@kweaver-ai/kweaver-sdk 0.4.10 → 0.4.12

package/dist/auth/oauth.js

@@ -8,82 +8,137 @@ const DEFAULT_SCOPE = "openid offline all";
 export function normalizeBaseUrl(value) {
     return value.replace(/\/+$/, "");
 }
+/**
+ * Temporarily disable TLS certificate verification for Node `fetch` (sets
+ * NODE_TLS_REJECT_UNAUTHORIZED). Used for `--insecure` login and token refresh.
+ */
+async function runWithTlsInsecure(tlsInsecure, fn) {
+    if (!tlsInsecure) {
+        return fn();
+    }
+    const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    try {
+        return await fn();
+    }
+    finally {
+        if (prev === undefined) {
+            delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+        }
+        else {
+            process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+        }
+    }
+}
+/** Generate a PKCE code_verifier and code_challenge (S256). */
+async function generatePkce() {
+    const { randomBytes, createHash } = await import("node:crypto");
+    const verifier = randomBytes(48).toString("base64url");
+    const challenge = createHash("sha256").update(verifier).digest("base64url");
+    return { verifier, challenge };
+}
 /**
  * OAuth2 Authorization Code login flow.
- * 1. Register client (if not already registered)
+ * 1. Register client (if not already registered), OR use a provided client ID
  * 2. Open browser to /oauth2/auth
  * 3. Receive authorization code via local HTTP callback
  * 4. Exchange code for access_token + refresh_token
  * 5. Save token.json + client.json to ~/.kweaver/
  */
 export async function oauth2Login(baseUrl, options) {
-    const { createServer } = await import("node:http");
-    const { randomBytes } = await import("node:crypto");
-    const base = normalizeBaseUrl(baseUrl);
-    const port = options?.port ?? DEFAULT_REDIRECT_PORT;
-    const scope = options?.scope ?? DEFAULT_SCOPE;
-    const redirectUri = `http://127.0.0.1:${port}/callback`;
-    // Step 1: Ensure registered client
-    let client = loadClientConfig(base);
-    if (!client?.clientId) {
-        client = await registerOAuth2Client(base, redirectUri, scope);
-        saveClientConfig(base, client);
-    }
-    // Step 2: Generate CSRF state
-    const state = randomBytes(12).toString("hex");
-    // Step 3: Build authorization URL
-    const authParams = new URLSearchParams({
-        redirect_uri: redirectUri,
-        "x-forwarded-prefix": "",
-        client_id: client.clientId,
-        scope,
-        response_type: "code",
-        state,
-        lang: "zh-cn",
-        product: "adp",
-    });
-    const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-    // Step 4: Start local callback server, wait for code
-    const code = await new Promise((resolve, reject) => {
-        const timeoutId = setTimeout(() => {
-            server.close();
-            reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
-        }, 120_000);
-        const server = createServer((req, res) => {
-            const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-            if (url.pathname === "/callback") {
-                const receivedState = url.searchParams.get("state");
-                const receivedCode = url.searchParams.get("code");
-                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
-                clearTimeout(timeoutId);
+    return runWithTlsInsecure(options?.tlsInsecure, async () => {
+        const { createServer } = await import("node:http");
+        const { randomBytes } = await import("node:crypto");
+        const base = normalizeBaseUrl(baseUrl);
+        const port = options?.port ?? DEFAULT_REDIRECT_PORT;
+        const scope = options?.scope ?? DEFAULT_SCOPE;
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        // Step 1: Determine client — use provided client ID or fall back to dynamic registration
+        let client = loadClientConfig(base);
+        if (options?.clientId) {
+            // Use the platform's existing client (e.g. the web app client).
+            // Persist it so future logins reuse it without re-registering.
+            client = {
+                baseUrl: base,
+                clientId: options.clientId,
+                clientSecret: options.clientSecret ?? "",
+                redirectUri,
+                logoutRedirectUri: redirectUri.replace("/callback", "/successful-logout"),
+                scope,
+                lang: "zh-cn",
+                product: "adp",
+                xForwardedPrefix: "",
+            };
+            saveClientConfig(base, client);
+        }
+        else if (!client?.clientId) {
+            client = await registerOAuth2Client(base, redirectUri, scope);
+            saveClientConfig(base, client);
+        }
+        // Use PKCE when no client secret is available (public client / platform client).
