@sylphx/sdk 0.8.0-rc.1 → 0.8.0

package/dist/index.d.ts

@@ -82,12 +82,15 @@ interface PlatformRealtimeDeleteChannelResult {
  * Implements the canonical connection string format defined in ADR-055 §5.
  * This is a self-contained copy for SDK package independence (no app imports).
  *
- * Format:
- *   sylphx://{credential}@{slug}.{domain}[:port][/v{version}]
+ * Hosted format:
+ *   sylphx://{credential}@{tenant-slug}.api.sylphx.com[:port][/v{version}]
+ *
+ * Custom/self-hosted domains are also accepted as long as the first DNS label
+ * is the tenant slug.
  *
  * Examples:
- *   sylphx://pk_prod_f19e5cdc3cc54f7ff81bdc26ec5bfbad@bold-river-a1b2c3.sylphx.com
- *   sylphx://sk_prod_5120bfeb5120bfeb5120bfeb5120bfeb@bold-river-a1b2c3.sylphx.com/v1
+ *   sylphx://pk_prod_f19e5cdc3cc54f7ff81bdc26ec5bfbad@bold-river-a1b2c3.api.sylphx.com
+ *   sylphx://sk_prod_5120bfeb5120bfeb5120bfeb5120bfeb@bold-river-a1b2c3.api.sylphx.com/v1
  *   sylphx://pk_dev_abc12345abc12345abc12345abc12345@calm-peak-z9x4d5.sylphx.dev
  *
  * Invariants:
@@ -110,9 +113,9 @@ interface ParsedConnectionUrl {
     readonly env: ConnectionEnv;
     /** First DNS label of the host — the resource slug (e.g. `bold-river-a1b2c3`) */
     readonly slug: string;
-    /** Full host including port when present (e.g. `bold-river-a1b2c3.sylphx.com`) */
+    /** Full host including port when present (e.g. `bold-river-a1b2c3.api.sylphx.com`) */
     readonly host: string;
-    /** Ready-to-use SDK base URL, always HTTPS (e.g. `https://bold-river-a1b2c3.sylphx.com/v1`) */
+    /** Ready-to-use SDK base URL, always HTTPS (e.g. `https://bold-river-a1b2c3.api.sylphx.com/v1`) */
     readonly apiBaseUrl: string;
 }
 declare class InvalidConnectionUrlError extends Error {
@@ -132,7 +135,7 @@ declare class InvalidConnectionUrlError extends Error {
  * import { createClient } from '@sylphx/sdk'
  *
  * const sylphx = createClient(process.env.SYLPHX_URL!)
- * // Parses: sylphx://pk_prod_{hex}@bold-river-a1b2c3.sylphx.com
+ * // Parses: sylphx://pk_prod_{hex}@bold-river-a1b2c3.api.sylphx.com
  * ```
  */
 
@@ -151,7 +154,7 @@ interface SylphxConfig {
     readonly env: 'dev' | 'stg' | 'prod' | 'prev';
     /** Resource slug (first DNS label), e.g. 'bold-river-a1b2c3' */
     readonly slug: string;
-    /** Pre-computed API base URL, e.g. 'https://bold-river-a1b2c3.sylphx.com/v1' */
+    /** Pre-computed API base URL, e.g. 'https://bold-river-a1b2c3.api.sylphx.com/v1' */
     readonly baseUrl: string;
     /** Optional access token for authenticated requests */
     readonly accessToken?: string;
@@ -204,7 +207,7 @@ interface SylphxClientInput {
  * @example Connection URL (recommended)
  * ```typescript
  * const sylphx = createClient(process.env.NEXT_PUBLIC_SYLPHX_URL!)
- * // Parses: sylphx://pk_prod_{hex}@bold-river-a1b2c3.sylphx.com
+ * // Parses: sylphx://pk_prod_{hex}@bold-river-a1b2c3.api.sylphx.com
  * ```
  *
  * @example Explicit components
@@ -225,7 +228,7 @@ declare function createClient(input: string | SylphxClientInput): SylphxConfig;
  * @example Connection URL (recommended)
  * ```typescript
  * const sylphx = createServerClient(process.env.SYLPHX_SECRET_URL!)
