@premai/api-sdk 1.0.40 → 1.0.42

package/dist/cli-claude.mjs

@@ -0,0 +1,3304 @@
+#!/usr/bin/env node
+import { createRequire } from "node:module";
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/launcher/claude-code.ts
+import { spawn, spawnSync } from "node:child_process";
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { config } from "dotenv";
+import envPaths from "env-paths";
+
+// src/utils/dek-store.ts
+import { bytesToHex as bytesToHex2, hexToBytes as hexToBytes2, randomBytes as randomBytes2 } from "@noble/ciphers/utils.js";
+
+// src/utils/crypto.ts
+import { aeskwp } from "@noble/ciphers/aes.js";
+import { xchacha20poly1305 } from "@noble/ciphers/chacha.js";
+import { bytesToHex, hexToBytes, managedNonce, randomBytes } from "@noble/ciphers/utils.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import { sha3_256 } from "@noble/hashes/sha3.js";
+import { XWing } from "@noble/post-quantum/hybrid.js";
+
+// src/config.ts
+var endpoints = {
+  enclave: process.env.ENCLAVE_URL,
+  proxy: process.env.PROXY_URL
+};
+var DEFAULT_REQUEST_TIMEOUT_MS = 600000;
+var DEFAULT_MAX_BUFFER_SIZE = 10 * 1024 * 1024;
+
+// src/utils/crypto.ts
+function createMLKEMEncapsulation(publicKeyHex) {
+  return XWing.encapsulate(hexToBytes(publicKeyHex));
+}
+function encryptPayload(sharedSecret, data) {
+  const nonce = randomBytes(24);
+  const chacha = xchacha20poly1305(sharedSecret, nonce);
+  let encodedData;
+  if (data instanceof Uint8Array) {
+    encodedData = data;
+  } else if (typeof data === "string") {
+    encodedData = new TextEncoder().encode(data);
+  } else {
+    encodedData = new TextEncoder().encode(JSON.stringify(data));
+  }
+  const encrypted = chacha.encrypt(encodedData);
+  return { encrypted, nonce };
+}
+function decryptPayload(encryptedData, sharedSecret, nonce) {
+  const chacha = xchacha20poly1305(sharedSecret, nonce);
+  const encrypted = hexToBytes(encryptedData);
+  const decrypted = chacha.decrypt(encrypted);
+  const str = new TextDecoder().decode(decrypted);
+  try {
+    return JSON.parse(str);
+  } catch {
+    return str;
+  }
+}
+async function getEnclavePublicKey(timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.enclave}/publicKey`, {
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to fetch enclave public key: ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    if (!data.publicKey || typeof data.publicKey !== "string") {
+      throw new Error("Invalid public key response from enclave");
+    }
+    return data.publicKey;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Enclave public key request timed out after ${timeoutMs}ms`);
+    }
+    throw new Error(`Failed to get enclave public key: ${error instanceof Error ? error.message : error}`);
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function generateEncryptionKeys(timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  return createMLKEMEncapsulation(enclavePublicKey);
+}
+function keyIdFromKEK(kek, context = "kek:v1", length = 16) {
+  const ctx = new TextEncoder().encode(context);
+  const input = new Uint8Array(kek.length + ctx.length);
+  input.set(kek, 0);
+  input.set(ctx, kek.length);
+  const digest = sha256(input);
+  return digest.slice(0, length);
+}
+function encryptWithDEK(dek, plaintext) {
+  const aead = managedNonce(xchacha20poly1305)(dek);
+  return aead.encrypt(plaintext);
+}
+function encryptMetadataWithDEK(dek, metadata) {
+  const encoded = new TextEncoder().encode(metadata);
+  const encrypted = encryptWithDEK(dek, encoded);
+  return bytesToHex(encrypted);
+}
+function wrapDEK(kek, dek) {
+  const kw = aeskwp(kek);
+  return kw.encrypt(dek);
+}
+function unwrapDEK(kek, wrappedDEK) {
+  const kw = aeskwp(kek);
+  return kw.decrypt(wrappedDEK);
+}
+function decryptWithDEK(dek, encryptedContent) {
+  const aead = managedNonce(xchacha20poly1305)(dek);
+  return aead.decrypt(encryptedContent);
+}
+
+// src/utils/dek-store.ts
+function initializeDEKStore(clientKEK) {
+  const ragDEK = randomBytes2(32);
+  const _clientKEK = clientKEK ? hexToBytes2(clientKEK) : getClientKEK();
+  const wrappedRagDEK = wrapDEK(_clientKEK, ragDEK);
+  return {
+    fileDEKs: new Map,
+    ragDEK: wrappedRagDEK,
+    ragVersion: "2"
+  };
+}
+function getClientKEK() {
+  if (!process.env.CLIENT_KEK) {
+    throw new Error("CLIENT_KEK environment variable is not set.");
+  }
+  return hexToBytes2(process.env.CLIENT_KEK);
+}
+function getClientKID(clientKEK) {
+  if (clientKEK) {
+    return bytesToHex2(keyIdFromKEK(hexToBytes2(clientKEK)));
+  }
+  const _clientKEK = getClientKEK();
+  return bytesToHex2(keyIdFromKEK(_clientKEK));
+}
+function generateNewClientKEK() {
+  return bytesToHex2(randomBytes2(32));
+}
+
+// src/launcher/model-picker.tsx
+import { Box, render, Text, useApp, useInput, useWindowSize } from "ink";
+import { useMemo, useState } from "react";
+import { jsxDEV } from "react/jsx-dev-runtime";
+function ModelPicker({ models, onSelect, onCancel }) {
+  const { exit } = useApp();
+  const { rows: termRows } = useWindowSize();
+  const [cursor, setCursor] = useState(0);
+  const modelLabels = useMemo(() => models.map((m) => m.display_name && m.display_name !== m.id ? `${m.id} — ${m.display_name}` : m.id), [models]);
+  const visibleCount = Math.max(1, Math.min(modelLabels.length, termRows - 4));
+  const scrollOffset = Math.max(0, Math.min(cursor - Math.floor(visibleCount / 2), modelLabels.length - visibleCount));
+  const windowedLabels = modelLabels.slice(scrollOffset, scrollOffset + visibleCount);
+  useInput((_input, key) => {
+    if (key.upArrow || _input === "k" && !key.ctrl) {
+      setCursor((c) => Math.max(0, c - 1));
+      return;
+    }
+    if (key.downArrow || _input === "j" && !key.ctrl) {
+      setCursor((c) => Math.min(modelLabels.length - 1, c + 1));
+      return;
+    }
+    if (key.return) {
+      onSelect(models[cursor]);
+      exit();
+      return;
+    }
+    if (key.escape) {
+      onCancel?.();
+      exit();
+    }
+  });
+  return /* @__PURE__ */ jsxDEV(Box, {
+    flexDirection: "column",
+    paddingTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV(Text, {
+        dimColor: true,
+        children: "Available models (use ↑/↓ or j/k to navigate, Enter to select):"
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV(Box, {
+        flexDirection: "column",
+        paddingTop: 1,
+        children: windowedLabels.map((label, i) => {
+          const globalIdx = scrollOffset + i;
+          if (globalIdx === cursor) {
+            return /* @__PURE__ */ jsxDEV(Box, {
+              paddingLeft: 2,
+              children: /* @__PURE__ */ jsxDEV(Text, {
+                inverse: true,
+                children: label.padEnd(process.stdout.columns - 4)
+              }, undefined, false, undefined, this)
+            }, label, false, undefined, this);
+          }
+          return /* @__PURE__ */ jsxDEV(Box, {
+            paddingLeft: 2,
+            children: /* @__PURE__ */ jsxDEV(Text, {
+              children: label
+            }, undefined, false, undefined, this)
+          }, label, false, undefined, this);
+        })
+      }, undefined, false, undefined, this),
+      modelLabels.length > visibleCount && /* @__PURE__ */ jsxDEV(Box, {
+        paddingLeft: 2,
+        paddingTop: 1,
+        children: /* @__PURE__ */ jsxDEV(Text, {
+          dimColor: true,
+          children: [
+            scrollOffset > 0 ? "↑ more" : "",
+            scrollOffset > 0 && scrollOffset + visibleCount < modelLabels.length ? " · " : "",
+            scrollOffset + visibleCount < modelLabels.length ? "↓ more" : ""
+          ]
+        }, undefined, true, undefined, this)
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function interactivePickModel(models) {
+  return new Promise((resolve, reject) => {
+    const { unmount, waitUntilExit } = render(/* @__PURE__ */ jsxDEV(ModelPicker, {
+      models,
+      onSelect: (model) => resolve(model),
+      onCancel: () => reject(new Error("Aborted by user (Escape)."))
+    }, undefined, false, undefined, this), { exitOnCtrlC: true });
+    waitUntilExit().then(() => {
+      unmount();
+    });
+  });
+}
+
+// src/server/create-app.ts
+import express from "express";
+
+// src/anthropic/http.ts
+import { randomBytes as randomBytes3 } from "node:crypto";
+var ANTHROPIC_VERSION_DEFAULT = "2023-06-01";
+var ANTHROPIC_VERSION_DATE = /^\d{4}-\d{2}-\d{2}$/;
+function isAnthropicApiVersionSupported(version) {
+  if (version === ANTHROPIC_VERSION_DEFAULT) {
+    return true;
+  }
+  return ANTHROPIC_VERSION_DATE.test(version);
+}
+function newAnthropicRequestId() {
+  return `req_${randomBytes3(12).toString("hex")}`;
+}
+function newAnthropicMessageId() {
+  return `msg_${randomBytes3(12).toString("hex")}`;
+}
+function extractAnthropicApiKey(req) {
+  const raw = req.headers["x-api-key"];
+  if (typeof raw === "string" && raw.length > 0) {
+    return raw;
+  }
+  if (Array.isArray(raw) && raw[0]) {
+    return raw[0];
+  }
+  const authHeader = req.headers.authorization;
+  if (!authHeader) {
+    return null;
+  }
+  if (authHeader.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  return authHeader;
+}
+function getAnthropicVersionHeader(req) {
+  const raw = req.headers["anthropic-version"];
+  if (typeof raw === "string" && raw.length > 0) {
+    return raw;
+  }
+  if (Array.isArray(raw) && raw[0]) {
+    return raw[0];
+  }
+  return null;
+}
+function resolveAnthropicVersion(req) {
+  const header = getAnthropicVersionHeader(req);
+  const version = header ?? ANTHROPIC_VERSION_DEFAULT;
+  if (!isAnthropicApiVersionSupported(version)) {
+    return {
+      ok: false,
+      message: `Unsupported anthropic-version: ${version}. Expected a dated version (YYYY-MM-DD) or ${ANTHROPIC_VERSION_DEFAULT}.`
+    };
+  }
+  return { ok: true, version };
+}
+function sendAnthropicHttpError(res, status, errorType, message, requestId) {
+  res.setHeader("request-id", requestId);
+  res.status(status).json({
+    type: "error",
+    error: { type: errorType, message },
+    request_id: requestId
+  });
+}
+function httpStatusToAnthropicErrorType(status) {
+  if (status === 401) {
+    return "authentication_error";
+  }
+  if (status === 402) {
+    return "billing_error";
+  }
+  if (status === 403) {
+    return "permission_error";
+  }
+  if (status === 404) {
+    return "not_found_error";
+  }
+  if (status === 413) {
+    return "request_too_large";
+  }
+  if (status === 429) {
+    return "rate_limit_error";
+  }
+  if (status === 504) {
+    return "timeout_error";
+  }
+  if (status === 529) {
+    return "overloaded_error";
+  }
+  if (status >= 400 && status < 500) {
+    return "invalid_request_error";
+  }
+  return "api_error";
+}
+function extractErrorMessage(err) {
+  if (!err || typeof err !== "object") {
+    return null;
+  }
+  const o = err;
+  if (typeof o.message === "string" && o.message.length > 0) {
+    return o.message;
+  }
+  if (typeof o.error === "string" && o.error.length > 0) {
+    return o.error;
+  }
+  if (o.error && typeof o.error === "object") {
+    const nested = o.error.message;
+    if (typeof nested === "string" && nested.length > 0) {
+      return nested;
+    }
+  }
+  return null;
+}
+function looksLikeApiErrorResponse(err) {
+  if (!err || typeof err !== "object")
+    return false;
+  const o = err;
+  if (typeof o.status !== "number")
+    return false;
+  return "error" in o || "message" in o;
+}
+function mapUnknownErrorToAnthropicResponse(err, res, requestId) {
+  if (looksLikeApiErrorResponse(err)) {
+    const status = err.status >= 400 && err.status < 600 ? err.status : 500;
+    const message2 = extractErrorMessage(err) ?? "Request failed";
+    const errorType = httpStatusToAnthropicErrorType(status);
+    sendAnthropicHttpError(res, status, errorType, message2, requestId);
+    return;
+  }
+  const message = extractErrorMessage(err) ?? (err instanceof Error ? err.message : "Internal server error");
+  sendAnthropicHttpError(res, 500, "api_error", message, requestId);
+}
+function writeAnthropicSseEvent(res, event, data) {
+  res.write(`event: ${event}
+data: ${JSON.stringify(data)}
+
+`);
+}
+
+// src/anthropic/to-openai.ts
+class AnthropicRequestValidationError extends Error {
+  status = 400;
+  anthropicType = "invalid_request_error";
+  constructor(message) {
+    super(message);
+    this.name = "AnthropicRequestValidationError";
+  }
+}
+function systemToOpenAiMessages(system) {
+  if (typeof system === "string") {
+    if (system.length === 0) {
+      return [];
+    }
+    return [{ role: "system", content: system }];
+  }
+  if (Array.isArray(system)) {
+    const parts = [];
+    for (const block of system) {
+      if (block && block.type === "text" && typeof block.text === "string") {
+        parts.push(block.text);
+      } else if (block && typeof block === "object") {
+        console.warn(`[proxy] system block type "${block.type}" is not supported and will be ignored.`);
+      }
+    }
+    if (parts.length === 0) {
+      return [];
+    }
+    return [{ role: "system", content: parts.join(`
+
+`) }];
+  }
+  if (system.type === "text" && typeof system.text === "string") {
+    return [{ role: "system", content: system.text }];
+  }
+  throw new AnthropicRequestValidationError("Invalid system parameter shape.");
+}
+function toolResultContentToString(content) {
+  if (typeof content === "string") {
+    return content;
+  }
+  if (content === null || content === undefined) {
+    return "";
+  }
+  if (Array.isArray(content)) {
+    const parts = [];
