@paneui/core 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Lalit Singh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,31 @@
+# @paneui/core
+
+Typed client for the Pane relay HTTP + WebSocket API. Framework-free: no argv,
+no MCP, no server dependencies — just the relay protocol expressed as typed
+operations.
+
+## Runtime requirement: Node.js >= 20
+
+`@paneui/core` targets the **Node.js** runtime (>= 20, as declared in
+`package.json`'s `engines`). It is *framework*-free, not *runtime*-free.
+
+The WebSocket transport (`openStream`) uses the [`ws`](https://www.npmjs.com/package/ws)
+package rather than the global `WebSocket`. `ws` exposes a Node-style event API
+(`socket.on("message", ...)`, custom upgrade headers such as `Authorization`)
+that the browser `WebSocket` does not, and the relay protocol relies on it.
+Because of this, `@paneui/core` is **not** intended to run in a browser or other
+non-Node runtime as-is.
+
+The HTTP surface (`PaneClient`, `registerAgent`) uses the standard `fetch` API
+and is runtime-agnostic; only `openStream` carries the Node constraint.
+
+If you need a browser client, treat that as separate future work — it would
+need a `ws`-vs-global-`WebSocket` abstraction rather than the unconditional
+`import { WebSocket } from "ws"` used today.
+
+## Exports
+
+- `PaneClient` / `PaneApiError` — typed HTTP operations against a relay.
+- `openStream` — WebSocket stream (replay-on-connect, then live). **Node only.**
+- `registerAgent` — agent registration helper.
+- `artifactSchema`, `callbackSchema`, `createSessionSchema` — Zod schemas.

package/dist/client.d.ts

@@ -0,0 +1,161 @@
+import type { ArtifactRecord, ArtifactSummary, ArtifactType, ArtifactVersion, CreateArtifactResponse, CreateSessionRequest, CreateSessionResponse, EventsPage, KeyInfo, PaneEvent, SessionState } from "./types.js";
+export interface ClientOptions {
+    /** Relay base URL, e.g. https://pane.example.com. Trailing slash is trimmed. */
+    url: string;
+    /** Agent API key (bearer token). */
+    apiKey: string;
+    /** Optional fetch override (defaults to global fetch). */
+    fetch?: typeof fetch;
+}
+/** Low-level relay response: ok flag, HTTP status, parsed JSON body. */
+export interface RelayResponse {
+    ok: boolean;
+    status: number;
+    data: unknown;
+}
+/**
+ * Request body for POST /v1/artifacts — create a named, reusable artifact plus
+ * its v1 content. Mirrors `createArtifactSchema` from ./schemas.js.
+ */
+export interface CreateArtifactRequest {
+    name: string;
+    slug?: string;
+    description?: string;
+    tags?: string[];
+    source: string;
+    type: ArtifactType;
+    event_schema?: unknown;
+    input_schema?: Record<string, unknown>;
+}
+/**
+ * Request body for POST /v1/artifacts/:id/versions — append a new immutable
+ * version (content only). Mirrors `createArtifactVersionSchema`.
+ */
+export interface CreateArtifactVersionRequest {
+    source: string;
+    type: ArtifactType;
+    event_schema?: unknown;
+    input_schema?: Record<string, unknown>;
+}
+/**
+ * Request body for PATCH /v1/artifacts/:id — head metadata only (never
+ * content). Mirrors `patchArtifactMetadataSchema`.
+ */
+export interface PatchArtifactMetadataRequest {
+    name?: string;
+    slug?: string;
+    description?: string;
+    tags?: string[];
+}
+/**
+ * An error thrown by the typed operations when the relay returns a non-2xx
+ * response (or the request fails outright). Carries the HTTP status and the
+ * relay error envelope so callers can branch on `code`.
+ */
+export declare class PaneApiError extends Error {
+    readonly status: number;
+    readonly code: string;
+    readonly details: unknown;
+    /** Agent-friendly remediation hint, when the relay supplies one. */
+    readonly hint?: string;
+    /** Whether retrying the same request may succeed (e.g. 429). */
+    readonly retryable?: boolean;
+    /** Documentation URL for this error class (mapped from the wire's `docs_url`). */
+    readonly docsUrl?: string;
+    constructor(status: number, code: string, message: string, details?: unknown, extra?: {
+        hint?: string;
+        retryable?: boolean;
+        docsUrl?: string;
+    });
+}
+export declare class PaneClient {
+    private readonly base;
+    private readonly apiKey;
+    private readonly fetchImpl;
+    constructor(opts: ClientOptions);
+    /** Relay base URL (trailing slash trimmed). */
+    get baseUrl(): string;
+    /** WebSocket base URL derived from the relay base URL (http→ws, https→wss). */
+    get wsBaseUrl(): string;
+    /**
+     * Low-level HTTP helper. Mirrors the relay API contract: Bearer auth,
+     * JSON bodies, 204 handled. Never throws on non-2xx — returns `ok: false`.
+     * Network failures return `{ ok: false, status: 0, ... }`.
+     */
+    call(method: string, path: string, body?: object): Promise<RelayResponse>;
+    /** Assert a 2xx body is a non-null object before treating it as typed JSON. */
+    private asObject;
+    /** Throw a PaneApiError from a failed RelayResponse. */
+    private fail;
+    /** POST /v1/sessions — create a session. */
+    createSession(req: CreateSessionRequest): Promise<CreateSessionResponse>;
+    /** GET /v1/sessions/:id — non-blocking session metadata. */
+    getSession(sessionId: string): Promise<SessionState>;
+    /**
+     * GET /v1/sessions/:id/events — fetch the event log.
+     * `since` is an opaque cursor; `waitSeconds` enables the relay long-poll
+     * (0 = non-blocking, capped at 30 by the relay).
+     */
+    getEvents(sessionId: string, opts?: {
+        since?: string | null;
+        waitSeconds?: number;
+    }): Promise<EventsPage>;
+    /** POST /v1/sessions/:id/events — append an agent event. */
+    sendEvent(sessionId: string, ev: {
+        type: string;
+        data: unknown;
+        causationId?: string;
+        idempotencyKey?: string;
+    }): Promise<{
+        event: PaneEvent;
+        deduped: boolean;
+    }>;
+    /**
+     * POST /v1/artifacts — create a named, reusable artifact and its v1 content.
+     * Returns the new `artifact_id` and `version` (1).
+     */
+    createArtifact(req: CreateArtifactRequest): Promise<CreateArtifactResponse>;
+    /**
+     * POST /v1/artifacts/:id/versions — append a new immutable version to an
+     * existing artifact. `idOrSlug` accepts the artifact id or its slug.
+     * Returns the new `version` number.
+     */
+    createArtifactVersion(idOrSlug: string, req: CreateArtifactVersionRequest): Promise<CreateArtifactResponse>;
+    /**
+     * PATCH /v1/artifacts/:id — update head metadata (name / slug / description /
+     * tags); never the content. Returns the updated lean summary.
+     */
+    updateArtifact(idOrSlug: string, metadata: PatchArtifactMetadataRequest): Promise<ArtifactSummary>;
+    /**
+     * GET /v1/artifacts?q=... — search/list the agent's named artifacts. The
+     * response is lean (no `source` blob), ranked by `last_used_at`. Omit `query`
+     * to list every named artifact.
+     */
+    searchArtifacts(query?: string): Promise<ArtifactSummary[]>;
+    /**
+     * GET /v1/artifacts/:id — fetch a full artifact (head metadata + version
+     * list). `idOrSlug` accepts the artifact id or its slug.
+     */
+    getArtifact(idOrSlug: string): Promise<ArtifactRecord>;
+    /**
+     * GET /v1/artifacts/:id/versions/:version — fetch one version's full
+     * content (HTML, event schema, input schema).
+     */
+    getArtifactVersion(idOrSlug: string, version: number): Promise<ArtifactVersion>;
+    /**
+     * GET /v1/keys — the calling agent's own key info. The relay scopes this to
+     * the authenticated agent: it returns one key (the caller's), not a list.
+     */
+    listKeys(): Promise<KeyInfo>;
+    /**
+     * DELETE /v1/keys/:id — revoke an API key. The relay only permits revoking
+     * the caller's OWN key (any other id is rejected 403): this is a
+     * self-destruct. Returns 204 with no body on success.
+     */
+    revokeKey(id: string): Promise<void>;
+    /**
+     * DELETE /v1/sessions/:id — close/delete a session. Idempotent on the relay
+     * side (an already-closed session still returns 204 with no body).
+     */
+    deleteSession(id: string): Promise<void>;
+}

