npm - @syfthub/sdk - Versions diffs - 0.1.1 → 0.2.1 - Mend

@syfthub/sdk 0.1.1 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -124,11 +124,21 @@ var init_errors = __esm({
 init_errors();
 // src/utils.ts
+var snakeToCamelCache = /* @__PURE__ */ new Map();
+var camelToSnakeCache = /* @__PURE__ */ new Map();
 function snakeToCamel(str) {
-  return str.replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
+  const cached = snakeToCamelCache.get(str);
+  if (cached !== void 0) return cached;
+  const result = str.replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
+  snakeToCamelCache.set(str, result);
+  return result;
 }
 function camelToSnake(str) {
-  return str.replace(/[A-Z]/g, (letter) => `_${letter.toLowerCase()}`);
+  const cached = camelToSnakeCache.get(str);
+  if (cached !== void 0) return cached;
+  const result = str.replace(/[A-Z]/g, (letter) => `_${letter.toLowerCase()}`);
+  camelToSnakeCache.set(str, result);
+  return result;
 }
 var ISO_DATE_REGEX = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/;
 function isISODateString(value) {
@@ -141,6 +151,9 @@ function transformKeys(obj, keyTransformer, parseDates = true) {
   if (Array.isArray(obj)) {
     return obj.map((item) => transformKeys(item, keyTransformer, parseDates));
   }
+  if (obj instanceof Date) {
+    return obj.toISOString();
+  }
   if (parseDates && isISODateString(obj)) {
     return new Date(obj);
   }
@@ -168,9 +181,61 @@ function buildSearchParams(params) {
   }
   return searchParams;
 }
+async function* readSSEEvents(response) {
+  if (!response.body) return;
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  let buffer = "";
+  let currentEvent = null;
+  let currentData = "";
+  const flush = function* () {
+    if (currentData) {
+      yield { event: currentEvent ?? "message", data: currentData };
+    }
+    currentEvent = null;
+    currentData = "";
+  };
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed) {
+          yield* flush();
+          continue;
+        }
+        if (trimmed.startsWith("event:")) {
+          currentEvent = trimmed.slice(6).trim();
+        } else if (trimmed.startsWith("data:")) {
+          if (currentData && currentEvent === null) {
+            yield* flush();
+          }
+          currentData = trimmed.slice(5).trim();
+        }
+      }
+    }
+    const trailing = buffer.trim();
+    if (trailing) {
+      if (trailing.startsWith("event:")) {
+        currentEvent = trailing.slice(6).trim();
+      } else if (trailing.startsWith("data:")) {
+        if (currentData && currentEvent === null) {
+          yield* flush();
+        }
+        currentData = trailing.slice(5).trim();
+      }
+    }
+    yield* flush();
+  } finally {
+    reader.releaseLock();
+  }
+}
 // src/http.ts
-init_errors();
 var HTTPClient = class {
   /**
    * Create a new HTTP client.
@@ -184,17 +249,32 @@ var HTTPClient = class {
   }
   accessToken = null;
   refreshToken = null;
+  apiToken = null;
   isRefreshing = false;
   refreshPromise = null;
   /**
-   * Set authentication tokens.
+   * Set JWT authentication tokens.
+   * Clears any API token if set.
    */
   setTokens(access, refresh) {
     this.accessToken = access;
     this.refreshToken = refresh;
+    this.apiToken = null;
   }
   /**
-   * Get current authentication tokens.
+   * Set API token for authentication.
+   * Clears any JWT tokens if set.
+   *
+   * @param token - The API token (starts with "syft_")
+   */
+  setApiToken(token) {
+    this.apiToken = token;
+    this.accessToken = null;
+    this.refreshToken = null;
+  }
+  /**
+   * Get current JWT authentication tokens.
+   * Returns null if using API token authentication.
    */
   getTokens() {
     if (!this.accessToken || !this.refreshToken) {
@@ -207,17 +287,30 @@ var HTTPClient = class {
     };
   }
   /**
-   * Clear authentication tokens.
+   * Check if using API token authentication.
+   */
+  isUsingApiToken() {
+    return this.apiToken !== null;
+  }
+  /**
+   * Clear all authentication (JWT and API tokens).
    */
   clearTokens() {
     this.accessToken = null;
     this.refreshToken = null;
+    this.apiToken = null;
   }
   /**
-   * Check if the client has valid tokens.
+   * Check if the client has valid authentication (JWT or API token).
    */
   hasTokens() {
-    return this.accessToken !== null;
+    return this.accessToken !== null || this.apiToken !== null;
+  }
+  /**
+   * Get the current bearer token (API token or JWT access token).
+   */
+  getBearerToken() {
+    return this.apiToken ?? this.accessToken;
   }
   /**
    * Make a GET request.
@@ -263,8 +356,9 @@ var HTTPClient = class {
       }
     }
     const headers = {};
-    if (includeAuth && this.accessToken) {
-      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    const bearerToken = this.getBearerToken();
+    if (includeAuth && bearerToken) {
+      headers["Authorization"] = `Bearer ${bearerToken}`;
     }
     let requestBody;
     if (body !== void 0) {
@@ -292,7 +386,7 @@ var HTTPClient = class {
         signal: controller.signal
       });
       clearTimeout(timeoutId);
-      if (response.status === 401 && includeAuth && this.refreshToken) {
+      if (response.status === 401 && includeAuth && this.refreshToken && !this.apiToken) {
         await this.attemptTokenRefresh();
         return this.request(method, path, {
           ...options,
@@ -479,6 +573,110 @@ var HTTPClient = class {
 // src/client.ts
 init_errors();
+// src/resources/api-tokens.ts
+var APITokensResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Create a new API token.
+   *
+   * IMPORTANT: The returned token is only shown ONCE!
+   * Make sure to save it immediately - it cannot be retrieved later.
+   *
+   * @param input - Token creation options
+   * @returns The created token with the full token value
+   *
+   * @example
+   * const result = await client.apiTokens.create({
+   *   name: 'CI/CD Pipeline',
+   *   scopes: ['write'],
+   *   expiresAt: new Date('2025-12-31'),
+   * });
+   *
+   * // SAVE THIS TOKEN - it will not be shown again!
+   * console.log(result.token);
+   */
+  async create(input) {
+    return this.http.post("/api/v1/auth/tokens", input);
+  }
+  /**
+   * List all API tokens for the current user.
+   *
+   * By default, only active tokens are returned.
+   * Note: The full token value is never returned - only the prefix.
+   *
+   * @param options - List options
+   * @returns List of tokens and total count
+   *
+   * @example
+   * // List active tokens
+   * const { tokens, total } = await client.apiTokens.list();
+   *
+   * // Include revoked tokens
+   * const all = await client.apiTokens.list({ includeInactive: true });
+   */
+  async list(options = {}) {
+    const params = {};
+    if (options.includeInactive !== void 0) {
+      params.include_inactive = options.includeInactive;
+    }
+    if (options.skip !== void 0) {
+      params.skip = options.skip;
+    }
+    if (options.limit !== void 0) {
+      params.limit = options.limit;
+    }
+    return this.http.get("/api/v1/auth/tokens", params);
+  }
+  /**
+   * Get a single API token by ID.
+   *
+   * Note: The full token value is never returned - only the prefix.
+   *
+   * @param tokenId - The token ID
+   * @returns The token details
+   *
+   * @example
+   * const token = await client.apiTokens.get(123);
+   * console.log(token.name, token.lastUsedAt);
+   */
+  async get(tokenId) {
+    return this.http.get(`/api/v1/auth/tokens/${tokenId}`);
+  }
+  /**
+   * Update an API token's name.
+   *
+   * Only the name can be updated. Scopes and expiration cannot be
+   * changed after creation.
+   *
+   * @param tokenId - The token ID
+   * @param input - Update options
+   * @returns The updated token
+   *
+   * @example
+   * const updated = await client.apiTokens.update(123, {
+   *   name: 'New Name',
+   * });
+   */
+  async update(tokenId, input) {
+    return this.http.patch(`/api/v1/auth/tokens/${tokenId}`, input);
+  }
+  /**
+   * Revoke an API token.
+   *
+   * The token becomes immediately unusable. This action cannot be undone.
+   *
+   * @param tokenId - The token ID to revoke
+   *
+   * @example
+   * await client.apiTokens.revoke(123);
+   */
+  async revoke(tokenId) {
+    await this.http.delete(`/api/v1/auth/tokens/${tokenId}`);
+  }
+};
 // src/resources/auth.ts
 init_errors();
 var AuthResource = class {
@@ -546,8 +744,13 @@ var AuthResource = class {
     const response = await this.http.post("/api/v1/auth/register", input, {
       includeAuth: false
     });
-    this.http.setTokens(response.accessToken, response.refreshToken);
-    return response.user;
+    if (response.accessToken && response.refreshToken) {
+      this.http.setTokens(response.accessToken, response.refreshToken);
+    }
+    return {
+      user: response.user,
+      requiresEmailVerification: response.requiresEmailVerification
+    };
   }
   /**
    * Login with username/email and password.
@@ -621,6 +824,115 @@ var AuthResource = class {
       newPassword
     });
   }
+  /**
+   * Get the platform's authentication configuration.
+   *
+   * No authentication required. Use this to determine whether email
+   * verification or password reset is available.
+   *
+   * @returns AuthConfig with feature flags
+   */
+  async getAuthConfig() {
+    return this.http.get("/api/v1/auth/config", void 0, { includeAuth: false });
+  }
+  /**
+   * Verify a registration OTP and receive auth tokens.
+   *
+   * After registering when email verification is required, call this with
+   * the 6-digit code sent to the user's email.
+   *
+   * Idempotent: if the user is already verified, tokens are issued immediately.
+   *
+   * @param input - Email and 6-digit code
+   * @returns The authenticated User
+   * @throws {APIError} If the code is invalid or max attempts exceeded
+   */
+  async verifyOtp(input) {
+    const response = await this.http.post("/api/v1/auth/register/verify-otp", input, {
+      includeAuth: false
+    });
+    this.http.setTokens(response.accessToken, response.refreshToken);
+    return response.user;
+  }
+  /**
+   * Resend the registration OTP code.
+   *
+   * Rate-limited. Always returns successfully to prevent email enumeration.
+   *
+   * @param email - Email address to resend the OTP to
+   */
+  async resendOtp(email) {
+    await this.http.post(
+      "/api/v1/auth/register/resend-otp",
+      { email },
+      {
+        includeAuth: false
+      }
+    );
+  }
+  /**
+   * Request a password reset OTP.
+   *
+   * Always returns successfully to prevent email enumeration.
+   * If SMTP is not configured on the server, this is a no-op.
+   *
+   * @param input - Email address for password reset
+   */
+  async requestPasswordReset(input) {
+    await this.http.post("/api/v1/auth/password-reset/request", input, {
+      includeAuth: false
+    });
+  }
+  /**
+   * Confirm a password reset with OTP and set a new password.
+   *
+   * @param input - Email, 6-digit code, and new password
+   * @throws {APIError} If the code is invalid or max attempts exceeded
+   */
+  async confirmPasswordReset(input) {
+    await this.http.post("/api/v1/auth/password-reset/confirm", input, {
+      includeAuth: false
+    });
+  }
+  /**
+   * Get a peer token for NATS communication with tunneling spaces.
+   *
+   * Peer tokens are short-lived credentials that allow the aggregator to
+   * communicate with tunneling SyftAI Spaces via NATS pub/sub.