- * // Parses: sylphx://sk_prod_{hex}@bold-river-a1b2c3.sylphx.com
+ * // Parses: sylphx://sk_prod_{hex}@bold-river-a1b2c3.api.sylphx.com
  * ```
  *
  * @example Explicit components
@@ -1752,6 +1755,8 @@ declare function getWebhookStats(config: SylphxConfig, environmentId?: string):
  * exposed; those aliases now come directly from `@sylphx/contract`.
  */
 
+declare const OAUTH_PROVIDERS: readonly ["google", "github", "apple", "microsoft", "facebook", "twitter", "discord", "linkedin", "slack", "gitlab", "bitbucket", "twitch", "spotify"];
+type OAuthProviderId = (typeof OAUTH_PROVIDERS)[number];
 /** SDK cookie/token shape. Richer authenticated surfaces live in `./react/types` `UserProfile`. */
 interface User {
     id: string;
@@ -2634,6 +2639,28 @@ interface PlatformAccessTokenClaims {
     readonly org_role?: string;
     readonly iat?: number;
     readonly exp?: number;
+    /**
+     * RFC 7800 confirmation claim — present when the token is sender-
+     * constrained. Today we emit this for DPoP-bound tokens (RFC 9449)
+     * where `cnf.jkt` is the SHA-256 thumbprint of the client's DPoP
+     * public key.
+     *
+     * Resource servers (e.g. apps/api Management plane) that want to
+     * enforce DPoP MUST:
+     *   1. Look up `oauth_clients.dpop_bound_access_tokens` on the
+     *      issuing client to know whether DPoP is required.
+     *   2. If required AND `cnf.jkt` is absent, reject 401.
+     *   3. If `cnf.jkt` is present, verify the inbound `DPoP` header's
+     *      proof JWT and assert its public-key thumbprint matches `jkt`.
+     *
+     * Pre-Wave-5.3 this field was stripped from `verifyAccessToken`'s
+     * return value, making resource-side enforcement impossible without
+     * decoding the JWT a second time. Exposing it preserves the wire
+     * format and unlocks the resource-server DPoP middleware.
+     */
+    readonly cnf?: {
+        readonly jkt?: string;
+    };
 }
 /**
  * `verifyAccessToken` — local JWT verification against cached JWKS.
@@ -7606,9 +7633,9 @@ declare function captureMessage(config: SylphxConfig, message: string, options?:
  * ## Usage
  *
  * ```typescript
- * import { createConfig, SandboxClient } from '@sylphx/sdk'
+ * import { createServerClient, SandboxClient } from '@sylphx/sdk'
  *
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY!, ref: 'your-ref' })
+ * const config = createServerClient(process.env.SYLPHX_URL!)
  *
  * // Create sandbox (Platform waits for pod ready before returning)
  * const sandbox = await SandboxClient.create(config)
@@ -7634,6 +7661,12 @@ declare function captureMessage(config: SylphxConfig, message: string, options?:
 interface SandboxOptions {
     /** Docker image (must be in registry.sylphx.com). Omit to use env default. */
     image?: string;
+    /**
+     * Request timeout for the create lifecycle call.
+     * Defaults to the SDK's sandbox-create budget, which matches the Runtime
+     * API readiness wait plus transport margin.
+     */
+    createTimeoutMs?: number;
     /** Idle timeout in ms before auto-termination (default: 300_000 = 5 min) */
     idleTimeoutMs?: number;
     /** Storage size in GiB (enables persistent PVC; default: disabled) */
@@ -7955,9 +7988,9 @@ declare class SandboxClient {
  *
  * ### Single worker
  * ```typescript
- * import { createConfig, RunsClient } from '@sylphx/sdk'
+ * import { createServerClient, RunsClient } from '@sylphx/sdk'
  *
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY!, ref: 'my-project' })
+ * const config = createServerClient(process.env.SYLPHX_URL!)
  *
  * const run = await RunsClient.create(config, {
  *   image: 'registry.sylphx.com/sylphx/my-trainer:abc123',
@@ -8192,7 +8225,7 @@ declare class RunHandle {
  *
  * @example
  * ```typescript
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY!, ref: 'my-project' })
+ * const config = createServerClient(process.env.SYLPHX_URL!)
