@sylphx/sdk 0.9.0 → 0.10.1

package/dist/index.mjs

@@ -4783,7 +4783,7 @@ var init_webapi = __esm({
 // src/connection-url.ts
 var SYLPHX_PROTOCOL = "sylphx:";
 var DEFAULT_VERSION = "v1";
-var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}$/;
+var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32,64}$/;
 var VERSION_REGEX = /^v[0-9]+$/;
 var SLUG_REGEX = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;
 var InvalidConnectionUrlError = class _InvalidConnectionUrlError extends Error {
@@ -4800,7 +4800,7 @@ function fail(reason) {
 function parseCredential(raw) {
   const match = CREDENTIAL_REGEX.exec(raw);
   if (!match) {
-    fail(`credential must match (pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}, got "${raw}"`);
+    fail(`credential must match (pk|sk)_(dev|stg|prod|prev)(_{ref})?_{hex}, got "${raw}"`);
   }
   return {
     credentialType: match[1],
@@ -4879,7 +4879,7 @@ init_constants();
 init_errors();
 var LEGACY_EMBEDDED_REF_PATTERN = /^(pk|sk)_(dev|stg|prod|prev)_[a-z0-9]{12}_[a-f0-9]+$/;
 var LEGACY_APP_KEY_PATTERN = /^app_(dev|stg|prod|prev)_/;
-var MIGRATION_MESSAGE = "API key format has changed. Use a sylphx:// connection URL instead.\n\nNew format: sylphx://pk_prod_{hex}@your-slug.api.sylphx.com\n\nGenerate new credentials from the Sylphx Console \u2192 Your App \u2192 Environments.\nSee https://docs.sylphx.com/migration for details.";
+var MIGRATION_MESSAGE = "API key format has changed. Use a sylphx:// connection URL instead.\n\nNew format: sylphx://pk_prod_{ref?}_{hex}@your-slug.api.sylphx.com\n\nGenerate new credentials from the Sylphx Console \u2192 Your App \u2192 Environments.\nSee https://docs.sylphx.com/migration for details.";
 function rejectLegacyKeyFormat(input) {
   const trimmed = input.trim().toLowerCase();
   if (LEGACY_APP_KEY_PATTERN.test(trimmed)) {
@@ -5012,7 +5012,7 @@ function createConfigFromComponents(input) {
     });
   }
   throw new SylphxError(
-    `[Sylphx] Invalid credential format. Expected (pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}. Got: "${trimmedCred.slice(0, 30)}..."`,
+    `[Sylphx] Invalid credential format. Expected (pk|sk)_(dev|stg|prod|prev)(_{ref})?_{hex}. Got: "${trimmedCred.slice(0, 30)}..."`,
     { code: "BAD_REQUEST" }
   );
 }
@@ -5291,11 +5291,12 @@ init_constants();
 init_errors();
 
 // src/key-validation.ts
-var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod)_[a-z0-9_-]+$/;
+var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod|prev)_[a-z0-9_-]+$/;
 var ENV_PREFIX_MAP = {
   dev: "development",
   stg: "staging",
-  prod: "production"
+  prod: "production",
+  prev: "preview"
 };
 function detectKeyIssues(key) {
   const issues = [];
@@ -5320,7 +5321,7 @@ The SDK will automatically sanitize the key, but fixing the source is recommende
 }
 function createInvalidKeyError(keyType, key, envVarName) {
   const maskedKey = key.length > 20 ? `${key.slice(0, 20)}...` : key;
-  const formatHint = keyType === "appId" ? "pk_(dev|stg|prod)_{ref}_{hex} or app_(dev|stg|prod)_[id]" : "sk_(dev|stg|prod)_{ref}_{hex}";
+  const formatHint = keyType === "appId" ? "pk_(dev|stg|prod|prev)_{ref}_{hex} or app_(dev|stg|prod|prev)_[id]" : "sk_(dev|stg|prod|prev)_{ref}_{hex}";
   const keyTypeName = keyType === "appId" ? "App ID" : "Secret Key";
   return `[Sylphx] Invalid ${keyTypeName} format.
