@syfthub/sdk 0.1.1 → 0.2.1

package/dist/index.cjs

@@ -126,11 +126,21 @@ var init_errors = __esm({
 init_errors();
 
 // src/utils.ts
+var snakeToCamelCache = /* @__PURE__ */ new Map();
+var camelToSnakeCache = /* @__PURE__ */ new Map();
 function snakeToCamel(str) {
-  return str.replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
+  const cached = snakeToCamelCache.get(str);
+  if (cached !== void 0) return cached;
+  const result = str.replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
+  snakeToCamelCache.set(str, result);
+  return result;
 }
 function camelToSnake(str) {
-  return str.replace(/[A-Z]/g, (letter) => `_${letter.toLowerCase()}`);
+  const cached = camelToSnakeCache.get(str);
+  if (cached !== void 0) return cached;
+  const result = str.replace(/[A-Z]/g, (letter) => `_${letter.toLowerCase()}`);
+  camelToSnakeCache.set(str, result);
+  return result;
 }
 var ISO_DATE_REGEX = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/;
 function isISODateString(value) {
@@ -143,6 +153,9 @@ function transformKeys(obj, keyTransformer, parseDates = true) {
   if (Array.isArray(obj)) {
     return obj.map((item) => transformKeys(item, keyTransformer, parseDates));
   }
+  if (obj instanceof Date) {
+    return obj.toISOString();
+  }
   if (parseDates && isISODateString(obj)) {
     return new Date(obj);
   }
@@ -170,9 +183,61 @@ function buildSearchParams(params) {
   }
   return searchParams;
 }
+async function* readSSEEvents(response) {
+  if (!response.body) return;
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  let buffer = "";
+  let currentEvent = null;
+  let currentData = "";
+  const flush = function* () {
+    if (currentData) {
+      yield { event: currentEvent ?? "message", data: currentData };
+    }
+    currentEvent = null;
+    currentData = "";
+  };
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed) {
+          yield* flush();
+          continue;
+        }
+        if (trimmed.startsWith("event:")) {
+          currentEvent = trimmed.slice(6).trim();
+        } else if (trimmed.startsWith("data:")) {
+          if (currentData && currentEvent === null) {
+            yield* flush();
+          }
+          currentData = trimmed.slice(5).trim();
+        }
+      }
+    }
+    const trailing = buffer.trim();
+    if (trailing) {
+      if (trailing.startsWith("event:")) {
+        currentEvent = trailing.slice(6).trim();
+      } else if (trailing.startsWith("data:")) {
+        if (currentData && currentEvent === null) {
+          yield* flush();
+        }
+        currentData = trailing.slice(5).trim();
+      }
+    }
+    yield* flush();
+  } finally {
+    reader.releaseLock();
+  }
+}
 
 // src/http.ts
-init_errors();
 var HTTPClient = class {
   /**
    * Create a new HTTP client.
@@ -186,17 +251,32 @@ var HTTPClient = class {
   }
   accessToken = null;
   refreshToken = null;
+  apiToken = null;
   isRefreshing = false;
   refreshPromise = null;
   /**
-   * Set authentication tokens.
+   * Set JWT authentication tokens.
+   * Clears any API token if set.
    */
   setTokens(access, refresh) {
     this.accessToken = access;
     this.refreshToken = refresh;
+    this.apiToken = null;
   }
   /**
-   * Get current authentication tokens.
+   * Set API token for authentication.
+   * Clears any JWT tokens if set.
+   *
+   * @param token - The API token (starts with "syft_")
+   */
+  setApiToken(token) {
+    this.apiToken = token;
+    this.accessToken = null;
+    this.refreshToken = null;
+  }
+  /**
+   * Get current JWT authentication tokens.
+   * Returns null if using API token authentication.
    */
   getTokens() {
     if (!this.accessToken || !this.refreshToken) {
@@ -209,17 +289,30 @@ var HTTPClient = class {
     };
   }
   /**
-   * Clear authentication tokens.
+   * Check if using API token authentication.
+   */
+  isUsingApiToken() {
+    return this.apiToken !== null;
+  }
+  /**
+   * Clear all authentication (JWT and API tokens).
    */
   clearTokens() {
     this.accessToken = null;
     this.refreshToken = null;
+    this.apiToken = null;
   }
   /**
-   * Check if the client has valid tokens.
+   * Check if the client has valid authentication (JWT or API token).
    */
   hasTokens() {
-    return this.accessToken !== null;
+    return this.accessToken !== null || this.apiToken !== null;
+  }
+  /**
+   * Get the current bearer token (API token or JWT access token).
+   */
+  getBearerToken() {
+    return this.apiToken ?? this.accessToken;
   }
   /**
    * Make a GET request.
@@ -265,8 +358,9 @@ var HTTPClient = class {
       }
     }
     const headers = {};
-    if (includeAuth && this.accessToken) {
-      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    const bearerToken = this.getBearerToken();
+    if (includeAuth && bearerToken) {
+      headers["Authorization"] = `Bearer ${bearerToken}`;
     }
     let requestBody;
     if (body !== void 0) {
@@ -294,7 +388,7 @@ var HTTPClient = class {
         signal: controller.signal
       });
       clearTimeout(timeoutId);
-      if (response.status === 401 && includeAuth && this.refreshToken) {
+      if (response.status === 401 && includeAuth && this.refreshToken && !this.apiToken) {
         await this.attemptTokenRefresh();
         return this.request(method, path, {
           ...options,
@@ -481,6 +575,110 @@ var HTTPClient = class {
 // src/client.ts
 init_errors();
 
+// src/resources/api-tokens.ts
+var APITokensResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Create a new API token.
+   *
+   * IMPORTANT: The returned token is only shown ONCE!
+   * Make sure to save it immediately - it cannot be retrieved later.
+   *
+   * @param input - Token creation options
+   * @returns The created token with the full token value
+   *
+   * @example
+   * const result = await client.apiTokens.create({
+   *   name: 'CI/CD Pipeline',
+   *   scopes: ['write'],
+   *   expiresAt: new Date('2025-12-31'),
+   * });
+   *
+   * // SAVE THIS TOKEN - it will not be shown again!
+   * console.log(result.token);
+   */
+  async create(input) {
+    return this.http.post("/api/v1/auth/tokens", input);
+  }
+  /**
+   * List all API tokens for the current user.
+   *
+   * By default, only active tokens are returned.
+   * Note: The full token value is never returned - only the prefix.
+   *
+   * @param options - List options
+   * @returns List of tokens and total count
+   *
+   * @example
+   * // List active tokens
+   * const { tokens, total } = await client.apiTokens.list();
+   *
+   * // Include revoked tokens
+   * const all = await client.apiTokens.list({ includeInactive: true });
+   */
+  async list(options = {}) {
+    const params = {};
+    if (options.includeInactive !== void 0) {
+      params.include_inactive = options.includeInactive;
+    }
+    if (options.skip !== void 0) {
+      params.skip = options.skip;
+    }
+    if (options.limit !== void 0) {
+      params.limit = options.limit;
+    }
+    return this.http.get("/api/v1/auth/tokens", params);
+  }
+  /**
+   * Get a single API token by ID.
+   *
+   * Note: The full token value is never returned - only the prefix.
+   *
+   * @param tokenId - The token ID
+   * @returns The token details
+   *
+   * @example
+   * const token = await client.apiTokens.get(123);
+   * console.log(token.name, token.lastUsedAt);
+   */
+  async get(tokenId) {
+    return this.http.get(`/api/v1/auth/tokens/${tokenId}`);
+  }
+  /**
+   * Update an API token's name.
+   *
+   * Only the name can be updated. Scopes and expiration cannot be
+   * changed after creation.
+   *
+   * @param tokenId - The token ID
+   * @param input - Update options
+   * @returns The updated token
+   *
+   * @example
+   * const updated = await client.apiTokens.update(123, {
+   *   name: 'New Name',
+   * });
+   */
+  async update(tokenId, input) {
+    return this.http.patch(`/api/v1/auth/tokens/${tokenId}`, input);
+  }
+  /**
+   * Revoke an API token.
+   *
+   * The token becomes immediately unusable. This action cannot be undone.
+   *
+   * @param tokenId - The token ID to revoke
+   *
+   * @example
+   * await client.apiTokens.revoke(123);
+   */
+  async revoke(tokenId) {
+    await this.http.delete(`/api/v1/auth/tokens/${tokenId}`);
+  }
+};
+
 // src/resources/auth.ts
 init_errors();
 var AuthResource = class {
@@ -548,8 +746,13 @@ var AuthResource = class {
     const response = await this.http.post("/api/v1/auth/register", input, {
       includeAuth: false
     });
-    this.http.setTokens(response.accessToken, response.refreshToken);
-    return response.user;
+    if (response.accessToken && response.refreshToken) {
+      this.http.setTokens(response.accessToken, response.refreshToken);
+    }
+    return {
+      user: response.user,
+      requiresEmailVerification: response.requiresEmailVerification
+    };
   }
   /**
    * Login with username/email and password.
@@ -623,6 +826,115 @@ var AuthResource = class {
       newPassword
     });
   }
+  /**
+   * Get the platform's authentication configuration.
+   *
+   * No authentication required. Use this to determine whether email
+   * verification or password reset is available.
+   *
+   * @returns AuthConfig with feature flags
+   */
+  async getAuthConfig() {
+    return this.http.get("/api/v1/auth/config", void 0, { includeAuth: false });
+  }
+  /**
+   * Verify a registration OTP and receive auth tokens.
+   *
+   * After registering when email verification is required, call this with
+   * the 6-digit code sent to the user's email.
+   *
+   * Idempotent: if the user is already verified, tokens are issued immediately.
+   *
+   * @param input - Email and 6-digit code
+   * @returns The authenticated User
+   * @throws {APIError} If the code is invalid or max attempts exceeded
+   */
+  async verifyOtp(input) {
+    const response = await this.http.post("/api/v1/auth/register/verify-otp", input, {
+      includeAuth: false
+    });
+    this.http.setTokens(response.accessToken, response.refreshToken);
+    return response.user;
+  }
+  /**
+   * Resend the registration OTP code.
+   *
+   * Rate-limited. Always returns successfully to prevent email enumeration.
+   *
+   * @param email - Email address to resend the OTP to
+   */
+  async resendOtp(email) {
+    await this.http.post(
+      "/api/v1/auth/register/resend-otp",
+      { email },
+      {
+        includeAuth: false
+      }
+    );
+  }
+  /**
+   * Request a password reset OTP.
+   *
+   * Always returns successfully to prevent email enumeration.
+   * If SMTP is not configured on the server, this is a no-op.
+   *
+   * @param input - Email address for password reset
+   */
+  async requestPasswordReset(input) {
+    await this.http.post("/api/v1/auth/password-reset/request", input, {
+      includeAuth: false
+    });
+  }
+  /**
+   * Confirm a password reset with OTP and set a new password.
+   *
+   * @param input - Email, 6-digit code, and new password
+   * @throws {APIError} If the code is invalid or max attempts exceeded
+   */
+  async confirmPasswordReset(input) {
+    await this.http.post("/api/v1/auth/password-reset/confirm", input, {
+      includeAuth: false
+    });
+  }
+  /**
+   * Get a peer token for NATS communication with tunneling spaces.
+   *
+   * Peer tokens are short-lived credentials that allow the aggregator to
+   * communicate with tunneling SyftAI Spaces via NATS pub/sub.