  *
  * // Run a worker and wait for completion
  * const result = await RunsClient.create(config, { ... }).then(w => w.wait())
@@ -8336,8 +8369,8 @@ declare const WorkersClient: {
  *
  * ### Cron → Task
  * ```typescript
- * import { createConfig, TriggersClient } from '@sylphx/sdk'
- * const config = createConfig({ secretKey: process.env.SYLPHX_SECRET_KEY!, ref: 'my-project' })
+ * import { createServerClient, TriggersClient } from '@sylphx/sdk'
+ * const config = createServerClient(process.env.SYLPHX_URL!)
  *
  * const trigger = await TriggersClient.create(config, {
  *   name: 'daily-cleanup',
@@ -8917,7 +8950,7 @@ declare function userInfo(opts: {
     /** Override the discovered endpoint (e.g. when testing against a staging AS). */
     endpoint?: string;
 }): Promise<OidcUserInfoResponse>;
-type OAuthProvider = 'google' | 'github' | 'microsoft' | 'apple' | 'facebook' | (string & {});
+type OAuthProvider = OAuthProviderId | (string & {});
 type PkceMethod = 'S256' | 'plain';
 interface OAuthAuthorizeInput {
     readonly provider: OAuthProvider;
@@ -8937,6 +8970,14 @@ interface OAuthAuthorizeResult {
     /** Opaque server-side state — echo on callback handler if present. */
     readonly state: string;
 }
+interface OAuthProvidersResult {
+    readonly providers: readonly OAuthProvider[];
+}
+interface OAuthCodeExchangeInput {
+    readonly code: string;
+    readonly codeVerifier: string;
+    readonly anonymousId?: string;
+}
 /**
  * Initiate an OAuth flow with the given provider. Returns the provider's
  * authorization URL — redirect the user to it.
@@ -8956,6 +8997,21 @@ interface OAuthAuthorizeResult {
  * ```
  */
 declare function authorizeOAuth(config: SylphxConfig, input: OAuthAuthorizeInput): Promise<OAuthAuthorizeResult>;
+/**
+ * List OAuth providers enabled for the current customer app/environment.
+ *
+ * Uses the same `SylphxConfig` routing surface as every other BaaS call, so
+ * customer apps do not need a second app-id or platformUrl configuration path.
+ */
+declare function listOAuthProviders(config: SylphxConfig): Promise<OAuthProvidersResult>;
+/**
+ * Exchange a social-login authorization code for Platform session tokens.
+ *
+ * This is the customer-app counterpart to {@link authorizeOAuth}. It uses the
+ * app's publishable connection URL as the OAuth client id and keeps PKCE in
+ * the caller's control.
+ */
+declare function exchangeOAuthCode(config: SylphxConfig, input: OAuthCodeExchangeInput): Promise<TokenResponse>;
 /**
  * Parse an OAuth callback URL (e.g. `window.location.href`) into the
  * fields a customer app needs to complete sign-in.