 
@@ -5333,7 +5334,7 @@ You can find your keys in the Sylphx Console \u2192 API Keys.
 Common issues:
 \u2022 Key has uppercase characters (must be lowercase)
 \u2022 Key has wrong prefix (App ID: pk_ or app_, Secret Key: sk_)
-\u2022 Key has invalid environment (must be dev, stg, or prod)
+\u2022 Key has invalid environment (must be dev, stg, prod, or prev)
 \u2022 Key was copied with extra whitespace`;
 }
 function extractEnvironment(key) {
@@ -5380,7 +5381,7 @@ function validateKeyForType(key, keyType, pattern, envVarName) {
   };
 }
 function validateSecretKey(key) {
-  return validateKeyForType(key, "secret", SECRET_KEY_PATTERN, "SYLPHX_SECRET_KEY");
+  return validateKeyForType(key, "secret", SECRET_KEY_PATTERN, "secret credential");
 }
 function validateAndSanitizeSecretKey(key) {
   const result = validateSecretKey(key);
@@ -5402,7 +5403,14 @@ async function runPipeline(middlewares, initial) {
       if (next) request = next;
     }
   }
-  let response = await fetch(request);
+  const fetchWithMiddleware = middlewares.reduceRight(
+    (next, mw) => mw.onFetch ? async (request2) => {
+      const response2 = await mw.onFetch?.({ request: request2, next });
+      return response2 ?? next(request2);
+    } : next,
+    (request2) => fetch(request2)
+  );
+  let response = await fetchWithMiddleware(request);
   for (const mw of middlewares) {
     if (mw.onResponse) {
       const next = await mw.onResponse({ request, response });
@@ -5421,6 +5429,11 @@ function buildUrl(baseUrl, path, params) {
   ).toString();
   return `${url}?${search2}`;
 }
+function cloneRequestWithHeaders(request, updateHeaders) {
+  const headers = new Headers(request.headers);
+  updateHeaders(headers);
+  return new Request(request, { headers });
+}
 function interpolatePath(path, pathParams) {
   if (!pathParams) return path;
   return path.replace(/\{(\w+)\}/g, (_match, key) => {
@@ -5483,66 +5496,51 @@ function buildClient(baseUrl, baseHeaders) {
 function createAuthMiddleware(config) {
   return {
     async onRequest({ request }) {
-      request.headers.set("X-SDK-Version", SDK_VERSION);
-      request.headers.set("X-SDK-Platform", SDK_PLATFORM);
-      if (config.secretKey) {
-        request.headers.set("x-app-secret", config.secretKey);
-      }
-      const token = config.getAccessToken?.();
-      if (token) {
-        request.headers.set("Authorization", `Bearer ${token}`);
-      }
-      return request;
+      return cloneRequestWithHeaders(request, (headers) => {
+        headers.set("X-SDK-Version", SDK_VERSION);
+        headers.set("X-SDK-Platform", SDK_PLATFORM);
+        if (config.secretKey) {
+          headers.set("x-app-secret", config.secretKey);
+        }
+        const token = config.getAccessToken?.();
+        if (token) {
+          headers.set("Authorization", `Bearer ${token}`);
+        }
+      });
     }
   };
 }
 function isRetryableStatus(status) {
   return status >= 500 || status === 429;
 }
-var inFlightRequests = /* @__PURE__ */ new Map();
 async function getRequestKey(request) {
   const body = request.body ? await request.clone().text() : "";
   return `${request.method}:${request.url}:${body}`;
 }
 function createDeduplicationMiddleware(config = {}) {
   const { enabled = true, methods = ["GET"] } = config;
-  if (!enabled) {
-    return {
-      async onRequest({ request }) {
-        return request;
-      }
-    };
-  }
+  if (!enabled) return {};
+  const inFlightRequests = /* @__PURE__ */ new Map();
   return {
-    async onRequest({ request }) {
-      if (!methods.includes(request.method)) {
