ATProto, use it directly
+            // TypeScript ensures type safety through the HypercertClaim interface
+            const existingRecord = existing.data.value;
+            const recordForUpdate = {
+                ...existingRecord,
+                ...params.updates,
+                createdAt: existingRecord.createdAt,
+                rights: existingRecord.rights,
+            };
+            // Handle image update
+            delete recordForUpdate.image;
+            if (params.image !== undefined) {
+                if (params.image === null) {
+                    // Remove image
+                }
+                else {
+                    const arrayBuffer = await params.image.arrayBuffer();
+                    const uint8Array = new Uint8Array(arrayBuffer);
+                    const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                        encoding: params.image.type || "image/jpeg",
+                    });
+                    if (uploadResult.success) {
+                        recordForUpdate.image = {
+                            $type: "blob",
+                            ref: uploadResult.data.blob.ref,
+                            mimeType: uploadResult.data.blob.mimeType,
+                            size: uploadResult.data.blob.size,
+                        };
+                    }
+                }
+            }
+            else if (existingRecord.image) {
+                // Preserve existing image
+                recordForUpdate.image = existingRecord.image;
+            }
+            const validation = this.lexiconRegistry.validate(collection, recordForUpdate);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid hypercert record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.putRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+                record: recordForUpdate,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to update hypercert");
+            }
+            this.emit("recordUpdated", { uri: result.data.uri, cid: result.data.cid });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to update hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Gets a hypercert by its AT-URI.
+     *
+     * @param uri - AT-URI of the hypercert (e.g., "at://did:plc:abc/org.hypercerts.hypercert/xyz")
+     * @returns Promise resolving to hypercert URI, CID, and parsed record
+     * @throws {@link ValidationError} if the URI format is invalid or record doesn't match schema
+     * @throws {@link NetworkError} if the record cannot be fetched
+     *
+     * @example
+     * ```typescript
+     * const { uri, cid, record } = await repo.hypercerts.get(hypercertUri);
+     * console.log(`${record.title}: ${record.description}`);
+     * ```
+     */
+    async get(uri) {
+        try {
+            const uriMatch = uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const result = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get hypercert");
+            }
+            // Validate with lexicon registry (more lenient - doesn't require $type)
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.CLAIM, result.data.value);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid hypercert record format: ${validation.error}`);
+            }
+            return {
+                uri: result.data.uri,
+                cid: result.data.cid ?? "",
+                record: result.data.value,
+            };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Lists hypercerts in the repository with pagination.
+     *
+     * @param params - Optional pagination parameters
+     * @returns Promise resolving to paginated list of hypercerts
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @example
+     * ```typescript
+     * // Get first page
+     * const { records, cursor } = await repo.hypercerts.list({ limit: 20 });
+     *
+     * // Get next page
+     * if (cursor) {
+     *   const nextPage = await repo.hypercerts.list({ limit: 20, cursor });
+     * }
+     * ```
+     */
+    async list(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.listRecords({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.CLAIM,
+                limit: params?.limit,
+                cursor: params?.cursor,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to list hypercerts");
+            }
+            return {
+                records: result.data.records?.map((r) => ({
+                    uri: r.uri,
+                    cid: r.cid,
+                    record: r.value,
+                })) || [],
+                cursor: result.data.cursor ?? undefined,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to list hypercerts: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Deletes a hypercert record.
+     *
+     * @param uri - AT-URI of the hypercert to delete
+     * @throws {@link ValidationError} if the URI format is invalid
+     * @throws {@link NetworkError} if the deletion fails
+     *
+     * @remarks
+     * This only deletes the hypercert record itself. Related records
+     * (rights, locations, contributions) are not automatically deleted.
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.delete(hypercertUri);
+     * ```
+     */
+    async delete(uri) {
+        try {
+            const uriMatch = uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const result = await this.agent.com.atproto.repo.deleteRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to delete hypercert");
+            }
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to delete hypercert: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Attaches a location to an existing hypercert.
+     *
+     * @param hypercertUri - AT-URI of the hypercert to attach location to
+     * @param location - Location data
+     * @param location.value - Location value (address, coordinates, or description)
+     * @param location.name - Optional human-readable name
+     * @param location.description - Optional description
+     * @param location.srs - Spatial Reference System (e.g., "EPSG:4326")
+     * @param location.geojson - Optional GeoJSON blob for precise boundaries
+     * @returns Promise resolving to location record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example Simple location
+     * ```typescript
+     * await repo.hypercerts.attachLocation(hypercertUri, {
+     *   value: "San Francisco, CA",
+     *   name: "SF Bay Area",
+     * });
+     * ```
+     *
+     * @example Location with GeoJSON
+     * ```typescript
+     * const geojsonBlob = new Blob([JSON.stringify(geojson)], {
+     *   type: "application/geo+json"
+     * });
+     *
+     * await repo.hypercerts.attachLocation(hypercertUri, {
+     *   value: "Custom Region",
+     *   srs: "EPSG:4326",
+     *   geojson: geojsonBlob,
+     * });
+     * ```
+     */
+    async attachLocation(hypercertUri, location) {
+        try {
+            // Get hypercert to get CID
+            const hypercert = await this.get(hypercertUri);
+            const createdAt = new Date().toISOString();
+            let locationValue = location.value;
+            if (location.geojson) {
+                const arrayBuffer = await location.geojson.arrayBuffer();
+                const uint8Array = new Uint8Array(arrayBuffer);
+                const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                    encoding: location.geojson.type || "application/geo+json",
+                });
+                if (uploadResult.success) {
+                    locationValue = {
+                        $type: "blob",
+                        ref: uploadResult.data.blob.ref,
+                        mimeType: uploadResult.data.blob.mimeType,
+                        size: uploadResult.data.blob.size,
+                    };
+                }
+            }
+            const locationRecord = {
+                hypercert: { uri: hypercert.uri, cid: hypercert.cid },
+                value: locationValue,
+                createdAt,
+                name: location.name,
+                description: location.description,
+                srs: location.srs,
+            };
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.LOCATION, locationRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid location record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.LOCATION,
+                record: locationRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to attach location");
+            }
+            this.emit("locationAttached", { uri: result.data.uri, cid: result.data.cid, hypercertUri });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to attach location: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Adds evidence to an existing hypercert.
+     *
+     * @param hypercertUri - AT-URI of the hypercert
+     * @param evidence - Array of evidence items to add
+     * @returns Promise resolving to update result
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @remarks
+     * Evidence is appended to existing evidence, not replaced.
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addEvidence(hypercertUri, [
+     *   { uri: "https://example.com/report.pdf", description: "Impact report" },
+     *   { uri: "https://example.com/data.csv", description: "Raw data" },
+     * ]);
+     * ```
+     */
+    async addEvidence(hypercertUri, evidence) {
+        try {
+            const existing = await this.get(hypercertUri);
+            const existingEvidence = existing.record.evidence || [];
+            const updatedEvidence = [...existingEvidence, ...evidence];
+            const result = await this.update({
+                uri: hypercertUri,
+                updates: { evidence: updatedEvidence },
+            });
+            this.emit("evidenceAdded", { uri: result.uri, cid: result.cid });
+            return result;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add evidence: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates a contribution record.
+     *
+     * @param params - Contribution parameters
+     * @param params.hypercertUri - Optional hypercert to link (can be standalone)
+     * @param params.contributors - Array of contributor DIDs
+     * @param params.role - Role of the contributors (e.g., "coordinator", "implementer")
+     * @param params.description - Optional description of the contribution
+     * @returns Promise resolving to contribution record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addContribution({
+     *   hypercertUri: hypercertUri,
+     *   contributors: ["did:plc:alice", "did:plc:bob"],
+     *   role: "implementer",
+     *   description: "On-ground implementation team",
+     * });
+     * ```
+     */
+    async addContribution(params) {
+        try {
+            const createdAt = new Date().toISOString();
+            const contributionRecord = {
+                contributors: params.contributors,
+                role: params.role,
+                createdAt,
+                description: params.description,
+            };
+            if (params.hypercertUri) {
+                const hypercert = await this.get(params.hypercertUri);
+                contributionRecord.hypercert = { uri: hypercert.uri, cid: hypercert.cid };
+            }
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.CONTRIBUTION, contributionRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid contribution record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.CONTRIBUTION,
+                record: contributionRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create contribution");
+            }
+            this.emit("contributionCreated", { uri: result.data.uri, cid: result.data.cid });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add contribution: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates a measurement record for a hypercert.