+    for (const block of content) {
+      if (block && typeof block === "object" && "type" in block && block.type === "text" && typeof block.text === "string") {
+        parts.push(block.text);
+      } else {
+        parts.push(JSON.stringify(block));
+      }
+    }
+    return parts.join(`
+`);
+  }
+  return JSON.stringify(content);
+}
+function anthropicImageBlockToOpenAIPart(part) {
+  const source = part.source;
+  if (!source || typeof source !== "object") {
+    return null;
+  }
+  const s = source;
+  if (s.type === "base64" && typeof s.data === "string" && s.data.length > 0) {
+    const mediaType = typeof s.media_type === "string" && s.media_type.length > 0 ? s.media_type : "image/png";
+    return {
+      type: "image_url",
+      image_url: { url: `data:${mediaType};base64,${s.data}` }
+    };
+  }
+  if (s.type === "url" && typeof s.url === "string" && s.url.length > 0) {
+    return { type: "image_url", image_url: { url: s.url } };
+  }
+  return null;
+}
+function anthropicUserContentToOpenAIMessages(content) {
+  if (typeof content === "string") {
+    return [{ role: "user", content }];
+  }
+  const out = [];
+  const partsBuf = [];
+  const flushParts = () => {
+    if (partsBuf.length === 0) {
+      return;
+    }
+    if (partsBuf.length === 1 && partsBuf[0].type === "text") {
+      out.push({ role: "user", content: partsBuf[0].text });
+    } else {
+      out.push({ role: "user", content: [...partsBuf] });
+    }
+    partsBuf.length = 0;
+  };
+  for (const part of content) {
+    if (!part || typeof part !== "object") {
+      throw new AnthropicRequestValidationError("Invalid message content entry.");
+    }
+    if (part.type === "text" && typeof part.text === "string") {
+      partsBuf.push({
+        type: "text",
+        text: part.text
+      });
+      continue;
+    }
+    if (part.type === "image") {
+      const imgPart = anthropicImageBlockToOpenAIPart(part);
+      if (imgPart) {
+        partsBuf.push(imgPart);
+      }
+      continue;
+    }
+    if (part.type === "tool_result") {
+      flushParts();
+      const id = part.tool_use_id;
+      const rawContent = part.content;
+      if (typeof id !== "string" || id.length === 0) {
+        throw new AnthropicRequestValidationError("tool_result blocks require a non-empty tool_use_id.");
+      }
+      out.push({
+        role: "tool",
+        tool_call_id: id,
+        content: toolResultContentToString(rawContent)
+      });
+    }
+  }
+  flushParts();
+  return out;
+}
+function anthropicAssistantContentToOpenAI(content) {
+  if (typeof content === "string") {
+    return { role: "assistant", content };
+  }
+  const textParts = [];
+  const toolCalls = [];
+  for (const part of content) {
+    if (!part || typeof part !== "object") {
+      throw new AnthropicRequestValidationError("Invalid message content entry.");
+    }
+    if (part.type === "text" && typeof part.text === "string") {
+      textParts.push(part.text);
+      continue;
+    }
+    if (part.type === "tool_use") {
+      const p = part;
+      if (typeof p.id !== "string" || p.id.length === 0) {
+        throw new AnthropicRequestValidationError("tool_use blocks require a non-empty id.");
+      }
+      if (typeof p.name !== "string" || p.name.length === 0) {
+        throw new AnthropicRequestValidationError("tool_use blocks require a non-empty name.");
+      }
+      const args = typeof p.input === "string" ? p.input : JSON.stringify(p.input ?? {});
+      toolCalls.push({
+        id: p.id,
+        type: "function",
+        function: { name: p.name, arguments: args }
+      });
+    }
+  }
+  const msg = {
+    role: "assistant",
+    content: textParts.length > 0 ? textParts.join(`
+`) : null
+  };
+  if (toolCalls.length > 0) {
+    msg.tool_calls = toolCalls;
+  }
+  return msg;
+}
+function anthropicToolsToOpenAI(tools) {
+  if (tools === undefined) {
+    return;
+  }
+  if (!Array.isArray(tools)) {
+    throw new AnthropicRequestValidationError("tools must be an array.");
+  }
+  const out = [];
+  for (const t of tools) {
+    if (!t || typeof t !== "object") {
+      throw new AnthropicRequestValidationError("Invalid tool entry.");
+    }
+    const name = t.name;
+    const desc = t.description;
+    const schema = t.input_schema;
+    if (typeof name !== "string" || name.length === 0) {
+      throw new AnthropicRequestValidationError("Each tool must include a non-empty name.");
+    }
+    if (schema !== undefined && (typeof schema !== "object" || schema === null)) {
+      throw new AnthropicRequestValidationError("tool input_schema must be an object when provided.");
+    }
+    out.push({
+      type: "function",
+      function: {
+        name,
+        ...typeof desc === "string" ? { description: desc } : {},
+        parameters: schema ?? {
+          type: "object",
+          properties: {}
+        }
+      }
+    });
+  }
+  return out;
+}
+function anthropicToolChoiceToOpenAI(toolChoice) {
+  if (toolChoice === undefined) {
+    return;
+  }
+  if (typeof toolChoice !== "object" || toolChoice === null || !("type" in toolChoice)) {
+    throw new AnthropicRequestValidationError("Invalid tool_choice shape.");
+  }
+  const tc = toolChoice;
+  switch (tc.type) {
+    case "auto":
+      return "auto";
+    case "none":
+      return "none";
+    case "any":
+      return "required";
+    case "tool": {
+      if (typeof tc.name !== "string" || tc.name.length === 0) {
+        throw new AnthropicRequestValidationError('tool_choice type "tool" requires a non-empty name.');
+      }
+      return { type: "function", function: { name: tc.name } };
+    }
+    default:
+      throw new AnthropicRequestValidationError(`Unsupported tool_choice type "${tc.type}".`);
+  }
+}
+function anthropicMessagesCreateToOpenAI(body) {
+  if (typeof body.model !== "string" || !body.model) {
+    throw new AnthropicRequestValidationError("model is required.");
+  }
+  if (typeof body.max_tokens !== "number" || !Number.isFinite(body.max_tokens)) {
+    throw new AnthropicRequestValidationError("max_tokens is required and must be a number.");
+  }
+  if (!Array.isArray(body.messages)) {
+    throw new AnthropicRequestValidationError("messages must be an array.");
+  }
+  const messages = [];
+  if (body.system !== undefined) {
+    messages.push(...systemToOpenAiMessages(body.system));
+  }
+  for (const m of body.messages) {
+    if (m.role !== "user" && m.role !== "assistant") {
+      throw new AnthropicRequestValidationError(`Invalid message role "${m.role}".`);
+    }
+    if (m.role === "user") {
+      messages.push(...anthropicUserContentToOpenAIMessages(m.content));
+    } else {
+      messages.push(anthropicAssistantContentToOpenAI(m.content));
+    }
+  }
+  const isStreaming = Boolean(body.stream);
+  const params = {
+    model: body.model,
+    messages,
+    max_tokens: body.max_tokens,
+    stream: isStreaming
+  };
+  if (isStreaming) {
+    params.stream_options = { include_usage: true };
+  }
+  const tools = anthropicToolsToOpenAI(body.tools);
+  if (tools !== undefined && tools.length > 0) {
+    params.tools = tools;
+  }
+  const toolChoice = anthropicToolChoiceToOpenAI(body.tool_choice);
+  if (toolChoice !== undefined) {
+    params.tool_choice = toolChoice;
+  }
+  if (body.stop_sequences !== undefined) {
+    if (!Array.isArray(body.stop_sequences) || !body.stop_sequences.every((s) => typeof s === "string")) {
+      throw new AnthropicRequestValidationError("stop_sequences must be an array of strings.");
+    }
+    params.stop = body.stop_sequences;
+  }
+  if (typeof body.temperature === "number") {
+    params.temperature = body.temperature;
+  }
+  if (typeof body.top_p === "number") {
+    params.top_p = body.top_p;
+  }
+  if (typeof body.top_k === "number") {
+    console.warn("[proxy] top_k is not supported by the OpenAI API and will be ignored.");
+  }
+  return params;
+}
+
+// src/anthropic/count-tokens-route.ts
+function extractTextCharCount(body) {
+  let len = 0;
+  if (typeof body.system === "string") {
+    len += body.system.length;
+  } else if (Array.isArray(body.system)) {
+    for (const block of body.system) {
+      if (block && block.type === "text" && typeof block.text === "string") {
+        len += block.text.length;
+      }
+    }
+  } else if (body.system && typeof body.system === "object" && body.system.type === "text") {
+    len += body.system.text.length;
+  }
+  for (const msg of body.messages) {
+    if (typeof msg.content === "string") {
+      len += msg.content.length;
+    } else if (Array.isArray(msg.content)) {
+      for (const part of msg.content) {
+        if (!part || typeof part !== "object")
+          continue;
+        if (part.type === "text" && typeof part.text === "string") {
+          len += part.text.length;
+        } else if (part.type === "tool_result") {
+          const c = part.content;
+          if (typeof c === "string") {
+            len += c.length;
+          }
+        }
+      }
+    }
+  }
+  if (Array.isArray(body.tools)) {
+    len += JSON.stringify(body.tools).length;
+  }
+  return len;
+}
+function registerAnthropicCountTokensRoute(router, _deps) {
+  router.post("/v1/messages/count_tokens", async (req, res) => {
+    const requestId = newAnthropicRequestId();
+    res.setHeader("request-id", requestId);
+    const versionResult = resolveAnthropicVersion(req);
+    if (!versionResult.ok) {
+      return sendAnthropicHttpError(res, 400, "invalid_request_error", versionResult.message, requestId);
+    }
+    const apiKey = extractAnthropicApiKey(req);
+    if (!apiKey) {
+      return sendAnthropicHttpError(res, 401, "authentication_error", "Missing x-api-key header (or Authorization with API key).", requestId);
+    }
+    try {
+      const raw = req.body;
+      const body = {
+        ...raw,
+        max_tokens: typeof raw.max_tokens === "number" && Number.isFinite(raw.max_tokens) ? raw.max_tokens : 4096,
+        stream: false
+      };
+      anthropicMessagesCreateToOpenAI(body);
+      const input_tokens = Math.max(1, Math.ceil(extractTextCharCount(body) / 4));
+      res.json({ input_tokens });
+    } catch (err) {
+      if (err instanceof AnthropicRequestValidationError) {
+        return sendAnthropicHttpError(res, err.status, err.anthropicType, err.message, requestId);
+      }
+      mapUnknownErrorToAnthropicResponse(err, res, requestId);
+    }
+  });
+}
+
+// src/anthropic/from-openai.ts
+function openAiFinishReasonToAnthropic(finish) {
+  if (!finish) {
+    return { stop_reason: null, stop_sequence: null };
+  }
+  switch (finish) {
+    case "stop":
+      return { stop_reason: "end_turn", stop_sequence: null };
+    case "length":
+      return { stop_reason: "max_tokens", stop_sequence: null };
+    case "tool_calls":
+      return { stop_reason: "tool_use", stop_sequence: null };
+    case "content_filter":
+      return { stop_reason: "refusal", stop_sequence: null };
+    default:
+      return { stop_reason: "end_turn", stop_sequence: null };
+  }
+}
+function extractTextFromAssistantContent(content) {
+  if (content == null) {
+    return "";
+  }
+  if (typeof content === "string") {
+    return content;
+  }
+  if (!Array.isArray(content)) {
+    return "";
+  }
+  const parts = [];
+  for (const p of content) {
+    if (typeof p === "string") {
+      parts.push(p);
+      continue;
+    }
+    if (p && typeof p === "object" && "type" in p && p.type === "text" && "text" in p) {
+      parts.push(String(p.text));
+    }
+  }
+  return parts.join("");
+}
+function openAIChatCompletionToAnthropicMessage(completion, requestModel) {
+  const choice = completion.choices[0];
+  const message = choice?.message;
+  const contentText = message ? extractTextFromAssistantContent(message.content) : "";
+  const content = [];
+  if (contentText.length > 0) {
+    content.push({ type: "text", text: contentText });
+  }
+  if (message?.tool_calls?.length) {
+    for (const tc of message.tool_calls) {
+      if (tc.type !== "function") {
+        continue;
+      }
+      let input = {};
+      try {
+        input = JSON.parse(tc.function.arguments || "{}");
+      } catch {
+        input = { _raw_arguments: tc.function.arguments ?? "" };
+      }
+      content.push({
+        type: "tool_use",
+        id: tc.id,
+        name: tc.function.name,
+        input
+      });
+    }
+  }
+  if (content.length === 0) {
+    content.push({ type: "text", text: "" });
+  }
+  const { stop_reason, stop_sequence } = openAiFinishReasonToAnthropic(choice?.finish_reason);
+  const u = completion.usage;
+  const usage = {
+    input_tokens: u?.prompt_tokens ?? 0,
+    output_tokens: u?.completion_tokens ?? 0
+  };
+  return {
+    id: newAnthropicMessageId(),
+    type: "message",
+    role: "assistant",
+    content,
+    model: requestModel,
+    stop_reason,
+    stop_sequence,
+    usage
+  };
+}
+function chunkFinishToAnthropic(finish) {
+  if (!finish) {
+    return null;
+  }
+  return openAiFinishReasonToAnthropic(finish).stop_reason;
+}
+async function pipeOpenAIChunkStreamToAnthropicSse(res, stream, options) {
+  const { anthropicModel, messageId } = options;
+  let textBlockOpen = false;
+  let inputTokens = 0;
+  let outputTokens = 0;
+  let stopReason = null;
+  const toolStates = new Map;
+  let nextAnthropicIndex = 0;
+  let textBlockIndex = null;
+  writeAnthropicSseEvent(res, "message_start", {
+    type: "message_start",
+    message: {
+      id: messageId,
+      type: "message",
+      role: "assistant",
+      content: [],
+      model: anthropicModel,
