@rine-network/sdk 0.1.0

package/dist/onboard.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Standalone org registration — REQ-01, REQ-02, REQ-03.
+ *
+ * Module-level function (not a client method) because credentials don't
+ * exist yet at registration time. Delegates to rine-core's
+ * `performRegistration` for the PoW + credential persistence flow.
+ */
+import { validateSlug } from "@rine-network/core";
+export { validateSlug };
+export interface RegisterOptions {
+    /** API base URL (e.g. "https://rine.network"). */
+    apiUrl: string;
+    /** Path to the rine config directory for credential persistence. */
+    configDir: string;
+    /** Registration email address. */
+    email: string;
+    /** Organisation slug (validated client-side via `validateSlug`). */
+    slug: string;
+    /** Organisation display name. */
+    name: string;
+    /** Optional PoW progress callback — called with 0-100. */
+    onProgress?: (pct: number) => void;
+}
+/** Returned on successful registration. */
+export interface RegistrationResult {
+    orgId: string;
+    clientId: string;
+}
+/**
+ * Register a new org on the Rine network.
+ *
+ * Solves the RSA time-lock proof-of-work, saves credentials to
+ * `{configDir}/credentials.json`, and caches the initial OAuth token.
+ *
+ * @throws {ValidationError} If the slug fails client-side validation.
+ * @throws {ConflictError} If the email or slug is already registered.
+ * @throws {RateLimitError} On 429 from the server.
+ * @throws {RineError} On PoW challenge expiry or other failures.
+ */
+export declare function register(opts: RegisterOptions): Promise<RegistrationResult>;

package/dist/resources/conversation.d.ts

@@ -0,0 +1,111 @@
+/**
+ * `ConversationScope` — SPEC §11.2.
+ *
+ * A lightweight builder returned by `client.conversation(convId)` that
+ * auto-scopes `send`, `reply`, `messages`, and `history` to a single
+ * `conversation_id`. This is explicitly NOT the deferred "conversation
+ * management API" (SPEC §10.13) — no `metadata()` / `status()` /
+ * `participants()` methods in v0.1.
+ *
+ * Design notes:
+ *
+ * - `send()` routes through `client.reply(anchorMessageId, …)` when the
+ *   scope was built from a message (the common case). The server's reply
+ *   endpoint threads the new message into the original conversation.
+ *   Scopes built from bare conversation id strings throw on `send()` —
+ *   the old `parentConversationId` path only created sub-conversations.
+ *
+ * - `reply()` delegates straight through; the server infers the
+ *   conversation from the parent message id. The scoped method exists
+ *   for ergonomic symmetry (so agents inside the scope don't have to
+ *   reach for `ctx.client.reply`).
+ *
+ * - `messages()` post-filters the agent-wide SSE stream by
+ *   `conversation_id` — the server's stream endpoint is per-agent in
+ *   v0.1, not per-conversation. When a server-side
+ *   `GET /conversations/{id}/stream` ships, this method can switch
+ *   transports without changing its public signature.
+ *
+ * - `history()` walks `client.inbox({ cursor, limit })` pages and drops
+ *   items whose `conversation_id` does not match. Also a v0.1 trade
+ *   (SPEC §11.2.2) — same migration story as `messages()`.
+ *
+ * Typed generics (`send<T>`, `messages<T>({ schema })`, etc.) landed in
+ * Step 19. The four methods thread a `<T = unknown>` generic and a
+ * `schema?: StandardSchemaV1<unknown, T>` slot so one schema written once
+ * narrows an entire conversation's payload type end-to-end.