package/dist/client.js

@@ -0,0 +1,281 @@
+// Pane relay HTTP client. Pure: no argv, no process.env reads, no MCP.
+// The caller supplies the relay base URL + API key explicitly.
+import { MAX_RESPONSE_SNIPPET_LENGTH } from "./limits.js";
+/**
+ * An error thrown by the typed operations when the relay returns a non-2xx
+ * response (or the request fails outright). Carries the HTTP status and the
+ * relay error envelope so callers can branch on `code`.
+ */
+export class PaneApiError extends Error {
+    status;
+    code;
+    details;
+    /** Agent-friendly remediation hint, when the relay supplies one. */
+    hint;
+    /** Whether retrying the same request may succeed (e.g. 429). */
+    retryable;
+    /** Documentation URL for this error class (mapped from the wire's `docs_url`). */
+    docsUrl;
+    constructor(status, code, message, details, extra) {
+        super(message);
+        this.name = "PaneApiError";
+        this.status = status;
+        this.code = code;
+        this.details = details;
+        this.hint = extra?.hint;
+        this.retryable = extra?.retryable;
+        this.docsUrl = extra?.docsUrl;
+    }
+}
+export class PaneClient {
+    base;
+    apiKey;
+    fetchImpl;
+    constructor(opts) {
+        this.base = opts.url.replace(/\/$/, "");
+        this.apiKey = opts.apiKey;
+        this.fetchImpl = opts.fetch ?? fetch;
+    }
+    /** Relay base URL (trailing slash trimmed). */
+    get baseUrl() {
+        return this.base;
+    }
+    /** WebSocket base URL derived from the relay base URL (http→ws, https→wss). */
+    get wsBaseUrl() {
+        const u = new URL(this.base);
+        u.protocol = u.protocol === "https:" ? "wss:" : "ws:";
+        return u.toString().replace(/\/$/, "");
+    }
+    /**
+     * Low-level HTTP helper. Mirrors the relay API contract: Bearer auth,
+     * JSON bodies, 204 handled. Never throws on non-2xx — returns `ok: false`.
+     * Network failures return `{ ok: false, status: 0, ... }`.
+     */
+    async call(method, path, body) {
+        const url = this.base + path;
+        let res;
+        try {
+            res = await this.fetchImpl(url, {
+                method,
+                headers: {
+                    authorization: "Bearer " + this.apiKey,
+                    ...(body ? { "content-type": "application/json" } : {}),
+                },
+                body: body ? JSON.stringify(body) : undefined,
+            });
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            return {
+                ok: false,
+                status: 0,
+                data: { error: { code: "fetch_error", message: msg } },
+            };
+        }
+        let data = null;
+        if (res.status !== 204) {
+            const text = await res.text().catch(() => "");
+            if (text !== "") {
+                try {
+                    data = JSON.parse(text);
+                }
+                catch {
+                    // Body was not JSON (HTML error page, plain-text proxy error, …).
+                    // Don't discard it — surface the raw text so callers can diagnose.
+                    const snippet = text.length > MAX_RESPONSE_SNIPPET_LENGTH
+                        ? text.slice(0, MAX_RESPONSE_SNIPPET_LENGTH) + "…"
+                        : text;
+                    data = {
+                        error: {
+                            code: "non_json_response",
+                            message: `relay returned a non-JSON body (status ${res.status})`,
+                            details: { body: snippet },
+                        },
+                    };
+                }
+            }
+        }
+        return { ok: res.ok, status: res.status, data };
+    }
+    /** Assert a 2xx body is a non-null object before treating it as typed JSON. */
+    asObject(r) {
+        if (r.data === null ||
+            typeof r.data !== "object" ||
+            Array.isArray(r.data)) {
+            throw new PaneApiError(r.status, "invalid_response", `relay returned a ${r.status} with a non-object body`, { body: r.data });
+        }
+        return r.data;
+    }
+    /** Throw a PaneApiError from a failed RelayResponse. */
+    fail(r) {
+        const err = r.data?.error;
+        throw new PaneApiError(r.status, err?.code ?? "relay_error", err?.message ?? `relay returned ${r.status}`, err?.details, {
+            hint: err?.hint,
+            retryable: err?.retryable,
+            docsUrl: err?.docs_url,
+        });
+    }
+    /** POST /v1/sessions — create a session. */
+    async createSession(req) {
+        const r = await this.call("POST", "/v1/sessions", {
+            artifact: req.artifact,
+            input_data: req.input_data,
+            participants: req.participants,
+            ttl: req.ttl,
+            metadata: req.metadata,
+            callback: req.callback,
+        });
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /** GET /v1/sessions/:id — non-blocking session metadata. */
+    async getSession(sessionId) {
+        const r = await this.call("GET", `/v1/sessions/${encodeURIComponent(sessionId)}`);
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * GET /v1/sessions/:id/events — fetch the event log.
+     * `since` is an opaque cursor; `waitSeconds` enables the relay long-poll
+     * (0 = non-blocking, capped at 30 by the relay).
+     */
+    async getEvents(sessionId, opts = {}) {
+        const q = new URLSearchParams();
+        if (opts.since != null && opts.since !== "")
+            q.set("since", opts.since);
+        if (opts.waitSeconds != null && opts.waitSeconds > 0) {
+            q.set("wait", String(Math.floor(opts.waitSeconds)));
+        }
+        const qs = q.toString();