+        const usePkce = !client.clientSecret;
+        const pkce = usePkce ? await generatePkce() : null;
+        // Step 2: Generate CSRF state
+        const state = randomBytes(12).toString("hex");
+        // Step 3: Build authorization URL
+        const authParams = new URLSearchParams({
+            redirect_uri: redirectUri,
+            "x-forwarded-prefix": "",
+            client_id: client.clientId,
+            scope,
+            response_type: "code",
+            state,
+            lang: "zh-cn",
+            product: "adp",
+        });
+        if (pkce) {
+            authParams.set("code_challenge", pkce.challenge);
+            authParams.set("code_challenge_method", "S256");
+        }
+        const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
+        // Step 4: Start local callback server, wait for code
+        const code = await new Promise((resolve, reject) => {
+            const timeoutId = setTimeout(() => {
                 server.close();
-                if (receivedState !== state) {
-                    reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                }
-                else if (!receivedCode) {
-                    reject(new Error("No authorization code received in callback."));
+                reject(new Error("OAuth2 login timed out (120s). No authorization code received."));
+            }, 120_000);
+            const server = createServer((req, res) => {
+                const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+                if (url.pathname === "/callback") {
+                    const receivedState = url.searchParams.get("state");
+                    const receivedCode = url.searchParams.get("code");
+                    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                    res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
+                    clearTimeout(timeoutId);
+                    server.close();
+                    if (receivedState !== state) {
+                        reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
+                    }
+                    else if (!receivedCode) {
+                        reject(new Error("No authorization code received in callback."));
+                    }
+                    else {
+                        resolve(receivedCode);
+                    }
                 }
                 else {
-                    resolve(receivedCode);
+                    res.writeHead(404);
+                    res.end();
                 }
-            }
-            else {
-                res.writeHead(404);
-                res.end();
-            }
-        });
-        server.listen(port, "127.0.0.1", () => {
-            // Step 5: Open browser (uses spawn with proper Windows quoting)
-            import("../utils/browser.js").then(({ openBrowser }) => {
-                openBrowser(authUrl);
+            });
+            server.listen(port, "127.0.0.1", () => {
+                // Step 5: Open browser (uses spawn with proper Windows quoting)
+                import("../utils/browser.js").then(({ openBrowser }) => {
+                    openBrowser(authUrl);
+                });
+                process.stderr.write(`If the wrong browser opens, copy this URL to your correct browser:\n  ${authUrl}\n`);
             });
         });
+        // Step 6: Exchange code for tokens
+        const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
+        setCurrentPlatform(base);
+        return token;
     });
-    // Step 6: Exchange code for tokens
-    const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri);
-    setCurrentPlatform(base);
-    return token;
 }
 async function registerOAuth2Client(baseUrl, redirectUri, scope) {
     const logoutUri = redirectUri.replace("/callback", "/successful-logout");
@@ -123,20 +178,31 @@ async function registerOAuth2Client(baseUrl, redirectUri, scope) {
         xForwardedPrefix: "",
     };
 }
-async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redirectUri) {
-    const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redirectUri, codeVerifier, tlsInsecure) {
+    const params = {
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+    };
+    if (codeVerifier) {
+        params.code_verifier = codeVerifier;
+    }
+    const headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+    };
+    if (clientSecret) {
+        // Confidential client: use HTTP Basic auth
+        headers.Authorization = `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString("base64")}`;
+    }
+    else {
+        // Public client (PKCE): send client_id in body
+        params.client_id = clientId;
+    }
     const response = await fetch(`${baseUrl}/oauth2/token`, {
         method: "POST",
-        headers: {
-            Authorization: `Basic ${credentials}`,
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json",
-        },
-        body: new URLSearchParams({
-            grant_type: "authorization_code",
-            code,
-            redirect_uri: redirectUri,
-        }).toString(),
+        headers,
+        body: new URLSearchParams(params).toString(),
     });
     const text = await response.text();
     if (!response.ok) {
@@ -155,6 +221,7 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
         refreshToken: data.refresh_token ?? "",
         idToken: data.id_token ?? "",
         obtainedAt: now.toISOString(),
+        ...(tlsInsecure ? { tlsInsecure: true } : {}),
     };
     saveTokenConfig(token);
     return token;
@@ -171,105 +238,107 @@ async function exchangeCodeForToken(baseUrl, code, clientId, clientSecret, redir
  * window for manual login (same UX as the old cookie-based flow).