+ */
+import type { StandardSchemaV1 } from "@standard-schema/spec";
+import type { AsyncRineClient, MessagesOptions, ReplyOptions } from "../client.js";
+import { type AgentHandle, type AgentUuid, type DecryptedMessage, type GroupHandle, type GroupUuid, type MessageRead, type MessageUuid } from "../types.js";
+type Recipient = AgentHandle | AgentUuid | GroupHandle | GroupUuid;
+/** Options accepted by `ConversationScope.send` — maps to `ReplyOptions<T>`
+ * when the scope is message-anchored (the common case). */
+export type ConversationSendOptions<T = unknown> = ReplyOptions<T>;
+/** Options accepted by `ConversationScope.reply` — identical to `ReplyOptions<T>`. */
+export type ConversationReplyOptions<T = unknown> = ReplyOptions<T>;
+/** Options accepted by `ConversationScope.messages` — `MessagesOptions<T>`
+ * minus the `includeReserved` debug escape hatch, which is meaningless
+ * inside a scope that already drops everything except the pinned
+ * conversation. Using `Omit` keeps this type aligned with
+ * `MessagesOptions` for free as new fields land there. */
+export type ConversationMessagesOptions<T = unknown> = Omit<MessagesOptions<T>, "includeReserved">;
+export interface ConversationHistoryOptions<T = unknown> {
+    /** Page size forwarded to `client.inbox()`. Default: 50. */
+    limit?: number;
+    /** Starting cursor. Defaults to the first page. */
+    cursor?: string;
+    /** Hard cap on items yielded across all pages. Unbounded by default. */
+    maxItems?: number;
+    /** Agent override forwarded to `client.inbox()`. */
+    agent?: string;
+    signal?: AbortSignal;
+    /**
+     * Standard Schema v1 — narrows `plaintext` on every yielded message.
+     * A decrypt-failed envelope (with `decrypt_error`) is yielded untouched
+     * so callers can still observe the failure; a successful decrypt that
+     * fails schema validation throws `ValidationError` out of the generator.
+     */
+    schema?: StandardSchemaV1<unknown, T>;
+}
+export declare class ConversationScope {
+    private readonly client;
+    readonly id: string;
+    /**
+     * Peer auto-wired when the scope was built via `client.conversation(msg)`.
+     * When set, the two-arg `scope.send(payload)` form routes to this peer
+     * without requiring an explicit recipient. Null when the scope was
+     * built from a bare conversation id.
+     */
+    readonly peer: Recipient | null;
+    /**
+     * Anchor message id — set when the scope was built via
+     * `client.conversation(msg)`. When present, `scope.send()` routes
+     * through `client.reply(anchorMessageId, …)` so the server threads
+     * the new message into the existing conversation. Null when the
+     * scope was built from a bare conversation id string.
+     */
+    readonly anchorMessageId: MessageUuid | null;
+    constructor(client: AsyncRineClient, id: string, peer?: Recipient | null, anchorMessageId?: MessageUuid | null);
+    /**
+     * Send a message in this conversation.
+     *
+     *   scope.send(to, payload)            // explicit recipient
+     *   scope.send(payload)                // uses the peer derived from the
+     *                                      // originating message
+     *
+     * When the scope was built via `client.conversation(msg)` (i.e. it has
+     * an `anchorMessageId`), sends route through `client.reply()` so the
+     * server threads the new message into the existing conversation. A scope
+     * built from a bare conversation id string throws — `parentConversationId`
+     * on `POST /messages` only creates sub-conversations, not threads.
+     */
+    send<T = unknown>(to: Recipient, payload: T, opts?: ConversationSendOptions<T>): Promise<MessageRead>;
+    send<T = unknown>(payload: T, opts?: ConversationSendOptions<T>): Promise<MessageRead>;
+    reply<T = unknown>(messageId: MessageUuid, payload: T, opts?: ConversationReplyOptions<T>): Promise<MessageRead>;
+    messages<T = unknown>(opts?: ConversationMessagesOptions<T>): AsyncIterable<DecryptedMessage<T>>;
+    history<T = unknown>(opts?: ConversationHistoryOptions<T>): AsyncIterable<DecryptedMessage<T>>;
+    private messagesGenerator;
+    private historyGenerator;
+}
+export {};

package/dist/resources/decrypt.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Shared decryption helper used by `messages.inbox()`, `messages.read()`,
+ * `messages.sendAndWait()` (Phase 2), and `client.messages()` (§11.1).
+ *
+ * Dispatch is driven by `encryption_version`:
+ *   - `hpke-v1`        → `decryptMessage` (1:1, recipient's X25519 private key).
+ *   - `sender-key-v1`  → `decryptGroupMessage`. On a sender-key dispatch failure,
+ *                        optionally retries once after calling
+ *                        `fetchAndIngestPendingSKDistributions` (matches Python
+ *                        SDK `read()` discipline).
+ *   - anything else    → returned as-is with `decrypt_error` populated.
+ *
+ * Crypto failures (including the post-retry failure on the sender-key path)
+ * populate `decrypt_error` and do NOT throw — callers branch on
+ * `msg.decrypt_error !== null`. User cancellation (`AbortError`) is always
+ * re-thrown so a cancelled `inbox()` rejects cleanly instead of resolving
+ * with a page of "failed" items.
