@onkernel/sdk 0.24.0 → 0.26.0

package/src/resources/agents/auth/auth.ts

@@ -4,7 +4,6 @@ import { APIResource } from '../../../core/resource';
 import * as InvocationsAPI from './invocations';
 import {
   InvocationCreateParams,
-  InvocationDiscoverParams,
   InvocationExchangeParams,
   InvocationExchangeResponse,
   InvocationSubmitParams,
@@ -28,8 +27,8 @@ export class Auth extends APIResource {
    * @example
    * ```ts
    * const authAgent = await client.agents.auth.create({
+   *   domain: 'netflix.com',
    *   profile_name: 'user-123',
-   *   target_domain: 'netflix.com',
    * });
    * ```
    */
@@ -51,7 +50,7 @@ export class Auth extends APIResource {
   }
 
   /**
-   * List auth agents with optional filters for profile_name and target_domain.
+   * List auth agents with optional filters for profile_name and domain.
    *
    * @example
    * ```ts
@@ -86,126 +85,148 @@ export class Auth extends APIResource {
       headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
     });
   }
-
-  /**
-   * Triggers automatic re-authentication for an auth agent using stored credentials.
-   * Requires the auth agent to have a linked credential, stored selectors, and
-   * login_url. Returns immediately with status indicating whether re-auth was
-   * started.
-   *
-   * @example
-   * ```ts
-   * const reauthResponse = await client.agents.auth.reauth(
-   *   'id',
-   * );
-   * ```
-   */
-  reauth(id: string, options?: RequestOptions): APIPromise<ReauthResponse> {
-    return this._client.post(path`/agents/auth/${id}/reauth`, options);
-  }
 }
 
 export type AuthAgentsOffsetPagination = OffsetPagination<AuthAgent>;
 
 /**
- * Response from discover endpoint matching AuthBlueprint schema
+ * Response from get invocation endpoint
  */
-export interface AgentAuthDiscoverResponse {
+export interface AgentAuthInvocationResponse {
   /**
-   * Whether discovery succeeded
+   * App name (org name at time of invocation creation)
    */
-  success: boolean;
+  app_name: string;
 
   /**
-   * Error message if discovery failed
+   * Domain for authentication
    */
-  error_message?: string;
+  domain: string;
 
   /**
-   * Discovered form fields (present when success is true)
+   * When the handoff code expires
    */
-  fields?: Array<DiscoveredField>;
+  expires_at: string;
 
   /**
-   * Whether user is already logged in
+   * Invocation status
    */
-  logged_in?: boolean;
+  status: 'IN_PROGRESS' | 'SUCCESS' | 'EXPIRED' | 'CANCELED' | 'FAILED';
 
   /**
-   * URL of the discovered login page
+   * Current step in the invocation workflow
    */
-  login_url?: string;
+  step:
+    | 'initialized'
+    | 'discovering'
+    | 'awaiting_input'
+    | 'awaiting_external_action'
+    | 'submitting'
+    | 'completed'
+    | 'expired';
 
   /**
-   * Title of the login page
+   * The invocation type:
+   *
+   * - login: First-time authentication
+   * - reauth: Re-authentication for previously authenticated agents
+   * - auto_login: Legacy type (no longer created, kept for backward compatibility)
    */
-  page_title?: string;
-}
+  type: 'login' | 'auto_login' | 'reauth';
 
-/**
- * Response from get invocation endpoint
- */
-export interface AgentAuthInvocationResponse {
   /**
-   * App name (org name at time of invocation creation)
+   * Error message explaining why the invocation failed (present when status=FAILED)
    */
-  app_name: string;
+  error_message?: string | null;
 
   /**
-   * When the handoff code expires
+   * Instructions for user when external action is required (present when
+   * step=awaiting_external_action)
    */
-  expires_at: string;
+  external_action_message?: string | null;
 
   /**
-   * Invocation status
+   * Browser live view URL for debugging the invocation
    */
-  status: 'IN_PROGRESS' | 'SUCCESS' | 'EXPIRED' | 'CANCELED';
+  live_view_url?: string | null;
 
   /**
-   * Target domain for authentication
+   * MFA method options to choose from (present when step=awaiting_input and MFA
+   * selection is required)
    */
-  target_domain: string;
-}
+  mfa_options?: Array<AgentAuthInvocationResponse.MfaOption> | null;
 
-/**
- * Response from submit endpoint matching SubmitResult schema
- */
-export interface AgentAuthSubmitResponse {
   /**
-   * Whether submission succeeded
+   * Fields currently awaiting input (present when step=awaiting_input)
    */
-  success: boolean;
+  pending_fields?: Array<DiscoveredField> | null;
 
