@sekuire/sdk 0.1.13 → 0.1.14

package/dist/beacon.d.ts

@@ -8,6 +8,7 @@
  * 1. Install Token (recommended): Use an install token from the dashboard
  * 2. API Key: Use an API key for SDK-initiated bootstrap (requires workspace)
  */
+import { RuntimeCredentialsStore } from "./runtime-credentials";
 export interface BeaconConfig {
     /** Sekuire Core API base URL */
     apiBaseUrl: string;
@@ -27,6 +28,26 @@ export interface BeaconConfig {
     capabilities?: string[];
     /** Optional callback invoked on status changes */
     onStatusChange?: (status: BeaconStatus) => void;
+    /** Optional shared credentials store for token synchronization */
+    credentialsStore?: RuntimeCredentialsStore;
+    /**
+     * Pre-existing installation ID for credential recovery.
+     * When set with refreshToken, allows recovery after container restarts.
+     * Reads from SEKUIRE_INSTALLATION_ID if not set.
+     */
+    installationId?: string;
+    /**
+     * Refresh token for credential recovery.
+     * Use with installationId to recover after container restarts.
+     * Reads from SEKUIRE_REFRESH_TOKEN if not set.
+     */
+    refreshToken?: string;
+    /**
+     * Pre-existing runtime token (optional).
+     * If still valid, skips refresh on startup.
+     * Reads from SEKUIRE_RUNTIME_TOKEN if not set.
+     */
+    runtimeToken?: string;
 }
 export interface BeaconStatus {
     isRunning: boolean;
@@ -37,6 +58,14 @@ export interface BeaconStatus {
     failedHeartbeats: number;
     /** True if bootstrap failed and agent is running without Sekuire features */
     degradedMode: boolean;
+    /** Indicates credentials were recovered from env vars rather than fresh bootstrap */
+    recoveredFromEnv?: boolean;
+}
+export interface InstallationCredentials {
+    installationId: string;
+    runtimeToken: string;
+    refreshToken: string;
+    expiresAt?: string;
 }
 export interface BootstrapResponse {
     installation_id: string;
@@ -54,11 +83,19 @@ export declare class Beacon {
     private lastHeartbeat;
     private failedHeartbeats;
     private degradedMode;
+    private recoveredFromEnv;
+    private expiresAt;
+    private credentialsStore?;
     constructor(config: BeaconConfig);
     /**
      * Start the beacon - registers with Sekuire and begins heartbeat loop
      *
-     * If bootstrap fails, the agent continues running in degraded mode
+     * Authentication priority:
+     * 1. If SEKUIRE_INSTALLATION_ID + SEKUIRE_REFRESH_TOKEN are set, recover credentials
+     * 2. If SEKUIRE_RUNTIME_TOKEN is also set and valid, use it directly
+     * 3. Fall back to SEKUIRE_INSTALL_TOKEN for fresh bootstrap
+     *
+     * If all authentication methods fail, the agent continues running in degraded mode
      * without Sekuire features. This prevents auth failures from crashing agents.
      */
     start(): Promise<void>;
@@ -82,6 +119,41 @@ export declare class Beacon {
         installationId: string;
         runtimeToken: string;
     } | null;
+    /**
+     * Get full installation credentials for persistence.
+     *
+     * Use this after successful bootstrap to extract credentials that can be
+     * saved as environment variables or secrets for future container restarts.
+     * These credentials allow recovery without consuming a new install token.
+     *
+     * Example usage:
+     * ```ts
+     * const creds = beacon.getInstallationCredentials();
+     * if (creds) {
+     *   // Save to your secrets manager (AWS Secrets Manager, K8s Secret, etc.)
+     *   // SEKUIRE_INSTALLATION_ID = creds.installationId
+     *   // SEKUIRE_REFRESH_TOKEN = creds.refreshToken
+     *   // SEKUIRE_RUNTIME_TOKEN = creds.runtimeToken (optional, has expiry)
+     * }
+     * ```
+     *
+     * @returns Full installation credentials or null if not bootstrapped
+     */
+    getInstallationCredentials(): InstallationCredentials | null;
+    /**
+     * Try to recover credentials using installation ID and refresh token from env.