  */
 export async function playwrightLogin(baseUrl, options) {
-    const { createServer } = await import("node:http");
-    const { randomBytes } = await import("node:crypto");
-    let chromium;
-    try {
-        const modName = "playwright";
-        const pw = await import(/* webpackIgnore: true */ modName);
-        chromium = pw.chromium;
-    }
-    catch {
-        throw new Error("Playwright is not installed. Run:\n  npm install playwright && npx playwright install chromium");
-    }
-    const base = normalizeBaseUrl(baseUrl);
-    const port = options?.port ?? DEFAULT_REDIRECT_PORT;
-    const scope = options?.scope ?? DEFAULT_SCOPE;
-    const redirectUri = `http://127.0.0.1:${port}/callback`;
-    const hasCredentials = !!(options?.username && options?.password);
-    // Step 1: Ensure registered OAuth2 client
-    let client = loadClientConfig(base);
-    if (!client?.clientId) {
-        client = await registerOAuth2Client(base, redirectUri, scope);
-        saveClientConfig(base, client);
-    }
-    // Step 2: Generate CSRF state
-    const state = randomBytes(12).toString("hex");
-    // Step 3: Build authorization URL
-    const authParams = new URLSearchParams({
-        redirect_uri: redirectUri,
-        "x-forwarded-prefix": "",
-        client_id: client.clientId,
-        scope,
-        response_type: "code",
-        state,
-        lang: "zh-cn",
-        product: "adp",
-    });
-    const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
-    // Step 4: Start local callback server to capture the authorization code
-    const code = await new Promise((resolve, reject) => {
-        const TIMEOUT_MS = hasCredentials ? 30_000 : 120_000;
-        const timeoutId = setTimeout(() => {
-            server.close();
-            browser?.close();
-            reject(new Error(`OAuth2 login timed out (${TIMEOUT_MS / 1000}s). No authorization code received.`));
-        }, TIMEOUT_MS);
-        const server = createServer((req, res) => {
-            const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
-            if (url.pathname === "/callback") {
-                const receivedState = url.searchParams.get("state");
-                const receivedCode = url.searchParams.get("code");
-                res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-                res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
-                clearTimeout(timeoutId);
+    return runWithTlsInsecure(options?.tlsInsecure, async () => {
+        const { createServer } = await import("node:http");
+        const { randomBytes } = await import("node:crypto");
+        let chromium;
+        try {
+            const modName = "playwright";
+            const pw = await import(/* webpackIgnore: true */ modName);
+            chromium = pw.chromium;
+        }
+        catch {
+            throw new Error("Playwright is not installed. Run:\n  npm install playwright && npx playwright install chromium");
+        }
+        const base = normalizeBaseUrl(baseUrl);
+        const port = options?.port ?? DEFAULT_REDIRECT_PORT;
+        const scope = options?.scope ?? DEFAULT_SCOPE;
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
+        const hasCredentials = !!(options?.username && options?.password);
+        // Step 1: Ensure registered OAuth2 client
+        let client = loadClientConfig(base);
+        if (!client?.clientId) {
+            client = await registerOAuth2Client(base, redirectUri, scope);
+            saveClientConfig(base, client);
+        }
+        // Step 2: Generate CSRF state
+        const state = randomBytes(12).toString("hex");
+        // Step 3: Build authorization URL
+        const authParams = new URLSearchParams({
+            redirect_uri: redirectUri,
+            "x-forwarded-prefix": "",
+            client_id: client.clientId,
+            scope,
+            response_type: "code",
+            state,
+            lang: "zh-cn",
+            product: "adp",
+        });
+        const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
+        // Step 4: Start local callback server to capture the authorization code
+        const code = await new Promise((resolve, reject) => {
+            const TIMEOUT_MS = hasCredentials ? 30_000 : 120_000;
+            const timeoutId = setTimeout(() => {
                 server.close();
                 browser?.close();
-                if (receivedState !== state) {
-                    reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
-                }
-                else if (!receivedCode) {
-                    reject(new Error("No authorization code received in callback."));
+                reject(new Error(`OAuth2 login timed out (${TIMEOUT_MS / 1000}s). No authorization code received.`));
+            }, TIMEOUT_MS);