   /**
-   * Additional fields needed (e.g., OTP) - present when needs_additional_auth is
-   * true
+   * SSO buttons available on the page (present when step=awaiting_input)
    */
-  additional_fields?: Array<DiscoveredField>;
+  pending_sso_buttons?: Array<AgentAuthInvocationResponse.PendingSSOButton> | null;
 
   /**
-   * App name (only present when logged_in is true)
+   * Names of fields that have been submitted (present when step=submitting or later)
    */
-  app_name?: string;
+  submitted_fields?: Array<string> | null;
+}
 
+export namespace AgentAuthInvocationResponse {
   /**
-   * Error message if submission failed
+   * An MFA method option for verification
    */
-  error_message?: string;
+  export interface MfaOption {
+    /**
+     * The visible option text
+     */
+    label: string;
 
-  /**
-   * Whether user is now logged in
-   */
-  logged_in?: boolean;
+    /**
+     * The MFA delivery method type
+     */
+    type: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'security_key';
+
+    /**
+     * Additional instructions from the site
+     */
+    description?: string | null;
+
+    /**
+     * The masked destination (phone/email) if shown
+     */
+    target?: string | null;
+  }
 
   /**
-   * Whether additional authentication fields are needed
+   * An SSO button for signing in with an external identity provider
    */
-  needs_additional_auth?: boolean;
+  export interface PendingSSOButton {
+    /**
+     * Visible button text
+     */
+    label: string;
+
+    /**
+     * Identity provider name
+     */
+    provider: string;
+
+    /**
+     * XPath selector for the button
+     */
+    selector: string;
+  }
+}
 
+/**
+ * Response from submit endpoint - returns immediately after submission is accepted
+ */
+export interface AgentAuthSubmitResponse {
   /**
-   * Target domain (only present when logged_in is true)
+   * Whether the submission was accepted for processing
    */
-  target_domain?: string;
+  accepted: boolean;
 }
 
 /**
@@ -233,6 +254,13 @@ export interface AuthAgent {
    */
   status: 'AUTHENTICATED' | 'NEEDS_AUTH';
 
+  /**
+   * Additional domains that are valid for this auth agent's authentication flow
+   * (besides the primary domain). Useful when login pages redirect to different
+   * domains.
+   */
+  allowed_domains?: Array<string>;
+
   /**
    * Whether automatic re-authentication is possible (has credential_id, selectors,
    * and login_url)
@@ -258,21 +286,34 @@ export interface AuthAgent {
    * When the last authentication check was performed
    */
   last_auth_check_at?: string;
+
+  /**
+   * URL where the browser landed after successful login. Query parameters and
+   * fragments are stripped for privacy.
+   */
+  post_login_url?: string;
 }
 
 /**
  * Request to create or find an auth agent
  */
 export interface AuthAgentCreateRequest {
+  /**
+   * Domain for authentication
+   */
+  domain: string;
+
   /**
    * Name of the profile to use for this auth agent
    */
   profile_name: string;
 
   /**
-   * Target domain for authentication
+   * Additional domains that are valid for this auth agent's authentication flow
+   * (besides the primary domain). Useful when login pages redirect to different
+   * domains.
    */
-  target_domain: string;
+  allowed_domains?: Array<string>;
 
   /**
    * Optional name of an existing credential to use for this auth agent. If provided,
@@ -323,52 +364,37 @@ export interface AuthAgentInvocationCreateRequest {
 }
 
 /**
- * Response when the agent is already authenticated.
+ * Response from creating an invocation. Always returns an invocation_id.
  */
-export type AuthAgentInvocationCreateResponse =
-  | AuthAgentInvocationCreateResponse.AuthAgentAlreadyAuthenticated
-  | AuthAgentInvocationCreateResponse.AuthAgentInvocationCreated;
-
-export namespace AuthAgentInvocationCreateResponse {
+export interface AuthAgentInvocationCreateResponse {
   /**
-   * Response when the agent is already authenticated.
+   * When the handoff code expires.
    */
-  export interface AuthAgentAlreadyAuthenticated {
-    /**
-     * Indicates the agent is already authenticated and no invocation was created.
-     */
-    status: 'already_authenticated';
-  }
+  expires_at: string;
 
   /**
-   * Response when a new invocation was created.
+   * One-time code for handoff.
    */
-  export interface AuthAgentInvocationCreated {
-    /**
-     * When the handoff code expires.
-     */
-    expires_at: string;
-
-    /**
-     * One-time code for handoff.
-     */
-    handoff_code: string;
+  handoff_code: string;
 
