@premai/api-sdk 1.0.29

package/dist/index.mjs

@@ -0,0 +1,1691 @@
+// src/index.ts
+import dotenv2 from "dotenv";
+
+// src/server.ts
+import dotenv from "dotenv";
+import express from "express";
+import multer from "multer";
+
+// src/audio/index.ts
+import { bytesToHex as bytesToHex2, hexToBytes as hexToBytes2 } from "@noble/ciphers/utils.js";
+
+// src/config.ts
+var endpoints = {
+  enclave: process.env.ENCLAVE_URL,
+  proxy: process.env.PROXY_URL
+};
+var DEFAULT_REQUEST_TIMEOUT_MS = 60000;
+var DEFAULT_MAX_BUFFER_SIZE = 10 * 1024 * 1024;
+
+// src/utils/attestation.ts
+import { ClientBuilder, GatewayError, QueryParams } from "@premai/prem-rs";
+function isAttestationError(err) {
+  return err instanceof Error && err.name === "AttestationError";
+}
+function isGatewayError(err) {
+  return isAttestationError(err) && err.kind instanceof GatewayError;
+}
+function getGatewayErrorMessage(err) {
+  if (isGatewayError(err))
+    return err.kind.message;
+  return null;
+}
+async function attest(apiKey, options = { enabled: true }) {
+  if (!options.enabled)
+    return null;
+  const client = await new ClientBuilder(endpoints.proxy ?? "").with_authorization(apiKey).build();
+  let query = new QueryParams;
+  if (options.model)
+    query = query.with("model", options.model);
+  try {
+    const attested = await client.attest(query);
+    const headers = attested.headers();
+    const sessionId = attested.headers().gpu()?.get("x-session-id") ?? null;
+    headers.free();
+    attested.free();
+    return sessionId;
+  } finally {
+    client.free();
+  }
+}
+
+// src/utils/crypto.ts
+import { aeskwp } from "@noble/ciphers/aes.js";
+import { xchacha20poly1305 } from "@noble/ciphers/chacha.js";
+import { bytesToHex, hexToBytes, managedNonce, randomBytes } from "@noble/ciphers/utils.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import { sha3_256 } from "@noble/hashes/sha3.js";
+import { XWing } from "@noble/post-quantum/hybrid.js";
+function createMLKEMEncapsulation(publicKeyHex) {
+  return XWing.encapsulate(hexToBytes(publicKeyHex));
+}
+function encryptPayload(sharedSecret, data) {
+  const nonce = randomBytes(24);
+  const chacha = xchacha20poly1305(sharedSecret, nonce);
+  let encodedData;
+  if (data instanceof Uint8Array) {
+    encodedData = data;
+  } else if (typeof data === "string") {
+    encodedData = new TextEncoder().encode(data);
+  } else {
+    encodedData = new TextEncoder().encode(JSON.stringify(data));
+  }
+  const encrypted = chacha.encrypt(encodedData);
+  return { encrypted, nonce };
+}
+function decryptPayload(encryptedData, sharedSecret, nonce) {
+  const chacha = xchacha20poly1305(sharedSecret, nonce);
+  const encrypted = hexToBytes(encryptedData);
+  const decrypted = chacha.decrypt(encrypted);
+  const str = new TextDecoder().decode(decrypted);
+  try {
+    return JSON.parse(str);
+  } catch {
+    return str;
+  }
+}
+async function getEnclavePublicKey(timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.enclave}/publicKey`, {
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to fetch enclave public key: ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    if (!data.publicKey || typeof data.publicKey !== "string") {
+      throw new Error("Invalid public key response from enclave");
+    }
+    return data.publicKey;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Enclave public key request timed out after ${timeoutMs}ms`);
+    }
+    throw new Error(`Failed to get enclave public key: ${error instanceof Error ? error.message : error}`);
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function generateEncryptionKeys(timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  return createMLKEMEncapsulation(enclavePublicKey);
+}
+function keyIdFromKEK(kek, context = "kek:v1", length = 16) {
+  const ctx = new TextEncoder().encode(context);
+  const input = new Uint8Array(kek.length + ctx.length);
+  input.set(kek, 0);
+  input.set(ctx, kek.length);
+  const digest = sha256(input);
+  return digest.slice(0, length);
+}
+function encryptWithDEK(dek, plaintext) {
+  const aead = managedNonce(xchacha20poly1305)(dek);
+  return aead.encrypt(plaintext);
+}
+function encryptMetadataWithDEK(dek, metadata) {
+  const encoded = new TextEncoder().encode(metadata);
+  const encrypted = encryptWithDEK(dek, encoded);
+  return bytesToHex(encrypted);
+}
+function wrapDEK(kek, dek) {
+  const kw = aeskwp(kek);
+  return kw.encrypt(dek);
+}
+function unwrapDEK(kek, wrappedDEK) {
+  const kw = aeskwp(kek);
+  return kw.decrypt(wrappedDEK);
+}
+function decryptWithDEK(dek, encryptedContent) {
+  const aead = managedNonce(xchacha20poly1305)(dek);
+  return aead.decrypt(encryptedContent);
+}
+
+// src/utils/error.ts
+async function throwIfErrorResponse(response) {
+  let raw;
+  try {
+    raw = await response.json();
+    if (!raw.status)
+      raw = { ...raw, status: response.status };
+  } catch {
+    raw = {
+      status: response.status,
+      data: null,
+      error: response.statusText || `HTTP ${response.status}`,
+      message: null
+    };
+  }
+  throw raw;
+}
+
+// src/utils/files.ts
+var getFileName = (file) => {
+  if (file instanceof File) {
+    return file.name;
+  }
+  if (file instanceof Blob) {
+    return;
+  }
+  const fileAny = file;
+  if (fileAny.path) {
+    const path = typeof fileAny.path === "string" ? fileAny.path : fileAny.path.toString();
+    return path.split("/").pop() || path.split("\\").pop() || path;
+  }
+  if (file instanceof Uint8Array || file instanceof ArrayBuffer) {
+    return;
+  }
+  return;
+};
+
+// src/audio/index.ts
+async function readUploadableToUint8Array(file) {
+  if (file instanceof Uint8Array) {
+    return file;
+  }
+  if (file instanceof ArrayBuffer) {
+    return new Uint8Array(file);
+  }
+  if (typeof file.arrayBuffer === "function") {
+    const blob = file;
+    const buffer = await blob.arrayBuffer();
+    return new Uint8Array(buffer);
+  }
+  const fileAny = file;
+  if (typeof fileAny.on === "function" && (typeof fileAny.read === "function" || typeof fileAny.pipe === "function")) {
+    const chunks = [];
+    return new Promise((resolve, reject) => {
+      fileAny.on("data", (chunk) => {
+        if (Buffer.isBuffer(chunk)) {
+          chunks.push(new Uint8Array(chunk));
+        } else if (chunk instanceof Uint8Array) {
+          chunks.push(chunk);
+        } else if (typeof chunk === "object" && chunk !== null) {
+          chunks.push(new Uint8Array(Buffer.from(chunk)));
+        }
+      });
+      fileAny.on("end", () => {
+        const totalLength = chunks.reduce((acc, chunk) => acc + chunk.length, 0);
+        const result = new Uint8Array(totalLength);
+        let offset = 0;
+        for (const chunk of chunks) {
+          result.set(chunk, offset);
+          offset += chunk.length;
+        }
+        resolve(result);
+      });
+      fileAny.on("error", (err) => reject(err));