+      stop_reason: null,
+      stop_sequence: null,
+      usage: { input_tokens: inputTokens, output_tokens: outputTokens }
+    }
+  });
+  const ensureTextBlock = () => {
+    if (textBlockOpen) {
+      return;
+    }
+    textBlockIndex = nextAnthropicIndex++;
+    textBlockOpen = true;
+    writeAnthropicSseEvent(res, "content_block_start", {
+      type: "content_block_start",
+      index: textBlockIndex,
+      content_block: { type: "text", text: "" }
+    });
+  };
+  const closeTextBlockIfOpen = () => {
+    if (!textBlockOpen || textBlockIndex === null) {
+      return;
+    }
+    writeAnthropicSseEvent(res, "content_block_stop", {
+      type: "content_block_stop",
+      index: textBlockIndex
+    });
+    textBlockOpen = false;
+  };
+  const getOrCreateTool = (openAiIdx) => {
+    let st = toolStates.get(openAiIdx);
+    if (!st) {
+      st = {
+        anthropicIndex: nextAnthropicIndex++,
+        id: "",
+        name: "",
+        lastArgs: "",
+        argsEmittedLen: 0,
+        started: false,
+        stopped: false
+      };
+      toolStates.set(openAiIdx, st);
+    }
+    return st;
+  };
+  const flushToolArgs = (st) => {
+    if (!st.started || st.lastArgs.length <= st.argsEmittedLen) {
+      return;
+    }
+    const partial = st.lastArgs.slice(st.argsEmittedLen);
+    st.argsEmittedLen = st.lastArgs.length;
+    writeAnthropicSseEvent(res, "content_block_delta", {
+      type: "content_block_delta",
+      index: st.anthropicIndex,
+      delta: {
+        type: "input_json_delta",
+        partial_json: partial
+      }
+    });
+  };
+  try {
+    for await (const chunk of stream) {
+      if (chunk.usage) {
+        const u = chunk.usage;
+        inputTokens = u.prompt_tokens ?? inputTokens;
+        outputTokens = u.completion_tokens ?? outputTokens;
+      }
+      const choice = chunk.choices?.[0];
+      if (!choice) {
+        continue;
+      }
+      const delta = choice.delta;
+      if (typeof delta?.content === "string" && delta.content.length > 0) {
+        ensureTextBlock();
+        if (textBlockIndex !== null) {
+          writeAnthropicSseEvent(res, "content_block_delta", {
+            type: "content_block_delta",
+            index: textBlockIndex,
+            delta: { type: "text_delta", text: delta.content }
+          });
+        }
+      }
+      if (delta?.tool_calls?.length) {
+        closeTextBlockIfOpen();
+        for (const tc of delta.tool_calls) {
+          const idx = typeof tc.index === "number" && Number.isFinite(tc.index) ? tc.index : 0;
+          const st = getOrCreateTool(idx);
+          if (typeof tc.id === "string" && tc.id.length > 0) {
+            st.id = tc.id;
+          }
+          const fn = tc.function;
+          if (fn?.name && fn.name.length > 0) {
+            st.name = fn.name;
+          }
+          if (typeof fn?.arguments === "string") {
+            st.lastArgs += fn.arguments;
+          }
+          if (!st.started && st.id.length > 0 && st.name.length > 0) {
+            writeAnthropicSseEvent(res, "content_block_start", {
+              type: "content_block_start",
+              index: st.anthropicIndex,
+              content_block: {
+                type: "tool_use",
+                id: st.id,
+                name: st.name
+              }
+            });
+            st.started = true;
+          }
+          if (st.started) {
+            flushToolArgs(st);
+          }
+        }
+      }
+      if (choice.finish_reason) {
+        const mapped = chunkFinishToAnthropic(choice.finish_reason);
+        if (mapped) {
+          stopReason = mapped;
+        }
+      }
+    }
+    closeTextBlockIfOpen();
+    const sortedTools = [...toolStates.values()].sort((a, b) => a.anthropicIndex - b.anthropicIndex);
+    for (const st of sortedTools) {
+      if (st.started && !st.stopped) {
+        writeAnthropicSseEvent(res, "content_block_stop", {
+          type: "content_block_stop",
+          index: st.anthropicIndex
+        });
+        st.stopped = true;
+      }
+    }
+    writeAnthropicSseEvent(res, "message_delta", {
+      type: "message_delta",
+      delta: { stop_reason: stopReason, stop_sequence: null },
+      usage: {
+        input_tokens: inputTokens,
+        output_tokens: outputTokens
+      }
+    });
+    writeAnthropicSseEvent(res, "message_stop", { type: "message_stop" });
+    res.end();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Stream error";
+    writeAnthropicSseEvent(res, "error", {
+      type: "error",
+      error: { type: "api_error", message }
+    });
+    res.end();
+  }
+}
+
+// src/anthropic/messages-route.ts
+function registerAnthropicMessagesRoute(router, deps) {
+  router.post("/v1/messages", async (req, res) => {
+    const requestId = newAnthropicRequestId();
+    res.setHeader("request-id", requestId);
+    const versionResult = resolveAnthropicVersion(req);
+    if (!versionResult.ok) {
+      return sendAnthropicHttpError(res, 400, "invalid_request_error", versionResult.message, requestId);
+    }
+    const apiKey = extractAnthropicApiKey(req);
+    if (!apiKey) {
+      return sendAnthropicHttpError(res, 401, "authentication_error", "Missing x-api-key header (or Authorization with API key).", requestId);
+    }
+    try {
+      const body = req.body;
+      const openaiParams = anthropicMessagesCreateToOpenAI(body);
+      const client = await deps.getOrCreateClient(apiKey);
+      const completion = await client.chat.completions.create(openaiParams);
+      if (body.stream) {
+        res.status(200);
+        res.setHeader("Content-Type", "text/event-stream; charset=utf-8");
+        res.setHeader("Cache-Control", "no-cache");
+        res.setHeader("Connection", "keep-alive");
+        if (completion && typeof completion === "object" && Symbol.asyncIterator in completion) {
+          const messageId = newAnthropicMessageId();
+          await pipeOpenAIChunkStreamToAnthropicSse(res, completion, {
+            anthropicModel: body.model,
+            messageId
+          });
+        } else {
+          sendAnthropicHttpError(res, 500, "api_error", "Expected streamed completion", requestId);
+        }
+        return;
+      }
+      const message = openAIChatCompletionToAnthropicMessage(completion, body.model);
+      res.json(message);
+    } catch (err) {
+      if (err instanceof AnthropicRequestValidationError) {
+        return sendAnthropicHttpError(res, err.status, err.anthropicType, err.message, requestId);
+      }
+      mapUnknownErrorToAnthropicResponse(err, res, requestId);
+    }
+  });
+}
+
+// src/anthropic/models-route.ts
+function toAnthropicModel(model) {
+  return {
+    type: "model",
+    id: model.model,
+    display_name: model.name || model.model,
+    created_at: model.created_at
+  };
+}
+function filterEnabled(models) {
+  return models.filter((m) => m.enabled !== 0);
+}
+function parseLimit(raw) {
+  if (typeof raw !== "string" || raw.length === 0) {
+    return 20;
+  }
+  const n = Number.parseInt(raw, 10);
+  if (!Number.isFinite(n) || n <= 0) {
+    return 20;
+  }
+  return Math.min(n, 1000);
+}
+function paginate(all, beforeId, afterId, limit) {
+  let start = 0;
+  let end = all.length;
+  if (afterId) {
+    const idx = all.findIndex((m) => m.id === afterId);
+    if (idx >= 0) {
+      start = idx + 1;
+    }
+  }
+  if (beforeId) {
+    const idx = all.findIndex((m) => m.id === beforeId);
+    if (idx >= 0) {
+      end = idx;
+    }
+  }
+  const window = all.slice(start, end);
+  const items = window.slice(0, limit);
+  return { items, hasMore: window.length > items.length };
+}
+function registerAnthropicModelsRoute(router, deps) {
+  router.get("/v1/models", async (req, res) => {
+    const requestId = newAnthropicRequestId();
+    res.setHeader("request-id", requestId);
+    const versionResult = resolveAnthropicVersion(req);
+    if (!versionResult.ok) {
+      return sendAnthropicHttpError(res, 400, "invalid_request_error", versionResult.message, requestId);
+    }
+    const apiKey = extractAnthropicApiKey(req);
+    if (!apiKey) {
+      return sendAnthropicHttpError(res, 401, "authentication_error", "Missing x-api-key header (or Authorization with API key).", requestId);
+    }
+    try {
+      const client = await deps.getOrCreateClient(apiKey);
+      const type = typeof req.query.type === "string" ? req.query.type : undefined;
+      const all = filterEnabled(await client.models.list({ type })).map(toAnthropicModel);
+      const beforeId = typeof req.query.before_id === "string" ? req.query.before_id : undefined;
+      const afterId = typeof req.query.after_id === "string" ? req.query.after_id : undefined;
+      const limit = parseLimit(req.query.limit);
+      const { items, hasMore } = paginate(all, beforeId, afterId, limit);
+      res.json({
+        data: items,
+        first_id: items.length > 0 ? items[0].id : null,
+        last_id: items.length > 0 ? items[items.length - 1].id : null,
+        has_more: hasMore
+      });
+    } catch (err) {
+      mapUnknownErrorToAnthropicResponse(err, res, requestId);
+    }
+  });
+  router.get("/v1/models/:model_id", async (req, res) => {
+    const requestId = newAnthropicRequestId();
+    res.setHeader("request-id", requestId);
+    const versionResult = resolveAnthropicVersion(req);
+    if (!versionResult.ok) {
+      return sendAnthropicHttpError(res, 400, "invalid_request_error", versionResult.message, requestId);
+    }
+    const apiKey = extractAnthropicApiKey(req);
+    if (!apiKey) {
+      return sendAnthropicHttpError(res, 401, "authentication_error", "Missing x-api-key header (or Authorization with API key).", requestId);
+    }
+    const modelId = req.params.model_id;
+    if (!modelId) {
+      return sendAnthropicHttpError(res, 400, "invalid_request_error", "Missing model id.", requestId);
+    }
+    try {
+      const client = await deps.getOrCreateClient(apiKey);
+      const found = filterEnabled(await client.models.list()).find((m) => m.model === modelId);
+      if (!found) {
+        return sendAnthropicHttpError(res, 404, "not_found_error", `Model "${modelId}" not found.`, requestId);
+      }
+      res.json(toAnthropicModel(found));
+    } catch (err) {
+      mapUnknownErrorToAnthropicResponse(err, res, requestId);
+    }
+  });
+}
+
+// src/server/runtime.ts
+import multer from "multer";
+
+// src/audio/index.ts
+import { bytesToHex as bytesToHex3, hexToBytes as hexToBytes3 } from "@noble/ciphers/utils.js";
+
+// src/utils/attestation.ts
+var cachedPrem;
+async function loadPrem() {
+  if (cachedPrem)
+    return cachedPrem;
+  const isBare = typeof globalThis.Bare !== "undefined";
+  if (isBare) {
+    cachedPrem = await (async (s, y) => await import(s, y))("@premai/reticle", { with: { type: "script" } });
+    return cachedPrem;
+  }
+  cachedPrem = await import("@premai/reticle");
+  return cachedPrem;
+}
+function isAttestationError(err) {
+  return err instanceof Error && err.name === "AttestationError";
+}
+var ATTEST_TTL_MS = 30000;
+var ATTEST_CACHE_MAX = 500;
+var ATTEST_MAX_ATTEMPTS = 4;
+var ATTEST_RETRY_BASE_MS = 250;
+var ATTEST_RETRY_MAX_MS = 2000;
+var TRANSIENT_PATTERNS = [
+  /EOF while parsing/i,
+  /error decoding response body/i,
+  /connection (reset|closed|refused)/i,
+  /socket hang up/i,
+  /ETIMEDOUT/i
+];
+var attestCache = new Map;
+var attestInflight = new Map;
+function attestCacheKey(apiKey, model) {
+  return `${apiKey}|${model ?? ""}`;
+}
+function pruneExpired(now) {
+  for (const [key, entry] of attestCache) {
+    if (entry.expires <= now) {
+      attestCache.delete(key);
+    } else {
+      break;
+    }
+  }
+}
+function isTransientError(err) {
+  const messages = [];
+  if (err instanceof Error) {
+    messages.push(err.message);
+  }
+  if (isAttestationError(err) && Array.isArray(err.cause)) {
+    messages.push(...err.cause);
+  }
+  return messages.some((m) => TRANSIENT_PATTERNS.some((re) => re.test(m)));
+}
+function backoffDelayMs(attempt) {
+  const exp = ATTEST_RETRY_BASE_MS * 2 ** (attempt - 1);
+  const capped = Math.min(exp, ATTEST_RETRY_MAX_MS);
+  const jitter = Math.floor(Math.random() * (capped / 2));
+  return capped + jitter;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function safeFree(obj) {
+  if (typeof obj?.free !== "function")
+    return;
+  try {
+    obj.free();
+  } catch {}
+}
+async function attemptAttest(apiKey, options) {
+  const prem = await loadPrem();
+  let client;
+  let attested;
+  let headers;
+  let sessionId;
+  try {
+    client = await new prem.ClientBuilder(endpoints.proxy ?? "").with_authorization(apiKey).build();
+    if (options.model) {
+      client.set_query(new prem.QueryParams().with("model", options.model));
+    }
+    attested = await client.attest();
+    headers = attested.headers();
+    sessionId = headers.cpu()?.get("x-session-id") ?? headers.gpu()?.get("x-session-id") ?? null;
+  } finally {
+    safeFree(headers);
+    safeFree(attested);
+    safeFree(client);
+  }
+  if (sessionId === null) {
+    throw new Error("missing x-session-id issued by attestation");
+  }
+  return sessionId;
+}
+async function runAttest(apiKey, options) {
+  let lastErr;
+  for (let attempt = 1;attempt <= ATTEST_MAX_ATTEMPTS; attempt++) {
+    try {
+      return await attemptAttest(apiKey, options);
+    } catch (err) {
+      lastErr = err;
+      if (attempt === ATTEST_MAX_ATTEMPTS || !isTransientError(err)) {
+        throw err;
+      }
+      await delay(backoffDelayMs(attempt));
+    }
+  }
+  throw lastErr;
+}
