@premai/api-sdk 1.0.40 → 1.0.42

package/dist/cli.cjs

@@ -1,1698 +0,0 @@
-#!/usr/bin/env node
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-function __accessProp(key) {
-  return this[key];
-}
-var __toESMCache_node;
-var __toESMCache_esm;
-var __toESM = (mod, isNodeMode, target) => {
-  var canCache = mod != null && typeof mod === "object";
-  if (canCache) {
-    var cache = isNodeMode ? __toESMCache_node ??= new WeakMap : __toESMCache_esm ??= new WeakMap;
-    var cached = cache.get(mod);
-    if (cached)
-      return cached;
-  }
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: __accessProp.bind(mod, key),
-        enumerable: true
-      });
-  if (canCache)
-    cache.set(mod, to);
-  return to;
-};
-
-// src/cli.ts
-var import_node_util = require("node:util");
-
-// src/server.ts
-var import_dotenv = __toESM(require("dotenv"));
-var import_express = __toESM(require("express"));
-var import_multer = __toESM(require("multer"));
-
-// src/audio/index.ts
-var import_utils2 = require("@noble/ciphers/utils.js");
-
-// src/config.ts
-var endpoints = {
-  enclave: process.env.ENCLAVE_URL,
-  proxy: process.env.PROXY_URL
-};
-var DEFAULT_REQUEST_TIMEOUT_MS = 600000;
-var DEFAULT_MAX_BUFFER_SIZE = 10 * 1024 * 1024;
-
-// src/utils/attestation.ts
-var cachedPrem;
-async function loadPrem() {
-  if (cachedPrem)
-    return cachedPrem;
-  const isBare = typeof globalThis.Bare !== "undefined";
-  if (isBare) {
-    cachedPrem = await (async (s, y) => await import(s, y))("@premai/reticle", { with: { type: "script" } });
-    return cachedPrem;
-  }
-  cachedPrem = await import("@premai/reticle");
-  return cachedPrem;
-}
-async function attest(apiKey, options = { enabled: true }) {
-  if (!options.enabled)
-    return null;
-  const prem = await loadPrem();
-  const client = await new prem.ClientBuilder(endpoints.proxy ?? "").with_authorization(apiKey).build();
-  let query = new prem.QueryParams;
-  if (options.model)
-    query = query.with("model", options.model);
-  try {
-    client.set_query(query);
-    const attested = await client.attest();
-    const headers = attested.headers();
-    const sessionId = attested.headers().gpu()?.get("x-session-id") ?? null;
-    headers.free();
-    attested.free();
-    return sessionId;
-  } finally {
-    client.free();
-  }
-}
-
-// src/utils/crypto.ts
-var import_aes = require("@noble/ciphers/aes.js");
-var import_chacha = require("@noble/ciphers/chacha.js");
-var import_utils = require("@noble/ciphers/utils.js");
-var import_sha2 = require("@noble/hashes/sha2.js");
-var import_sha3 = require("@noble/hashes/sha3.js");
-var import_hybrid = require("@noble/post-quantum/hybrid.js");
-function createMLKEMEncapsulation(publicKeyHex) {
-  return import_hybrid.XWing.encapsulate(import_utils.hexToBytes(publicKeyHex));
-}
-function encryptPayload(sharedSecret, data) {
-  const nonce = import_utils.randomBytes(24);
-  const chacha = import_chacha.xchacha20poly1305(sharedSecret, nonce);
-  let encodedData;
-  if (data instanceof Uint8Array) {
-    encodedData = data;
-  } else if (typeof data === "string") {
-    encodedData = new TextEncoder().encode(data);
-  } else {
-    encodedData = new TextEncoder().encode(JSON.stringify(data));
-  }
-  const encrypted = chacha.encrypt(encodedData);
-  return { encrypted, nonce };
-}
-function decryptPayload(encryptedData, sharedSecret, nonce) {
-  const chacha = import_chacha.xchacha20poly1305(sharedSecret, nonce);
-  const encrypted = import_utils.hexToBytes(encryptedData);
-  const decrypted = chacha.decrypt(encrypted);
-  const str = new TextDecoder().decode(decrypted);
-  try {
-    return JSON.parse(str);
-  } catch {
-    return str;
-  }
-}
-async function getEnclavePublicKey(timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(`${endpoints.enclave}/publicKey`, {
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to fetch enclave public key: ${response.status} ${response.statusText}`);
-    }
-    const data = await response.json();
-    if (!data.publicKey || typeof data.publicKey !== "string") {
-      throw new Error("Invalid public key response from enclave");
-    }
-    return data.publicKey;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Enclave public key request timed out after ${timeoutMs}ms`);
-    }
-    throw new Error(`Failed to get enclave public key: ${error instanceof Error ? error.message : error}`);
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function generateEncryptionKeys(timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  return createMLKEMEncapsulation(enclavePublicKey);
-}
-function keyIdFromKEK(kek, context = "kek:v1", length = 16) {
-  const ctx = new TextEncoder().encode(context);
-  const input = new Uint8Array(kek.length + ctx.length);
-  input.set(kek, 0);
-  input.set(ctx, kek.length);
-  const digest = import_sha2.sha256(input);
-  return digest.slice(0, length);
-}
-function encryptWithDEK(dek, plaintext) {
-  const aead = import_utils.managedNonce(import_chacha.xchacha20poly1305)(dek);
-  return aead.encrypt(plaintext);
-}
-function encryptMetadataWithDEK(dek, metadata) {
-  const encoded = new TextEncoder().encode(metadata);
-  const encrypted = encryptWithDEK(dek, encoded);
-  return import_utils.bytesToHex(encrypted);
-}
-function wrapDEK(kek, dek) {
-  const kw = import_aes.aeskwp(kek);
-  return kw.encrypt(dek);
-}
-function unwrapDEK(kek, wrappedDEK) {
-  const kw = import_aes.aeskwp(kek);
-  return kw.decrypt(wrappedDEK);
-}
-function decryptWithDEK(dek, encryptedContent) {
-  const aead = import_utils.managedNonce(import_chacha.xchacha20poly1305)(dek);
-  return aead.decrypt(encryptedContent);
-}
-
-// src/utils/error.ts
-async function throwIfErrorResponse(response) {
-  let raw;
-  try {
-    raw = await response.json();
-    if (!raw.status)
-      raw = { ...raw, status: response.status };
-  } catch {
-    raw = {
-      status: response.status,
-      data: null,
-      error: response.statusText || `HTTP ${response.status}`,
-      message: null
-    };
-  }
-  throw raw;
-}
-
-// src/utils/files.ts
-var getFileName = (file) => {
-  if (file instanceof File) {
-    return file.name;
-  }
-  if (file instanceof Blob) {
-    return;
-  }
-  const fileAny = file;
-  if (fileAny.path) {
-    const path = typeof fileAny.path === "string" ? fileAny.path : fileAny.path.toString();
-    return path.split("/").pop() || path.split("\\").pop() || path;
-  }
-  if (file instanceof Uint8Array || file instanceof ArrayBuffer) {
-    return;
-  }
-  return;
-};
-
-// src/audio/index.ts
-async function readUploadableToUint8Array(file) {
-  if (file instanceof Uint8Array) {
-    return file;
-  }
-  if (file instanceof ArrayBuffer) {
-    return new Uint8Array(file);
-  }
-  if (typeof file.arrayBuffer === "function") {
-    const blob = file;
-    const buffer = await blob.arrayBuffer();
-    return new Uint8Array(buffer);
-  }
-  const fileAny = file;
-  if (typeof fileAny.on === "function" && (typeof fileAny.read === "function" || typeof fileAny.pipe === "function")) {
-    const chunks = [];
-    return new Promise((resolve, reject) => {
-      fileAny.on("data", (chunk) => {
-        if (Buffer.isBuffer(chunk)) {
-          chunks.push(new Uint8Array(chunk));
-        } else if (chunk instanceof Uint8Array) {
-          chunks.push(chunk);
-        } else if (typeof chunk === "object" && chunk !== null) {
-          chunks.push(new Uint8Array(Buffer.from(chunk)));
-        }
-      });