+    });
+  }
+  throw new Error("Unsupported file type for audio transcription");
+}
+async function preprocessAudioRequest(body, encryptionKeys) {
+  const { cipherText, sharedSecret } = encryptionKeys;
+  const audioData = await readUploadableToUint8Array(body.file);
+  const isDeepgram = body.model.startsWith("deepgram/");
+  const requestBody = isDeepgram ? {
+    model: body.model,
+    diarize: body.diarize
+  } : {
+    model: body.model,
+    language: body.language,
+    prompt: body.prompt,
+    response_format: body.response_format,
+    temperature: body.temperature,
+    timestamp_granularities: body.timestamp_granularities
+  };
+  const cleanedBody = Object.fromEntries(Object.entries(requestBody).filter(([_, v]) => v !== undefined));
+  const { encrypted, nonce } = encryptPayload(sharedSecret, cleanedBody);
+  const { encrypted: encryptedFile, nonce: fileNonce } = encryptPayload(sharedSecret, audioData);
+  const fileName = getFileName(body.file) || "audio.mp3";
+  const { encrypted: encryptedFileName, nonce: fileNameNonce } = encryptPayload(sharedSecret, fileName);
+  return {
+    body: {
+      cipherText: bytesToHex2(cipherText),
+      encryptedInference: bytesToHex2(encrypted),
+      nonce: bytesToHex2(nonce),
+      fileNameNonce: bytesToHex2(fileNameNonce),
+      encryptedFileName: bytesToHex2(encryptedFileName),
+      fileNonce: bytesToHex2(fileNonce),
+      encryptedFile: bytesToHex2(encryptedFile),
+      model: body.model
+    },
+    sharedSecret
+  };
+}
+async function postprocessTranscriptionResponse(response, sharedSecret) {
+  const responseData = await response.json();
+  const data = responseData.data;
+  if (!data.encryptedResponse || !data.nonce) {
+    throw new Error("Invalid transcription response: missing encryptedResponse or nonce");
+  }
+  const responseNonce = hexToBytes2(data.nonce);
+  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
+}
+async function postprocessTranslationResponse(response, sharedSecret) {
+  const responseData = await response.json();
+  const data = responseData.data;
+  if (!data.encryptedResponse || !data.nonce) {
+    throw new Error("Invalid translation response: missing encryptedResponse or nonce");
+  }
+  const responseNonce = hexToBytes2(data.nonce);
+  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
+}
+async function preprocessAudioTranslationRequest(body, encryptionKeys) {
+  const { cipherText, sharedSecret } = encryptionKeys;
+  const audioData = await readUploadableToUint8Array(body.file);
+  const requestBody = {
+    model: body.model,
+    prompt: body.prompt,
+    response_format: body.response_format,
+    temperature: body.temperature
+  };
+  const cleanedBody = Object.fromEntries(Object.entries(requestBody).filter(([_, v]) => v !== undefined));
+  const { encrypted, nonce } = encryptPayload(sharedSecret, cleanedBody);
+  const { encrypted: encryptedFile, nonce: fileNonce } = encryptPayload(sharedSecret, audioData);
+  const fileName = getFileName(body.file) || "audio.mp3";
+  const { encrypted: encryptedFileName, nonce: fileNameNonce } = encryptPayload(sharedSecret, fileName);
+  return {
+    body: {
+      cipherText: bytesToHex2(cipherText),
+      encryptedInference: bytesToHex2(encrypted),
+      nonce: bytesToHex2(nonce),
+      fileNameNonce: bytesToHex2(fileNameNonce),
+      encryptedFileName: bytesToHex2(encryptedFileName),
+      fileNonce: bytesToHex2(fileNonce),
+      encryptedFile: bytesToHex2(encryptedFile),
+      model: body.model
+    },
+    sharedSecret
+  };
+}
+function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  async function createTranscription(body) {
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+    try {
+      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const encryptedRequest = await preprocessAudioRequest(body, encryptionKeys);
+      const response = await fetch(`${endpoints.proxy}/rvenc/audio/transcriptions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: apiKey,
+          ...sessionId && { "X-Session-Id": sessionId }
+        },
+        body: JSON.stringify(encryptedRequest.body),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        await throwIfErrorResponse(response);
+      }
+      clearTimeout(timeoutId);
+      return await postprocessTranscriptionResponse(response, encryptedRequest.sharedSecret);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
+      }
+      throw error;
+    }
+  }
+  const transcriptionsClient = {
+    create: createTranscription
+  };
+  async function createTranslation(body) {
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+    try {
+      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const encryptedRequest = await preprocessAudioTranslationRequest(body, encryptionKeys);
+      const response = await fetch(`${endpoints.proxy}/rvenc/audio/translations`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: apiKey,
+          ...sessionId && { "X-Session-Id": sessionId }
+        },
+        body: JSON.stringify(encryptedRequest.body),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        await throwIfErrorResponse(response);
+      }
+      clearTimeout(timeoutId);
+      return await postprocessTranslationResponse(response, encryptedRequest.sharedSecret);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
+      }
+      throw error;
+    }
+  }
+  const translationsClient = {
+    create: createTranslation
+  };
+  return {
+    transcriptions: transcriptionsClient,
+    translations: translationsClient
+  };
+}
+
+// src/files/index.ts
+import { bytesToHex as bytesToHex4, hexToBytes as hexToBytes4, randomBytes as randomBytes3 } from "@noble/ciphers/utils.js";
+import { sha256 as sha2562 } from "@noble/hashes/sha2.js";
+import { isValid, parseISO } from "date-fns";
+import { z } from "zod";
+
+// src/utils/dek-store.ts
+import { bytesToHex as bytesToHex3, hexToBytes as hexToBytes3, randomBytes as randomBytes2 } from "@noble/ciphers/utils.js";
+function initializeDEKStore(clientKEK) {
+  const ragDEK = randomBytes2(32);
+  const _clientKEK = clientKEK ? hexToBytes3(clientKEK) : getClientKEK();
+  const wrappedRagDEK = wrapDEK(_clientKEK, ragDEK);
+  return {
+    fileDEKs: new Map,
+    ragDEK: wrappedRagDEK,
+    ragVersion: "2"
+  };
+}
+function serializeDEKStore(store) {
+  const fileDEKsObj = {};
+  if (store.fileDEKs) {
+    store.fileDEKs.forEach((dek, fileId) => {
+      fileDEKsObj[fileId] = bytesToHex3(dek);
+    });
+  }
+  return JSON.stringify({
+    fileDEKs: fileDEKsObj,
+    ragDEK: store.ragDEK ? bytesToHex3(store.ragDEK) : undefined,
+    ragVersion: store.ragVersion
+  });
+}
+function deserializeDEKStore(serialized) {
+  const parsed = JSON.parse(serialized);
+  const fileDEKs = new Map;
+  if (parsed.fileDEKs) {
+    Object.entries(parsed.fileDEKs).forEach(([fileId, dekHex]) => {
+      fileDEKs.set(fileId, hexToBytes3(dekHex));
+    });
+  }
