@sylphx/sdk 0.10.0 → 0.10.2

package/dist/index.d.ts

@@ -95,7 +95,7 @@ interface PlatformRealtimeDeleteChannelResult {
  *
  * Invariants:
  *   - Protocol is always `sylphx:` (no exceptions)
- *   - Credential matches `(pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}`
+ *   - Credential matches `(pk|sk)_(dev|stg|prod|prev)(_{ref})?_{hex}`
  *   - Host's first DNS label is the resource slug (validated by slug regex)
  *   - `apiBaseUrl` is always HTTPS, with `/v{version}` appended (default `v1`)
  *
@@ -135,7 +135,7 @@ declare class InvalidConnectionUrlError extends Error {
  * import { createClient } from '@sylphx/sdk'
  *
  * const sylphx = createClient(process.env.SYLPHX_URL!)
- * // Parses: sylphx://pk_prod_{hex}@bold-river-a1b2c3.api.sylphx.com
+ * // Parses: sylphx://pk_prod_{ref?}_{hex}@bold-river-a1b2c3.api.sylphx.com
  * ```
  */
 
@@ -207,7 +207,7 @@ interface SylphxClientInput {
  * @example Connection URL (recommended)
  * ```typescript
  * const sylphx = createClient(process.env.NEXT_PUBLIC_SYLPHX_URL!)
- * // Parses: sylphx://pk_prod_{hex}@bold-river-a1b2c3.api.sylphx.com
+ * // Parses: sylphx://pk_prod_{ref?}_{hex}@bold-river-a1b2c3.api.sylphx.com
  * ```
  *
  * @example Explicit components
@@ -228,7 +228,7 @@ declare function createClient(input: string | SylphxClientInput): SylphxConfig;
  * @example Connection URL (recommended)
  * ```typescript
  * const sylphx = createServerClient(process.env.SYLPHX_SECRET_URL!)
- * // Parses: sylphx://sk_prod_{hex}@bold-river-a1b2c3.api.sylphx.com
+ * // Parses: sylphx://sk_prod_{ref?}_{hex}@bold-river-a1b2c3.api.sylphx.com
  * ```
  *
  * @example Explicit components
@@ -354,7 +354,7 @@ declare function installGlobalDebugHelpers(): void;
  * import { createRestClient } from '@sylphx/sdk'
  *
  * const client = createRestClient({
- *   secretKey: process.env.SYLPHX_SECRET_KEY!,
+ *   secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey!,
  * })
  *
  * const { data: user, error } = await client.GET('/auth/me')
@@ -488,6 +488,10 @@ interface Middleware {
     onRequest?: (ctx: {
         request: Request;
     }) => Promise<Request | undefined> | Request | undefined;
+    onFetch?: (ctx: {
+        request: Request;
+        next: (request: Request) => Promise<Response>;
+    }) => Promise<Response | undefined> | Response | undefined;
     onResponse?: (ctx: {
         request: Request;
         response: Response;
@@ -573,7 +577,7 @@ declare function getCircuitBreakerState(): {
  * @example
  * ```typescript
  * const client = createRestClient({
- *   secretKey: process.env.SYLPHX_SECRET_KEY!,
+ *   secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey!,
  * })
  *
  * const { data: user } = await client.GET('/auth/me')
@@ -594,7 +598,7 @@ declare function createRestClient(config: RestClientConfig): RestClient;
  * @example
  * ```typescript
  * const client = createDynamicRestClient({
- *   secretKey: process.env.SYLPHX_SECRET_KEY!,
+ *   secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey!,
  *   getAccessToken: async () => (await cookies()).get('session')?.value,
  * })
  * ```
@@ -1912,6 +1916,18 @@ interface OrgTokenPayload {
     /** RBAC role key (e.g. "hr_manager", "admin"). Permissions resolved server-side. */
     org_role: string;
 }
+interface OrgScopedTokenResponse {
+    /** Org-scoped access token. */
+    token: string;
+    /** Org-scoped access token, matching the SDK's token naming convention. */
+    accessToken: string;
+    /** Token lifetime in seconds, when provided by the runtime. */
+    expiresIn?: number;
+    /** Bearer token type, when provided by the runtime. */
+    tokenType?: string;
+    /** User envelope returned by the runtime for session hydration. */
+    user?: User;
+}
 /**
  * Invite a user request payload.
  */
@@ -2129,9 +2145,14 @@ declare function inviteUser(config: SylphxConfig, input: InviteUserRequest): Pro
  * The returned access_token JWT includes org_id, org_slug, org_role claims.