-      fileAny.on("end", () => {
-        const totalLength = chunks.reduce((acc, chunk) => acc + chunk.length, 0);
-        const result = new Uint8Array(totalLength);
-        let offset = 0;
-        for (const chunk of chunks) {
-          result.set(chunk, offset);
-          offset += chunk.length;
-        }
-        resolve(result);
-      });
-      fileAny.on("error", (err) => reject(err));
-    });
-  }
-  throw new Error("Unsupported file type for audio transcription");
-}
-async function preprocessAudioRequest(body, encryptionKeys) {
-  const { cipherText, sharedSecret } = encryptionKeys;
-  const audioData = await readUploadableToUint8Array(body.file);
-  const isDeepgram = body.model.startsWith("deepgram/");
-  const requestBody = isDeepgram ? {
-    model: body.model,
-    diarize: body.diarize
-  } : {
-    model: body.model,
-    language: body.language,
-    prompt: body.prompt,
-    response_format: body.response_format,
-    temperature: body.temperature,
-    timestamp_granularities: body.timestamp_granularities
-  };
-  const cleanedBody = Object.fromEntries(Object.entries(requestBody).filter(([_, v]) => v !== undefined));
-  const { encrypted, nonce } = encryptPayload(sharedSecret, cleanedBody);
-  const { encrypted: encryptedFile, nonce: fileNonce } = encryptPayload(sharedSecret, audioData);
-  const fileName = getFileName(body.file) || "audio.mp3";
-  const { encrypted: encryptedFileName, nonce: fileNameNonce } = encryptPayload(sharedSecret, fileName);
-  return {
-    body: {
-      cipherText: import_utils2.bytesToHex(cipherText),
-      encryptedInference: import_utils2.bytesToHex(encrypted),
-      nonce: import_utils2.bytesToHex(nonce),
-      fileNameNonce: import_utils2.bytesToHex(fileNameNonce),
-      encryptedFileName: import_utils2.bytesToHex(encryptedFileName),
-      fileNonce: import_utils2.bytesToHex(fileNonce),
-      encryptedFile: import_utils2.bytesToHex(encryptedFile),
-      model: body.model
-    },
-    sharedSecret
-  };
-}
-async function postprocessTranscriptionResponse(response, sharedSecret) {
-  const responseData = await response.json();
-  const data = responseData.data;
-  if (!data.encryptedResponse || !data.nonce) {
-    throw new Error("Invalid transcription response: missing encryptedResponse or nonce");
-  }
-  const responseNonce = import_utils2.hexToBytes(data.nonce);
-  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
-}
-async function postprocessTranslationResponse(response, sharedSecret) {
-  const responseData = await response.json();
-  const data = responseData.data;
-  if (!data.encryptedResponse || !data.nonce) {
-    throw new Error("Invalid translation response: missing encryptedResponse or nonce");
-  }
-  const responseNonce = import_utils2.hexToBytes(data.nonce);
-  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
-}
-async function preprocessAudioTranslationRequest(body, encryptionKeys) {
-  const { cipherText, sharedSecret } = encryptionKeys;
-  const audioData = await readUploadableToUint8Array(body.file);
-  const requestBody = {
-    model: body.model,
-    prompt: body.prompt,
-    response_format: body.response_format,
-    temperature: body.temperature
-  };
-  const cleanedBody = Object.fromEntries(Object.entries(requestBody).filter(([_, v]) => v !== undefined));
-  const { encrypted, nonce } = encryptPayload(sharedSecret, cleanedBody);
-  const { encrypted: encryptedFile, nonce: fileNonce } = encryptPayload(sharedSecret, audioData);
-  const fileName = getFileName(body.file) || "audio.mp3";
-  const { encrypted: encryptedFileName, nonce: fileNameNonce } = encryptPayload(sharedSecret, fileName);
-  return {
-    body: {
-      cipherText: import_utils2.bytesToHex(cipherText),
-      encryptedInference: import_utils2.bytesToHex(encrypted),
-      nonce: import_utils2.bytesToHex(nonce),
-      fileNameNonce: import_utils2.bytesToHex(fileNameNonce),
-      encryptedFileName: import_utils2.bytesToHex(encryptedFileName),
-      fileNonce: import_utils2.bytesToHex(fileNonce),
-      encryptedFile: import_utils2.bytesToHex(encryptedFile),
-      model: body.model
-    },
-    sharedSecret
-  };
-}
-function createAudioClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
-  async function createTranscription(body) {
-    const controller = new AbortController;
-    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
-    try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
-      const encryptedRequest = await preprocessAudioRequest(body, encryptionKeys);
-      const response = await fetch(`${endpoints.proxy}/rvenc/audio/transcriptions`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: apiKey,
-          ...sessionId && { "X-Session-Id": sessionId }
-        },
-        body: JSON.stringify(encryptedRequest.body),
-        signal: controller.signal
-      });
-      if (!response.ok) {
-        await throwIfErrorResponse(response);
-      }
-      clearTimeout(timeoutId);
-      return await postprocessTranscriptionResponse(response, encryptedRequest.sharedSecret);
-    } catch (error) {
-      clearTimeout(timeoutId);
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
-      }
-      throw error;
-    }
-  }
-  const transcriptionsClient = {
-    create: createTranscription
-  };
-  async function createTranslation(body) {
-    const controller = new AbortController;
-    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
-    try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
-      const encryptedRequest = await preprocessAudioTranslationRequest(body, encryptionKeys);
-      const response = await fetch(`${endpoints.proxy}/rvenc/audio/translations`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: apiKey,
-          ...sessionId && { "X-Session-Id": sessionId }
-        },
-        body: JSON.stringify(encryptedRequest.body),
-        signal: controller.signal
-      });
-      if (!response.ok) {
-        await throwIfErrorResponse(response);
-      }
-      clearTimeout(timeoutId);
-      return await postprocessTranslationResponse(response, encryptedRequest.sharedSecret);
-    } catch (error) {
-      clearTimeout(timeoutId);
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
-      }
-      throw error;
-    }
-  }
-  const translationsClient = {
-    create: createTranslation
-  };
-  return {
-    transcriptions: transcriptionsClient,
-    translations: translationsClient
-  };
-}
-
-// src/files/index.ts
-var import_utils4 = require("@noble/ciphers/utils.js");
-var import_sha22 = require("@noble/hashes/sha2.js");
-var import_date_fns = require("date-fns");
-var import_zod = require("zod");
-
-// src/utils/dek-store.ts
-var import_utils3 = require("@noble/ciphers/utils.js");
-function initializeDEKStore(clientKEK) {
-  const ragDEK = import_utils3.randomBytes(32);
-  const _clientKEK = clientKEK ? import_utils3.hexToBytes(clientKEK) : getClientKEK();
-  const wrappedRagDEK = wrapDEK(_clientKEK, ragDEK);
-  return {
-    fileDEKs: new Map,
-    ragDEK: wrappedRagDEK,
-    ragVersion: "2"
-  };
-}
-function getClientKEK() {
-  if (!process.env.CLIENT_KEK) {
-    throw new Error("CLIENT_KEK environment variable is not set.");
-  }
-  return import_utils3.hexToBytes(process.env.CLIENT_KEK);
-}
-function getClientKID(clientKEK) {
-  if (clientKEK) {
-    return import_utils3.bytesToHex(keyIdFromKEK(import_utils3.hexToBytes(clientKEK)));
-  }
-  const _clientKEK = getClientKEK();
-  return import_utils3.bytesToHex(keyIdFromKEK(_clientKEK));