+     *
+     * Measurements quantify the impact claimed in a hypercert with
+     * specific metrics and values.
+     *
+     * @param params - Measurement parameters
+     * @param params.hypercertUri - AT-URI of the hypercert being measured
+     * @param params.measurers - DIDs of entities who performed the measurement
+     * @param params.metric - Name of the metric (e.g., "CO2 Reduced", "Trees Planted")
+     * @param params.value - Measured value with units (e.g., "100 tons", "10000")
+     * @param params.methodUri - Optional URI describing the measurement methodology
+     * @param params.evidenceUris - Optional URIs to supporting evidence
+     * @returns Promise resolving to measurement record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addMeasurement({
+     *   hypercertUri: hypercertUri,
+     *   measurers: ["did:plc:auditor"],
+     *   metric: "Carbon Offset",
+     *   value: "150 tons CO2e",
+     *   methodUri: "https://example.com/methodology",
+     *   evidenceUris: ["https://example.com/audit-report"],
+     * });
+     * ```
+     */
+    async addMeasurement(params) {
+        try {
+            const hypercert = await this.get(params.hypercertUri);
+            const createdAt = new Date().toISOString();
+            const measurementRecord = {
+                hypercert: { uri: hypercert.uri, cid: hypercert.cid },
+                measurers: params.measurers,
+                metric: params.metric,
+                value: params.value,
+                createdAt,
+                measurementMethodURI: params.methodUri,
+                evidenceURI: params.evidenceUris,
+            };
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.MEASUREMENT, measurementRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid measurement record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.MEASUREMENT,
+                record: measurementRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create measurement");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add measurement: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates an evaluation record for a hypercert or other subject.
+     *
+     * Evaluations provide third-party assessments of impact claims.
+     *
+     * @param params - Evaluation parameters
+     * @param params.subjectUri - AT-URI of the record being evaluated
+     * @param params.evaluators - DIDs of evaluating entities
+     * @param params.summary - Summary of the evaluation findings
+     * @returns Promise resolving to evaluation record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * await repo.hypercerts.addEvaluation({
+     *   subjectUri: hypercertUri,
+     *   evaluators: ["did:plc:evaluator-org"],
+     *   summary: "Verified impact claims through site visit and data analysis",
+     * });
+     * ```
+     */
+    async addEvaluation(params) {
+        try {
+            const subject = await this.get(params.subjectUri);
+            const createdAt = new Date().toISOString();
+            const evaluationRecord = {
+                subject: { uri: subject.uri, cid: subject.cid },
+                evaluators: params.evaluators,
+                summary: params.summary,
+                createdAt,
+            };
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.EVALUATION, evaluationRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid evaluation record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.EVALUATION,
+                record: evaluationRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create evaluation");
+            }
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to add evaluation: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Creates a collection of hypercerts.
+     *
+     * Collections group related hypercerts with optional weights
+     * for relative importance.
+     *
+     * @param params - Collection parameters
+     * @param params.title - Collection title
+     * @param params.claims - Array of hypercert references with weights
+     * @param params.shortDescription - Optional short description
+     * @param params.coverPhoto - Optional cover image blob
+     * @returns Promise resolving to collection record URI and CID
+     * @throws {@link ValidationError} if validation fails
+     * @throws {@link NetworkError} if the operation fails
+     *
+     * @example
+     * ```typescript
+     * const collection = await repo.hypercerts.createCollection({
+     *   title: "Climate Projects 2024",
+     *   shortDescription: "Our climate impact portfolio",
+     *   claims: [
+     *     { uri: hypercert1Uri, cid: hypercert1Cid, weight: "0.5" },
+     *     { uri: hypercert2Uri, cid: hypercert2Cid, weight: "0.3" },
+     *     { uri: hypercert3Uri, cid: hypercert3Cid, weight: "0.2" },
+     *   ],
+     *   coverPhoto: coverImageBlob,
+     * });
+     * ```
+     */
+    async createCollection(params) {
+        try {
+            const createdAt = new Date().toISOString();
+            let coverPhotoRef;
+            if (params.coverPhoto) {
+                const arrayBuffer = await params.coverPhoto.arrayBuffer();
+                const uint8Array = new Uint8Array(arrayBuffer);
+                const uploadResult = await this.agent.com.atproto.repo.uploadBlob(uint8Array, {
+                    encoding: params.coverPhoto.type || "image/jpeg",
+                });
+                if (uploadResult.success) {
+                    coverPhotoRef = {
+                        $type: "blob",
+                        ref: uploadResult.data.blob.ref,
+                        mimeType: uploadResult.data.blob.mimeType,
+                        size: uploadResult.data.blob.size,
+                    };
+                }
+            }
+            const collectionRecord = {
+                title: params.title,
+                claims: params.claims.map((c) => ({ claim: { uri: c.uri, cid: c.cid }, weight: c.weight })),
+                createdAt,
+            };
+            if (params.shortDescription) {
+                collectionRecord.shortDescription = params.shortDescription;
+            }
+            if (coverPhotoRef) {
+                collectionRecord.coverPhoto = coverPhotoRef;
+            }
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.COLLECTION, collectionRecord);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid collection record: ${validation.error}`);
+            }
+            const result = await this.agent.com.atproto.repo.createRecord({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.COLLECTION,
+                record: collectionRecord,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to create collection");
+            }
+            this.emit("collectionCreated", { uri: result.data.uri, cid: result.data.cid });
+            return { uri: result.data.uri, cid: result.data.cid };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to create collection: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Gets a collection by its AT-URI.
+     *
+     * @param uri - AT-URI of the collection
+     * @returns Promise resolving to collection URI, CID, and parsed record
+     * @throws {@link ValidationError} if the URI format is invalid or record doesn't match schema
+     * @throws {@link NetworkError} if the record cannot be fetched
+     *
+     * @example
+     * ```typescript
+     * const { record } = await repo.hypercerts.getCollection(collectionUri);
+     * console.log(`Collection: ${record.title}`);
+     * console.log(`Contains ${record.claims.length} hypercerts`);
+     * ```
+     */
+    async getCollection(uri) {
+        try {
+            const uriMatch = uri.match(/^at:\/\/([^/]+)\/([^/]+)\/(.+)$/);
+            if (!uriMatch) {
+                throw new ValidationError(`Invalid URI format: ${uri}`);
+            }
+            const [, , collection, rkey] = uriMatch;
+            const result = await this.agent.com.atproto.repo.getRecord({
+                repo: this.repoDid,
+                collection,
+                rkey,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to get collection");
+            }
+            // Validate with lexicon registry (more lenient - doesn't require $type)
+            const validation = this.lexiconRegistry.validate(HYPERCERT_COLLECTIONS.COLLECTION, result.data.value);
+            if (!validation.valid) {
+                throw new ValidationError(`Invalid collection record format: ${validation.error}`);
+            }
+            return {
+                uri: result.data.uri,
+                cid: result.data.cid ?? "",
+                record: result.data.value,
+            };
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to get collection: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+    /**
+     * Lists collections in the repository with pagination.