+  return {
+    fileDEKs,
+    ragDEK: parsed.ragDEK ? hexToBytes3(parsed.ragDEK) : undefined,
+    ragVersion: parsed.ragVersion
+  };
+}
+function getClientKEK() {
+  if (!process.env.CLIENT_KEK) {
+    throw new Error("CLIENT_KEK environment variable is not set.");
+  }
+  return hexToBytes3(process.env.CLIENT_KEK);
+}
+function getClientKID(clientKEK) {
+  if (clientKEK) {
+    return bytesToHex3(keyIdFromKEK(hexToBytes3(clientKEK)));
+  }
+  const _clientKEK = getClientKEK();
+  return bytesToHex3(keyIdFromKEK(_clientKEK));
+}
+function generateNewClientKEK() {
+  return bytesToHex3(randomBytes2(32));
+}
+
+// src/files/index.ts
+var MAX_FILENAME_LENGTH = 255;
+var MIN_FILENAME_LENGTH = 1;
+var ALLOWED_MIME_TYPES = new Set([
+  "image/jpeg",
+  "image/png",
+  "image/gif",
+  "image/webp",
+  "application/pdf",
+  "application/msword",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.ms-excel",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "text/plain",
+  "text/csv",
+  "text/markdown",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "video/mp4",
+  "video/webm",
+  "video/quicktime",
+  "audio/mpeg",
+  "audio/wav",
+  "audio/ogg",
+  "application/zip",
+  "application/x-rar-compressed",
+  "application/x-7z-compressed",
+  "application/octet-stream"
+]);
+var ApiKeySchema = z.string().trim().min(1, "API key cannot be empty");
+var TimeoutSchema = z.number().int().min(1, "Timeout must be at least 1ms").max(600000, "Timeout must not exceed 600000ms (10 minutes)");
+var DEKStoreSchema = z.object({
+  ragDEK: z.instanceof(Uint8Array).optional(),
+  fileDEKs: z.instanceof(Map).optional()
+});
+var ISO8601DateSchema = z.string().refine((val) => {
+  const date = parseISO(val);
+  return isValid(date);
+}, { message: "Must be a valid ISO8601 date" });
+var MimeTypeSchema = z.string().refine((val) => ALLOWED_MIME_TYPES.has(val), {
+  message: "MIME type is not allowed"
+});
+var FileUploadOptionsSchema = z.object({
+  file: z.instanceof(Uint8Array),
+  fileName: z.string().min(MIN_FILENAME_LENGTH, "File name cannot be empty").max(MAX_FILENAME_LENGTH, `File name cannot exceed ${MAX_FILENAME_LENGTH} characters`).refine((name) => !/[<>:"|?*\x00-\x1F]/.test(name), "Invalid characters").refine((name) => !name.includes("..") && !name.includes("/") && !name.includes("\\"), "No path separators allowed"),
+  mimeType: z.string().optional(),
+  ragIndex: z.boolean().optional()
+});
+var ListFilesOptionsSchema = z.object({
+  limit: z.number().int().positive("Limit must be a positive integer").optional(),
+  offset: z.number().int().nonnegative("Offset must be a non-negative integer").optional(),
+  search: z.string().optional(),
+  from: ISO8601DateSchema.optional(),
+  to: ISO8601DateSchema.optional()
+}).optional();
+var GetFileOptionsSchema = z.object({
+  id: z.string().trim().min(1, "File ID cannot be empty"),
+  url: z.boolean().optional()
+});
+var DeleteFileOptionsSchema = z.object({
+  id: z.string().min(1, "File ID is required")
+});
+var IndexFileInputSchema = z.object({
+  fileId: z.string().min(1, "File ID is required"),
+  filePath: z.string().min(1, "File path is required"),
+  fileDEK: z.instanceof(Uint8Array).optional()
+});
+var IndexFilesOptionsSchema = z.object({
+  files: z.array(IndexFileInputSchema).min(1, "Files array must not be empty"),
+  ragDEK: z.instanceof(Uint8Array).optional()
+});
+var DeleteIndexOptionsSchema = z.object({
+  fileIds: z.array(z.string().min(1)).min(1, "File IDs array must not be empty"),
+  ragDEK: z.instanceof(Uint8Array).optional()
+});
+function validateAPIKey(apiKey) {
+  ApiKeySchema.parse(apiKey);
+}
+function validateDEKStore(dekStore) {
+  DEKStoreSchema.parse(dekStore);
+}
+function validateMimeType(mimeType) {
+  MimeTypeSchema.parse(mimeType);
+}
+function validateFileUploadOptions(options) {
+  FileUploadOptionsSchema.parse(options);
+}
+function validateListFilesOptions(options) {
+  ListFilesOptionsSchema.parse(options);
+}
+function validateGetFileOptions(options) {
+  GetFileOptionsSchema.parse(options);
+}
+function guessMimeType(fileName) {
+  const ext = fileName.toLowerCase().split(".").pop() || "";
+  const mimeTypeMap = {
+    jpg: "image/jpeg",
+    jpeg: "image/jpeg",
+    png: "image/png",
+    gif: "image/gif",
+    webp: "image/webp",
+    pdf: "application/pdf",
+    doc: "application/msword",
+    docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+    xls: "application/vnd.ms-excel",
+    xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    txt: "text/plain",
+    csv: "text/csv",
+    md: "text/markdown",
+    pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+    mp4: "video/mp4",
+    webm: "video/webm",
+    mov: "video/quicktime",
+    mp3: "audio/mpeg",
+    wav: "audio/wav",
+    ogg: "audio/ogg",
+    zip: "application/zip",
+    rar: "application/x-rar-compressed",
+    "7z": "application/x-7z-compressed"
+  };
+  return mimeTypeMap[ext] || "application/octet-stream";
+}
+async function saveRagDEKToBackend(apiKey, wrappedRagDEK, timeoutMs) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/users/save_rag_dek`, {
+      method: "POST",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        data: {
+          wrappedRagDEK,
+          confirmReplaceRagDEK: true
+        }
+      }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to save RAG DEK: HTTP ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.error) {
+      throw new Error(result.error);
+    }
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Save RAG DEK request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function prepareEncryptedPayload(dekStore, options, apiKey, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  const fileBytes = options.file;
+  const mimeType = options.mimeType || guessMimeType(options.fileName);
+  validateMimeType(mimeType);
+  const dek = randomBytes3(32);
+  const encryptedFile = encryptWithDEK(dek, fileBytes);
+  const encryptedName = encryptMetadataWithDEK(dek, options.fileName);
+  const encryptedMimeType = encryptMetadataWithDEK(dek, mimeType);
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const wrappedDEK = wrapDEK(_clientKEK, dek);
+  const clientKID = clientKEK ? getClientKID(clientKEK) : getClientKID();
+  const filePayload = {
+    client_hash: bytesToHex4(sha2562(fileBytes)),
+    encrypted_content: bytesToHex4(encryptedFile),
+    encrypted_name: encryptedName,
+    kid: clientKID,
+    mime_type: encryptedMimeType,
+    version: "2",
+    wrapped_dek: bytesToHex4(wrappedDEK)
+  };
+  if (options.ragIndex) {
+    await addRagIndexToPayload(dekStore, dek, filePayload, apiKey, clientKEK, timeoutMs);
+  }
+  return { dek, filePayload };
+}
+async function addRagIndexToPayload(dekStore, dek, filePayload, apiKey, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  let ragDEK = dekStore.ragDEK;
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  if (!ragDEK) {