+   *
+   * @param targetUsernames - Usernames of the tunneling spaces to communicate with
+   * @returns PeerTokenResponse with token, channel, expiry, and NATS URL
+   * @throws {AuthenticationError} If not authenticated
+   *
+   * @example
+   * const peer = await client.auth.getPeerToken(['alice', 'bob']);
+   * console.log(`Peer channel: ${peer.peerChannel}, expires in ${peer.expiresIn}s`);
+   */
+  async getPeerToken(targetUsernames) {
+    return this.http.post("/api/v1/peer-token", {
+      target_usernames: targetUsernames
+    });
+  }
+  /**
+   * Get a guest peer token for NATS communication without authentication.
+   *
+   * Guest peer tokens are rate-limited by IP address. They use the same
+   * response format as authenticated peer tokens.
+   *
+   * @param targetUsernames - Usernames of the tunneling spaces to communicate with
+   * @returns PeerTokenResponse with token, channel, expiry, and NATS URL
+   *
+   * @example
+   * const peer = await client.auth.getGuestPeerToken(['alice']);
+   * console.log(`Guest peer channel: ${peer.peerChannel}`);
+   */
+  async getGuestPeerToken(targetUsernames) {
+    return this.http.post(
+      "/api/v1/nats/guest-peer-token",
+      { target_usernames: targetUsernames },
+      { includeAuth: false }
+    );
+  }
   /**
    * Get a satellite token for a specific audience (target service).
    *
@@ -667,6 +979,59 @@ var AuthResource = class {
         return { audience: aud, token: response.targetToken };
       })
     );
+    for (const [i, result] of results.entries()) {
+      if (result.status === "fulfilled") {
+        tokenMap.set(result.value.audience, result.value.token);
+      } else {
+        console.warn(
+          `[SyftHub] Failed to fetch satellite token for "${uniqueAudiences[i]}":`,
+          result.reason
+        );
+      }
+    }
+    return tokenMap;
+  }
+  /**
+   * Get a guest satellite token for a specific audience (target service).
+   *
+   * Guest tokens allow unauthenticated users to access policy-free endpoints.
+   * No authentication is required to call this method.
+   *
+   * @param audience - Target service identifier (username of the service owner)
+   * @returns Satellite token response with token and expiry
+   * @throws {ValidationError} If audience is invalid or inactive
+   *
+   * @example
+   * // Get a guest token for querying alice's policy-free endpoints
+   * const tokenResponse = await client.auth.getGuestSatelliteToken('alice');
+   */
+  async getGuestSatelliteToken(audience) {
+    return this.http.get(
+      "/api/v1/token/guest",
+      { aud: audience },
+      { includeAuth: false }
+    );
+  }
+  /**
+   * Get guest satellite tokens for multiple audiences in parallel.
+   *
+   * No authentication is required to call this method.
+   *
+   * @param audiences - Array of unique audience identifiers (usernames)
+   * @returns Map of audience to satellite token
+   *
+   * @example
+   * const tokens = await client.auth.getGuestSatelliteTokens(['alice', 'bob']);
+   */
+  async getGuestSatelliteTokens(audiences) {
+    const uniqueAudiences = [...new Set(audiences)];
+    const tokenMap = /* @__PURE__ */ new Map();
+    const results = await Promise.allSettled(
+      uniqueAudiences.map(async (aud) => {
+        const response = await this.getGuestSatelliteToken(aud);
+        return { audience: aud, token: response.targetToken };
+      })
+    );
     for (const result of results) {
       if (result.status === "fulfilled") {
         tokenMap.set(result.value.audience, result.value.token);
@@ -677,38 +1042,137 @@ var AuthResource = class {
   /**
    * Get transaction tokens for multiple endpoint owners.
    *
-   * Transaction tokens are short-lived JWTs that pre-authorize the endpoint owner
-   * (recipient) to charge the current user (sender) for usage. These tokens are
-   * created via the accounting service and passed to the aggregator.
+   * @deprecated Transaction tokens are no longer needed. Payments are handled
+   * via the MPP 402 flow. This method is kept for backward compatibility and
+   * always returns empty tokens/errors.
+   *
+   * @param ownerUsernames - Array of endpoint owner usernames (ignored)
+   * @returns TransactionTokensResponse with empty tokens and errors
+   */
+  async getTransactionTokens(ownerUsernames) {
+    return { tokens: {}, errors: {} };
+  }
+  /**
+   * Get the current access token (JWT or API token).
+   *
+   * This is used by the chat flow to pass the user's Hub token to the
+   * aggregator for the MPP payment callback.
    *
-   * This is used by the chat flow to enable billing for endpoint usage.
+   * @returns The current access token, or null if not authenticated
+   */
+  getAccessToken() {
+    const tokens = this.http.getTokens();
+    return tokens?.accessToken ?? null;
+  }
+};
+
+// src/resources/aggregators.ts
+var AggregatorsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all aggregator configurations for the current user.
    *
-   * @param ownerUsernames - Array of endpoint owner usernames
-   * @returns TransactionTokensResponse with tokens map and any errors
+   * @returns Array of UserAggregator objects
    * @throws {AuthenticationError} If not authenticated
    *
    * @example
-   * // Get transaction tokens for endpoint owners
-   * const response = await client.auth.getTransactionTokens(['alice', 'bob']);
-   * console.log(`Got ${Object.keys(response.tokens).length} tokens`);
-   * if (Object.keys(response.errors).length > 0) {
-   *   console.log('Some tokens failed:', response.errors);
+   * const aggregators = await client.users.aggregators.list();
+   * for (const agg of aggregators) {
+   *   if (agg.isDefault) {
+   *     console.log(`Default: ${agg.name}`);
+   *   }
    * }
    */
-  async getTransactionTokens(ownerUsernames) {
-    const uniqueOwners = [...new Set(ownerUsernames)];
-    if (uniqueOwners.length === 0) {
-      return { tokens: {}, errors: {} };
-    }
-    try {
-      return await this.http.post(
-        "/api/v1/accounting/transaction-tokens",
-        { owner_usernames: uniqueOwners }
-      );
-    } catch (error) {
-      console.warn("Failed to get transaction tokens:", error);
-      return { tokens: {}, errors: {} };
-    }
+  async list() {
+    return this.http.get("/api/v1/users/me/aggregators");
+  }
+  /**
+   * Get a specific aggregator configuration by ID.
+   *
+   * @param aggregatorId - The aggregator ID
+   * @returns The UserAggregator object
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   *
+   * @example
+   * const agg = await client.users.aggregators.get(1);
+   * console.log(`${agg.name}: ${agg.url}`);
+   */
+  async get(aggregatorId) {
+    return this.http.get(`/api/v1/users/me/aggregators/${aggregatorId}`);
+  }
+  /**
+   * Create a new aggregator configuration.
+   *
+   * The first aggregator created is automatically set as the default.
+   *
+   * @param input - Aggregator creation input
+   * @returns The created UserAggregator object
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If input is invalid
+   *
+   * @example
+   * const agg = await client.users.aggregators.create({
+   *   name: 'My Custom Aggregator',
+   *   url: 'https://my-aggregator.example.com'
+   * });
+   * console.log(`Created: ${agg.id}`);
+   */
+  async create(input) {
+    return this.http.post("/api/v1/users/me/aggregators", input);
+  }
+  /**
+   * Update an aggregator configuration.
+   *
+   * Only provided fields will be updated.
+   *
+   * @param aggregatorId - The aggregator ID to update
+   * @param input - Fields to update
+   * @returns The updated UserAggregator object
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   * @throws {ValidationError} If input is invalid
+   *
+   * @example
+   * const agg = await client.users.aggregators.update(1, {
+   *   name: 'Updated Name'
+   * });
+   */
+  async update(aggregatorId, input) {
+    return this.http.put(`/api/v1/users/me/aggregators/${aggregatorId}`, input);
+  }
+  /**
+   * Delete an aggregator configuration.
+   *
+   * @param aggregatorId - The aggregator ID to delete
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   *
+   * @example
+   * await client.users.aggregators.delete(1);
+   */
+  async delete(aggregatorId) {
+    await this.http.delete(`/api/v1/users/me/aggregators/${aggregatorId}`);
+  }
+  /**
+   * Set an aggregator as the default.
+   *
+   * Only one aggregator can be the default at a time. Setting a new default
+   * automatically unsets the previous one.
+   *
+   * @param aggregatorId - The aggregator ID to set as default
+   * @returns The updated UserAggregator object with isDefault=true
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   *
+   * @example
+   * const agg = await client.users.aggregators.setDefault(2);
+   * console.log(`${agg.name} is now the default`);
+   */
+  async setDefault(aggregatorId) {
+    return this.http.patch(`/api/v1/users/me/aggregators/${aggregatorId}/default`);
   }
 };
 
@@ -717,6 +1181,34 @@ var UsersResource = class {
   constructor(http) {
     this.http = http;
   }
+  _aggregators;
+  /**
+   * Access aggregator management operations.
+   *
+   * @returns AggregatorsResource for managing user's aggregator configurations
+   *
+   * @example
+   * // List aggregators
+   * const aggregators = await client.users.aggregators.list();
+   * for (const agg of aggregators) {
+   *   console.log(`${agg.name}: ${agg.url}`);
+   * }
+   *
+   * // Create aggregator
+   * const agg = await client.users.aggregators.create({
+   *   name: 'My Aggregator',
+   *   url: 'https://my-aggregator.example.com'
+   * });
+   *
+   * // Set as default
+   * await client.users.aggregators.setDefault(agg.id);
+   */
+  get aggregators() {
+    if (!this._aggregators) {
+      this._aggregators = new AggregatorsResource(this.http);
+    }
+    return this._aggregators;
+  }
   /**
    * Update the current user's profile.
    *
@@ -776,17 +1268,61 @@ var UsersResource = class {
   async getAccountingCredentials() {
     return this.http.get("/api/v1/users/me/accounting");
   }
-};
-
-// src/pagination.ts
-var PageIterator = class {
   /**
-   * Create a new PageIterator.
+   * Send a heartbeat to indicate this SyftAI Space is alive.
    *
-   * @param fetcher - Function that fetches a page of items given skip and limit
-   * @param pageSize - Number of items to fetch per page (default: 20)
-   */
-  constructor(fetcher, pageSize = 20) {
+   * The heartbeat mechanism allows SyftAI Spaces to signal their availability
+   * to SyftHub. This should be called periodically (before the TTL expires)
+   * to maintain the "active" status.
+   *
+   * @param input - Heartbeat parameters
+   * @param input.url - Full URL of this space (e.g., "https://myspace.example.com").
+   *                    The server extracts the domain from this URL.
+   * @param input.ttlSeconds - Time-to-live in seconds (1-3600). The server caps this
+   *                           at a maximum of 600 seconds (10 minutes). Default is 300
+   *                           seconds (5 minutes).
+   * @returns HeartbeatResponse containing status, expiry time, domain, and effective TTL
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If URL or TTL is invalid
+   *
+   * @example
+   * // Send heartbeat with default TTL (300 seconds)
+   * const response = await client.users.sendHeartbeat({
+   *   url: 'https://myspace.example.com'
+   * });
+   * console.log(`Next heartbeat before: ${response.expiresAt}`);
+   *
+   * @example
+   * // Send heartbeat with custom TTL
+   * const response = await client.users.sendHeartbeat({
+   *   url: 'https://myspace.example.com',
+   *   ttlSeconds: 600  // Maximum allowed
+   * });
+   */
+  async sendHeartbeat(input) {
+    const response = await this.http.post("/api/v1/users/me/heartbeat", {
+      url: input.url,
+      ttl_seconds: input.ttlSeconds ?? 300
+    });
+    return {
+      status: response.status,
+      receivedAt: new Date(response.received_at),
+      expiresAt: new Date(response.expires_at),
+      domain: response.domain,
+      ttlSeconds: response.ttl_seconds
+    };
+  }
+};
+
+// src/pagination.ts
+var PageIterator = class {
+  /**
+   * Create a new PageIterator.