+            const server = createServer((req, res) => {
+                const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+                if (url.pathname === "/callback") {
+                    const receivedState = url.searchParams.get("state");
+                    const receivedCode = url.searchParams.get("code");
+                    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+                    res.end("<html><body><h2>Login successful. You can close this tab.</h2></body></html>");
+                    clearTimeout(timeoutId);
+                    server.close();
+                    browser?.close();
+                    if (receivedState !== state) {
+                        reject(new Error("OAuth2 state mismatch — possible CSRF attack."));
+                    }
+                    else if (!receivedCode) {
+                        reject(new Error("No authorization code received in callback."));
+                    }
+                    else {
+                        resolve(receivedCode);
+                    }
                 }
                 else {
-                    resolve(receivedCode);
+                    res.writeHead(404);
+                    res.end();
                 }
-            }
-            else {
-                res.writeHead(404);
-                res.end();
-            }
-        });
-        let browser;
-        server.listen(port, "127.0.0.1", async () => {
-            try {
-                browser = await chromium.launch({ headless: hasCredentials });
-                const context = await browser.newContext();
-                const page = await context.newPage();
-                // Navigate to OAuth2 auth URL — redirects to signin page
-                await page.goto(authUrl, { waitUntil: "networkidle", timeout: 30_000 });
-                if (hasCredentials) {
-                    // Auto-fill credentials
-                    await page.waitForSelector('input[name="account"]', { timeout: 10_000 });
-                    await page.fill('input[name="account"]', options.username);
-                    await page.fill('input[name="password"]', options.password);
-                    await page.click("button.ant-btn-primary");
+            });
+            let browser;
+            server.listen(port, "127.0.0.1", async () => {
+                try {
+                    browser = await chromium.launch({ headless: hasCredentials });
+                    const context = await browser.newContext({ ignoreHTTPSErrors: !!options?.tlsInsecure });
+                    const page = await context.newPage();
+                    // Navigate to OAuth2 auth URL — redirects to signin page
+                    await page.goto(authUrl, { waitUntil: "networkidle", timeout: 30_000 });
+                    if (hasCredentials) {
+                        // Auto-fill credentials
+                        await page.waitForSelector('input[name="account"]', { timeout: 10_000 });
+                        await page.fill('input[name="account"]', options.username);
+                        await page.fill('input[name="password"]', options.password);
+                        await page.click("button.ant-btn-primary");
+                    }
+                    // else: visible browser — user logs in manually
+                    // The OAuth2 callback will fire when login completes, resolving the promise above
                 }
-                // else: visible browser — user logs in manually
-                // The OAuth2 callback will fire when login completes, resolving the promise above
-            }
-            catch (err) {
-                clearTimeout(timeoutId);
-                server.close();
-                browser?.close();
-                reject(err);
-            }
+                catch (err) {
+                    clearTimeout(timeoutId);
+                    server.close();
+                    browser?.close();
+                    reject(err);
+                }
+            });
         });
+        // Step 5: Exchange authorization code for tokens (includes refresh_token)
+        const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, undefined, options?.tlsInsecure);
+        setCurrentPlatform(base);
+        return token;
     });
-    // Step 5: Exchange authorization code for tokens (includes refresh_token)
-    const token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri);
-    setCurrentPlatform(base);
-    return token;
 }
 function tokenNeedsRefresh(token) {
     if (!token.expiresAt) {
@@ -306,7 +375,7 @@ export async function refreshAccessToken(token) {
     });
     let response;
     try {
-        response = await fetch(url, {
+        response = await runWithTlsInsecure(token.tlsInsecure, () => fetch(url, {
             method: "POST",
             headers: {