+   *
+   * @param targetUsernames - Usernames of the tunneling spaces to communicate with
+   * @returns PeerTokenResponse with token, channel, expiry, and NATS URL
+   * @throws {AuthenticationError} If not authenticated
+   *
+   * @example
+   * const peer = await client.auth.getPeerToken(['alice', 'bob']);
+   * console.log(`Peer channel: ${peer.peerChannel}, expires in ${peer.expiresIn}s`);
+   */
+  async getPeerToken(targetUsernames) {
+    return this.http.post("/api/v1/peer-token", {
+      target_usernames: targetUsernames
+    });
+  }
+  /**
+   * Get a guest peer token for NATS communication without authentication.
+   *
+   * Guest peer tokens are rate-limited by IP address. They use the same
+   * response format as authenticated peer tokens.
+   *
+   * @param targetUsernames - Usernames of the tunneling spaces to communicate with
+   * @returns PeerTokenResponse with token, channel, expiry, and NATS URL
+   *
+   * @example
+   * const peer = await client.auth.getGuestPeerToken(['alice']);
+   * console.log(`Guest peer channel: ${peer.peerChannel}`);
+   */
+  async getGuestPeerToken(targetUsernames) {
+    return this.http.post(
+      "/api/v1/nats/guest-peer-token",
+      { target_usernames: targetUsernames },
+      { includeAuth: false }
+    );
+  }
   /**
    * Get a satellite token for a specific audience (target service).
    *
@@ -665,6 +977,59 @@ var AuthResource = class {
         return { audience: aud, token: response.targetToken };
       })
     );
+    for (const [i, result] of results.entries()) {
+      if (result.status === "fulfilled") {
+        tokenMap.set(result.value.audience, result.value.token);
+      } else {
+        console.warn(
+          `[SyftHub] Failed to fetch satellite token for "${uniqueAudiences[i]}":`,
+          result.reason
+        );
+      }
+    }
+    return tokenMap;
+  }
+  /**
+   * Get a guest satellite token for a specific audience (target service).
+   *
+   * Guest tokens allow unauthenticated users to access policy-free endpoints.
+   * No authentication is required to call this method.
+   *
+   * @param audience - Target service identifier (username of the service owner)
+   * @returns Satellite token response with token and expiry
+   * @throws {ValidationError} If audience is invalid or inactive
+   *
+   * @example
+   * // Get a guest token for querying alice's policy-free endpoints
+   * const tokenResponse = await client.auth.getGuestSatelliteToken('alice');
+   */
+  async getGuestSatelliteToken(audience) {
+    return this.http.get(
+      "/api/v1/token/guest",
+      { aud: audience },
+      { includeAuth: false }
+    );
+  }
+  /**
+   * Get guest satellite tokens for multiple audiences in parallel.
+   *
+   * No authentication is required to call this method.
+   *
+   * @param audiences - Array of unique audience identifiers (usernames)
+   * @returns Map of audience to satellite token
+   *
+   * @example
+   * const tokens = await client.auth.getGuestSatelliteTokens(['alice', 'bob']);
+   */
+  async getGuestSatelliteTokens(audiences) {
+    const uniqueAudiences = [...new Set(audiences)];
+    const tokenMap = /* @__PURE__ */ new Map();
+    const results = await Promise.allSettled(
+      uniqueAudiences.map(async (aud) => {
+        const response = await this.getGuestSatelliteToken(aud);
+        return { audience: aud, token: response.targetToken };
+      })
+    );
     for (const result of results) {
       if (result.status === "fulfilled") {
         tokenMap.set(result.value.audience, result.value.token);
@@ -675,38 +1040,137 @@ var AuthResource = class {
   /**
    * Get transaction tokens for multiple endpoint owners.
    *
-   * Transaction tokens are short-lived JWTs that pre-authorize the endpoint owner
-   * (recipient) to charge the current user (sender) for usage. These tokens are
-   * created via the accounting service and passed to the aggregator.
+   * @deprecated Transaction tokens are no longer needed. Payments are handled
+   * via the MPP 402 flow. This method is kept for backward compatibility and
+   * always returns empty tokens/errors.
+   *
+   * @param ownerUsernames - Array of endpoint owner usernames (ignored)
+   * @returns TransactionTokensResponse with empty tokens and errors
+   */
+  async getTransactionTokens(ownerUsernames) {
+    return { tokens: {}, errors: {} };
+  }
+  /**
+   * Get the current access token (JWT or API token).
+   *
+   * This is used by the chat flow to pass the user's Hub token to the
+   * aggregator for the MPP payment callback.
    *
-   * This is used by the chat flow to enable billing for endpoint usage.
+   * @returns The current access token, or null if not authenticated
+   */
+  getAccessToken() {
+    const tokens = this.http.getTokens();
+    return tokens?.accessToken ?? null;
+  }
+};
+// src/resources/aggregators.ts
+var AggregatorsResource = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * List all aggregator configurations for the current user.
    *
-   * @param ownerUsernames - Array of endpoint owner usernames
-   * @returns TransactionTokensResponse with tokens map and any errors
+   * @returns Array of UserAggregator objects
    * @throws {AuthenticationError} If not authenticated
    *
    * @example
-   * // Get transaction tokens for endpoint owners
-   * const response = await client.auth.getTransactionTokens(['alice', 'bob']);
-   * console.log(`Got ${Object.keys(response.tokens).length} tokens`);
-   * if (Object.keys(response.errors).length > 0) {
-   *   console.log('Some tokens failed:', response.errors);
+   * const aggregators = await client.users.aggregators.list();
+   * for (const agg of aggregators) {
+   *   if (agg.isDefault) {
+   *     console.log(`Default: ${agg.name}`);
+   *   }
    * }
    */
-  async getTransactionTokens(ownerUsernames) {
-    const uniqueOwners = [...new Set(ownerUsernames)];
-    if (uniqueOwners.length === 0) {
-      return { tokens: {}, errors: {} };
-    }
-    try {
-      return await this.http.post(
-        "/api/v1/accounting/transaction-tokens",
-        { owner_usernames: uniqueOwners }
-      );
-    } catch (error) {
-      console.warn("Failed to get transaction tokens:", error);
-      return { tokens: {}, errors: {} };
-    }
+  async list() {
+    return this.http.get("/api/v1/users/me/aggregators");
+  }
+  /**
+   * Get a specific aggregator configuration by ID.
+   *
+   * @param aggregatorId - The aggregator ID
+   * @returns The UserAggregator object
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   *
+   * @example
+   * const agg = await client.users.aggregators.get(1);
+   * console.log(`${agg.name}: ${agg.url}`);
+   */
+  async get(aggregatorId) {
+    return this.http.get(`/api/v1/users/me/aggregators/${aggregatorId}`);
+  }
+  /**
+   * Create a new aggregator configuration.
+   *
+   * The first aggregator created is automatically set as the default.
+   *
+   * @param input - Aggregator creation input
+   * @returns The created UserAggregator object
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If input is invalid
+   *
+   * @example
+   * const agg = await client.users.aggregators.create({
+   *   name: 'My Custom Aggregator',
+   *   url: 'https://my-aggregator.example.com'
+   * });
+   * console.log(`Created: ${agg.id}`);
+   */
+  async create(input) {
+    return this.http.post("/api/v1/users/me/aggregators", input);
+  }
+  /**
+   * Update an aggregator configuration.
+   *
+   * Only provided fields will be updated.
+   *
+   * @param aggregatorId - The aggregator ID to update
+   * @param input - Fields to update
+   * @returns The updated UserAggregator object
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   * @throws {ValidationError} If input is invalid
+   *
+   * @example
+   * const agg = await client.users.aggregators.update(1, {
+   *   name: 'Updated Name'
+   * });
+   */
+  async update(aggregatorId, input) {
+    return this.http.put(`/api/v1/users/me/aggregators/${aggregatorId}`, input);
+  }
+  /**
+   * Delete an aggregator configuration.
+   *
+   * @param aggregatorId - The aggregator ID to delete
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   *
+   * @example
+   * await client.users.aggregators.delete(1);
+   */
+  async delete(aggregatorId) {
+    await this.http.delete(`/api/v1/users/me/aggregators/${aggregatorId}`);
+  }
+  /**
+   * Set an aggregator as the default.
+   *
+   * Only one aggregator can be the default at a time. Setting a new default
+   * automatically unsets the previous one.
+   *
+   * @param aggregatorId - The aggregator ID to set as default
+   * @returns The updated UserAggregator object with isDefault=true
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {NotFoundError} If aggregator not found
+   *
+   * @example
+   * const agg = await client.users.aggregators.setDefault(2);
+   * console.log(`${agg.name} is now the default`);
+   */
+  async setDefault(aggregatorId) {
+    return this.http.patch(`/api/v1/users/me/aggregators/${aggregatorId}/default`);
   }
 };
@@ -715,6 +1179,34 @@ var UsersResource = class {
   constructor(http) {
     this.http = http;
   }
+  _aggregators;
+  /**
+   * Access aggregator management operations.
+   *
+   * @returns AggregatorsResource for managing user's aggregator configurations
+   *
+   * @example
+   * // List aggregators
+   * const aggregators = await client.users.aggregators.list();
+   * for (const agg of aggregators) {
+   *   console.log(`${agg.name}: ${agg.url}`);
+   * }
+   *
+   * // Create aggregator
+   * const agg = await client.users.aggregators.create({
+   *   name: 'My Aggregator',
+   *   url: 'https://my-aggregator.example.com'
+   * });
+   *
+   * // Set as default
+   * await client.users.aggregators.setDefault(agg.id);
+   */
+  get aggregators() {
+    if (!this._aggregators) {
+      this._aggregators = new AggregatorsResource(this.http);
+    }
+    return this._aggregators;
+  }
   /**
    * Update the current user's profile.
    *
@@ -774,17 +1266,61 @@ var UsersResource = class {
   async getAccountingCredentials() {
     return this.http.get("/api/v1/users/me/accounting");
   }
-};
-// src/pagination.ts
-var PageIterator = class {
   /**
-   * Create a new PageIterator.
+   * Send a heartbeat to indicate this SyftAI Space is alive.
    *
-   * @param fetcher - Function that fetches a page of items given skip and limit
-   * @param pageSize - Number of items to fetch per page (default: 20)
-   */
-  constructor(fetcher, pageSize = 20) {
+   * The heartbeat mechanism allows SyftAI Spaces to signal their availability
+   * to SyftHub. This should be called periodically (before the TTL expires)
+   * to maintain the "active" status.
+   *
+   * @param input - Heartbeat parameters
+   * @param input.url - Full URL of this space (e.g., "https://myspace.example.com").
+   *                    The server extracts the domain from this URL.
+   * @param input.ttlSeconds - Time-to-live in seconds (1-3600). The server caps this
+   *                           at a maximum of 600 seconds (10 minutes). Default is 300
+   *                           seconds (5 minutes).
+   * @returns HeartbeatResponse containing status, expiry time, domain, and effective TTL
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If URL or TTL is invalid
+   *
+   * @example
+   * // Send heartbeat with default TTL (300 seconds)
+   * const response = await client.users.sendHeartbeat({
+   *   url: 'https://myspace.example.com'
+   * });
+   * console.log(`Next heartbeat before: ${response.expiresAt}`);
+   *
+   * @example
+   * // Send heartbeat with custom TTL
+   * const response = await client.users.sendHeartbeat({
+   *   url: 'https://myspace.example.com',
+   *   ttlSeconds: 600  // Maximum allowed
+   * });
+   */
+  async sendHeartbeat(input) {
+    const response = await this.http.post("/api/v1/users/me/heartbeat", {
+      url: input.url,
+      ttl_seconds: input.ttlSeconds ?? 300
+    });
+    return {
+      status: response.status,
+      receivedAt: new Date(response.received_at),
+      expiresAt: new Date(response.expires_at),
+      domain: response.domain,
+      ttlSeconds: response.ttl_seconds
+    };
+  }
+};
+// src/pagination.ts
+var PageIterator = class {
+  /**
+   * Create a new PageIterator.