+        const r = await this.call("GET", `/v1/sessions/${encodeURIComponent(sessionId)}/events${qs ? "?" + qs : ""}`);
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /** POST /v1/sessions/:id/events — append an agent event. */
+    async sendEvent(sessionId, ev) {
+        const r = await this.call("POST", `/v1/sessions/${encodeURIComponent(sessionId)}/events`, {
+            type: ev.type,
+            data: ev.data,
+            causation_id: ev.causationId,
+            idempotency_key: ev.idempotencyKey,
+        });
+        if (!r.ok)
+            this.fail(r);
+        const body = this.asObject(r);
+        return { event: body.event, deduped: body.deduped ?? false };
+    }
+    /**
+     * POST /v1/artifacts — create a named, reusable artifact and its v1 content.
+     * Returns the new `artifact_id` and `version` (1).
+     */
+    async createArtifact(req) {
+        const r = await this.call("POST", "/v1/artifacts", {
+            name: req.name,
+            slug: req.slug,
+            description: req.description,
+            tags: req.tags,
+            source: req.source,
+            type: req.type,
+            event_schema: req.event_schema,
+            input_schema: req.input_schema,
+        });
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * POST /v1/artifacts/:id/versions — append a new immutable version to an
+     * existing artifact. `idOrSlug` accepts the artifact id or its slug.
+     * Returns the new `version` number.
+     */
+    async createArtifactVersion(idOrSlug, req) {
+        const r = await this.call("POST", `/v1/artifacts/${encodeURIComponent(idOrSlug)}/versions`, {
+            source: req.source,
+            type: req.type,
+            event_schema: req.event_schema,
+            input_schema: req.input_schema,
+        });
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * PATCH /v1/artifacts/:id — update head metadata (name / slug / description /
+     * tags); never the content. Returns the updated lean summary.
+     */
+    async updateArtifact(idOrSlug, metadata) {
+        const r = await this.call("PATCH", `/v1/artifacts/${encodeURIComponent(idOrSlug)}`, {
+            name: metadata.name,
+            slug: metadata.slug,
+            description: metadata.description,
+            tags: metadata.tags,
+        });
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * GET /v1/artifacts?q=... — search/list the agent's named artifacts. The
+     * response is lean (no `source` blob), ranked by `last_used_at`. Omit `query`
+     * to list every named artifact.
+     */
+    async searchArtifacts(query) {
+        const qs = query != null && query !== "" ? "?q=" + encodeURIComponent(query) : "";
+        const r = await this.call("GET", `/v1/artifacts${qs}`);
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r).artifacts;
+    }
+    /**
+     * GET /v1/artifacts/:id — fetch a full artifact (head metadata + version
+     * list). `idOrSlug` accepts the artifact id or its slug.
+     */
+    async getArtifact(idOrSlug) {
+        const r = await this.call("GET", `/v1/artifacts/${encodeURIComponent(idOrSlug)}`);
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * GET /v1/artifacts/:id/versions/:version — fetch one version's full
+     * content (HTML, event schema, input schema).
+     */
+    async getArtifactVersion(idOrSlug, version) {
+        const r = await this.call("GET", `/v1/artifacts/${encodeURIComponent(idOrSlug)}/versions/${encodeURIComponent(String(version))}`);
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * GET /v1/keys — the calling agent's own key info. The relay scopes this to
+     * the authenticated agent: it returns one key (the caller's), not a list.
+     */
+    async listKeys() {
+        const r = await this.call("GET", "/v1/keys");
+        if (!r.ok)
+            this.fail(r);
+        return this.asObject(r);
+    }
+    /**
+     * DELETE /v1/keys/:id — revoke an API key. The relay only permits revoking
+     * the caller's OWN key (any other id is rejected 403): this is a
+     * self-destruct. Returns 204 with no body on success.
+     */
+    async revokeKey(id) {
+        const r = await this.call("DELETE", `/v1/keys/${encodeURIComponent(id)}`);
+        if (!r.ok)
+            this.fail(r);
+    }
+    /**
+     * DELETE /v1/sessions/:id — close/delete a session. Idempotent on the relay
+     * side (an already-closed session still returns 204 with no body).
+     */
+    async deleteSession(id) {
+        const r = await this.call("DELETE", `/v1/sessions/${encodeURIComponent(id)}`);
+        if (!r.ok)
+            this.fail(r);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { PaneClient, PaneApiError } from "./client.js";
+export type { ClientOptions, RelayResponse, CreateArtifactRequest, CreateArtifactVersionRequest, PatchArtifactMetadataRequest, } from "./client.js";
+export { openStream } from "./stream.js";
+export type { OpenStreamOptions, StreamHandlers, StreamHandle, } from "./stream.js";
+export { registerAgent } from "./register.js";
+export type { RegisterAgentOptions, RegisterAgentResult } from "./register.js";
+export { artifactSchema, callbackSchema, createSessionSchema, artifactTypeSchema, createArtifactSchema, createArtifactVersionSchema, patchArtifactMetadataSchema, } from "./schemas.js";
+export type { CreateSessionInput } from "./schemas.js";
+export { MAX_EVENT_TYPE_LENGTH, MAX_IDEMPOTENCY_KEY_LENGTH, MAX_RESPONSE_SNIPPET_LENGTH, MAX_FRAME_SNIPPET_LENGTH, } from "./limits.js";
+export type { AuthorKind, PaneEvent, Artifact, ArtifactType, ArtifactVersion, ArtifactRecord, ArtifactSummary, CreateArtifactResponse, KeyInfo, Callback, CreateSessionRequest, CreateSessionResponse, SessionState, EventsPage, RelayError, } from "./types.js";