+     *
+     * @param params - Optional pagination parameters
+     * @returns Promise resolving to paginated list of collections
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @example
+     * ```typescript
+     * const { records } = await repo.hypercerts.listCollections();
+     * for (const { record } of records) {
+     *   console.log(`${record.title}: ${record.claims.length} claims`);
+     * }
+     * ```
+     */
+    async listCollections(params) {
+        try {
+            const result = await this.agent.com.atproto.repo.listRecords({
+                repo: this.repoDid,
+                collection: HYPERCERT_COLLECTIONS.COLLECTION,
+                limit: params?.limit,
+                cursor: params?.cursor,
+            });
+            if (!result.success) {
+                throw new NetworkError("Failed to list collections");
+            }
+            return {
+                records: result.data.records?.map((r) => ({
+                    uri: r.uri,
+                    cid: r.cid,
+                    record: r.value,
+                })) || [],
+                cursor: result.data.cursor ?? undefined,
+            };
+        }
+        catch (error) {
+            if (error instanceof NetworkError)
+                throw error;
+            throw new NetworkError(`Failed to list collections: ${error instanceof Error ? error.message : "Unknown"}`, error);
+        }
+    }
+}
+
+/**
+ * CollaboratorOperationsImpl - SDS collaborator management operations.
+ *
+ * This module provides the implementation for managing collaborator
+ * access on Shared Data Server (SDS) repositories.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of collaborator operations for SDS access control.
+ *
+ * This class manages access permissions for shared repositories on
+ * Shared Data Servers (SDS). It provides role-based access control
+ * with predefined permission sets.
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.collaborators} on an SDS-connected repository.
+ *
+ * **Role Hierarchy**:
+ * - `viewer`: Read-only access
+ * - `editor`: Read + Create + Update
+ * - `admin`: All permissions except ownership transfer
+ * - `owner`: Full control including ownership management
+ *
+ * **SDS API Endpoints Used**:
+ * - `com.atproto.sds.grantAccess`: Grant access to a user
+ * - `com.atproto.sds.revokeAccess`: Revoke access from a user
+ * - `com.atproto.sds.listCollaborators`: List all collaborators
+ *
+ * @example
+ * ```typescript
+ * // Get SDS repository
+ * const sdsRepo = sdk.repository(session, { server: "sds" });
+ *
+ * // Grant editor access
+ * await sdsRepo.collaborators.grant({
+ *   userDid: "did:plc:new-user",
+ *   role: "editor",
+ * });
+ *
+ * // List all collaborators
+ * const collaborators = await sdsRepo.collaborators.list();
+ *
+ * // Check specific user
+ * const hasAccess = await sdsRepo.collaborators.hasAccess("did:plc:someone");
+ * const role = await sdsRepo.collaborators.getRole("did:plc:someone");
+ * ```
+ *
+ * @internal
+ */
+class CollaboratorOperationsImpl {
+    /**
+     * Creates a new CollaboratorOperationsImpl.
+     *
+     * @param session - Authenticated OAuth session with fetchHandler
+     * @param repoDid - DID of the repository to manage
+     * @param serverUrl - SDS server URL
+     *
+     * @internal
+     */
+    constructor(session, repoDid, serverUrl) {
+        this.session = session;
+        this.repoDid = repoDid;
+        this.serverUrl = serverUrl;
+    }
+    /**
+     * Converts a role to its corresponding permissions object.
+     *
+     * @param role - The role to convert
+     * @returns Permission flags for the role
+     * @internal
+     */
+    roleToPermissions(role) {
+        switch (role) {
+            case "viewer":
+                return { read: true, create: false, update: false, delete: false, admin: false, owner: false };
+            case "editor":
+                return { read: true, create: true, update: true, delete: false, admin: false, owner: false };
+            case "admin":
+                return { read: true, create: true, update: true, delete: true, admin: true, owner: false };
+            case "owner":
+                return { read: true, create: true, update: true, delete: true, admin: true, owner: true };
+        }
+    }
+    /**
+     * Determines the role from a permissions object.
+     *
+     * @param permissions - The permissions to analyze
+     * @returns The highest role matching the permissions
+     * @internal
+     */
+    permissionsToRole(permissions) {
+        if (permissions.owner)
+            return "owner";
+        if (permissions.admin)
+            return "admin";
+        if (permissions.create || permissions.update)
+            return "editor";
+        return "viewer";
+    }
+    /**
+     * Grants repository access to a user.
+     *
+     * @param params - Grant parameters
+     * @param params.userDid - DID of the user to grant access to
+     * @param params.role - Role to assign (determines permissions)
+     * @throws {@link NetworkError} if the grant operation fails
+     *
+     * @remarks
+     * If the user already has access, their permissions are updated
+     * to the new role.
+     *
+     * @example
+     * ```typescript
+     * // Grant viewer access
+     * await repo.collaborators.grant({
+     *   userDid: "did:plc:viewer-user",
+     *   role: "viewer",
+     * });
+     *
+     * // Upgrade to editor
+     * await repo.collaborators.grant({
+     *   userDid: "did:plc:viewer-user",
+     *   role: "editor",
+     * });
+     * ```
+     */
+    async grant(params) {
+        const permissions = this.roleToPermissions(params.role);
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.grantAccess`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                repo: this.repoDid,
+                userDid: params.userDid,
+                permissions,
+            }),
+        });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to grant access: ${response.statusText}`);
+        }
+    }
+    /**
+     * Revokes repository access from a user.
+     *
+     * @param params - Revoke parameters
+     * @param params.userDid - DID of the user to revoke access from
+     * @throws {@link NetworkError} if the revoke operation fails
+     *
+     * @remarks
+     * - Cannot revoke access from the repository owner
+     * - Revoked access is recorded with a `revokedAt` timestamp
+     *
+     * @example
+     * ```typescript
+     * await repo.collaborators.revoke({
+     *   userDid: "did:plc:former-collaborator",
+     * });
+     * ```
+     */
+    async revoke(params) {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.revokeAccess`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                repo: this.repoDid,
+                userDid: params.userDid,
+            }),
+        });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to revoke access: ${response.statusText}`);
+        }
+    }
+    /**
+     * Lists all collaborators on the repository.
+     *
+     * @returns Promise resolving to array of access grants
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @remarks
+     * The list includes both active and revoked collaborators.
+     * Check `revokedAt` to filter active collaborators.
+     *
+     * @example
+     * ```typescript
+     * const collaborators = await repo.collaborators.list();
+     *
+     * // Filter active collaborators
+     * const active = collaborators.filter(c => !c.revokedAt);
+     *
+     * // Group by role
+     * const byRole = {
+     *   owners: active.filter(c => c.role === "owner"),
+     *   admins: active.filter(c => c.role === "admin"),
+     *   editors: active.filter(c => c.role === "editor"),
+     *   viewers: active.filter(c => c.role === "viewer"),
+     * };
+     * ```
+     */
+    async list() {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.listCollaborators?repo=${encodeURIComponent(this.repoDid)}`, { method: "GET" });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to list collaborators: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return (data.collaborators || []).map((c) => ({
+            userDid: c.userDid,
+            role: this.permissionsToRole(c.permissions),
+            permissions: c.permissions,
+            grantedBy: c.grantedBy,
+            grantedAt: c.grantedAt,
+            revokedAt: c.revokedAt,
+        }));
+    }
+    /**
+     * Checks if a user has any access to the repository.
+     *
+     * @param userDid - DID of the user to check
+     * @returns Promise resolving to `true` if user has active access
+     *
+     * @remarks
+     * Returns `false` if:
+     * - User was never granted access
+     * - User's access was revoked
+     * - The list operation fails (error is suppressed)
+     *
+     * @example
+     * ```typescript
+     * if (await repo.collaborators.hasAccess("did:plc:someone")) {
+     *   console.log("User has access");
+     * }
+     * ```
+     */
+    async hasAccess(userDid) {
+        try {
+            const collaborators = await this.list();
+            return collaborators.some((c) => c.userDid === userDid && !c.revokedAt);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Gets the role assigned to a user.