+    ragDEK = randomBytes3(32);
+    const wrappedRagDEK = wrapDEK(_clientKEK, ragDEK);
+    dekStore.ragDEK = wrappedRagDEK;
+    try {
+      await saveRagDEKToBackend(apiKey, bytesToHex4(wrappedRagDEK), timeoutMs);
+    } catch (error) {
+      console.error("Warning: Failed to save RAG DEK to backend:", error);
+    }
+  } else {
+    ragDEK = unwrapDEK(_clientKEK, ragDEK);
+  }
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted: encryptedFileDEK, nonce: fileNonce } = encryptPayload(sharedSecret, dek);
+  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+  filePayload.encrypted_file_dek = bytesToHex4(encryptedFileDEK);
+  filePayload.encrypted_rag_dek = bytesToHex4(encryptedRagDEK);
+  filePayload.file_nonce = bytesToHex4(fileNonce);
+  filePayload.rag_dek_nonce = bytesToHex4(ragDEKNonce);
+  filePayload.cipher_text = bytesToHex4(cipherText);
+}
+async function performUpload(apiKey, filePayload, controller) {
+  const uploadResponse = await fetch(`${endpoints.proxy}/files/encrypted/upload`, {
+    method: "POST",
+    headers: {
+      Authorization: apiKey,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(filePayload),
+    signal: controller.signal
+  });
+  if (!uploadResponse.ok) {
+    let errorMessage = `Upload request failed with status ${uploadResponse.status}`;
+    try {
+      const body = await uploadResponse.json();
+      if (body.error) {
+        errorMessage = body.error;
+      }
+    } catch {}
+    throw new Error(errorMessage);
+  }
+  const uploadResult = await uploadResponse.json();
+  if (uploadResult.status !== 200) {
+    throw new Error(uploadResult.error || "Upload failed");
+  }
+  if (!uploadResult.data) {
+    throw new Error("Upload response missing data");
+  }
+  return uploadResult.data;
+}
+function storeDEKForFile(dekStore, fileId, dek, clientKEK) {
+  if (!dekStore.fileDEKs) {
+    dekStore.fileDEKs = new Map;
+  }
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const wrappedDEK = wrapDEK(_clientKEK, dek);
+  dekStore.fileDEKs.set(fileId, wrappedDEK);
+}
+async function uploadFile(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateDEKStore(dekStore);
+  validateFileUploadOptions(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const { dek, filePayload } = await prepareEncryptedPayload(dekStore, options, apiKey, clientKEK, timeoutMs);
+    const uploadedFile = await performUpload(apiKey, filePayload, controller);
+    storeDEKForFile(dekStore, uploadedFile.id, dek, clientKEK);
+    return uploadedFile;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`File upload timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function listFiles(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateListFilesOptions(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  const queryParams = new URLSearchParams;
+  if (options?.limit !== undefined) {
+    queryParams.append("limit", options.limit.toString());
+  }
+  if (options?.offset !== undefined) {
+    queryParams.append("offset", options.offset.toString());
+  }
+  if (options?.search) {
+    queryParams.append("search", options.search);
+  }
+  if (options?.from) {
+    queryParams.append("from", options.from);
+  }
+  if (options?.to) {
+    queryParams.append("to", options.to);
+  }
+  const queryString = queryParams.toString();
+  const url = `${endpoints.proxy}/files/encrypted${queryString ? `?${queryString}` : ""}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`List files request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.status !== 200) {
+      throw new Error(result.error || "List files failed");
+    }
+    if (!result.data) {
+      throw new Error("List files response missing data");
+    }
+    return result.data;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`List files request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function getFile(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateGetFileOptions(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  const queryParams = new URLSearchParams;
+  if (options.url !== undefined) {
+    queryParams.append("url", options.url ? "true" : "false");
+  }
+  const queryString = queryParams.toString();
+  const url = `${endpoints.proxy}/files/encrypted/${options.id}${queryString ? `?${queryString}` : ""}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        throw new Error(`File not found: ${options.id}`);
+      }
+      throw new Error(`Get file request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.status !== 200) {
+      throw new Error(result.error || "Get file failed");
+    }
+    if (!result.data) {
+      throw new Error("Get file response missing data");
+    }
+    return result.data;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Get file request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function deleteFile(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  DeleteFileOptionsSchema.parse(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/files/encrypted/${options.id}`, {
+      method: "DELETE",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        throw new Error(`File not found: ${options.id}`);
+      }
+      throw new Error(`Delete file request failed with status ${response.status}`);
+    }
+    await response.json();
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Delete file request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function indexFiles(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateDEKStore(dekStore);
+  IndexFilesOptionsSchema.parse(options);
+  TimeoutSchema.parse(timeoutMs);
+  const wrappedRagDEK = options.ragDEK || dekStore.ragDEK;
+  if (!wrappedRagDEK) {
+    throw new Error("RAG DEK not found. Provide ragDEK in options or upload at least one file with ragIndex: true.");
+  }
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const ragDEK = unwrapDEK(_clientKEK, wrappedRagDEK);
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const encryptedFiles = options.files.map((file) => {
+    const wrappedFileDEK = file.fileDEK || dekStore.fileDEKs?.get(file.fileId);
+    if (!wrappedFileDEK) {
+      throw new Error(`File DEK not found for file: ${file.fileId}. Provide fileDEK or ensure file was uploaded with this DEK store.`);
+    }
+    const fileDEK = unwrapDEK(_clientKEK, wrappedFileDEK);
+    const { encrypted: encryptedFileDEK, nonce: fileNonce } = encryptPayload(sharedSecret, fileDEK);
+    const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+    return {
+      file_id: file.fileId,
+      encrypted_file_dek: bytesToHex4(encryptedFileDEK),
+      encrypted_rag_dek: bytesToHex4(encryptedRagDEK),
+      file_nonce: bytesToHex4(fileNonce),
+      rag_dek_nonce: bytesToHex4(ragDEKNonce),
+      s3_r2_path: file.filePath,
+      cipher_text: bytesToHex4(cipherText)
+    };
+  });
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/files/encrypted/index`, {