package/dist/index.js

@@ -0,0 +1,7 @@
+// @paneui/core — typed client for the Pane relay HTTP + WebSocket API.
+// Pure and framework-free: no argv, no MCP, no server deps.
+export { PaneClient, PaneApiError } from "./client.js";
+export { openStream } from "./stream.js";
+export { registerAgent } from "./register.js";
+export { artifactSchema, callbackSchema, createSessionSchema, artifactTypeSchema, createArtifactSchema, createArtifactVersionSchema, patchArtifactMetadataSchema, } from "./schemas.js";
+export { MAX_EVENT_TYPE_LENGTH, MAX_IDEMPOTENCY_KEY_LENGTH, MAX_RESPONSE_SNIPPET_LENGTH, MAX_FRAME_SNIPPET_LENGTH, } from "./limits.js";

package/dist/limits.d.ts

@@ -0,0 +1,8 @@
+/** Maximum length of an event type string, in characters. */
+export declare const MAX_EVENT_TYPE_LENGTH = 64;
+/** Maximum length of an idempotency key string, in characters. */
+export declare const MAX_IDEMPOTENCY_KEY_LENGTH = 128;
+/** Maximum number of characters from a raw response body to include in error details. */
+export declare const MAX_RESPONSE_SNIPPET_LENGTH = 500;
+/** Maximum number of characters from a raw stream frame to include in error messages. */
+export declare const MAX_FRAME_SNIPPET_LENGTH = 200;

package/dist/limits.js

@@ -0,0 +1,10 @@
+// Shared protocol limits used across transports (HTTP and WebSocket).
+// Defined once here so both relay and client code import the same constants.
+/** Maximum length of an event type string, in characters. */
+export const MAX_EVENT_TYPE_LENGTH = 64;
+/** Maximum length of an idempotency key string, in characters. */
+export const MAX_IDEMPOTENCY_KEY_LENGTH = 128;
+/** Maximum number of characters from a raw response body to include in error details. */
+export const MAX_RESPONSE_SNIPPET_LENGTH = 500;
+/** Maximum number of characters from a raw stream frame to include in error messages. */
+export const MAX_FRAME_SNIPPET_LENGTH = 200;

package/dist/register.d.ts

@@ -0,0 +1,25 @@
+export interface RegisterAgentOptions {
+    /** Relay base URL, e.g. https://pane.example.com. Trailing slash is trimmed. */
+    url: string;
+    /** Optional agent display name; the relay defaults it if omitted. */
+    name?: string;
+    /**
+     * Shared registration secret. Sent as `Authorization: Bearer <secret>`.
+     * Only needed when the relay runs REGISTRATION_MODE=secret; ignored by
+     * relays in open mode and rejected (404) by relays in closed mode.
+     */
+    secret?: string;
+    /** Optional fetch override (defaults to global fetch). */
+    fetch?: typeof fetch;
+}
+export interface RegisterAgentResult {
+    agent_id: string;
+    api_key: string;
+    key_prefix: string;
+}
+/**
+ * Provision a fresh agent + API key from the relay. Mirrors PaneClient.call's
+ * never-throw-raw style: network/parse failures and non-2xx responses are
+ * surfaced as PaneApiError.
+ */
+export declare function registerAgent(opts: RegisterAgentOptions): Promise<RegisterAgentResult>;