+   *
+   * @param fetcher - Function that fetches a page of items given skip and limit
+   * @param pageSize - Number of items to fetch per page (default: 20)
+   */
+  constructor(fetcher, pageSize = 20) {
     this.fetcher = fetcher;
     this.pageSize = pageSize;
   }
@@ -904,14 +1440,12 @@ var MyEndpointsResource = class {
    * Create a new endpoint.
    *
    * @param input - Endpoint creation details
-   * @param organizationId - Optional organization ID (for org-owned endpoints)
    * @returns The created Endpoint
    * @throws {AuthenticationError} If not authenticated
    * @throws {ValidationError} If input validation fails
    */
-  async create(input, organizationId) {
-    const body = organizationId !== void 0 ? { ...input, organizationId } : input;
-    return this.http.post("/api/v1/endpoints", body);
+  async create(input) {
+    return this.http.post("/api/v1/endpoints", input);
   }
   /**
    * Get a specific endpoint by path.
@@ -972,7 +1506,6 @@ var MyEndpointsResource = class {
    * 3. Is ATOMIC: either all endpoints sync successfully, or none do
    *
    * Important Notes:
-   * - Organization endpoints are NOT affected
    * - Stars on existing endpoints will be lost (reset to 0)
    * - Endpoint IDs will change (new IDs assigned)
    * - Maximum 100 endpoints per sync request
@@ -1046,17 +1579,23 @@ var HubResource = class {
   /**
    * Browse all public endpoints.
    *
-   * @param options - Pagination options
+   * @param options - Filter and pagination options
    * @returns PageIterator that lazily fetches endpoints
+   *
+   * @example
+   * // Browse only model endpoints
+   * const models = await client.hub.browse({ endpointType: 'model' }).firstPage();
    */
   browse(options) {
     const pageSize = options?.pageSize ?? 20;
     return new PageIterator(async (skip, limit) => {
-      return this.http.get(
-        "/api/v1/endpoints/public",
-        { skip, limit },
-        { includeAuth: false }
-      );
+      const params = { skip, limit };
+      if (options?.endpointType !== void 0) {
+        params["endpoint_type"] = options.endpointType;
+      }
+      return this.http.get("/api/v1/endpoints/public", params, {
+        includeAuth: false
+      });
     }, pageSize);
   }
   /**
@@ -1064,19 +1603,57 @@ var HubResource = class {
    *
    * @param options - Filter and pagination options
    * @returns PageIterator that lazily fetches endpoints
+   *
+   * @example
+   * // Get trending models only
+   * const models = await client.hub.trending({ endpointType: 'model' }).firstPage();
    */
   trending(options) {
     const pageSize = options?.pageSize ?? 20;
     return new PageIterator(async (skip, limit) => {
       const params = { skip, limit };
+      if (options?.endpointType !== void 0) {
+        params["endpoint_type"] = options.endpointType;
+      }
       if (options?.minStars !== void 0) {
-        params["minStars"] = options.minStars;
+        params["min_stars"] = options.minStars;
       }
       return this.http.get("/api/v1/endpoints/trending", params, {
         includeAuth: false
       });
     }, pageSize);
   }
+  /**
+   * List endpoints accessible to unauthenticated (guest) users.
+   *
+   * Guest-accessible endpoints are public, active, and have no policies attached.
+   * No authentication is required to call this method.
+   *
+   * @param options - Filter and pagination options
+   * @returns PageIterator that lazily fetches guest-accessible endpoints
+   *
+   * @example
+   * // List all guest-accessible endpoints
+   * for await (const endpoint of client.hub.guestAccessible()) {
+   *   console.log(`${endpoint.ownerUsername}/${endpoint.slug}: ${endpoint.name}`);
+   * }
+   *
+   * @example
+   * // List only guest-accessible models
+   * const models = await client.hub.guestAccessible({ endpointType: 'model' }).firstPage();
+   */
+  guestAccessible(options) {
+    const pageSize = options?.pageSize ?? 20;
+    return new PageIterator(async (skip, limit) => {
+      const params = { skip, limit };
+      if (options?.endpointType !== void 0) {
+        params["endpoint_type"] = options.endpointType;
+      }
+      return this.http.get("/api/v1/endpoints/guest-accessible", params, {
+        includeAuth: false
+      });
+    }, pageSize);
+  }
   /**
    * Search for endpoints using semantic search.
    *
@@ -1172,6 +1749,26 @@ var HubResource = class {
     const endpointId = await this.resolveEndpointId(path);
     await this.http.delete(`/api/v1/endpoints/${endpointId}/star`);
   }
+  /**
+   * Get the owner/slug paths of a collective's approved member endpoints,
+   * optionally narrowed to a single shared-endpoint subset.
+   *
+   * Used by the chat resource to expand both `collective/<slug>` and
+   * `collective/<slug>/<shared-slug>` data-source references into the
+   * individual endpoint paths before building the aggregator request.
+   *
+   * @param slug - The collective slug (e.g. "genomics-research")
+   * @param sharedSlug - Optional curated-subset slug. When provided, only the
+   *   intersection of the subset's configured endpoints with the collective's
+   *   currently approved members is returned. Omit for "all approved members".
+   * @returns Array of "owner/slug" path strings
+   * @throws {NotFoundError} If the collective (or shared endpoint) does not exist
+   */
+  async getCollectiveEndpointPaths(slug, sharedSlug) {
+    const base = `/api/v1/collectives/by-slug/${encodeURIComponent(slug)}`;
+    const path = sharedSlug ? `${base}/shared-endpoints/${encodeURIComponent(sharedSlug)}/endpoint-paths` : `${base}/endpoint-paths`;
+    return this.http.get(path, {}, { includeAuth: false });
+  }
   /**
    * Check if you have starred an endpoint.
    *
@@ -1189,489 +1786,408 @@ var HubResource = class {
   }
 };
 
-// src/models/common.ts
-var Visibility = {
-  /** Visible to everyone, no authentication required */
-  PUBLIC: "public",
-  /** Only visible to the owner and collaborators */
-  PRIVATE: "private",
-  /** Visible to authenticated users within the organization */
-  INTERNAL: "internal"
-};
-var EndpointType = {
-  /** Machine learning model endpoint */
-  MODEL: "model",
-  /** Data source endpoint */
-  DATA_SOURCE: "data_source"
-};
-var UserRole = {
-  /** Administrator with full access */
-  ADMIN: "admin",
-  /** Regular user */
-  USER: "user",
-  /** Guest user with limited access */
-  GUEST: "guest"
-};
-var OrganizationRole = {
-  /** Organization owner with full control */
-  OWNER: "owner",
-  /** Administrator with management privileges */
-  ADMIN: "admin",
-  /** Regular member */
-  MEMBER: "member"
-};
-
-// src/models/endpoint.ts
-function getEndpointOwnerType(endpoint) {
-  return endpoint.organizationId !== null ? "organization" : "user";
-}
-function getEndpointPublicPath(endpoint) {
-  return `${endpoint.ownerUsername}/${endpoint.slug}`;
-}
-
-// src/models/accounting.ts
-var TransactionStatus = {
-  /** Transaction created, awaiting confirmation */
-  PENDING: "pending",
-  /** Transaction confirmed, funds transferred */
-  COMPLETED: "completed",
-  /** Transaction cancelled, no funds transferred */
-  CANCELLED: "cancelled"
-};
-var CreatorType = {
-  /** System-initiated transaction */
-  SYSTEM: "system",
-  /** Sender-initiated transaction */
-  SENDER: "sender",
-  /** Recipient-initiated transaction (delegated) */
-  RECIPIENT: "recipient"
-};
-function parseTransaction(response) {
-  return {
-    ...response,
-    createdAt: new Date(response.createdAt),
-    resolvedAt: response.resolvedAt ? new Date(response.resolvedAt) : null
-  };
-}
-function isTransactionPending(tx) {
-  return tx.status === TransactionStatus.PENDING;
-}
-function isTransactionCompleted(tx) {
-  return tx.status === TransactionStatus.COMPLETED;
-}
-function isTransactionCancelled(tx) {
-  return tx.status === TransactionStatus.CANCELLED;
-}
-
 // src/resources/accounting.ts
-init_errors();
-async function handleResponseError(response) {
-  if (response.ok) return;
-  let detail;
-  try {
-    const body = await response.json();
-    detail = body.detail ?? body.message ?? JSON.stringify(body);
-  } catch {
-    detail = await response.text() || `HTTP ${response.status}`;
-  }
-  switch (response.status) {
-    case 401:
-      throw new exports.AuthenticationError(`Authentication failed: ${detail}`);
-    case 403:
-      throw new exports.AuthorizationError(`Permission denied: ${detail}`);
-    case 404:
-      throw new exports.NotFoundError(`Not found: ${detail}`);
-    case 422:
-      throw new exports.ValidationError(`Validation error: ${detail}`);
-    default:
-      throw new exports.APIError(`Accounting API error: ${detail}`, response.status);
-  }
-}
-function createBasicAuth(email, password) {
-  const credentials = `${email}:${password}`;
-  const encoded = typeof btoa !== "undefined" ? btoa(credentials) : Buffer.from(credentials).toString("base64");
-  return `Basic ${encoded}`;
-}
 var AccountingResource = class {
-  baseUrl;
-  email;
-  password;
-  timeout;
-  authHeader;
-  constructor(options) {
-    this.baseUrl = options.url.replace(/\/$/, "");
-    this.email = options.email;
-    this.password = options.password;
-    this.timeout = options.timeout ?? 3e4;
-    this.authHeader = createBasicAuth(this.email, this.password);
-  }
-  // ===========================================================================
-  // Private HTTP Methods
-  // ===========================================================================
-  /**
-   * Make an authenticated request to the accounting service.
-   */
-  async request(method, path, options) {
-    const url = new URL(path, this.baseUrl);
-    if (options?.params) {
-      for (const [key, value] of Object.entries(options.params)) {
-        url.searchParams.set(key, String(value));
-      }
-    }
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-    try {
-      const response = await fetch(url.toString(), {
-        method,
-        headers: {
-          Authorization: this.authHeader,
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: options?.body ? JSON.stringify(options.body) : void 0,
-        signal: controller.signal
-      });
-      await handleResponseError(response);
-      if (response.status === 204) {
-        return {};
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof exports.SyftHubError) {
-        throw error;
-      }
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new exports.APIError("Request timeout", 408);
-      }
-      throw new exports.APIError(
-        `Accounting request failed: ${error instanceof Error ? error.message : "Unknown error"}`,
-        0
-      );
-    } finally {
-      clearTimeout(timeoutId);
-    }
-  }
-  /**
-   * Make a request using Bearer token auth (for delegated transactions).