@@ -9391,4 +9447,4 @@ declare const functions: {
     };
 };
 
-export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type FacetsResponse, type FileEvent, type FileInfo, type FileUploadOptions, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type HttpTarget, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthProvider, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunResourceSpec, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SandboxClient, type SandboxFile, SandboxFiles, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, type SignedUrlResult, StepCompleteSignal, StepSleepSignal, type StorageFileVersion, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadProgressEvent, type UploadResult, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResourceSpec as WorkerResourceSpec, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteFile, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, downloadFileVersion, dpop, embed, enableDebug, exponentialBackoff, exportUserData, extendedSignUp, forgotPassword, functions, generateAnonymousId, generatePkce, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBackupCodes, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFileInfo, getFileUrl, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getSignedUrl, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listFileVersions, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, oauth, page, parseOAuthCallback, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, restoreFile, restoreFileVersion, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, softDeleteFile, startPasskeyRegistration, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, uploadAvatar, uploadFile, upsertDocument, user, userInfo, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };
+export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type FacetsResponse, type FileEvent, type FileInfo, type FileUploadOptions, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type HttpTarget, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunResourceSpec, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SandboxClient, type SandboxFile, SandboxFiles, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, type SignedUrlResult, StepCompleteSignal, StepSleepSignal, type StorageFileVersion, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadProgressEvent, type UploadResult, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResourceSpec as WorkerResourceSpec, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteFile, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, downloadFileVersion, dpop, embed, enableDebug, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, forgotPassword, functions, generateAnonymousId, generatePkce, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBackupCodes, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFileInfo, getFileUrl, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getSignedUrl, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listFileVersions, listOAuthProviders, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, oauth, page, parseOAuthCallback, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, restoreFile, restoreFileVersion, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, softDeleteFile, startPasskeyRegistration, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, uploadAvatar, uploadFile, upsertDocument, user, userInfo, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };

package/dist/index.mjs

@@ -9,7 +9,7 @@ var __export = (target, all) => {
 };
 
 // src/constants.ts
