@kweaver-ai/kweaver-sdk 0.5.2 → 0.6.1

package/dist/auth/oauth.js

@@ -1,5 +1,6 @@
-import { deleteClientConfig, getCurrentPlatform, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveUserId, saveClientConfig, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
-import { HttpError, NetworkRequestError } from "../utils/http.js";
+import { isNoAuth } from "../config/no-auth.js";
+import { deleteClientConfig, getCurrentPlatform, loadClientConfig, loadTokenConfig, loadUserTokenConfig, resolveUserId, saveClientConfig, saveNoAuthPlatform, saveTokenConfig, setCurrentPlatform, } from "../config/store.js";
+import { HttpError, NetworkRequestError, fetchWithRetry } from "../utils/http.js";
 const TOKEN_TTL_SECONDS = 3600;
 /** Seconds before access token expiry to trigger refresh (matches Python ConfigAuth). */
 const REFRESH_THRESHOLD_SEC = 60;
@@ -159,8 +160,7 @@ async function isClientStillValid(baseUrl, clientId, redirectUri) {
         });
         if (resp.status === 302) {
             const location = resp.headers.get("location") ?? "";
-            if (location.includes("error=invalid_client") ||
-                location.includes("error=error")) {
+            if (location.includes("error=")) {
                 return false;
             }
             return true;
@@ -198,73 +198,99 @@ async function resolveOrRegisterClient(baseUrl, redirectUri, scope, options) {
     }
     let client = loadClientConfig(baseUrl);
     if (client?.clientId) {
-        const valid = await isClientStillValid(baseUrl, client.clientId, redirectUri);
-        if (valid)
-            return client;
-        process.stderr.write("Cached OAuth2 client is no longer valid on the server. Re-registering…\n");
-        deleteClientConfig(baseUrl);
-        client = null;
+        const storedUri = client.redirectUri ?? redirectUri;
+        const valid = await isClientStillValid(baseUrl, client.clientId, storedUri);
+        if (valid) {
+            if (storedUri !== redirectUri) {
+                process.stderr.write("Redirect URI changed. Re-registering OAuth2 client…\n");
+                deleteClientConfig(baseUrl);
+                client = null;
+            }
+            else {
+                return client;
+            }
+        }
+        else {
+            process.stderr.write("Cached OAuth2 client is no longer valid on the server. Re-registering…\n");
+            deleteClientConfig(baseUrl);
+            client = null;
+        }
     }
     const registered = await registerOAuth2Client(baseUrl, redirectUri, scope);
     saveClientConfig(baseUrl, registered);
     return registered;
 }
 /**
- * Parse a redirect URI to extract host, port, and pathname.
- * Returns null if the URI is not a valid HTTP(S) URL.
+ * Emphasize text on stderr (bold + bright yellow) when stderr is a TTY and `NO_COLOR` is unset.
+ * See https://no-color.org/
  */
-function parseRedirectUri(uri) {
-    try {
-        const parsed = new URL(uri);
-        const host = parsed.hostname;
-        const port = parsed.port ? Number(parsed.port) : (parsed.protocol === "https:" ? 443 : 80);
-        const isLocalhost = host === "127.0.0.1" || host === "localhost" || host === "::1";
-        return { host, port, pathname: parsed.pathname, isLocalhost };
+function stderrEmphasis(text) {
+    const noColor = process.env.NO_COLOR;
+    if (noColor != null && noColor !== "") {
+        return text;
     }
-    catch {
-        return null;
+    if (!process.stderr.isTTY) {
+        return text;
     }
+    return `\x1b[1;33m${text}\x1b[0m`;
 }
 /**
- * Manual code flow for non-localhost redirect URIs.
- * Prints the auth URL, then reads the full callback URL from stdin
- * to extract the authorization code.
+ * Headless login: read authorization code from stdin (full callback URL or raw code).
+ * Used with `--no-browser` or when automatic browser launch fails.