-}
-
-// src/files/index.ts
-var MAX_FILENAME_LENGTH = 255;
-var MIN_FILENAME_LENGTH = 1;
-var ALLOWED_MIME_TYPES = new Set([
-  "image/jpeg",
-  "image/png",
-  "image/gif",
-  "image/webp",
-  "application/pdf",
-  "application/msword",
-  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-  "application/vnd.ms-excel",
-  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-  "text/plain",
-  "text/csv",
-  "text/markdown",
-  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
-  "video/mp4",
-  "video/webm",
-  "video/quicktime",
-  "audio/mpeg",
-  "audio/wav",
-  "audio/ogg",
-  "application/zip",
-  "application/x-rar-compressed",
-  "application/x-7z-compressed",
-  "application/octet-stream"
-]);
-var ApiKeySchema = import_zod.z.string().trim().min(1, "API key cannot be empty");
-var TimeoutSchema = import_zod.z.number().int().min(1, "Timeout must be at least 1ms").max(600000, "Timeout must not exceed 600000ms (10 minutes)");
-var DEKStoreSchema = import_zod.z.object({
-  ragDEK: import_zod.z.instanceof(Uint8Array).optional(),
-  fileDEKs: import_zod.z.instanceof(Map).optional()
-});
-var ISO8601DateSchema = import_zod.z.string().refine((val) => {
-  const date = import_date_fns.parseISO(val);
-  return import_date_fns.isValid(date);
-}, { message: "Must be a valid ISO8601 date" });
-var MimeTypeSchema = import_zod.z.string().refine((val) => ALLOWED_MIME_TYPES.has(val), {
-  message: "MIME type is not allowed"
-});
-var FileUploadOptionsSchema = import_zod.z.object({
-  file: import_zod.z.instanceof(Uint8Array),
-  fileName: import_zod.z.string().min(MIN_FILENAME_LENGTH, "File name cannot be empty").max(MAX_FILENAME_LENGTH, `File name cannot exceed ${MAX_FILENAME_LENGTH} characters`).refine((name) => !/[<>:"|?*\x00-\x1F]/.test(name), "Invalid characters").refine((name) => !name.includes("..") && !name.includes("/") && !name.includes("\\"), "No path separators allowed"),
-  mimeType: import_zod.z.string().optional(),
-  ragIndex: import_zod.z.boolean().optional()
-});
-var ListFilesOptionsSchema = import_zod.z.object({
-  limit: import_zod.z.number().int().positive("Limit must be a positive integer").optional(),
-  offset: import_zod.z.number().int().nonnegative("Offset must be a non-negative integer").optional(),
-  search: import_zod.z.string().optional(),
-  from: ISO8601DateSchema.optional(),
-  to: ISO8601DateSchema.optional()
-}).optional();
-var GetFileOptionsSchema = import_zod.z.object({
-  id: import_zod.z.string().trim().min(1, "File ID cannot be empty"),
-  url: import_zod.z.boolean().optional()
-});
-var DeleteFileOptionsSchema = import_zod.z.object({
-  id: import_zod.z.string().min(1, "File ID is required")
-});
-var IndexFileInputSchema = import_zod.z.object({
-  fileId: import_zod.z.string().min(1, "File ID is required"),
-  filePath: import_zod.z.string().min(1, "File path is required"),
-  fileDEK: import_zod.z.instanceof(Uint8Array).optional()
-});
-var IndexFilesOptionsSchema = import_zod.z.object({
-  files: import_zod.z.array(IndexFileInputSchema).min(1, "Files array must not be empty"),
-  ragDEK: import_zod.z.instanceof(Uint8Array).optional()
-});
-var DeleteIndexOptionsSchema = import_zod.z.object({
-  fileIds: import_zod.z.array(import_zod.z.string().min(1)).min(1, "File IDs array must not be empty"),
-  ragDEK: import_zod.z.instanceof(Uint8Array).optional()
-});
-function validateAPIKey(apiKey) {
-  ApiKeySchema.parse(apiKey);
-}
-function validateDEKStore(dekStore) {
-  DEKStoreSchema.parse(dekStore);
-}
-function validateMimeType(mimeType) {
-  MimeTypeSchema.parse(mimeType);
-}
-function validateFileUploadOptions(options) {
-  FileUploadOptionsSchema.parse(options);
-}
-function validateListFilesOptions(options) {
-  ListFilesOptionsSchema.parse(options);
-}
-function validateGetFileOptions(options) {
-  GetFileOptionsSchema.parse(options);
-}
-function guessMimeType(fileName) {
-  const ext = fileName.toLowerCase().split(".").pop() || "";
-  const mimeTypeMap = {
-    jpg: "image/jpeg",
-    jpeg: "image/jpeg",
-    png: "image/png",
-    gif: "image/gif",
-    webp: "image/webp",
-    pdf: "application/pdf",
-    doc: "application/msword",
-    docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-    xls: "application/vnd.ms-excel",
-    xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-    txt: "text/plain",
-    csv: "text/csv",
-    md: "text/markdown",
-    pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
-    mp4: "video/mp4",
-    webm: "video/webm",
-    mov: "video/quicktime",
-    mp3: "audio/mpeg",
-    wav: "audio/wav",
-    ogg: "audio/ogg",
-    zip: "application/zip",
-    rar: "application/x-rar-compressed",
-    "7z": "application/x-7z-compressed"
-  };
-  return mimeTypeMap[ext] || "application/octet-stream";
-}
-async function saveRagDEKToBackend(apiKey, wrappedRagDEK, timeoutMs) {
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(`${endpoints.proxy}/users/save_rag_dek`, {
-      method: "POST",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        data: {
-          wrappedRagDEK,
-          confirmReplaceRagDEK: true
-        }
-      }),
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to save RAG DEK: HTTP ${response.status}`);
-    }
-    const result = await response.json();
-    if (result.error) {
-      throw new Error(result.error);
-    }
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Save RAG DEK request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function prepareEncryptedPayload(dekStore, options, apiKey, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  const fileBytes = options.file;
-  const mimeType = options.mimeType || guessMimeType(options.fileName);
-  validateMimeType(mimeType);
-  const dek = import_utils4.randomBytes(32);
-  const encryptedFile = encryptWithDEK(dek, fileBytes);
-  const encryptedName = encryptMetadataWithDEK(dek, options.fileName);
-  const encryptedMimeType = encryptMetadataWithDEK(dek, mimeType);
-  const _clientKEK = clientKEK ? import_utils4.hexToBytes(clientKEK) : getClientKEK();
-  const wrappedDEK = wrapDEK(_clientKEK, dek);
-  const clientKID = clientKEK ? getClientKID(clientKEK) : getClientKID();
-  const filePayload = {
-    client_hash: import_utils4.bytesToHex(import_sha22.sha256(fileBytes)),
-    encrypted_content: import_utils4.bytesToHex(encryptedFile),
-    encrypted_name: encryptedName,
-    kid: clientKID,
-    mime_type: encryptedMimeType,
-    version: "2",
-    wrapped_dek: import_utils4.bytesToHex(wrappedDEK)
-  };
-  if (options.ragIndex) {
-    await addRagIndexToPayload(dekStore, dek, filePayload, apiKey, clientKEK, timeoutMs);
-  }
-  return { dek, filePayload };
-}
-async function addRagIndexToPayload(dekStore, dek, filePayload, apiKey, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  let ragDEK = dekStore.ragDEK;
-  const _clientKEK = clientKEK ? import_utils4.hexToBytes(clientKEK) : getClientKEK();
-  if (!ragDEK) {
-    ragDEK = import_utils4.randomBytes(32);
-    const wrappedRagDEK = wrapDEK(_clientKEK, ragDEK);
-    dekStore.ragDEK = wrappedRagDEK;
-    try {
-      await saveRagDEKToBackend(apiKey, import_utils4.bytesToHex(wrappedRagDEK), timeoutMs);
-    } catch (error) {
-      console.error("Warning: Failed to save RAG DEK to backend:", error);
-    }
-  } else {
-    ragDEK = unwrapDEK(_clientKEK, ragDEK);
-  }
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const { encrypted: encryptedFileDEK, nonce: fileNonce } = encryptPayload(sharedSecret, dek);