+     *
+     * This allows agents to survive container restarts without needing a new
+     * install token, which is especially important for ephemeral compute
+     * environments like Cloud Run, Kubernetes, or serverless functions.
+     *
+     * @returns true if recovery succeeded, false otherwise
+     */
+    private tryCredentialRecovery;
+    /**
+     * Validate a runtime token by making a lightweight API call.
+     */
+    private validateRuntimeToken;
     /**
      * Bootstrap with retry and exponential backoff
      *
@@ -119,13 +191,12 @@ export declare class Beacon {
      */
     private notifyStatusChange;
     /**
-     * Get API key from environment
-     */
-    private getApiKey;
-    /**
-     * Get install token from environment
+     * Get environment variable value (works in Node.js and browser)
      */
-    private getInstallToken;
+    private getEnvVar;
+    private getInstallationId;
+    private getRuntimeToken;
+    private getRefreshToken;
 }
 /**
  * Create a new beacon instance

package/dist/index.d.ts

@@ -3,6 +3,31 @@ import { Tracer } from '@opentelemetry/api';
 import { ExportResult } from '@opentelemetry/core';
 import { SpanExporter, ReadableSpan } from '@opentelemetry/sdk-trace-base';
 
+interface RuntimeCredentials {
+    installationId?: string;
+    runtimeToken?: string;
+    refreshToken?: string;
+    expiresAt?: string;
+}
+declare class RuntimeCredentialsStore {
+    private installationId?;
+    private runtimeToken?;
+    private refreshToken?;
+    private expiresAt?;
+    constructor(initial?: RuntimeCredentials);
+    update(partial: RuntimeCredentials): void;
+    setRuntimeToken(runtimeToken: string, expiresAt?: string): void;
+    setInstallationId(installationId: string): void;
+    setRefreshToken(refreshToken: string): void;
+    getInstallationId(): string | undefined;
+    getRuntimeToken(): string | undefined;
+    getRefreshToken(): string | undefined;
+    getExpiresAt(): string | undefined;
+    getAll(): RuntimeCredentials;
+    hasRecoveryCredentials(): boolean;
+    hasRuntimeToken(): boolean;
+}
+
 /**
  * Sekuire Beacon - Deployment Registration & Heartbeat
  *
@@ -13,6 +38,7 @@ import { SpanExporter, ReadableSpan } from '@opentelemetry/sdk-trace-base';
  * 1. Install Token (recommended): Use an install token from the dashboard
  * 2. API Key: Use an API key for SDK-initiated bootstrap (requires workspace)
  */
+
 interface BeaconConfig {
     /** Sekuire Core API base URL */
     apiBaseUrl: string;
@@ -32,6 +58,26 @@ interface BeaconConfig {
     capabilities?: string[];
     /** Optional callback invoked on status changes */
     onStatusChange?: (status: BeaconStatus) => void;
+    /** Optional shared credentials store for token synchronization */
+    credentialsStore?: RuntimeCredentialsStore;
+    /**
+     * Pre-existing installation ID for credential recovery.
+     * When set with refreshToken, allows recovery after container restarts.
+     * Reads from SEKUIRE_INSTALLATION_ID if not set.
+     */
+    installationId?: string;
+    /**
+     * Refresh token for credential recovery.
+     * Use with installationId to recover after container restarts.
+     * Reads from SEKUIRE_REFRESH_TOKEN if not set.
+     */
+    refreshToken?: string;
+    /**
+     * Pre-existing runtime token (optional).
+     * If still valid, skips refresh on startup.
+     * Reads from SEKUIRE_RUNTIME_TOKEN if not set.