  */
-async function waitForManualCode(authUrl, state) {
+async function promptForCode(authUrl, state, port, pasteMode = "explicit") {
     const { createInterface } = await import("node:readline");
-    process.stderr.write("\nSince the redirect URI is not localhost, you need to complete login manually.\n" +
-        "1. Open this URL in your browser:\n\n" +
-        `   ${authUrl}\n\n` +
-        "2. After login, the browser will redirect to your callback URL.\n" +
-        "3. Copy the full callback URL and paste it here:\n\n");
+    const intro = pasteMode === "explicit"
+        ? "Open this URL on any device (use a private/incognito window if you need the full sign-in form):\n\n"
+        : "Could not open a browser automatically. Open this URL on any device:\n\n";
+    const pasteInstructions = "After login, the browser may show an error page (this is expected if nothing listens on localhost).\n" +
+        "Copy the FULL URL from the address bar and paste it here, or paste only the authorization code.\n" +
+        `The URL looks like: http://127.0.0.1:${port}/callback?code=THIS_PART&state=...\n\n`;
+    process.stderr.write("\n" +
+        intro +
+        `  ${authUrl}\n\n` +
+        stderrEmphasis(pasteInstructions));
     const rl = createInterface({ input: process.stdin, output: process.stderr });
-    const callbackUrl = await new Promise((resolve) => {
-        rl.question("Callback URL> ", (answer) => {
+    const input = await new Promise((resolve, reject) => {
+        rl.on("close", () => reject(new Error("Login cancelled.")));
+        rl.question("Paste URL or code> ", (answer) => {
             rl.close();
             resolve(answer.trim());
         });
     });
-    const parsed = new URL(callbackUrl);
-    const receivedState = parsed.searchParams.get("state");
-    if (receivedState !== state) {
-        throw new Error("OAuth2 state mismatch — possible CSRF attack.");
-    }
-    const error = parsed.searchParams.get("error");
-    if (error) {
-        const desc = parsed.searchParams.get("error_description") ?? "";
-        throw new Error(desc ? `Authorization failed: ${error} — ${desc}` : `Authorization failed: ${error}`);
+    if (input.includes("code=")) {
+        let url;
+        try {
+            url = new URL(input.startsWith("http") ? input : `http://x/?${input}`);
+        }
+        catch {
+            throw new Error("Could not parse the pasted URL. Paste the full callback URL or the code value.");
+        }
+        const receivedState = url.searchParams.get("state");
+        if (receivedState && receivedState !== state) {
+            throw new Error("OAuth2 state mismatch — possible CSRF attack.");
+        }
+        const err = url.searchParams.get("error");
+        if (err) {
+            const desc = url.searchParams.get("error_description") ?? "";
+            throw new Error(desc ? `Authorization failed: ${err} — ${desc}` : `Authorization failed: ${err}`);
+        }
+        const code = url.searchParams.get("code");
+        if (!code) {
+            throw new Error("No authorization code found in the pasted URL.");
+        }
+        return code;
     }
-    const code = parsed.searchParams.get("code");
-    if (!code) {
-        throw new Error("No authorization code found in the callback URL.");
+    if (!input) {
+        throw new Error("No authorization code entered.");
     }
-    return code;
+    return input;
 }
 /**
  * OAuth2 Authorization Code login flow.
  * 1. Register client (if not already registered), OR use a provided client ID
- * 2. Open browser to /oauth2/auth
- * 3. Receive authorization code via local HTTP callback (or manual paste for non-localhost)
+ * 2. Open browser to /oauth2/auth (unless `noBrowser` or browser launch fails)
+ * 3. Receive authorization code via local HTTP callback, or stdin paste (`noBrowser` / fallback)
  * 4. Exchange code for access_token + refresh_token
  * 5. Save token.json + client.json to ~/.kweaver/
  */
@@ -275,14 +301,19 @@ export async function oauth2Login(baseUrl, options) {
         const base = normalizeBaseUrl(baseUrl);
         const port = options?.port ?? DEFAULT_REDIRECT_PORT;
         const scope = options?.scope ?? DEFAULT_SCOPE;
-        // Determine redirect URI: explicit option > port-based default
-        const redirectUri = options?.redirectUri ?? `http://127.0.0.1:${port}/callback`;
-        const parsedRedirect = parseRedirectUri(redirectUri);
-        const isLocalRedirect = parsedRedirect?.isLocalhost ?? true;
-        const listenPort = parsedRedirect?.port ?? port;
-        const callbackPathname = parsedRedirect?.pathname ?? "/callback";
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
         // Step 1: Determine client — use provided client ID or fall back to dynamic registration
-        let client = await resolveOrRegisterClient(base, redirectUri, scope, options);
+        let client;
+        try {
+            client = await resolveOrRegisterClient(base, redirectUri, scope, options);
+        }
+        catch (e) {
+            if (e instanceof HttpError && e.status === 404) {
+                process.stderr.write("OAuth2 endpoint not found (404). Saving platform in no-auth mode.\n");
+                return saveNoAuthPlatform(base, { tlsInsecure: options?.tlsInsecure });
+            }
+            throw e;
+        }
         // Use PKCE when no client secret is available (public client / platform client).