-var SDK_API_PATH, DEFAULT_SDK_API_HOST, SDK_VERSION, SDK_PLATFORM, DEFAULT_TIMEOUT_MS, SESSION_TOKEN_LIFETIME_SECONDS, SESSION_TOKEN_LIFETIME_MS, REFRESH_TOKEN_LIFETIME_SECONDS, FLAGS_CACHE_TTL_MS, FLAGS_STALE_WHILE_REVALIDATE_MS, MAX_RETRY_DELAY_MS, BASE_RETRY_DELAY_MS, ANALYTICS_SESSION_TIMEOUT_MS, WEBHOOK_MAX_AGE_MS, WEBHOOK_CLOCK_SKEW_MS, PKCE_CODE_TTL_MS, JOBS_DLQ_MAX_AGE_MS, SESSION_REPLAY_MAX_DURATION_MS, FLAGS_EXPOSURE_DEDUPE_WINDOW_MS, CLICK_ID_EXPIRY_MS, STALE_TIME_FREQUENT_MS, STALE_TIME_MODERATE_MS, STALE_TIME_STABLE_MS, STALE_TIME_STATS_MS, NEW_USER_THRESHOLD_MS, STORAGE_MULTIPART_THRESHOLD_BYTES, STORAGE_DEFAULT_MAX_SIZE_BYTES, STORAGE_AVATAR_MAX_SIZE_BYTES, STORAGE_LARGE_MAX_SIZE_BYTES, JWK_CACHE_TTL_MS, CIRCUIT_BREAKER_FAILURE_THRESHOLD, CIRCUIT_BREAKER_WINDOW_MS, CIRCUIT_BREAKER_OPEN_DURATION_MS, ETAG_CACHE_MAX_ENTRIES, ETAG_CACHE_TTL_MS;
+var SDK_API_PATH, DEFAULT_SDK_API_HOST, SDK_VERSION, SDK_PLATFORM, DEFAULT_TIMEOUT_MS, SANDBOX_CREATE_TIMEOUT_MS, SESSION_TOKEN_LIFETIME_SECONDS, SESSION_TOKEN_LIFETIME_MS, REFRESH_TOKEN_LIFETIME_SECONDS, FLAGS_CACHE_TTL_MS, FLAGS_STALE_WHILE_REVALIDATE_MS, MAX_RETRY_DELAY_MS, BASE_RETRY_DELAY_MS, ANALYTICS_SESSION_TIMEOUT_MS, WEBHOOK_MAX_AGE_MS, WEBHOOK_CLOCK_SKEW_MS, PKCE_CODE_TTL_MS, JOBS_DLQ_MAX_AGE_MS, SESSION_REPLAY_MAX_DURATION_MS, FLAGS_EXPOSURE_DEDUPE_WINDOW_MS, CLICK_ID_EXPIRY_MS, STALE_TIME_FREQUENT_MS, STALE_TIME_MODERATE_MS, STALE_TIME_STABLE_MS, STALE_TIME_STATS_MS, NEW_USER_THRESHOLD_MS, STORAGE_MULTIPART_THRESHOLD_BYTES, STORAGE_DEFAULT_MAX_SIZE_BYTES, STORAGE_AVATAR_MAX_SIZE_BYTES, STORAGE_LARGE_MAX_SIZE_BYTES, JWK_CACHE_TTL_MS, CIRCUIT_BREAKER_FAILURE_THRESHOLD, CIRCUIT_BREAKER_WINDOW_MS, CIRCUIT_BREAKER_OPEN_DURATION_MS, ETAG_CACHE_MAX_ENTRIES, ETAG_CACHE_TTL_MS;
 var init_constants = __esm({
   "src/constants.ts"() {
     "use strict";
@@ -18,6 +18,7 @@ var init_constants = __esm({
     SDK_VERSION = "0.5.0";
     SDK_PLATFORM = typeof window !== "undefined" ? "browser" : typeof process !== "undefined" && process.versions?.node ? "node" : "unknown";
     DEFAULT_TIMEOUT_MS = 3e4;
+    SANDBOX_CREATE_TIMEOUT_MS = 15e4;
     SESSION_TOKEN_LIFETIME_SECONDS = 5 * 60;
     SESSION_TOKEN_LIFETIME_MS = SESSION_TOKEN_LIFETIME_SECONDS * 1e3;
     REFRESH_TOKEN_LIFETIME_SECONDS = 30 * 24 * 60 * 60;
@@ -4878,7 +4879,7 @@ init_constants();
 init_errors();
 var LEGACY_EMBEDDED_REF_PATTERN = /^(pk|sk)_(dev|stg|prod|prev)_[a-z0-9]{12}_[a-f0-9]+$/;
 var LEGACY_APP_KEY_PATTERN = /^app_(dev|stg|prod|prev)_/;
-var MIGRATION_MESSAGE = "API key format has changed. Use a sylphx:// connection URL instead.\n\nNew format: sylphx://pk_prod_{hex}@your-slug.sylphx.com\n\nGenerate new credentials from the Sylphx Console \u2192 Your App \u2192 Environments.\nSee https://docs.sylphx.com/migration for details.";
+var MIGRATION_MESSAGE = "API key format has changed. Use a sylphx:// connection URL instead.\n\nNew format: sylphx://pk_prod_{hex}@your-slug.api.sylphx.com\n\nGenerate new credentials from the Sylphx Console \u2192 Your App \u2192 Environments.\nSee https://docs.sylphx.com/migration for details.";
 function rejectLegacyKeyFormat(input) {
   const trimmed = input.trim().toLowerCase();
   if (LEGACY_APP_KEY_PATTERN.test(trimmed)) {
@@ -4921,7 +4922,7 @@ function createServerClient(input) {
 function createConfigFromUrl(url) {
   if (!url || typeof url !== "string") {
     throw new SylphxError(
-      "[Sylphx] Connection URL is required. Set SYLPHX_URL or NEXT_PUBLIC_SYLPHX_URL environment variable.\n\nFormat: sylphx://pk_prod_{hex}@your-slug.sylphx.com",
+      "[Sylphx] Connection URL is required. Set SYLPHX_URL or NEXT_PUBLIC_SYLPHX_URL environment variable.\n\nFormat: sylphx://pk_prod_{hex}@your-slug.api.sylphx.com",
       { code: "BAD_REQUEST" }
     );
   }
@@ -4930,7 +4931,7 @@ function createConfigFromUrl(url) {
   if (!trimmed.startsWith("sylphx://")) {
     if (CREDENTIAL_REGEX.test(trimmed)) {
       throw new SylphxError(
-        "[Sylphx] Received a bare credential instead of a connection URL.\n\nWrap it in a connection URL: sylphx://<credential>@<slug>.sylphx.com\nOr use createClient({ slug, publicKey }) for explicit components.",
+        "[Sylphx] Received a bare credential instead of a connection URL.\n\nWrap it in a connection URL: sylphx://<credential>@<slug>.api.sylphx.com\nOr use createClient({ slug, publicKey }) for explicit components.",
         { code: "BAD_REQUEST" }
       );
     }