-        return request;
+    async onFetch({ request, next }) {
+      const method = request.method.toUpperCase();
+      if (!methods.includes(method)) {
+        return next(request);
       }
       const key = await getRequestKey(request);
       const existing = inFlightRequests.get(key);
       if (existing) {
-        const deduped = request.clone();
-        deduped._dedupKey = key;
-        return deduped;
-      }
-      ;
-      request._dedupKey = key;
-      return request;
-    },
-    async onResponse({ request, response }) {
-      const key = request._dedupKey;
-      if (!key) return response;
-      const existing = inFlightRequests.get(key);
-      if (existing && inFlightRequests.get(key) !== void 0) {
         const cachedResponse = await existing;
         return cachedResponse.clone();
       }
-      const responsePromise = Promise.resolve(response.clone());
+      const responsePromise = next(request).then((response) => response.clone());
       inFlightRequests.set(key, responsePromise);
-      responsePromise.finally(() => {
-        setTimeout(() => inFlightRequests.delete(key), 100);
-      });
-      return response;
+      try {
+        const response = await responsePromise;
+        return response.clone();
+      } finally {
+        inFlightRequests.delete(key);
+      }
     }
   };
 }
@@ -5708,7 +5706,9 @@ function createETagMiddleware(config) {
         if (Date.now() - cached.timestamp > ttlMs) {
           etagCache.delete(cacheKey);
         } else {
-          request.headers.set("If-None-Match", cached.etag);
+          return cloneRequestWithHeaders(request, (headers) => {
+            headers.set("If-None-Match", cached.etag);
+          });
         }
       }
       return request;
@@ -6000,11 +6000,28 @@ async function inviteUser(config, input) {
     body: input
   });
 }
-async function switchOrg(config, orgId) {
-  return callApi(config, "/auth/switch-org", {
+function normalizeOrgScopedTokenResponse(data) {
+  const accessToken = data.accessToken ?? data.access_token;
+  if (!accessToken) {
+    throw new Error("Invalid org-scoped token response: missing access token");
+  }
+  return {
+    token: accessToken,
+    accessToken,
+    expiresIn: data.expiresIn ?? data.expires_in,
+    tokenType: data.tokenType ?? data.token_type,
+    user: data.user
+  };
+}
+async function getOrgScopedToken(config, orgId) {
+  const data = await callApi(config, "/auth/switch-org", {
     method: "POST",
     body: { orgId }
   });
+  return normalizeOrgScopedTokenResponse(data);
+}
+async function switchOrg(config, orgId) {
+  return getOrgScopedToken(config, orgId);
 }
 var device = {
   /**
@@ -8003,168 +8020,208 @@ async function getBillingUsage(config, options) {
 }
 
 // src/storage.ts
-import { storageEndpoints } from "@sylphx/contract";
-init_constants();
 init_errors();
-var UPLOAD_RETRY_CONFIG = {
-  /** Maximum number of retry attempts (AWS S3 pattern) */
+
+// src/lib/retry.ts
+init_constants();
+var DEFAULT_RETRY_CONFIG = {
   maxRetries: 5,
-  /** Base delay in milliseconds */
   baseDelayMs: BASE_RETRY_DELAY_MS,
-  /** Maximum delay cap in milliseconds */
-  maxDelayMs: MAX_RETRY_DELAY_MS,
-  /** Jitter type: 'full' for full jitter (AWS recommended) */
-  jitter: "full"
+  maxDelayMs: MAX_RETRY_DELAY_MS
 };
-function calculateBackoffDelay(attempt) {
-  const { baseDelayMs, maxDelayMs } = UPLOAD_RETRY_CONFIG;
-  const exponentialDelay = baseDelayMs * 2 ** attempt;
-  const cappedDelay = Math.min(exponentialDelay, maxDelayMs);
-  return Math.random() * cappedDelay;