+   *
+   * @param fetcher - Function that fetches a page of items given skip and limit
+   * @param pageSize - Number of items to fetch per page (default: 20)
+   */
+  constructor(fetcher, pageSize = 20) {
     this.fetcher = fetcher;
     this.pageSize = pageSize;
   }
@@ -902,14 +1438,12 @@ var MyEndpointsResource = class {
    * Create a new endpoint.
    *
    * @param input - Endpoint creation details
-   * @param organizationId - Optional organization ID (for org-owned endpoints)
    * @returns The created Endpoint
    * @throws {AuthenticationError} If not authenticated
    * @throws {ValidationError} If input validation fails
    */
-  async create(input, organizationId) {
-    const body = organizationId !== void 0 ? { ...input, organizationId } : input;
-    return this.http.post("/api/v1/endpoints", body);
+  async create(input) {
+    return this.http.post("/api/v1/endpoints", input);
   }
   /**
    * Get a specific endpoint by path.
@@ -970,7 +1504,6 @@ var MyEndpointsResource = class {
    * 3. Is ATOMIC: either all endpoints sync successfully, or none do
    *
    * Important Notes:
-   * - Organization endpoints are NOT affected
    * - Stars on existing endpoints will be lost (reset to 0)
    * - Endpoint IDs will change (new IDs assigned)
    * - Maximum 100 endpoints per sync request
@@ -1044,17 +1577,23 @@ var HubResource = class {
   /**
    * Browse all public endpoints.
    *
-   * @param options - Pagination options
+   * @param options - Filter and pagination options
    * @returns PageIterator that lazily fetches endpoints
+   *
+   * @example
+   * // Browse only model endpoints
+   * const models = await client.hub.browse({ endpointType: 'model' }).firstPage();
    */
   browse(options) {
     const pageSize = options?.pageSize ?? 20;
     return new PageIterator(async (skip, limit) => {
-      return this.http.get(
-        "/api/v1/endpoints/public",
-        { skip, limit },
-        { includeAuth: false }
-      );
+      const params = { skip, limit };
+      if (options?.endpointType !== void 0) {
+        params["endpoint_type"] = options.endpointType;
+      }
+      return this.http.get("/api/v1/endpoints/public", params, {
+        includeAuth: false
+      });
     }, pageSize);
   }
   /**
@@ -1062,19 +1601,57 @@ var HubResource = class {
    *
    * @param options - Filter and pagination options
    * @returns PageIterator that lazily fetches endpoints
+   *
+   * @example
+   * // Get trending models only
+   * const models = await client.hub.trending({ endpointType: 'model' }).firstPage();
    */
   trending(options) {
     const pageSize = options?.pageSize ?? 20;
     return new PageIterator(async (skip, limit) => {
       const params = { skip, limit };
+      if (options?.endpointType !== void 0) {
+        params["endpoint_type"] = options.endpointType;
+      }
       if (options?.minStars !== void 0) {
-        params["minStars"] = options.minStars;
+        params["min_stars"] = options.minStars;
       }
       return this.http.get("/api/v1/endpoints/trending", params, {
         includeAuth: false
       });
     }, pageSize);
   }
+  /**
+   * List endpoints accessible to unauthenticated (guest) users.
+   *
+   * Guest-accessible endpoints are public, active, and have no policies attached.
+   * No authentication is required to call this method.
+   *
+   * @param options - Filter and pagination options
+   * @returns PageIterator that lazily fetches guest-accessible endpoints
+   *
+   * @example
+   * // List all guest-accessible endpoints
+   * for await (const endpoint of client.hub.guestAccessible()) {
+   *   console.log(`${endpoint.ownerUsername}/${endpoint.slug}: ${endpoint.name}`);
+   * }
+   *
+   * @example
+   * // List only guest-accessible models
+   * const models = await client.hub.guestAccessible({ endpointType: 'model' }).firstPage();
+   */
+  guestAccessible(options) {
+    const pageSize = options?.pageSize ?? 20;
+    return new PageIterator(async (skip, limit) => {
+      const params = { skip, limit };
+      if (options?.endpointType !== void 0) {
+        params["endpoint_type"] = options.endpointType;
+      }
+      return this.http.get("/api/v1/endpoints/guest-accessible", params, {
+        includeAuth: false
+      });
+    }, pageSize);
+  }
   /**
    * Search for endpoints using semantic search.
    *
@@ -1170,6 +1747,26 @@ var HubResource = class {
     const endpointId = await this.resolveEndpointId(path);
     await this.http.delete(`/api/v1/endpoints/${endpointId}/star`);
   }
+  /**
+   * Get the owner/slug paths of a collective's approved member endpoints,
+   * optionally narrowed to a single shared-endpoint subset.
+   *
+   * Used by the chat resource to expand both `collective/<slug>` and
+   * `collective/<slug>/<shared-slug>` data-source references into the
+   * individual endpoint paths before building the aggregator request.
+   *
+   * @param slug - The collective slug (e.g. "genomics-research")
+   * @param sharedSlug - Optional curated-subset slug. When provided, only the
+   *   intersection of the subset's configured endpoints with the collective's
+   *   currently approved members is returned. Omit for "all approved members".
+   * @returns Array of "owner/slug" path strings
+   * @throws {NotFoundError} If the collective (or shared endpoint) does not exist
+   */
+  async getCollectiveEndpointPaths(slug, sharedSlug) {
+    const base = `/api/v1/collectives/by-slug/${encodeURIComponent(slug)}`;
+    const path = sharedSlug ? `${base}/shared-endpoints/${encodeURIComponent(sharedSlug)}/endpoint-paths` : `${base}/endpoint-paths`;
+    return this.http.get(path, {}, { includeAuth: false });
+  }
   /**
    * Check if you have starred an endpoint.
    *
@@ -1187,489 +1784,408 @@ var HubResource = class {
   }
 };
-// src/models/common.ts
-var Visibility = {
-  /** Visible to everyone, no authentication required */
-  PUBLIC: "public",
-  /** Only visible to the owner and collaborators */
-  PRIVATE: "private",
-  /** Visible to authenticated users within the organization */
-  INTERNAL: "internal"
-};
-var EndpointType = {
-  /** Machine learning model endpoint */
-  MODEL: "model",
-  /** Data source endpoint */
-  DATA_SOURCE: "data_source"
-};
-var UserRole = {
-  /** Administrator with full access */
-  ADMIN: "admin",
-  /** Regular user */
-  USER: "user",
-  /** Guest user with limited access */
-  GUEST: "guest"
-};
-var OrganizationRole = {
-  /** Organization owner with full control */
-  OWNER: "owner",
-  /** Administrator with management privileges */
-  ADMIN: "admin",
-  /** Regular member */
-  MEMBER: "member"
-};
-// src/models/endpoint.ts
-function getEndpointOwnerType(endpoint) {
-  return endpoint.organizationId !== null ? "organization" : "user";
-}
-function getEndpointPublicPath(endpoint) {
-  return `${endpoint.ownerUsername}/${endpoint.slug}`;
-}
-// src/models/accounting.ts
-var TransactionStatus = {
-  /** Transaction created, awaiting confirmation */
-  PENDING: "pending",
-  /** Transaction confirmed, funds transferred */
-  COMPLETED: "completed",
-  /** Transaction cancelled, no funds transferred */
-  CANCELLED: "cancelled"
-};
-var CreatorType = {
-  /** System-initiated transaction */
-  SYSTEM: "system",
-  /** Sender-initiated transaction */
-  SENDER: "sender",
-  /** Recipient-initiated transaction (delegated) */
-  RECIPIENT: "recipient"
-};
-function parseTransaction(response) {
-  return {
-    ...response,
-    createdAt: new Date(response.createdAt),
-    resolvedAt: response.resolvedAt ? new Date(response.resolvedAt) : null
-  };
-}
-function isTransactionPending(tx) {
-  return tx.status === TransactionStatus.PENDING;
-}
-function isTransactionCompleted(tx) {
-  return tx.status === TransactionStatus.COMPLETED;
-}
-function isTransactionCancelled(tx) {
-  return tx.status === TransactionStatus.CANCELLED;
-}
 // src/resources/accounting.ts
-init_errors();
-async function handleResponseError(response) {
-  if (response.ok) return;
-  let detail;
-  try {
-    const body = await response.json();
-    detail = body.detail ?? body.message ?? JSON.stringify(body);
-  } catch {
-    detail = await response.text() || `HTTP ${response.status}`;
-  }
-  switch (response.status) {
-    case 401:
-      throw new AuthenticationError(`Authentication failed: ${detail}`);
-    case 403:
-      throw new AuthorizationError(`Permission denied: ${detail}`);
-    case 404:
-      throw new NotFoundError(`Not found: ${detail}`);
-    case 422:
-      throw new ValidationError(`Validation error: ${detail}`);
-    default:
-      throw new APIError(`Accounting API error: ${detail}`, response.status);
-  }
-}
-function createBasicAuth(email, password) {
-  const credentials = `${email}:${password}`;
-  const encoded = typeof btoa !== "undefined" ? btoa(credentials) : Buffer.from(credentials).toString("base64");
-  return `Basic ${encoded}`;
-}
 var AccountingResource = class {
-  baseUrl;
-  email;
-  password;
-  timeout;
-  authHeader;
-  constructor(options) {
-    this.baseUrl = options.url.replace(/\/$/, "");
-    this.email = options.email;
-    this.password = options.password;
-    this.timeout = options.timeout ?? 3e4;
-    this.authHeader = createBasicAuth(this.email, this.password);
-  }
-  // ===========================================================================
-  // Private HTTP Methods
-  // ===========================================================================
-  /**
-   * Make an authenticated request to the accounting service.
-   */
-  async request(method, path, options) {
-    const url = new URL(path, this.baseUrl);
-    if (options?.params) {
-      for (const [key, value] of Object.entries(options.params)) {
-        url.searchParams.set(key, String(value));
-      }
-    }
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-    try {
-      const response = await fetch(url.toString(), {
-        method,
-        headers: {
-          Authorization: this.authHeader,
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: options?.body ? JSON.stringify(options.body) : void 0,
-        signal: controller.signal
-      });
-      await handleResponseError(response);
-      if (response.status === 204) {
-        return {};
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof SyftHubError) {
-        throw error;
-      }
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new APIError("Request timeout", 408);
-      }
-      throw new APIError(
-        `Accounting request failed: ${error instanceof Error ? error.message : "Unknown error"}`,
-        0
-      );
-    } finally {
-      clearTimeout(timeoutId);
-    }
-  }
-  /**
-   * Make a request using Bearer token auth (for delegated transactions).