+     */
+    runtimeToken?: string;
 }
 interface BeaconStatus {
     isRunning: boolean;
@@ -42,6 +88,14 @@ interface BeaconStatus {
     failedHeartbeats: number;
     /** True if bootstrap failed and agent is running without Sekuire features */
     degradedMode: boolean;
+    /** Indicates credentials were recovered from env vars rather than fresh bootstrap */
+    recoveredFromEnv?: boolean;
+}
+interface InstallationCredentials {
+    installationId: string;
+    runtimeToken: string;
+    refreshToken: string;
+    expiresAt?: string;
 }
 interface BootstrapResponse {
     installation_id: string;
@@ -59,11 +113,19 @@ declare class Beacon {
     private lastHeartbeat;
     private failedHeartbeats;
     private degradedMode;
+    private recoveredFromEnv;
+    private expiresAt;
+    private credentialsStore?;
     constructor(config: BeaconConfig);
     /**
      * Start the beacon - registers with Sekuire and begins heartbeat loop
      *
-     * If bootstrap fails, the agent continues running in degraded mode
+     * Authentication priority:
+     * 1. If SEKUIRE_INSTALLATION_ID + SEKUIRE_REFRESH_TOKEN are set, recover credentials
+     * 2. If SEKUIRE_RUNTIME_TOKEN is also set and valid, use it directly
+     * 3. Fall back to SEKUIRE_INSTALL_TOKEN for fresh bootstrap
+     *
+     * If all authentication methods fail, the agent continues running in degraded mode
      * without Sekuire features. This prevents auth failures from crashing agents.
      */
     start(): Promise<void>;
@@ -87,6 +149,41 @@ declare class Beacon {
         installationId: string;
         runtimeToken: string;
     } | null;
+    /**
+     * Get full installation credentials for persistence.
+     *
+     * Use this after successful bootstrap to extract credentials that can be
+     * saved as environment variables or secrets for future container restarts.
+     * These credentials allow recovery without consuming a new install token.
+     *
+     * Example usage:
+     * ```ts
+     * const creds = beacon.getInstallationCredentials();
+     * if (creds) {
+     *   // Save to your secrets manager (AWS Secrets Manager, K8s Secret, etc.)
+     *   // SEKUIRE_INSTALLATION_ID = creds.installationId
+     *   // SEKUIRE_REFRESH_TOKEN = creds.refreshToken
+     *   // SEKUIRE_RUNTIME_TOKEN = creds.runtimeToken (optional, has expiry)
+     * }
+     * ```
+     *
+     * @returns Full installation credentials or null if not bootstrapped
+     */
+    getInstallationCredentials(): InstallationCredentials | null;
+    /**
+     * Try to recover credentials using installation ID and refresh token from env.
+     *
+     * This allows agents to survive container restarts without needing a new
+     * install token, which is especially important for ephemeral compute
+     * environments like Cloud Run, Kubernetes, or serverless functions.
+     *
+     * @returns true if recovery succeeded, false otherwise
+     */
+    private tryCredentialRecovery;
+    /**
+     * Validate a runtime token by making a lightweight API call.
+     */
+    private validateRuntimeToken;
     /**
      * Bootstrap with retry and exponential backoff
      *
@@ -124,13 +221,12 @@ declare class Beacon {
      */
     private notifyStatusChange;
     /**
-     * Get API key from environment
-     */
-    private getApiKey;
-    /**
-     * Get install token from environment
+     * Get environment variable value (works in Node.js and browser)
      */
-    private getInstallToken;
+    private getEnvVar;
+    private getInstallationId;
+    private getRuntimeToken;
+    private getRefreshToken;
 }
 /**
  * Create a new beacon instance
@@ -258,6 +354,7 @@ declare class SekuireLogger {
  * Handles SSE connection to Core for real-time task delivery.
  * Provides `onTask()` API for agents to register task handlers.
  */
+
 interface TaskEvent {
     task_id: string;
     capability?: string;
@@ -283,11 +380,27 @@ interface WorkerConfig {
     agentId: string;
     installToken?: string;
     runtimeToken?: string;
+    /** Optional token provider for shared runtime credentials */
+    tokenProvider?: () => string | undefined;
     heartbeatIntervalMs?: number;
     reconnectDelayMs?: number;
     maxReconnectDelayMs?: number;
     deploymentUrl?: string;
     capabilities?: string[];
+    /** Optional shared credentials store for token synchronization */
+    credentialsStore?: RuntimeCredentialsStore;
+    /**
+     * Pre-existing installation ID for credential recovery.
+     * When set with refreshToken, allows recovery after container restarts.