+function calculateBackoffDelay(attempt, config = DEFAULT_RETRY_CONFIG) {
+  const exp = config.baseDelayMs * 2 ** attempt;
+  const capped = Math.min(exp, config.maxDelayMs);
+  return Math.random() * capped;
 }
-async function sleep(ms, signal) {
+function sleep(ms, signal) {
   return new Promise((resolve, reject) => {
     if (signal?.aborted) {
-      reject(new DOMException("Upload aborted", "AbortError"));
+      reject(toAbortError());
       return;
     }
-    const timeoutId = setTimeout(resolve, ms);
+    const timer = setTimeout(resolve, ms);
     signal?.addEventListener(
       "abort",
       () => {
-        clearTimeout(timeoutId);
-        reject(new DOMException("Upload aborted", "AbortError"));
+        clearTimeout(timer);
+        reject(toAbortError());
       },
       { once: true }
     );
   });
 }
+var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([408, 425, 429]);
 function isRetryableError2(error) {
-  if (error instanceof DOMException && error.name === "AbortError") {
-    return false;
-  }
-  if (error instanceof TypeError) {
-    return true;
-  }
+  if (isAbortError(error)) return false;
+  if (error instanceof TypeError) return true;
   if (error instanceof Error && "status" in error) {
     const status = error.status;
-    return status >= 500 || status === 429;
+    return status >= 500 || RETRYABLE_STATUSES.has(status);
   }
   return false;
 }
-async function uploadFile(config, file, options) {
-  const { signal } = options ?? {};
-  if (signal?.aborted) {
-    throw new DOMException("Upload aborted", "AbortError");
+function isAbortError(error) {
+  if (error instanceof DOMException && error.name === "AbortError") return true;
+  if (error instanceof Error && error.name === "AbortError") return true;
+  return false;
+}
+function toAbortError(message2 = "Aborted") {
+  if (typeof DOMException !== "undefined") {
+    return new DOMException(message2, "AbortError");
   }
-  let tokenResponse = null;
-  let lastError = null;
-  for (let attempt = 0; attempt <= UPLOAD_RETRY_CONFIG.maxRetries; attempt++) {
+  const err = new Error(message2);
+  err.name = "AbortError";
+  return err;
+}
+async function withRetry(fn, options = {}) {
+  const cfg = {
+    maxRetries: options.maxRetries ?? DEFAULT_RETRY_CONFIG.maxRetries,
+    baseDelayMs: options.baseDelayMs ?? DEFAULT_RETRY_CONFIG.baseDelayMs,
+    maxDelayMs: options.maxDelayMs ?? DEFAULT_RETRY_CONFIG.maxDelayMs
+  };
+  let lastError;
+  for (let attempt = 0; attempt <= cfg.maxRetries; attempt++) {
+    if (options.signal?.aborted) throw toAbortError("Aborted");
     try {
-      tokenResponse = await fetch(buildApiUrl(config, "/storage/upload"), {
-        method: "POST",
-        headers: buildHeaders(config),
-        body: JSON.stringify({
-          filename: file.name,
-          contentType: file.type,
-          size: file.size,
-          path: options?.path,
-          type: options?.type ?? "file",
-          userId: options?.userId
-        }),
-        signal
-      });
-      if (tokenResponse.ok) {
-        break;
-      }
-      if (tokenResponse.status >= 500 || tokenResponse.status === 429) {
-        if (attempt < UPLOAD_RETRY_CONFIG.maxRetries) {
-          const delay = calculateBackoffDelay(attempt);
-          await sleep(delay, signal);
-          continue;
-        }
-      }
-      const error = await tokenResponse.json().catch(() => ({ message: "Failed to get upload token" }));
-      throw new SylphxError(error.message ?? "Failed to get upload token", {
-        code: "BAD_REQUEST"