+      method: "POST",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ files: encryptedFiles }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Index files request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    return result;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Index files request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function deleteIndex(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateDEKStore(dekStore);
+  DeleteIndexOptionsSchema.parse(options);
+  TimeoutSchema.parse(timeoutMs);
+  const wrappedRagDEK = options.ragDEK || dekStore.ragDEK;
+  if (!wrappedRagDEK) {
+    throw new Error("RAG DEK not found. Provide ragDEK in options or ensure dekStore has a ragDEK.");
+  }
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const ragDEK = unwrapDEK(_clientKEK, wrappedRagDEK);
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/files/encrypted/delete-index`, {
+      method: "POST",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        cipher_text: bytesToHex4(cipherText),
+        encrypted_rag_dek: bytesToHex4(encryptedRagDEK),
+        rag_dek_nonce: bytesToHex4(ragDEKNonce),
+        fileIds: options.fileIds
+      }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Delete index request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    return result;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Delete index request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+function createFilesClient(apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  return {
+    upload: (options) => uploadFile(apiKey, dekStore, options, clientKEK, timeoutMs),
+    list: (options) => listFiles(apiKey, options, timeoutMs),
+    get: (options) => getFile(apiKey, options, timeoutMs),
+    delete: (options) => deleteFile(apiKey, options, timeoutMs),
+    index: (options) => indexFiles(apiKey, dekStore, options, clientKEK, timeoutMs),
+    deleteIndex: (options) => deleteIndex(apiKey, dekStore, options, clientKEK, timeoutMs)
+  };
+}
+
+// src/models/index.ts
+async function listModels(params, apiKey, timeoutMs) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  const queryParams = new URLSearchParams;
+  if (params?.type !== undefined) {
+    queryParams.append("type", params.type);
+  }
+  const queryString = queryParams.toString();
+  const url = `${endpoints.proxy}/models${queryString ? `?${queryString}` : ""}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`List models request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.status !== 200) {
+      throw new Error(result.error || "List models failed");
+    }
+    if (!result.data) {
+      throw new Error("List models response missing data");
+    }
+    return result.data;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`List models request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+function createModelsClient(apiKey, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  return {
+    list: (params) => listModels(params, apiKey, timeoutMs)
+  };
+}
+
+// src/rvenc/index.ts
+import { bytesToHex as bytesToHex5, hexToBytes as hexToBytes5 } from "@noble/ciphers/utils.js";
+import OpenAI from "openai";
+function preprocessRequest(body, encryptionKeys) {
+  const { cipherText, sharedSecret } = encryptionKeys;
+  const { encrypted, nonce } = encryptPayload(sharedSecret, body);
+  return {
+    body: {
+      cipherText: bytesToHex5(cipherText),
+      encryptedInference: bytesToHex5(encrypted),
+      nonce: bytesToHex5(nonce),
+      model: body.model
+    },
+    sharedSecret,
+    nonce
+  };
+}
+async function postprocessStreamingResponse(response, sharedSecret, nonce, maxBufferSize) {
+  if (!response.body) {
+    throw new Error("Response body is null");
+  }
+  const reader = response.body.getReader();
+  const generator = createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxBufferSize);
+  return {
+    [Symbol.asyncIterator]() {
+      return generator;
+    }
+  };
+}
+async function postprocessNonStreamingResponse(response, sharedSecret) {
+  const data = await response.json();
+  if (!data.encryptedResponse || !data.nonce) {
+    throw new Error("Invalid non-streaming response: missing encryptedResponse or nonce");
+  }
+  const responseNonce = hexToBytes5(data.nonce);
+  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
+}
+function createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, maxBufferSize = DEFAULT_MAX_BUFFER_SIZE, attest2 = true, OpenAIClientParams) {
+  const client = new OpenAI({ apiKey: "not-used", ...OpenAIClientParams });
+  const originalChatCreate = client.chat.completions.create.bind(client.chat.completions);
+  client.chat.completions.create = async (body) => {
+    const isStreaming = body.stream === true;
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+    try {
+      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const encryptedRequest = preprocessRequest(body, encryptionKeys);
+      const response = await fetch(`${endpoints.proxy}/rvenc/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: isStreaming ? "text/event-stream" : "application/json",
+          Authorization: apiKey,
+          ...sessionId && { "X-Session-Id": sessionId }
+        },
+        body: JSON.stringify(encryptedRequest.body),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        await throwIfErrorResponse(response);
+      }
+      clearTimeout(timeoutId);
+      if (isStreaming) {
+        return await postprocessStreamingResponse(response, encryptedRequest.sharedSecret, encryptedRequest.nonce, maxBufferSize);
+      } else {
+        return await postprocessNonStreamingResponse(response, encryptedRequest.sharedSecret);
+      }
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
+      }
+      throw error;
+    }
+  };
+  return client;
+}
+async function* createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxBufferSize) {
+  const decoder = new TextDecoder;
+  let buffer = "";
+  try {
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done)
+        break;
+      buffer += decoder.decode(value, { stream: true });
+      if (buffer.length > maxBufferSize) {
+        throw new Error(`Stream buffer exceeded maximum size of ${maxBufferSize} bytes`);
+      }
+      const parts = buffer.split(`
+
+`);
+      for (let i = 0;i < parts.length - 1; i++) {
+        const part = parts[i];
+        const lines = part.split(`
+`);
+        let event;
+        let data;
+        if (lines[0]) {
+          const eventSplit = lines[0].split(": ");
+          event = eventSplit[1];
+        }
+        if (lines[1]) {
+          const dataSplit = lines[1].split(": ");
+          data = dataSplit.slice(1).join(": ");
+        }
+        if (event === "done" && data === "[DONE]") {
+          return;
+        }
+        if (event === "error") {
+          const errorObj = JSON.parse(data || "{}");
+          throw new Error(errorObj.error?.message || data || "Stream error");