package/dist/register.js

@@ -0,0 +1,62 @@
+// Standalone agent self-registration: POST /v1/register.
+//
+// Unlike PaneClient operations this needs no bearer API key — registration is
+// the call that *obtains* one. Whether the relay endpoint is reachable depends
+// on its REGISTRATION_MODE: a `secret`-mode relay requires the shared
+// registration secret to be passed as a Bearer token (see the `secret` option
+// below). Abuse is bounded server-side by a per-IP rate limit (a 429 surfaces
+// here as a PaneApiError with status 429).
+import { PaneApiError } from "./client.js";
+import { MAX_RESPONSE_SNIPPET_LENGTH } from "./limits.js";
+/**
+ * Provision a fresh agent + API key from the relay. Mirrors PaneClient.call's
+ * never-throw-raw style: network/parse failures and non-2xx responses are
+ * surfaced as PaneApiError.
+ */
+export async function registerAgent(opts) {
+    const base = opts.url.replace(/\/$/, "");
+    const fetchImpl = opts.fetch ?? fetch;
+    const body = {};
+    if (opts.name !== undefined)
+        body["name"] = opts.name;
+    const headers = {
+        "content-type": "application/json",
+    };
+    // Sent only when the relay runs REGISTRATION_MODE=secret; harmless otherwise.
+    if (opts.secret !== undefined && opts.secret !== "") {
+        headers["authorization"] = `Bearer ${opts.secret}`;
+    }
+    let res;
+    try {
+        res = await fetchImpl(base + "/v1/register", {
+            method: "POST",
+            headers,
+            body: JSON.stringify(body),
+        });
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        throw new PaneApiError(0, "fetch_error", msg);
+    }
+    let data = null;
+    const text = await res.text().catch(() => "");
+    if (text !== "") {
+        try {
+            data = JSON.parse(text);
+        }
+        catch {
+            const snippet = text.length > MAX_RESPONSE_SNIPPET_LENGTH
+                ? text.slice(0, MAX_RESPONSE_SNIPPET_LENGTH) + "…"
+                : text;
+            throw new PaneApiError(res.status, "non_json_response", `relay returned a non-JSON body (status ${res.status})`, { body: snippet });
+        }
+    }
+    if (!res.ok) {
+        const err = data?.error;
+        throw new PaneApiError(res.status, err?.code ?? "relay_error", err?.message ?? `relay returned ${res.status}`, err?.details);
+    }
+    if (data === null || typeof data !== "object" || Array.isArray(data)) {
+        throw new PaneApiError(res.status, "invalid_response", `relay returned a ${res.status} with a non-object body`, { body: data });
+    }
+    return data;
+}

package/dist/schemas.d.ts

@@ -0,0 +1,197 @@
+import { z } from "zod";
+export declare const artifactTypeSchema: z.ZodEnum<["html-inline", "html-ref"]>;
+export declare const artifactSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<"html-inline">;
+    source: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: "html-inline";
+    source: string;
+}, {
+    type: "html-inline";
+    source: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"html-ref">;
+    source: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: "html-ref";
+    source: string;
+}, {
+    type: "html-ref";
+    source: string;
+}>]>;
+export declare const callbackSchema: z.ZodObject<{
+    url: z.ZodString;
+    events: z.ZodArray<z.ZodString, "many">;
+    secret: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    url: string;
+    events: string[];
+    secret: string;
+}, {
+    url: string;
+    events: string[];
+    secret: string;
+}>;
+export declare const createSessionSchema: z.ZodObject<{
+    artifact: z.ZodEffects<z.ZodUnion<[z.ZodObject<{
+        id: z.ZodString;
+        version: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        version?: number | undefined;
+    }, {
+        id: string;
+        version?: number | undefined;
+    }>, z.ZodObject<{
+        source: z.ZodString;
+        type: z.ZodEnum<["html-inline", "html-ref"]>;
+        event_schema: z.ZodOptional<z.ZodUnknown>;
+    }, "strip", z.ZodTypeAny, {
+        type: "html-inline" | "html-ref";
+        source: string;
+        event_schema?: unknown;
+    }, {
+        type: "html-inline" | "html-ref";
+        source: string;
+        event_schema?: unknown;
+    }>]>, {
+        type: "html-inline" | "html-ref";
+        source: string;
+        event_schema?: unknown;
+    } | {
+        id: string;
+        version?: number | undefined;
+    }, {
+        type: "html-inline" | "html-ref";
+        source: string;
+        event_schema?: unknown;
+    } | {
+        id: string;
+        version?: number | undefined;
+    }>;
+    input_data: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    participants: z.ZodOptional<z.ZodObject<{
+        humans: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        humans: number;
+    }, {
+        humans: number;
+    }>>;
+    ttl: z.ZodOptional<z.ZodNumber>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    callback: z.ZodOptional<z.ZodObject<{
+        url: z.ZodString;
+        events: z.ZodArray<z.ZodString, "many">;
+        secret: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        url: string;
+        events: string[];
+        secret: string;
+    }, {
+        url: string;
+        events: string[];
+        secret: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    artifact: {
+        type: "html-inline" | "html-ref";
+        source: string;
+        event_schema?: unknown;
+    } | {
+        id: string;
+        version?: number | undefined;
+    };
+    input_data?: Record<string, unknown> | undefined;
+    participants?: {
+        humans: number;
+    } | undefined;
+    ttl?: number | undefined;
+    metadata?: Record<string, unknown> | undefined;
+    callback?: {
+        url: string;
+        events: string[];
+        secret: string;
+    } | undefined;
+}, {
+    artifact: {
+        type: "html-inline" | "html-ref";
+        source: string;
+        event_schema?: unknown;
+    } | {
+        id: string;
+        version?: number | undefined;
+    };
+    input_data?: Record<string, unknown> | undefined;
+    participants?: {
+        humans: number;
+    } | undefined;
+    ttl?: number | undefined;
+    metadata?: Record<string, unknown> | undefined;
+    callback?: {
+        url: string;
+        events: string[];
+        secret: string;
+    } | undefined;
+}>;
+export declare const createArtifactSchema: z.ZodObject<{
+    name: z.ZodString;
+    slug: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    source: z.ZodString;
+    type: z.ZodEnum<["html-inline", "html-ref"]>;
+    event_schema: z.ZodOptional<z.ZodUnknown>;
+    input_schema: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    type: "html-inline" | "html-ref";
+    source: string;
+    name: string;
+    event_schema?: unknown;
+    slug?: string | undefined;
+    description?: string | undefined;
+    tags?: string[] | undefined;
+    input_schema?: Record<string, unknown> | undefined;
+}, {
+    type: "html-inline" | "html-ref";
+    source: string;
+    name: string;
+    event_schema?: unknown;
+    slug?: string | undefined;
+    description?: string | undefined;
+    tags?: string[] | undefined;
+    input_schema?: Record<string, unknown> | undefined;
+}>;
+export declare const createArtifactVersionSchema: z.ZodObject<{
+    source: z.ZodString;
+    type: z.ZodEnum<["html-inline", "html-ref"]>;
+    event_schema: z.ZodOptional<z.ZodUnknown>;
+    input_schema: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    type: "html-inline" | "html-ref";
+    source: string;
+    event_schema?: unknown;
+    input_schema?: Record<string, unknown> | undefined;
+}, {
+    type: "html-inline" | "html-ref";
+    source: string;
+    event_schema?: unknown;
+    input_schema?: Record<string, unknown> | undefined;
+}>;
+export declare const patchArtifactMetadataSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    slug: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    name?: string | undefined;
+    slug?: string | undefined;
+    description?: string | undefined;
+    tags?: string[] | undefined;
+}, {
+    name?: string | undefined;
+    slug?: string | undefined;
+    description?: string | undefined;
+    tags?: string[] | undefined;
+}>;
+/** @deprecated use `CreateSessionRequest` from ./types.js (same type). */
+export type CreateSessionInput = z.infer<typeof createSessionSchema>;