         const usePkce = !client.clientSecret;
         const pkce = usePkce ? await generatePkce() : null;
@@ -304,9 +335,19 @@ export async function oauth2Login(baseUrl, options) {
             authParams.set("code_challenge_method", "S256");
         }
         const authUrl = `${base}/oauth2/auth?${authParams.toString()}`;
+        const runPasteCodeFlow = async (pasteMode) => {
+            const code = await promptForCode(authUrl, state, port, pasteMode);
+            const exchanged = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
+            const copyCommand = buildCopyCommand(base, client.clientId, client.clientSecret, exchanged.refreshToken, options?.tlsInsecure);
+            process.stderr.write("\nOn a machine without a browser, run:\n\n  " + copyCommand + "\n\n");
+            return exchanged;
+        };
         let token;
-        if (isLocalRedirect) {
-            // Step 4a: Local callback — start HTTP server to receive the authorization code
+        if (options?.noBrowser) {
+            token = await runPasteCodeFlow("explicit");
+        }
+        else {
+            // Step 4: Local HTTP callback, or paste-code if browser cannot be opened
             token = await new Promise((resolve, reject) => {
                 let server;
                 const timeoutId = setTimeout(() => {
@@ -316,8 +357,8 @@ export async function oauth2Login(baseUrl, options) {
                 server = createServer((req, res) => {
                     void (async () => {
                         try {
-                            const url = new URL(req.url ?? "/", `http://127.0.0.1:${listenPort}`);
-                            if (url.pathname !== callbackPathname) {
+                            const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+                            if (url.pathname !== "/callback") {
                                 res.writeHead(404);
                                 res.end();
                                 return;
@@ -376,19 +417,25 @@ export async function oauth2Login(baseUrl, options) {
                         }
                     })();
                 });
-                server.listen(listenPort, "127.0.0.1", () => {
-                    import("../utils/browser.js").then(({ openBrowser }) => {
-                        openBrowser(authUrl);
-                    });
-                    process.stderr.write(`If the wrong browser opens, copy this URL to your correct browser:\n  ${authUrl}\n`);
+                server.listen(port, "127.0.0.1", () => {
+                    void (async () => {
+                        const { openBrowser } = await import("../utils/browser.js");
+                        const opened = await openBrowser(authUrl);
+                        process.stderr.write(`If the wrong browser opens, copy this URL to your correct browser:\n  ${authUrl}\n`);
+                        if (!opened) {
+                            clearTimeout(timeoutId);
+                            server.close();
+                            try {
+                                resolve(await runPasteCodeFlow("fallback"));
+                            }
+                            catch (err) {
+                                reject(err instanceof Error ? err : new Error(String(err)));
+                            }
+                        }
+                    })();
                 });
             });
         }
-        else {
-            // Step 4b: Non-localhost redirect — manual code entry flow
-            const code = await waitForManualCode(authUrl, state);
-            token = await exchangeCodeForToken(base, code, client.clientId, client.clientSecret, redirectUri, pkce?.verifier, options?.tlsInsecure);