+     *
+     * @param userDid - DID of the user to check
+     * @returns Promise resolving to the user's role, or `null` if no active access
+     *
+     * @example
+     * ```typescript
+     * const role = await repo.collaborators.getRole("did:plc:someone");
+     * if (role === "admin" || role === "owner") {
+     *   // User can manage other collaborators
+     * }
+     * ```
+     */
+    async getRole(userDid) {
+        const collaborators = await this.list();
+        const collab = collaborators.find((c) => c.userDid === userDid && !c.revokedAt);
+        return collab?.role ?? null;
+    }
+}
+
+/**
+ * OrganizationOperationsImpl - SDS organization management operations.
+ *
+ * This module provides the implementation for creating and managing
+ * organizations on Shared Data Server (SDS) instances.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Implementation of organization operations for SDS management.
+ *
+ * Organizations on SDS provide a way to create shared repositories
+ * that multiple users can collaborate on. Each organization has:
+ *
+ * - A unique DID (Decentralized Identifier)
+ * - A handle for human-readable identification
+ * - An owner and optional collaborators
+ * - Its own repository for storing records
+ *
+ * @remarks
+ * This class is typically not instantiated directly. Access it through
+ * {@link Repository.organizations} on an SDS-connected repository.
+ *
+ * **SDS API Endpoints Used**:
+ * - `com.atproto.sds.createRepository`: Create a new organization
+ * - `com.atproto.sds.listRepositories`: List accessible organizations
+ *
+ * **Access Types**:
+ * - `"owner"`: User created or owns the organization
+ * - `"collaborator"`: User was invited with specific permissions
+ *
+ * @example
+ * ```typescript
+ * // Get SDS repository
+ * const sdsRepo = sdk.repository(session, { server: "sds" });
+ *
+ * // Create an organization
+ * const org = await sdsRepo.organizations.create({
+ *   name: "My Team",
+ *   description: "A team for impact projects",
+ * });
+ *
+ * // List organizations you have access to
+ * const orgs = await sdsRepo.organizations.list();
+ *
+ * // Get specific organization
+ * const orgInfo = await sdsRepo.organizations.get(org.did);
+ * ```
+ *
+ * @internal
+ */
+class OrganizationOperationsImpl {
+    /**
+     * Creates a new OrganizationOperationsImpl.
+     *
+     * @param session - Authenticated OAuth session with fetchHandler
+     * @param _repoDid - DID of the user's repository (reserved for future use)
+     * @param serverUrl - SDS server URL
+     * @param _logger - Optional logger for debugging (reserved for future use)
+     *
+     * @internal
+     */
+    constructor(session, _repoDid, serverUrl, _logger) {
+        this.session = session;
+        this._repoDid = _repoDid;
+        this.serverUrl = serverUrl;
+        this._logger = _logger;
+    }
+    /**
+     * Creates a new organization.
+     *
+     * @param params - Organization parameters
+     * @param params.name - Display name for the organization
+     * @param params.description - Optional description of the organization's purpose
+     * @param params.handle - Optional custom handle. If not provided, one is auto-generated.
+     * @returns Promise resolving to the created organization info
+     * @throws {@link NetworkError} if organization creation fails
+     *
+     * @remarks
+     * The creating user automatically becomes the owner with full permissions.
+     *
+     * **Handle Format**: Handles are typically formatted as
+     * `{name}.sds.{domain}` (e.g., "my-team.sds.hypercerts.org").
+     * If you provide a custom handle, it must be unique on the SDS.
+     *
+     * @example Basic organization
+     * ```typescript
+     * const org = await repo.organizations.create({
+     *   name: "Climate Action Team",
+     * });
+     * console.log(`Created org: ${org.did}`);
+     * ```
+     *
+     * @example With description and custom handle
+     * ```typescript
+     * const org = await repo.organizations.create({
+     *   name: "Reforestation Initiative",
+     *   description: "Coordinating tree planting projects worldwide",
+     *   handle: "reforestation",
+     * });
+     * ```
+     */
+    async create(params) {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.createRepository`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(params),
+        });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to create organization: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return {
+            did: data.did,
+            handle: data.handle,
+            name: data.name,
+            description: data.description,
+            createdAt: data.createdAt || new Date().toISOString(),
+            accessType: "owner",
+            permissions: { read: true, create: true, update: true, delete: true, admin: true, owner: true },
+        };
+    }
+    /**
+     * Gets an organization by its DID.
+     *
+     * @param did - The organization's DID
+     * @returns Promise resolving to organization info, or `null` if not found
+     *
+     * @remarks
+     * This method searches through the user's accessible organizations.
+     * If the organization exists but the user doesn't have access,
+     * it will return `null`.
+     *
+     * @example
+     * ```typescript
+     * const org = await repo.organizations.get("did:plc:org123");
+     * if (org) {
+     *   console.log(`Found: ${org.name}`);
+     *   console.log(`Your role: ${org.accessType}`);
+     * } else {
+     *   console.log("Organization not found or no access");
+     * }
+     * ```
+     */
+    async get(did) {
+        try {
+            const orgs = await this.list();
+            return orgs.find((o) => o.did === did) ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Lists organizations the current user has access to.
+     *
+     * @returns Promise resolving to array of organization info
+     * @throws {@link NetworkError} if the list operation fails
+     *
+     * @remarks
+     * Returns organizations where the user is either:
+     * - The owner
+     * - A collaborator with any permission level
+     *
+     * The `accessType` field indicates the user's relationship to each organization.
+     *
+     * @example
+     * ```typescript
+     * const orgs = await repo.organizations.list();
+     *
+     * // Filter by access type
+     * const owned = orgs.filter(o => o.accessType === "owner");
+     * const collaborated = orgs.filter(o => o.accessType === "collaborator");
+     *
+     * console.log(`You own ${owned.length} organizations`);
+     * console.log(`You collaborate on ${collaborated.length} organizations`);
+     * ```
+     *
+     * @example Display organization details
+     * ```typescript
+     * const orgs = await repo.organizations.list();
+     *
+     * for (const org of orgs) {
+     *   console.log(`${org.name} (@${org.handle})`);
+     *   console.log(`  DID: ${org.did}`);
+     *   console.log(`  Access: ${org.accessType}`);
+     *   if (org.description) {
+     *     console.log(`  Description: ${org.description}`);
+     *   }
+     * }
+     * ```
+     */
+    async list() {
+        const response = await this.session.fetchHandler(`${this.serverUrl}/xrpc/com.atproto.sds.listRepositories?userDid=${encodeURIComponent(this.session.did || this.session.sub)}`, { method: "GET" });
+        if (!response.ok) {
+            throw new NetworkError(`Failed to list organizations: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return (data.repositories || []).map((r) => ({
+            did: r.did,
+            handle: r.handle,
+            name: r.name,
+            description: r.description,
+            createdAt: new Date().toISOString(), // SDS may not return this
+            accessType: r.accessType,
+            permissions: r.permissions,
+        }));
+    }
+}
+
+/**
+ * Repository - Unified fluent API for ATProto repository operations.
+ *
+ * This module provides the main interface for interacting with AT Protocol
+ * data servers (PDS and SDS) through a consistent, fluent API.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Repository provides a fluent API for AT Protocol data operations.
+ *
+ * This class is the primary interface for working with data in the AT Protocol
+ * ecosystem. It provides organized access to:
+ *
+ * - **Records**: Low-level CRUD operations for any AT Protocol record type
+ * - **Blobs**: Binary data upload and retrieval (images, files)
+ * - **Profile**: User profile management
+ * - **Hypercerts**: High-level hypercert creation and management
+ * - **Collaborators**: Access control for shared repositories (SDS only)
+ * - **Organizations**: Organization management (SDS only)
+ *
+ * @remarks
+ * The Repository uses lazy initialization for operation handlers - they are
+ * created only when first accessed. This improves performance when you only
+ * need a subset of operations.
+ *
+ * **PDS vs SDS:**
+ * - **PDS (Personal Data Server)**: User's own data storage. All operations
+ *   except collaborators and organizations are available.