-   */
-  async requestWithToken(method, path, token, options) {
-    const url = new URL(path, this.baseUrl);
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-    try {
-      const response = await fetch(url.toString(), {
-        method,
-        headers: {
-          Authorization: `Bearer ${token}`,
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: options?.body ? JSON.stringify(options.body) : void 0,
-        signal: controller.signal
-      });
-      await handleResponseError(response);
-      if (response.status === 204) {
-        return {};
-      }
-      return await response.json();
-    } catch (error) {
-      if (error instanceof SyftHubError) {
-        throw error;
-      }
-      if (error instanceof Error && error.name === "AbortError") {
-        throw new APIError("Request timeout", 408);
-      }
-      throw new APIError(
-        `Accounting request failed: ${error instanceof Error ? error.message : "Unknown error"}`,
-        0
-      );
-    } finally {
-      clearTimeout(timeoutId);
-    }
+  constructor(http) {
+    this.http = http;
   }
   // ===========================================================================
-  // User Operations
+  // Wallet Operations
   // ===========================================================================
   /**
-   * Get the current user's account information including balance.
+   * Get the current user's wallet information.
    *
-   * @returns AccountingUser with id, email, balance, and organization
-   * @throws {AuthenticationError} If authentication fails
-   * @throws {APIError} On other errors
+   * @returns WalletInfo with address and existence status
+   * @throws {AuthenticationError} If not authenticated
    *
    * @example
    * ```typescript
-   * const user = await accounting.getUser();
-   * console.log(`Balance: ${user.balance}`);
-   * console.log(`Organization: ${user.organization}`);
+   * const wallet = await client.accounting.getWallet();
+   * if (wallet.exists) {
+   *   console.log(`Wallet address: ${wallet.address}`);
+   * } else {
+   *   console.log('No wallet configured');
+   * }
    * ```
    */
-  async getUser() {
-    return this.request("GET", "/user");
+  async getWallet() {
+    return this.http.get("/api/v1/wallet/");
   }
   /**
-   * Update the user's password.
+   * Get the current user's wallet balance and recent transactions.
    *
-   * @param currentPassword - Current password for verification
-   * @param newPassword - New password to set
-   * @throws {AuthenticationError} If current password is wrong
-   * @throws {ValidationError} If new password doesn't meet requirements
+   * @returns WalletBalance with balance, currency, and recent transactions
+   * @throws {AuthenticationError} If not authenticated
    *
    * @example
    * ```typescript
-   * await accounting.updatePassword('old_secret', 'new_secret');
+   * const balance = await client.accounting.getBalance();
+   * console.log(`Balance: ${balance.balance} ${balance.currency}`);
+   * console.log(`Wallet configured: ${balance.wallet_configured}`);
    * ```
    */
-  async updatePassword(currentPassword, newPassword) {
-    await this.request("PUT", "/user/password", {
-      body: {
-        oldPassword: currentPassword,
-        newPassword
-      }
-    });
+  async getBalance() {
+    return this.http.get("/api/v1/wallet/balance");
   }
   /**
-   * Update the user's organization.
+   * Get the current user's wallet transactions.
    *
-   * @param organization - New organization name
-   * @throws {AuthenticationError} If authentication fails
+   * @returns Array of WalletTransaction objects
+   * @throws {AuthenticationError} If not authenticated
    *
    * @example
    * ```typescript
-   * await accounting.updateOrganization('OpenMined');
+   * const transactions = await client.accounting.getTransactions();
+   * for (const tx of transactions) {
+   *   console.log(`${tx.created_at}: ${tx.amount} ${tx.status}`);
+   * }
    * ```
    */
-  async updateOrganization(organization) {
-    await this.request("PUT", "/user/organization", {
-      body: { organization }
-    });
+  async getTransactions() {
+    return this.http.get("/api/v1/wallet/transactions");
   }
-  // ===========================================================================
-  // Transaction Listing
-  // ===========================================================================
   /**
-   * List account transactions with pagination.
+   * Create a new wallet for the current user.
    *
-   * Returns a lazy iterator that fetches pages on demand.
+   * Generates a new wallet with a fresh keypair. The wallet address
+   * is returned and stored on the server.
    *
-   * @param options - Pagination options
-   * @returns PageIterator that yields Transaction objects
+   * @returns Object with the new wallet address
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If user already has a wallet
    *
    * @example
    * ```typescript
-   * // Iterate through all transactions
-   * for await (const tx of accounting.getTransactions()) {
-   *   console.log(`${tx.createdAt}: ${tx.amount} from ${tx.senderEmail}`);
-   * }
-   *
-   * // Get first page only
-   * const firstPage = await accounting.getTransactions().firstPage();
-   *
-   * // Get all transactions
-   * const allTxs = await accounting.getTransactions().all();
+   * const result = await client.accounting.createWallet();
+   * console.log(`New wallet address: ${result.address}`);
    * ```
    */
-  getTransactions(options) {
-    const pageSize = options?.pageSize ?? 20;
-    return new PageIterator(async (skip, limit) => {
-      const response = await this.request("GET", "/transactions", {
-        params: { skip, limit }
-      });
-      return response.map(parseTransaction);
-    }, pageSize);
+  async createWallet() {
+    return this.http.post("/api/v1/wallet/create", {});
   }
   /**
-   * Get a specific transaction by ID.
+   * Import an existing wallet using a private key.
    *
-   * @param transactionId - The transaction ID
-   * @returns Transaction object
-   * @throws {NotFoundError} If transaction not found
+   * @param privateKey - The private key to import
+   * @returns Object with the imported wallet address
+   * @throws {AuthenticationError} If not authenticated
+   * @throws {ValidationError} If the private key is invalid
    *
    * @example
    * ```typescript
-   * const tx = await accounting.getTransaction('tx_123');
-   * console.log(`Status: ${tx.status}`);
+   * const result = await client.accounting.importWallet('0x...');
+   * console.log(`Imported wallet address: ${result.address}`);
    * ```
    */
-  async getTransaction(transactionId) {
-    const response = await this.request(
-      "GET",
-      `/transactions/${transactionId}`
-    );
-    return parseTransaction(response);
+  async importWallet(privateKey) {
+    return this.http.post("/api/v1/wallet/import", {
+      private_key: privateKey
+    });
+  }
+};
+function createAccountingResource(options) {
+  throw new Error(
+    "createAccountingResource() is deprecated. The wallet API is now accessed through the SyftHubClient. Use client.initAccounting() after login instead."
+  );
+}
+// src/resources/agent.ts
+init_errors();
+var AgentSessionError = class extends SyftHubError {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "AgentSessionError";
+  }
+};
+var AgentResource = class {
+  constructor(auth, aggregatorUrl) {
+    this.auth = auth;
+    this.aggregatorUrl = aggregatorUrl;
   }
-  // ===========================================================================
-  // Direct Transaction Operations
-  // ===========================================================================
   /**
-   * Create a new transaction (direct transfer).
-   *
-   * Creates a PENDING transaction that must be confirmed or cancelled.
-   * The transaction is created by the sender (current user).
-   *
-   * @param input - Transaction details
-   * @returns Transaction in PENDING status
-   * @throws {ValidationError} If amount <= 0 or insufficient balance
-   *
-   * @example
-   * ```typescript
-   * const tx = await accounting.createTransaction({
-   *   recipientEmail: 'bob@example.com',
-   *   amount: 10.0,
-   *   appName: 'syftai-space',
-   *   appEpPath: 'alice/my-model'
-   * });
-   * console.log(`Created transaction ${tx.id}: ${tx.status}`);
+   * Start a new agent session.
    *
-   * // Later, confirm or cancel
-   * await accounting.confirmTransaction(tx.id);
-   * ```
+   * @param options - Session options including prompt, endpoint, and config
+   * @returns An AgentSessionClient for interacting with the session
    */
-  async createTransaction(input) {
-    if (input.amount <= 0) {
-      throw new ValidationError("Amount must be greater than 0");
-    }
-    const response = await this.request("POST", "/transactions", {
-      body: {
-        recipientEmail: input.recipientEmail,
-        amount: input.amount,
-        ...input.appName && { appName: input.appName },
-        ...input.appEpPath && { appEpPath: input.appEpPath }
+  async startSession(options) {
+    let owner;
+    let slug;
+    if (typeof options.endpoint === "string") {
+      const parts = options.endpoint.split("/");
+      if (parts.length !== 2) {
+        throw new AgentSessionError(
+          `Endpoint must be in 'owner/slug' format, got: ${options.endpoint}`
+        );
+      }
+      owner = parts[0];
+      slug = parts[1];
+    } else {
+      owner = options.endpoint.owner;
+      slug = options.endpoint.slug;
+    }
+    const satResponse = await this.auth.getSatelliteToken(owner);
+    const peerResponse = await this.auth.getPeerToken([owner]);
+    const wsUrl = this.aggregatorUrl.replace(/^http/, "ws") + "/agent/session";
+    const ws = new WebSocket(wsUrl);
+    await new Promise((resolve, reject) => {
+      const onOpen = () => {
+        ws.removeEventListener("error", onError);
+        resolve();
+      };
+      const onError = (_e) => {
+        ws.removeEventListener("open", onOpen);
+        reject(new AgentSessionError("Failed to connect to agent WebSocket"));
+      };
+      ws.addEventListener("open", onOpen, { once: true });
+      ws.addEventListener("error", onError, { once: true });
+      if (options.signal) {
+        options.signal.addEventListener(
+          "abort",
+          () => {
+            ws.close();
+            reject(new AgentSessionError("Session start aborted"));
+          },
+          { once: true }
+        );
       }
     });
-    return parseTransaction(response);
-  }
-  /**
-   * Confirm a pending transaction.
-   *
-   * Confirms the transaction, transferring funds from sender to recipient.
-   * Can be called by either the sender or recipient.
-   *
-   * @param transactionId - The transaction ID to confirm
-   * @returns Transaction in COMPLETED status
-   * @throws {NotFoundError} If transaction not found
-   * @throws {ValidationError} If transaction is not in PENDING status
-   *
-   * @example
-   * ```typescript
-   * const tx = await accounting.confirmTransaction('tx_123');
-   * console.log(`Confirmed: ${tx.status}`); // "completed"
-   * ```
-   */
-  async confirmTransaction(transactionId) {
-    const response = await this.request(
-      "POST",
-      `/transactions/${transactionId}/confirm`
+    const startPayload = {
+      prompt: options.prompt,
+      endpoint: { owner, slug },
+      satellite_token: satResponse.targetToken,
+      peer_token: peerResponse.peerToken,
+      peer_channel: peerResponse.peerChannel
+    };
+    if (options.config) {
+      startPayload.config = options.config;
+    }
+    if (options.messages) {
+      startPayload.messages = options.messages;
+    }
+    ws.send(
+      JSON.stringify({
+        type: "session.start",
+        payload: startPayload
+      })
     );
-    return parseTransaction(response);
+    const response = await new Promise((resolve, reject) => {
+      const onMessage = (event) => {
+        try {
+          const data = JSON.parse(event.data);
+          if (data.type === "session.created") {
+            ws.removeEventListener("message", onMessage);
+            resolve({
+              session_id: data.session_id || data.payload?.session_id
+            });
+          } else if (data.type === "agent.error") {
+            ws.removeEventListener("message", onMessage);
+            reject(
+              new AgentSessionError(
+                data.payload?.message || "Session start failed",
+                data.payload?.code
+              )
+            );
+          }
+        } catch {
+          reject(new AgentSessionError("Failed to parse session response"));
+        }
+      };
+      ws.addEventListener("message", onMessage);
+    });
+    return new AgentSessionClient(ws, response.session_id);
+  }
+};
+var AgentSessionClient = class {
+  constructor(ws, sessionId) {
+    this.ws = ws;
+    this.sessionId = sessionId;
+    this.ws.addEventListener("message", (event) => {
+      this._handleMessage(event);
+    });
+    this.ws.addEventListener("close", () => {
+      this._handleClose();
+    });
+    this.ws.addEventListener("error", () => {
+      this._state = "error";
+      this._handleClose();
+    });
+  }
+  _state = "running";
+  _sequenceCounter = 0;
+  _messageQueue = [];
+  _messageResolvers = [];
+  _closed = false;
+  /** Current session state */
+  get state() {
+    return this._state;
   }
   /**
-   * Cancel a pending transaction.