  *
  * @example
- * const tokens = await switchOrg(withToken(config, currentToken), 'org_xxx')
+ * const { token } = await getOrgScopedToken(withToken(config, currentToken), 'org_xxx')
+ */
+declare function getOrgScopedToken(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
+/**
+ * @deprecated Use getOrgScopedToken(config, orgId). Kept as the shorter
+ * organization switch alias for existing SDK callers.
  */
-declare function switchOrg(config: SylphxConfig, orgId: string): Promise<TokenResponse>;
+declare function switchOrg(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
 type DeviceInitInput = DeviceInitRequest;
 type DeviceGrant = DeviceInitResponse;
 type DevicePollResult = DevicePollResponse;
@@ -3371,7 +3392,7 @@ interface StreamMessage<T = unknown> {
  * import { createConfig, realtimeEmit } from '@sylphx/sdk'
  *
  * // Server: emit events to connected clients
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY! })
+ * const config = createConfig({ secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey! })
  * await realtimeEmit(config, {
  *   channel: 'orders',
  *   event: 'order.created',
@@ -3694,9 +3715,8 @@ declare function createTracker(config: SylphxConfig, defaultAnonymousId?: string
  * Features (built-in defaults, ADR-100 §2.8):
  * - Idempotency-Key auto-generated (UUIDv7) on every POST
  * - Single-part PUT or multipart, picked server-side from `size`
- * - Streaming SHA-256 (browser `crypto.subtle.digest` / node `crypto.createHash`)
- * - Resumable: persists `(uploadId, completedParts[])` to localStorage
- *   (browser) or `~/.sylphx/uploads.json` (node)
+ * - Streaming SHA-256 via the Web Crypto API
+ * - Resumable: persists `(uploadId, completedParts[])` to localStorage when available
  * - AbortSignal cancellation; auto-DELETE upload session on abort
  * - Exponential backoff with full jitter (5 retries, 1s base, 30s cap)
  * - Progress: byte-accurate via XHR (browser) or stream sampling (node)
@@ -6075,7 +6095,7 @@ declare function assignMemberRole(config: SylphxConfig, orgIdOrSlug: string, mem
  * import { createConfig, getSecret, getSecrets, listSecretKeys } from '@sylphx/sdk'
  *
  * const config = createConfig({
- *   secretKey: process.env.SYLPHX_SECRET_KEY!,
+ *   secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey!,
  * })
  *
  * // Get a single secret
@@ -6226,7 +6246,7 @@ declare function getAllSecrets(config: SylphxConfig, environmentId?: string): Pr
  * import { createConfig, indexDocument, search, batchIndex } from '@sylphx/sdk'
  *
  * const config = createConfig({
- *   secretKey: process.env.SYLPHX_SECRET_KEY!,
+ *   secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey!,
  * })
  *
  * // Index a document
@@ -6642,7 +6662,7 @@ declare function trackClick(config: SylphxConfig, input: TrackClickInput): Promi
  * ```ts
  * import { createConfig, getDatabaseConnectionString } from '@sylphx/sdk'
  *
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY! })
+ * const config = createConfig({ secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey! })
  * const { connectionString } = await getDatabaseConnectionString(config)
  *
  * const pool = new Pool({ connectionString })
@@ -6757,7 +6777,7 @@ interface KvZMember {
  * ```ts
  * import { createConfig, kvSet, kvGet, kvDelete } from '@sylphx/sdk'
  *
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY! })
+ * const config = createConfig({ secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey! })
  *
  * // Basic key-value operations
  * await kvSet(config, { key: 'user:123', value: { name: 'Alice' }, ex: 3600 })
@@ -7103,7 +7123,7 @@ declare function kvSetJSON<T>(config: SylphxConfig, key: string, value: T, optio
  * ```ts
  * import { createConfig, triggerDeploy, getDeployStatus } from '@sylphx/sdk'
  *
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY! })
+ * const config = createConfig({ secretKey: createServerClient(process.env.SYLPHX_SECRET_URL!).secretKey! })
  *
  * // Trigger a deployment
  * const deploy = await triggerDeploy(config, { envId: 'env_prod_xxx' })
@@ -7462,7 +7482,7 @@ declare function captureMessage(config: SylphxConfig, message: string, options?:
  * ```typescript
  * import { createServerClient, SandboxClient } from '@sylphx/sdk'
  *
- * const config = createServerClient(process.env.SYLPHX_URL!)
+ * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
  * // Create sandbox (Platform waits for pod ready before returning)
  * const sandbox = await SandboxClient.create(config)
@@ -7817,7 +7837,7 @@ declare class SandboxClient {
  * ```typescript
  * import { createServerClient, RunsClient } from '@sylphx/sdk'
  *
- * const config = createServerClient(process.env.SYLPHX_URL!)
+ * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
  * const run = await RunsClient.create(config, {
  *   image: 'registry.sylphx.com/sylphx/my-trainer:abc123',
@@ -8052,7 +8072,7 @@ declare class RunHandle {
  *
  * @example
  * ```typescript
- * const config = createServerClient(process.env.SYLPHX_URL!)
+ * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
  * // Run a worker and wait for completion
  * const result = await RunsClient.create(config, { ... }).then(w => w.wait())
@@ -8197,7 +8217,7 @@ declare const WorkersClient: {
  * ### Cron → Task
  * ```typescript
  * import { createServerClient, TriggersClient } from '@sylphx/sdk'
- * const config = createServerClient(process.env.SYLPHX_URL!)
+ * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
  * const trigger = await TriggersClient.create(config, {
  *   name: 'daily-cleanup',
@@ -9274,4 +9294,4 @@ declare const functions: {
     };
 };
 
-export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CopyFileOptions, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type FacetsResponse, type FileEvent, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type HttpTarget, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListFilesOptions, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type ResendEmailVerificationRequest, type ResendEmailVerificationResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunResourceSpec, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SandboxClient, type SandboxFile, SandboxFiles, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, StepCompleteSignal, StepSleepSignal, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadCreateOptions, type UploadProgressEvent, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResourceSpec as WorkerResourceSpec, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, dpop, embed, enableDebug, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, forgotPassword, functions, generateAnonymousId, generatePkce, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBackupCodes, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listOAuthProviders, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, oauth, page, parseOAuthCallback, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resendVerificationEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, startPasskeyRegistration, storage, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, upsertDocument, user, userInfo, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };
+export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CopyFileOptions, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type FacetsResponse, type FileEvent, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type HttpTarget, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListFilesOptions, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgScopedTokenResponse, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type ResendEmailVerificationRequest, type ResendEmailVerificationResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunResourceSpec, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SandboxClient, type SandboxFile, SandboxFiles, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, StepCompleteSignal, StepSleepSignal, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadCreateOptions, type UploadProgressEvent, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResourceSpec as WorkerResourceSpec, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, dpop, embed, enableDebug, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, forgotPassword, functions, generateAnonymousId, generatePkce, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBackupCodes, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrgScopedToken, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listOAuthProviders, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, oauth, page, parseOAuthCallback, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resendVerificationEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, startPasskeyRegistration, storage, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, upsertDocument, user, userInfo, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };

package/dist/index.mjs

@@ -4783,7 +4783,7 @@ var init_webapi = __esm({
 // src/connection-url.ts
 var SYLPHX_PROTOCOL = "sylphx:";
 var DEFAULT_VERSION = "v1";
-var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}$/;
+var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32,64}$/;
 var VERSION_REGEX = /^v[0-9]+$/;
 var SLUG_REGEX = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;
 var InvalidConnectionUrlError = class _InvalidConnectionUrlError extends Error {
@@ -4800,7 +4800,7 @@ function fail(reason) {
 function parseCredential(raw) {
   const match = CREDENTIAL_REGEX.exec(raw);
   if (!match) {
-    fail(`credential must match (pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}, got "${raw}"`);
+    fail(`credential must match (pk|sk)_(dev|stg|prod|prev)(_{ref})?_{hex}, got "${raw}"`);
   }
   return {
     credentialType: match[1],
@@ -4879,7 +4879,7 @@ init_constants();
 init_errors();
 var LEGACY_EMBEDDED_REF_PATTERN = /^(pk|sk)_(dev|stg|prod|prev)_[a-z0-9]{12}_[a-f0-9]+$/;
 var LEGACY_APP_KEY_PATTERN = /^app_(dev|stg|prod|prev)_/;
-var MIGRATION_MESSAGE = "API key format has changed. Use a sylphx:// connection URL instead.\n\nNew format: sylphx://pk_prod_{hex}@your-slug.api.sylphx.com\n\nGenerate new credentials from the Sylphx Console \u2192 Your App \u2192 Environments.\nSee https://docs.sylphx.com/migration for details.";
+var MIGRATION_MESSAGE = "API key format has changed. Use a sylphx:// connection URL instead.\n\nNew format: sylphx://pk_prod_{ref?}_{hex}@your-slug.api.sylphx.com\n\nGenerate new credentials from the Sylphx Console \u2192 Your App \u2192 Environments.\nSee https://docs.sylphx.com/migration for details.";
 function rejectLegacyKeyFormat(input) {
   const trimmed = input.trim().toLowerCase();
   if (LEGACY_APP_KEY_PATTERN.test(trimmed)) {
@@ -5012,7 +5012,7 @@ function createConfigFromComponents(input) {
     });
   }
   throw new SylphxError(
-    `[Sylphx] Invalid credential format. Expected (pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}. Got: "${trimmedCred.slice(0, 30)}..."`,
+    `[Sylphx] Invalid credential format. Expected (pk|sk)_(dev|stg|prod|prev)(_{ref})?_{hex}. Got: "${trimmedCred.slice(0, 30)}..."`,
     { code: "BAD_REQUEST" }
   );
 }
@@ -5291,11 +5291,12 @@ init_constants();
 init_errors();
 
 // src/key-validation.ts
-var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod)_[a-z0-9_-]+$/;
+var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod|prev)_[a-z0-9_-]+$/;
 var ENV_PREFIX_MAP = {
   dev: "development",
   stg: "staging",
-  prod: "production"
+  prod: "production",
+  prev: "preview"
 };
 function detectKeyIssues(key) {
   const issues = [];
@@ -5320,7 +5321,7 @@ The SDK will automatically sanitize the key, but fixing the source is recommende
 }
 function createInvalidKeyError(keyType, key, envVarName) {
   const maskedKey = key.length > 20 ? `${key.slice(0, 20)}...` : key;
-  const formatHint = keyType === "appId" ? "pk_(dev|stg|prod)_{ref}_{hex} or app_(dev|stg|prod)_[id]" : "sk_(dev|stg|prod)_{ref}_{hex}";
+  const formatHint = keyType === "appId" ? "pk_(dev|stg|prod|prev)_{ref}_{hex} or app_(dev|stg|prod|prev)_[id]" : "sk_(dev|stg|prod|prev)_{ref}_{hex}";
   const keyTypeName = keyType === "appId" ? "App ID" : "Secret Key";
   return `[Sylphx] Invalid ${keyTypeName} format.
 
@@ -5333,7 +5334,7 @@ You can find your keys in the Sylphx Console \u2192 API Keys.
 Common issues:
 \u2022 Key has uppercase characters (must be lowercase)
 \u2022 Key has wrong prefix (App ID: pk_ or app_, Secret Key: sk_)
-\u2022 Key has invalid environment (must be dev, stg, or prod)
+\u2022 Key has invalid environment (must be dev, stg, prod, or prev)
 \u2022 Key was copied with extra whitespace`;
 }
 function extractEnvironment(key) {
@@ -5380,7 +5381,7 @@ function validateKeyForType(key, keyType, pattern, envVarName) {
   };
 }
 function validateSecretKey(key) {
-  return validateKeyForType(key, "secret", SECRET_KEY_PATTERN, "SYLPHX_SECRET_KEY");
+  return validateKeyForType(key, "secret", SECRET_KEY_PATTERN, "secret credential");
 }
 function validateAndSanitizeSecretKey(key) {
   const result = validateSecretKey(key);
@@ -5402,7 +5403,14 @@ async function runPipeline(middlewares, initial) {
       if (next) request = next;
     }
   }
-  let response = await fetch(request);
+  const fetchWithMiddleware = middlewares.reduceRight(