+async function attest(apiKey, options = { enabled: true }) {
+  if (!options.enabled)
+    return null;
+  const key = attestCacheKey(apiKey, options.model);
+  const now = Date.now();
+  const cached = attestCache.get(key);
+  if (cached) {
+    if (cached.expires > now)
+      return cached.sessionId;
+    attestCache.delete(key);
+  }
+  const inflight = attestInflight.get(key);
+  if (inflight) {
+    return inflight;
+  }
+  const work = runAttest(apiKey, options).then((sessionId) => {
+    const insertTime = Date.now();
+    pruneExpired(insertTime);
+    attestCache.set(key, { sessionId, expires: insertTime + ATTEST_TTL_MS });
+    if (attestCache.size > ATTEST_CACHE_MAX) {
+      const oldest = attestCache.keys().next().value;
+      if (oldest)
+        attestCache.delete(oldest);
+    }
+    return sessionId;
+  }).finally(() => {
+    attestInflight.delete(key);
+  });
+  attestInflight.set(key, work);
+  return work;
+}
+
+// src/utils/error.ts
+async function throwIfErrorResponse(response) {
+  let raw;
+  try {
+    raw = await response.json();
+    if (!raw.status)
+      raw = { ...raw, status: response.status };
+  } catch {
+    raw = {
+      status: response.status,
+      data: null,
+      error: response.statusText || `HTTP ${response.status}`,
+      message: null
+    };
+  }
+  throw raw;
+}
+
+// src/utils/files.ts
+var getFileName = (file) => {
+  if (file instanceof File) {
+    return file.name;
+  }
+  if (file instanceof Blob) {
+    return;
+  }
+  const fileAny = file;
+  if (fileAny.path) {
+    const path = typeof fileAny.path === "string" ? fileAny.path : fileAny.path.toString();
+    return path.split("/").pop() || path.split("\\").pop() || path;
+  }
+  if (file instanceof Uint8Array || file instanceof ArrayBuffer) {
+    return;
+  }
+  return;
+};
+
+// src/audio/index.ts
+async function readUploadableToUint8Array(file) {
+  if (file instanceof Uint8Array) {
+    return file;
+  }
+  if (file instanceof ArrayBuffer) {
+    return new Uint8Array(file);
+  }
+  if (typeof file.arrayBuffer === "function") {
+    const blob = file;
+    const buffer = await blob.arrayBuffer();
+    return new Uint8Array(buffer);
+  }
+  const fileAny = file;
+  if (typeof fileAny.on === "function" && (typeof fileAny.read === "function" || typeof fileAny.pipe === "function")) {
+    const chunks = [];
+    return new Promise((resolve, reject) => {
+      fileAny.on("data", (chunk) => {
+        if (Buffer.isBuffer(chunk)) {
+          chunks.push(new Uint8Array(chunk));
+        } else if (chunk instanceof Uint8Array) {
+          chunks.push(chunk);
+        } else if (typeof chunk === "object" && chunk !== null) {
+          chunks.push(new Uint8Array(Buffer.from(chunk)));
+        }
+      });
+      fileAny.on("end", () => {
+        const totalLength = chunks.reduce((acc, chunk) => acc + chunk.length, 0);
+        const result = new Uint8Array(totalLength);
+        let offset = 0;
+        for (const chunk of chunks) {
+          result.set(chunk, offset);
+          offset += chunk.length;
+        }
+        resolve(result);
+      });
+      fileAny.on("error", (err) => reject(err));
+    });
+  }
+  throw new Error("Unsupported file type for audio transcription");
+}
+async function preprocessAudioRequest(body, encryptionKeys) {
+  const { cipherText, sharedSecret } = encryptionKeys;
+  const audioData = await readUploadableToUint8Array(body.file);
+  const isDeepgram = body.model.startsWith("deepgram/");
+  const requestBody = isDeepgram ? {
+    model: body.model,
+    diarize: body.diarize,
+    smart_format: body.smart_format
+  } : {
+    model: body.model,
+    language: body.language,
+    prompt: body.prompt,
+    response_format: body.response_format,
+    temperature: body.temperature,
+    timestamp_granularities: body.timestamp_granularities
+  };
+  const cleanedBody = Object.fromEntries(Object.entries(requestBody).filter(([_, v]) => v !== undefined));
+  const { encrypted, nonce } = encryptPayload(sharedSecret, cleanedBody);
+  const { encrypted: encryptedFile, nonce: fileNonce } = encryptPayload(sharedSecret, audioData);
+  const fileName = getFileName(body.file) || "audio.mp3";
+  const { encrypted: encryptedFileName, nonce: fileNameNonce } = encryptPayload(sharedSecret, fileName);
+  return {
+    body: {
+      cipherText: bytesToHex3(cipherText),
+      encryptedInference: bytesToHex3(encrypted),
+      nonce: bytesToHex3(nonce),
+      fileNameNonce: bytesToHex3(fileNameNonce),
+      encryptedFileName: bytesToHex3(encryptedFileName),
+      fileNonce: bytesToHex3(fileNonce),
+      encryptedFile: bytesToHex3(encryptedFile),
+      model: body.model
+    },
+    sharedSecret
+  };
+}
+async function postprocessTranscriptionResponse(response, sharedSecret) {
+  const responseData = await response.json();
+  const data = responseData.data;
+  if (!data.encryptedResponse || !data.nonce) {
+    throw new Error("Invalid transcription response: missing encryptedResponse or nonce");
+  }
+  const responseNonce = hexToBytes3(data.nonce);
+  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
+}
+async function postprocessTranslationResponse(response, sharedSecret) {
+  const responseData = await response.json();
+  const data = responseData.data;
+  if (!data.encryptedResponse || !data.nonce) {
+    throw new Error("Invalid translation response: missing encryptedResponse or nonce");
+  }
+  const responseNonce = hexToBytes3(data.nonce);
+  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
+}
+async function preprocessAudioTranslationRequest(body, encryptionKeys) {
+  const { cipherText, sharedSecret } = encryptionKeys;
+  const audioData = await readUploadableToUint8Array(body.file);
+  const requestBody = {
+    model: body.model,
+    prompt: body.prompt,
+    response_format: body.response_format,
+    temperature: body.temperature
+  };
+  const cleanedBody = Object.fromEntries(Object.entries(requestBody).filter(([_, v]) => v !== undefined));
+  const { encrypted, nonce } = encryptPayload(sharedSecret, cleanedBody);
+  const { encrypted: encryptedFile, nonce: fileNonce } = encryptPayload(sharedSecret, audioData);
+  const fileName = getFileName(body.file) || "audio.mp3";
+  const { encrypted: encryptedFileName, nonce: fileNameNonce } = encryptPayload(sharedSecret, fileName);
+  return {
+    body: {
+      cipherText: bytesToHex3(cipherText),
+      encryptedInference: bytesToHex3(encrypted),
+      nonce: bytesToHex3(nonce),
+      fileNameNonce: bytesToHex3(fileNameNonce),
+      encryptedFileName: bytesToHex3(encryptedFileName),
+      fileNonce: bytesToHex3(fileNonce),
+      encryptedFile: bytesToHex3(encryptedFile),
+      model: body.model
+    },
+    sharedSecret
+  };
+}
+function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  async function createTranscription(body) {
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+    try {
+      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const encryptedRequest = await preprocessAudioRequest(body, encryptionKeys);
+      const response = await fetch(`${endpoints.proxy}/rvenc/audio/transcriptions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: apiKey,
+          ...sessionId && { "X-Session-Id": sessionId }
+        },
+        body: JSON.stringify(encryptedRequest.body),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        await throwIfErrorResponse(response);
+      }
+      clearTimeout(timeoutId);
+      return await postprocessTranscriptionResponse(response, encryptedRequest.sharedSecret);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
+      }
+      throw error;
+    }
+  }
+  const transcriptionsClient = {
+    create: createTranscription
+  };
+  async function createTranslation(body) {
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+    try {
+      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const encryptedRequest = await preprocessAudioTranslationRequest(body, encryptionKeys);
+      const response = await fetch(`${endpoints.proxy}/rvenc/audio/translations`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: apiKey,
+          ...sessionId && { "X-Session-Id": sessionId }
+        },
+        body: JSON.stringify(encryptedRequest.body),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        await throwIfErrorResponse(response);
+      }
+      clearTimeout(timeoutId);
+      return await postprocessTranslationResponse(response, encryptedRequest.sharedSecret);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
+      }
+      throw error;
+    }
+  }
+  const translationsClient = {
+    create: createTranslation
+  };
+  return {
+    transcriptions: transcriptionsClient,
+    translations: translationsClient
+  };
+}
+
+// src/files/index.ts
+import { bytesToHex as bytesToHex4, hexToBytes as hexToBytes4, randomBytes as randomBytes4 } from "@noble/ciphers/utils.js";
+import { sha256 as sha2562 } from "@noble/hashes/sha2.js";
+import { isValid, parseISO } from "date-fns";
+import { z } from "zod";
+var MAX_FILENAME_LENGTH = 255;
+var MIN_FILENAME_LENGTH = 1;
+var ALLOWED_MIME_TYPES = new Set([
+  "image/jpeg",
+  "image/png",
+  "image/gif",
+  "image/webp",
+  "application/pdf",
+  "application/msword",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.ms-excel",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "text/plain",
+  "text/csv",
+  "text/markdown",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "video/mp4",
+  "video/webm",
+  "video/quicktime",
+  "audio/mpeg",
+  "audio/wav",
+  "audio/ogg",
+  "application/zip",
+  "application/x-rar-compressed",
+  "application/x-7z-compressed",
+  "application/octet-stream"
+]);
+var ApiKeySchema = z.string().trim().min(1, "API key cannot be empty");
+var TimeoutSchema = z.number().int().min(1, "Timeout must be at least 1ms").max(600000, "Timeout must not exceed 600000ms (10 minutes)");
+var DEKStoreSchema = z.object({
+  ragDEK: z.instanceof(Uint8Array).optional(),
+  fileDEKs: z.instanceof(Map).optional()
+});
+var ISO8601DateSchema = z.string().refine((val) => {
+  const date = parseISO(val);
+  return isValid(date);
+}, { message: "Must be a valid ISO8601 date" });
+var MimeTypeSchema = z.string().refine((val) => ALLOWED_MIME_TYPES.has(val), {
+  message: "MIME type is not allowed"
+});
+var FileUploadOptionsSchema = z.object({
+  file: z.instanceof(Uint8Array),
+  fileName: z.string().min(MIN_FILENAME_LENGTH, "File name cannot be empty").max(MAX_FILENAME_LENGTH, `File name cannot exceed ${MAX_FILENAME_LENGTH} characters`).refine((name) => !/[<>:"|?*\x00-\x1F]/.test(name), "Invalid characters").refine((name) => !name.includes("..") && !name.includes("/") && !name.includes("\\"), "No path separators allowed"),
+  mimeType: z.string().optional(),
+  ragIndex: z.boolean().optional()
+});
+var ListFilesOptionsSchema = z.object({
+  limit: z.number().int().positive("Limit must be a positive integer").optional(),
+  offset: z.number().int().nonnegative("Offset must be a non-negative integer").optional(),
+  search: z.string().optional(),
+  from: ISO8601DateSchema.optional(),
+  to: ISO8601DateSchema.optional()
+}).optional();
+var GetFileOptionsSchema = z.object({
+  id: z.string().trim().min(1, "File ID cannot be empty"),
+  url: z.boolean().optional()
+});
+var DeleteFileOptionsSchema = z.object({
+  id: z.string().min(1, "File ID is required")
+});
+var IndexFileInputSchema = z.object({
+  fileId: z.string().min(1, "File ID is required"),
+  filePath: z.string().min(1, "File path is required"),
+  fileDEK: z.instanceof(Uint8Array).optional()
+});
+var IndexFilesOptionsSchema = z.object({
+  files: z.array(IndexFileInputSchema).min(1, "Files array must not be empty"),
+  ragDEK: z.instanceof(Uint8Array).optional()
+});
+var DeleteIndexOptionsSchema = z.object({
+  fileIds: z.array(z.string().min(1)).min(1, "File IDs array must not be empty"),
+  ragDEK: z.instanceof(Uint8Array).optional()
+});
+function validateAPIKey(apiKey) {
+  ApiKeySchema.parse(apiKey);
+}
+function validateDEKStore(dekStore) {
+  DEKStoreSchema.parse(dekStore);
+}
+function validateMimeType(mimeType) {
+  MimeTypeSchema.parse(mimeType);
+}
+function validateFileUploadOptions(options) {
+  FileUploadOptionsSchema.parse(options);
+}
+function validateListFilesOptions(options) {
+  ListFilesOptionsSchema.parse(options);
+}
+function validateGetFileOptions(options) {
+  GetFileOptionsSchema.parse(options);
+}
+function guessMimeType(fileName) {
+  const ext = fileName.toLowerCase().split(".").pop() || "";
+  const mimeTypeMap = {
+    jpg: "image/jpeg",
+    jpeg: "image/jpeg",
+    png: "image/png",
+    gif: "image/gif",
+    webp: "image/webp",
+    pdf: "application/pdf",
+    doc: "application/msword",
+    docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+    xls: "application/vnd.ms-excel",
+    xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    txt: "text/plain",
+    csv: "text/csv",
+    md: "text/markdown",
+    pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+    mp4: "video/mp4",
+    webm: "video/webm",
+    mov: "video/quicktime",
+    mp3: "audio/mpeg",
+    wav: "audio/wav",
+    ogg: "audio/ogg",
+    zip: "application/zip",
+    rar: "application/x-rar-compressed",
+    "7z": "application/x-7z-compressed"
+  };
+  return mimeTypeMap[ext] || "application/octet-stream";
+}
+async function saveRagDEKToBackend(apiKey, wrappedRagDEK, timeoutMs) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/users/save_rag_dek`, {
+      method: "POST",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        data: {
+          wrappedRagDEK,