-        }
         setCurrentPlatform(base);
         return token;
     });
@@ -509,13 +556,20 @@ export async function playwrightLogin(baseUrl, options) {
         const base = normalizeBaseUrl(baseUrl);
         const port = options?.port ?? DEFAULT_REDIRECT_PORT;
         const scope = options?.scope ?? DEFAULT_SCOPE;
-        const redirectUri = options?.redirectUri ?? `http://127.0.0.1:${port}/callback`;
-        const parsedRedirect = parseRedirectUri(redirectUri);
-        const listenPort = parsedRedirect?.port ?? port;
-        const callbackPathname = parsedRedirect?.pathname ?? "/callback";
+        const redirectUri = `http://127.0.0.1:${port}/callback`;
         const hasCredentials = !!(options?.username && options?.password);
         // Step 1: Ensure registered OAuth2 client (with stale-client auto-recovery)
-        let client = await resolveOrRegisterClient(base, redirectUri, scope);
+        let client;
+        try {
+            client = await resolveOrRegisterClient(base, redirectUri, scope);
+        }
+        catch (e) {
+            if (e instanceof HttpError && e.status === 404) {
+                process.stderr.write("OAuth2 endpoint not found (404). Saving platform in no-auth mode.\n");
+                return saveNoAuthPlatform(base, { tlsInsecure: options?.tlsInsecure });
+            }
+            throw e;
+        }
         // Step 2: Generate CSRF state
         const state = randomBytes(12).toString("hex");
         // Step 3: Build authorization URL
@@ -543,8 +597,8 @@ export async function playwrightLogin(baseUrl, options) {
             server = createServer((req, res) => {
                 void (async () => {
                     try {
-                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${listenPort}`);
-                        if (url.pathname !== callbackPathname) {
+                        const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+                        if (url.pathname !== "/callback") {
                             res.writeHead(404);
                             res.end();
                             return;
@@ -608,7 +662,7 @@ export async function playwrightLogin(baseUrl, options) {
                     }
                 })();
             });
-            server.listen(listenPort, "127.0.0.1", async () => {
+            server.listen(port, "127.0.0.1", async () => {
                 try {
                     browser = await chromium.launch({ headless: hasCredentials });
                     const context = await browser.newContext({ ignoreHTTPSErrors: !!options?.tlsInsecure });
@@ -649,7 +703,7 @@ export async function playwrightLogin(baseUrl, options) {
  */
 export async function refreshTokenLogin(baseUrl, options) {
     const base = normalizeBaseUrl(baseUrl);
-    const redirectUri = `http://127.0.0.1:${DEFAULT_REDIRECT_PORT}/callback`;
+    const redirectUri = `http://localhost:${DEFAULT_REDIRECT_PORT}/callback`;
     const client = {
         baseUrl: base,
         clientId: options.clientId,
@@ -676,6 +730,9 @@ export async function refreshTokenLogin(baseUrl, options) {
     return token;
 }
 function tokenNeedsRefresh(token) {
+    if (isNoAuth(token.accessToken)) {
+        return false;
+    }
     if (!token.expiresAt) {
         return false;
     }
@@ -692,6 +749,9 @@ function tokenNeedsRefresh(token) {
  */
 export async function refreshAccessToken(token) {
     const baseUrl = normalizeBaseUrl(token.baseUrl);
+    if (isNoAuth(token.accessToken)) {
+        throw new Error(`Cannot refresh no-auth session for ${baseUrl}.`);
+    }
     const refreshToken = token.refreshToken?.trim();
     if (!refreshToken) {