-   *
-   * Cancels the transaction without transferring funds.
-   * Can be called by either the sender or recipient.
-   *
-   * @param transactionId - The transaction ID to cancel
-   * @returns Transaction in CANCELLED status
-   * @throws {NotFoundError} If transaction not found
-   * @throws {ValidationError} If transaction is not in PENDING status
+   * Async generator yielding agent events.
    *
    * @example
-   * ```typescript
-   * const tx = await accounting.cancelTransaction('tx_123');
-   * console.log(`Cancelled: ${tx.status}`); // "cancelled"
-   * ```
+   * for await (const event of session.events()) {
+   *   console.log(event.type, event.payload);
+   * }
    */
-  async cancelTransaction(transactionId) {
-    const response = await this.request(
-      "POST",
-      `/transactions/${transactionId}/cancel`
-    );
-    return parseTransaction(response);
+  async *events() {
+    while (!this._closed) {
+      const event = await this._nextEvent();
+      if (event === null) break;
+      yield event;
+    }
   }
-  // ===========================================================================
-  // Delegated Transaction Operations
-  // ===========================================================================
   /**
-   * Create a transaction token for delegated transfers.
-   *
-   * Creates a JWT token that authorizes the recipient to create a
-   * transaction on behalf of the sender (current user). The token
-   * is short-lived (typically ~5 minutes).
+   * Register an event handler.
    *
-   * Use this when you want to pre-authorize a payment that will be
-   * initiated by the recipient (e.g., a service charging for usage).
-   *
-   * @param recipientEmail - Email of the authorized recipient
-   * @returns JWT token string to share with recipient
-   *
-   * @example
-   * ```typescript
-   * // Sender creates token
-   * const token = await accounting.createTransactionToken('service@example.com');
-   *
-   * // Share token with recipient out-of-band
-   * // Recipient uses token to create delegated transaction
-   * ```
+   * @param eventType - The event type to listen for, or '*' for all events
+   * @param handler - Callback function
    */
-  async createTransactionToken(recipientEmail) {
-    const response = await this.request("POST", "/token/create", {
-      body: { recipientEmail }
+  on(eventType, handler) {
+    this.ws.addEventListener("message", (msgEvent) => {
+      try {
+        const data = JSON.parse(msgEvent.data);
+        if (eventType === "*" || data.type === eventType) {
+          handler(data);
+        }
+      } catch {
+      }
     });
-    return response.token;
   }
-  /**
-   * Create a delegated transaction using a pre-authorized token.
-   *
-   * Creates a transaction on behalf of the sender using their token.
-   * This is typically used by services to charge users for usage.
-   *
-   * The token authenticates the request instead of Basic auth.
-   *
-   * @param senderEmail - Email of the sender who created the token
-   * @param amount - Amount to transfer (must be > 0)
-   * @param token - JWT token from sender's createTransactionToken()
-   * @returns Transaction in PENDING status (createdBy=RECIPIENT)
-   * @throws {AuthenticationError} If token is invalid or expired
-   * @throws {ValidationError} If amount <= 0
-   *
-   * @example
-   * ```typescript
-   * // Recipient creates transaction using sender's token
-   * const tx = await accounting.createDelegatedTransaction(
-   *   'alice@example.com',
-   *   5.0,
-   *   aliceToken
-   * );
-   *
-   * // Recipient confirms the transaction
-   * await accounting.confirmTransaction(tx.id);
-   * ```
-   */
-  async createDelegatedTransaction(senderEmail, amount, token) {
-    if (amount <= 0) {
-      throw new ValidationError("Amount must be greater than 0");
+  /** Send a user message to the agent */
+  sendMessage(content) {
+    this._send({
+      type: "user.message",
+      payload: { content }
+    });
+  }
+  /** Confirm a tool call */
+  confirm(toolCallId) {
+    this._send({
+      type: "user.confirm",
+      payload: { tool_call_id: toolCallId }
+    });
+  }
+  /** Deny a tool call */
+  deny(toolCallId, reason) {
+    this._send({
+      type: "user.deny",
+      payload: { tool_call_id: toolCallId, reason }
+    });
+  }
+  /** Cancel the session */
+  cancel() {
+    this._state = "cancelled";
+    this._send({ type: "user.cancel" });
+  }
+  /** Close the session and WebSocket */
+  close() {
+    if (this._closed) return;
+    this._send({ type: "session.close" });
+    this.ws.close();
+    this._handleClose();
+  }
+  // ---- Internal ----
+  _send(msg) {
+    if (this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(msg));
     }
-    const response = await this.requestWithToken(
-      "POST",
-      "/transactions",
-      token,
-      {
-        body: {
-          senderEmail,
-          amount
-        }
+  }
+  _handleMessage(event) {
+    try {
+      const data = JSON.parse(event.data);
+      this._sequenceCounter++;
+      switch (data.type) {
+        case "agent.request_input":
+          this._state = "awaiting_input";
+          break;
+        case "session.completed":
+          this._state = "completed";
+          break;
+        case "session.failed":
+          this._state = "failed";
+          break;
+        case "agent.error":
+          if (!data.payload.recoverable) {
+            this._state = "error";
+          }
+          break;
+        default:
+          if (this._state === "awaiting_input" || this._state === "connecting") {
+            this._state = "running";
+          }
       }
-    );
-    return parseTransaction(response);
+      if (this._messageResolvers.length > 0) {
+        const resolve = this._messageResolvers.shift();
+        resolve(data);
+      } else {
+        this._messageQueue.push(data);
+      }
+      if (data.type === "session.completed" || data.type === "session.failed") {
+        this._handleClose();
+      }
+    } catch {
+    }
+  }
+  _handleClose() {
+    if (this._closed) return;
+    this._closed = true;
+    for (const resolve of this._messageResolvers) {
+      resolve(null);
+    }
+    this._messageResolvers = [];
+  }
+  _nextEvent() {
+    if (this._messageQueue.length > 0) {
+      return Promise.resolve(this._messageQueue.shift());
+    }
+    if (this._closed) {
+      return Promise.resolve(null);
+    }
+    return new Promise((resolve) => {
+      this._messageResolvers.push(resolve);
+    });
   }
 };
-function createAccountingResource(options) {
-  return new AccountingResource(options);
-}
 // src/resources/chat.ts
 init_errors();
+// src/models/common.ts
+var Visibility = {
+  /** Visible to everyone, no authentication required */
+  PUBLIC: "public",
+  /** Only visible to the owner and collaborators */
+  PRIVATE: "private",
+  /** Behaves like private — only visible to the owner */
+  INTERNAL: "internal"
+};
+var EndpointType = {
+  /** Machine learning model endpoint */
+  MODEL: "model",
+  /** Data source endpoint */
+  DATA_SOURCE: "data_source",
+  /** Both model and data source endpoint */
+  MODEL_DATA_SOURCE: "model_data_source",
+  /** Agent endpoint with session-based interaction */
+  AGENT: "agent"
+};
+var UserRole = {
+  /** Administrator with full access */
+  ADMIN: "admin",
+  /** Regular user */
+  USER: "user",
+  /** Guest user with limited access */
+  GUEST: "guest"
+};
+// src/models/endpoint.ts
+function getEndpointPublicPath(endpoint) {
+  return `${endpoint.ownerUsername}/${endpoint.slug}`;
+}
+// src/resources/chat.ts
 var AggregatorError = class extends SyftHubError {
   constructor(message, status, detail) {
     super(message);
@@ -1685,12 +2201,26 @@ var EndpointResolutionError = class extends SyftHubError {
     this.name = "EndpointResolutionError";
   }
 };
-var ChatResource = class {
+var ChatResource = class _ChatResource {
   constructor(hub, auth, aggregatorUrl) {
     this.hub = hub;
     this.auth = auth;
     this.aggregatorUrl = aggregatorUrl;
   }
+  /**
+   * Check if an endpoint type matches the expected type.
+   * A model_data_source endpoint matches both 'model' and 'data_source'.
+   */
+  static typeMatches(actualType, expectedType) {
+    if (actualType === expectedType) return true;
+    if (actualType === EndpointType.MODEL_DATA_SOURCE) {
+      return expectedType === EndpointType.MODEL || expectedType === EndpointType.DATA_SOURCE;
+    }
+    if (actualType === EndpointType.AGENT && expectedType === EndpointType.MODEL) {
+      return true;
+    }
+    return false;
+  }
   /**
    * Convert any endpoint format to EndpointRef with URL and owner info.
    * The ownerUsername is critical for satellite token authentication.
@@ -1700,7 +2230,7 @@ var ChatResource = class {
       return endpoint;
     }
     if (this.isEndpointPublic(endpoint)) {
-      if (expectedType && endpoint.type !== expectedType) {
+      if (expectedType && !_ChatResource.typeMatches(endpoint.type, expectedType)) {
         throw new Error(
           `Expected endpoint type '${expectedType}', got '${endpoint.type}' for '${endpoint.slug}'`
         );
@@ -1755,52 +2285,181 @@ var ChatResource = class {
   /**
    * Get satellite tokens for all unique endpoint owners.
    * Returns a map of owner username to satellite token.
+   *
+   * @param owners - Array of unique owner usernames
+   * @param guestMode - If true, fetch guest tokens (no auth required)
    */
-  async getSatelliteTokensForOwners(owners) {
+  async getSatelliteTokensForOwners(owners, guestMode = false) {
     if (owners.length === 0) {
       return {};
     }
-    const tokenMap = await this.auth.getSatelliteTokens(owners);
+    const tokenMap = guestMode ? await this.auth.getGuestSatelliteTokens(owners) : await this.auth.getSatelliteTokens(owners);
     const result = {};
     for (const [owner, token] of tokenMap) {
       result[owner] = token;
     }
-    return result;
+    return result;
+  }
+  /**
+   * Get the user's Hub access token for MPP payment flow.
+   * Returns null if in guest mode or not authenticated.
+   */
+  getUserToken() {
+    return this.auth.getAccessToken();
+  }
+  /**
+   * Type guard for EndpointRef.
+   */
+  isEndpointRef(value) {
+    return typeof value === "object" && value !== null && "url" in value && "slug" in value && typeof value.url === "string" && typeof value.slug === "string";
+  }
+  /**
+   * Type guard for EndpointPublic.
+   */
+  isEndpointPublic(value) {
+    return typeof value === "object" && value !== null && "connect" in value && "ownerUsername" in value && Array.isArray(value.connect);
+  }
+  static COLLECTIVE_PREFIX = "collective/";
+  static TUNNELING_PREFIX = "tunneling:";
+  /**
+   * Expand any `collective/<slug>` (or `collective/<slug>/<shared-slug>`)
+   * entries in the data-sources list into the individual `owner/slug` paths
+   * of the collective's approved members.
+   *
+   * Path forms recognised:
+   * - `collective/<slug>` → every approved member (backward-compatible)
+   * - `collective/<slug>/all` → equivalent alias of the above
+   * - `collective/<slug>/<shared-slug>` → the named subset, intersected with
+   *   the collective's currently approved members
+   *
+   * Non-collective entries pass through unchanged. String paths are
+   * deduplicated so a regular endpoint that also belongs to a selected
+   * collective is not queried twice.