+          confirmReplaceRagDEK: true
+        }
+      }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to save RAG DEK: HTTP ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.error) {
+      throw new Error(result.error);
+    }
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Save RAG DEK request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function prepareEncryptedPayload(dekStore, options, apiKey, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  const fileBytes = options.file;
+  const mimeType = options.mimeType || guessMimeType(options.fileName);
+  validateMimeType(mimeType);
+  const dek = randomBytes4(32);
+  const encryptedFile = encryptWithDEK(dek, fileBytes);
+  const encryptedName = encryptMetadataWithDEK(dek, options.fileName);
+  const encryptedMimeType = encryptMetadataWithDEK(dek, mimeType);
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const wrappedDEK = wrapDEK(_clientKEK, dek);
+  const clientKID = clientKEK ? getClientKID(clientKEK) : getClientKID();
+  const filePayload = {
+    client_hash: bytesToHex4(sha2562(fileBytes)),
+    encrypted_content: bytesToHex4(encryptedFile),
+    encrypted_name: encryptedName,
+    kid: clientKID,
+    mime_type: encryptedMimeType,
+    version: "2",
+    wrapped_dek: bytesToHex4(wrappedDEK)
+  };
+  if (options.ragIndex) {
+    await addRagIndexToPayload(dekStore, dek, filePayload, apiKey, clientKEK, timeoutMs);
+  }
+  return { dek, filePayload };
+}
+async function addRagIndexToPayload(dekStore, dek, filePayload, apiKey, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  let ragDEK = dekStore.ragDEK;
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  if (!ragDEK) {
+    ragDEK = randomBytes4(32);
+    const wrappedRagDEK = wrapDEK(_clientKEK, ragDEK);
+    dekStore.ragDEK = wrappedRagDEK;
+    try {
+      await saveRagDEKToBackend(apiKey, bytesToHex4(wrappedRagDEK), timeoutMs);
+    } catch (error) {
+      console.error("Warning: Failed to save RAG DEK to backend:", error);
+    }
+  } else {
+    ragDEK = unwrapDEK(_clientKEK, ragDEK);
+  }
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted: encryptedFileDEK, nonce: fileNonce } = encryptPayload(sharedSecret, dek);
+  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+  filePayload.encrypted_file_dek = bytesToHex4(encryptedFileDEK);
+  filePayload.encrypted_rag_dek = bytesToHex4(encryptedRagDEK);
+  filePayload.file_nonce = bytesToHex4(fileNonce);
+  filePayload.rag_dek_nonce = bytesToHex4(ragDEKNonce);
+  filePayload.cipher_text = bytesToHex4(cipherText);
+}
+async function performUpload(apiKey, filePayload, controller) {
+  const uploadResponse = await fetch(`${endpoints.proxy}/files/encrypted/upload`, {
+    method: "POST",
+    headers: {
+      Authorization: apiKey,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(filePayload),
+    signal: controller.signal
+  });
+  if (!uploadResponse.ok) {
+    let errorMessage = `Upload request failed with status ${uploadResponse.status}`;
+    try {
+      const body = await uploadResponse.json();
+      if (body.error) {
+        errorMessage = body.error;
+      }
+    } catch {}
+    throw new Error(errorMessage);
+  }
+  const uploadResult = await uploadResponse.json();
+  if (uploadResult.status !== 200) {
+    throw new Error(uploadResult.error || "Upload failed");
+  }
+  if (!uploadResult.data) {
+    throw new Error("Upload response missing data");
+  }
+  return uploadResult.data;
+}
+function storeDEKForFile(dekStore, fileId, dek, clientKEK) {
+  if (!dekStore.fileDEKs) {
+    dekStore.fileDEKs = new Map;
+  }
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const wrappedDEK = wrapDEK(_clientKEK, dek);
+  dekStore.fileDEKs.set(fileId, wrappedDEK);
+}
+async function uploadFile(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateDEKStore(dekStore);
+  validateFileUploadOptions(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const { dek, filePayload } = await prepareEncryptedPayload(dekStore, options, apiKey, clientKEK, timeoutMs);
+    const uploadedFile = await performUpload(apiKey, filePayload, controller);
+    storeDEKForFile(dekStore, uploadedFile.id, dek, clientKEK);
+    return uploadedFile;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`File upload timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function listFiles(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateListFilesOptions(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  const queryParams = new URLSearchParams;
+  if (options?.limit !== undefined) {
+    queryParams.append("limit", options.limit.toString());
+  }
+  if (options?.offset !== undefined) {
+    queryParams.append("offset", options.offset.toString());
+  }
+  if (options?.search) {
+    queryParams.append("search", options.search);
+  }
+  if (options?.from) {
+    queryParams.append("from", options.from);
+  }
+  if (options?.to) {
+    queryParams.append("to", options.to);
+  }
+  const queryString = queryParams.toString();
+  const url = `${endpoints.proxy}/files/encrypted${queryString ? `?${queryString}` : ""}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`List files request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.status !== 200) {
+      throw new Error(result.error || "List files failed");
+    }
+    if (!result.data) {
+      throw new Error("List files response missing data");
+    }
+    return result.data;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`List files request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function getFile(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateGetFileOptions(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  const queryParams = new URLSearchParams;
+  if (options.url !== undefined) {
+    queryParams.append("url", options.url ? "true" : "false");
+  }
+  const queryString = queryParams.toString();
+  const url = `${endpoints.proxy}/files/encrypted/${options.id}${queryString ? `?${queryString}` : ""}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        throw new Error(`File not found: ${options.id}`);
+      }
+      throw new Error(`Get file request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.status !== 200) {
+      throw new Error(result.error || "Get file failed");
+    }
+    if (!result.data) {
+      throw new Error("Get file response missing data");
+    }
+    return result.data;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Get file request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function deleteFile(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  DeleteFileOptionsSchema.parse(options);
+  TimeoutSchema.parse(timeoutMs);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/files/encrypted/${options.id}`, {
+      method: "DELETE",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        throw new Error(`File not found: ${options.id}`);
+      }
+      throw new Error(`Delete file request failed with status ${response.status}`);
+    }
+    await response.json();
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Delete file request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function indexFiles(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateDEKStore(dekStore);
+  IndexFilesOptionsSchema.parse(options);
+  TimeoutSchema.parse(timeoutMs);
+  const wrappedRagDEK = options.ragDEK || dekStore.ragDEK;
+  if (!wrappedRagDEK) {
+    throw new Error("RAG DEK not found. Provide ragDEK in options or upload at least one file with ragIndex: true.");
+  }
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const ragDEK = unwrapDEK(_clientKEK, wrappedRagDEK);
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const encryptedFiles = options.files.map((file) => {
+    const wrappedFileDEK = file.fileDEK || dekStore.fileDEKs?.get(file.fileId);
+    if (!wrappedFileDEK) {
+      throw new Error(`File DEK not found for file: ${file.fileId}. Provide fileDEK or ensure file was uploaded with this DEK store.`);
+    }
+    const fileDEK = unwrapDEK(_clientKEK, wrappedFileDEK);
+    const { encrypted: encryptedFileDEK, nonce: fileNonce } = encryptPayload(sharedSecret, fileDEK);
+    const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+    return {
+      file_id: file.fileId,
+      encrypted_file_dek: bytesToHex4(encryptedFileDEK),
+      encrypted_rag_dek: bytesToHex4(encryptedRagDEK),
+      file_nonce: bytesToHex4(fileNonce),
+      rag_dek_nonce: bytesToHex4(ragDEKNonce),
+      s3_r2_path: file.filePath,
+      cipher_text: bytesToHex4(cipherText)
+    };
+  });
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/files/encrypted/index`, {
+      method: "POST",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ files: encryptedFiles }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Index files request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    return result;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Index files request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function deleteIndex(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  validateAPIKey(apiKey);
+  validateDEKStore(dekStore);
+  DeleteIndexOptionsSchema.parse(options);
+  TimeoutSchema.parse(timeoutMs);
+  const wrappedRagDEK = options.ragDEK || dekStore.ragDEK;
+  if (!wrappedRagDEK) {
+    throw new Error("RAG DEK not found. Provide ragDEK in options or ensure dekStore has a ragDEK.");
+  }
+  const _clientKEK = clientKEK ? hexToBytes4(clientKEK) : getClientKEK();
+  const ragDEK = unwrapDEK(_clientKEK, wrappedRagDEK);
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/files/encrypted/delete-index`, {
+      method: "POST",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        cipher_text: bytesToHex4(cipherText),
+        encrypted_rag_dek: bytesToHex4(encryptedRagDEK),
+        rag_dek_nonce: bytesToHex4(ragDEKNonce),
+        fileIds: options.fileIds
+      }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`Delete index request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    return result;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Delete index request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+function createFilesClient(apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  return {
+    upload: (options) => uploadFile(apiKey, dekStore, options, clientKEK, timeoutMs),
+    list: (options) => listFiles(apiKey, options, timeoutMs),
+    get: (options) => getFile(apiKey, options, timeoutMs),
+    delete: (options) => deleteFile(apiKey, options, timeoutMs),
+    index: (options) => indexFiles(apiKey, dekStore, options, clientKEK, timeoutMs),
+    deleteIndex: (options) => deleteIndex(apiKey, dekStore, options, clientKEK, timeoutMs)
+  };
+}
+
+// src/models/index.ts
+async function listModels(params, apiKey, timeoutMs) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  const queryParams = new URLSearchParams;
+  if (params?.type !== undefined) {
+    queryParams.append("type", params.type);
+  }
+  const queryString = queryParams.toString();
+  const url = `${endpoints.proxy}/models${queryString ? `?${queryString}` : ""}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: apiKey,
+        "Content-Type": "application/json"
+      },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      throw new Error(`List models request failed with status ${response.status}`);
+    }
+    const result = await response.json();
+    if (result.status !== 200) {
+      throw new Error(result.error || "List models failed");
+    }
+    if (!result.data) {
+      throw new Error("List models response missing data");
+    }
+    return result.data;
+  } catch (error) {
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`List models request timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+function createModelsClient(apiKey, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
+  return {
+    list: (params) => listModels(params, apiKey, timeoutMs)
+  };
+}
+
+// src/rvenc/index.ts
+import { bytesToHex as bytesToHex5, hexToBytes as hexToBytes5 } from "@noble/ciphers/utils.js";
+import OpenAI from "openai";
+function preprocessRequest(body, encryptionKeys) {
+  const { cipherText, sharedSecret } = encryptionKeys;
+  const { encrypted, nonce } = encryptPayload(sharedSecret, body);
+  return {
+    body: {
+      cipherText: bytesToHex5(cipherText),
+      encryptedInference: bytesToHex5(encrypted),
+      nonce: bytesToHex5(nonce),
+      model: body.model,
+      stream: body.stream === true
+    },
+    sharedSecret,
+    nonce
+  };
+}
+async function postprocessStreamingResponse(response, sharedSecret, nonce, maxBufferSize) {
+  if (!response.body) {
+    throw new Error("Response body is null");
+  }
+  const reader = response.body.getReader();
+  const generator = createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxBufferSize);
+  return {
+    [Symbol.asyncIterator]() {
+      return generator;
+    }
+  };
+}
+async function postprocessNonStreamingResponse(response, sharedSecret) {
+  const data = await response.json();
+  if (!data.encryptedResponse || !data.nonce) {
+    throw new Error("Invalid non-streaming response: missing encryptedResponse or nonce");
+  }
+  const responseNonce = hexToBytes5(data.nonce);
+  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
+}
+function createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, maxBufferSize = DEFAULT_MAX_BUFFER_SIZE, attest2 = true, OpenAIClientParams) {
+  const client = new OpenAI({ apiKey: "not-used", ...OpenAIClientParams });
+  const originalChatCreate = client.chat.completions.create.bind(client.chat.completions);