         throw new Error(`Token expired and no refresh_token available for ${baseUrl}. Run \`kweaver auth login ${baseUrl}\` again.`);
@@ -710,7 +770,7 @@ export async function refreshAccessToken(token) {
     });
     let response;
     try {
-        response = await runWithTlsInsecure(token.tlsInsecure, () => fetch(url, {
+        response = await runWithTlsInsecure(token.tlsInsecure, () => fetchWithRetry(url, {
             method: "POST",
             headers: {
                 Authorization: `Basic ${credentials}`,
@@ -777,11 +837,24 @@ export async function ensureValidToken(opts) {
         return {
             baseUrl: normalizeBaseUrl(envBaseUrl),
             accessToken: rawToken,
-            tokenType: "bearer",
+            tokenType: isNoAuth(rawToken) ? "none" : "bearer",
             scope: "",
             obtainedAt: new Date().toISOString(),
         };
     }
+    if (!opts?.forceRefresh && envToken && !envBaseUrl) {
+        const currentPlatformForEnv = getCurrentPlatform();
+        if (currentPlatformForEnv) {
+            const rawToken = envToken.replace(/^Bearer\s+/i, "");
+            return {
+                baseUrl: normalizeBaseUrl(currentPlatformForEnv),
+                accessToken: rawToken,
+                tokenType: isNoAuth(rawToken) ? "none" : "bearer",
+                scope: "",
+                obtainedAt: new Date().toISOString(),
+            };
+        }
+    }
     const currentPlatform = getCurrentPlatform();
     if (!currentPlatform) {
         throw new Error("No active platform selected. Run `kweaver auth login <platform-url>` first.");
@@ -803,6 +876,9 @@ export async function ensureValidToken(opts) {
     if (!token) {
         throw new Error(`No saved token for ${currentPlatform}. Run \`kweaver auth login ${currentPlatform}\` first.`);
     }
+    if (isNoAuth(token.accessToken)) {
+        return token;
+    }
     if (opts?.forceRefresh) {
         return refreshAccessToken(token);
     }
@@ -845,6 +921,9 @@ export async function with401RefreshRetry(fn) {
             if (!latest) {
                 throw error;
             }
+            if (isNoAuth(latest.accessToken)) {
+                throw error;
+            }
             try {
                 await refreshAccessToken(latest);
             }
@@ -869,6 +948,9 @@ export async function withTokenRetry(fn) {
     }
     catch (error) {
         if (error instanceof HttpError && error.status === 401) {
+            if (isNoAuth(token.accessToken)) {
+                throw error;
+            }
             const platformUrl = normalizeBaseUrl(token.baseUrl);
             const envUser = process.env.KWEAVER_USER;
             let latest;
@@ -918,6 +1000,11 @@ function formatOAuthErrorBody(body) {
     }
     return lines.join("\n");
 }
+function isTlsVerificationDisabledForProcess() {
+    return (process.env.NODE_TLS_REJECT_UNAUTHORIZED === "0" ||
+        process.env.KWEAVER_TLS_INSECURE === "1" ||
+        process.env.KWEAVER_TLS_INSECURE === "true");
+}
 export function formatHttpError(error) {
     if (error instanceof HttpError) {
         const oauthMessage = formatOAuthErrorBody(error.body);
@@ -938,7 +1025,10 @@ export function formatHttpError(error) {
     if (error instanceof Error) {
         const cause = "cause" in error && error.cause instanceof Error ? error.cause.message : "";
         if (cause && error.message === "fetch failed") {
-            return `${error.message}: ${cause}\nHint: use --insecure (-k) to skip TLS verification for self-signed certificates.`;
+            const hint = isTlsVerificationDisabledForProcess()
+                ? "Hint: TLS verification is already disabled for this process. Check network reachability, TLS termination, or proxy stability."