-      });
-    } catch (error) {
-      if (error instanceof DOMException && error.name === "AbortError") {
-        throw error;
-      }
-      lastError = error instanceof Error ? error : new Error(String(error));
-      if (isRetryableError2(error) && attempt < UPLOAD_RETRY_CONFIG.maxRetries) {
-        const delay = calculateBackoffDelay(attempt);
-        await sleep(delay, signal);
-        continue;
-      }
-      throw lastError;
-    }
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      if (isAbortError(err)) throw err;
+      if (attempt === cfg.maxRetries) break;
+      if (!isRetryableError2(err)) throw err;
+      const retryAfter = extractRetryAfter(err);
+      const delay = retryAfter ?? calculateBackoffDelay(attempt, cfg);
+      options.onRetry?.(attempt, delay, err);
+      await sleep(delay, options.signal);
+    }
+  }
+  throw lastError;
+}
+function extractRetryAfter(err) {
+  if (err && typeof err === "object" && "retryAfter" in err) {
+    const v = err.retryAfter;
+    if (typeof v === "number" && v > 0) return v * 1e3;
+  }
+  return void 0;
+}
+function uuidv7() {
+  const ms = BigInt(Date.now());
+  const bytes = randomBytes(16);
+  bytes[0] = Number(ms >> 40n & 0xffn);
+  bytes[1] = Number(ms >> 32n & 0xffn);
+  bytes[2] = Number(ms >> 24n & 0xffn);
+  bytes[3] = Number(ms >> 16n & 0xffn);
+  bytes[4] = Number(ms >> 8n & 0xffn);
+  bytes[5] = Number(ms & 0xffn);
+  bytes[6] = bytes[6] & 15 | 112;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
+}
+function randomBytes(n) {
+  const out = new Uint8Array(n);
+  const c = globalThis.crypto;
+  if (c?.getRandomValues) {
+    c.getRandomValues(out);
+    return out;
+  }
+  for (let i = 0; i < n; i++) out[i] = Math.floor(Math.random() * 256);
+  return out;
+}
+
+// src/storage.ts
+var PATHS = {
+  uploads: "/storage/uploads",
+  upload: (id) => `/storage/uploads/${encodeURIComponent(String(id))}`,
+  uploadComplete: (id) => `/storage/uploads/${encodeURIComponent(String(id))}:complete`,
+  uploadPart: (id, n) => `/storage/uploads/${encodeURIComponent(String(id))}/parts/${n}`,
+  files: "/storage/files",
+  file: (id) => `/storage/files/${encodeURIComponent(String(id))}`,
+  fileRestore: (id) => `/storage/files/${encodeURIComponent(String(id))}:restore`,
+  fileSignedUrl: (id) => `/storage/files/${encodeURIComponent(String(id))}:signedUrl`,
+  fileCopy: (id) => `/storage/files/${encodeURIComponent(String(id))}:copy`,
+  versions: (id) => `/storage/files/${encodeURIComponent(String(id))}/versions`,
+  versionRestore: (id, vid) => `/storage/files/${encodeURIComponent(String(id))}/versions/${encodeURIComponent(String(vid))}:restore`
+};
+var hasXhr = () => typeof globalThis.XMLHttpRequest !== "undefined";
+var hasLocalStorage = () => {
+  try {
+    const ls = globalThis.localStorage;
+    return Boolean(ls && typeof ls.getItem === "function");
+  } catch {
+    return false;
   }
-  if (!tokenResponse?.ok) {
-    throw lastError ?? new SylphxError("Failed to get upload token after retries", {
-      code: "BAD_REQUEST"
+};
+async function computeSha256Hex(blob) {
+  const subtle = globalThis.crypto?.subtle;
+  if (!subtle?.digest) {
+    throw new SylphxError("Web Crypto SHA-256 support is required for storage uploads", {
+      code: "NOT_IMPLEMENTED"
     });
   }
-  const { uploadUrl, publicUrl } = await tokenResponse.json();
-  return executeUploadWithRetry(file, uploadUrl, publicUrl, options);
+  const buf = await blob.arrayBuffer();
+  const digest2 = await subtle.digest("SHA-256", buf);
+  return bytesToHex(new Uint8Array(digest2));