+  client.chat.completions.create = async (body) => {
+    const isStreaming = body.stream === true;
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+    try {
+      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
+      const encryptedRequest = preprocessRequest(body, encryptionKeys);
+      const response = await fetch(`${endpoints.proxy}/rvenc/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: isStreaming ? "text/event-stream" : "application/json",
+          Authorization: apiKey,
+          ...sessionId && { "X-Session-Id": sessionId }
+        },
+        body: JSON.stringify(encryptedRequest.body),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        await throwIfErrorResponse(response);
+      }
+      clearTimeout(timeoutId);
+      if (isStreaming) {
+        const contentType = response.headers.get("content-type") ?? "";
+        if (contentType.includes("text/event-stream")) {
+          return await postprocessStreamingResponse(response, encryptedRequest.sharedSecret, encryptedRequest.nonce, maxBufferSize);
+        }
+        const completion = await postprocessNonStreamingResponse(response, encryptedRequest.sharedSecret);
+        return completionToChunkStream(completion);
+      }
+      return await postprocessNonStreamingResponse(response, encryptedRequest.sharedSecret);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
+      }
+      throw error;
+    }
+  };
+  return client;
+}
+async function* completionToChunkStream(completion) {
+  const choice = completion.choices[0];
+  const message = choice?.message;
+  const content = typeof message?.content === "string" ? message.content : "";
+  const toolCalls = message?.tool_calls?.filter((tc) => tc.type === "function").map((tc, i) => ({
+    index: i,
+    id: tc.id,
+    type: "function",
+    function: {
+      name: tc.function.name,
+      arguments: tc.function.arguments
+    }
+  }));
+  yield {
+    id: completion.id,
+    object: "chat.completion.chunk",
+    created: completion.created,
+    model: completion.model,
+    choices: [
+      {
+        index: choice?.index ?? 0,
+        delta: {
+          role: "assistant",
+          content,
+          ...toolCalls && toolCalls.length > 0 && { tool_calls: toolCalls }
+        },
+        finish_reason: choice?.finish_reason ?? "stop",
+        logprobs: null
+      }
+    ],
+    usage: completion.usage ?? null
+  };
+}
+async function* createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxBufferSize) {
+  const decoder = new TextDecoder;
+  let buffer = "";
+  try {
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done)
+        break;
+      buffer += decoder.decode(value, { stream: true });
+      if (buffer.length > maxBufferSize) {
+        throw new Error(`Stream buffer exceeded maximum size of ${maxBufferSize} bytes`);
+      }
+      const parts = buffer.split(`
+
+`);
+      for (let i = 0;i < parts.length - 1; i++) {
+        const part = parts[i];
+        const lines = part.split(`
+`);
+        let event;
+        let data;
+        if (lines[0]) {
+          const eventSplit = lines[0].split(": ");
+          event = eventSplit[1];
+        }
+        if (lines[1]) {
+          const dataSplit = lines[1].split(": ");
+          data = dataSplit.slice(1).join(": ");
+        }
+        if (event === "done" && data === "[DONE]") {
+          return;
+        }
+        if (event === "error") {
+          const errorObj = JSON.parse(data || "{}");
+          throw new Error(errorObj.error?.message || data || "Stream error");
+        }
+        if (event === "data" && data && data !== "[DONE]") {
+          const chunk = decryptPayload(data, sharedSecret, nonce);
+          if (chunk.error) {
+            throw new Error(chunk.error.message || "Stream error");
+          }
+          yield chunk;
+        }
+      }
+      buffer = parts[parts.length - 1];
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+
+// src/tools/index.ts
+import { bytesToHex as bytesToHex6, hexToBytes as hexToBytes6, randomBytes as randomBytes5 } from "@noble/ciphers/utils.js";
+var FILE_OUTPUT_TOOLS = ["generateImage", "audioGenerateFromText", "createFileForUser"];
+var FILE_INPUT_TOOLS = [
+  "imageDescribeAndCaption",
+  "imageDescribeAndCaptionFallback",
+  "videoDescribeAndCaption",
+  "getPDFContent",
+  "getTextDocumentContent",
+  "transcribeAudioToText",
+  "transcribeAudioWithDiarization",
+  "audioDiarization",
+  "getSpreadsheetContent",
+  "getPowerPointContent",
+  "getDataFileContent",
+  "getFileContentOCR"
+];
+var RAG_TOOLS = ["searchRag"];
+async function callToolRequest(toolName, body, apiKey, timeoutMs, attest2) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`${endpoints.proxy}/tools/${toolName}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: apiKey
+      },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      await throwIfErrorResponse(response);
+    }
+    const data = await response.json();
+    return data.data;
+  } catch (error) {
+    clearTimeout(timeoutId);
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`Tool request timed out after ${timeoutMs}ms`);
+    }
+    throw new Error(`Tool request failed: ${error instanceof Error ? error.message : error}`);
+  }
+}
+async function downloadEncryptedFile(fileId, apiKey, timeoutMs) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const metadataResponse = await fetch(`${endpoints.proxy}/files/encrypted/${fileId}?url=true`, {
+      headers: { Authorization: apiKey },
+      signal: controller.signal
+    });
+    if (!metadataResponse.ok) {
+      throw new Error(`Failed to get file metadata: ${metadataResponse.status}`);
+    }
+    const metadata = await metadataResponse.json();
+    const downloadUrl = metadata.data?.url;
+    if (!downloadUrl) {
+      throw new Error("No download URL in response");
+    }
+    const fileResponse = await fetch(downloadUrl, { signal: controller.signal });
+    if (!fileResponse.ok) {
+      throw new Error(`Failed to download file: ${fileResponse.status}`);
+    }
+    clearTimeout(timeoutId);
+    const arrayBuffer = await fileResponse.arrayBuffer();
+    return new Uint8Array(arrayBuffer);
+  } catch (error) {
+    clearTimeout(timeoutId);
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Error(`File download timed out after ${timeoutMs}ms`);
+    }
+    throw error;
+  }
+}
+async function downloadAndDecryptFile(response, dek, apiKey, timeoutMs) {
+  if (!response.success || !response.fileId) {
+    return null;
+  }
+  const decryptFileName = (encryptedHex) => {
+    const encrypted = hexToBytes6(encryptedHex);
+    const decrypted = decryptWithDEK(dek, encrypted);
+    return new TextDecoder().decode(decrypted);
+  };
+  const fileName = decryptFileName(response.fileName);
+  const mimeType = decryptFileName(response.mimeType);
+  const encryptedFile = await downloadEncryptedFile(response.fileId, apiKey, timeoutMs);
+  const decryptedFile = decryptWithDEK(dek, encryptedFile);
+  return {
+    fileId: response.fileId,
+    fileName,
+    mimeType,
+    content: decryptedFile,
+    fileSize: decryptedFile.length
+  };
+}
+async function callSimpleTool(toolName, params, apiKey, timeoutMs, attest2) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    encryptedParams: bytesToHex6(encrypted),
+    nonce: bytesToHex6(nonce)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  return decryptPayload(response.encryptedResponse, sharedSecret, hexToBytes6(response.nonce));
+}
+async function callFileOutputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
+  const dek = randomBytes5(32);
+  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
+  const _clientKEK = clientKEK ? hexToBytes6(clientKEK) : getClientKEK();
+  const wrappedDEK = wrapDEK(_clientKEK, dek);
+  const clientKID = clientKEK ? getClientKID(clientKEK) : getClientKID();
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    encryptedParams: bytesToHex6(encrypted),
+    nonce: bytesToHex6(nonce),
+    encryptedDEK: bytesToHex6(encryptedDEK),
+    dekNonce: bytesToHex6(dekNonce),
+    kid: clientKID,
+    wrappedDEK: bytesToHex6(wrappedDEK)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  const result = await downloadAndDecryptFile(response, dek, apiKey, timeoutMs);
+  if (result?.fileId) {
+    if (!dekStore.fileDEKs) {
+      dekStore.fileDEKs = new Map;
+    }
+    dekStore.fileDEKs.set(result.fileId, wrappedDEK);
+  }
+  return result;
+}
+async function callFileInputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  if (!params.fileId) {
+    throw new Error(`Tool ${toolName} requires fileId parameter`);
+  }
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const dek = randomBytes5(32);
+  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
+  const nonce = randomBytes5(24);
+  if (!dekStore.fileDEKs) {
+    dekStore.fileDEKs = new Map;
+  }
+  const _clientKEK = clientKEK ? hexToBytes6(clientKEK) : getClientKEK();
+  let fileDEK = dekStore.fileDEKs.get(params.fileId);
+  if (!fileDEK) {
+    fileDEK = randomBytes5(32);
+    const wrappedFileDEK = wrapDEK(_clientKEK, fileDEK);
+    dekStore.fileDEKs.set(params.fileId, wrappedFileDEK);
+  } else {
+    fileDEK = unwrapDEK(_clientKEK, fileDEK);
+  }
+  const { encrypted: encryptedFileDEK, nonce: fileDEKNonce } = encryptPayload(sharedSecret, fileDEK);
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    nonce: bytesToHex6(nonce),
+    fileId: params.fileId,
+    encryptedDEK: bytesToHex6(encryptedDEK),
+    dekNonce: bytesToHex6(dekNonce),
+    encryptedFileDEK: bytesToHex6(encryptedFileDEK),
+    fileDEKNonce: bytesToHex6(fileDEKNonce)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  return decryptPayload(response.encryptedResponse, sharedSecret, hexToBytes6(response.nonce));
+}
+async function callRagTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
+  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
+  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
+  const dek = randomBytes5(32);
+  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
+  if (!dekStore.fileDEKs) {
+    dekStore.fileDEKs = new Map;
+  }
+  let fileIds = [];
+  if (dekStore.fileDEKs.size > 0) {
+    fileIds = Array.from(dekStore.fileDEKs.keys());
+  }
+  const _clientKEK = clientKEK ? hexToBytes6(clientKEK) : getClientKEK();
+  const encryptedFileDEKs = fileIds.reduce((acc, fileId) => {
+    const fileDEK = dekStore.fileDEKs?.get(fileId);
+    if (!fileDEK) {
+      return acc;
+    }
+    const unwrappedFileDEK = unwrapDEK(_clientKEK, fileDEK);
+    const { encrypted: encryptedFileDEK, nonce: fileDEKNonce } = encryptPayload(sharedSecret, unwrappedFileDEK);
+    acc.push({
+      fileId,
+      encryptedDEK: bytesToHex6(encryptedFileDEK),
+      nonce: bytesToHex6(fileDEKNonce)
+    });
+    return acc;
+  }, []);
+  if (!dekStore.ragDEK) {
+    throw new Error("RAG DEK not found in dekStore. Please upload at least one file with ragIndex: true to initialize RAG.");
+  }
+  if (!dekStore.ragVersion) {
+    throw new Error("RAG Version not found in dekStore. Please upload at least one file with ragIndex: true to initialize RAG.");
+  }
+  const ragDEK = unwrapDEK(_clientKEK, dekStore.ragDEK);
+  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
+  const { encrypted: encryptedRagVersion, nonce: ragVersionNonce } = encryptPayload(sharedSecret, dekStore.ragVersion);
+  const body = {
+    cipherText: bytesToHex6(cipherText),
+    encryptedParams: bytesToHex6(encrypted),
+    nonce: bytesToHex6(nonce),
+    encryptedDEK: bytesToHex6(encryptedDEK),
+    dekNonce: bytesToHex6(dekNonce),
+    encryptedFileDEKs,
+    encryptedRagDEK: bytesToHex6(encryptedRagDEK),
+    ragDEKNonce: bytesToHex6(ragDEKNonce),
+    encryptedRagVersion: bytesToHex6(encryptedRagVersion),
+    ragVersionNonce: bytesToHex6(ragVersionNonce)
+  };
+  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
+  return decryptPayload(response.encryptedResponse, sharedSecret, hexToBytes6(response.nonce));
+}
+async function callTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  if (FILE_OUTPUT_TOOLS.includes(toolName)) {
+    return callFileOutputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
+  } else if (FILE_INPUT_TOOLS.includes(toolName)) {
+    return callFileInputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
+  } else if (RAG_TOOLS.includes(toolName)) {
+    return callRagTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
+  } else {
+    return callSimpleTool(toolName, params, apiKey, timeoutMs, attest2);
+  }
+}
+function createToolsClient(apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
+  return {