package/dist/schemas.js

@@ -0,0 +1,82 @@
+// Zod schemas for the Pane relay request shapes. These let callers (the CLI,
+// other clients) validate user-supplied input — e.g. an inline JSON artifact
+// or callback config — before it hits the relay, producing clear errors.
+import { z } from "zod";
+// The artifact `type` discriminant. `html-inline` carries raw HTML in `source`;
+// `html-ref` carries a URL. The relay rejects `html-ref` in this release.
+export const artifactTypeSchema = z.enum(["html-inline", "html-ref"]);
+// Discriminated on `type`: both require a non-empty `source`. Kept for callers
+// that want to validate a bare artifact (no event schema attached).
+export const artifactSchema = z.discriminatedUnion("type", [
+    z.object({ type: z.literal("html-inline"), source: z.string().min(1) }),
+    z.object({ type: z.literal("html-ref"), source: z.string().min(1) }),
+]);
+export const callbackSchema = z.object({
+    url: z.string().url(),
+    events: z.array(z.string().min(1)).min(1),
+    secret: z.string().min(8),
+});
+// The inline artifact form for POST /v1/sessions — carries the event schema
+// INSIDE the artifact object (one-off, no registered artifact). The relay
+// transparently creates an anonymous artifact behind it.
+const inlineArtifactSchema = z.object({
+    source: z.string().min(1),
+    type: artifactTypeSchema,
+    // Optional: omit for a view-only one-off (a report/dashboard the human only
+    // views — the session then accepts no page/agent events).
+    event_schema: z.unknown().optional(),
+});
+// The reference form for POST /v1/sessions — instances an existing named
+// artifact. `id` accepts the artifact id or its slug; `version` is optional
+// and defaults to the artifact's latest version.
+const refArtifactSchema = z.object({
+    id: z.string().min(1),
+    version: z.number().int().positive().optional(),
+});
+// The session-create `artifact` field: exactly one of the two forms. A union
+// (not a discriminated union — the two forms share no discriminant key) with a
+// refine enforcing exactly-one-of `id` / `source`.
+const sessionArtifactSchema = z
+    .union([refArtifactSchema, inlineArtifactSchema])
+    .refine((a) => {
+    const hasId = "id" in a && a.id !== undefined;
+    const hasSource = "source" in a && a.source !== undefined;
+    return hasId !== hasSource;
+}, {
+    message: "artifact must carry exactly one of `id` (reference an existing artifact) or `source` (inline a one-off artifact)",
+});
+export const createSessionSchema = z.object({
+    artifact: sessionArtifactSchema,
+    input_data: z.record(z.unknown()).optional(),
+    participants: z.object({ humans: z.number().int().positive() }).optional(),
+    ttl: z.number().int().positive().optional(),
+    metadata: z.record(z.unknown()).optional(),
+    callback: callbackSchema.optional(),
+});
+// POST /v1/artifacts — create a named, reusable artifact plus its v1 content.
+export const createArtifactSchema = z.object({
+    name: z.string().min(1),
+    slug: z.string().min(1).optional(),
+    description: z.string().optional(),
+    tags: z.array(z.string().min(1)).optional(),
+    source: z.string().min(1),
+    type: artifactTypeSchema,
+    // Optional: omit for a view-only artifact (no event vocabulary).
+    event_schema: z.unknown().optional(),
+    input_schema: z.record(z.unknown()).optional(),
+});
+// POST /v1/artifacts/:id/versions — append a new version (content only).
+export const createArtifactVersionSchema = z.object({
+    source: z.string().min(1),
+    type: artifactTypeSchema,
+    // Optional: omit for a view-only artifact (no event vocabulary).
+    event_schema: z.unknown().optional(),
+    input_schema: z.record(z.unknown()).optional(),
+});
+// PATCH /v1/artifacts/:id — update head metadata only (never content).
+export const patchArtifactMetadataSchema = z.object({
+    name: z.string().min(1).optional(),
+    slug: z.string().min(1).optional(),
+    description: z.string().optional(),
+    tags: z.array(z.string().min(1)).optional(),
+});