                 Authorization: `Basic ${credentials}`,
@@ -314,7 +383,7 @@ export async function refreshAccessToken(token) {
                 Accept: "application/json",
             },
             body: body.toString(),
-        });
+        }));
     }
     catch (cause) {
         const hint = cause instanceof Error ? cause.message : String(cause);
@@ -346,6 +415,7 @@ export async function refreshAccessToken(token) {
         refreshToken: data.refresh_token ?? refreshToken,
         idToken: data.id_token ?? token.idToken ?? "",
         obtainedAt: now.toISOString(),
+        ...(token.tlsInsecure ? { tlsInsecure: true } : {}),
     };
     saveTokenConfig(newToken);
     return newToken;
@@ -486,6 +556,10 @@ export function formatHttpError(error) {
         ].join("\n").trim();
     }
     if (error instanceof Error) {
+        const cause = "cause" in error && error.cause instanceof Error ? error.cause.message : "";
+        if (cause && error.message === "fetch failed") {
+            return `${error.message}: ${cause}\nHint: use --insecure (-k) to skip TLS verification for self-signed certificates.`;
+        }
         return error.message;
     }
     return String(error);

package/dist/cli.js

@@ -1,3 +1,4 @@
+import { applyTlsEnvFromSavedTokens } from "./config/tls-env.js";
 import { runAgentCommand } from "./commands/agent.js";
 import { runAuthCommand } from "./commands/auth.js";
 import { runKnCommand } from "./commands/bkn.js";
@@ -5,6 +6,7 @@ import { runCallCommand } from "./commands/call.js";
 import { runConfigCommand } from "./commands/config.js";
 import { runContextLoaderCommand } from "./commands/context-loader.js";
 import { runDsCommand } from "./commands/ds.js";
+import { runDataviewCommand } from "./commands/dataview.js";
 import { runTokenCommand } from "./commands/token.js";
 import { runVegaCommand } from "./commands/vega.js";
 function printHelp() {
@@ -14,7 +16,7 @@ Usage:
   kweaver --version | -V
   kweaver --help | -h
 
-  kweaver auth <platform-url> [--alias name] [-u user] [-p pass] [--playwright]
+  kweaver auth <platform-url> [--alias name] [-u user] [-p pass] [--playwright] [--insecure|-k]
   kweaver auth login <platform-url>          (alias for auth <url>)
   kweaver auth status [platform-url|alias]
   kweaver auth list
@@ -46,6 +48,11 @@ Usage:
   kweaver ds tables <id> [--keyword X] [--pretty]
   kweaver ds connect <db_type> <host> <port> <database> --account X --password Y [--schema S] [--name N]
 
+  kweaver dataview list [--datasource-id id] [--type atomic|custom] [--limit n] [-bd value] [--pretty]
+  kweaver dataview find --name <name> [--exact] [--datasource-id id] [--wait] [--timeout ms] [-bd value] [--pretty]
+  kweaver dataview get <id> [-bd value] [--pretty]
+  kweaver dataview delete <id> [-y] [-bd value]
+
   kweaver bkn list [options]
   kweaver bkn get <kn-id> [options]
   kweaver bkn search <kn-id> <query> [--max-concepts N] [--mode M] [--pretty] [-bd value]
@@ -89,6 +96,7 @@ Commands:
   call (curl)    Call an API with curl-style flags and auto-injected token headers
   agent          Agent CRUD, chat, sessions, history, publish/unpublish
   ds             Manage datasources (list, get, delete, tables, connect)
+  dataview       List, find, get, delete data views (atomic / custom)
   bkn            Knowledge network (CRUD, build, validate, export, stats, push/pull,
                  object-type, relation-type, subgraph, action-type, action-execution, action-log)
   config         Per-platform configuration (business domain)
@@ -97,6 +105,7 @@ Commands:
   help           Show this message`);
 }
 export async function run(argv) {
+    applyTlsEnvFromSavedTokens();
     const [command, ...rest] = argv;
     if (command === "--version" || command === "-V" || command === "version") {
         const { createRequire } = await import("node:module");
@@ -118,6 +127,9 @@ export async function run(argv) {
     if (command === "ds") {
         return runDsCommand(rest);
     }
+    if (command === "dataview") {
+        return runDataviewCommand(rest);
+    }
     if (command === "token") {
         return runTokenCommand(rest);
     }

package/dist/client.d.ts

@@ -1,8 +1,12 @@
 import { AgentsResource } from "./resources/agents.js";
 import { ConversationsResource } from "./resources/conversations.js";
 import { ContextLoaderResource } from "./resources/context-loader.js";
+import { DataflowsResource } from "./resources/dataflows.js";
+import { DataSourcesResource } from "./resources/datasources.js";
+import { DataViewsResource } from "./resources/dataviews.js";
 import { KnowledgeNetworksResource } from "./resources/knowledge-networks.js";
 import { BknResource } from "./resources/bkn.js";
+import { VegaResource } from "./resources/vega.js";
 /**
  * Shared credentials passed to every resource method.