+    generateImage: (params) => callTool("generateImage", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    audioGenerateFromText: (params) => callTool("audioGenerateFromText", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    createFileForUser: (params) => callTool("createFileForUser", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    imageDescribeAndCaption: (params) => callTool("imageDescribeAndCaption", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    imageDescribeAndCaptionFallback: (params) => callTool("imageDescribeAndCaptionFallback", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    videoDescribeAndCaption: (params) => callTool("videoDescribeAndCaption", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getPDFContent: (params) => callTool("getPDFContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getTextDocumentContent: (params) => callTool("getTextDocumentContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    transcribeAudioToText: (params) => callTool("transcribeAudioToText", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    transcribeAudioWithDiarization: (params) => callTool("transcribeAudioWithDiarization", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    audioDiarization: (params) => callTool("audioDiarization", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getFileContentOCR: (params) => callTool("getFileContentOCR", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getSpreadsheetContent: (params) => callTool("getSpreadsheetContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getDataFileContent: (params) => callTool("getDataFileContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getPowerPointContent: (params) => callTool("getPowerPointContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    getTime: (params) => callTool("getTime", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    webSearchTool: (params) => callTool("webSearchTool", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    webPageScraperTool: (params) => callTool("webPageScraperTool", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
+    searchRag: (params) => callTool("searchRag", params, apiKey, dekStore, clientKEK, timeoutMs, attest2)
+  };
+}
+
+// src/core.ts
+async function createRvencClient(options) {
+  const {
+    apiKey,
+    clientKEK,
+    requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS,
+    maxBufferSize = DEFAULT_MAX_BUFFER_SIZE,
+    attest: attest2 = true
+  } = options;
+  if (options.config?.endpoints !== undefined) {
+    Object.assign(endpoints, options.config.endpoints);
+  }
+  let encryptionKeys;
+  try {
+    encryptionKeys = options.encryptionKeys ?? await generateEncryptionKeys(requestTimeoutMs);
+  } catch (error) {
+    throw new Error(`Failed to initialize encryption keys: ${error instanceof Error ? error.message : error}`);
+  }
+  const dekStore = options.dekStore ?? initializeDEKStore(clientKEK);
+  const client = createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs, maxBufferSize, attest2, options.config?.openAIClientOptions ?? {});
+  client.files = createFilesClient(apiKey, dekStore, clientKEK, requestTimeoutMs);
+  client.tools = createToolsClient(apiKey, dekStore, clientKEK, requestTimeoutMs, attest2);
+  client.audio = createAudioClient(apiKey, encryptionKeys, requestTimeoutMs, attest2);
+  client.models = createModelsClient(apiKey, requestTimeoutMs);
+  client.dekStore = dekStore;
+  return client;
+}
+var core_default = createRvencClient;
+
+// src/server/runtime.ts
+var DEFAULT_HOST = process.env.HOST ?? "127.0.0.1";
+var DEFAULT_PORT = process.env.PORT ? Number.parseInt(process.env.PORT, 10) : 8000;
+var CLIENT_CACHE_MAX = (() => {
+  let cacheTTL = 256;
+  const raw = process.env.CLIENT_CACHE_MAX;
+  if (raw) {
+    const _cacheTTL = Number.parseInt(raw, 10);
+    if (Number.isSafeInteger(_cacheTTL) && _cacheTTL > 0)
+      cacheTTL = _cacheTTL;
+  }
+  return cacheTTL;
+})();
+var serverProxyUrl = process.env.PROXY_URL;
+var serverEnclaveUrl = process.env.ENCLAVE_URL;
+var serverKek = process.env.CLIENT_KEK;
+var serverAttest = true;
+var clientCache = new Map;
+var storage = multer.memoryStorage();
+var audioUpload = multer({
+  storage,
+  limits: { fileSize: 25 * 1024 * 1024 }
+});
+function applyServerOptions(options) {
+  const { proxyUrl, enclaveUrl, kek, attest: attest2 } = options;
+  serverAttest = attest2 !== false;
+  if (proxyUrl) {
+    serverProxyUrl = proxyUrl;
+  }
+  if (enclaveUrl) {
+    serverEnclaveUrl = enclaveUrl;
+  }
+  if (kek) {
+    serverKek = kek;
+  }
+}
+async function getOrCreateRvencClient(apiKey) {
+  const existing = clientCache.get(apiKey);
+  if (existing)
+    return existing;
+  const client = await core_default({
+    apiKey,
+    clientKEK: serverKek,
+    attest: serverAttest,
+    config: {
+      endpoints: {
+        enclave: serverEnclaveUrl,
+        proxy: serverProxyUrl
+      }
+    }
+  });
+  clientCache.set(apiKey, client);
+  if (clientCache.size > CLIENT_CACHE_MAX) {
+    const oldest = clientCache.keys().next().value;
+    if (oldest !== undefined)
+      clientCache.delete(oldest);
+  }
+  return client;
+}
+
+// src/openai/routes.ts
+function extractApiKey(req) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader) {
+    return null;
+  }
+  if (authHeader.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  return authHeader;
+}
+function sendUnauthorized(res) {
+  res.status(401).json({
+    error: {
+      message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
+      type: "invalid_request_error",
+      code: "invalid_api_key"
+    }
+  });
+}
+function sendServerError(res, error) {
+  const err = error;
+  res.status(err.status ?? 500).json({
+    error: {
+      message: err.message ?? "Internal server error",
+      type: err.type ?? "server_error",
+      code: err.code
+    }
+  });
+}
+function openAIOwnedBy(modelId) {
+  const slash = modelId.indexOf("/");
+  if (slash > 0) {
+    return modelId.slice(0, slash);
+  }
+  return "prem";
+}
+function isoToUnix(iso) {
+  const t = Date.parse(iso);
+  if (!Number.isFinite(t)) {
+    return 0;
+  }
+  return Math.floor(t / 1000);
+}
+function registerOpenAICompatRoutes(router, deps) {
+  router.get("/v1/models", async (req, res) => {
+    try {
+      const apiKey = extractApiKey(req);
+      if (!apiKey) {
+        return sendUnauthorized(res);
+      }
+      const client = await deps.getOrCreateClient(apiKey);
+      const all = await client.models.list();
+      const data = all.filter((m) => m.enabled !== 0).map((m) => ({
+        id: m.model,
+        object: "model",
+        created: isoToUnix(m.created_at),
+        owned_by: openAIOwnedBy(m.model)
+      }));
+      res.json({ object: "list", data });
+    } catch (error) {
+      sendServerError(res, error);
+    }
+  });
+  router.post("/v1/chat/completions", async (req, res) => {
+    try {
+      const apiKey = extractApiKey(req);
+      if (!apiKey) {
+        return sendUnauthorized(res);
+      }
+      const client = await deps.getOrCreateClient(apiKey);
+      const params = req.body;
+      const completion = await client.chat.completions.create(params);
+      if (params.stream) {
+        res.setHeader("Content-Type", "text/event-stream");
+        res.setHeader("Cache-Control", "no-cache");
+        res.setHeader("Connection", "keep-alive");
+        if (completion && typeof completion === "object" && Symbol.asyncIterator in completion) {
+          try {
+            for await (const chunk of completion) {
+              res.write(`data: ${JSON.stringify(chunk)}
+
+`);
+            }
+            res.write(`data: [DONE]
+
+`);
+            res.end();
+          } catch (streamErr) {
+            if (!res.headersSent) {
+              sendServerError(res, streamErr);
+            } else {
+              res.end();
+            }
+          }
+        } else {
+          res.write(`data: ${JSON.stringify(completion)}
+
+`);
+          res.write(`data: [DONE]
+
+`);
+          res.end();
+        }
+      } else {
+        res.json(completion);
+      }
+    } catch (error) {
+      sendServerError(res, error);
+    }
+  });
+  router.post("/v1/audio/transcriptions", audioUpload.single("file"), async (req, res) => {
+    try {
+      const apiKey = extractApiKey(req);
+      if (!apiKey) {
+        return sendUnauthorized(res);
+      }
+      if (!req.file) {
+        return res.status(400).json({
+          error: {
+            message: "Missing required file parameter",
+            type: "invalid_request_error"
+          }
+        });
+      }
+      const client = await deps.getOrCreateClient(apiKey);
+      const file = new File([req.file.buffer], req.file.originalname, {
+        type: req.file.mimetype
+      });
+      const params = {
+        file,
+        model: req.body.model
+      };
+      if (req.body.language) {
+        params.language = req.body.language;
+      }
+      if (req.body.prompt) {
+        params.prompt = req.body.prompt;
+      }
+      if (req.body.response_format) {
+        params.response_format = req.body.response_format;
+      }
+      if (req.body.temperature) {
+        params.temperature = parseFloat(req.body.temperature);
+      }
+      if (req.body.timestamp_granularities) {
+        params.timestamp_granularities = Array.isArray(req.body.timestamp_granularities) ? req.body.timestamp_granularities : JSON.parse(req.body.timestamp_granularities);
+      }
+      const transcription = await client.audio.transcriptions.create(params);
+      res.json(transcription);
+    } catch (error) {
+      sendServerError(res, error);
+    }
+  });
+  router.post("/v1/audio/translations", audioUpload.single("file"), async (req, res) => {
+    try {
+      const apiKey = extractApiKey(req);
+      if (!apiKey) {
+        return sendUnauthorized(res);
+      }
+      if (!req.file) {
+        return res.status(400).json({
+          error: {
+            message: "Missing required file parameter",
+            type: "invalid_request_error"
+          }
+        });
+      }
+      const client = await deps.getOrCreateClient(apiKey);
+      const file = new File([req.file.buffer], req.file.originalname, {
+        type: req.file.mimetype
+      });
+      const params = {
+        file,
+        model: req.body.model
+      };
+      if (req.body.prompt) {
+        params.prompt = req.body.prompt;
+      }
+      if (req.body.response_format) {
+        params.response_format = req.body.response_format;
+      }
+      if (req.body.temperature) {
+        params.temperature = parseFloat(req.body.temperature);
+      }
+      const translation = await client.audio.translations.create(params);
+      res.json(translation);
+    } catch (error) {
+      sendServerError(res, error);
+    }
+  });
+}
+
+// src/server/route-prefix.ts
+function normalizeRoutePrefix(raw) {
+  if (raw == null) {
+    return "";
+  }
+  return new URL(String(raw).trim(), "http://localhost").pathname || "";
+}
+var DEFAULT_OPENAI_ROUTE_PREFIX_BOTH = "/openai";
+var DEFAULT_ANTHROPIC_ROUTE_PREFIX_BOTH = "/anthropic";
+function resolvePrefixesForCompat(compat, openaiRaw, anthropicRaw) {
+  const oNorm = normalizeRoutePrefix(openaiRaw);
+  const aNorm = normalizeRoutePrefix(anthropicRaw);
+  if (compat === "both") {
+    const openaiPrefix = oNorm || DEFAULT_OPENAI_ROUTE_PREFIX_BOTH;
+    const anthropicPrefix = aNorm || DEFAULT_ANTHROPIC_ROUTE_PREFIX_BOTH;
+    if (openaiPrefix === anthropicPrefix) {
+      throw new Error(`When compat is "both", openaiRoutePrefix and anthropicRoutePrefix must differ (both resolved to "${openaiPrefix}").`);
+    }
+    return { openaiPrefix, anthropicPrefix };
+  }
+  if (compat === "openai") {
+    return { openaiPrefix: oNorm, anthropicPrefix: "" };
+  }
+  return { openaiPrefix: "", anthropicPrefix: aNorm };
+}
+function prefixedRoute(prefix, path) {
+  const s = path.startsWith("/") ? path : `/${path}`;
+  if (!prefix) {
+    return s;
+  }
+  return `${prefix}${s}`;
+}
+
+// src/server/discovery.ts
+function registerApiDiscoveryRoute(app, mount) {
+  const {
+    openai: mountOpenAI,
+    anthropic: mountAnthropic,
+    openaiPrefix,
+    anthropicPrefix
+  } = mount;
+  app.get("/", (_, res) => {
+    const endpoints2 = {};
+    if (mountOpenAI) {
+      endpoints2.chat_completions = `POST ${prefixedRoute(openaiPrefix, "/v1/chat/completions")}`;
+      endpoints2.audio_transcriptions = `POST ${prefixedRoute(openaiPrefix, "/v1/audio/transcriptions")}`;
+      endpoints2.audio_translations = `POST ${prefixedRoute(openaiPrefix, "/v1/audio/translations")}`;
+      endpoints2.models = `GET ${prefixedRoute(openaiPrefix, "/v1/models")}`;
+    }
+    if (mountAnthropic) {
+      endpoints2.messages = `POST ${prefixedRoute(anthropicPrefix, "/v1/messages")}`;
+      endpoints2.messages_count_tokens = `POST ${prefixedRoute(anthropicPrefix, "/v1/messages/count_tokens")}`;
+      endpoints2.anthropic_models = `GET ${prefixedRoute(anthropicPrefix, "/v1/models")}`;
+      endpoints2.anthropic_model_get = `GET ${prefixedRoute(anthropicPrefix, "/v1/models/{model_id}")}`;
+    }
+    const labels = [];
+    if (mountOpenAI) {
+      labels.push("OpenAI-compatible");
+    }
+    if (mountAnthropic) {
+      labels.push("Anthropic Messages-compatible");
+    }
+    res.json({
+      message: `Rvenc API Server (${labels.join(" + ")})`,
+      version: "1.0.0",
+      compat: resolveCompatLabel(mount),
+      route_prefixes: buildRoutePrefixesPayload(mountOpenAI, mountAnthropic, openaiPrefix, anthropicPrefix),
+      endpoints: endpoints2
+    });
+  });
+}
+function buildRoutePrefixesPayload(mountOpenAI, mountAnthropic, openaiPrefix, anthropicPrefix) {
+  const out = {};
+  if (mountOpenAI) {
+    out.openai = openaiPrefix || "/";
+  }
+  if (mountAnthropic) {
+    out.anthropic = anthropicPrefix || "/";
+  }
+  if (Object.keys(out).length === 0) {
+    return;
+  }
+  return out;
+}
+function resolveCompatLabel(mount) {
+  if (mount.openai && mount.anthropic) {
+    return "both";
+  }
+  if (mount.anthropic) {
+    return "anthropic";
+  }
+  return "openai";
+}
+
+// src/server/create-app.ts
+var rvencDeps = {
+  getOrCreateClient: getOrCreateRvencClient
+};
+function resolveJsonBodyLimit(override) {
+  if (override != null && String(override).trim() !== "") {
+    return String(override).trim();
+  }
+  const env = process.env.JSON_BODY_LIMIT;
+  if (env != null && env !== "") {