+    (next, mw) => mw.onFetch ? async (request2) => {
+      const response2 = await mw.onFetch?.({ request: request2, next });
+      return response2 ?? next(request2);
+    } : next,
+    (request2) => fetch(request2)
+  );
+  let response = await fetchWithMiddleware(request);
   for (const mw of middlewares) {
     if (mw.onResponse) {
       const next = await mw.onResponse({ request, response });
@@ -5421,6 +5429,11 @@ function buildUrl(baseUrl, path, params) {
   ).toString();
   return `${url}?${search2}`;
 }
+function cloneRequestWithHeaders(request, updateHeaders) {
+  const headers = new Headers(request.headers);
+  updateHeaders(headers);
+  return new Request(request, { headers });
+}
 function interpolatePath(path, pathParams) {
   if (!pathParams) return path;
   return path.replace(/\{(\w+)\}/g, (_match, key) => {
@@ -5483,66 +5496,51 @@ function buildClient(baseUrl, baseHeaders) {
 function createAuthMiddleware(config) {
   return {
     async onRequest({ request }) {
-      request.headers.set("X-SDK-Version", SDK_VERSION);
-      request.headers.set("X-SDK-Platform", SDK_PLATFORM);
-      if (config.secretKey) {
-        request.headers.set("x-app-secret", config.secretKey);
-      }
-      const token = config.getAccessToken?.();
-      if (token) {
-        request.headers.set("Authorization", `Bearer ${token}`);
-      }
-      return request;
+      return cloneRequestWithHeaders(request, (headers) => {
+        headers.set("X-SDK-Version", SDK_VERSION);
+        headers.set("X-SDK-Platform", SDK_PLATFORM);
+        if (config.secretKey) {
+          headers.set("x-app-secret", config.secretKey);
+        }
+        const token = config.getAccessToken?.();
+        if (token) {
+          headers.set("Authorization", `Bearer ${token}`);
+        }
+      });
     }
   };
 }
 function isRetryableStatus(status) {
   return status >= 500 || status === 429;
 }
-var inFlightRequests = /* @__PURE__ */ new Map();
 async function getRequestKey(request) {
   const body = request.body ? await request.clone().text() : "";
   return `${request.method}:${request.url}:${body}`;
 }
 function createDeduplicationMiddleware(config = {}) {
   const { enabled = true, methods = ["GET"] } = config;
-  if (!enabled) {
-    return {
-      async onRequest({ request }) {
-        return request;
-      }
-    };
-  }
+  if (!enabled) return {};
+  const inFlightRequests = /* @__PURE__ */ new Map();
   return {
-    async onRequest({ request }) {
-      if (!methods.includes(request.method)) {
-        return request;
+    async onFetch({ request, next }) {
+      const method = request.method.toUpperCase();
+      if (!methods.includes(method)) {
+        return next(request);
       }
       const key = await getRequestKey(request);
       const existing = inFlightRequests.get(key);
       if (existing) {
-        const deduped = request.clone();
-        deduped._dedupKey = key;
-        return deduped;
-      }
-      ;
-      request._dedupKey = key;
-      return request;
-    },
-    async onResponse({ request, response }) {
-      const key = request._dedupKey;
-      if (!key) return response;
-      const existing = inFlightRequests.get(key);
-      if (existing && inFlightRequests.get(key) !== void 0) {
         const cachedResponse = await existing;
         return cachedResponse.clone();
       }
-      const responsePromise = Promise.resolve(response.clone());
+      const responsePromise = next(request).then((response) => response.clone());
       inFlightRequests.set(key, responsePromise);
-      responsePromise.finally(() => {
-        setTimeout(() => inFlightRequests.delete(key), 100);
-      });
-      return response;
+      try {
+        const response = await responsePromise;
+        return response.clone();
+      } finally {
+        inFlightRequests.delete(key);
+      }
     }
   };
 }
@@ -5708,7 +5706,9 @@ function createETagMiddleware(config) {
         if (Date.now() - cached.timestamp > ttlMs) {
           etagCache.delete(cacheKey);
         } else {
-          request.headers.set("If-None-Match", cached.etag);
+          return cloneRequestWithHeaders(request, (headers) => {
+            headers.set("If-None-Match", cached.etag);
+          });
         }
       }
       return request;
@@ -6000,11 +6000,28 @@ async function inviteUser(config, input) {
     body: input
   });
 }
-async function switchOrg(config, orgId) {
-  return callApi(config, "/auth/switch-org", {