+     * Reads from SEKUIRE_INSTALLATION_ID if not set.
+     */
+    installationId?: string;
+    /**
+     * Refresh token for credential recovery.
+     * Use with installationId to recover after container restarts.
+     * Reads from SEKUIRE_REFRESH_TOKEN if not set.
+     */
+    refreshToken?: string;
 }
 declare class TaskWorker {
     private eventSource;
@@ -302,15 +415,28 @@ declare class TaskWorker {
     private refreshToken;
     private expiresAt;
     private onCommandCallback?;
+    private recoveredFromEnv;
+    private credentialsStore?;
+    private tokenProvider?;
     constructor(config: WorkerConfig);
+    private getEnvVar;
     /**
      * Register a handler for a specific capability
      */
     onTask(capability: string, handler: TaskHandler): this;
     /**
      * Start the worker (connects to SSE stream and starts heartbeat)
+     *
+     * Authentication priority:
+     * 1. If runtimeToken is provided, use it directly
+     * 2. If installationId + refreshToken are set, recover credentials
+     * 3. Fall back to installToken for fresh bootstrap
      */
     start(): Promise<void>;
+    /**
+     * Try to recover credentials using installation ID and refresh token.
+     */
+    private tryCredentialRecovery;
     /**
      * Stop the worker gracefully
      */
@@ -363,6 +489,8 @@ declare class TaskWorker {
      * Refresh the runtime token using the refresh token
      */
     private refreshRuntimeToken;
+    private getInstallationId;
+    private getRefreshToken;
 }
 declare function createWorker(config: WorkerConfig): TaskWorker;
 
@@ -389,6 +517,24 @@ interface SekuireSDKConfig {
     loggingEnabled?: boolean;
     /** Capabilities this agent provides */
     capabilities?: string[];
+    /**
+     * Pre-existing installation ID for credential recovery.
+     * When set with refreshToken, allows recovery after container restarts.
+     * Reads from SEKUIRE_INSTALLATION_ID if not set.
+     */
+    installationId?: string;
+    /**
+     * Refresh token for credential recovery.
+     * Use with installationId to recover after container restarts.
+     * Reads from SEKUIRE_REFRESH_TOKEN if not set.
+     */
+    refreshToken?: string;
+    /**
+     * Pre-existing runtime token (optional).
+     * If still valid, skips refresh on startup.
+     * Reads from SEKUIRE_RUNTIME_TOKEN if not set.
+     */
+    runtimeToken?: string;
 }
 declare class SekuireSDK {
     private config;
@@ -397,13 +543,17 @@ declare class SekuireSDK {
     private client;
     private beacon;
     private isRunning;
+    private credentialsStore;
     constructor(config: SekuireSDKConfig);
     /**
      * Create SDK instance from environment variables.
      *
      * Required env vars:
      *   SEKUIRE_AGENT_ID - The agent's sekuire_id
-     *   SEKUIRE_INSTALL_TOKEN - Install token from dashboard (required for heartbeat)
+     *
+     * Authentication (one of the following):
+     *   SEKUIRE_INSTALL_TOKEN - Install token from dashboard (for initial bootstrap)
+     *   SEKUIRE_INSTALLATION_ID + SEKUIRE_REFRESH_TOKEN - For credential recovery
      *
      * Optional env vars:
      *   SEKUIRE_API_KEY - API key for authentication (X-API-Key header)
@@ -412,6 +562,7 @@ declare class SekuireSDK {
      *   SEKUIRE_API_URL - API base URL (default: https://api.sekuire.ai)
      *   SEKUIRE_WORKSPACE_ID - Workspace ID for policy enforcement
      *   SEKUIRE_ENVIRONMENT - Environment name (default: production)
+     *   SEKUIRE_RUNTIME_TOKEN - Pre-existing runtime token (skips refresh if valid)
      */
     static fromEnv(options?: {
         autoHeartbeat?: boolean;
@@ -420,10 +571,12 @@ declare class SekuireSDK {
     /**
      * Start the SDK.