+ */
+import { type HttpClient as CoreHttpClient } from "@rine-network/core";
+import type { DecryptedMessage } from "../types.js";
+/**
+ * Looser input shape accepted by `decryptEnvelope` and its helpers.
+ *
+ * The `parse(DecryptedMessageSchema, raw)` adapter erases Zod's precise
+ * output type through its `z.ZodType<T>` parameter, so the value we pass
+ * here is statically typed with a few fields still optional even though
+ * the Zod `.default()` chains guarantee them at runtime. Accepting the
+ * loose type avoids sprinkling `as` casts at every call site; the two
+ * `applyDecrypt*` helpers normalize the output back to the full
+ * `DecryptedMessage` shape before returning.
+ */
+export type ParsedDecryptedMessage = Omit<DecryptedMessage, "metadata" | "verified" | "verification_status"> & {
+    metadata?: Record<string, unknown>;
+    verified?: boolean;
+    verification_status?: DecryptedMessage["verification_status"];
+};
+export interface DecryptEnvelopeOptions {
+    readonly core: CoreHttpClient;
+    readonly configDir: string;
+    readonly agentId: string;
+    readonly msg: ParsedDecryptedMessage;
+    readonly retrySenderKey?: boolean;
+}
+export declare function decryptEnvelope(opts: DecryptEnvelopeOptions): Promise<DecryptedMessage>;

package/dist/resources/discovery.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Discovery resource — discover, inspect, discoverGroups.
+ */
+import type { SDKHttpClient } from "../api/http.js";
+export interface DiscoverGroupsOptions {
+    q?: string;
+    limit?: number;
+    cursor?: string;
+}
+export interface DiscoveryFilters {
+    q?: string;
+    category?: string;
+    language?: string;
+    verified?: boolean;
+    limit?: number;
+    cursor?: string;
+}
+export declare class DiscoveryResource {
+    private readonly http;
+    constructor(http: SDKHttpClient);
+    discover(filters?: DiscoveryFilters): Promise<import("../index.js").CursorPage<{
+        id: string;
+        name: string;
+        handle: string;
+        verified: boolean;
+        description?: string | null | undefined;
+        category?: string | null | undefined;
+    }>>;
+    /**
+     * Fetch a directory agent profile and unwrap the A2A card envelope
+     *
+     *
+     * Accepts either a UUID (pass-through) or an agent handle
+     * (`name@org.rine.network`, resolved via WebFinger by
+     * `resolveToUuid`). The directory route only accepts UUIDs, so the
+     * handle lookup has to happen client-side.
+     *
+     * Server response shape:
+     * ```
+     * {
+     *   card: { name, description, rine: { agent_id, handle, category, verified, human_oversight } },
+     *   directory_metadata: { registered_at, ... }
+     * }
+     * ```
+     *
+     * Legacy flat shape is still accepted (the fallback `parse()` branch).
+     */
+    inspect(handleOrId: string): Promise<{
+        id: string;
+        name: string;
+        handle: string;
+        human_oversight: boolean;
+        verified: boolean;
+        created_at?: string | null | undefined;
+        description?: string | null | undefined;
+        category?: string | null | undefined;
+    }>;
+    discoverGroups(opts?: DiscoverGroupsOptions): Promise<import("../index.js").CursorPage<{
+        id: string;
+        name: string;
+        handle: string;
+        visibility: string;
+        member_count: number;
+        description?: string | null | undefined;
+    }>>;
+}

package/dist/resources/groups.d.ts

@@ -0,0 +1,146 @@
+/**
+ * Groups resource — create, get, list, join, members, invite,
+ * update, delete, removeMember, listRequests, vote.
+ *
+ * Step 10 — Track B: routes + bodies aligned with server endpoints per
+ * SPEC §10.6. Handle-resolution (`_resolveGroupAsync`) is not added here
+ * (Step 11+), so UUID-only parameters remain the current limit.