+function normalizeOrgScopedTokenResponse(data) {
+  const accessToken = data.accessToken ?? data.access_token;
+  if (!accessToken) {
+    throw new Error("Invalid org-scoped token response: missing access token");
+  }
+  return {
+    token: accessToken,
+    accessToken,
+    expiresIn: data.expiresIn ?? data.expires_in,
+    tokenType: data.tokenType ?? data.token_type,
+    user: data.user
+  };
+}
+async function getOrgScopedToken(config, orgId) {
+  const data = await callApi(config, "/auth/switch-org", {
     method: "POST",
     body: { orgId }
   });
+  return normalizeOrgScopedTokenResponse(data);
+}
+async function switchOrg(config, orgId) {
+  return getOrgScopedToken(config, orgId);
 }
 var device = {
   /**
@@ -8002,6 +8019,9 @@ async function getBillingUsage(config, options) {
   });
 }
 
+// src/storage.ts
+init_errors();
+
 // src/lib/retry.ts
 init_constants();
 var DEFAULT_RETRY_CONFIG = {
@@ -8124,7 +8144,6 @@ var PATHS = {
   versions: (id) => `/storage/files/${encodeURIComponent(String(id))}/versions`,
   versionRestore: (id, vid) => `/storage/files/${encodeURIComponent(String(id))}/versions/${encodeURIComponent(String(vid))}:restore`
 };
-var isBrowser = () => typeof globalThis !== "undefined" && typeof globalThis.window !== "undefined";
 var hasXhr = () => typeof globalThis.XMLHttpRequest !== "undefined";
 var hasLocalStorage = () => {
   try {
@@ -8136,16 +8155,14 @@ var hasLocalStorage = () => {
 };
 async function computeSha256Hex(blob) {
   const subtle = globalThis.crypto?.subtle;
-  if (subtle?.digest) {
-    const buf2 = await blob.arrayBuffer();
-    const digest2 = await subtle.digest("SHA-256", buf2);
-    return bytesToHex(new Uint8Array(digest2));
+  if (!subtle?.digest) {
+    throw new SylphxError("Web Crypto SHA-256 support is required for storage uploads", {
+      code: "NOT_IMPLEMENTED"
+    });
   }
-  const nodeCrypto = await import("crypto");
-  const hash = nodeCrypto.createHash("sha256");
-  const buf = Buffer.from(await blob.arrayBuffer());
-  hash.update(buf);
-  return hash.digest("hex");
+  const buf = await blob.arrayBuffer();
+  const digest2 = await subtle.digest("SHA-256", buf);
+  return bytesToHex(new Uint8Array(digest2));
 }
 function bytesToHex(b) {
   let s = "";
@@ -8162,10 +8179,6 @@ function persistResume(rec) {
       localStorage.setItem(resumeKey(rec.uploadId), JSON.stringify(rec));
     } catch {
     }
-    return;
-  }
-  if (!isBrowser()) {
-    void persistResumeNode(rec);
   }
 }
 function clearResume(uploadId) {
@@ -8174,41 +8187,6 @@ function clearResume(uploadId) {
       localStorage.removeItem(resumeKey(uploadId));
     } catch {
     }
-    return;
-  }
-  if (!isBrowser()) void clearResumeNode(uploadId);
-}
-async function persistResumeNode(rec) {
-  try {
-    const fs = await import("fs/promises");
-    const path = await import("path");
-    const os = await import("os");
-    const dir = path.join(os.homedir(), ".sylphx");
-    await fs.mkdir(dir, { recursive: true });
-    const file = path.join(dir, "uploads.json");
-    let store = {};
-    try {
-      const text = await fs.readFile(file, "utf8");
-      store = JSON.parse(text);
-    } catch {
-      store = {};
-    }
-    store[rec.uploadId] = rec;
-    await fs.writeFile(file, JSON.stringify(store), "utf8");
-  } catch {
-  }
-}
-async function clearResumeNode(uploadId) {
-  try {
-    const fs = await import("fs/promises");
-    const path = await import("path");
-    const os = await import("os");
-    const file = path.join(os.homedir(), ".sylphx", "uploads.json");
-    const text = await fs.readFile(file, "utf8");
-    const store = JSON.parse(text);
-    delete store[uploadId];
-    await fs.writeFile(file, JSON.stringify(store), "utf8");
-  } catch {
   }
 }
 function putBlob(url, body, headers, signal, onProgress) {
@@ -8925,7 +8903,7 @@ function createTasksHandler(taskDefs, options = {}) {
         { status: 400 }
       );
     }
-    const signingSecret = options.signingSecret ?? process.env.SYLPHX_SIGNING_SECRET ?? process.env.SYLPHX_SECRET_KEY ?? "";
+    const signingSecret = options.signingSecret ?? process.env.SYLPHX_SIGNING_SECRET ?? "";
     if (signingSecret) {
       const signature = req.headers.get("x-sylphx-signature") ?? "";
       if (!signature) {
@@ -11032,6 +11010,7 @@ export {
   getMemberPermissions,
   getMyReferralCode,
   getOidcDiscoveryDocument,
+  getOrgScopedToken,
   getOrganization,
   getOrganizationInvitations,
   getOrganizationMembers,