+   */
+  async expandCollectivePaths(dataSources) {
+    const expanded = [];
+    const seenPaths = /* @__PURE__ */ new Set();
+    for (const ds of dataSources) {
+      if (typeof ds === "string" && ds.startsWith(_ChatResource.COLLECTIVE_PREFIX)) {
+        const rest = ds.slice(_ChatResource.COLLECTIVE_PREFIX.length);
+        const slashAt = rest.indexOf("/");
+        const collectiveSlug = slashAt < 0 ? rest : rest.slice(0, slashAt);
+        const rawShared = slashAt < 0 ? void 0 : rest.slice(slashAt + 1);
+        const sharedSlug = rawShared && rawShared !== "all" ? rawShared : void 0;
+        if (!collectiveSlug) {
+          throw new EndpointResolutionError(`Malformed collective path: ${ds}`, ds);
+        }
+        let memberPaths;
+        try {
+          memberPaths = await this.hub.getCollectiveEndpointPaths(collectiveSlug, sharedSlug);
+        } catch (error) {
+          const target = sharedSlug ? `${collectiveSlug}/${sharedSlug}` : collectiveSlug;
+          throw new EndpointResolutionError(
+            `Failed to resolve collective '${target}': ${error instanceof Error ? error.message : String(error)}`,
+            ds
+          );
+        }
+        for (const path of memberPaths) {
+          if (!seenPaths.has(path)) {
+            seenPaths.add(path);
+            expanded.push(path);
+          }
+        }
+      } else if (typeof ds === "string") {
+        if (!seenPaths.has(ds)) {
+          seenPaths.add(ds);
+          expanded.push(ds);
+        }
+      } else {
+        expanded.push(ds);
+      }
+    }
+    return expanded;
   }
   /**
-   * Get transaction tokens for all unique endpoint owners.
-   * Returns a map of owner username to transaction token.
-   *
-   * Transaction tokens are used for billing - they authorize the endpoint
-   * owner to charge the current user for usage.
+   * Check if any endpoints use tunneling URLs and extract target usernames.
    */
-  async getTransactionTokensForOwners(owners) {
-    if (owners.length === 0) {
-      return {};
+  collectTunnelingUsernames(modelRef, dataSourceRefs) {
+    const usernames = /* @__PURE__ */ new Set();
+    if (modelRef.url.startsWith(_ChatResource.TUNNELING_PREFIX)) {
+      usernames.add(modelRef.url.slice(_ChatResource.TUNNELING_PREFIX.length));
+    }
+    for (const ds of dataSourceRefs) {
+      if (ds.url.startsWith(_ChatResource.TUNNELING_PREFIX)) {
+        usernames.add(ds.url.slice(_ChatResource.TUNNELING_PREFIX.length));
+      }
     }
-    const response = await this.auth.getTransactionTokens(owners);
-    return response.tokens;
+    return [...usernames];
   }
   /**
-   * Type guard for EndpointRef.
+   * Shared request preparation for complete() and stream().
+   * Resolves endpoints, fetches tokens, and builds the aggregator request body.
+   * Returns the request body and the resolved aggregator URL.
    */
-  isEndpointRef(value) {
-    return typeof value === "object" && value !== null && "url" in value && "slug" in value && typeof value.url === "string" && typeof value.slug === "string";
+  async prepareRequest(options, stream) {
+    const modelRef = await this.resolveEndpointRef(options.model, "model");
+    const expandedDataSources = await this.expandCollectivePaths(options.dataSources ?? []);
+    const dsRefs = [];
+    for (const ds of expandedDataSources) {
+      dsRefs.push(await this.resolveEndpointRef(ds, "data_source"));
+    }
+    const uniqueOwners = this.collectUniqueOwners(modelRef, dsRefs);
+    const guestMode = options.guestMode ?? false;
+    const endpointTokens = await this.getSatelliteTokensForOwners(uniqueOwners, guestMode);
+    const userToken = guestMode ? null : this.getUserToken();
+    let peerToken = options.peerToken;
+    let peerChannel = options.peerChannel;
+    if (!peerToken) {
+      const tunnelingUsernames = this.collectTunnelingUsernames(modelRef, dsRefs);
+      if (tunnelingUsernames.length > 0) {
+        const peerResponse = guestMode ? await this.auth.getGuestPeerToken(tunnelingUsernames) : await this.auth.getPeerToken(tunnelingUsernames);
+        peerToken = peerResponse.peerToken;
+        peerChannel = peerResponse.peerChannel;
+      }
+    }
+    const requestBody = this.buildRequestBody(
+      options.prompt,
+      modelRef,
+      dsRefs,
+      endpointTokens,
+      userToken,
+      {
+        topK: options.topK,
+        maxTokens: options.maxTokens,
+        temperature: options.temperature,
+        similarityThreshold: options.similarityThreshold,
+        stream,
+        messages: options.messages,
+        peerToken,
+        peerChannel
+      }
+    );
+    const effectiveAggregatorUrl = (options.aggregatorUrl ?? this.aggregatorUrl).replace(
+      /\/+$/,
+      ""
+    );
+    return { requestBody, effectiveAggregatorUrl };
   }
   /**
-   * Type guard for EndpointPublic.
+   * Parse an error response from the aggregator into an AggregatorError.
    */
-  isEndpointPublic(value) {
-    return typeof value === "object" && value !== null && "connect" in value && "ownerUsername" in value && Array.isArray(value.connect);
+  async handleAggregatorErrorResponse(response) {
+    let message = `HTTP ${response.status}`;
+    try {
+      const data = await response.json();
+      message = String(data["message"] ?? data["error"] ?? message);
+    } catch {
+    }
+    throw new AggregatorError(`Aggregator error: ${message}`, response.status);
   }
   /**
    * Build the request body for the aggregator.
    * Includes endpoint_tokens mapping for satellite token authentication.
-   * Includes transaction_tokens mapping for billing authorization.
+   * Includes user_token for MPP payment callback authorization.
    * User identity is derived from satellite tokens, not passed in request body.
    */
-  buildRequestBody(prompt, modelRef, dataSourceRefs, endpointTokens, transactionTokens, options) {
-    return {
+  buildRequestBody(prompt, modelRef, dataSourceRefs, endpointTokens, userToken, options) {
+    const body = {
       prompt,
       model: {
         url: modelRef.url,
@@ -1817,13 +2476,25 @@ var ChatResource = class {
         owner_username: ds.ownerUsername ?? null
       })),
       endpoint_tokens: endpointTokens,
-      transaction_tokens: transactionTokens,
       top_k: options.topK ?? 5,
       max_tokens: options.maxTokens ?? 1024,
       temperature: options.temperature ?? 0.7,
       similarity_threshold: options.similarityThreshold ?? 0.5,
       stream: options.stream ?? false
     };
+    if (userToken) {
+      body["user_token"] = userToken;
+    }
+    if (options.messages && options.messages.length > 0) {
+      body.messages = options.messages.map((m) => ({ role: m.role, content: m.content }));
+    }
+    if (options.peerToken) {
+      body["peer_token"] = options.peerToken;
+    }
+    if (options.peerChannel) {
+      body["peer_channel"] = options.peerChannel;
+    }
+    return body;
   }
   /**
    * Parse a SourceInfo from raw data.
@@ -1895,7 +2566,7 @@ var ChatResource = class {
    * This method automatically:
    * 1. Resolves endpoints and extracts owner information
    * 2. Exchanges Hub tokens for satellite tokens (one per unique owner)
-   * 3. Fetches transaction tokens for billing authorization
+   * 3. Passes the user's Hub access token for MPP payment authorization
    * 4. Sends tokens to the aggregator for forwarding to SyftAI-Space
    *
    * @param options - Chat completion options
@@ -1904,48 +2575,14 @@ var ChatResource = class {
    * @throws {AggregatorError} If aggregator service fails
    */
   async complete(options) {
-    const modelRef = await this.resolveEndpointRef(options.model, "model");
-    const dsRefs = [];
-    for (const ds of options.dataSources ?? []) {
-      dsRefs.push(await this.resolveEndpointRef(ds, "data_source"));
-    }
-    const uniqueOwners = this.collectUniqueOwners(modelRef, dsRefs);
-    const endpointTokens = await this.getSatelliteTokensForOwners(uniqueOwners);
-    const transactionTokens = await this.getTransactionTokensForOwners(uniqueOwners);
-    const requestBody = this.buildRequestBody(
-      options.prompt,
-      modelRef,
-      dsRefs,
-      endpointTokens,
-      transactionTokens,
-      {
-        topK: options.topK,
-        maxTokens: options.maxTokens,
-        temperature: options.temperature,
-        similarityThreshold: options.similarityThreshold,
-        stream: false
-      }
-    );
-    const effectiveAggregatorUrl = (options.aggregatorUrl ?? this.aggregatorUrl).replace(
-      /\/+$/,
-      ""
-    );
-    const url = `${effectiveAggregatorUrl}/chat`;
-    const response = await fetch(url, {
+    const { requestBody, effectiveAggregatorUrl } = await this.prepareRequest(options, false);
+    const response = await fetch(`${effectiveAggregatorUrl}/chat`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
+      headers: { "Content-Type": "application/json" },
       body: JSON.stringify(requestBody)
     });
     if (!response.ok) {
-      let message = `HTTP ${response.status}`;
-      try {
-        const data2 = await response.json();
-        message = String(data2["message"] ?? data2["error"] ?? message);
-      } catch {
-      }
-      throw new AggregatorError(`Aggregator error: ${message}`, response.status);
+      return this.handleAggregatorErrorResponse(response);
     }
     const data = await response.json();
     const sourcesData = data["sources"];
@@ -1956,12 +2593,14 @@ var ChatResource = class {
     const metadata = this.parseMetadata(metadataData ?? {});
     const usageData = data["usage"];
     const usage = usageData ? this.parseUsage(usageData) : void 0;
+    const profitShare = data["profit_share"];
     return {
       response: String(data["response"] ?? ""),
       sources,
       retrievalInfo,
       metadata,
-      usage
+      usage,
+      profitShare
     };
   }
   /**
@@ -1970,41 +2609,15 @@ var ChatResource = class {
    * This method automatically:
    * 1. Resolves endpoints and extracts owner information
    * 2. Exchanges Hub tokens for satellite tokens (one per unique owner)
-   * 3. Fetches transaction tokens for billing authorization
+   * 3. Passes the user's Hub access token for MPP payment authorization
    * 4. Sends tokens to the aggregator for forwarding to SyftAI-Space
    *
    * @param options - Chat completion options
    * @yields ChatStreamEvent objects as they arrive
    */
   async *stream(options) {
-    const modelRef = await this.resolveEndpointRef(options.model, "model");