      *
-     * - Bootstraps with Sekuire using the install token
+     * - Bootstraps with Sekuire using install token or recovery credentials
      * - Starts auto-heartbeat loop if enabled
      *
-     * Requires SEKUIRE_INSTALL_TOKEN to be set (from dashboard or CLI).
+     * Authentication (one of):
+     * - SEKUIRE_INSTALL_TOKEN for initial bootstrap
+     * - SEKUIRE_INSTALLATION_ID + SEKUIRE_REFRESH_TOKEN for recovery
      */
     start(): Promise<void>;
     /**
@@ -468,6 +621,39 @@ declare class SekuireSDK {
         installationId: string;
         runtimeToken: string;
     } | null;
+    /**
+     * Get full installation credentials for persistence.
+     *
+     * Use this after successful SDK start to extract credentials that can be
+     * saved as environment variables or secrets for future container restarts.
+     * These credentials allow recovery without consuming a new install token.
+     *
+     * Recommended workflow for ephemeral compute (Cloud Run, K8s, etc.):
+     * 1. First deploy: use SEKUIRE_INSTALL_TOKEN for initial bootstrap
+     * 2. After start: call getInstallationCredentials() to extract creds
+     * 3. Save to secrets manager (AWS Secrets Manager, K8s Secret, etc.)
+     * 4. Update deployment with:
+     *    - SEKUIRE_INSTALLATION_ID
+     *    - SEKUIRE_REFRESH_TOKEN
+     *    - (optionally) SEKUIRE_RUNTIME_TOKEN
+     * 5. Future restarts: SDK auto-recovers using refresh token
+     *
+     * @example
+     * ```ts
+     * const sdk = SekuireSDK.fromEnv();
+     * await sdk.start();
+     *
+     * const creds = sdk.getInstallationCredentials();
+     * if (creds) {
+     *   console.log('Save these to your secrets manager:');
+     *   console.log(`SEKUIRE_INSTALLATION_ID=${creds.installationId}`);
+     *   console.log(`SEKUIRE_REFRESH_TOKEN=${creds.refreshToken}`);
+     * }
+     * ```
+     *
+     * @returns Full installation credentials or null if not bootstrapped
+     */
+    getInstallationCredentials(): InstallationCredentials | null;
     /**
      * Create a TaskWorker that shares credentials with this SDK instance.
      *
@@ -475,6 +661,9 @@ declare class SekuireSDK {
      * the runtime credentials from the SDK's beacon. The SDK must be started
      * before calling this method.
      *
+     * The Worker receives full credentials (installationId, runtimeToken, refreshToken)
+     * so it can independently refresh tokens when they expire.
+     *
      * @param options Optional worker configuration overrides
      * @returns TaskWorker instance ready to be started
      * @throws Error if SDK hasn't been started or bootstrap failed
@@ -3228,5 +3417,5 @@ declare class A2ATaskDelegator {
 }
 declare function createDelegator(config: DelegatorConfig): A2ATaskDelegator;
 
-export { A2AClient, A2AError, A2AServer, A2ATaskDelegator, SekuireAgent as Agent, AgentIdentity, AnthropicProvider, BaseMemoryStorage, Beacon, CONVEX_FUNCTIONS_TEMPLATE, CONVEX_SCHEMA_TEMPLATE, CloudflareD1Storage, CloudflareKVStorage, ComplianceError, ComplianceMonitor, ContentPolicyError, ConvexStorage, CryptoError, DEFAULT_API_URL, DynamoDBStorage, FileAccessError, GoogleProvider, InMemoryStorage, NetworkComplianceError, NetworkError, OllamaProvider, OpenAIProvider, PolicyClient, PolicyEnforcer, PolicyViolationError, PostgresStorage, ProtocolError, RedisStorage, SQLiteStorage, SekuireAgent$1 as