+ * - **SDS (Shared Data Server)**: Collaborative data storage with access
+ *   control. All operations including collaborators and organizations.
+ *
+ * @example Basic usage
+ * ```typescript
+ * // Get a repository from the SDK
+ * const repo = sdk.repository(session);
+ *
+ * // Access user profile
+ * const profile = await repo.profile.get();
+ *
+ * // Create a hypercert
+ * const result = await repo.hypercerts.create({
+ *   title: "My Impact",
+ *   description: "Description of the impact",
+ *   workScope: "Climate Action",
+ *   workTimeframeFrom: "2024-01-01",
+ *   workTimeframeTo: "2024-12-31",
+ *   rights: {
+ *     name: "Attribution",
+ *     type: "license",
+ *     description: "CC-BY-4.0",
+ *   },
+ * });
+ * ```
+ *
+ * @example Working with a different user's repository
+ * ```typescript
+ * // Get the current user's repo
+ * const myRepo = sdk.repository(session);
+ *
+ * // Get another user's repo (read-only for most operations)
+ * const otherRepo = myRepo.repo("did:plc:other-user-did");
+ * const theirProfile = await otherRepo.profile.get();
+ * ```
+ *
+ * @example SDS operations
+ * ```typescript
+ * // Get SDS repository for collaborator features
+ * const sdsRepo = sdk.repository(session, { server: "sds" });
+ *
+ * // Manage collaborators
+ * await sdsRepo.collaborators.grant({
+ *   userDid: "did:plc:collaborator",
+ *   role: "editor",
+ * });
+ *
+ * // List organizations
+ * const orgs = await sdsRepo.organizations.list();
+ * ```
+ *
+ * @see {@link ATProtoSDK.repository} for creating Repository instances
+ */
+class Repository {
+    /**
+     * Creates a new Repository instance.
+     *
+     * @param session - Authenticated OAuth session
+     * @param serverUrl - Base URL of the AT Protocol server
+     * @param repoDid - DID of the repository to operate on
+     * @param lexiconRegistry - Registry for lexicon validation
+     * @param isSDS - Whether this is a Shared Data Server
+     * @param logger - Optional logger for debugging
+     *
+     * @remarks
+     * This constructor is typically not called directly. Use
+     * {@link ATProtoSDK.repository} to create Repository instances.
+     *
+     * @internal
+     */
+    constructor(session, serverUrl, repoDid, lexiconRegistry, isSDS, logger) {
+        this.session = session;
+        this.serverUrl = serverUrl;
+        this.repoDid = repoDid;
+        this.lexiconRegistry = lexiconRegistry;
+        this._isSDS = isSDS;
+        this.logger = logger;
+        // Create Agent with OAuth session
+        this.agent = new Agent(session);
+        this.lexiconRegistry.addToAgent(this.agent);
+        // Register hypercert lexicons
+        this.lexiconRegistry.registerMany(HYPERCERT_LEXICONS);
+    }
+    /**
+     * The DID (Decentralized Identifier) of this repository.
+     *
+     * This is the user or organization that owns the repository data.
+     *
+     * @example
+     * ```typescript
+     * console.log(`Working with repo: ${repo.did}`);
+     * // Output: Working with repo: did:plc:abc123xyz...
+     * ```
+     */
+    get did() {
+        return this.repoDid;
+    }
+    /**
+     * Whether this repository is on a Shared Data Server (SDS).
+     *
+     * SDS servers support additional features like collaborators and
+     * organizations. Attempting to use these features on a PDS will
+     * throw {@link SDSRequiredError}.
+     *
+     * @example
+     * ```typescript
+     * if (repo.isSDS) {
+     *   const collaborators = await repo.collaborators.list();
+     * }
+     * ```
+     */
+    get isSDS() {
+        return this._isSDS;
+    }
+    /**
+     * Gets the server URL this repository connects to.
+     *
+     * @returns The base URL of the AT Protocol server
+     *
+     * @example
+     * ```typescript
+     * console.log(repo.getServerUrl());
+     * // Output: https://bsky.social or https://sds.hypercerts.org
+     * ```
+     */
+    getServerUrl() {
+        return this.serverUrl;
+    }
+    /**
+     * Creates a Repository instance for a different DID on the same server.
+     *
+     * This allows you to read data from other users' repositories while
+     * maintaining your authenticated session.
+     *
+     * @param did - The DID of the repository to access
+     * @returns A new Repository instance for the specified DID
+     *
+     * @remarks
+     * Write operations on another user's repository will typically fail
+     * unless you have been granted collaborator access (SDS only).
+     *
+     * @example
+     * ```typescript
+     * // Read another user's profile
+     * const otherRepo = repo.repo("did:plc:other-user");
+     * const profile = await otherRepo.profile.get();
+     *
+     * // List their public hypercerts
+     * const hypercerts = await otherRepo.hypercerts.list();
+     * ```
+     */
+    repo(did) {
+        return new Repository(this.session, this.serverUrl, did, this.lexiconRegistry, this._isSDS, this.logger);
+    }
+    /**
+     * Low-level record operations for CRUD on any AT Protocol record type.
+     *
+     * Use this for direct access to AT Protocol records when the high-level
+     * APIs don't meet your needs.
+     *
+     * @returns {@link RecordOperations} interface for record CRUD
+     *
+     * @example
+     * ```typescript
+     * // Create a custom record
+     * const result = await repo.records.create({
+     *   collection: "org.example.myRecord",
+     *   record: { foo: "bar" },
+     * });
+     *
+     * // List records in a collection
+     * const list = await repo.records.list({
+     *   collection: "org.example.myRecord",
+     *   limit: 50,
+     * });
+     *
+     * // Get a specific record
+     * const record = await repo.records.get({
+     *   collection: "org.example.myRecord",
+     *   rkey: "abc123",
+     * });
+     * ```
+     */
+    get records() {
+        if (!this._records) {
+            this._records = new RecordOperationsImpl(this.agent, this.repoDid, this.lexiconRegistry);
+        }
+        return this._records;
+    }
+    /**
+     * Blob operations for uploading and retrieving binary data.
+     *
+     * Blobs are used for images, files, and other binary content associated
+     * with records.
+     *
+     * @returns {@link BlobOperations} interface for blob management
+     *
+     * @example
+     * ```typescript
+     * // Upload an image
+     * const imageBlob = new Blob([imageData], { type: "image/png" });
+     * const uploadResult = await repo.blobs.upload(imageBlob);
+     *
+     * // The ref can be used in records
+     * console.log(uploadResult.ref.$link);  // CID of the blob
+     *
+     * // Retrieve a blob by CID
+     * const { data, mimeType } = await repo.blobs.get(cid);
+     * ```
+     */
+    get blobs() {
+        if (!this._blobs) {
+            this._blobs = new BlobOperationsImpl(this.agent, this.repoDid, this.serverUrl);
+        }
+        return this._blobs;
+    }
+    /**
+     * Profile operations for managing user profiles.
+     *
+     * @returns {@link ProfileOperations} interface for profile management
+     *
+     * @example
+     * ```typescript
+     * // Get current profile
+     * const profile = await repo.profile.get();
+     * console.log(profile.displayName);
+     *
+     * // Update profile
+     * await repo.profile.update({
+     *   displayName: "New Name",
+     *   description: "Updated bio",
+     *   avatar: avatarBlob,  // Optional: update avatar image
+     * });
+     * ```
+     */
+    get profile() {
+        if (!this._profile) {
+            this._profile = new ProfileOperationsImpl(this.agent, this.repoDid, this.serverUrl);
+        }
+        return this._profile;
+    }
+    /**
+     * High-level hypercert operations.
+     *
+     * Provides a convenient API for creating and managing hypercerts,
+     * including related records like locations, contributions, and evidence.