-    const dsRefs = [];
-    for (const ds of options.dataSources ?? []) {
-      dsRefs.push(await this.resolveEndpointRef(ds, "data_source"));
-    }
-    const uniqueOwners = this.collectUniqueOwners(modelRef, dsRefs);
-    const endpointTokens = await this.getSatelliteTokensForOwners(uniqueOwners);
-    const transactionTokens = await this.getTransactionTokensForOwners(uniqueOwners);
-    const requestBody = this.buildRequestBody(
-      options.prompt,
-      modelRef,
-      dsRefs,
-      endpointTokens,
-      transactionTokens,
-      {
-        topK: options.topK,
-        maxTokens: options.maxTokens,
-        temperature: options.temperature,
-        similarityThreshold: options.similarityThreshold,
-        stream: true
-      }
-    );
-    const effectiveAggregatorUrl = (options.aggregatorUrl ?? this.aggregatorUrl).replace(
-      /\/+$/,
-      ""
-    );
-    const url = `${effectiveAggregatorUrl}/chat/stream`;
-    const response = await fetch(url, {
+    const { requestBody, effectiveAggregatorUrl } = await this.prepareRequest(options, true);
+    const response = await fetch(`${effectiveAggregatorUrl}/chat/stream`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -2014,55 +2627,22 @@ var ChatResource = class {
       signal: options.signal
     });
     if (!response.ok) {
-      let message = `HTTP ${response.status}`;
-      try {
-        const data = await response.json();
-        message = String(data["message"] ?? data["error"] ?? message);
-      } catch {
-      }
-      throw new AggregatorError(`Aggregator error: ${message}`, response.status);
+      return this.handleAggregatorErrorResponse(response);
     }
     if (!response.body) {
       throw new AggregatorError("No response body from aggregator");
     }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    let currentEvent = null;
-    let currentData = "";
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const lines = buffer.split("\n");
-        buffer = lines.pop() ?? "";
-        for (const line of lines) {
-          const trimmedLine = line.trim();
-          if (!trimmedLine) {
-            if (currentEvent && currentData) {
-              try {
-                const data = JSON.parse(currentData);
-                const event = this.parseSSEEvent(currentEvent, data);
-                if (event) {
-                  yield event;
-                }
-              } catch {
-              }
-            }
-            currentEvent = null;
-            currentData = "";
-            continue;
-          }
-          if (trimmedLine.startsWith("event:")) {
-            currentEvent = trimmedLine.slice(6).trim();
-          } else if (trimmedLine.startsWith("data:")) {
-            currentData = trimmedLine.slice(5).trim();
-          }
+    for await (const { event: eventName, data: dataStr } of readSSEEvents(response)) {
+      if (eventName === "message") continue;
+      try {
+        const data = JSON.parse(dataStr);
+        const event = this.parseSSEEvent(eventName, data);
+        if (event) {
+          yield event;
         }
+      } catch {
+        yield { type: "error", message: `Failed to parse SSE data: ${dataStr}` };
       }
-    } finally {
-      reader.releaseLock();
     }
   }
   /**
@@ -2088,8 +2668,24 @@ var ChatResource = class {
           totalDocuments: Number(data["total_documents"] ?? 0),
           timeMs: Number(data["time_ms"] ?? 0)
         };
+      case "reranking_start":
+        return {
+          type: "reranking_start",
+          documents: Number(data["documents"] ?? 0)
+        };
+      case "reranking_complete":
+        return {
+          type: "reranking_complete",
+          documents: Number(data["documents"] ?? 0),
+          timeMs: Number(data["time_ms"] ?? 0)
+        };
       case "generation_start":
         return { type: "generation_start" };
+      case "generation_heartbeat":
+        return {
+          type: "generation_heartbeat",
+          elapsedMs: Number(data["elapsed_ms"] ?? 0)
+        };
       case "token":
         return {
           type: "token",
@@ -2104,7 +2700,9 @@ var ChatResource = class {
         const metadata = this.parseMetadata(metadataData ?? {});
         const usageData = data["usage"];
         const usage = usageData ? this.parseUsage(usageData) : void 0;
-        return { type: "done", sources, retrievalInfo, metadata, usage };
+        const profitShare = data["profit_share"];
+        const response = data["response"];
+        return { type: "done", sources, retrievalInfo, metadata, usage, profitShare, response };
       }
       case "error":
         return {
@@ -2112,30 +2710,33 @@ var ChatResource = class {
           message: String(data["message"] ?? "Unknown error")
         };
       default:
+        console.warn(`[SyftHub] Unknown SSE event type received from aggregator: ${eventType}`);
         return {
           type: "error",
           message: `Unknown event type: ${eventType}`
         };
     }
   }
-  /**
-   * Get model endpoints that have connection URLs configured.
-   *
-   * @param limit - Maximum number of results (default: 20)
-   * @returns Array of EndpointPublic objects for models with URLs
-   */
-  async getAvailableModels(limit = 20) {
+  async getAvailableEndpoints(endpointType, limit) {
     const results = [];
     for await (const endpoint of this.hub.browse()) {
       if (results.length >= limit) break;
-      if (endpoint.type !== EndpointType.MODEL) continue;
-      const hasUrl = endpoint.connect.some((conn) => conn.enabled && conn.config["url"]);
-      if (hasUrl) {
+      if (endpoint.type !== endpointType) continue;
+      if (endpoint.connect.some((conn) => conn.enabled && conn.config["url"])) {
         results.push(endpoint);
       }
     }
     return results;
   }
+  /**
+   * Get model endpoints that have connection URLs configured.
+   *
+   * @param limit - Maximum number of results (default: 20)
+   * @returns Array of EndpointPublic objects for models with URLs
+   */
+  async getAvailableModels(limit = 20) {
+    return this.getAvailableEndpoints(EndpointType.MODEL, limit);
+  }
   /**
    * Get data source endpoints that have connection URLs configured.
    *
@@ -2143,16 +2744,7 @@ var ChatResource = class {
    * @returns Array of EndpointPublic objects for data sources with URLs
    */
   async getAvailableDataSources(limit = 20) {
-    const results = [];
-    for await (const endpoint of this.hub.browse()) {
-      if (results.length >= limit) break;
-      if (endpoint.type !== EndpointType.DATA_SOURCE) continue;
-      const hasUrl = endpoint.connect.some((conn) => conn.enabled && conn.config["url"]);
-      if (hasUrl) {
-        results.push(endpoint);
-      }
-    }
-    return results;
+    return this.getAvailableEndpoints(EndpointType.DATA_SOURCE, limit);
   }
 };
@@ -2175,28 +2767,125 @@ var GenerationError = class extends SyftHubError {
   }
 };
 var SyftAIResource = class {
-  // No dependencies - uses direct fetch to SyftAI-Space endpoints
+  /**
+   * @param http - Hub HTTP client, used to mint satellite tokens and settle
+   *   MPP payments. Endpoint queries themselves use direct `fetch`, since the
+   *   SyftAI-Space URL is arbitrary and not the Hub base URL.
+   */
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Mint a satellite token for `audience` (the endpoint owner's username).
+   *
+   * Mirrors the aggregator's token coordination layer: try an authenticated
+   * token first, then fall back to a guest token. Returns `undefined` if both
+   * fail, so the caller can still attempt an unauthenticated request.
+   */
+  async mintSatelliteToken(audience) {
+    if (this.http.hasTokens()) {
+      try {
+        const res = await this.http.get("/api/v1/token", {
+          aud: audience
+        });
+        if (res.targetToken) return res.targetToken;
+      } catch {
+      }
+    }
+    try {
+      const res = await this.http.get(
+        "/api/v1/token/guest",
+        { aud: audience },
+        { includeAuth: false }
+      );
+      return res.targetToken;
+    } catch {
+      return void 0;
+    }
+  }
+  /**
+   * Pay an MPP `402` challenge via the Hub wallet, returning an X-Payment credential.
+   *
+   * Mirrors the aggregator's `handleMppPayment`: the `WWW-Authenticate`
+   * challenge is forwarded verbatim to the Hub's `/api/v1/wallet/pay`, which
+   * parses it and returns an `x_payment` string to attach to a retry.
+   */
+  async payMpp(wwwAuthenticate, slug) {
+    if (!wwwAuthenticate) return void 0;
+    const res = await this.http.post("/api/v1/wallet/pay", {
+      wwwAuthenticate,
+      endpointSlug: slug
+    });
+    return res.xPayment;
+  }
   /**
    * Build headers for SyftAI-Space request.
    */
-  buildHeaders(tenantName) {
+  buildHeaders(tenantName, authorizationToken) {
     const headers = {
       "Content-Type": "application/json"
     };
     if (tenantName) {
       headers["X-Tenant-Name"] = tenantName;
     }
+    if (authorizationToken) {
+      headers["Authorization"] = `Bearer ${authorizationToken}`;
+    }
     return headers;
   }
+  /**
+   * Parse documents from a SyftAI-Space query response.
+   *
+   * Mirrors the aggregator's `DataSourceClient._parse_syftai_response`: the
+   * canonical shape nests documents under `references.documents` and names the
+   * score `similarity_score`. A legacy top-level `documents` list (with
+   * `score`) is still honoured for backward compatibility.
+   */
+  parseDocuments(data) {
+    const references = data["references"];
+    let rawDocs;
+    let scoreKey = "score";
+    if (references && typeof references === "object") {
+      rawDocs = references["documents"];
+      scoreKey = "similarity_score";
+    } else {
+      rawDocs = data["documents"];
+    }
+    const documents = [];
+    if (Array.isArray(rawDocs)) {
+      for (const doc of rawDocs) {
+        documents.push({
+          content: String(doc["content"] ?? ""),
+          score: Number(doc[scoreKey] ?? doc["score"] ?? 0),
+          metadata: doc["metadata"] ?? {}
+        });
+      }
+    }
+    return documents;
+  }
   /**
    * Query a data source endpoint directly.
    *
+   * Authentication mirrors the aggregator: SyftAI-Space endpoints expect a
+   * satellite bearer token whose audience is the endpoint owner's username. If
+   * `authorizationToken` is not supplied, one is minted automatically when an
+   * owner is known (`ownerUsername` option or `endpoint.ownerUsername`).