 }
-async function executeUploadWithRetry(file, uploadUrl, publicUrl, options) {
-  const { signal } = options ?? {};
-  let lastError = null;
-  for (let attempt = 0; attempt <= UPLOAD_RETRY_CONFIG.maxRetries; attempt++) {
+function bytesToHex(b) {
+  let s = "";
+  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+  return s;
+}
+var RESUME_KEY_PREFIX = "sylphx_upload_";
+function resumeKey(uploadId) {
+  return `${RESUME_KEY_PREFIX}${uploadId}`;
+}
+function persistResume(rec) {
+  if (hasLocalStorage()) {
     try {
-      return await executeUpload(file, uploadUrl, publicUrl, options);
-    } catch (error) {
-      if (error instanceof DOMException && error.name === "AbortError") {
-        throw error;
-      }
-      lastError = error instanceof Error ? error : new Error(String(error));
-      if (isRetryableError2(error) && attempt < UPLOAD_RETRY_CONFIG.maxRetries) {
-        const delay = calculateBackoffDelay(attempt);
-        await sleep(delay, signal);
-        continue;
-      }
-      throw lastError;
+      localStorage.setItem(resumeKey(rec.uploadId), JSON.stringify(rec));
+    } catch {
     }
   }
-  throw lastError ?? new Error("Upload failed after retries");
 }
-function executeUpload(file, uploadUrl, publicUrl, options) {
-  const { signal, onProgress } = options ?? {};
+function clearResume(uploadId) {
+  if (hasLocalStorage()) {
+    try {
+      localStorage.removeItem(resumeKey(uploadId));
+    } catch {
+    }
+  }
+}
+function putBlob(url, body, headers, signal, onProgress) {
+  if (hasXhr()) return putBlobXhr(url, body, headers, signal, onProgress);
+  return putBlobFetch(url, body, headers, signal, onProgress);
+}
+function putBlobXhr(url, body, headers, signal, onProgress) {
   return new Promise((resolve, reject) => {
     const xhr = new XMLHttpRequest();
     const handleAbort = () => {
-      xhr.abort();
-      reject(new DOMException("Upload aborted", "AbortError"));
+      try {
+        xhr.abort();
+      } catch {
+      }
+      reject(toAbortError("Upload aborted"));
     };
     if (signal?.aborted) {
-      reject(new DOMException("Upload aborted", "AbortError"));
+      reject(toAbortError("Upload aborted"));
       return;
     }
     signal?.addEventListener("abort", handleAbort, { once: true });
-    xhr.upload.addEventListener("progress", (event) => {
-      if (event.lengthComputable && onProgress) {
-        onProgress({
-          loaded: event.loaded,
-          total: event.total,
-          progress: Math.round(event.loaded / event.total * 100)
-        });
-      }
-    });
+    if (onProgress) {
+      xhr.upload.addEventListener("progress", (e) => {
+        if (e.lengthComputable) onProgress(e.loaded);
+      });
+    }
     xhr.addEventListener("load", () => {
       signal?.removeEventListener("abort", handleAbort);
       if (xhr.status >= 200 && xhr.status < 300) {
-        resolve({
-          url: publicUrl,
-          pathname: options?.path ? `${options.path}/${file.name}` : file.name,
-          contentType: file.type,
-          size: file.size
-        });
+        const etag = resolveXhrEtag(xhr);
+        resolve({ etag: stripQuotes(etag), status: xhr.status });
       } else {
-        const error = new Error(`Upload failed with status ${xhr.status}`);
-        error.status = xhr.status;
-        reject(error);
+        const err = new Error(`PUT failed with status ${xhr.status}`);
+        err.status = xhr.status;
+        reject(err);
       }
     });
     xhr.addEventListener("error", () => {