package/dist/stream.d.ts

@@ -0,0 +1,51 @@
+import { WebSocket } from "ws";
+import type { PaneEvent } from "./types.js";
+export interface OpenStreamOptions {
+    /** WebSocket base URL, e.g. wss://pane.example.com (no trailing slash). */
+    wsBaseUrl: string;
+    /** Session id. */
+    sessionId: string;
+    /** Agent (or participant) bearer token. */
+    token: string;
+    /** Opaque cursor: replay only events strictly after this id. */
+    since?: string | null;
+}
+/** Callbacks for a live stream. */
+export interface StreamHandlers {
+    /** Fired for every event envelope (replayed and live). */
+    onEvent?: (event: PaneEvent) => void;
+    /** Fired once when the initial replay finishes. */
+    onReplayComplete?: () => void;
+    /** Fired on a relay error frame. */
+    onRelayError?: (error: {
+        code?: string;
+        message?: string;
+        details?: unknown;
+    }) => void;
+    /** Fired when the socket closes (cleanly or otherwise). */
+    onClose?: (info: {
+        code: number;
+        reason: string;
+    }) => void;
+    /** Fired on a transport-level error. */
+    onError?: (err: Error) => void;
+}
+/** A live handle to an open stream. */
+export interface StreamHandle {
+    /** Send an event frame into the session. */
+    send(frame: {
+        type: string;
+        data?: unknown;
+        causation_id?: string;
+        idempotency_key?: string;
+    }): void;
+    /** Close the stream. */
+    close(): void;
+    /** The underlying ws socket (escape hatch). */
+    readonly socket: WebSocket;
+}
+/**
+ * Open a WebSocket stream to a Pane session. Replays on connect, then streams
+ * live. Returns a handle for sending frames and closing.
+ */
+export declare function openStream(opts: OpenStreamOptions, handlers: StreamHandlers): StreamHandle;

package/dist/stream.js

@@ -0,0 +1,97 @@
+// WebSocket client for WS /v1/sessions/:id/stream.
+//
+// The relay protocol (see the relay's src/ws/handler.ts):
+//   - on connect, the relay replays every event since `?since=` (or from the
+//     start), then sends a `{ kind: "system.replay.complete" }` marker;
+//   - thereafter it pushes live events as they land;
+//   - each frame is a JSON object: either a PaneEvent envelope, the replay
+//     marker, an `{ ack, deduped }` for frames we sent, or an `{ error }`.
+//
+// Note: `system.participant.joined` / `system.participant.left` (and other
+// `system.*` events) arrive as ordinary `PaneEvent` envelopes — they are not a
+// distinct frame kind, and may be interleaved with the initial replay stream
+// just like any other event.
+//
+// `openStream` exposes this as a typed event emitter over the `ws` package.
+import { WebSocket } from "ws";
+import { MAX_FRAME_SNIPPET_LENGTH } from "./limits.js";
+/**
+ * Open a WebSocket stream to a Pane session. Replays on connect, then streams
+ * live. Returns a handle for sending frames and closing.
+ */
+export function openStream(opts, handlers) {
+    const base = opts.wsBaseUrl.replace(/\/$/, "");
+    const u = new URL(`${base}/v1/sessions/${encodeURIComponent(opts.sessionId)}/stream`);
+    if (opts.since != null && opts.since !== "") {
+        u.searchParams.set("since", opts.since);
+    }
+    // Token via Authorization header (Node ws supports it); the relay also
+    // accepts ?token= but the header keeps it out of any URL access log.
+    const socket = new WebSocket(u.toString(), {
+        headers: { authorization: "Bearer " + opts.token },
+    });
+    socket.on("message", (raw) => {
+        const text = raw.toString();
+        let msg;
+        try {
+            msg = JSON.parse(text);
+        }
+        catch (e) {
+            // A malformed frame must never be silently dropped — a dropped event
+            // makes `watch --type X` hang forever. Surface it as a transport error.
+            const snippet = text.length > MAX_FRAME_SNIPPET_LENGTH
+                ? text.slice(0, MAX_FRAME_SNIPPET_LENGTH) + "…"
+                : text;
+            handlers.onError?.(new Error(`failed to parse stream frame as JSON (${e instanceof Error ? e.message : String(e)}): ${snippet}`));
+            return;
+        }
+        if (!msg || typeof msg !== "object") {
+            handlers.onError?.(new Error(`unexpected non-object stream frame: ${text.slice(0, MAX_FRAME_SNIPPET_LENGTH)}`));
+            return;
+        }
+        const obj = msg;
+        if (obj["kind"] === "system.replay.complete") {
+            handlers.onReplayComplete?.();
+            return;
+        }
+        if ("error" in obj) {
+            handlers.onRelayError?.(obj["error"]);
+            return;
+        }
+        if ("ack" in obj) {
+            // Ack for a frame we sent; nothing to surface by default.
+            return;
+        }
+        if (typeof obj["id"] === "string" && typeof obj["type"] === "string") {
+            handlers.onEvent?.(obj);
+            return;
+        }
+        // Unrecognized frame shape — route to onError rather than dropping it.
+        handlers.onError?.(new Error(`unrecognized stream frame: ${JSON.stringify(obj).slice(0, MAX_FRAME_SNIPPET_LENGTH)}`));
+    });
+    socket.on("close", (code, reason) => {
+        handlers.onClose?.({ code, reason: reason.toString() });
+    });
+    socket.on("error", (err) => {
+        handlers.onError?.(err instanceof Error ? err : new Error(String(err)));
+    });
+    return {
+        send(frame) {
+            if (socket.readyState !== WebSocket.OPEN) {
+                throw new Error(`cannot send frame: stream socket is not open (readyState=${socket.readyState})`);
+            }
+            socket.send(JSON.stringify(frame));
+        },
+        close() {
+            try {
+                socket.close();
+            }
+            catch (e) {
+                console.debug("[pane] stream close error:", e instanceof Error ? e.message : String(e));
+            }
+        },
+        get socket() {
+            return socket;
+        },
+    };
+}