-  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
-  filePayload.encrypted_file_dek = import_utils4.bytesToHex(encryptedFileDEK);
-  filePayload.encrypted_rag_dek = import_utils4.bytesToHex(encryptedRagDEK);
-  filePayload.file_nonce = import_utils4.bytesToHex(fileNonce);
-  filePayload.rag_dek_nonce = import_utils4.bytesToHex(ragDEKNonce);
-  filePayload.cipher_text = import_utils4.bytesToHex(cipherText);
-}
-async function performUpload(apiKey, filePayload, controller) {
-  const uploadResponse = await fetch(`${endpoints.proxy}/files/encrypted/upload`, {
-    method: "POST",
-    headers: {
-      Authorization: apiKey,
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify(filePayload),
-    signal: controller.signal
-  });
-  if (!uploadResponse.ok) {
-    let errorMessage = `Upload request failed with status ${uploadResponse.status}`;
-    try {
-      const body = await uploadResponse.json();
-      if (body.error) {
-        errorMessage = body.error;
-      }
-    } catch {}
-    throw new Error(errorMessage);
-  }
-  const uploadResult = await uploadResponse.json();
-  if (uploadResult.status !== 200) {
-    throw new Error(uploadResult.error || "Upload failed");
-  }
-  if (!uploadResult.data) {
-    throw new Error("Upload response missing data");
-  }
-  return uploadResult.data;
-}
-function storeDEKForFile(dekStore, fileId, dek, clientKEK) {
-  if (!dekStore.fileDEKs) {
-    dekStore.fileDEKs = new Map;
-  }
-  const _clientKEK = clientKEK ? import_utils4.hexToBytes(clientKEK) : getClientKEK();
-  const wrappedDEK = wrapDEK(_clientKEK, dek);
-  dekStore.fileDEKs.set(fileId, wrappedDEK);
-}
-async function uploadFile(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  validateAPIKey(apiKey);
-  validateDEKStore(dekStore);
-  validateFileUploadOptions(options);
-  TimeoutSchema.parse(timeoutMs);
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const { dek, filePayload } = await prepareEncryptedPayload(dekStore, options, apiKey, clientKEK, timeoutMs);
-    const uploadedFile = await performUpload(apiKey, filePayload, controller);
-    storeDEKForFile(dekStore, uploadedFile.id, dek, clientKEK);
-    return uploadedFile;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`File upload timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function listFiles(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  validateAPIKey(apiKey);
-  validateListFilesOptions(options);
-  TimeoutSchema.parse(timeoutMs);
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  const queryParams = new URLSearchParams;
-  if (options?.limit !== undefined) {
-    queryParams.append("limit", options.limit.toString());
-  }
-  if (options?.offset !== undefined) {
-    queryParams.append("offset", options.offset.toString());
-  }
-  if (options?.search) {
-    queryParams.append("search", options.search);
-  }
-  if (options?.from) {
-    queryParams.append("from", options.from);
-  }
-  if (options?.to) {
-    queryParams.append("to", options.to);
-  }
-  const queryString = queryParams.toString();
-  const url = `${endpoints.proxy}/files/encrypted${queryString ? `?${queryString}` : ""}`;
-  try {
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      throw new Error(`List files request failed with status ${response.status}`);
-    }
-    const result = await response.json();
-    if (result.status !== 200) {
-      throw new Error(result.error || "List files failed");
-    }
-    if (!result.data) {
-      throw new Error("List files response missing data");
-    }
-    return result.data;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`List files request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function getFile(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  validateAPIKey(apiKey);
-  validateGetFileOptions(options);
-  TimeoutSchema.parse(timeoutMs);
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  const queryParams = new URLSearchParams;
-  if (options.url !== undefined) {
-    queryParams.append("url", options.url ? "true" : "false");
-  }
-  const queryString = queryParams.toString();
-  const url = `${endpoints.proxy}/files/encrypted/${options.id}${queryString ? `?${queryString}` : ""}`;
-  try {
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      if (response.status === 404) {
-        throw new Error(`File not found: ${options.id}`);
-      }
-      throw new Error(`Get file request failed with status ${response.status}`);
-    }
-    const result = await response.json();
-    if (result.status !== 200) {
-      throw new Error(result.error || "Get file failed");
-    }
-    if (!result.data) {
-      throw new Error("Get file response missing data");
-    }
-    return result.data;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Get file request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function deleteFile(apiKey, options, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  validateAPIKey(apiKey);
-  DeleteFileOptionsSchema.parse(options);
-  TimeoutSchema.parse(timeoutMs);
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(`${endpoints.proxy}/files/encrypted/${options.id}`, {
-      method: "DELETE",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      if (response.status === 404) {
-        throw new Error(`File not found: ${options.id}`);
-      }
-      throw new Error(`Delete file request failed with status ${response.status}`);
-    }
-    await response.json();
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Delete file request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function indexFiles(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  validateAPIKey(apiKey);
-  validateDEKStore(dekStore);
-  IndexFilesOptionsSchema.parse(options);
-  TimeoutSchema.parse(timeoutMs);
-  const wrappedRagDEK = options.ragDEK || dekStore.ragDEK;
-  if (!wrappedRagDEK) {
-    throw new Error("RAG DEK not found. Provide ragDEK in options or upload at least one file with ragIndex: true.");
-  }
-  const _clientKEK = clientKEK ? import_utils4.hexToBytes(clientKEK) : getClientKEK();
-  const ragDEK = unwrapDEK(_clientKEK, wrappedRagDEK);
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const encryptedFiles = options.files.map((file) => {
-    const wrappedFileDEK = file.fileDEK || dekStore.fileDEKs?.get(file.fileId);
-    if (!wrappedFileDEK) {
-      throw new Error(`File DEK not found for file: ${file.fileId}. Provide fileDEK or ensure file was uploaded with this DEK store.`);
-    }
-    const fileDEK = unwrapDEK(_clientKEK, wrappedFileDEK);
-    const { encrypted: encryptedFileDEK, nonce: fileNonce } = encryptPayload(sharedSecret, fileDEK);
-    const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
-    return {
-      file_id: file.fileId,
-      encrypted_file_dek: import_utils4.bytesToHex(encryptedFileDEK),
-      encrypted_rag_dek: import_utils4.bytesToHex(encryptedRagDEK),
-      file_nonce: import_utils4.bytesToHex(fileNonce),
-      rag_dek_nonce: import_utils4.bytesToHex(ragDEKNonce),
-      s3_r2_path: file.filePath,
-      cipher_text: import_utils4.bytesToHex(cipherText)
-    };
-  });
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(`${endpoints.proxy}/files/encrypted/index`, {
-      method: "POST",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({ files: encryptedFiles }),
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      throw new Error(`Index files request failed with status ${response.status}`);
-    }
-    const result = await response.json();