-   */
-  async requestWithToken(method, path, token, options) {
-    const url = new URL(path, this.baseUrl);
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-    try {
-      const response = await fetch(url.toString(), {
-        method,
-        headers: {
-          Authorization: `Bearer ${token}`,
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: options?.body ? JSON.stringify(options.body) : void 0,
-        signal: controller.signal
-      });
-      await handleResponseError(response);
-      if (response.status === 204) {
-        return {};
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof exports.SyftHubError) {
-        throw error;
-      }
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new exports.APIError("Request timeout", 408);
-      }
-      throw new exports.APIError(
-        `Accounting request failed: ${error instanceof Error ? error.message : "Unknown error"}`,
-        0
-      );
-    } finally {
-      clearTimeout(timeoutId);
-    }
+  constructor(http) {
+    this.http = http;
   }
   // ===========================================================================
-  // User Operations
+  // Wallet Operations
   // ===========================================================================
   /**
-   * Get the current user's account information including balance.
+   * Get the current user's wallet information.
    *
-   * @returns AccountingUser with id, email, balance, and organization
-   * @throws {AuthenticationError} If authentication fails
-   * @throws {APIError} On other errors
+   * @returns WalletInfo with address and existence status
+   * @throws {AuthenticationError} If not authenticated
    *
    * @example
    * ```typescript
-   * const user = await accounting.getUser();
-   * console.log(`Balance: ${user.balance}`);
-   * console.log(`Organization: ${user.organization}`);
+   * const wallet = await client.accounting.getWallet();
+   * if (wallet.exists) {
+   *   console.log(`Wallet address: ${wallet.address}`);
+   * } else {
+   *   console.log('No wallet configured');
+   * }
    * ```
    */
-  async getUser() {
-    return this.request("GET", "/user");
+  async getWallet() {
+    return this.http.get("/api/v1/wallet/");
   }
   /**
-   * Update the user's password.
+   * Get the current user's wallet balance and recent transactions.
    *
-   * @param currentPassword - Current password for verification
-   * @param newPassword - New password to set
-   * @throws {AuthenticationError} If current password is wrong
-   * @throws {ValidationError} If new password doesn't meet requirements
+   * @returns WalletBalance with balance, currency, and recent transactions
+   * @throws {AuthenticationError} If not authenticated
    *
    * @example
    * ```typescript
-   * await accounting.updatePassword('old_secret', 'new_secret');
+   * const balance = await client.accounting.getBalance();
+   * console.log(`Balance: ${balance.balance} ${balance.currency}`);
+   * console.log(`Wallet configured: ${balance.wallet_configured}`);
    * ```
    */
-  async updatePassword(currentPassword, newPassword) {
-    await this.request("PUT", "/user/password", {
-      body: {
-        oldPassword: currentPassword,
-        newPassword
-      }
-    });
+  async getBalance() {
+    return this.http.get("/api/v1/wallet/balance");
   }
   /**
-   * Update the user's organization.
+   * Get the current user's wallet transactions.
    *
-   * @param organization - New organization name
-   * @throws {AuthenticationError} If authentication fails
+   * @returns Array of WalletTransaction objects
+   * @throws {AuthenticationError} If not authenticated
    *
    * @example
    * ```typescript
-   * await accounting.updateOrganization('OpenMined');
+   * const transactions = await client.accounting.getTransactions();
+   * for (const tx of transactions) {
+   *   console.log(`${tx.created_at}: ${tx.amount} ${tx.status}`);
+   * }
    * ```
    */
-  async updateOrganization(organization) {
-    await this.request("PUT", "/user/organization", {
-      body: { organization }
-    });
+  async getTransactions() {
+    return this.http.get("/api/v1/wallet/transactions");
   }
-  // ===========================================================================
-  // Transaction Listing
-  // ===========================================================================
   /**
-   * List account transactions with pagination.
+   * Create a new wallet for the current user.
    *
-   * Returns a lazy iterator that fetches pages on demand.
+   * Generates a new wallet with a fresh keypair. The wallet address
+   * is returned and stored on the server.
    *
-   * @param options - Pagination options
-   * @returns PageIterator that yields Transaction objects
+   * @returns Object with the new wallet address
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If user already has a wallet
    *
    * @example
    * ```typescript
-   * // Iterate through all transactions
-   * for await (const tx of accounting.getTransactions()) {
-   *   console.log(`${tx.createdAt}: ${tx.amount} from ${tx.senderEmail}`);
-   * }
-   *
-   * // Get first page only
-   * const firstPage = await accounting.getTransactions().firstPage();
-   *
-   * // Get all transactions
-   * const allTxs = await accounting.getTransactions().all();
+   * const result = await client.accounting.createWallet();
+   * console.log(`New wallet address: ${result.address}`);
    * ```
    */
-  getTransactions(options) {
-    const pageSize = options?.pageSize ?? 20;
-    return new PageIterator(async (skip, limit) => {
-      const response = await this.request("GET", "/transactions", {
-        params: { skip, limit }
-      });
-      return response.map(parseTransaction);
-    }, pageSize);
+  async createWallet() {
+    return this.http.post("/api/v1/wallet/create", {});
   }
   /**
-   * Get a specific transaction by ID.
+   * Import an existing wallet using a private key.
    *
-   * @param transactionId - The transaction ID
-   * @returns Transaction object
-   * @throws {NotFoundError} If transaction not found
+   * @param privateKey - The private key to import
+   * @returns Object with the imported wallet address
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If the private key is invalid
    *
    * @example
    * ```typescript
-   * const tx = await accounting.getTransaction('tx_123');
-   * console.log(`Status: ${tx.status}`);
+   * const result = await client.accounting.importWallet('0x...');
+   * console.log(`Imported wallet address: ${result.address}`);
    * ```
    */
-  async getTransaction(transactionId) {
-    const response = await this.request(
-      "GET",
-      `/transactions/${transactionId}`
-    );
-    return parseTransaction(response);
+  async importWallet(privateKey) {
+    return this.http.post("/api/v1/wallet/import", {
+      private_key: privateKey
+    });
+  }
+};
+function createAccountingResource(options) {
+  throw new Error(
+    "createAccountingResource() is deprecated. The wallet API is now accessed through the SyftHubClient. Use client.initAccounting() after login instead."
+  );
+}
+
+// src/resources/agent.ts
+init_errors();
+var AgentSessionError = class extends exports.SyftHubError {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "AgentSessionError";
+  }
+};
+var AgentResource = class {
+  constructor(auth, aggregatorUrl) {
+    this.auth = auth;
+    this.aggregatorUrl = aggregatorUrl;
   }
-  // ===========================================================================
-  // Direct Transaction Operations
-  // ===========================================================================
   /**
-   * Create a new transaction (direct transfer).
-   *
-   * Creates a PENDING transaction that must be confirmed or cancelled.
-   * The transaction is created by the sender (current user).
-   *
-   * @param input - Transaction details
-   * @returns Transaction in PENDING status
-   * @throws {ValidationError} If amount <= 0 or insufficient balance
-   *
-   * @example
-   * ```typescript
-   * const tx = await accounting.createTransaction({
-   *   recipientEmail: 'bob@example.com',
-   *   amount: 10.0,
-   *   appName: 'syftai-space',
-   *   appEpPath: 'alice/my-model'
-   * });
-   * console.log(`Created transaction ${tx.id}: ${tx.status}`);
+   * Start a new agent session.
    *
-   * // Later, confirm or cancel
-   * await accounting.confirmTransaction(tx.id);
-   * ```
+   * @param options - Session options including prompt, endpoint, and config
+   * @returns An AgentSessionClient for interacting with the session
    */
-  async createTransaction(input) {
-    if (input.amount <= 0) {
-      throw new exports.ValidationError("Amount must be greater than 0");
-    }
-    const response = await this.request("POST", "/transactions", {
-      body: {
-        recipientEmail: input.recipientEmail,
-        amount: input.amount,
-        ...input.appName && { appName: input.appName },
-        ...input.appEpPath && { appEpPath: input.appEpPath }
+  async startSession(options) {
+    let owner;
+    let slug;
+    if (typeof options.endpoint === "string") {
+      const parts = options.endpoint.split("/");
+      if (parts.length !== 2) {
+        throw new AgentSessionError(
+          `Endpoint must be in 'owner/slug' format, got: ${options.endpoint}`
+        );
+      }
+      owner = parts[0];
+      slug = parts[1];
+    } else {
+      owner = options.endpoint.owner;
+      slug = options.endpoint.slug;
+    }
+    const satResponse = await this.auth.getSatelliteToken(owner);
+    const peerResponse = await this.auth.getPeerToken([owner]);
+    const wsUrl = this.aggregatorUrl.replace(/^http/, "ws") + "/agent/session";
+    const ws = new WebSocket(wsUrl);
+    await new Promise((resolve, reject) => {
+      const onOpen = () => {
+        ws.removeEventListener("error", onError);
+        resolve();
+      };
+      const onError = (_e) => {
+        ws.removeEventListener("open", onOpen);
+        reject(new AgentSessionError("Failed to connect to agent WebSocket"));
+      };
+      ws.addEventListener("open", onOpen, { once: true });
+      ws.addEventListener("error", onError, { once: true });
+      if (options.signal) {
+        options.signal.addEventListener(
+          "abort",
+          () => {
+            ws.close();
+            reject(new AgentSessionError("Session start aborted"));
+          },
+          { once: true }
+        );
       }
     });
-    return parseTransaction(response);
-  }
-  /**
-   * Confirm a pending transaction.
-   *
-   * Confirms the transaction, transferring funds from sender to recipient.
-   * Can be called by either the sender or recipient.
-   *
-   * @param transactionId - The transaction ID to confirm
-   * @returns Transaction in COMPLETED status
-   * @throws {NotFoundError} If transaction not found
-   * @throws {ValidationError} If transaction is not in PENDING status
-   *
-   * @example
-   * ```typescript
-   * const tx = await accounting.confirmTransaction('tx_123');
-   * console.log(`Confirmed: ${tx.status}`); // "completed"
-   * ```
-   */
-  async confirmTransaction(transactionId) {
-    const response = await this.request(
-      "POST",
-      `/transactions/${transactionId}/confirm`
+    const startPayload = {
+      prompt: options.prompt,
+      endpoint: { owner, slug },
+      satellite_token: satResponse.targetToken,
+      peer_token: peerResponse.peerToken,
+      peer_channel: peerResponse.peerChannel
+    };
+    if (options.config) {
+      startPayload.config = options.config;
+    }
+    if (options.messages) {
+      startPayload.messages = options.messages;
+    }
+    ws.send(
+      JSON.stringify({
+        type: "session.start",
+        payload: startPayload
+      })
     );
-    return parseTransaction(response);
+    const response = await new Promise((resolve, reject) => {
+      const onMessage = (event) => {
+        try {
+          const data = JSON.parse(event.data);
+          if (data.type === "session.created") {
+            ws.removeEventListener("message", onMessage);
+            resolve({
+              session_id: data.session_id || data.payload?.session_id
+            });
+          } else if (data.type === "agent.error") {
+            ws.removeEventListener("message", onMessage);
+            reject(
+              new AgentSessionError(
+                data.payload?.message || "Session start failed",
+                data.payload?.code
+              )
+            );
+          }
+        } catch {
+          reject(new AgentSessionError("Failed to parse session response"));
+        }
+      };
+      ws.addEventListener("message", onMessage);
+    });
+    return new AgentSessionClient(ws, response.session_id);
+  }
+};
+var AgentSessionClient = class {
+  constructor(ws, sessionId) {
+    this.ws = ws;
+    this.sessionId = sessionId;
+    this.ws.addEventListener("message", (event) => {
+      this._handleMessage(event);
+    });
+    this.ws.addEventListener("close", () => {
+      this._handleClose();
+    });
+    this.ws.addEventListener("error", () => {
+      this._state = "error";
+      this._handleClose();
+    });
+  }
+  _state = "running";
+  _sequenceCounter = 0;
+  _messageQueue = [];
+  _messageResolvers = [];
+  _closed = false;
+  /** Current session state */
+  get state() {
+    return this._state;
   }
   /**
-   * Cancel a pending transaction.