+        }
+        if (event === "data" && data && data !== "[DONE]") {
+          const chunk = decryptPayload(data, sharedSecret, nonce);
+          if (chunk.error) {
+            throw new Error(chunk.error.message || "Stream error");
+          }
+          yield chunk;
+        }
+      }
+      buffer = parts[parts.length - 1];
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+
+// src/tools/index.ts
+import { bytesToHex as bytesToHex6, hexToBytes as hexToBytes6, randomBytes as randomBytes4 } from "@noble/ciphers/utils.js";
+var FILE_OUTPUT_TOOLS = ["generateImage", "audioGenerateFromText", "createFileForUser"];
+var FILE_INPUT_TOOLS = [
+  "imageDescribeAndCaption",
+  "imageDescribeAndCaptionFallback",
+  "videoDescribeAndCaption",
+  "getPDFContent",
+  "getTextDocumentContent",
+  "transcribeAudioToText",
+  "transcribeAudioWithDiarization",
+  "audioDiarization",
+  "getSpreadsheetContent",
+  "getPowerPointContent",
+  "getDataFileContent",
+  "getFileContentOCR"
+];
+var RAG_TOOLS = ["searchRag"];
+async function callToolRequest(toolName, body, apiKey, timeoutMs, attest2) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/tools/${toolName}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: apiKey
+      },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      await throwIfErrorResponse(response);
+    }
+    const data = await response.json();
+    return data.data;
+  } catch (error) {
+    clearTimeout(timeoutId);
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Tool request timed out after ${timeoutMs}ms`);
+    }
+    throw new Error(`Tool request failed: ${error instanceof Error ? error.message : error}`);
+  }
+}
+async function downloadEncryptedFile(fileId, apiKey, timeoutMs) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const metadataResponse = await fetch(`${endpoints.proxy}/files/encrypted/${fileId}?url=true`, {
+      headers: { Authorization: apiKey },
+      signal: controller.signal
+    });
+    if (!metadataResponse.ok) {
+      throw new Error(`Failed to get file metadata: ${metadataResponse.status}`);
+    }
+    const metadata = await metadataResponse.json();
+    const downloadUrl = metadata.data?.url;
+    if (!downloadUrl) {
+      throw new Error("No download URL in response");
+    }
+    const fileResponse = await fetch(downloadUrl, { signal: controller.signal });
+    if (!fileResponse.ok) {
+      throw new Error(`Failed to download file: ${fileResponse.status}`);
+    }
+    clearTimeout(timeoutId);
+    const arrayBuffer = await fileResponse.arrayBuffer();
+    return new Uint8Array(arrayBuffer);
+  } catch (error) {
+    clearTimeout(timeoutId);
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`File download timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  }
+}
+async function downloadAndDecryptFile(response, dek, apiKey, timeoutMs) {
+  if (!response.success || !response.fileId) {
+    return null;
+  }
+  const decryptFileName = (encryptedHex) => {
+    const encrypted = hexToBytes6(encryptedHex);
+    const decrypted = decryptWithDEK(dek, encrypted);
+    return new TextDecoder().decode(decrypted);
+  };
+  const fileName = decryptFileName(response.fileName);
+  const mimeType = decryptFileName(response.mimeType);
+  const encryptedFile = await downloadEncryptedFile(response.fileId, apiKey, timeoutMs);
+  const decryptedFile = decryptWithDEK(dek, encryptedFile);
+  return {
+    fileId: response.fileId,
+    fileName,
+    mimeType,
+    content: decryptedFile,
+    fileSize: decryptedFile.length
+  };
+}
+async function callSimpleTool(toolName, params, apiKey, timeoutMs, attest2) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    encryptedParams: bytesToHex6(encrypted),
+    nonce: bytesToHex6(nonce)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  return decryptPayload(response.encryptedResponse, sharedSecret, hexToBytes6(response.nonce));
+}
+async function callFileOutputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
+  const dek = randomBytes4(32);
+  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
+  const _clientKEK = clientKEK ? hexToBytes6(clientKEK) : getClientKEK();
+  const wrappedDEK = wrapDEK(_clientKEK, dek);
+  const clientKID = clientKEK ? getClientKID(clientKEK) : getClientKID();
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    encryptedParams: bytesToHex6(encrypted),
+    nonce: bytesToHex6(nonce),
+    encryptedDEK: bytesToHex6(encryptedDEK),
+    dekNonce: bytesToHex6(dekNonce),
+    kid: clientKID,
+    wrappedDEK: bytesToHex6(wrappedDEK)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  const result = await downloadAndDecryptFile(response, dek, apiKey, timeoutMs);
+  if (result && result.fileId) {
+    if (!dekStore.fileDEKs) {
+      dekStore.fileDEKs = new Map;
+    }
+    dekStore.fileDEKs.set(result.fileId, wrappedDEK);
+  }
+  return result;
+}
+async function callFileInputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  if (!params.fileId) {
+    throw new Error(`Tool ${toolName} requires fileId parameter`);
+  }
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const dek = randomBytes4(32);
+  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
+  const nonce = randomBytes4(24);
+  if (!dekStore.fileDEKs) {
+    dekStore.fileDEKs = new Map;
+  }
+  const _clientKEK = clientKEK ? hexToBytes6(clientKEK) : getClientKEK();
+  let fileDEK = dekStore.fileDEKs.get(params.fileId);
+  if (!fileDEK) {
+    fileDEK = randomBytes4(32);
+    const wrappedFileDEK = wrapDEK(_clientKEK, fileDEK);
+    dekStore.fileDEKs.set(params.fileId, wrappedFileDEK);
+  } else {
+    fileDEK = unwrapDEK(_clientKEK, fileDEK);
+  }
+  const { encrypted: encryptedFileDEK, nonce: fileDEKNonce } = encryptPayload(sharedSecret, fileDEK);
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    nonce: bytesToHex6(nonce),
+    fileId: params.fileId,
+    encryptedDEK: bytesToHex6(encryptedDEK),
+    dekNonce: bytesToHex6(dekNonce),
+    encryptedFileDEK: bytesToHex6(encryptedFileDEK),
+    fileDEKNonce: bytesToHex6(fileDEKNonce)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  return decryptPayload(response.encryptedResponse, sharedSecret, hexToBytes6(response.nonce));
+}
+async function callRagTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
+  const dek = randomBytes4(32);
+  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
+  if (!dekStore.fileDEKs) {
+    dekStore.fileDEKs = new Map;
+  }
+  let fileIds = [];
+  if (dekStore.fileDEKs.size > 0) {
+    fileIds = Array.from(dekStore.fileDEKs.keys());
+  }
+  const _clientKEK = clientKEK ? hexToBytes6(clientKEK) : getClientKEK();
+  const encryptedFileDEKs = fileIds.reduce((acc, fileId) => {
+    const fileDEK = dekStore.fileDEKs.get(fileId);
+    if (!fileDEK) {
+      return acc;
+    }
+    const unwrappedFileDEK = unwrapDEK(_clientKEK, fileDEK);