-    /**
-     * URL to redirect user to.
-     */
-    hosted_url: string;
+  /**
+   * URL to redirect user to.
+   */
+  hosted_url: string;
 
-    /**
-     * Unique identifier for the invocation.
-     */
-    invocation_id: string;
+  /**
+   * Unique identifier for the invocation.
+   */
+  invocation_id: string;
 
-    /**
-     * Indicates an invocation was created.
-     */
-    status: 'invocation_created';
-  }
+  /**
+   * The invocation type:
+   *
+   * - login: First-time authentication
+   * - reauth: Re-authentication for previously authenticated agents
+   * - auto_login: Legacy type (no longer created, kept for backward compatibility)
+   */
+  type: 'login' | 'auto_login' | 'reauth';
 }
 
 /**
@@ -393,7 +419,7 @@ export interface DiscoveredField {
   /**
    * Field type
    */
-  type: 'text' | 'email' | 'password' | 'tel' | 'number' | 'url' | 'code';
+  type: 'text' | 'email' | 'password' | 'tel' | 'number' | 'url' | 'code' | 'totp';
 
   /**
    * Field placeholder
@@ -406,36 +432,23 @@ export interface DiscoveredField {
   required?: boolean;
 }
 
-/**
- * Response from triggering re-authentication
- */
-export interface ReauthResponse {
-  /**
-   * Result of the re-authentication attempt
-   */
-  status: 'reauth_started' | 'already_authenticated' | 'cannot_reauth';
-
-  /**
-   * ID of the re-auth invocation if one was created
-   */
-  invocation_id?: string;
-
+export interface AuthCreateParams {
   /**
-   * Human-readable description of the result
+   * Domain for authentication
    */
-  message?: string;
-}
+  domain: string;
 
-export interface AuthCreateParams {
   /**
    * Name of the profile to use for this auth agent
    */
   profile_name: string;
 
   /**
-   * Target domain for authentication
+   * Additional domains that are valid for this auth agent's authentication flow
+   * (besides the primary domain). Useful when login pages redirect to different
+   * domains.
    */
-  target_domain: string;
+  allowed_domains?: Array<string>;
 
   /**
    * Optional name of an existing credential to use for this auth agent. If provided,
@@ -470,21 +483,20 @@ export namespace AuthCreateParams {
 
 export interface AuthListParams extends OffsetPaginationParams {
   /**
-   * Filter by profile name
+   * Filter by domain
    */
-  profile_name?: string;
+  domain?: string;
 
   /**
-   * Filter by target domain
+   * Filter by profile name
    */
-  target_domain?: string;
+  profile_name?: string;
 }
 
 Auth.Invocations = Invocations;
 
 export declare namespace Auth {
   export {
-    type AgentAuthDiscoverResponse as AgentAuthDiscoverResponse,
     type AgentAuthInvocationResponse as AgentAuthInvocationResponse,
     type AgentAuthSubmitResponse as AgentAuthSubmitResponse,
     type AuthAgent as AuthAgent,
@@ -492,7 +504,6 @@ export declare namespace Auth {
     type AuthAgentInvocationCreateRequest as AuthAgentInvocationCreateRequest,
     type AuthAgentInvocationCreateResponse as AuthAgentInvocationCreateResponse,
     type DiscoveredField as DiscoveredField,
-    type ReauthResponse as ReauthResponse,
     type AuthAgentsOffsetPagination as AuthAgentsOffsetPagination,
     type AuthCreateParams as AuthCreateParams,
     type AuthListParams as AuthListParams,
@@ -502,7 +513,6 @@ export declare namespace Auth {
     Invocations as Invocations,
     type InvocationExchangeResponse as InvocationExchangeResponse,
     type InvocationCreateParams as InvocationCreateParams,
-    type InvocationDiscoverParams as InvocationDiscoverParams,
     type InvocationExchangeParams as InvocationExchangeParams,
     type InvocationSubmitParams as InvocationSubmitParams,
   };

package/src/resources/agents/auth/index.ts

@@ -2,7 +2,6 @@
 
 export {
   Auth,
-  type AgentAuthDiscoverResponse,
   type AgentAuthInvocationResponse,
   type AgentAuthSubmitResponse,
   type AuthAgent,
@@ -10,7 +9,6 @@ export {
   type AuthAgentInvocationCreateRequest,
   type AuthAgentInvocationCreateResponse,
   type DiscoveredField,
-  type ReauthResponse,
   type AuthCreateParams,
   type AuthListParams,
   type AuthAgentsOffsetPagination,
@@ -19,7 +17,6 @@ export {
   Invocations,
   type InvocationExchangeResponse,
   type InvocationCreateParams,
-  type InvocationDiscoverParams,
   type InvocationExchangeParams,
   type InvocationSubmitParams,
 } from './invocations';