SekuireAgent, SekuireAgentBuilder, SekuireClient, SekuireCrypto, SekuireError, SekuireLogger, SekuireRegistryClient, SekuireSDK, SekuireServer, SekuireSpanExporter, TaskWorker, Tool, ToolPatternParser, ToolRegistry, ToolUsageError, TursoStorage, UpstashStorage, builtInTools, calculateSekuireId, createAgent, createBeacon, createDefaultToolRegistry, createDelegationTool, createDelegator, createDiscoveryTool, createLLMProvider, createMemoryStorage, createRegistryClient, createSekuireClient, createSekuireExpressMiddleware, createSekuireFastifyPlugin, createWorker, detectDeploymentUrl, generateKeyPair, getAgent, getAgentConfig, getAgents, getTools$1 as getLegacyTools, getStorageInfo, getSystemPrompt, getTools, getTracer, hasStorage, initTelemetry, listStorageTypes, llm, loadConfig, loadSystemPrompt, loadTools, registerStorage, shutdownTelemetry, tool, tools };
-export type { A2AArtifact, A2AClientOptions, A2AMessage, A2AMessagePart, A2ARouteRequest, A2ARouteResponse, A2AServerOptions, A2ATask, A2ATaskState, A2ATaskStatus, ActivePolicy, ActivePolicyResponse, AgentCapabilities, AgentCard, AgentConfig, AgentId, AgentInvokeOptions, AgentOptions, AgentProvider, AgentResponse$1 as AgentResponse, AgentSkill, BeaconConfig, BeaconStatus, BootstrapResponse, BuiltInMemoryType, ChatChunk, ChatOptions, ChatResponse, CloudflareD1Config, CloudflareKVConfig, ComplianceConfig, ComplianceViolation, ToolDefinition$1 as ConfigToolDefinition, ConvexConfig, CreateOrgRequest, CreateWorkspaceRequest, DelegationRequest, DelegationResult, DelegatorConfig, DisputeRequest, DisputeResponse, DynamoDBConfig, EventLog, EventType, ExporterType, HandshakeAuth, HandshakeHello, HandshakeResult, HandshakeWelcome, HexString, IdentityConfig, InviteRequest, InviteResponse, JsonRpcError, JsonRpcRequest, JsonRpcResponse, KeyPair, LLMConfig, Message as LLMMessage, LLMProvider, LLMProviderConfig, ToolCallFunction as LLMToolCall, ToolDefinition as LLMToolDefinition, LeaderboardEntry, LoggerConfig$1 as LoggerConfig, Manifest, MemoryConfig, MemoryFactoryConfig, MemoryMessage, MemoryStorage, MemoryType, Message$1 as Message, OrgResponse, OrgSummary, PostgresConfig, ProjectMetadata, PublishAgentOptions, PublishRequest, PublishResponse, RedisConfig, RegistryClientConfig, ReputationLog, ReputationResponse, SQLiteConfig, SearchAgentsOptions, SekuireAgentConfig, SekuireClientConfig, SekuireConfig, SekuireExporterConfig, SekuireSDKConfig, Severity, SkillContext, SkillHandler, StreamingSkillContext, StreamingSkillHandler, StreamingUpdate, SubmitReputationRequest, TaskCompletion, TaskContext, TaskEvent, TaskHandler, TaskState, TaskUpdateEvent, TasksCancelParams, TasksGetParams, TasksSendParams, TasksSendSubscribeParams, TelemetryConfig, ToolCall, ToolDefinition$2 as ToolDefinition, ToolInput, ToolMetadata, ToolParameter, ToolsSchema, TrustHeaders, TrustHeadersRequest, TursoConfig, UpdateAgentOptions, UpstashConfig, UserContextResponse, VerificationIssue, VerificationRequest, VerificationResult, VerificationStatus, VerifyAgentRequest, WorkerConfig, WorkspaceResponse, WorkspaceSummary };