  * Internal — use KWeaverClient.
@@ -78,6 +82,14 @@ export declare class KWeaverClient implements ClientContext {
     readonly bkn: BknResource;
     /** Conversation and message history. */
     readonly conversations: ConversationsResource;
+    /** Dataflow DAG automation (create/run/poll/delete). */
+    readonly dataflows: DataflowsResource;
+    /** Data source management (connect, test, list tables). */
+    readonly datasources: DataSourcesResource;
+    /** Data view creation and retrieval. */
+    readonly dataviews: DataViewsResource;
+    /** Vega observability platform (catalogs, resources, connector types). */
+    readonly vega: VegaResource;
     constructor(opts?: KWeaverClientOptions);
     /**
      * Async factory that auto-refreshes expired or revoked tokens.

package/dist/client.js

@@ -1,10 +1,15 @@
+import { applyTlsEnvFromSavedTokens } from "./config/tls-env.js";
 import { getCurrentPlatform, loadTokenConfig, } from "./config/store.js";
 import { ensureValidToken } from "./auth/oauth.js";
 import { AgentsResource } from "./resources/agents.js";
 import { ConversationsResource } from "./resources/conversations.js";
 import { ContextLoaderResource } from "./resources/context-loader.js";
+import { DataflowsResource } from "./resources/dataflows.js";
+import { DataSourcesResource } from "./resources/datasources.js";
+import { DataViewsResource } from "./resources/dataviews.js";
 import { KnowledgeNetworksResource } from "./resources/knowledge-networks.js";
 import { BknResource } from "./resources/bkn.js";
+import { VegaResource } from "./resources/vega.js";
 // ── KWeaverClient ─────────────────────────────────────────────────────────────
 /**
  * Main entry point for the KWeaver TypeScript SDK.
@@ -46,6 +51,14 @@ export class KWeaverClient {
     bkn;
     /** Conversation and message history. */
     conversations;
+    /** Dataflow DAG automation (create/run/poll/delete). */
+    dataflows;
+    /** Data source management (connect, test, list tables). */
+    datasources;
+    /** Data view creation and retrieval. */
+    dataviews;
+    /** Vega observability platform (catalogs, resources, connector types). */
+    vega;
     constructor(opts = {}) {
         const envDomain = process.env.KWEAVER_BUSINESS_DOMAIN;
         let baseUrl;
@@ -97,6 +110,10 @@ export class KWeaverClient {
         this.agents = new AgentsResource(this);
         this.bkn = new BknResource(this);
         this.conversations = new ConversationsResource(this);
+        this.dataflows = new DataflowsResource(this);
+        this.datasources = new DataSourcesResource(this);
+        this.dataviews = new DataViewsResource(this);
+        this.vega = new VegaResource(this);
     }
     /**
      * Async factory that auto-refreshes expired or revoked tokens.
@@ -111,6 +128,7 @@ export class KWeaverClient {
      * ```
      */
     static async connect(opts = {}) {
+        applyTlsEnvFromSavedTokens();
         // Try with current token first
         let token = await ensureValidToken();
         const client = new KWeaverClient({