-   *
-   * Cancels the transaction without transferring funds.
-   * Can be called by either the sender or recipient.
-   *
-   * @param transactionId - The transaction ID to cancel
-   * @returns Transaction in CANCELLED status
-   * @throws {NotFoundError} If transaction not found
-   * @throws {ValidationError} If transaction is not in PENDING status
+   * Async generator yielding agent events.
    *
    * @example
-   * ```typescript
-   * const tx = await accounting.cancelTransaction('tx_123');
-   * console.log(`Cancelled: ${tx.status}`); // "cancelled"
-   * ```
+   * for await (const event of session.events()) {
+   *   console.log(event.type, event.payload);
+   * }
    */
-  async cancelTransaction(transactionId) {
-    const response = await this.request(
-      "POST",
-      `/transactions/${transactionId}/cancel`
-    );
-    return parseTransaction(response);
+  async *events() {
+    while (!this._closed) {
+      const event = await this._nextEvent();
+      if (event === null) break;
+      yield event;
+    }
   }
-  // ===========================================================================
-  // Delegated Transaction Operations
-  // ===========================================================================
   /**
-   * Create a transaction token for delegated transfers.
-   *
-   * Creates a JWT token that authorizes the recipient to create a
-   * transaction on behalf of the sender (current user). The token
-   * is short-lived (typically ~5 minutes).
+   * Register an event handler.
    *
-   * Use this when you want to pre-authorize a payment that will be
-   * initiated by the recipient (e.g., a service charging for usage).
-   *
-   * @param recipientEmail - Email of the authorized recipient
-   * @returns JWT token string to share with recipient
-   *
-   * @example
-   * ```typescript
-   * // Sender creates token
-   * const token = await accounting.createTransactionToken('service@example.com');
-   *
-   * // Share token with recipient out-of-band
-   * // Recipient uses token to create delegated transaction
-   * ```
+   * @param eventType - The event type to listen for, or '*' for all events
+   * @param handler - Callback function
    */
-  async createTransactionToken(recipientEmail) {
-    const response = await this.request("POST", "/token/create", {
-      body: { recipientEmail }
+  on(eventType, handler) {
+    this.ws.addEventListener("message", (msgEvent) => {
+      try {
+        const data = JSON.parse(msgEvent.data);
+        if (eventType === "*" || data.type === eventType) {
+          handler(data);
+        }
+      } catch {
+      }
     });
-    return response.token;
   }
-  /**
-   * Create a delegated transaction using a pre-authorized token.
-   *
-   * Creates a transaction on behalf of the sender using their token.
-   * This is typically used by services to charge users for usage.
-   *
-   * The token authenticates the request instead of Basic auth.
-   *
-   * @param senderEmail - Email of the sender who created the token
-   * @param amount - Amount to transfer (must be > 0)
-   * @param token - JWT token from sender's createTransactionToken()
-   * @returns Transaction in PENDING status (createdBy=RECIPIENT)
-   * @throws {AuthenticationError} If token is invalid or expired
-   * @throws {ValidationError} If amount <= 0
-   *
-   * @example
-   * ```typescript
-   * // Recipient creates transaction using sender's token
-   * const tx = await accounting.createDelegatedTransaction(
-   *   'alice@example.com',
-   *   5.0,
-   *   aliceToken
-   * );
-   *
-   * // Recipient confirms the transaction
-   * await accounting.confirmTransaction(tx.id);
-   * ```
-   */
-  async createDelegatedTransaction(senderEmail, amount, token) {
-    if (amount <= 0) {
-      throw new exports.ValidationError("Amount must be greater than 0");
+  /** Send a user message to the agent */
+  sendMessage(content) {
+    this._send({
+      type: "user.message",
+      payload: { content }
+    });
+  }
+  /** Confirm a tool call */
+  confirm(toolCallId) {
+    this._send({
+      type: "user.confirm",
+      payload: { tool_call_id: toolCallId }
+    });
+  }
+  /** Deny a tool call */
+  deny(toolCallId, reason) {
+    this._send({
+      type: "user.deny",
+      payload: { tool_call_id: toolCallId, reason }
+    });
+  }
+  /** Cancel the session */
+  cancel() {
+    this._state = "cancelled";
+    this._send({ type: "user.cancel" });
+  }
+  /** Close the session and WebSocket */
+  close() {
+    if (this._closed) return;
+    this._send({ type: "session.close" });
+    this.ws.close();
+    this._handleClose();
+  }
+  // ---- Internal ----
+  _send(msg) {
+    if (this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(msg));
     }
-    const response = await this.requestWithToken(
-      "POST",
-      "/transactions",
-      token,
-      {
-        body: {
-          senderEmail,
-          amount
-        }
+  }
+  _handleMessage(event) {
+    try {
+      const data = JSON.parse(event.data);
+      this._sequenceCounter++;
+      switch (data.type) {
+        case "agent.request_input":
+          this._state = "awaiting_input";
+          break;
+        case "session.completed":
+          this._state = "completed";
+          break;
+        case "session.failed":
+          this._state = "failed";
+          break;
+        case "agent.error":
+          if (!data.payload.recoverable) {
+            this._state = "error";
+          }
+          break;
+        default:
+          if (this._state === "awaiting_input" || this._state === "connecting") {
+            this._state = "running";
+          }
       }
-    );
-    return parseTransaction(response);
+      if (this._messageResolvers.length > 0) {
+        const resolve = this._messageResolvers.shift();
+        resolve(data);
+      } else {
+        this._messageQueue.push(data);
+      }
+      if (data.type === "session.completed" || data.type === "session.failed") {
+        this._handleClose();
+      }
+    } catch {
+    }
+  }
+  _handleClose() {
+    if (this._closed) return;
+    this._closed = true;
+    for (const resolve of this._messageResolvers) {
+      resolve(null);
+    }
+    this._messageResolvers = [];
+  }
+  _nextEvent() {
+    if (this._messageQueue.length > 0) {
+      return Promise.resolve(this._messageQueue.shift());
+    }
+    if (this._closed) {
+      return Promise.resolve(null);
+    }
+    return new Promise((resolve) => {
+      this._messageResolvers.push(resolve);
+    });
   }
 };
-function createAccountingResource(options) {
-  return new AccountingResource(options);
-}
 
 // src/resources/chat.ts
 init_errors();
+
+// src/models/common.ts
+var Visibility = {
+  /** Visible to everyone, no authentication required */
+  PUBLIC: "public",
+  /** Only visible to the owner and collaborators */
+  PRIVATE: "private",
+  /** Behaves like private — only visible to the owner */
+  INTERNAL: "internal"
+};
+var EndpointType = {
+  /** Machine learning model endpoint */
+  MODEL: "model",
+  /** Data source endpoint */
+  DATA_SOURCE: "data_source",
+  /** Both model and data source endpoint */
+  MODEL_DATA_SOURCE: "model_data_source",
+  /** Agent endpoint with session-based interaction */
+  AGENT: "agent"
+};
+var UserRole = {
+  /** Administrator with full access */
+  ADMIN: "admin",
+  /** Regular user */
+  USER: "user",
+  /** Guest user with limited access */
+  GUEST: "guest"
+};
+
+// src/models/endpoint.ts
+function getEndpointPublicPath(endpoint) {
+  return `${endpoint.ownerUsername}/${endpoint.slug}`;
+}
+
+// src/resources/chat.ts
 var AggregatorError = class extends exports.SyftHubError {
   constructor(message, status, detail) {
     super(message);
@@ -1687,12 +2203,26 @@ var EndpointResolutionError = class extends exports.SyftHubError {
     this.name = "EndpointResolutionError";
   }
 };
-var ChatResource = class {
+var ChatResource = class _ChatResource {
   constructor(hub, auth, aggregatorUrl) {
     this.hub = hub;
     this.auth = auth;
     this.aggregatorUrl = aggregatorUrl;
   }
+  /**
+   * Check if an endpoint type matches the expected type.
+   * A model_data_source endpoint matches both 'model' and 'data_source'.
+   */
+  static typeMatches(actualType, expectedType) {
+    if (actualType === expectedType) return true;
+    if (actualType === EndpointType.MODEL_DATA_SOURCE) {
+      return expectedType === EndpointType.MODEL || expectedType === EndpointType.DATA_SOURCE;
+    }
+    if (actualType === EndpointType.AGENT && expectedType === EndpointType.MODEL) {
+      return true;
+    }
+    return false;
+  }
   /**
    * Convert any endpoint format to EndpointRef with URL and owner info.
    * The ownerUsername is critical for satellite token authentication.
@@ -1702,7 +2232,7 @@ var ChatResource = class {
       return endpoint;
     }
     if (this.isEndpointPublic(endpoint)) {
-      if (expectedType && endpoint.type !== expectedType) {
+      if (expectedType && !_ChatResource.typeMatches(endpoint.type, expectedType)) {
         throw new Error(
           `Expected endpoint type '${expectedType}', got '${endpoint.type}' for '${endpoint.slug}'`
         );
@@ -1757,52 +2287,181 @@ var ChatResource = class {
   /**
    * Get satellite tokens for all unique endpoint owners.
    * Returns a map of owner username to satellite token.
+   *
+   * @param owners - Array of unique owner usernames
+   * @param guestMode - If true, fetch guest tokens (no auth required)
    */
-  async getSatelliteTokensForOwners(owners) {
+  async getSatelliteTokensForOwners(owners, guestMode = false) {
     if (owners.length === 0) {
       return {};
     }
-    const tokenMap = await this.auth.getSatelliteTokens(owners);
+    const tokenMap = guestMode ? await this.auth.getGuestSatelliteTokens(owners) : await this.auth.getSatelliteTokens(owners);
     const result = {};
     for (const [owner, token] of tokenMap) {
       result[owner] = token;
     }
-    return result;
+    return result;
+  }
+  /**
+   * Get the user's Hub access token for MPP payment flow.
+   * Returns null if in guest mode or not authenticated.
+   */
+  getUserToken() {
+    return this.auth.getAccessToken();
+  }
+  /**
+   * Type guard for EndpointRef.
+   */
+  isEndpointRef(value) {
+    return typeof value === "object" && value !== null && "url" in value && "slug" in value && typeof value.url === "string" && typeof value.slug === "string";
+  }
+  /**
+   * Type guard for EndpointPublic.
+   */
+  isEndpointPublic(value) {
+    return typeof value === "object" && value !== null && "connect" in value && "ownerUsername" in value && Array.isArray(value.connect);
+  }
+  static COLLECTIVE_PREFIX = "collective/";
+  static TUNNELING_PREFIX = "tunneling:";
+  /**
+   * Expand any `collective/<slug>` (or `collective/<slug>/<shared-slug>`)
+   * entries in the data-sources list into the individual `owner/slug` paths
+   * of the collective's approved members.
+   *
+   * Path forms recognised:
+   * - `collective/<slug>` → every approved member (backward-compatible)
+   * - `collective/<slug>/all` → equivalent alias of the above
+   * - `collective/<slug>/<shared-slug>` → the named subset, intersected with
+   *   the collective's currently approved members
+   *
+   * Non-collective entries pass through unchanged. String paths are
+   * deduplicated so a regular endpoint that also belongs to a selected
+   * collective is not queried twice.