package/dist/types.d.ts

@@ -0,0 +1,144 @@
+import type { z } from "zod";
+import type { createSessionSchema } from "./schemas.js";
+export type AuthorKind = "human" | "agent" | "system";
+/** A single event envelope as emitted by the relay. */
+export interface PaneEvent {
+    id: string;
+    session_id: string;
+    author: {
+        kind: AuthorKind;
+        id: string;
+    };
+    ts: string;
+    type: string;
+    data: unknown;
+    causation_id: string | null;
+    idempotency_key: string | null;
+}
+/** The artifact content type. `html-ref` is rejected by the relay for now. */
+export type ArtifactType = "html-inline" | "html-ref";
+/**
+ * An artifact: discriminated on `type`. `html-inline` carries raw HTML in
+ * `source`; `html-ref` carries a URL the relay/shell fetches on the human's
+ * behalf. The discriminant keeps the type↔source coupling explicit.
+ */
+export type Artifact = {
+    type: "html-inline";
+    source: string;
+} | {
+    type: "html-ref";
+    source: string;
+};
+/** Optional webhook callback config. */
+export interface Callback {
+    url: string;
+    events: string[];
+    secret: string;
+}
+/**
+ * Request body for POST /v1/sessions. Derived from `createSessionSchema` so the
+ * runtime validator and the static type cannot drift.
+ */
+export type CreateSessionRequest = z.infer<typeof createSessionSchema>;
+/** Response from POST /v1/sessions. */
+export interface CreateSessionResponse {
+    session_id: string;
+    tokens: {
+        humans: string[];
+        agent: string;
+    };
+    urls: {
+        humans: string[];
+        agent_stream: string;
+    };
+    expires_at: string;
+}
+/** Response from GET /v1/sessions/:id. */
+export interface SessionState {
+    session_id: string;
+    status: string;
+    /** The artifact version this session is pinned to. */
+    artifact_id: string;
+    artifact_version_id: string;
+    artifact_version: number;
+    metadata: Record<string, unknown> | null;
+    input_data: Record<string, unknown> | null;
+    created_at: string;
+    expires_at: string;
+}
+/** Response from GET /v1/sessions/:id/events. */
+export interface EventsPage {
+    events: PaneEvent[];
+    next_cursor: string | null;
+}
+/** One immutable version of an artifact's content. */
+export interface ArtifactVersion {
+    id: string;
+    version: number;
+    type: ArtifactType;
+    source: string;
+    event_schema: unknown;
+    input_schema: Record<string, unknown> | null;
+    created_at: string;
+}
+/** A full artifact — head metadata plus its version list. */
+export interface Artifact_ {
+    id: string;
+    slug: string | null;
+    name: string | null;
+    description: string | null;
+    tags: string[] | null;
+    latest_version: number;
+    last_used_at: string | null;
+    created_at: string;
+    updated_at: string;
+    versions: ArtifactVersion[];
+}
+/**
+ * A full artifact — head metadata plus its version list. (`ArtifactRecord` is
+ * the public name; `Artifact` is kept as the older inline-artifact union.)
+ */
+export type ArtifactRecord = Artifact_;
+/**
+ * A lean artifact summary for list/search responses — head metadata only, no
+ * `source` blob. See GET /v1/artifacts.
+ */
+export interface ArtifactSummary {
+    id: string;
+    slug: string | null;
+    name: string | null;
+    description: string | null;
+    tags: string[] | null;
+    latest_version: number;
+    last_used_at: string | null;
+}
+/** Response from POST /v1/artifacts and POST /v1/artifacts/:id/versions. */
+export interface CreateArtifactResponse {
+    artifact_id: string;
+    version: number;
+}
+/**
+ * Response from GET /v1/keys — the calling agent's own key info. The relay
+ * scopes this to the authenticated agent: it returns ONE key (the caller's),
+ * not a list.
+ */
+export interface KeyInfo {
+    agent_id: string;
+    name: string | null;
+    key_prefix: string;
+    created_at: string;
+    last_used_at: string | null;
+    revoked_at: string | null;
+}
+/** A relay error envelope. */
+export interface RelayError {
+    code: string;
+    message?: string;
+    details?: unknown;
+    /** Agent-friendly remediation hint. */
+    hint?: string;
+    /** Whether retrying the same request may succeed. */
+    retryable?: boolean;
+    /** Documentation URL for this error class (snake_case on the wire). */
+    docs_url?: string;
+}

package/dist/types.js

@@ -0,0 +1,7 @@
+// Wire types for the Pane relay HTTP + WebSocket API.
+//
+// These mirror the relay's public response shapes (see the relay's
+// src/types.ts, src/http/serialize.ts and src/http/routes/*). They are
+// re-declared here rather than imported from @paneui/relay so that @paneui/core
+// stays pure and framework-free — no Prisma, no Hono, no server deps.
+export {};

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@paneui/core",
+  "version": "0.0.1",
+  "description": "Pane relay client: typed HTTP + WebSocket operations against a Pane relay. Framework-free.",
+  "license": "MIT",
+  "type": "module",
+  "keywords": [
+    "pane",
+    "agent",
+    "websocket",
+    "relay",
+    "human-in-the-loop"
+  ],
+  "homepage": "https://github.com/aerolalit/paneui#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aerolalit/paneui.git",
+    "directory": "packages/core"
+  },
+  "bugs": {
+    "url": "https://github.com/aerolalit/paneui/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:unit": "vitest run"
+  },
+  "dependencies": {
+    "ws": "^8.20.1",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.7.0",
+    "@types/ws": "^8.18.1",
+    "typescript": "^5.6.0",
+    "vitest": "^4.1.6"
+  }
+}