package/src/resources/agents/auth/invocations.ts

@@ -28,8 +28,8 @@ export class Invocations extends APIResource {
   }
 
   /**
-   * Returns invocation details including app_name and target_domain. Uses the JWT
-   * returned by the exchange endpoint, or standard API key or JWT authentication.
+   * Returns invocation details including status, app_name, and domain. Supports both
+   * API key and JWT (from exchange endpoint) authentication.
    *
    * @example
    * ```ts
@@ -43,27 +43,6 @@ export class Invocations extends APIResource {
     return this._client.get(path`/agents/auth/invocations/${invocationID}`, options);
   }
 
-  /**
-   * Inspects the target site to detect logged-in state or discover required fields.
-   * Returns 200 with success: true when fields are found, or 4xx/5xx for failures.
-   * Requires the JWT returned by the exchange endpoint.
-   *
-   * @example
-   * ```ts
-   * const agentAuthDiscoverResponse =
-   *   await client.agents.auth.invocations.discover(
-   *     'invocation_id',
-   *   );
-   * ```
-   */
-  discover(
-    invocationID: string,
-    body: InvocationDiscoverParams | null | undefined = {},
-    options?: RequestOptions,
-  ): APIPromise<AuthAPI.AgentAuthDiscoverResponse> {
-    return this._client.post(path`/agents/auth/invocations/${invocationID}/discover`, { body, ...options });
-  }
-
   /**
    * Validates the handoff code and returns a JWT token for subsequent requests. No
    * authentication required (the handoff code serves as the credential).
@@ -86,8 +65,9 @@ export class Invocations extends APIResource {
   }
 
   /**
-   * Submits field values for the discovered login form and may return additional
-   * auth fields or success. Requires the JWT returned by the exchange endpoint.
+   * Submits field values for the discovered login form. Returns immediately after
+   * submission is accepted. Poll the invocation endpoint to track progress and get
+   * results.
    *
    * @example
    * ```ts
@@ -141,14 +121,6 @@ export interface InvocationCreateParams {
   save_credential_as?: string;
 }
 
-export interface InvocationDiscoverParams {
-  /**
-   * Optional login page URL. If provided, will override the stored login URL for
-   * this discovery invocation and skip Phase 1 discovery.
-   */
-  login_url?: string;
-}
-
 export interface InvocationExchangeParams {
   /**
    * Handoff code from start endpoint
@@ -156,18 +128,38 @@ export interface InvocationExchangeParams {
   code: string;
 }
 
-export interface InvocationSubmitParams {
-  /**
-   * Values for the discovered login fields
-   */
-  field_values: { [key: string]: string };
+export type InvocationSubmitParams =
+  | InvocationSubmitParams.Variant0
+  | InvocationSubmitParams.Variant1
+  | InvocationSubmitParams.Variant2;
+
+export declare namespace InvocationSubmitParams {
+  export interface Variant0 {
+    /**
+     * Values for the discovered login fields
+     */
+    field_values: { [key: string]: string };
+  }
+
+  export interface Variant1 {
+    /**
+     * Selector of SSO button to click
+     */
+    sso_button: string;
+  }
+
+  export interface Variant2 {
+    /**
+     * The MFA delivery method type
+     */
+    selected_mfa_type: 'sms' | 'call' | 'email' | 'totp' | 'push' | 'security_key';
+  }
 }
 
 export declare namespace Invocations {
   export {
     type InvocationExchangeResponse as InvocationExchangeResponse,
     type InvocationCreateParams as InvocationCreateParams,
-    type InvocationDiscoverParams as InvocationDiscoverParams,
     type InvocationExchangeParams as InvocationExchangeParams,
     type InvocationSubmitParams as InvocationSubmitParams,
   };

package/src/resources/agents/index.ts

@@ -3,7 +3,6 @@
 export { Agents } from './agents';
 export {
   Auth,
-  type AgentAuthDiscoverResponse,
   type AgentAuthInvocationResponse,
   type AgentAuthSubmitResponse,
   type AuthAgent,
@@ -11,7 +10,6 @@ export {
   type AuthAgentInvocationCreateRequest,
   type AuthAgentInvocationCreateResponse,
   type DiscoveredField,
-  type ReauthResponse,
   type AuthCreateParams,
   type AuthListParams,
   type AuthAgentsOffsetPagination,