+   */
+  async expandCollectivePaths(dataSources) {
+    const expanded = [];
+    const seenPaths = /* @__PURE__ */ new Set();
+    for (const ds of dataSources) {
+      if (typeof ds === "string" && ds.startsWith(_ChatResource.COLLECTIVE_PREFIX)) {
+        const rest = ds.slice(_ChatResource.COLLECTIVE_PREFIX.length);
+        const slashAt = rest.indexOf("/");
+        const collectiveSlug = slashAt < 0 ? rest : rest.slice(0, slashAt);
+        const rawShared = slashAt < 0 ? void 0 : rest.slice(slashAt + 1);
+        const sharedSlug = rawShared && rawShared !== "all" ? rawShared : void 0;
+        if (!collectiveSlug) {
+          throw new EndpointResolutionError(`Malformed collective path: ${ds}`, ds);
+        }
+        let memberPaths;
+        try {
+          memberPaths = await this.hub.getCollectiveEndpointPaths(collectiveSlug, sharedSlug);
+        } catch (error) {
+          const target = sharedSlug ? `${collectiveSlug}/${sharedSlug}` : collectiveSlug;
+          throw new EndpointResolutionError(
+            `Failed to resolve collective '${target}': ${error instanceof Error ? error.message : String(error)}`,
+            ds
+          );
+        }
+        for (const path of memberPaths) {
+          if (!seenPaths.has(path)) {
+            seenPaths.add(path);
+            expanded.push(path);
+          }
+        }
+      } else if (typeof ds === "string") {
+        if (!seenPaths.has(ds)) {
+          seenPaths.add(ds);
+          expanded.push(ds);
+        }
+      } else {
+        expanded.push(ds);
+      }
+    }
+    return expanded;
   }
   /**
-   * Get transaction tokens for all unique endpoint owners.
-   * Returns a map of owner username to transaction token.
-   *
-   * Transaction tokens are used for billing - they authorize the endpoint
-   * owner to charge the current user for usage.
+   * Check if any endpoints use tunneling URLs and extract target usernames.
    */
-  async getTransactionTokensForOwners(owners) {
-    if (owners.length === 0) {
-      return {};
+  collectTunnelingUsernames(modelRef, dataSourceRefs) {
+    const usernames = /* @__PURE__ */ new Set();
+    if (modelRef.url.startsWith(_ChatResource.TUNNELING_PREFIX)) {
+      usernames.add(modelRef.url.slice(_ChatResource.TUNNELING_PREFIX.length));
+    }
+    for (const ds of dataSourceRefs) {
+      if (ds.url.startsWith(_ChatResource.TUNNELING_PREFIX)) {
+        usernames.add(ds.url.slice(_ChatResource.TUNNELING_PREFIX.length));
+      }
     }
-    const response = await this.auth.getTransactionTokens(owners);
-    return response.tokens;
+    return [...usernames];
   }
   /**
-   * Type guard for EndpointRef.
+   * Shared request preparation for complete() and stream().
+   * Resolves endpoints, fetches tokens, and builds the aggregator request body.
+   * Returns the request body and the resolved aggregator URL.
    */
-  isEndpointRef(value) {
-    return typeof value === "object" && value !== null && "url" in value && "slug" in value && typeof value.url === "string" && typeof value.slug === "string";
+  async prepareRequest(options, stream) {
+    const modelRef = await this.resolveEndpointRef(options.model, "model");
+    const expandedDataSources = await this.expandCollectivePaths(options.dataSources ?? []);
+    const dsRefs = [];
+    for (const ds of expandedDataSources) {
+      dsRefs.push(await this.resolveEndpointRef(ds, "data_source"));
+    }
+    const uniqueOwners = this.collectUniqueOwners(modelRef, dsRefs);
+    const guestMode = options.guestMode ?? false;
+    const endpointTokens = await this.getSatelliteTokensForOwners(uniqueOwners, guestMode);
+    const userToken = guestMode ? null : this.getUserToken();
+    let peerToken = options.peerToken;
+    let peerChannel = options.peerChannel;
+    if (!peerToken) {
+      const tunnelingUsernames = this.collectTunnelingUsernames(modelRef, dsRefs);
+      if (tunnelingUsernames.length > 0) {
+        const peerResponse = guestMode ? await this.auth.getGuestPeerToken(tunnelingUsernames) : await this.auth.getPeerToken(tunnelingUsernames);
+        peerToken = peerResponse.peerToken;
+        peerChannel = peerResponse.peerChannel;
+      }
+    }
+    const requestBody = this.buildRequestBody(
+      options.prompt,
+      modelRef,
+      dsRefs,
+      endpointTokens,
+      userToken,
+      {
+        topK: options.topK,
+        maxTokens: options.maxTokens,
+        temperature: options.temperature,
+        similarityThreshold: options.similarityThreshold,
+        stream,
+        messages: options.messages,
+        peerToken,
+        peerChannel
+      }
+    );
+    const effectiveAggregatorUrl = (options.aggregatorUrl ?? this.aggregatorUrl).replace(
+      /\/+$/,
+      ""
+    );
+    return { requestBody, effectiveAggregatorUrl };
   }
   /**
-   * Type guard for EndpointPublic.
+   * Parse an error response from the aggregator into an AggregatorError.
    */
-  isEndpointPublic(value) {
-    return typeof value === "object" && value !== null && "connect" in value && "ownerUsername" in value && Array.isArray(value.connect);
+  async handleAggregatorErrorResponse(response) {
+    let message = `HTTP ${response.status}`;
+    try {
+      const data = await response.json();
+      message = String(data["message"] ?? data["error"] ?? message);
+    } catch {
+    }
+    throw new AggregatorError(`Aggregator error: ${message}`, response.status);
   }
   /**
    * Build the request body for the aggregator.
    * Includes endpoint_tokens mapping for satellite token authentication.
-   * Includes transaction_tokens mapping for billing authorization.
+   * Includes user_token for MPP payment callback authorization.
    * User identity is derived from satellite tokens, not passed in request body.
    */
-  buildRequestBody(prompt, modelRef, dataSourceRefs, endpointTokens, transactionTokens, options) {
-    return {
+  buildRequestBody(prompt, modelRef, dataSourceRefs, endpointTokens, userToken, options) {
+    const body = {
       prompt,
       model: {
         url: modelRef.url,
@@ -1819,13 +2478,25 @@ var ChatResource = class {
         owner_username: ds.ownerUsername ?? null
       })),
       endpoint_tokens: endpointTokens,
-      transaction_tokens: transactionTokens,
       top_k: options.topK ?? 5,
       max_tokens: options.maxTokens ?? 1024,
       temperature: options.temperature ?? 0.7,
       similarity_threshold: options.similarityThreshold ?? 0.5,
       stream: options.stream ?? false
     };
+    if (userToken) {
+      body["user_token"] = userToken;
+    }
+    if (options.messages && options.messages.length > 0) {
+      body.messages = options.messages.map((m) => ({ role: m.role, content: m.content }));
+    }
+    if (options.peerToken) {
+      body["peer_token"] = options.peerToken;
+    }
+    if (options.peerChannel) {
+      body["peer_channel"] = options.peerChannel;
+    }
+    return body;
   }
   /**
    * Parse a SourceInfo from raw data.
@@ -1897,7 +2568,7 @@ var ChatResource = class {
    * This method automatically:
    * 1. Resolves endpoints and extracts owner information
    * 2. Exchanges Hub tokens for satellite tokens (one per unique owner)
-   * 3. Fetches transaction tokens for billing authorization
+   * 3. Passes the user's Hub access token for MPP payment authorization
    * 4. Sends tokens to the aggregator for forwarding to SyftAI-Space
    *
    * @param options - Chat completion options
@@ -1906,48 +2577,14 @@ var ChatResource = class {
    * @throws {AggregatorError} If aggregator service fails
    */
   async complete(options) {
-    const modelRef = await this.resolveEndpointRef(options.model, "model");
-    const dsRefs = [];
-    for (const ds of options.dataSources ?? []) {
-      dsRefs.push(await this.resolveEndpointRef(ds, "data_source"));
-    }
-    const uniqueOwners = this.collectUniqueOwners(modelRef, dsRefs);
-    const endpointTokens = await this.getSatelliteTokensForOwners(uniqueOwners);
-    const transactionTokens = await this.getTransactionTokensForOwners(uniqueOwners);
-    const requestBody = this.buildRequestBody(
-      options.prompt,
-      modelRef,
-      dsRefs,
-      endpointTokens,
-      transactionTokens,
-      {
-        topK: options.topK,
-        maxTokens: options.maxTokens,
-        temperature: options.temperature,
-        similarityThreshold: options.similarityThreshold,
-        stream: false
-      }
-    );
-    const effectiveAggregatorUrl = (options.aggregatorUrl ?? this.aggregatorUrl).replace(
-      /\/+$/,
-      ""
-    );
-    const url = `${effectiveAggregatorUrl}/chat`;
-    const response = await fetch(url, {
+    const { requestBody, effectiveAggregatorUrl } = await this.prepareRequest(options, false);
+    const response = await fetch(`${effectiveAggregatorUrl}/chat`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
+      headers: { "Content-Type": "application/json" },
       body: JSON.stringify(requestBody)
     });
     if (!response.ok) {
-      let message = `HTTP ${response.status}`;
-      try {
-        const data2 = await response.json();
-        message = String(data2["message"] ?? data2["error"] ?? message);
-      } catch {
-      }
-      throw new AggregatorError(`Aggregator error: ${message}`, response.status);
+      return this.handleAggregatorErrorResponse(response);
     }
     const data = await response.json();
     const sourcesData = data["sources"];
@@ -1958,12 +2595,14 @@ var ChatResource = class {
     const metadata = this.parseMetadata(metadataData ?? {});
     const usageData = data["usage"];
     const usage = usageData ? this.parseUsage(usageData) : void 0;
+    const profitShare = data["profit_share"];
     return {
       response: String(data["response"] ?? ""),
       sources,
       retrievalInfo,
       metadata,
-      usage
+      usage,
+      profitShare
     };
   }
   /**
@@ -1972,41 +2611,15 @@ var ChatResource = class {
    * This method automatically:
    * 1. Resolves endpoints and extracts owner information
    * 2. Exchanges Hub tokens for satellite tokens (one per unique owner)
-   * 3. Fetches transaction tokens for billing authorization
+   * 3. Passes the user's Hub access token for MPP payment authorization
    * 4. Sends tokens to the aggregator for forwarding to SyftAI-Space
    *
    * @param options - Chat completion options
    * @yields ChatStreamEvent objects as they arrive
    */
   async *stream(options) {
-    const modelRef = await this.resolveEndpointRef(options.model, "model");