+                : "Hint: use --insecure (-k) to skip TLS verification for self-signed certificates.";
+            return `${error.message}: ${cause}\n${hint}`;
         }
         return error.message;
     }

package/dist/cli.js

@@ -1,3 +1,4 @@
+import { NO_AUTH_TOKEN } from "./config/no-auth.js";
 import { applyTlsEnvFromSavedTokens } from "./config/tls-env.js";
 import { runAgentCommand } from "./commands/agent.js";
 import { runAuthCommand } from "./commands/auth.js";
@@ -5,7 +6,9 @@ import { runKnCommand } from "./commands/bkn.js";
 import { runCallCommand } from "./commands/call.js";
 import { runConfigCommand } from "./commands/config.js";
 import { runContextLoaderCommand } from "./commands/context-loader.js";
+import { runDataflowCommand } from "./commands/dataflow.js";
 import { runDsCommand } from "./commands/ds.js";
+import { runExploreCommand } from "./commands/explore.js";
 import { runDataviewCommand } from "./commands/dataview.js";
 import { runSkillCommand } from "./commands/skill.js";
 import { runTokenCommand } from "./commands/token.js";
@@ -18,7 +21,7 @@ Usage:
   kweaver --version | -V
   kweaver --help | -h
 
-  kweaver auth <platform-url> [--alias name] [-u user] [-p pass] [--playwright] [--insecure|-k]
+  kweaver auth <platform-url> [--alias name] [--no-auth] [--no-browser] [-u user] [-p pass] [--playwright] [--insecure|-k]
   kweaver auth login <platform-url>          (alias for auth <url>)
   kweaver auth login <url> --client-id ID --client-secret S --refresh-token T   (run on host without browser)
   kweaver auth whoami [platform-url|alias] [--json]
@@ -55,6 +58,11 @@ Usage:
   kweaver ds tables <id> [--keyword X] [--pretty]
   kweaver ds connect <db_type> <host> <port> <database> --account X --password Y [--schema S] [--name N]
 
+  kweaver dataflow list [-bd value]
+  kweaver dataflow run <dagId> (--file <path> | --url <remote-url> --name <filename>) [-bd value]
+  kweaver dataflow runs <dagId> [--since <date-like>] [-bd value]
+  kweaver dataflow logs <dagId> <instanceId> [--detail] [-bd value]
+
   kweaver dataview list [--datasource-id id] [--type atomic|custom] [--limit n] [-bd value] [--pretty]
   kweaver dataview find --name <name> [--exact] [--datasource-id id] [--wait] [--timeout ms] [-bd value] [--pretty]
   kweaver dataview get <id> [-bd value] [--pretty]
@@ -114,6 +122,7 @@ Commands:
   call (curl)    Call an API with curl-style flags and auto-injected token headers
   agent          Agent CRUD, chat, sessions, history, publish/unpublish
   ds             Manage datasources (list, get, delete, tables, connect)
+  dataflow       Dataflow document workflows (list, run, runs, logs)
   dataview|dv    List, find, get, query (SQL), delete data views (atomic / custom)
   bkn            Knowledge network (CRUD, build, validate, export, stats, push/pull,
                  object-type, relation-type, subgraph, action-type, action-execution, action-log)
@@ -125,6 +134,11 @@ Commands:
 }
 export async function run(argv) {
     applyTlsEnvFromSavedTokens();
+    const noAuthEnv = process.env.KWEAVER_NO_AUTH;
+    if ((noAuthEnv === "1" || noAuthEnv === "true" || noAuthEnv === "yes") &&
+        !process.env.KWEAVER_TOKEN) {
+        process.env.KWEAVER_TOKEN = NO_AUTH_TOKEN;
+    }
     // Global --user flag: override active user for this invocation
     const userIdx = argv.indexOf("--user");
     let filteredArgv = argv;
@@ -153,6 +167,9 @@ export async function run(argv) {
     if (command === "ds") {
         return runDsCommand(rest);
     }
+    if (command === "dataflow") {
+        return runDataflowCommand(rest);
+    }
     if (command === "dataview" || command === "dv") {
         return runDataviewCommand(rest);
     }
@@ -162,6 +179,9 @@ export async function run(argv) {
     if (command === "agent") {
         return runAgentCommand(rest);
     }
+    if (command === "explore") {
+        return runExploreCommand(rest);
+    }
     if (command === "bkn") {
         return runKnCommand(rest);
     }

package/dist/client.d.ts

@@ -40,8 +40,17 @@ export interface KWeaverClientOptions {
      * When true, read credentials exclusively from ~/.kweaver/ (saved by
      * `kweaver auth login`), ignoring KWEAVER_BASE_URL / KWEAVER_TOKEN env vars.
      * Useful when env vars hold stale tokens or are intended for other tooling.
+     * Incompatible with `auth: false` — the constructor throws if both are set.
      */
     config?: boolean;
+    /**
+     * When false, use no-auth mode: API requests omit Authorization / token headers.