-    return result;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Index files request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function deleteIndex(apiKey, dekStore, options, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  validateAPIKey(apiKey);
-  validateDEKStore(dekStore);
-  DeleteIndexOptionsSchema.parse(options);
-  TimeoutSchema.parse(timeoutMs);
-  const wrappedRagDEK = options.ragDEK || dekStore.ragDEK;
-  if (!wrappedRagDEK) {
-    throw new Error("RAG DEK not found. Provide ragDEK in options or ensure dekStore has a ragDEK.");
-  }
-  const _clientKEK = clientKEK ? import_utils4.hexToBytes(clientKEK) : getClientKEK();
-  const ragDEK = unwrapDEK(_clientKEK, wrappedRagDEK);
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(`${endpoints.proxy}/files/encrypted/delete-index`, {
-      method: "POST",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        cipher_text: import_utils4.bytesToHex(cipherText),
-        encrypted_rag_dek: import_utils4.bytesToHex(encryptedRagDEK),
-        rag_dek_nonce: import_utils4.bytesToHex(ragDEKNonce),
-        fileIds: options.fileIds
-      }),
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      throw new Error(`Delete index request failed with status ${response.status}`);
-    }
-    const result = await response.json();
-    return result;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Delete index request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-function createFilesClient(apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  return {
-    upload: (options) => uploadFile(apiKey, dekStore, options, clientKEK, timeoutMs),
-    list: (options) => listFiles(apiKey, options, timeoutMs),
-    get: (options) => getFile(apiKey, options, timeoutMs),
-    delete: (options) => deleteFile(apiKey, options, timeoutMs),
-    index: (options) => indexFiles(apiKey, dekStore, options, clientKEK, timeoutMs),
-    deleteIndex: (options) => deleteIndex(apiKey, dekStore, options, clientKEK, timeoutMs)
-  };
-}
-
-// src/models/index.ts
-async function listModels(params, apiKey, timeoutMs) {
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  const queryParams = new URLSearchParams;
-  if (params?.type !== undefined) {
-    queryParams.append("type", params.type);
-  }
-  const queryString = queryParams.toString();
-  const url = `${endpoints.proxy}/models${queryString ? `?${queryString}` : ""}`;
-  try {
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        Authorization: apiKey,
-        "Content-Type": "application/json"
-      },
-      signal: controller.signal
-    });
-    if (!response.ok) {
-      throw new Error(`List models request failed with status ${response.status}`);
-    }
-    const result = await response.json();
-    if (result.status !== 200) {
-      throw new Error(result.error || "List models failed");
-    }
-    if (!result.data) {
-      throw new Error("List models response missing data");
-    }
-    return result.data;
-  } catch (error) {
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`List models request timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-function createModelsClient(apiKey, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) {
-  return {
-    list: (params) => listModels(params, apiKey, timeoutMs)
-  };
-}
-
-// src/rvenc/index.ts
-var import_utils5 = require("@noble/ciphers/utils.js");
-var import_openai = __toESM(require("openai"));
-function preprocessRequest(body, encryptionKeys) {
-  const { cipherText, sharedSecret } = encryptionKeys;
-  const { encrypted, nonce } = encryptPayload(sharedSecret, body);
-  return {
-    body: {
-      cipherText: import_utils5.bytesToHex(cipherText),
-      encryptedInference: import_utils5.bytesToHex(encrypted),
-      nonce: import_utils5.bytesToHex(nonce),
-      model: body.model,
-      stream: body.stream === true
-    },
-    sharedSecret,
-    nonce
-  };
-}
-async function postprocessStreamingResponse(response, sharedSecret, nonce, maxBufferSize) {
-  if (!response.body) {
-    throw new Error("Response body is null");
-  }
-  const reader = response.body.getReader();
-  const generator = createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxBufferSize);
-  return {
-    [Symbol.asyncIterator]() {
-      return generator;
-    }
-  };
-}
-async function postprocessNonStreamingResponse(response, sharedSecret) {
-  const data = await response.json();
-  if (!data.encryptedResponse || !data.nonce) {
-    throw new Error("Invalid non-streaming response: missing encryptedResponse or nonce");
-  }
-  const responseNonce = import_utils5.hexToBytes(data.nonce);
-  return decryptPayload(data.encryptedResponse, sharedSecret, responseNonce);
-}
-function createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, maxBufferSize = DEFAULT_MAX_BUFFER_SIZE, attest2 = true, OpenAIClientParams) {
-  const client = new import_openai.default({ apiKey: "not-used", ...OpenAIClientParams });
-  const originalChatCreate = client.chat.completions.create.bind(client.chat.completions);
-  client.chat.completions.create = async (body) => {
-    const isStreaming = body.stream === true;
-    const controller = new AbortController;
-    const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
-    try {
-      const sessionId = await attest(apiKey, { model: body.model, enabled: attest2 });
-      const encryptedRequest = preprocessRequest(body, encryptionKeys);
-      const response = await fetch(`${endpoints.proxy}/rvenc/chat/completions`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Accept: isStreaming ? "text/event-stream" : "application/json",
-          Authorization: apiKey,
-          ...sessionId && { "X-Session-Id": sessionId }
-        },
-        body: JSON.stringify(encryptedRequest.body),
-        signal: controller.signal
-      });
-      if (!response.ok) {
-        await throwIfErrorResponse(response);
-      }
-      clearTimeout(timeoutId);
-      if (isStreaming) {
-        return await postprocessStreamingResponse(response, encryptedRequest.sharedSecret, encryptedRequest.nonce, maxBufferSize);
-      } else {
-        return await postprocessNonStreamingResponse(response, encryptedRequest.sharedSecret);
-      }
-    } catch (error) {
-      clearTimeout(timeoutId);
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new Error(`Request timed out after ${requestTimeoutMs}ms`);
-      }
-      throw error;
-    }
-  };
-  return client;
-}
-async function* createDecryptedStreamGenerator(reader, sharedSecret, nonce, maxBufferSize) {
-  const decoder = new TextDecoder;
-  let buffer = "";
-  try {
-    while (true) {
-      const { value, done } = await reader.read();
-      if (done)
-        break;
-      buffer += decoder.decode(value, { stream: true });
-      if (buffer.length > maxBufferSize) {
-        throw new Error(`Stream buffer exceeded maximum size of ${maxBufferSize} bytes`);
-      }
-      const parts = buffer.split(`
-
-`);
-      for (let i = 0;i < parts.length - 1; i++) {
-        const part = parts[i];
-        const lines = part.split(`
-`);
-        let event;
-        let data;
-        if (lines[0]) {
-          const eventSplit = lines[0].split(": ");
-          event = eventSplit[1];
-        }
-        if (lines[1]) {
-          const dataSplit = lines[1].split(": ");
-          data = dataSplit.slice(1).join(": ");
-        }
-        if (event === "done" && data === "[DONE]") {
-          return;
-        }