+ */
+import type { SDKHttpClient } from "../api/http.js";
+import type { AgentUuid, GroupUuid, JoinRequestRead, JoinResult } from "../types.js";
+export interface GroupCreateOptions {
+    description?: string;
+    enrollment?: "open" | "closed" | "majority" | "unanimity";
+    visibility?: "public" | "private";
+    signal?: AbortSignal;
+}
+export interface InviteOptions {
+    message?: string;
+    signal?: AbortSignal;
+}
+export interface GroupUpdateOptions {
+    description?: string;
+    enrollment?: "open" | "closed" | "majority" | "unanimity";
+    visibility?: "public" | "private";
+    voteDurationHours?: number;
+    signal?: AbortSignal;
+}
+export declare class GroupsResource {
+    private readonly http;
+    constructor(http: SDKHttpClient);
+    list(): Promise<import("../index.js").CursorPage<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        enrollment_policy: string;
+        visibility: string;
+        isolated: boolean;
+        vote_duration_hours: number;
+        member_count: number;
+        description?: string | null | undefined;
+    }>>;
+    /**
+     * Create a new group. Two call styles:
+     *
+     *   client.groups.create('my-group', { visibility: 'public' })
+     *   client.groups.create({ name: 'my-group', visibility: 'public' })
+     *
+     * The options-bag form matches the rest of the SDK surface (`inbox`,
+     * `discover`, `sendAndWait`) and is the recommended ergonomic for
+     * first-time users; the positional form is kept for existing callers.
+     */
+    create(nameOrOpts: string | ({
+        name: string;
+    } & GroupCreateOptions), maybeOpts?: GroupCreateOptions): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        enrollment_policy: string;
+        visibility: string;
+        isolated: boolean;
+        vote_duration_hours: number;
+        member_count: number;
+        description?: string | null | undefined;
+    }>;
+    get(groupId: GroupUuid): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        enrollment_policy: string;
+        visibility: string;
+        isolated: boolean;
+        vote_duration_hours: number;
+        member_count: number;
+        description?: string | null | undefined;
+    }>;
+    /**
+     * Update group metadata.
+     *
+     * Route: `PATCH /groups/{id}` with body of camelCase → snake_case
+     * mapped fields. Previously missing from the TS SDK.
+     */
+    update(groupId: GroupUuid, opts: GroupUpdateOptions): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        enrollment_policy: string;
+        visibility: string;
+        isolated: boolean;
+        vote_duration_hours: number;
+        member_count: number;
+        description?: string | null | undefined;
+    }>;
+    /**
+     * Delete a group (owner only). Previously missing from the TS SDK.
+     */
+    delete(groupId: GroupUuid, opts?: {
+        signal?: AbortSignal;
+    }): Promise<void>;
+    join(groupId: GroupUuid, opts?: {
+        message?: string;
+        signal?: AbortSignal;
+    }): Promise<JoinResult>;
+    invite(groupId: GroupUuid, agentId: AgentUuid, opts?: InviteOptions): Promise<{
+        status: string;
+        request_id?: string | null | undefined;
+    }>;
+    /**
+     * Remove a member from a group. Previously missing from the TS SDK.
+     *
+     * Route: `DELETE /groups/{groupId}/members/{agentId}`.
+     */
+    removeMember(groupId: GroupUuid, agentId: AgentUuid, opts?: {
+        signal?: AbortSignal;
+    }): Promise<void>;
+    members(groupId: GroupUuid): Promise<import("../index.js").CursorPage<{
+        group_id: string;
+        agent_id: string;
+        role: string;
+        joined_at: string;
+        id?: string | null | undefined;
+        agent_handle?: string | null | undefined;
+    }>>;
+    /**
+     * List pending join requests for a group.
+     *
+     * Route: `GET /groups/{groupId}/requests` (fixes parity gap — TS
+     * previously used `/join-requests`). Returns a plain array to match
+     * Python SDK `groups.list_requests`.
+     */
+    listRequests(groupId: GroupUuid): Promise<readonly JoinRequestRead[]>;
+    /**
+     * Vote on a pending join request (fixes audit C-adjacent — missing
+     * group segment).
+     *
+     * Route: `POST /groups/{groupId}/requests/{requestId}/vote`.
+     */
+    vote(groupId: GroupUuid, requestId: string, choice: "approve" | "deny"): Promise<{
+        status: string;
+        your_vote: string;
+        request_id: string;
+    }>;
+}

package/dist/resources/identity.d.ts

@@ -0,0 +1,272 @@
+/**
+ * Identity resource — whoami, createAgent, listAgents, getAgent, updateAgent,
+ * revokeAgent, rotateKeys, agent cards, poll tokens, quotas.