+    const { encrypted: encryptedFileDEK, nonce: fileDEKNonce } = encryptPayload(sharedSecret, unwrappedFileDEK);
+    acc.push({
+      fileId,
+      encryptedDEK: bytesToHex6(encryptedFileDEK),
+      nonce: bytesToHex6(fileDEKNonce)
+    });
+    return acc;
+  }, []);
+  if (!dekStore.ragDEK) {
+    throw new Error("RAG DEK not found in dekStore. Please upload at least one file with ragIndex: true to initialize RAG.");
+  }
+  if (!dekStore.ragVersion) {
+    throw new Error("RAG Version not found in dekStore. Please upload at least one file with ragIndex: true to initialize RAG.");
+  }
+  const ragDEK = unwrapDEK(_clientKEK, dekStore.ragDEK);
+  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+  const { encrypted: encryptedRagVersion, nonce: ragVersionNonce } = encryptPayload(sharedSecret, dekStore.ragVersion);
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    encryptedParams: bytesToHex6(encrypted),
+    nonce: bytesToHex6(nonce),
+    encryptedDEK: bytesToHex6(encryptedDEK),
+    dekNonce: bytesToHex6(dekNonce),
+    encryptedFileDEKs,
+    encryptedRagDEK: bytesToHex6(encryptedRagDEK),
+    ragDEKNonce: bytesToHex6(ragDEKNonce),
+    encryptedRagVersion: bytesToHex6(encryptedRagVersion),
+    ragVersionNonce: bytesToHex6(ragVersionNonce)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  return decryptPayload(response.encryptedResponse, sharedSecret, hexToBytes6(response.nonce));
+}
+async function callTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  if (FILE_OUTPUT_TOOLS.includes(toolName)) {
+    return callFileOutputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
+  } else if (FILE_INPUT_TOOLS.includes(toolName)) {
+    return callFileInputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
+  } else if (RAG_TOOLS.includes(toolName)) {
+    return callRagTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
+  } else {
+    return callSimpleTool(toolName, params, apiKey, timeoutMs, attest2);
+  }
+}
+function createToolsClient(apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  return {
+    generateImage: (params) => callTool("generateImage", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    audioGenerateFromText: (params) => callTool("audioGenerateFromText", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    createFileForUser: (params) => callTool("createFileForUser", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    imageDescribeAndCaption: (params) => callTool("imageDescribeAndCaption", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    imageDescribeAndCaptionFallback: (params) => callTool("imageDescribeAndCaptionFallback", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    videoDescribeAndCaption: (params) => callTool("videoDescribeAndCaption", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getPDFContent: (params) => callTool("getPDFContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getTextDocumentContent: (params) => callTool("getTextDocumentContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    transcribeAudioToText: (params) => callTool("transcribeAudioToText", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    transcribeAudioWithDiarization: (params) => callTool("transcribeAudioWithDiarization", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    audioDiarization: (params) => callTool("audioDiarization", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getFileContentOCR: (params) => callTool("getFileContentOCR", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getSpreadsheetContent: (params) => callTool("getSpreadsheetContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getDataFileContent: (params) => callTool("getDataFileContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getPowerPointContent: (params) => callTool("getPowerPointContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getTime: (params) => callTool("getTime", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    webSearchTool: (params) => callTool("webSearchTool", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    webPageScraperTool: (params) => callTool("webPageScraperTool", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    searchRag: (params) => callTool("searchRag", params, apiKey, dekStore, clientKEK, timeoutMs, attest2)
+  };
+}
+
+// src/core.ts
+async function createRvencClient(options) {
+  const {
+    apiKey,
+    clientKEK,
+    requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS,
+    maxBufferSize = DEFAULT_MAX_BUFFER_SIZE,
+    attest: attest2 = true
+  } = options;
+  if (options.config?.endpoints !== undefined) {
+    Object.assign(endpoints, options.config.endpoints);
+  }
+  let encryptionKeys;
+  try {
+    encryptionKeys = options.encryptionKeys ?? await generateEncryptionKeys(requestTimeoutMs);
+  } catch (error) {
+    throw new Error(`Failed to initialize encryption keys: ${error instanceof Error ? error.message : error}`);
+  }
+  const dekStore = options.dekStore ?? initializeDEKStore(clientKEK);
+  const client = createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs, maxBufferSize, attest2, options.config?.openAIClientOptions ?? {});
+  client.files = createFilesClient(apiKey, dekStore, clientKEK, requestTimeoutMs);
+  client.tools = createToolsClient(apiKey, dekStore, clientKEK, requestTimeoutMs, attest2);
+  client.audio = createAudioClient(apiKey, encryptionKeys, requestTimeoutMs, attest2);
+  client.models = createModelsClient(apiKey, requestTimeoutMs);
+  client.dekStore = dekStore;
+  return client;
+}
+var core_default = createRvencClient;
+
+// src/server.ts
+dotenv.config();
+var app = express();
+var HOST = process.env.HOST ?? "127.0.0.1";
+var PORT = process.env.PORT ? Number.parseInt(process.env.PORT, 10) : 3000;
+var serverProxyUrl = process.env.PROXY_URL;
+var serverEnclaveUrl = process.env.ENCLAVE_URL;
+var serverKek = process.env.CLIENT_KEK;
+var serverAttest = true;
+app.use(express.json());
+var storage = multer.memoryStorage();
+var upload = multer({
+  storage,
+  limits: {
+    fileSize: 25 * 1024 * 1024
+  }
+});
+var clientCache = new Map;
+function extractApiKey(req) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader) {
+    return null;
+  }
+  if (authHeader.startsWith("Bearer ")) {
+    return authHeader.substring(7);
+  }
+  return authHeader;
+}
+async function getOrCreateClient(apiKey) {
+  if (clientCache.has(apiKey)) {
+    return clientCache.get(apiKey);
+  }
+  const client = await core_default({
+    apiKey,
+    clientKEK: serverKek,
+    attest: serverAttest,
+    config: {
+      endpoints: {
+        enclave: serverEnclaveUrl,
+        proxy: serverProxyUrl
+      }
+    }
+  });
+  clientCache.set(apiKey, client);
+  return client;
+}
+app.get("/", (_, res) => {
+  res.json({
+    message: "Rvenc OpenAI-compatible API Server",
+    version: "1.0.0",
+    endpoints: {
+      chat_completions: "POST /v1/chat/completions"
+    }
+  });
+});