+     *
+     * @returns {@link HypercertOperations} interface with EventEmitter capabilities
+     *
+     * @example Creating a hypercert
+     * ```typescript
+     * const result = await repo.hypercerts.create({
+     *   title: "Climate Action Project",
+     *   description: "Reduced carbon emissions by 1000 tons",
+     *   workScope: "Climate Action",
+     *   workTimeframeFrom: "2024-01-01",
+     *   workTimeframeTo: "2024-06-30",
+     *   rights: {
+     *     name: "Public Domain",
+     *     type: "license",
+     *     description: "CC0 - No Rights Reserved",
+     *   },
+     *   image: imageBlob,  // Optional cover image
+     *   location: {
+     *     value: "San Francisco, CA",
+     *     name: "SF Bay Area",
+     *   },
+     * });
+     * console.log(`Created: ${result.hypercertUri}`);
+     * ```
+     *
+     * @example Listening to events
+     * ```typescript
+     * repo.hypercerts.on("recordCreated", ({ uri, cid }) => {
+     *   console.log(`Record created: ${uri}`);
+     * });
+     * ```
+     */
+    get hypercerts() {
+        if (!this._hypercerts) {
+            this._hypercerts = new HypercertOperationsImpl(this.agent, this.repoDid, this.serverUrl, this.lexiconRegistry, this.logger);
+        }
+        return this._hypercerts;
+    }
+    /**
+     * Collaborator operations for managing repository access.
+     *
+     * **SDS Only**: This property throws {@link SDSRequiredError} if accessed
+     * on a PDS repository.
+     *
+     * @returns {@link CollaboratorOperations} interface for access control
+     * @throws {@link SDSRequiredError} if not connected to an SDS server
+     *
+     * @example
+     * ```typescript
+     * // Ensure we're on SDS
+     * const sdsRepo = sdk.repository(session, { server: "sds" });
+     *
+     * // Grant editor access
+     * await sdsRepo.collaborators.grant({
+     *   userDid: "did:plc:new-collaborator",
+     *   role: "editor",
+     * });
+     *
+     * // List all collaborators
+     * const collaborators = await sdsRepo.collaborators.list();
+     *
+     * // Check access
+     * const hasAccess = await sdsRepo.collaborators.hasAccess("did:plc:someone");
+     *
+     * // Revoke access
+     * await sdsRepo.collaborators.revoke({ userDid: "did:plc:former-collaborator" });
+     * ```
+     */
+    get collaborators() {
+        if (!this._isSDS) {
+            throw new SDSRequiredError("Collaborator operations are only available on SDS servers");
+        }
+        if (!this._collaborators) {
+            this._collaborators = new CollaboratorOperationsImpl(this.session, this.repoDid, this.serverUrl);
+        }
+        return this._collaborators;
+    }
+    /**
+     * Organization operations for creating and managing organizations.
+     *
+     * **SDS Only**: This property throws {@link SDSRequiredError} if accessed
+     * on a PDS repository.
+     *
+     * @returns {@link OrganizationOperations} interface for organization management
+     * @throws {@link SDSRequiredError} if not connected to an SDS server
+     *
+     * @example
+     * ```typescript
+     * // Ensure we're on SDS
+     * const sdsRepo = sdk.repository(session, { server: "sds" });
+     *
+     * // Create an organization
+     * const org = await sdsRepo.organizations.create({
+     *   name: "My Organization",
+     *   description: "A team working on impact certificates",
+     *   handle: "my-org",  // Optional custom handle
+     * });
+     *
+     * // List organizations you have access to
+     * const orgs = await sdsRepo.organizations.list();
+     *
+     * // Get specific organization
+     * const orgInfo = await sdsRepo.organizations.get(org.did);
+     * ```
+     */
+    get organizations() {
+        if (!this._isSDS) {
+            throw new SDSRequiredError("Organization operations are only available on SDS servers");
+        }
+        if (!this._organizations) {
+            this._organizations = new OrganizationOperationsImpl(this.session, this.repoDid, this.serverUrl, this.logger);
+        }
+        return this._organizations;
+    }
+}
+
+/**
+ * Zod schema for OAuth configuration validation.
+ *
+ * @remarks
+ * All URLs must be valid and use HTTPS in production. The `jwkPrivate` field
+ * should contain the private key in JWK (JSON Web Key) format as a string.
+ */
+const OAuthConfigSchema = z.object({
+    /**
+     * URL to the OAuth client metadata JSON document.
+     * This document describes your application to the authorization server.
+     *
+     * @see https://atproto.com/specs/oauth#client-metadata
+     */
+    clientId: z.string().url(),
+    /**
+     * URL where users are redirected after authentication.
+     * Must match one of the redirect URIs in your client metadata.
+     */
+    redirectUri: z.string().url(),
+    /**
+     * OAuth scopes to request, space-separated.
+     * Common scopes: "atproto", "transition:generic"
+     */
+    scope: z.string(),
+    /**
+     * URL to your public JWKS (JSON Web Key Set) endpoint.
+     * Used by the authorization server to verify your client's signatures.
+     */
+    jwksUri: z.string().url(),
+    /**
+     * Private JWK (JSON Web Key) as a JSON string.
+     * Used for signing DPoP proofs and client assertions.
+     *
+     * @remarks
+     * This should be kept secret and never exposed to clients.
+     * Typically loaded from environment variables or a secrets manager.
+     */
+    jwkPrivate: z.string(),
+});
+/**
+ * Zod schema for server URL configuration.
+ *
+ * @remarks
+ * At least one server (PDS or SDS) should be configured for the SDK to be useful.
+ */
+const ServerConfigSchema = z.object({
+    /**
+     * Personal Data Server URL - the user's own AT Protocol server.
+     * This is the primary server for user data operations.
+     *
+     * @example "https://bsky.social"
+     */
+    pds: z.string().url().optional(),
+    /**
+     * Shared Data Server URL - for collaborative data storage.
+     * Required for collaborator and organization operations.
+     *
+     * @example "https://sds.hypercerts.org"
+     */
+    sds: z.string().url().optional(),
+});
+/**
+ * Zod schema for timeout configuration.
+ *
+ * @remarks
+ * All timeout values are in milliseconds.
+ */
+const TimeoutConfigSchema = z.object({
+    /**
+     * Timeout for fetching PDS metadata during identity resolution.
+     * @default 5000 (5 seconds, set by OAuthClient)
+     */
+    pdsMetadata: z.number().positive().optional(),
+    /**
+     * Timeout for general API requests to PDS/SDS.
+     * @default 30000 (30 seconds)
+     */
+    apiRequests: z.number().positive().optional(),
+});
+/**
+ * Zod schema for SDK configuration validation.
+ *
+ * @remarks
+ * This schema validates only the primitive/serializable parts of the configuration.
+ * Storage interfaces ({@link SessionStore}, {@link StateStore}) cannot be validated
+ * with Zod as they are runtime objects.
+ */
+const ATProtoSDKConfigSchema = z.object({
+    oauth: OAuthConfigSchema,
+    servers: ServerConfigSchema.optional(),
+    timeouts: TimeoutConfigSchema.optional(),
+});
+
+/**
+ * Main ATProto SDK class providing OAuth authentication and repository access.
+ *
+ * This is the primary entry point for interacting with AT Protocol servers.
+ * It handles the OAuth 2.0 flow with DPoP (Demonstrating Proof of Possession)
+ * and provides access to repository operations for managing records, blobs,
+ * and profiles.