-    const dsRefs = [];
-    for (const ds of options.dataSources ?? []) {
-      dsRefs.push(await this.resolveEndpointRef(ds, "data_source"));
-    }
-    const uniqueOwners = this.collectUniqueOwners(modelRef, dsRefs);
-    const endpointTokens = await this.getSatelliteTokensForOwners(uniqueOwners);
-    const transactionTokens = await this.getTransactionTokensForOwners(uniqueOwners);
-    const requestBody = this.buildRequestBody(
-      options.prompt,
-      modelRef,
-      dsRefs,
-      endpointTokens,
-      transactionTokens,
-      {
-        topK: options.topK,
-        maxTokens: options.maxTokens,
-        temperature: options.temperature,
-        similarityThreshold: options.similarityThreshold,
-        stream: true
-      }
-    );
-    const effectiveAggregatorUrl = (options.aggregatorUrl ?? this.aggregatorUrl).replace(
-      /\/+$/,
-      ""
-    );
-    const url = `${effectiveAggregatorUrl}/chat/stream`;
-    const response = await fetch(url, {
+    const { requestBody, effectiveAggregatorUrl } = await this.prepareRequest(options, true);
+    const response = await fetch(`${effectiveAggregatorUrl}/chat/stream`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -2016,55 +2629,22 @@ var ChatResource = class {
       signal: options.signal
     });
     if (!response.ok) {
-      let message = `HTTP ${response.status}`;
-      try {
-        const data = await response.json();
-        message = String(data["message"] ?? data["error"] ?? message);
-      } catch {
-      }
-      throw new AggregatorError(`Aggregator error: ${message}`, response.status);
+      return this.handleAggregatorErrorResponse(response);
     }
     if (!response.body) {
       throw new AggregatorError("No response body from aggregator");
     }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    let currentEvent = null;
-    let currentData = "";
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const lines = buffer.split("\n");
-        buffer = lines.pop() ?? "";
-        for (const line of lines) {
-          const trimmedLine = line.trim();
-          if (!trimmedLine) {
-            if (currentEvent && currentData) {
-              try {
-                const data = JSON.parse(currentData);
-                const event = this.parseSSEEvent(currentEvent, data);
-                if (event) {
-                  yield event;
-                }
-              } catch {
-              }
-            }
-            currentEvent = null;
-            currentData = "";
-            continue;
-          }
-          if (trimmedLine.startsWith("event:")) {
-            currentEvent = trimmedLine.slice(6).trim();
-          } else if (trimmedLine.startsWith("data:")) {
-            currentData = trimmedLine.slice(5).trim();
-          }
+    for await (const { event: eventName, data: dataStr } of readSSEEvents(response)) {
+      if (eventName === "message") continue;
+      try {
+        const data = JSON.parse(dataStr);
+        const event = this.parseSSEEvent(eventName, data);
+        if (event) {
+          yield event;
         }
+      } catch {
+        yield { type: "error", message: `Failed to parse SSE data: ${dataStr}` };
       }
-    } finally {
-      reader.releaseLock();
     }
   }
   /**
@@ -2090,8 +2670,24 @@ var ChatResource = class {
           totalDocuments: Number(data["total_documents"] ?? 0),
           timeMs: Number(data["time_ms"] ?? 0)
         };
+      case "reranking_start":
+        return {
+          type: "reranking_start",
+          documents: Number(data["documents"] ?? 0)
+        };
+      case "reranking_complete":
+        return {
+          type: "reranking_complete",
+          documents: Number(data["documents"] ?? 0),
+          timeMs: Number(data["time_ms"] ?? 0)
+        };
       case "generation_start":
         return { type: "generation_start" };
+      case "generation_heartbeat":
+        return {
+          type: "generation_heartbeat",
+          elapsedMs: Number(data["elapsed_ms"] ?? 0)
+        };
       case "token":
         return {
           type: "token",
@@ -2106,7 +2702,9 @@ var ChatResource = class {
         const metadata = this.parseMetadata(metadataData ?? {});
         const usageData = data["usage"];
         const usage = usageData ? this.parseUsage(usageData) : void 0;
-        return { type: "done", sources, retrievalInfo, metadata, usage };
+        const profitShare = data["profit_share"];
+        const response = data["response"];
+        return { type: "done", sources, retrievalInfo, metadata, usage, profitShare, response };
       }
       case "error":
         return {
@@ -2114,30 +2712,33 @@ var ChatResource = class {
           message: String(data["message"] ?? "Unknown error")
         };
       default:
+        console.warn(`[SyftHub] Unknown SSE event type received from aggregator: ${eventType}`);
         return {
           type: "error",
           message: `Unknown event type: ${eventType}`
         };
     }
   }
-  /**
-   * Get model endpoints that have connection URLs configured.
-   *
-   * @param limit - Maximum number of results (default: 20)
-   * @returns Array of EndpointPublic objects for models with URLs
-   */
-  async getAvailableModels(limit = 20) {
+  async getAvailableEndpoints(endpointType, limit) {
     const results = [];
     for await (const endpoint of this.hub.browse()) {
       if (results.length >= limit) break;
-      if (endpoint.type !== EndpointType.MODEL) continue;
-      const hasUrl = endpoint.connect.some((conn) => conn.enabled && conn.config["url"]);
-      if (hasUrl) {
+      if (endpoint.type !== endpointType) continue;
+      if (endpoint.connect.some((conn) => conn.enabled && conn.config["url"])) {
         results.push(endpoint);
       }
     }
     return results;
   }
+  /**
+   * Get model endpoints that have connection URLs configured.
+   *
+   * @param limit - Maximum number of results (default: 20)
+   * @returns Array of EndpointPublic objects for models with URLs
+   */
+  async getAvailableModels(limit = 20) {
+    return this.getAvailableEndpoints(EndpointType.MODEL, limit);
+  }
   /**
    * Get data source endpoints that have connection URLs configured.
    *
@@ -2145,16 +2746,7 @@ var ChatResource = class {
    * @returns Array of EndpointPublic objects for data sources with URLs
    */
   async getAvailableDataSources(limit = 20) {
-    const results = [];
-    for await (const endpoint of this.hub.browse()) {
-      if (results.length >= limit) break;
-      if (endpoint.type !== EndpointType.DATA_SOURCE) continue;
-      const hasUrl = endpoint.connect.some((conn) => conn.enabled && conn.config["url"]);
-      if (hasUrl) {
-        results.push(endpoint);
-      }
-    }
-    return results;
+    return this.getAvailableEndpoints(EndpointType.DATA_SOURCE, limit);
   }
 };
 
@@ -2177,28 +2769,125 @@ var GenerationError = class extends exports.SyftHubError {
   }
 };
 var SyftAIResource = class {
-  // No dependencies - uses direct fetch to SyftAI-Space endpoints
+  /**
+   * @param http - Hub HTTP client, used to mint satellite tokens and settle
+   *   MPP payments. Endpoint queries themselves use direct `fetch`, since the
+   *   SyftAI-Space URL is arbitrary and not the Hub base URL.
+   */
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Mint a satellite token for `audience` (the endpoint owner's username).
+   *
+   * Mirrors the aggregator's token coordination layer: try an authenticated
+   * token first, then fall back to a guest token. Returns `undefined` if both
+   * fail, so the caller can still attempt an unauthenticated request.
+   */
+  async mintSatelliteToken(audience) {
+    if (this.http.hasTokens()) {
+      try {
+        const res = await this.http.get("/api/v1/token", {
+          aud: audience
+        });
+        if (res.targetToken) return res.targetToken;
+      } catch {
+      }
+    }
+    try {
+      const res = await this.http.get(
+        "/api/v1/token/guest",
+        { aud: audience },
+        { includeAuth: false }
+      );
+      return res.targetToken;
+    } catch {
+      return void 0;
+    }
+  }
+  /**
+   * Pay an MPP `402` challenge via the Hub wallet, returning an X-Payment credential.
+   *
+   * Mirrors the aggregator's `handleMppPayment`: the `WWW-Authenticate`
+   * challenge is forwarded verbatim to the Hub's `/api/v1/wallet/pay`, which
+   * parses it and returns an `x_payment` string to attach to a retry.
+   */
+  async payMpp(wwwAuthenticate, slug) {
+    if (!wwwAuthenticate) return void 0;
+    const res = await this.http.post("/api/v1/wallet/pay", {
+      wwwAuthenticate,
+      endpointSlug: slug
+    });
+    return res.xPayment;
+  }
   /**
    * Build headers for SyftAI-Space request.
    */
-  buildHeaders(tenantName) {
+  buildHeaders(tenantName, authorizationToken) {
     const headers = {
       "Content-Type": "application/json"
     };
     if (tenantName) {
       headers["X-Tenant-Name"] = tenantName;
     }
+    if (authorizationToken) {
+      headers["Authorization"] = `Bearer ${authorizationToken}`;
+    }
     return headers;
   }
+  /**
+   * Parse documents from a SyftAI-Space query response.
+   *
+   * Mirrors the aggregator's `DataSourceClient._parse_syftai_response`: the
+   * canonical shape nests documents under `references.documents` and names the
+   * score `similarity_score`. A legacy top-level `documents` list (with
+   * `score`) is still honoured for backward compatibility.
+   */
+  parseDocuments(data) {
+    const references = data["references"];
+    let rawDocs;
+    let scoreKey = "score";
+    if (references && typeof references === "object") {
+      rawDocs = references["documents"];
+      scoreKey = "similarity_score";
+    } else {
+      rawDocs = data["documents"];
+    }
+    const documents = [];
+    if (Array.isArray(rawDocs)) {
+      for (const doc of rawDocs) {
+        documents.push({
+          content: String(doc["content"] ?? ""),
+          score: Number(doc[scoreKey] ?? doc["score"] ?? 0),
+          metadata: doc["metadata"] ?? {}
+        });
+      }
+    }
+    return documents;
+  }
   /**
    * Query a data source endpoint directly.
    *
+   * Authentication mirrors the aggregator: SyftAI-Space endpoints expect a
+   * satellite bearer token whose audience is the endpoint owner's username. If
+   * `authorizationToken` is not supplied, one is minted automatically when an
+   * owner is known (`ownerUsername` option or `endpoint.ownerUsername`).