+   *
    * @param options - Query options
    * @returns Array of Document objects
    * @throws {RetrievalError} If the query fails
    */
   async queryDataSource(options) {
-    const { endpoint, query, userEmail, topK = 5, similarityThreshold = 0.5 } = options;
+    const {
+      endpoint,
+      query,
+      userEmail,
+      topK = 5,
+      similarityThreshold = 0.5,
+      authorizationToken,
+      ownerUsername,
+      pay = false
+    } = options;
     const url = `${endpoint.url.replace(/\/$/, "")}/api/v1/endpoints/${endpoint.slug}/query`;
     const requestBody = {
       user_email: userEmail,
@@ -2205,19 +2894,44 @@ var SyftAIResource = class {
       limit: topK,
       similarity_threshold: similarityThreshold
     };
-    let response;
-    try {
-      response = await fetch(url, {
-        method: "POST",
-        headers: this.buildHeaders(endpoint.tenantName),
-        body: JSON.stringify(requestBody)
-      });
-    } catch (error) {
-      throw new RetrievalError(
-        `Failed to connect to data source '${endpoint.slug}': ${error instanceof Error ? error.message : String(error)}`,
-        endpoint.slug,
-        error
-      );
+    let token = authorizationToken;
+    if (!token) {
+      const audience = ownerUsername ?? endpoint.ownerUsername;
+      if (audience) {
+        token = await this.mintSatelliteToken(audience);
+      }
+    }
+    const headers = this.buildHeaders(endpoint.tenantName, token);
+    const postQuery = async (extraHeaders) => {
+      try {
+        return await fetch(url, {
+          method: "POST",
+          headers: { ...headers, ...extraHeaders },
+          body: JSON.stringify(requestBody)
+        });
+      } catch (error) {
+        throw new RetrievalError(
+          `Failed to connect to data source '${endpoint.slug}': ${error instanceof Error ? error.message : String(error)}`,
+          endpoint.slug,
+          error
+        );
+      }
+    };
+    let response = await postQuery();
+    if (response.status === 402 && pay) {
+      let xPayment;
+      try {
+        xPayment = await this.payMpp(response.headers.get("www-authenticate") ?? "", endpoint.slug);
+      } catch (error) {
+        throw new RetrievalError(
+          `Payment failed for data source '${endpoint.slug}': ${error instanceof Error ? error.message : String(error)}`,
+          endpoint.slug,
+          error
+        );
+      }
+      if (xPayment) {
+        response = await postQuery({ "X-Payment": xPayment });
+      }
     }
     if (!response.ok) {
       let message = `HTTP ${response.status}`;
@@ -2229,17 +2943,7 @@ var SyftAIResource = class {
       throw new RetrievalError(`Data source query failed: ${message}`, endpoint.slug);
     }
     const data = await response.json();
-    const documents = [];
-    const docsData = data["documents"];
-    if (Array.isArray(docsData)) {
-      for (const doc of docsData) {
-        documents.push({
-          content: String(doc["content"] ?? ""),
-          score: Number(doc["score"] ?? 0),
-          metadata: doc["metadata"] ?? {}
-        });
-      }
-    }
+    const documents = this.parseDocuments(data);
     return documents;
   }
   /**
@@ -2338,45 +3042,22 @@ var SyftAIResource = class {
     if (!response.body) {
       throw new GenerationError("No response body from model", endpoint.slug);
     }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const lines = buffer.split("\n");
-        buffer = lines.pop() ?? "";
-        for (const line of lines) {
-          const trimmedLine = line.trim();
-          if (!trimmedLine || trimmedLine.startsWith("event:")) {
-            continue;
-          }
-          if (trimmedLine.startsWith("data:")) {
-            const dataStr = trimmedLine.slice(5).trim();
-            if (dataStr === "[DONE]") {
-              return;
-            }
-            try {
-              const data = JSON.parse(dataStr);
-              if (typeof data["content"] === "string") {
-                yield data["content"];
-              } else if (Array.isArray(data["choices"])) {
-                for (const choice of data["choices"]) {
-                  const delta = choice["delta"];
-                  if (delta && typeof delta["content"] === "string") {
-                    yield delta["content"];
-                  }
-                }
-              }
-            } catch {
+    for await (const { data: dataStr } of readSSEEvents(response)) {
+      if (dataStr === "[DONE]") return;
+      try {
+        const data = JSON.parse(dataStr);
+        if (typeof data["content"] === "string") {
+          yield data["content"];
+        } else if (Array.isArray(data["choices"])) {
+          for (const choice of data["choices"]) {
+            const delta = choice["delta"];
+            if (delta && typeof delta["content"] === "string") {
+              yield delta["content"];
             }
           }
         }
+      } catch {
       }
-    } finally {
-      reader.releaseLock();
     }
   }
 };
@@ -2393,7 +3074,6 @@ function isBrowser() {
 }
 var SyftHubClient = class {
   http;
-  options;
   aggregatorUrl;
   // Lazy-initialized resources
   _auth;
@@ -2401,9 +3081,10 @@ var SyftHubClient = class {
   _myEndpoints;
   _hub;
   _accounting;
-  _accountingInitPromise = null;
+  _agent;
   _chat;
   _syftai;
+  _apiTokens;
   /**
    * Create a new SyftHub client.
    *
@@ -2411,7 +3092,6 @@ var SyftHubClient = class {
    * @throws {SyftHubError} If baseUrl is not provided and SYFTHUB_URL is not set (in non-browser environments)
    */
   constructor(options = {}) {
-    this.options = options;
     let baseUrl = options.baseUrl ?? getEnv("SYFTHUB_URL");
     if (!baseUrl && !isBrowser()) {
       throw new SyftHubError(
@@ -2422,6 +3102,10 @@ var SyftHubClient = class {
     const normalizedUrl = baseUrl ? baseUrl.replace(/\/+$/, "") : "";
     this.http = new HTTPClient(normalizedUrl, options.timeout ?? 3e4);
     this.aggregatorUrl = options.aggregatorUrl ?? getEnv("SYFTHUB_AGGREGATOR_URL") ?? `${normalizedUrl}/aggregator/api/v1`;
+    const apiToken = options.apiToken ?? getEnv("SYFTHUB_API_TOKEN");
+    if (apiToken) {
+      this.http.setApiToken(apiToken);
+    }
   }
   /**
    * Authentication resource for login, register, and session management.
@@ -2477,13 +3161,33 @@ var SyftHubClient = class {
     return this._hub;
   }
   /**
-   * Accounting resource for billing and transactions.
+   * Agent resource for bidirectional agent sessions via WebSocket.
+   *
+   * @example
+   * const session = await client.agent.startSession({
+   *   prompt: 'Help me refactor this code',
+   *   endpoint: 'alice/code-assistant',
+   * });
+   *
+   * for await (const event of session.events()) {
+   *   console.log(event.type, event.payload);
+   * }
+   */
+  get agent() {
+    if (!this._agent) {
+      this._agent = new AgentResource(this.auth, this.aggregatorUrl);
+    }
+    return this._agent;
+  }
+  /**
+   * Accounting resource for wallet and payment operations.
    *
-   * The accounting service is external and uses separate credentials
-   * (email/password Basic auth) from SyftHub's JWT authentication.
+   * Provides access to MPP wallet management (balance, transactions,
+   * wallet creation/import). Uses the same SyftHub JWT authentication
+   * as other resources.
    *
-   * Credentials are automatically retrieved from the backend after login.
-   * You must call `initAccounting()` after login to initialize this resource.
+   * You must call `initAccounting()` after login to initialize this resource,
+   * or access it directly if already initialized.
    *
    * @throws {AuthenticationError} If not initialized
    *
@@ -2493,7 +3197,8 @@ var SyftHubClient = class {
    * await client.initAccounting();
    *
    * // Now accounting is available
-   * const user = await client.accounting.getUser();
+   * const wallet = await client.accounting.getWallet();
+   * const balance = await client.accounting.getBalance();
    */
   get accounting() {
     if (this._accounting) {
@@ -2504,14 +3209,13 @@ var SyftHubClient = class {
     );
   }
   /**
-   * Initialize accounting resource by fetching credentials from the backend.
+   * Initialize the accounting (wallet) resource.
    *
-   * This method retrieves accounting credentials from the SyftHub backend
-   * and initializes the accounting resource. Requires authentication.
+   * The wallet API uses the same SyftHub authentication as other resources.
+   * This method simply verifies authentication and creates the resource.
    *
    * @returns The initialized AccountingResource
    * @throws {AuthenticationError} If not authenticated
-   * @throws {ConfigurationError} If user has no accounting service configured
    *
    * @example
    * // Login first, then initialize accounting
@@ -2519,49 +3223,20 @@ var SyftHubClient = class {
    * await client.initAccounting();
    *
    * // Now accounting is available
-   * const user = await client.accounting.getUser();
+   * const wallet = await client.accounting.getWallet();
+   * const balance = await client.accounting.getBalance();
    */
   async initAccounting() {
     if (this._accounting) {
       return this._accounting;
     }
-    if (this._accountingInitPromise) {
-      return this._accountingInitPromise;
-    }
-    this._accountingInitPromise = this._doInitAccounting();
-    try {
-      this._accounting = await this._accountingInitPromise;
-      return this._accounting;
-    } finally {
-      this._accountingInitPromise = null;
-    }
-  }
-  /**
-   * Internal method to perform accounting initialization.
-   */
-  async _doInitAccounting() {
     if (!this.isAuthenticated) {
       throw new AuthenticationError(
         "Must be logged in to use accounting. Call client.auth.login() first."
       );
     }
-    const creds = await this.users.getAccountingCredentials();
-    if (!creds.url) {
-      throw new ConfigurationError(
-        "No accounting service configured for this user. Contact your administrator to set up accounting."
-      );
-    }
-    if (!creds.password) {
-      throw new ConfigurationError(
-        "Accounting password not available. This may indicate an issue with your account setup."
-      );
-    }
-    return new AccountingResource({
-      url: creds.url,
-      email: creds.email,
-      password: creds.password,
-      timeout: this.options.timeout
-    });
+    this._accounting = new AccountingResource(this.http);
+    return this._accounting;
   }
   /**
    * Chat resource for RAG-augmented conversations via the Aggregator.
@@ -2621,10 +3296,44 @@ var SyftHubClient = class {
    */
   get syftai() {
     if (!this._syftai) {
-      this._syftai = new SyftAIResource();
+      this._syftai = new SyftAIResource(this.http);
     }
     return this._syftai;
   }
+  /**
+   * API Tokens resource for managing personal access tokens.
+   *
+   * API tokens provide an alternative to username/password authentication.
+   * They are ideal for CI/CD pipelines, scripts, and programmatic access.
+   *
+   * @example
+   * // Create a new token
+   * const result = await client.apiTokens.create({
+   *   name: 'CI/CD Pipeline',
+   *   scopes: ['write'],
+   * });
+   * console.log('Save this token:', result.token);
+   *
+   * // List all tokens
+   * const { tokens } = await client.apiTokens.list();
+   *
+   * // Revoke a token
+   * await client.apiTokens.revoke(tokenId);
+   */
+  get apiTokens() {
+    if (!this._apiTokens) {
+      this._apiTokens = new APITokensResource(this.http);
+    }
+    return this._apiTokens;
+  }
+  /**
+   * Check if the client is using API token authentication.
+   *
+   * @returns True if authenticated with an API token (vs JWT)
+   */
+  get isUsingApiToken() {
+    return this.http.isUsingApiToken();
+  }
   /**
    * Get current authentication tokens.
    *
@@ -2666,7 +3375,7 @@ var SyftHubClient = class {
     return this.http.hasTokens();
   }
   /**
-   * Check if accounting has been initialized.
+   * Check if the accounting (wallet) resource has been initialized.
    *
    * Use this to check if accounting is available before accessing
    * the `accounting` property, which will throw if not initialized.
@@ -2675,7 +3384,7 @@ var SyftHubClient = class {
    *
    * @example
    * if (client.isAccountingInitialized) {
-   *   const user = await client.accounting.getUser();
+   *   const wallet = await client.accounting.getWallet();
    * }
    */
   get isAccountingInitialized() {
@@ -2693,6 +3402,6 @@ var SyftHubClient = class {
 // src/index.ts
 init_errors();
-export { APIError, AccountingAccountExistsError, AccountingResource, AccountingServiceUnavailableError, AggregatorError, AuthenticationError, AuthorizationError, ChatResource, ConfigurationError, CreatorType, EndpointResolutionError, EndpointType, GenerationError, InvalidAccountingPasswordError, NetworkError, NotFoundError, OrganizationRole, PageIterator, RetrievalError, SyftAIResource, SyftHubClient, SyftHubError, TransactionStatus, UserAlreadyExistsError, UserRole, ValidationError, Visibility, createAccountingResource, getEndpointOwnerType, getEndpointPublicPath, isTransactionCancelled, isTransactionCompleted, isTransactionPending, parseTransaction };
+export { APIError, APITokensResource, AccountingAccountExistsError, AccountingResource, AccountingServiceUnavailableError, AgentResource, AgentSessionClient, AgentSessionError, AggregatorError, AggregatorsResource, AuthenticationError, AuthorizationError, ChatResource, ConfigurationError, EndpointResolutionError, EndpointType, GenerationError, InvalidAccountingPasswordError, NetworkError, NotFoundError, PageIterator, RetrievalError, SyftAIResource, SyftHubClient, SyftHubError, UserAlreadyExistsError, UserRole, ValidationError, Visibility, createAccountingResource, getEndpointPublicPath };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map