+    return env;
+  }
+  return "32mb";
+}
+function resolveCreateServerInput(compatOrOptions) {
+  if (typeof compatOrOptions === "string") {
+    const compat2 = compatOrOptions;
+    const { openaiPrefix: openaiPrefix2, anthropicPrefix: anthropicPrefix2 } = resolvePrefixesForCompat(compat2, undefined, undefined);
+    return {
+      compat: compat2,
+      openaiPrefix: openaiPrefix2,
+      anthropicPrefix: anthropicPrefix2,
+      jsonBodyLimit: resolveJsonBodyLimit()
+    };
+  }
+  const compat = compatOrOptions.compat ?? "openai";
+  const { openaiPrefix, anthropicPrefix } = resolvePrefixesForCompat(compat, compatOrOptions.openaiRoutePrefix, compatOrOptions.anthropicRoutePrefix);
+  return {
+    compat,
+    openaiPrefix,
+    anthropicPrefix,
+    jsonBodyLimit: resolveJsonBodyLimit(compatOrOptions.jsonBodyLimit)
+  };
+}
+function httpErrorStatus(err) {
+  if (err && typeof err === "object") {
+    const o = err;
+    const s = o.status ?? o.statusCode;
+    if (typeof s === "number" && s >= 400 && s < 600) {
+      return s;
+    }
+  }
+  return 500;
+}
+function mountRouter(app, prefix, router) {
+  app.use(prefix || "/", router);
+}
+function createServerApp(compatOrOptions = "openai") {
+  const { compat, openaiPrefix, anthropicPrefix, jsonBodyLimit } = resolveCreateServerInput(compatOrOptions);
+  const mountOpenAI = compat === "openai" || compat === "both";
+  const mountAnthropic = compat === "anthropic" || compat === "both";
+  const app = express();
+  app.use(express.json({ limit: jsonBodyLimit }));
+  registerApiDiscoveryRoute(app, {
+    openai: mountOpenAI,
+    anthropic: mountAnthropic,
+    openaiPrefix,
+    anthropicPrefix
+  });
+  if (mountOpenAI) {
+    const router = express.Router();
+    registerOpenAICompatRoutes(router, rvencDeps);
+    mountRouter(app, openaiPrefix, router);
+  }
+  if (mountAnthropic) {
+    const router = express.Router();
+    registerAnthropicMessagesRoute(router, rvencDeps);
+    registerAnthropicCountTokensRoute(router, rvencDeps);
+    registerAnthropicModelsRoute(router, rvencDeps);
+    mountRouter(app, anthropicPrefix, router);
+  }
+  const isAnthropicRequest = (req) => {
+    if (!mountAnthropic) {
+      return false;
+    }
+    if (!mountOpenAI) {
+      return true;
+    }
+    return req.path === anthropicPrefix || req.path.startsWith(`${anthropicPrefix}/`);
+  };
+  app.use((err, req, res, _next) => {
+    const status = httpErrorStatus(err);
+    const message = err instanceof Error ? err.message : "Internal server error";
+    if (isAnthropicRequest(req)) {
+      const requestId = newAnthropicRequestId();
+      res.setHeader("request-id", requestId);
+      res.status(status).json({
+        type: "error",
+        error: {
+          type: httpStatusToAnthropicErrorType(status),
+          message
+        },
+        request_id: requestId
+      });
+      return;
+    }
+    res.status(status).json({
+      error: {
+        message,
+        type: "server_error"
+      }
+    });
+  });
+  app.use((req, res) => {
+    const message = `Route ${req.method} ${req.path} not found`;
+    if (isAnthropicRequest(req)) {
+      const requestId = newAnthropicRequestId();
+      res.setHeader("request-id", requestId);
+      res.status(404).json({
+        type: "error",
+        error: { type: "not_found_error", message },
+        request_id: requestId
+      });
+      return;
+    }
+    res.status(404).json({
+      error: {
+        message,
+        type: "invalid_request_error"
+      }
+    });
+  });
+  return app;
+}
+// src/server/start.ts
+async function startServer(options = {}) {
+  const {
+    host,
+    port,
+    compat: compatOpt,
+    openaiRoutePrefix,
+    anthropicRoutePrefix,
+    jsonBodyLimit
+  } = options;
+  const serverHost = host || DEFAULT_HOST;
+  const serverPort = port || DEFAULT_PORT;
+  const compat = compatOpt ?? "openai";
+  applyServerOptions(options);
+  resolvePrefixesForCompat(compat, openaiRoutePrefix, anthropicRoutePrefix);
+  const app = createServerApp({
+    compat,
+    openaiRoutePrefix,
+    anthropicRoutePrefix,
+    jsonBodyLimit
+  });
+  return new Promise((resolve, reject) => {
+    const server = app.listen(serverPort, serverHost, () => {
+      resolve({ close: () => server.close() });
+    });
+    server.on("error", (error) => {
+      if (error && typeof error === "object" && "code" in error && error.code === "EADDRINUSE") {
+        reject(new Error(`Port ${serverPort} is already in use`));
+      } else {
+        reject(error);
+      }
+    });
+  });
+}
+// src/server.ts
+var server_default = createServerApp("both");
+
+// src/launcher/proxy-subprocess.ts
+function startProxySubprocess(config) {
+  let close;
+  const ready = startServer({ ...config, compat: "anthropic" }).then((handle) => {
+    close = handle.close;
+  });
+  const whenCrashed = new Promise(() => {});
+  return {
+    stop: () => close?.(),
+    ready,
+    whenCrashed
+  };
+}
+
+// src/launcher/text-input.tsx
+import { Box as Box2, render as render2, Text as Text2, useApp as useApp2, useInput as useInput2 } from "ink";
+import { useState as useState2 } from "react";
+import { jsxDEV as jsxDEV2 } from "react/jsx-dev-runtime";
+function TextInput({ label, secret, onSubmit, onCancel }) {
+  const { exit } = useApp2();
+  const [value, setValue] = useState2("");
+  const [showRequired, setShowRequired] = useState2(false);
+  useInput2((input, key) => {
+    if (key.ctrl && input === "c") {
+      onCancel(new Error("Aborted by user (Ctrl-C)."));
+      exit();
+      return;
+    }
+    if (key.return) {
+      const trimmed = value.trim();
+      if (trimmed.length === 0) {
+        setShowRequired(true);
+        return;
+      }
+      onSubmit(trimmed);
+      exit();
+      return;
+    }
+    if (key.backspace || key.delete) {
+      setValue((v) => v.slice(0, -1));
+      setShowRequired(false);
+      return;
+    }
+    if (input && !key.ctrl && !key.meta) {
+      setValue((v) => v + input);
+      setShowRequired(false);
+    }
+  });
+  const displayed = secret ? "·".repeat(value.length) : value;
+  return /* @__PURE__ */ jsxDEV2(Box2, {
+    flexDirection: "column",
+    paddingTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV2(Box2, {
+        children: [
+          /* @__PURE__ */ jsxDEV2(Text2, {
+            dimColor: true,
+            children: [
+              label,
+              ": "
+            ]
+          }, undefined, true, undefined, this),
+          /* @__PURE__ */ jsxDEV2(Text2, {
+            children: displayed
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV2(Text2, {
+            inverse: true,
+            children: " "
+          }, undefined, false, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      showRequired && /* @__PURE__ */ jsxDEV2(Text2, {
+        color: "red",
+        children: [
+          "  (",
+          label,
+          " is required)"
+        ]
+      }, undefined, true, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function promptValue(label, options = {}) {
+  return new Promise((resolve, reject) => {
+    const { unmount, waitUntilExit } = render2(/* @__PURE__ */ jsxDEV2(TextInput, {
+      label,
+      secret: options.secret,
+      onSubmit: resolve,
+      onCancel: reject
+    }, undefined, false, undefined, this), { exitOnCtrlC: false });
+    waitUntilExit().then(() => unmount());
+  });
+}
+
+// src/launcher/claude-code.ts
+var appData = envPaths("confidential-claude");
+if (!existsSync(appData.config))
+  mkdirSync(appData.config, { recursive: true });
+var envPath = path.join(appData.config, ".env");
+if (!existsSync(envPath))
+  writeFileSync(envPath, "");
+var dotenvConfig = config({ path: envPath });
+var DEFAULT_HOST2 = "127.0.0.1";
+var DEFAULT_PORT2 = 8787;
+var CLAUDE_FLAGS = {
+  CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: "1",
+  CLAUDE_CODE_DISABLE_NONSTREAMING_FALLBACK: "1",
+  CLAUDE_STREAM_IDLE_TIMEOUT_MS: "600000",
+  CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING: "1",
+  CLAUDE_CODE_DISABLE_THINKING: "1"
+};
+async function requireValue(current, label, options = {}) {
+  if (current)
+    return current;
+  const val = await promptValue(label, options);
+  const updated = { ...dotenvConfig.parsed ?? {}, [label]: val };
+  dotenvConfig.parsed = updated;
+  writeFileSync(envPath, Object.entries(updated).map(([k, v]) => `${k}=${v}`).join(`
+`));
+  return val;
+}
+async function loadConfig() {
+  const host = process.env?.HOST ?? DEFAULT_HOST2;
+  const portRaw = process.env?.PORT;
+  const port = portRaw ? Number.parseInt(portRaw, 10) : DEFAULT_PORT2;
+  if (!Number.isFinite(port) || port <= 0) {
+    throw new Error(`Invalid PORT: ${portRaw}`);
+  }
+  const enclaveUrl = await requireValue(process.env?.ENCLAVE_URL, "ENCLAVE_URL");
+  const proxyUrl = await requireValue(process.env?.PROXY_URL, "PROXY_URL");
+  const kek = process.env?.CLIENT_KEK ?? generateNewClientKEK();
+  const apiKey = await requireValue(process.env?.API_KEY, "API_KEY", { secret: true });
+  return { host, port, enclaveUrl, proxyUrl, kek, apiKey };
+}
+async function fetchModels(baseUrl, apiKey, type = "CHAT") {
+  const url = new URL(`/v1/models?type=${encodeURIComponent(type)}`, baseUrl);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: { "x-api-key": apiKey }
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to list models (${response.status} ${response.statusText})`);
+  }
+  const json = await response.json();
+  if (!json || !Array.isArray(json.data)) {
+    throw new Error("Unexpected /v1/models response shape");
+  }
+  return json.data;
+}
+async function pickModel(models) {
+  if (models.length === 0) {
+    throw new Error("No models available from upstream.");
+  }
+  const selected = await interactivePickModel(models.map((m) => ({ id: m.id, display_name: m.display_name })));
+  return models.find((m) => m.id === selected.id) || [];
+}
+function detectCommand(command, args = ["--version"]) {
+  const result = spawnSync(command, args, {
+    shell: process.platform === "win32",
+    stdio: "ignore"
+  });
+  return result.status === 0;
+}
+function detectClaude() {
+  return detectCommand("claude");
+}
+async function ensureClaudeInstalled() {
+  if (detectClaude())
+    return;
+  throw new Error("install claude code: https://code.claude.com/docs/en/overview");
+}
+function buildClaudeEnv(baseUrl, modelId, apiKey) {
+  const env = {
+    ...process.env,
+    ANTHROPIC_BASE_URL: baseUrl.toString(),
+    ANTHROPIC_AUTH_TOKEN: apiKey,
+    ANTHROPIC_MODEL: modelId,
+    ANTHROPIC_SMALL_FAST_MODEL: modelId,
+    ANTHROPIC_DEFAULT_OPUS_MODEL: modelId,
+    ANTHROPIC_DEFAULT_SONNET_MODEL: modelId,
+    ANTHROPIC_DEFAULT_HAIKU_MODEL: modelId,
+    DEFAULT_MODEL: modelId,
+    ...CLAUDE_FLAGS
+  };
+  delete env.ANTHROPIC_API_KEY;
+  return env;
+}
+function spawnClaude(baseUrl, modelId, apiKey, forwardedArgs) {
+  const env = buildClaudeEnv(baseUrl, modelId, apiKey);
+  return new Promise((resolve, reject) => {
+    const child = spawn("claude", forwardedArgs, {
+      stdio: "inherit",
+      env,
+      shell: process.platform === "win32"
+    });
+    child.on("error", reject);
+    child.on("exit", (code, signal) => {
+      if (signal) {
+        resolve(128);
+        return;
+      }
+      resolve(code ?? 0);
+    });
+  });
+}
+function installProxyLifecycleHandlers(proxy) {
+  const onSignal = (sig) => {
+    proxy.stop();
+    process.exit(sig === "SIGINT" ? 130 : 143);
+  };
+  const sigintHandler = () => onSignal("SIGINT");
+  const sigtermHandler = () => onSignal("SIGTERM");
+  const exitHandler = () => proxy.stop();
+  process.once("SIGINT", sigintHandler);
+  process.once("SIGTERM", sigtermHandler);
+  process.once("exit", exitHandler);
+  return {
+    dispose: () => {
+      process.off("SIGINT", sigintHandler);
+      process.off("SIGTERM", sigtermHandler);
+      process.off("exit", exitHandler);
+    },
+    whenCrashed: proxy.whenCrashed
+  };
+}
+async function runClaudeCode(forwardedArgs = []) {
+  if (!process.stdout.isTTY || !process.stdin.isTTY) {
+    throw new Error("TTY environment required");
+  }
+  const config2 = await loadConfig();
+  const baseUrl = new URL(`http://${config2.host}:${config2.port}`);
+  const proxy = startProxySubprocess({
+    host: config2.host,
+    port: config2.port,
+    proxyUrl: config2.proxyUrl,
+    enclaveUrl: config2.enclaveUrl,
+    kek: config2.kek
+  });
+  const lifecycle = installProxyLifecycleHandlers(proxy);
+  try {
+    try {
+      await proxy.ready;
+    } catch (err) {
+      proxy.stop();
+      lifecycle.dispose();
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Failed to start proxy: ${msg}`);
+    }
+    let models;
+    try {
+      models = await Promise.race([
+        fetchModels(baseUrl, config2.apiKey),
+        lifecycle.whenCrashed
+      ]);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Failed to fetch models from proxy: ${msg}`);
+    }
+    const selected = await pickModel(models);
+    await ensureClaudeInstalled();
+    process.stdin.pause();
+    process.stdin.removeAllListeners();
+    const exitCode = await Promise.race([
+      spawnClaude(baseUrl, selected.id, config2.apiKey, forwardedArgs),
+      lifecycle.whenCrashed
+    ]);
+    return exitCode;
+  } finally {
+    lifecycle.dispose();
+    proxy.stop();
+  }
+}
+
+// src/cli-claude.ts
+runClaudeCode(process.argv.slice(2)).then((code) => {
+  process.exit(code);
+}).catch((err) => {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(message);
+  process.exit(1);
+});