+ *
+ * @example Basic usage with OAuth flow
+ * ```typescript
+ * import { ATProtoSDK, InMemorySessionStore, InMemoryStateStore } from "@hypercerts-org/sdk";
+ *
+ * const sdk = new ATProtoSDK({
+ *   oauth: {
+ *     clientId: "https://my-app.com/client-metadata.json",
+ *     redirectUri: "https://my-app.com/callback",
+ *     scope: "atproto transition:generic",
+ *     jwksUri: "https://my-app.com/.well-known/jwks.json",
+ *     jwkPrivate: process.env.JWK_PRIVATE_KEY!,
+ *   },
+ *   servers: {
+ *     pds: "https://bsky.social",
+ *     sds: "https://sds.hypercerts.org",
+ *   },
+ * });
+ *
+ * // Start OAuth flow - redirect user to this URL
+ * const authUrl = await sdk.authorize("user.bsky.social");
+ *
+ * // After user returns, handle the callback
+ * const session = await sdk.callback(new URLSearchParams(window.location.search));
+ *
+ * // Get a repository to work with data
+ * const repo = sdk.repository(session);
+ * ```
+ *
+ * @example Restoring an existing session
+ * ```typescript
+ * // Restore a previous session by DID
+ * const session = await sdk.restoreSession("did:plc:abc123...");
+ * if (session) {
+ *   const repo = sdk.repository(session);
+ *   // Continue working with the restored session
+ * }
+ * ```
+ *
+ * @see {@link ATProtoSDKConfig} for configuration options
+ * @see {@link Repository} for data operations
+ * @see {@link OAuthClient} for OAuth implementation details
+ */
+class ATProtoSDK {
+    /**
+     * Creates a new ATProto SDK instance.
+     *
+     * @param config - SDK configuration including OAuth credentials, server URLs, and optional storage adapters
+     * @throws {@link ValidationError} if the configuration is invalid (e.g., malformed URLs, missing required fields)
+     *
+     * @remarks
+     * If no storage adapters are provided, in-memory implementations are used.
+     * These are suitable for development and testing but **not recommended for production**
+     * as sessions will be lost on restart.
+     *
+     * @example
+     * ```typescript
+     * // Minimal configuration (uses in-memory storage)
+     * const sdk = new ATProtoSDK({
+     *   oauth: {
+     *     clientId: "https://my-app.com/client-metadata.json",
+     *     redirectUri: "https://my-app.com/callback",
+     *     scope: "atproto",
+     *     jwksUri: "https://my-app.com/.well-known/jwks.json",
+     *     jwkPrivate: privateKeyJwk,
+     *   },
+     *   servers: { pds: "https://bsky.social" },
+     * });
+     * ```
+     */
+    constructor(config) {
+        // Validate configuration
+        const validationResult = ATProtoSDKConfigSchema.safeParse(config);
+        if (!validationResult.success) {
+            throw new ValidationError(`Invalid SDK configuration: ${validationResult.error.message}`, validationResult.error);
+        }
+        // Apply defaults for optional storage
+        const configWithDefaults = {
+            ...config,
+            storage: {
+                sessionStore: config.storage?.sessionStore ?? new InMemorySessionStore(),
+                stateStore: config.storage?.stateStore ?? new InMemoryStateStore(),
+            },
+        };
+        this.config = configWithDefaults;
+        this.logger = config.logger;
+        // Initialize OAuth client
+        this.oauthClient = new OAuthClient(configWithDefaults);
+        // Initialize lexicon registry
+        this.lexiconRegistry = new LexiconRegistry();
+        this.logger?.info("ATProto SDK initialized");
+    }
+    /**
+     * Initiates the OAuth authorization flow.
+     *
+     * This method starts the OAuth 2.0 authorization flow by resolving the user's
+     * identity and generating an authorization URL. The user should be redirected
+     * to this URL to authenticate.
+     *
+     * @param identifier - The user's ATProto identifier. Can be:
+     *   - A handle (e.g., `"user.bsky.social"`)
+     *   - A DID (e.g., `"did:plc:abc123..."`)
+     *   - A PDS URL (e.g., `"https://bsky.social"`)
+     * @param options - Optional authorization settings
+     * @returns A Promise resolving to the authorization URL to redirect the user to
+     * @throws {@link ValidationError} if the identifier is empty or invalid
+     * @throws {@link NetworkError} if the identity cannot be resolved
+     *
+     * @example
+     * ```typescript
+     * // Using a handle
+     * const authUrl = await sdk.authorize("alice.bsky.social");
+     *
+     * // Using a DID directly
+     * const authUrl = await sdk.authorize("did:plc:abc123xyz");
+     *
+     * // With custom scope
+     * const authUrl = await sdk.authorize("alice.bsky.social", {
+     *   scope: "atproto transition:generic"
+     * });
+     *
+     * // Redirect user to authUrl
+     * window.location.href = authUrl;
+     * ```
+     */
+    async authorize(identifier, options) {
+        if (!identifier || !identifier.trim()) {
+            throw new ValidationError("ATProto identifier is required");
+        }
+        return this.oauthClient.authorize(identifier.trim(), options);
+    }
+    /**
+     * Handles the OAuth callback and exchanges the authorization code for tokens.
+     *
+     * Call this method when the user is redirected back to your application
+     * after authenticating. It validates the OAuth state, exchanges the
+     * authorization code for access/refresh tokens, and creates a session.
+     *
+     * @param params - URL search parameters from the callback URL
+     * @returns A Promise resolving to the authenticated OAuth session
+     * @throws {@link AuthenticationError} if the callback parameters are invalid or the code exchange fails
+     * @throws {@link ValidationError} if required parameters are missing
+     *
+     * @example
+     * ```typescript
+     * // In your callback route handler
+     * const params = new URLSearchParams(window.location.search);
+     * // params contains: code, state, iss (issuer)
+     *
+     * const session = await sdk.callback(params);
+     * console.log(`Authenticated as ${session.did}`);
+     *
+     * // Store the DID to restore the session later
+     * localStorage.setItem("userDid", session.did);
+     * ```
+     */
+    async callback(params) {
+        return this.oauthClient.callback(params);
+    }
+    /**
+     * Restores an existing OAuth session by DID.
+     *
+     * Use this method to restore a previously authenticated session, typically
+     * on application startup. The method retrieves the stored session and
+     * automatically refreshes expired tokens if needed.
+     *
+     * @param did - The user's Decentralized Identifier (DID), e.g., `"did:plc:abc123..."`
+     * @returns A Promise resolving to the restored session, or `null` if no session exists
+     * @throws {@link ValidationError} if the DID is empty
+     * @throws {@link SessionExpiredError} if the session cannot be refreshed
+     *
+     * @example
+     * ```typescript
+     * // On application startup
+     * const savedDid = localStorage.getItem("userDid");
+     * if (savedDid) {
+     *   const session = await sdk.restoreSession(savedDid);
+     *   if (session) {
+     *     // User is still authenticated
+     *     const repo = sdk.repository(session);
+     *   } else {
+     *     // Session not found, user needs to re-authenticate
+     *     const authUrl = await sdk.authorize(savedDid);
+     *   }
+     * }
+     * ```
+     */
+    async restoreSession(did) {
+        if (!did || !did.trim()) {
+            throw new ValidationError("DID is required");
+        }
+        return this.oauthClient.restore(did.trim());
+    }
+    /**
+     * Revokes an OAuth session, logging the user out.
+     *
+     * This method invalidates the session's tokens and removes it from storage.
+     * After revocation, the session can no longer be used or restored.
+     *
+     * @param did - The user's DID to revoke the session for
+     * @throws {@link ValidationError} if the DID is empty
+     *
+     * @example
+     * ```typescript
+     * // Log out the user
+     * await sdk.revokeSession(session.did);
+     * localStorage.removeItem("userDid");
+     * ```
+     */
+    async revokeSession(did) {
+        if (!did || !did.trim()) {
+            throw new ValidationError("DID is required");
+        }
+        return this.oauthClient.revoke(did.trim());
+    }
+    /**
+     * Creates a repository instance for data operations.
+     *
+     * The repository provides a fluent API for working with AT Protocol data
+     * including records, blobs, profiles, and domain-specific operations like
+     * hypercerts and collaborators.