+app.post("/v1/chat/completions", async (req, res) => {
+  try {
+    const apiKey = extractApiKey(req);
+    if (!apiKey) {
+      return res.status(401).json({
+        error: {
+          message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
+          type: "invalid_request_error",
+          code: "invalid_api_key"
+        }
+      });
+    }
+    const client = await getOrCreateClient(apiKey);
+    const params = req.body;
+    const completion = await client.chat.completions.create(params);
+    if (params.stream) {
+      res.setHeader("Content-Type", "text/event-stream");
+      res.setHeader("Cache-Control", "no-cache");
+      res.setHeader("Connection", "keep-alive");
+      if (completion && typeof completion === "object" && Symbol.asyncIterator in completion) {
+        try {
+          for await (const chunk of completion) {
+            const data = `data: ${JSON.stringify(chunk)}
+
+`;
+            res.write(data);
+          }
+          res.write(`data: [DONE]
+
+`);
+          res.end();
+        } catch (error) {
+          console.error("Streaming error:", error);
+          if (!res.headersSent) {
+            res.status(500).json({
+              error: {
+                message: error.message || "Streaming error",
+                type: "server_error"
+              }
+            });
+          } else {
+            res.end();
+          }
+        }
+      } else {
+        res.write(`data: ${JSON.stringify(completion)}
+
+`);
+        res.write(`data: [DONE]
+
+`);
+        res.end();
+      }
+    } else {
+      res.json(completion);
+    }
+  } catch (error) {
+    console.error("Chat completions error:", error);
+    const statusCode = error.status || 500;
+    res.status(statusCode).json({
+      error: {
+        message: error.message || "Internal server error",
+        type: error.type || "server_error",
+        code: error.code
+      }
+    });
+  }
+});
+app.post("/v1/audio/transcriptions", upload.single("file"), async (req, res) => {
+  try {
+    const apiKey = extractApiKey(req);
+    if (!apiKey) {
+      return res.status(401).json({
+        error: {
+          message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
+          type: "invalid_request_error",
+          code: "invalid_api_key"
+        }
+      });
+    }
+    if (!req.file) {
+      return res.status(400).json({
+        error: {
+          message: "Missing required file parameter",
+          type: "invalid_request_error"
+        }
+      });
+    }
+    const client = await getOrCreateClient(apiKey);
+    const file = new File([req.file.buffer], req.file.originalname, {
+      type: req.file.mimetype
+    });
+    const params = {
+      file,
+      model: req.body.model
+    };
+    if (req.body.language)
+      params.language = req.body.language;
+    if (req.body.prompt)
+      params.prompt = req.body.prompt;
+    if (req.body.response_format)
+      params.response_format = req.body.response_format;
+    if (req.body.temperature)
+      params.temperature = parseFloat(req.body.temperature);
+    if (req.body.timestamp_granularities) {
+      params.timestamp_granularities = Array.isArray(req.body.timestamp_granularities) ? req.body.timestamp_granularities : JSON.parse(req.body.timestamp_granularities);
+    }
+    const transcription = await client.audio.transcriptions.create(params);
+    res.json(transcription);
+  } catch (error) {
+    console.error("Audio transcription error:", error);
+    const statusCode = error.status || 500;
+    res.status(statusCode).json({
+      error: {
+        message: error.message || "Internal server error",
+        type: error.type || "server_error",
+        code: error.code
+      }
+    });
+  }
+});
+app.post("/v1/audio/translations", upload.single("file"), async (req, res) => {
+  try {
+    const apiKey = extractApiKey(req);
+    if (!apiKey) {
+      return res.status(401).json({
+        error: {
+          message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
+          type: "invalid_request_error",
+          code: "invalid_api_key"
+        }
+      });
+    }
+    if (!req.file) {
+      return res.status(400).json({
+        error: {
+          message: "Missing required file parameter",
+          type: "invalid_request_error"
+        }
+      });
+    }
+    const client = await getOrCreateClient(apiKey);
+    const file = new File([req.file.buffer], req.file.originalname, {
+      type: req.file.mimetype
+    });
+    const params = {
+      file,
+      model: req.body.model
+    };
+    if (req.body.prompt)
+      params.prompt = req.body.prompt;
+    if (req.body.response_format)
+      params.response_format = req.body.response_format;
+    if (req.body.temperature)
+      params.temperature = parseFloat(req.body.temperature);
+    const translation = await client.audio.translations.create(params);
+    res.json(translation);
+  } catch (error) {
+    console.error("Audio translation error:", error);
+    const statusCode = error.status || 500;
+    res.status(statusCode).json({
+      error: {
+        message: error.message || "Internal server error",
+        type: error.type || "server_error",
+        code: error.code
+      }
+    });
+  }
+});
+app.use((err, _req, res, _next) => {
+  console.error(`Unhandled error: ${err}`);
+  res.status(500).json({
+    error: {
+      message: err.message || "Internal server error",
+      type: "server_error"
+    }
+  });
+});
+app.use((req, res) => {
+  res.status(404).json({
+    error: {
+      message: `Route ${req.method} ${req.path} not found`,
+      type: "invalid_request_error"
+    }
+  });
+});
+async function startServer(options = {}) {
+  const { host, port, proxyUrl, enclaveUrl, kek, attest: attest2 } = options;
+  const serverHost = host || HOST;
+  const serverPort = port || PORT;
+  serverAttest = attest2 !== false;
+  if (proxyUrl) {
+    serverProxyUrl = proxyUrl;
+  }
+  if (enclaveUrl) {
+    serverEnclaveUrl = enclaveUrl;
+  }
+  if (kek) {
+    serverKek = kek;
+  }
+  return new Promise((resolve, reject) => {
+    const server = app.listen(serverPort, serverHost, () => {
+      console.log(`
+Rvenc Server running on http://${serverHost}:${serverPort}`);
+      resolve();
+    });
+    server.on("error", (error) => {
+      if (error.code === "EADDRINUSE") {
+        console.error(`❌ Port ${serverPort} is already in use`);
+      } else {
+        console.error(`❌ Failed to start server: ${error}`);
+      }
+      reject(error);
+    });
+  });
+}
+if (false) {}
+var server_default = app;
+
+// src/index.ts
+dotenv2.config();
+export {
+  startServer,
+  server_default as serverApp,
+  serializeDEKStore,
+  isGatewayError,
+  isAttestationError,
+  initializeDEKStore,
+  getGatewayErrorMessage,
+  getClientKID,
+  getClientKEK,
+  generateNewClientKEK,
+  generateEncryptionKeys,
+  deserializeDEKStore,
+  core_default as default,
+  createRvencClient
+};