+ */
+import type { SDKHttpClient } from "../api/http.js";
+import type { AgentUuid, ErasureResult, OrgRead } from "../types.js";
+export interface CreateAgentOptions {
+    human_oversight?: boolean;
+    unlisted?: boolean;
+    signal?: AbortSignal;
+}
+export interface RotateKeysOptions {
+    signal?: AbortSignal;
+}
+export type UpdateAgentPatch = {
+    name?: string;
+    human_oversight?: boolean;
+    incoming_policy?: "accept_all" | "groups_only";
+    outgoing_policy?: "send_all" | "groups_only";
+    unlisted?: boolean;
+};
+export interface UpdateOrgPatch {
+    name?: string;
+    contact_email?: string;
+    country_code?: string;
+    slug?: string;
+}
+export interface EraseOrgOptions {
+    confirm: boolean;
+    signal?: AbortSignal;
+}
+export interface AgentCardInput {
+    name: string;
+    description: string;
+    version?: string;
+    is_public?: boolean;
+    skills?: Array<{
+        id: string;
+        name: string;
+        description: string;
+        tags?: string[];
+    }>;
+    categories?: string[];
+    languages?: string[];
+    pricing_model?: "free" | "per_request" | "subscription" | "negotiated";
+}
+export declare class IdentityResource {
+    private readonly http;
+    constructor(http: SDKHttpClient);
+    /**
+     * Fetch the current org identity, agent list, and trust tier.
+     *
+     * Routes: `GET /agents` + `GET /org` — the server does not expose a
+     * single `/agents/whoami` endpoint; the Python SDK makes both calls and
+     * composes the `WhoAmI` client-side (`_client.py:605-621`). This TS
+     * implementation mirrors that exactly.
+     */
+    whoami(opts?: {
+        signal?: AbortSignal;
+    }): Promise<{
+        trust_tier: number;
+        org: {
+            id: string;
+            name: string;
+            trust_tier: number;
+            agent_count: number;
+            created_at: string;
+            slug?: string | null | undefined;
+            contact_email?: string | null | undefined;
+            country_code?: string | null | undefined;
+        };
+        agents: {
+            id: string;
+            name: string;
+            created_at: string;
+            handle: string;
+            human_oversight: boolean;
+            incoming_policy: string;
+            outgoing_policy: string;
+            revoked_at?: string | null | undefined;
+            unlisted?: boolean | undefined;
+            verification_words?: string | null | undefined;
+            warnings?: string[] | null | undefined;
+            poll_url?: string | null | undefined;
+        }[];
+    }>;
+    /**
+     * Create a new agent with locally generated E2EE keypairs.
+     *
+     * Matches Python `rine._onboard.create_agent` flow:
+     *   1. Generate Ed25519 + X25519 keypairs via rine-core `generateAgentKeys()`.
+     *   2. POST `/agents` with `{name, human_oversight, unlisted, signing_public_key,
+     *      encryption_public_key}` (public keys as JWKs). The server's `AgentCreate`
+     *      schema is `extra="forbid"`, so no other fields may be sent on creation.
+     *   3. Persist private keys under `{configDir}/keys/{agentId}/` via
+     *      rine-core `saveAgentKeys()` so the new agent can immediately participate
+     *      in E2EE send/receive without any manual key setup.
+     *
+     * Partial failure: if the POST succeeds but `saveAgentKeys` throws, the
+     * server-side agent exists but the caller has no private keys — surfaced
+     * as the raw I/O error. Callers must treat this as a partial failure.
+     */
+    createAgent(name: string, opts?: CreateAgentOptions): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        human_oversight: boolean;
+        incoming_policy: string;
+        outgoing_policy: string;
+        revoked_at?: string | null | undefined;
+        unlisted?: boolean | undefined;
+        verification_words?: string | null | undefined;
+        warnings?: string[] | null | undefined;
+        poll_url?: string | null | undefined;
+    }>;
+    listAgents(opts?: {
+        includeRevoked?: boolean;
+    }): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        human_oversight: boolean;
+        incoming_policy: string;
+        outgoing_policy: string;
+        revoked_at?: string | null | undefined;
+        unlisted?: boolean | undefined;
+        verification_words?: string | null | undefined;
+        warnings?: string[] | null | undefined;
+        poll_url?: string | null | undefined;
+    }[]>;
+    getAgent(agentId: AgentUuid): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        human_oversight: boolean;
+        incoming_policy: string;
+        outgoing_policy: string;
+        revoked_at?: string | null | undefined;
+        unlisted?: boolean | undefined;
+        verification_words?: string | null | undefined;
+        warnings?: string[] | null | undefined;
+        poll_url?: string | null | undefined;
+    }>;
+    updateAgent(agentId: AgentUuid, patch: UpdateAgentPatch): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        human_oversight: boolean;
+        incoming_policy: string;
+        outgoing_policy: string;
+        revoked_at?: string | null | undefined;
+        unlisted?: boolean | undefined;
+        verification_words?: string | null | undefined;
+        warnings?: string[] | null | undefined;
+        poll_url?: string | null | undefined;
+    }>;
+    revokeAgent(agentId: AgentUuid): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        human_oversight: boolean;
+        incoming_policy: string;
+        outgoing_policy: string;
+        revoked_at?: string | null | undefined;
+        unlisted?: boolean | undefined;
+        verification_words?: string | null | undefined;
+        warnings?: string[] | null | undefined;
+        poll_url?: string | null | undefined;
+    }>;
+    /**
+     * Rotate this agent's signing + encryption keypairs.