+     *
+     * @param session - An authenticated OAuth session
+     * @param options - Repository configuration options
+     * @returns A {@link Repository} instance configured for the specified server
+     * @throws {@link ValidationError} if the session is invalid or server URL is not configured
+     *
+     * @remarks
+     * - **PDS (Personal Data Server)**: User's own data storage, default for most operations
+     * - **SDS (Shared Data Server)**: Shared data storage with collaborator support
+     *
+     * @example Using default PDS
+     * ```typescript
+     * const repo = sdk.repository(session);
+     * const profile = await repo.profile.get();
+     * ```
+     *
+     * @example Using configured SDS
+     * ```typescript
+     * const sdsRepo = sdk.repository(session, { server: "sds" });
+     * const collaborators = await sdsRepo.collaborators.list();
+     * ```
+     *
+     * @example Using custom server URL
+     * ```typescript
+     * const customRepo = sdk.repository(session, {
+     *   serverUrl: "https://custom.atproto.server"
+     * });
+     * ```
+     */
+    repository(session, options) {
+        if (!session) {
+            throw new ValidationError("Session is required");
+        }
+        // Determine server URL
+        let serverUrl;
+        let isSDS = false;
+        if (options?.serverUrl) {
+            // Custom URL provided
+            serverUrl = options.serverUrl;
+            // Check if it matches configured SDS
+            isSDS = this.config.servers?.sds === serverUrl;
+        }
+        else if (options?.server === "sds") {
+            // Use configured SDS
+            if (!this.config.servers?.sds) {
+                throw new ValidationError("SDS server URL not configured");
+            }
+            serverUrl = this.config.servers.sds;
+            isSDS = true;
+        }
+        else if (options?.server === "pds" || !options?.server) {
+            // Use configured PDS (default)
+            if (!this.config.servers?.pds) {
+                throw new ValidationError("PDS server URL not configured");
+            }
+            serverUrl = this.config.servers.pds;
+            isSDS = false;
+        }
+        else {
+            // Custom server string (treat as URL)
+            serverUrl = options.server;
+            isSDS = this.config.servers?.sds === serverUrl;
+        }
+        // Get repository DID (default to session DID)
+        const repoDid = session.did || session.sub;
+        return new Repository(session, serverUrl, repoDid, this.lexiconRegistry, isSDS, this.logger);
+    }
+    /**
+     * Gets the lexicon registry for schema validation.
+     *
+     * The lexicon registry manages AT Protocol lexicon schemas used for
+     * validating record data. You can register custom lexicons to extend
+     * the SDK's capabilities.
+     *
+     * @returns The {@link LexiconRegistry} instance
+     *
+     * @example
+     * ```typescript
+     * const registry = sdk.getLexiconRegistry();
+     *
+     * // Register custom lexicons
+     * registry.register(myCustomLexicons);
+     *
+     * // Check if a lexicon is registered
+     * const hasLexicon = registry.has("org.example.myRecord");
+     * ```
+     */
+    getLexiconRegistry() {
+        return this.lexiconRegistry;
+    }
+    /**
+     * The configured PDS (Personal Data Server) URL.
+     *
+     * @returns The PDS URL if configured, otherwise `undefined`
+     */
+    get pdsUrl() {
+        return this.config.servers?.pds;
+    }
+    /**
+     * The configured SDS (Shared Data Server) URL.
+     *
+     * @returns The SDS URL if configured, otherwise `undefined`
+     */
+    get sdsUrl() {
+        return this.config.servers?.sds;
+    }
+}
+/**
+ * Factory function to create an ATProto SDK instance.
+ *
+ * This is a convenience function equivalent to `new ATProtoSDK(config)`.
+ *
+ * @param config - SDK configuration
+ * @returns A new {@link ATProtoSDK} instance
+ *
+ * @example
+ * ```typescript
+ * import { createATProtoSDK } from "@hypercerts-org/sdk";
+ *
+ * const sdk = createATProtoSDK({
+ *   oauth: { ... },
+ *   servers: { pds: "https://bsky.social" },
+ * });
+ * ```
+ */
+function createATProtoSDK(config) {
+    return new ATProtoSDK(config);
+}
+
+/**
+ * Zod schema for collaborator permissions in SDS repositories.
+ *
+ * Defines the granular permissions a collaborator can have on a shared repository.
+ * Permissions follow a hierarchical model where higher-level permissions
+ * typically imply lower-level ones.
+ */
+const CollaboratorPermissionsSchema = z.object({
+    /**
+     * Can read/view records in the repository.
+     * This is the most basic permission level.
+     */
+    read: z.boolean(),
+    /**
+     * Can create new records in the repository.
+     * Typically implies `read` permission.
+     */
+    create: z.boolean(),
+    /**
+     * Can modify existing records in the repository.
+     * Typically implies `read` and `create` permissions.
+     */
+    update: z.boolean(),
+    /**
+     * Can delete records from the repository.
+     * Typically implies `read`, `create`, and `update` permissions.
+     */
+    delete: z.boolean(),
+    /**
+     * Can manage collaborators and their permissions.
+     * Administrative permission that allows inviting/removing collaborators.
+     */
+    admin: z.boolean(),
+    /**
+     * Full ownership of the repository.
+     * Owners have all permissions and cannot be removed by other admins.
+     * There must always be at least one owner.
+     */
+    owner: z.boolean(),
+});
+/**
+ * Zod schema for SDS organization data.
+ *
+ * Organizations are top-level entities in SDS that can own repositories
+ * and have multiple collaborators with different permission levels.
+ */
+const OrganizationSchema = z.object({
+    /**
+     * The organization's DID - unique identifier.
+     * Format: "did:plc:..." or "did:web:..."
+     */
+    did: z.string(),
+    /**
+     * The organization's handle - human-readable identifier.
+     * Format: "orgname.sds.hypercerts.org" or similar
+     */
+    handle: z.string(),
+    /**
+     * Display name for the organization.
+     */
+    name: z.string(),
+    /**
+     * Optional description of the organization's purpose.
+     */
+    description: z.string().optional(),
+    /**
+     * ISO 8601 timestamp when the organization was created.
+     * Format: "2024-01-15T10:30:00.000Z"
+     */
+    createdAt: z.string(),
+    /**
+     * The current user's permissions within this organization.
+     */
+    permissions: CollaboratorPermissionsSchema,
+    /**
+     * How the current user relates to this organization.
+     * - `"owner"`: User created or owns the organization
+     * - `"collaborator"`: User was invited to collaborate
+     */
+    accessType: z.enum(["owner", "collaborator"]),
+});
+/**
+ * Zod schema for collaborator data.
+ *
+ * Represents a user who has been granted access to a shared repository
+ * or organization with specific permissions.
+ */
+const CollaboratorSchema = z.object({
+    /**
+     * The collaborator's DID - their unique identifier.
+     * Format: "did:plc:..." or "did:web:..."
+     */
+    userDid: z.string(),
+    /**
+     * The permissions granted to this collaborator.
+     */
+    permissions: CollaboratorPermissionsSchema,
+    /**
+     * DID of the user who granted these permissions.
+     * Useful for audit trails.
+     */
+    grantedBy: z.string(),
+    /**
+     * ISO 8601 timestamp when permissions were granted.
+     * Format: "2024-01-15T10:30:00.000Z"
+     */
+    grantedAt: z.string(),
+    /**
+     * ISO 8601 timestamp when permissions were revoked, if applicable.
+     * Undefined if the collaborator is still active.
+     */
+    revokedAt: z.string().optional(),
+});
+
+export { ATProtoSDK, ATProtoSDKConfigSchema, ATProtoSDKError, AuthenticationError, CollaboratorPermissionsSchema, CollaboratorSchema, InMemorySessionStore, InMemoryStateStore, LexiconRegistry, NetworkError, OAuthConfigSchema, OrganizationSchema, Repository, SDSRequiredError, ServerConfigSchema, SessionExpiredError, TimeoutConfigSchema, ValidationError, createATProtoSDK };
+//# sourceMappingURL=index.mjs.map