+   *
    * @param options - Query options
    * @returns Array of Document objects
    * @throws {RetrievalError} If the query fails
    */
   async queryDataSource(options) {
-    const { endpoint, query, userEmail, topK = 5, similarityThreshold = 0.5 } = options;
+    const {
+      endpoint,
+      query,
+      userEmail,
+      topK = 5,
+      similarityThreshold = 0.5,
+      authorizationToken,
+      ownerUsername,
+      pay = false
+    } = options;
     const url = `${endpoint.url.replace(/\/$/, "")}/api/v1/endpoints/${endpoint.slug}/query`;
     const requestBody = {
       user_email: userEmail,
@@ -2207,19 +2896,44 @@ var SyftAIResource = class {
       limit: topK,
       similarity_threshold: similarityThreshold
     };
-    let response;
-    try {
-      response = await fetch(url, {
-        method: "POST",
-        headers: this.buildHeaders(endpoint.tenantName),
-        body: JSON.stringify(requestBody)
-      });
-    } catch (error) {
-      throw new RetrievalError(
-        `Failed to connect to data source '${endpoint.slug}': ${error instanceof Error ? error.message : String(error)}`,
-        endpoint.slug,
-        error
-      );
+    let token = authorizationToken;
+    if (!token) {
+      const audience = ownerUsername ?? endpoint.ownerUsername;
+      if (audience) {
+        token = await this.mintSatelliteToken(audience);
+      }
+    }
+    const headers = this.buildHeaders(endpoint.tenantName, token);
+    const postQuery = async (extraHeaders) => {
+      try {
+        return await fetch(url, {
+          method: "POST",
+          headers: { ...headers, ...extraHeaders },
+          body: JSON.stringify(requestBody)
+        });
+      } catch (error) {
+        throw new RetrievalError(
+          `Failed to connect to data source '${endpoint.slug}': ${error instanceof Error ? error.message : String(error)}`,
+          endpoint.slug,
+          error
+        );
+      }
+    };
+    let response = await postQuery();
+    if (response.status === 402 && pay) {
+      let xPayment;
+      try {
+        xPayment = await this.payMpp(response.headers.get("www-authenticate") ?? "", endpoint.slug);
+      } catch (error) {
+        throw new RetrievalError(
+          `Payment failed for data source '${endpoint.slug}': ${error instanceof Error ? error.message : String(error)}`,
+          endpoint.slug,
+          error
+        );
+      }
+      if (xPayment) {
+        response = await postQuery({ "X-Payment": xPayment });
+      }
     }
     if (!response.ok) {
       let message = `HTTP ${response.status}`;
@@ -2231,17 +2945,7 @@ var SyftAIResource = class {
       throw new RetrievalError(`Data source query failed: ${message}`, endpoint.slug);
     }
     const data = await response.json();
-    const documents = [];
-    const docsData = data["documents"];
-    if (Array.isArray(docsData)) {
-      for (const doc of docsData) {
-        documents.push({
-          content: String(doc["content"] ?? ""),
-          score: Number(doc["score"] ?? 0),
-          metadata: doc["metadata"] ?? {}
-        });
-      }
-    }
+    const documents = this.parseDocuments(data);
     return documents;
   }
   /**
@@ -2340,45 +3044,22 @@ var SyftAIResource = class {
     if (!response.body) {
       throw new GenerationError("No response body from model", endpoint.slug);
     }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const lines = buffer.split("\n");
-        buffer = lines.pop() ?? "";
-        for (const line of lines) {
-          const trimmedLine = line.trim();
-          if (!trimmedLine || trimmedLine.startsWith("event:")) {
-            continue;
-          }
-          if (trimmedLine.startsWith("data:")) {
-            const dataStr = trimmedLine.slice(5).trim();
-            if (dataStr === "[DONE]") {
-              return;
-            }
-            try {
-              const data = JSON.parse(dataStr);
-              if (typeof data["content"] === "string") {
-                yield data["content"];
-              } else if (Array.isArray(data["choices"])) {
-                for (const choice of data["choices"]) {
-                  const delta = choice["delta"];
-                  if (delta && typeof delta["content"] === "string") {
-                    yield delta["content"];
-                  }
-                }
-              }
-            } catch {
+    for await (const { data: dataStr } of readSSEEvents(response)) {
+      if (dataStr === "[DONE]") return;
+      try {
+        const data = JSON.parse(dataStr);
+        if (typeof data["content"] === "string") {
+          yield data["content"];
+        } else if (Array.isArray(data["choices"])) {
+          for (const choice of data["choices"]) {
+            const delta = choice["delta"];
+            if (delta && typeof delta["content"] === "string") {
+              yield delta["content"];
             }
           }
         }
+      } catch {
       }
-    } finally {
-      reader.releaseLock();
     }
   }
 };
@@ -2395,7 +3076,6 @@ function isBrowser() {
 }
 var SyftHubClient = class {
   http;
-  options;
   aggregatorUrl;
   // Lazy-initialized resources
   _auth;
@@ -2403,9 +3083,10 @@ var SyftHubClient = class {
   _myEndpoints;
   _hub;
   _accounting;
-  _accountingInitPromise = null;
+  _agent;
   _chat;
   _syftai;
+  _apiTokens;
   /**
    * Create a new SyftHub client.
    *
@@ -2413,7 +3094,6 @@ var SyftHubClient = class {
    * @throws {SyftHubError} If baseUrl is not provided and SYFTHUB_URL is not set (in non-browser environments)
    */
   constructor(options = {}) {
-    this.options = options;
     let baseUrl = options.baseUrl ?? getEnv("SYFTHUB_URL");
     if (!baseUrl && !isBrowser()) {
       throw new exports.SyftHubError(
@@ -2424,6 +3104,10 @@ var SyftHubClient = class {
     const normalizedUrl = baseUrl ? baseUrl.replace(/\/+$/, "") : "";
     this.http = new HTTPClient(normalizedUrl, options.timeout ?? 3e4);
     this.aggregatorUrl = options.aggregatorUrl ?? getEnv("SYFTHUB_AGGREGATOR_URL") ?? `${normalizedUrl}/aggregator/api/v1`;
+    const apiToken = options.apiToken ?? getEnv("SYFTHUB_API_TOKEN");
+    if (apiToken) {
+      this.http.setApiToken(apiToken);
+    }
   }
   /**
    * Authentication resource for login, register, and session management.
@@ -2479,13 +3163,33 @@ var SyftHubClient = class {
     return this._hub;
   }
   /**
-   * Accounting resource for billing and transactions.
+   * Agent resource for bidirectional agent sessions via WebSocket.
+   *
+   * @example
+   * const session = await client.agent.startSession({
+   *   prompt: 'Help me refactor this code',
+   *   endpoint: 'alice/code-assistant',
+   * });
+   *
+   * for await (const event of session.events()) {
+   *   console.log(event.type, event.payload);
+   * }
+   */
+  get agent() {
+    if (!this._agent) {
+      this._agent = new AgentResource(this.auth, this.aggregatorUrl);
+    }
+    return this._agent;
+  }
+  /**
+   * Accounting resource for wallet and payment operations.
    *
-   * The accounting service is external and uses separate credentials
-   * (email/password Basic auth) from SyftHub's JWT authentication.
+   * Provides access to MPP wallet management (balance, transactions,
+   * wallet creation/import). Uses the same SyftHub JWT authentication
+   * as other resources.
    *
-   * Credentials are automatically retrieved from the backend after login.
-   * You must call `initAccounting()` after login to initialize this resource.
+   * You must call `initAccounting()` after login to initialize this resource,
+   * or access it directly if already initialized.
    *
    * @throws {AuthenticationError} If not initialized
    *
@@ -2495,7 +3199,8 @@ var SyftHubClient = class {
    * await client.initAccounting();
    *
    * // Now accounting is available
-   * const user = await client.accounting.getUser();
+   * const wallet = await client.accounting.getWallet();
+   * const balance = await client.accounting.getBalance();
    */
   get accounting() {
     if (this._accounting) {
@@ -2506,14 +3211,13 @@ var SyftHubClient = class {
     );
   }
   /**
-   * Initialize accounting resource by fetching credentials from the backend.
+   * Initialize the accounting (wallet) resource.
    *
-   * This method retrieves accounting credentials from the SyftHub backend
-   * and initializes the accounting resource. Requires authentication.
+   * The wallet API uses the same SyftHub authentication as other resources.
+   * This method simply verifies authentication and creates the resource.
    *
    * @returns The initialized AccountingResource
    * @throws {AuthenticationError} If not authenticated
-   * @throws {ConfigurationError} If user has no accounting service configured
    *
    * @example
    * // Login first, then initialize accounting
@@ -2521,49 +3225,20 @@ var SyftHubClient = class {
    * await client.initAccounting();
    *
    * // Now accounting is available
-   * const user = await client.accounting.getUser();
+   * const wallet = await client.accounting.getWallet();
+   * const balance = await client.accounting.getBalance();
    */
   async initAccounting() {
     if (this._accounting) {
       return this._accounting;
     }
-    if (this._accountingInitPromise) {
-      return this._accountingInitPromise;
-    }
-    this._accountingInitPromise = this._doInitAccounting();
-    try {
-      this._accounting = await this._accountingInitPromise;
-      return this._accounting;
-    } finally {
-      this._accountingInitPromise = null;
-    }
-  }
-  /**
-   * Internal method to perform accounting initialization.
-   */
-  async _doInitAccounting() {
     if (!this.isAuthenticated) {
       throw new exports.AuthenticationError(
         "Must be logged in to use accounting. Call client.auth.login() first."
       );
     }
-    const creds = await this.users.getAccountingCredentials();
-    if (!creds.url) {
-      throw new exports.ConfigurationError(
-        "No accounting service configured for this user. Contact your administrator to set up accounting."
-      );
-    }
-    if (!creds.password) {
-      throw new exports.ConfigurationError(
-        "Accounting password not available. This may indicate an issue with your account setup."
-      );
-    }
-    return new AccountingResource({
-      url: creds.url,
-      email: creds.email,
-      password: creds.password,
-      timeout: this.options.timeout
-    });
+    this._accounting = new AccountingResource(this.http);
+    return this._accounting;
   }
   /**
    * Chat resource for RAG-augmented conversations via the Aggregator.
@@ -2623,10 +3298,44 @@ var SyftHubClient = class {
    */
   get syftai() {
     if (!this._syftai) {
-      this._syftai = new SyftAIResource();
+      this._syftai = new SyftAIResource(this.http);
     }
     return this._syftai;
   }
+  /**
+   * API Tokens resource for managing personal access tokens.
+   *
+   * API tokens provide an alternative to username/password authentication.
+   * They are ideal for CI/CD pipelines, scripts, and programmatic access.
+   *
+   * @example
+   * // Create a new token
+   * const result = await client.apiTokens.create({
+   *   name: 'CI/CD Pipeline',
+   *   scopes: ['write'],
+   * });
+   * console.log('Save this token:', result.token);
+   *
+   * // List all tokens
+   * const { tokens } = await client.apiTokens.list();
+   *
+   * // Revoke a token
+   * await client.apiTokens.revoke(tokenId);
+   */
+  get apiTokens() {
+    if (!this._apiTokens) {
+      this._apiTokens = new APITokensResource(this.http);
+    }
+    return this._apiTokens;
+  }
+  /**
+   * Check if the client is using API token authentication.
+   *
+   * @returns True if authenticated with an API token (vs JWT)
+   */
+  get isUsingApiToken() {
+    return this.http.isUsingApiToken();
+  }
   /**
    * Get current authentication tokens.
    *
@@ -2668,7 +3377,7 @@ var SyftHubClient = class {
     return this.http.hasTokens();
   }
   /**
-   * Check if accounting has been initialized.
+   * Check if the accounting (wallet) resource has been initialized.
    *
    * Use this to check if accounting is available before accessing
    * the `accounting` property, which will throw if not initialized.
@@ -2677,7 +3386,7 @@ var SyftHubClient = class {
    *
    * @example
    * if (client.isAccountingInitialized) {
-   *   const user = await client.accounting.getUser();
+   *   const wallet = await client.accounting.getWallet();
    * }
    */
   get isAccountingInitialized() {
@@ -2695,27 +3404,24 @@ var SyftHubClient = class {
 // src/index.ts
 init_errors();
 
+exports.APITokensResource = APITokensResource;
 exports.AccountingResource = AccountingResource;
+exports.AgentResource = AgentResource;
+exports.AgentSessionClient = AgentSessionClient;
+exports.AgentSessionError = AgentSessionError;
 exports.AggregatorError = AggregatorError;
+exports.AggregatorsResource = AggregatorsResource;
 exports.ChatResource = ChatResource;
-exports.CreatorType = CreatorType;
 exports.EndpointResolutionError = EndpointResolutionError;
 exports.EndpointType = EndpointType;
 exports.GenerationError = GenerationError;
-exports.OrganizationRole = OrganizationRole;
 exports.PageIterator = PageIterator;
 exports.RetrievalError = RetrievalError;
 exports.SyftAIResource = SyftAIResource;
 exports.SyftHubClient = SyftHubClient;
-exports.TransactionStatus = TransactionStatus;
 exports.UserRole = UserRole;
 exports.Visibility = Visibility;
 exports.createAccountingResource = createAccountingResource;
-exports.getEndpointOwnerType = getEndpointOwnerType;
 exports.getEndpointPublicPath = getEndpointPublicPath;
-exports.isTransactionCancelled = isTransactionCancelled;
-exports.isTransactionCompleted = isTransactionCompleted;
-exports.isTransactionPending = isTransactionPending;
-exports.parseTransaction = parseTransaction;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map