@@ -4975,7 +4976,7 @@ function createConfigFromComponents(input) {
     const credentialType = match[1];
     const env = match[2];
     const slug = resolvedSlug.trim().toLowerCase();
-    const domain = input.domain?.trim() || "api.sylphx.com";
+    const domain = input.domain?.trim() || DEFAULT_SDK_API_HOST;
     const baseUrl = `https://${slug}.${domain}/v1`;
     return freezeConfig({
       credential: trimmedCred,
@@ -4998,7 +4999,7 @@ function createConfigFromComponents(input) {
       const platform = input.platformUrl.trim().replace(/\/$/, "");
       baseUrl = platform.includes("/v1") ? platform : `${platform}/v1`;
     } else {
-      const domain = input.domain?.trim() || "api.sylphx.com";
+      const domain = input.domain?.trim() || DEFAULT_SDK_API_HOST;
       baseUrl = `https://${slug}.${domain}/v1`;
     }
     return freezeConfig({
@@ -5994,7 +5995,7 @@ async function inviteUser(config, input) {
 async function switchOrg(config, orgId) {
   return callApi(config, "/auth/switch-org", {
     method: "POST",
-    body: JSON.stringify({ orgId })
+    body: { orgId }
   });
 }
 var device = {
@@ -6695,6 +6696,8 @@ async function verifyAccessToken(token, opts) {
       const { payload } = await jwtVerify2(token, jwk, {
         audience: opts.audience
       });
+      const cnfRaw = payload.cnf;
+      const cnf = cnfRaw && typeof cnfRaw === "object" && "jkt" in cnfRaw ? { jkt: typeof cnfRaw.jkt === "string" ? cnfRaw.jkt : void 0 } : void 0;
       return {
         sub: payload.sub,
         pid: payload.pid,
@@ -6708,7 +6711,8 @@ async function verifyAccessToken(token, opts) {
         org_slug: payload.org_slug,
         org_role: payload.org_role,
         iat: payload.iat,
-        exp: payload.exp
+        exp: payload.exp,
+        ...cnf ? { cnf } : {}
       };
     } catch (err) {
       lastError = err;
@@ -9692,6 +9696,7 @@ async function captureMessage(config, message2, options = {}) {
 }
 
 // src/sandbox.ts
+init_constants();
 var SandboxFiles = class {
   constructor(endpoint, token) {
     this.endpoint = endpoint;
@@ -9916,7 +9921,8 @@ var SandboxClient = class _SandboxClient {
         env: options?.env,
         storage: options?.storageGi !== void 0 ? { enabled: true, sizeGi: options.storageGi } : void 0,
         volumeMounts: options?.volumeMounts
-      }
+      },
+      timeout: options?.createTimeoutMs ?? SANDBOX_CREATE_TIMEOUT_MS
     });
     return new _SandboxClient(record.id, config, record.endpoint, record.token);
   }
@@ -10477,6 +10483,7 @@ async function markAllSecurityAlertsRead(config) {
 }
 
 // src/oauth.ts
+init_errors();
 async function getOidcDiscoveryDocument(opts) {
   const url = `${opts.baseUrl.replace(/\/$/, "")}/.well-known/openid-configuration`;
   const res = await fetch(url, { headers: { accept: "application/json" } });
@@ -10513,6 +10520,27 @@ async function authorizeOAuth(config, input) {
     }
   });
 }
+async function listOAuthProviders(config) {
+  return callApi(config, "/auth/oauth-providers");
+}
+async function exchangeOAuthCode(config, input) {
+  if (config.credentialType !== "pk" || !config.publicKey) {
+    throw new SylphxError(
+      "[Sylphx] exchangeOAuthCode() requires a publishable connection URL (pk_*).",
+      { code: "BAD_REQUEST" }
+    );
+  }
+  return callApi(config, "/auth/token", {
+    method: "POST",
+    body: {
+      grant_type: "authorization_code",
+      code: input.code,
+      client_id: config.publicKey,
+      code_verifier: input.codeVerifier,
+      ...input.anonymousId ? { anonymous_id: input.anonymousId } : {}
+    }
+  });
+}
 function parseOAuthCallback(url) {
   const parsed = new URL(url);
   return {
@@ -10686,6 +10714,7 @@ export {
   dpop,
   embed,
   enableDebug,
+  exchangeOAuthCode,
   exponentialBackoff,
   exportUserData,
   extendedSignUp,
@@ -10801,6 +10830,7 @@ export {
   linkAnonymousConsents,
   listEnvVars,
   listFileVersions,
+  listOAuthProviders,
   listPasskeys,
   listPermissions,
   listPromoRedemptions,