+export { A2AClient, A2AError, A2AServer, A2ATaskDelegator, SekuireAgent as Agent, AgentIdentity, AnthropicProvider, BaseMemoryStorage, Beacon, CONVEX_FUNCTIONS_TEMPLATE, CONVEX_SCHEMA_TEMPLATE, CloudflareD1Storage, CloudflareKVStorage, ComplianceError, ComplianceMonitor, ContentPolicyError, ConvexStorage, CryptoError, DEFAULT_API_URL, DynamoDBStorage, FileAccessError, GoogleProvider, InMemoryStorage, NetworkComplianceError, NetworkError, OllamaProvider, OpenAIProvider, PolicyClient, PolicyEnforcer, PolicyViolationError, PostgresStorage, ProtocolError, RedisStorage, RuntimeCredentialsStore, SQLiteStorage, SekuireAgent$1 as SekuireAgent, SekuireAgentBuilder, SekuireClient, SekuireCrypto, SekuireError, SekuireLogger, SekuireRegistryClient, SekuireSDK, SekuireServer, SekuireSpanExporter, TaskWorker, Tool, ToolPatternParser, ToolRegistry, ToolUsageError, TursoStorage, UpstashStorage, builtInTools, calculateSekuireId, createAgent, createBeacon, createDefaultToolRegistry, createDelegationTool, createDelegator, createDiscoveryTool, createLLMProvider, createMemoryStorage, createRegistryClient, createSekuireClient, createSekuireExpressMiddleware, createSekuireFastifyPlugin, createWorker, detectDeploymentUrl, generateKeyPair, getAgent, getAgentConfig, getAgents, getTools$1 as getLegacyTools, getStorageInfo, getSystemPrompt, getTools, getTracer, hasStorage, initTelemetry, listStorageTypes, llm, loadConfig, loadSystemPrompt, loadTools, registerStorage, shutdownTelemetry, tool, tools };
+export type { A2AArtifact, A2AClientOptions, A2AMessage, A2AMessagePart, A2ARouteRequest, A2ARouteResponse, A2AServerOptions, A2ATask, A2ATaskState, A2ATaskStatus, ActivePolicy, ActivePolicyResponse, AgentCapabilities, AgentCard, AgentConfig, AgentId, AgentInvokeOptions, AgentOptions, AgentProvider, AgentResponse$1 as AgentResponse, AgentSkill, BeaconConfig, BeaconStatus, BootstrapResponse, BuiltInMemoryType, ChatChunk, ChatOptions, ChatResponse, CloudflareD1Config, CloudflareKVConfig, ComplianceConfig, ComplianceViolation, ToolDefinition$1 as ConfigToolDefinition, ConvexConfig, CreateOrgRequest, CreateWorkspaceRequest, DelegationRequest, DelegationResult, DelegatorConfig, DisputeRequest, DisputeResponse, DynamoDBConfig, EventLog, EventType, ExporterType, HandshakeAuth, HandshakeHello, HandshakeResult, HandshakeWelcome, HexString, IdentityConfig, InstallationCredentials, InviteRequest, InviteResponse, JsonRpcError, JsonRpcRequest, JsonRpcResponse, KeyPair, LLMConfig, Message as LLMMessage, LLMProvider, LLMProviderConfig, ToolCallFunction as LLMToolCall, ToolDefinition as LLMToolDefinition, LeaderboardEntry, LoggerConfig$1 as LoggerConfig, Manifest, MemoryConfig, MemoryFactoryConfig, MemoryMessage, MemoryStorage, MemoryType, Message$1 as Message, OrgResponse, OrgSummary, PostgresConfig, ProjectMetadata, PublishAgentOptions, PublishRequest, PublishResponse, RedisConfig, RegistryClientConfig, ReputationLog, ReputationResponse, RuntimeCredentials, SQLiteConfig, SearchAgentsOptions, SekuireAgentConfig, SekuireClientConfig, SekuireConfig, SekuireExporterConfig, SekuireSDKConfig, Severity, SkillContext, SkillHandler, StreamingSkillContext, StreamingSkillHandler, StreamingUpdate, SubmitReputationRequest, TaskCompletion, TaskContext, TaskEvent, TaskHandler, TaskState, TaskUpdateEvent, TasksCancelParams, TasksGetParams, TasksSendParams, TasksSendSubscribeParams, TelemetryConfig, ToolCall, ToolDefinition$2 as ToolDefinition, ToolInput, ToolMetadata, ToolParameter, ToolsSchema, TrustHeaders, TrustHeadersRequest, TursoConfig, UpdateAgentOptions, UpstashConfig, UserContextResponse, VerificationIssue, VerificationRequest, VerificationResult, VerificationStatus, VerifyAgentRequest, WorkerConfig, WorkspaceResponse, WorkspaceSummary };