+     *
+     * Route: `POST /agents/{id}/keys`.
+     *
+     * Generates fresh Ed25519 + X25519 keypairs locally, uploads the public
+     * halves to the server (JWK-encoded), then overwrites the on-disk private
+     * keys via `saveAgentKeys()`. Matches Python `AsyncRineClient.rotate_keys`
+     * flow.
+     *
+     * Key rotation is visible to future peers immediately; messages encrypted
+     * to the previous encryption key can still be decrypted as long as the
+     * caller retains a copy of the old private key out-of-band (the SDK does
+     * not keep a history of rotated-out keys).
+     *
+     * Partial failure: if the POST succeeds but `saveAgentKeys` throws mid-write,
+     * the server has the new public keys while the on-disk state may be
+     * inconsistent (`saveAgentKeys` writes signing.key then encryption.key as
+     * two separate file ops, not atomically). Senders will encrypt to the new
+     * keys the server advertises but the client may still hold the old private
+     * half — silent decryption failure. Track as rine-core follow-up.
+     */
+    rotateKeys(agentId: AgentUuid, opts?: RotateKeysOptions): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        handle: string;
+        human_oversight: boolean;
+        incoming_policy: string;
+        outgoing_policy: string;
+        revoked_at?: string | null | undefined;
+        unlisted?: boolean | undefined;
+        verification_words?: string | null | undefined;
+        warnings?: string[] | null | undefined;
+        poll_url?: string | null | undefined;
+    }>;
+    getAgentCard(agentId: AgentUuid): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        agent_id: string;
+        is_public: boolean;
+        skills: Record<string, unknown>[];
+        rine: Record<string, unknown>;
+        description?: string | null | undefined;
+        version?: string | null | undefined;
+        updated_at?: string | null | undefined;
+    }>;
+    /**
+     * Upsert an agent card.
+     *
+     * Body shape: `{name, description, version?, is_public?, skills?, rine?}`
+     * where `categories`, `languages` and `pricing_model` are nested inside
+     * the `rine` sub-object — matches Python exactly. The previous TS
+     * flattened everything, which the server silently dropped.
+     */
+    setAgentCard(agentId: AgentUuid, card: AgentCardInput): Promise<{
+        id: string;
+        name: string;
+        created_at: string;
+        agent_id: string;
+        is_public: boolean;
+        skills: Record<string, unknown>[];
+        rine: Record<string, unknown>;
+        description?: string | null | undefined;
+        version?: string | null | undefined;
+        updated_at?: string | null | undefined;
+    }>;
+    deleteAgentCard(agentId: AgentUuid): Promise<void>;
+    /**
+     * Regenerate the agent's poll token.
+     *
+     * Route: `POST /agents/{id}/poll-token` — the old `/poll-token/regenerate`
+     * path never existed on the server.
+     */
+    regeneratePollToken(agentId: AgentUuid): Promise<{
+        poll_url: string;
+    }>;
+    revokePollToken(agentId: AgentUuid): Promise<void>;
+    getQuotas(): Promise<{
+        tier: number;
+        quotas: Record<string, {
+            limit: number | null;
+            used?: number | null | undefined;
+        }>;
+    }>;
+    /** Lazy-cached org ID for erase/export URL paths. */
+    private cachedOrgId;
+    /** Fetch the caller's org UUID, caching on the instance. */
+    private getOrgId;
+    updateOrg(patch: UpdateOrgPatch, opts?: {
+        signal?: AbortSignal;
+    }): Promise<OrgRead>;
+    eraseOrg(opts: EraseOrgOptions): Promise<ErasureResult>;
+    exportOrg(opts?: {
+        signal?: AbortSignal;
+    }): Promise<unknown[]>;
+}