-        if (event === "error") {
-          const errorObj = JSON.parse(data || "{}");
-          throw new Error(errorObj.error?.message || data || "Stream error");
-        }
-        if (event === "data" && data && data !== "[DONE]") {
-          const chunk = decryptPayload(data, sharedSecret, nonce);
-          if (chunk.error) {
-            throw new Error(chunk.error.message || "Stream error");
-          }
-          yield chunk;
-        }
-      }
-      buffer = parts[parts.length - 1];
-    }
-  } finally {
-    reader.releaseLock();
-  }
-}
-
-// src/tools/index.ts
-var import_utils6 = require("@noble/ciphers/utils.js");
-var FILE_OUTPUT_TOOLS = ["generateImage", "audioGenerateFromText", "createFileForUser"];
-var FILE_INPUT_TOOLS = [
-  "imageDescribeAndCaption",
-  "imageDescribeAndCaptionFallback",
-  "videoDescribeAndCaption",
-  "getPDFContent",
-  "getTextDocumentContent",
-  "transcribeAudioToText",
-  "transcribeAudioWithDiarization",
-  "audioDiarization",
-  "getSpreadsheetContent",
-  "getPowerPointContent",
-  "getDataFileContent",
-  "getFileContentOCR"
-];
-var RAG_TOOLS = ["searchRag"];
-async function callToolRequest(toolName, body, apiKey, timeoutMs, attest2) {
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const response = await fetch(`${endpoints.proxy}/tools/${toolName}`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: apiKey
-      },
-      body: JSON.stringify(body),
-      signal: controller.signal
-    });
-    clearTimeout(timeoutId);
-    if (!response.ok) {
-      await throwIfErrorResponse(response);
-    }
-    const data = await response.json();
-    return data.data;
-  } catch (error) {
-    clearTimeout(timeoutId);
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`Tool request timed out after ${timeoutMs}ms`);
-    }
-    throw new Error(`Tool request failed: ${error instanceof Error ? error.message : error}`);
-  }
-}
-async function downloadEncryptedFile(fileId, apiKey, timeoutMs) {
-  const controller = new AbortController;
-  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-  try {
-    const metadataResponse = await fetch(`${endpoints.proxy}/files/encrypted/${fileId}?url=true`, {
-      headers: { Authorization: apiKey },
-      signal: controller.signal
-    });
-    if (!metadataResponse.ok) {
-      throw new Error(`Failed to get file metadata: ${metadataResponse.status}`);
-    }
-    const metadata = await metadataResponse.json();
-    const downloadUrl = metadata.data?.url;
-    if (!downloadUrl) {
-      throw new Error("No download URL in response");
-    }
-    const fileResponse = await fetch(downloadUrl, { signal: controller.signal });
-    if (!fileResponse.ok) {
-      throw new Error(`Failed to download file: ${fileResponse.status}`);
-    }
-    clearTimeout(timeoutId);
-    const arrayBuffer = await fileResponse.arrayBuffer();
-    return new Uint8Array(arrayBuffer);
-  } catch (error) {
-    clearTimeout(timeoutId);
-    if (error instanceof Error && error.name === "AbortError") {
-      throw new Error(`File download timed out after ${timeoutMs}ms`);
-    }
-    throw error;
-  }
-}
-async function downloadAndDecryptFile(response, dek, apiKey, timeoutMs) {
-  if (!response.success || !response.fileId) {
-    return null;
-  }
-  const decryptFileName = (encryptedHex) => {
-    const encrypted = import_utils6.hexToBytes(encryptedHex);
-    const decrypted = decryptWithDEK(dek, encrypted);
-    return new TextDecoder().decode(decrypted);
-  };
-  const fileName = decryptFileName(response.fileName);
-  const mimeType = decryptFileName(response.mimeType);
-  const encryptedFile = await downloadEncryptedFile(response.fileId, apiKey, timeoutMs);
-  const decryptedFile = decryptWithDEK(dek, encryptedFile);
-  return {
-    fileId: response.fileId,
-    fileName,
-    mimeType,
-    content: decryptedFile,
-    fileSize: decryptedFile.length
-  };
-}
-async function callSimpleTool(toolName, params, apiKey, timeoutMs, attest2) {
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
-  const body = {
-    cipherText: import_utils6.bytesToHex(cipherText),
-    encryptedParams: import_utils6.bytesToHex(encrypted),
-    nonce: import_utils6.bytesToHex(nonce)
-  };
-  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
-  return decryptPayload(response.encryptedResponse, sharedSecret, import_utils6.hexToBytes(response.nonce));
-}
-async function callFileOutputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
-  const dek = import_utils6.randomBytes(32);
-  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
-  const _clientKEK = clientKEK ? import_utils6.hexToBytes(clientKEK) : getClientKEK();
-  const wrappedDEK = wrapDEK(_clientKEK, dek);
-  const clientKID = clientKEK ? getClientKID(clientKEK) : getClientKID();
-  const body = {
-    cipherText: import_utils6.bytesToHex(cipherText),
-    encryptedParams: import_utils6.bytesToHex(encrypted),
-    nonce: import_utils6.bytesToHex(nonce),
-    encryptedDEK: import_utils6.bytesToHex(encryptedDEK),
-    dekNonce: import_utils6.bytesToHex(dekNonce),
-    kid: clientKID,
-    wrappedDEK: import_utils6.bytesToHex(wrappedDEK)
-  };
-  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
-  const result = await downloadAndDecryptFile(response, dek, apiKey, timeoutMs);
-  if (result && result.fileId) {
-    if (!dekStore.fileDEKs) {
-      dekStore.fileDEKs = new Map;
-    }
-    dekStore.fileDEKs.set(result.fileId, wrappedDEK);
-  }
-  return result;
-}
-async function callFileInputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
-  if (!params.fileId) {
-    throw new Error(`Tool ${toolName} requires fileId parameter`);
-  }
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const dek = import_utils6.randomBytes(32);
-  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
-  const nonce = import_utils6.randomBytes(24);
-  if (!dekStore.fileDEKs) {
-    dekStore.fileDEKs = new Map;
-  }
-  const _clientKEK = clientKEK ? import_utils6.hexToBytes(clientKEK) : getClientKEK();
-  let fileDEK = dekStore.fileDEKs.get(params.fileId);
-  if (!fileDEK) {
-    fileDEK = import_utils6.randomBytes(32);
-    const wrappedFileDEK = wrapDEK(_clientKEK, fileDEK);
-    dekStore.fileDEKs.set(params.fileId, wrappedFileDEK);
-  } else {
-    fileDEK = unwrapDEK(_clientKEK, fileDEK);
-  }
-  const { encrypted: encryptedFileDEK, nonce: fileDEKNonce } = encryptPayload(sharedSecret, fileDEK);
-  const body = {
-    cipherText: import_utils6.bytesToHex(cipherText),
-    nonce: import_utils6.bytesToHex(nonce),
-    fileId: params.fileId,
-    encryptedDEK: import_utils6.bytesToHex(encryptedDEK),
-    dekNonce: import_utils6.bytesToHex(dekNonce),
-    encryptedFileDEK: import_utils6.bytesToHex(encryptedFileDEK),
-    fileDEKNonce: import_utils6.bytesToHex(fileDEKNonce)
-  };
-  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
-  return decryptPayload(response.encryptedResponse, sharedSecret, import_utils6.hexToBytes(response.nonce));
-}
-async function callRagTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
-  const enclavePublicKey = await getEnclavePublicKey(timeoutMs);
-  const { cipherText, sharedSecret } = createMLKEMEncapsulation(enclavePublicKey);
-  const { encrypted, nonce } = encryptPayload(sharedSecret, params);
-  const dek = import_utils6.randomBytes(32);
-  const { encrypted: encryptedDEK, nonce: dekNonce } = encryptPayload(sharedSecret, dek);
-  if (!dekStore.fileDEKs) {
-    dekStore.fileDEKs = new Map;
-  }