@@ -8173,93 +8230,291 @@ function executeUpload(file, uploadUrl, publicUrl, options) {
     });
     xhr.addEventListener("abort", () => {
       signal?.removeEventListener("abort", handleAbort);
-      reject(new DOMException("Upload aborted", "AbortError"));
+      reject(toAbortError("Upload aborted"));
     });
-    xhr.open("PUT", uploadUrl);
-    xhr.setRequestHeader("Content-Type", file.type);
-    xhr.send(file);
-  });
-}
-async function uploadAvatar(config, file, userId, options) {
-  return uploadFile(config, file, {
-    ...options,
-    type: "avatar",
-    userId
+    xhr.open("PUT", url);
+    for (const [k, v] of Object.entries(headers)) {
+      try {
+        xhr.setRequestHeader(k, v);
+      } catch {
+      }
+    }
+    xhr.send(body);
   });
 }
-async function deleteFile(config, fileId) {
-  const endpoint = storageEndpoints.delete;
-  await callApi(
-    config,
-    endpoint.path.replace(":id", encodeURIComponent(fileId)),
-    { method: endpoint.method }
-  );
-}
-async function getFileUrl(config, fileId) {
-  const data = await callApi(config, `/storage/files/${fileId}`, { method: "GET" });
-  return data.url;
+function resolveXhrEtag(xhr) {
+  const canonical = xhr.getResponseHeader("ETag");
+  if (canonical !== null) return canonical;
+  return xhr.getResponseHeader("etag") ?? "";
 }
-async function getFileInfo(config, fileId) {
-  const endpoint = storageEndpoints.get;
-  return callApi(config, endpoint.path.replace(":id", encodeURIComponent(fileId)), {
-    method: endpoint.method
+async function putBlobFetch(url, body, headers, signal, onProgress) {
+  let stream = body;
+  if (onProgress && typeof TransformStream !== "undefined" && typeof body.stream === "function") {
+    let loaded = 0;
+    const counter = new TransformStream({
+      transform(chunk, controller) {
+        loaded += chunk.byteLength;
+        onProgress(loaded);
+        controller.enqueue(chunk);
+      }
+    });
+    stream = body.stream().pipeThrough(counter);
+  }
+  const res = await fetch(url, {
+    method: "PUT",
+    body: stream,
+    headers,
+    signal,
+    // Required when streaming a request body in Chromium / undici.
+    // Cast: TS lib lacks `duplex`.
+    ...{ duplex: "half" }
   });
+  if (!res.ok) {
+    const err = new Error(`PUT failed with status ${res.status}`);
+    err.status = res.status;
+    throw err;
+  }
+  const etag = resolveFetchEtag(res.headers);
+  if (onProgress) onProgress(body.size);
+  return { etag: stripQuotes(etag), status: res.status };
 }
-async function listFileVersions(config, fileId) {
-  const data = await callApi(
-    config,
-    `/storage/files/${encodeURIComponent(fileId)}/versions`,
-    { method: "GET" }
-  );
-  return data.versions;
+function resolveFetchEtag(headers) {
+  const lowerCase = headers.get("etag");
+  if (lowerCase !== null) return lowerCase;
+  return headers.get("ETag") ?? "";
 }
-async function restoreFileVersion(config, fileId, versionId) {
-  const data = await callApi(
-    config,
-    `/storage/files/${encodeURIComponent(fileId)}/versions/${encodeURIComponent(versionId)}/restore`,
-    { method: "POST" }
-  );
-  return data.version;
+function stripQuotes(s) {
+  if (s.length >= 2 && s.startsWith('"') && s.endsWith('"')) return s.slice(1, -1);
+  return s;
 }
-async function softDeleteFile(config, fileId) {
-  await callApi(config, `/storage/files/${encodeURIComponent(fileId)}`, {
-    method: "DELETE"
+async function putWithRetry(url, body, headers, signal, onProgress) {
+  let lastErr;
+  const maxRetries = 5;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    if (signal?.aborted) throw toAbortError();