+     * Requires a resolvable base URL: `baseUrl`, `KWEAVER_BASE_URL`, or the active
+     * platform from `kweaver auth login`. Incompatible with `config: true` — use
+     * saved `~/.kweaver/` credentials (including `__NO_AUTH__`) via `config: true`
+     * alone instead of passing `auth: false`.
+     */
+    auth?: boolean;
 }
 /**
  * Main entry point for the KWeaver TypeScript SDK.

package/dist/client.js

@@ -1,5 +1,7 @@
 import { applyTlsEnvFromSavedTokens } from "./config/tls-env.js";
+import { NO_AUTH_TOKEN, isNoAuth } from "./config/no-auth.js";
 import { getCurrentPlatform, loadTokenConfig, } from "./config/store.js";
+import { buildHeaders } from "./api/headers.js";
 import { ensureValidToken } from "./auth/oauth.js";
 import { AgentsResource } from "./resources/agents.js";
 import { ConversationsResource } from "./resources/conversations.js";
@@ -64,8 +66,39 @@ export class KWeaverClient {
     skills;
     constructor(opts = {}) {
         const envDomain = process.env.KWEAVER_BUSINESS_DOMAIN;
+        if (opts.auth === false && opts.config) {
+            throw new Error("KWeaverClient: auth: false is incompatible with config: true.");
+        }
         let baseUrl;
         let accessToken;
+        if (opts.auth === false) {
+            {
+                const envUrl = process.env.KWEAVER_BASE_URL;
+                baseUrl = opts.baseUrl ?? envUrl;
+                if (!baseUrl) {
+                    const platform = getCurrentPlatform();
+                    if (platform)
+                        baseUrl = platform;
+                }
+            }
+            if (!baseUrl) {
+                throw new Error("KWeaverClient: baseUrl is required when auth is false. " +
+                    "Pass it explicitly, set KWEAVER_BASE_URL, or run `kweaver auth login`.");
+            }
+            this._baseUrl = baseUrl.replace(/\/+$/, "");
+            this._accessToken = NO_AUTH_TOKEN;
+            this._businessDomain = opts.businessDomain ?? envDomain ?? "bd_public";
+            this.knowledgeNetworks = new KnowledgeNetworksResource(this);
+            this.agents = new AgentsResource(this);
+            this.bkn = new BknResource(this);
+            this.conversations = new ConversationsResource(this);
+            this.dataflows = new DataflowsResource(this);
+            this.datasources = new DataSourcesResource(this);
+            this.dataviews = new DataViewsResource(this);
+            this.vega = new VegaResource(this);
+            this.skills = new SkillsResource(this);
+            return;
+        }
         if (opts.config) {
             // config: true — read exclusively from ~/.kweaver/, ignore env vars
             const platform = getCurrentPlatform();
@@ -140,15 +173,22 @@ export class KWeaverClient {
             accessToken: token.accessToken,
             ...opts,
         });
-        // Quick probe — if the token was revoked server-side, force refresh
-        try {
-            const probe = await fetch(`${token.baseUrl.replace(/\/+$/, "")}/api/ontology-manager/v1/knowledge-networks?limit=1`, { headers: { authorization: `Bearer ${token.accessToken}`, token: token.accessToken } });
-            if (probe.status === 401) {
-                throw new Error("Access token revoked. Run `kweaver auth login` to re-authenticate.");
+        if (!isNoAuth(token.accessToken)) {
+            // Quick probe — if the token was revoked server-side, force refresh
+            try {
+                const bd = client.base().businessDomain;
+                const probe = await fetch(`${token.baseUrl.replace(/\/+$/, "")}/api/ontology-manager/v1/knowledge-networks?limit=1`, { headers: buildHeaders(token.accessToken, bd) });
+                if (probe.status === 401) {
+                    throw new Error("Access token revoked. Run `kweaver auth login` to re-authenticate.");
+                }
+            }
+            catch (e) {
+                if (e instanceof Error &&
+                    e.message.startsWith("Access token revoked")) {
+                    throw e;
+                }
+                // Network error — return client as-is, let the caller deal with it
             }
-        }
-        catch {
-            // Network error — return client as-is, let the caller deal with it
         }
         return client;
     }