-  let fileIds = [];
-  if (dekStore.fileDEKs.size > 0) {
-    fileIds = Array.from(dekStore.fileDEKs.keys());
-  }
-  const _clientKEK = clientKEK ? import_utils6.hexToBytes(clientKEK) : getClientKEK();
-  const encryptedFileDEKs = fileIds.reduce((acc, fileId) => {
-    const fileDEK = dekStore.fileDEKs.get(fileId);
-    if (!fileDEK) {
-      return acc;
-    }
-    const unwrappedFileDEK = unwrapDEK(_clientKEK, fileDEK);
-    const { encrypted: encryptedFileDEK, nonce: fileDEKNonce } = encryptPayload(sharedSecret, unwrappedFileDEK);
-    acc.push({
-      fileId,
-      encryptedDEK: import_utils6.bytesToHex(encryptedFileDEK),
-      nonce: import_utils6.bytesToHex(fileDEKNonce)
-    });
-    return acc;
-  }, []);
-  if (!dekStore.ragDEK) {
-    throw new Error("RAG DEK not found in dekStore. Please upload at least one file with ragIndex: true to initialize RAG.");
-  }
-  if (!dekStore.ragVersion) {
-    throw new Error("RAG Version not found in dekStore. Please upload at least one file with ragIndex: true to initialize RAG.");
-  }
-  const ragDEK = unwrapDEK(_clientKEK, dekStore.ragDEK);
-  const { encrypted: encryptedRagDEK, nonce: ragDEKNonce } = encryptPayload(sharedSecret, ragDEK);
-  const { encrypted: encryptedRagVersion, nonce: ragVersionNonce } = encryptPayload(sharedSecret, dekStore.ragVersion);
-  const body = {
-    cipherText: import_utils6.bytesToHex(cipherText),
-    encryptedParams: import_utils6.bytesToHex(encrypted),
-    nonce: import_utils6.bytesToHex(nonce),
-    encryptedDEK: import_utils6.bytesToHex(encryptedDEK),
-    dekNonce: import_utils6.bytesToHex(dekNonce),
-    encryptedFileDEKs,
-    encryptedRagDEK: import_utils6.bytesToHex(encryptedRagDEK),
-    ragDEKNonce: import_utils6.bytesToHex(ragDEKNonce),
-    encryptedRagVersion: import_utils6.bytesToHex(encryptedRagVersion),
-    ragVersionNonce: import_utils6.bytesToHex(ragVersionNonce)
-  };
-  const response = await callToolRequest(toolName, body, apiKey, timeoutMs, attest2);
-  return decryptPayload(response.encryptedResponse, sharedSecret, import_utils6.hexToBytes(response.nonce));
-}
-async function callTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
-  if (FILE_OUTPUT_TOOLS.includes(toolName)) {
-    return callFileOutputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
-  } else if (FILE_INPUT_TOOLS.includes(toolName)) {
-    return callFileInputTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
-  } else if (RAG_TOOLS.includes(toolName)) {
-    return callRagTool(toolName, params, apiKey, dekStore, clientKEK, timeoutMs, attest2);
-  } else {
-    return callSimpleTool(toolName, params, apiKey, timeoutMs, attest2);
-  }
-}
-function createToolsClient(apiKey, dekStore, clientKEK, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS, attest2 = true) {
-  return {
-    generateImage: (params) => callTool("generateImage", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    audioGenerateFromText: (params) => callTool("audioGenerateFromText", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    createFileForUser: (params) => callTool("createFileForUser", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    imageDescribeAndCaption: (params) => callTool("imageDescribeAndCaption", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    imageDescribeAndCaptionFallback: (params) => callTool("imageDescribeAndCaptionFallback", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    videoDescribeAndCaption: (params) => callTool("videoDescribeAndCaption", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getPDFContent: (params) => callTool("getPDFContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getTextDocumentContent: (params) => callTool("getTextDocumentContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    transcribeAudioToText: (params) => callTool("transcribeAudioToText", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    transcribeAudioWithDiarization: (params) => callTool("transcribeAudioWithDiarization", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    audioDiarization: (params) => callTool("audioDiarization", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getFileContentOCR: (params) => callTool("getFileContentOCR", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getSpreadsheetContent: (params) => callTool("getSpreadsheetContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getDataFileContent: (params) => callTool("getDataFileContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getPowerPointContent: (params) => callTool("getPowerPointContent", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    getTime: (params) => callTool("getTime", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    webSearchTool: (params) => callTool("webSearchTool", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    webPageScraperTool: (params) => callTool("webPageScraperTool", params, apiKey, dekStore, clientKEK, timeoutMs, attest2),
-    searchRag: (params) => callTool("searchRag", params, apiKey, dekStore, clientKEK, timeoutMs, attest2)
-  };
-}
-
-// src/core.ts
-async function createRvencClient(options) {
-  const {
-    apiKey,
-    clientKEK,
-    requestTimeoutMs = DEFAULT_REQUEST_TIMEOUT_MS,
-    maxBufferSize = DEFAULT_MAX_BUFFER_SIZE,
-    attest: attest2 = true
-  } = options;
-  if (options.config?.endpoints !== undefined) {
-    Object.assign(endpoints, options.config.endpoints);
-  }
-  let encryptionKeys;
-  try {
-    encryptionKeys = options.encryptionKeys ?? await generateEncryptionKeys(requestTimeoutMs);
-  } catch (error) {
-    throw new Error(`Failed to initialize encryption keys: ${error instanceof Error ? error.message : error}`);
-  }
-  const dekStore = options.dekStore ?? initializeDEKStore(clientKEK);
-  const client = createRvencChatClient(apiKey, encryptionKeys, requestTimeoutMs, maxBufferSize, attest2, options.config?.openAIClientOptions ?? {});
-  client.files = createFilesClient(apiKey, dekStore, clientKEK, requestTimeoutMs);
-  client.tools = createToolsClient(apiKey, dekStore, clientKEK, requestTimeoutMs, attest2);
-  client.audio = createAudioClient(apiKey, encryptionKeys, requestTimeoutMs, attest2);
-  client.models = createModelsClient(apiKey, requestTimeoutMs);
-  client.dekStore = dekStore;
-  return client;
-}
-var core_default = createRvencClient;
-
-// src/server.ts
-import_dotenv.default.config();
-var app = import_express.default();
-var HOST = process.env.HOST ?? "127.0.0.1";
-var PORT = process.env.PORT ? Number.parseInt(process.env.PORT, 10) : 3000;
-var serverProxyUrl = process.env.PROXY_URL;
-var serverEnclaveUrl = process.env.ENCLAVE_URL;
-var serverKek = process.env.CLIENT_KEK;
-var serverAttest = true;
-app.use(import_express.default.json());
-var storage = import_multer.default.memoryStorage();
-var upload = import_multer.default({
-  storage,
-  limits: {
-    fileSize: 25 * 1024 * 1024
-  }
-});
-var clientCache = new Map;
-function extractApiKey(req) {
-  const authHeader = req.headers.authorization;
-  if (!authHeader) {
-    return null;
-  }
-  if (authHeader.startsWith("Bearer ")) {
-    return authHeader.substring(7);
-  }
-  return authHeader;
-}
-async function getOrCreateClient(apiKey) {
-  if (clientCache.has(apiKey)) {
-    return clientCache.get(apiKey);
-  }
-  const client = await core_default({
-    apiKey,
-    clientKEK: serverKek,
-    attest: serverAttest,
-    config: {
-      endpoints: {
-        enclave: serverEnclaveUrl,
-        proxy: serverProxyUrl
-      }
-    }
-  });
-  clientCache.set(apiKey, client);
-  return client;
-}
-app.get("/", (_, res) => {
-  res.json({
-    message: "Rvenc OpenAI-compatible API Server",
-    version: "1.0.0",
-    endpoints: {
-      chat_completions: "POST /v1/chat/completions"
-    }
-  });
-});
-app.post("/v1/chat/completions", async (req, res) => {
-  try {
-    const apiKey = extractApiKey(req);
-    if (!apiKey) {
-      return res.status(401).json({
-        error: {
-          message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
-          type: "invalid_request_error",
-          code: "invalid_api_key"
-        }
-      });
-    }
-    const client = await getOrCreateClient(apiKey);
-    const params = req.body;
-    const completion = await client.chat.completions.create(params);
-    if (params.stream) {
-      res.setHeader("Content-Type", "text/event-stream");
-      res.setHeader("Cache-Control", "no-cache");
-      res.setHeader("Connection", "keep-alive");
-      if (completion && typeof completion === "object" && Symbol.asyncIterator in completion) {
-        try {
-          for await (const chunk of completion) {
-            const data = `data: ${JSON.stringify(chunk)}
-
-`;
-            res.write(data);
-          }
-          res.write(`data: [DONE]
-
-`);
-          res.end();
-        } catch (error) {
-          console.error("Streaming error:", error);
-          if (!res.headersSent) {
-            res.status(500).json({
-              error: {
-                message: error.message || "Streaming error",
-                type: "server_error"
-              }
-            });
-          } else {
-            res.end();
-          }
-        }
-      } else {
-        res.write(`data: ${JSON.stringify(completion)}
-
-`);
-        res.write(`data: [DONE]
-
-`);
-        res.end();
-      }
-    } else {
-      res.json(completion);
-    }
-  } catch (error) {
-    console.error("Chat completions error:", error);
-    const statusCode = error.status || 500;
-    res.status(statusCode).json({
-      error: {
-        message: error.message || "Internal server error",
-        type: error.type || "server_error",
-        code: error.code
-      }
-    });
-  }
-});
-app.post("/v1/audio/transcriptions", upload.single("file"), async (req, res) => {
-  try {
-    const apiKey = extractApiKey(req);
-    if (!apiKey) {
-      return res.status(401).json({
-        error: {
-          message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
-          type: "invalid_request_error",
-          code: "invalid_api_key"
-        }
-      });
-    }
-    if (!req.file) {
-      return res.status(400).json({
-        error: {
-          message: "Missing required file parameter",
-          type: "invalid_request_error"
-        }
-      });
-    }
-    const client = await getOrCreateClient(apiKey);
-    const file = new File([req.file.buffer], req.file.originalname, {
-      type: req.file.mimetype
-    });
-    const params = {
-      file,
-      model: req.body.model
-    };
-    if (req.body.language)
-      params.language = req.body.language;
-    if (req.body.prompt)
-      params.prompt = req.body.prompt;
-    if (req.body.response_format)
-      params.response_format = req.body.response_format;
-    if (req.body.temperature)
-      params.temperature = parseFloat(req.body.temperature);
-    if (req.body.timestamp_granularities) {
-      params.timestamp_granularities = Array.isArray(req.body.timestamp_granularities) ? req.body.timestamp_granularities : JSON.parse(req.body.timestamp_granularities);
-    }
-    const transcription = await client.audio.transcriptions.create(params);
-    res.json(transcription);
-  } catch (error) {
-    console.error("Audio transcription error:", error);
-    const statusCode = error.status || 500;
-    res.status(statusCode).json({
-      error: {
-        message: error.message || "Internal server error",
-        type: error.type || "server_error",
-        code: error.code
-      }
-    });
-  }
-});
-app.post("/v1/audio/translations", upload.single("file"), async (req, res) => {
-  try {
-    const apiKey = extractApiKey(req);
-    if (!apiKey) {
-      return res.status(401).json({
-        error: {
-          message: 'Missing Authorization header. Expected format: "Bearer <api-key>" or "<api-key>"',
-          type: "invalid_request_error",
-          code: "invalid_api_key"
-        }
-      });
-    }
-    if (!req.file) {
-      return res.status(400).json({
-        error: {
-          message: "Missing required file parameter",
-          type: "invalid_request_error"
-        }
-      });
-    }
-    const client = await getOrCreateClient(apiKey);
-    const file = new File([req.file.buffer], req.file.originalname, {
-      type: req.file.mimetype
-    });
-    const params = {
-      file,
-      model: req.body.model
-    };
-    if (req.body.prompt)
-      params.prompt = req.body.prompt;
-    if (req.body.response_format)
-      params.response_format = req.body.response_format;
-    if (req.body.temperature)
-      params.temperature = parseFloat(req.body.temperature);
-    const translation = await client.audio.translations.create(params);
-    res.json(translation);
-  } catch (error) {
-    console.error("Audio translation error:", error);
-    const statusCode = error.status || 500;
-    res.status(statusCode).json({
-      error: {
-        message: error.message || "Internal server error",
-        type: error.type || "server_error",
-        code: error.code
-      }
-    });
-  }
-});
-app.use((err, _req, res, _next) => {
-  console.error(`Unhandled error: ${err}`);
-  res.status(500).json({
-    error: {
-      message: err.message || "Internal server error",
-      type: "server_error"
-    }
-  });
-});
-app.use((req, res) => {
-  res.status(404).json({
-    error: {
-      message: `Route ${req.method} ${req.path} not found`,
-      type: "invalid_request_error"
-    }
-  });
-});
-async function startServer(options = {}) {
-  const { host, port, proxyUrl, enclaveUrl, kek, attest: attest2 } = options;
-  const serverHost = host || HOST;
-  const serverPort = port || PORT;
-  serverAttest = attest2 !== false;
-  if (proxyUrl) {
-    serverProxyUrl = proxyUrl;
-  }
-  if (enclaveUrl) {
-    serverEnclaveUrl = enclaveUrl;
-  }
-  if (kek) {
-    serverKek = kek;
-  }
-  return new Promise((resolve, reject) => {
-    const server = app.listen(serverPort, serverHost, () => {
-      console.log(`
-Rvenc Server running on http://${serverHost}:${serverPort}`);
-      resolve();
-    });
-    server.on("error", (error) => {
-      if (error.code === "EADDRINUSE") {
-        console.error(`❌ Port ${serverPort} is already in use`);
-      } else {
-        console.error(`❌ Failed to start server: ${error}`);
-      }
-      reject(error);
-    });
-  });
-}
-if (false) {}
-
-// src/cli.ts
-var { values } = import_node_util.parseArgs({
-  args: process.argv.slice(2),
-  options: {
-    host: { type: "string", default: "127.0.0.1" },
-    "proxy-url": { type: "string" },
-    "enclave-url": { type: "string" },
-    kek: { type: "string" },
-    port: { type: "string", default: "8000" },
-    "no-attest": { type: "boolean", default: false }
-  },
-  strict: true
-});
-startServer({
-  host: values["host"],
-  proxyUrl: values["proxy-url"],
-  enclaveUrl: values["enclave-url"],
-  kek: values["kek"],
-  port: Number(values["port"]),
-  attest: !values["no-attest"]
-});