+    try {
+      return await putBlob(url, body, headers, signal, onProgress);
+    } catch (err) {
+      if (isAbortError(err)) throw err;
+      lastErr = err;
+      if (attempt === maxRetries || !isRetryableError2(err)) throw err;
+      await sleep(calculateBackoffDelay(attempt), signal);
+    }
+  }
+  throw lastErr;
+}
+async function uploadsCreate(config, blob, options) {
+  const signal = options.signal;
+  if (signal?.aborted) throw toAbortError();
+  const filename = options.filename ?? (isFile(blob) ? blob.name : void 0) ?? "upload.bin";
+  const contentType = options.contentType ?? (blob.type && blob.type.length > 0 ? blob.type : "application/octet-stream");
+  const size = blob.size;
+  const checksumSha256 = options.checksumSha256 ?? await computeSha256Hex(blob);
+  const idempotencyKey = options.idempotencyKey ?? uuidv7();
+  const createBody = {
+    filename,
+    contentType,
+    size,
+    folder: options.folder,
+    visibility: options.visibility,
+    metadata: options.metadata,
+    checksumSha256,
+    ifNoneMatch: options.ifNoneMatch
+  };
+  const session = await callApi(config, PATHS.uploads, {
+    method: "POST",
+    body: createBody,
+    idempotencyKey,
+    signal
   });
+  const uploadId = session.uploadId;
+  const onAborted = async () => {
+    try {
+      await callApi(config, PATHS.upload(uploadId), { method: "DELETE" });
+    } catch {
+    }
+    clearResume(String(uploadId));
+  };
+  try {
+    if (session.method === "PUT") {
+      return await runSinglePart(config, blob, session, options, idempotencyKey);
+    }
+    return await runMultipart(config, blob, session, options, idempotencyKey);
+  } catch (err) {
+    if (isAbortError(err)) {
+      await onAborted();
+    }
+    throw err;
+  }
 }
-async function restoreFile(config, fileId) {
-  const data = await callApi(
-    config,
-    `/storage/files/${encodeURIComponent(fileId)}/restore`,
-    { method: "POST" }
-  );
-  return data.file;
+function isFile(b) {
+  return typeof b.name === "string";
 }
-async function downloadFileVersion(config, fileId, versionId) {
-  const signed = await callApi(
+async function runSinglePart(config, blob, session, options, idempotencyKey) {
+  const { onProgress, signal } = options;
+  const total = blob.size;
+  const trackProgress = onProgress ? (loaded) => {
+    onProgress({ loaded, total, partsCompleted: 0, partsTotal: 1 });
+  } : void 0;
+  const put = await putWithRetry(session.url, blob, session.headers, signal, trackProgress);
+  if (onProgress) onProgress({ loaded: total, total, partsCompleted: 1, partsTotal: 1 });
+  const completion = await callApi(
     config,
-    "/storage/signed-url",
+    PATHS.uploadComplete(session.uploadId),
     {
       method: "POST",
-      body: { fileId, versionId }
+      body: { parts: [{ partNumber: 1, etag: put.etag }] },
+      idempotencyKey: `${idempotencyKey}:complete`,
+      signal
     }
   );
-  const res = await fetch(signed.url);
-  if (!res.ok) {
-    throw new SylphxError(`Failed to download version payload: ${res.status}`, {
-      code: "BAD_REQUEST"
+  clearResume(String(session.uploadId));
+  return await fetchFile(config, completion.fileId);
+}
+async function runMultipart(config, blob, session, options, idempotencyKey) {
+  const { onProgress, signal } = options;
+  const partSize = session.partSize;
+  const total = blob.size;
+  const partsTotal = session.partCount;
+  const completedParts = [];
+  const partLoaded = /* @__PURE__ */ new Map();
+  const reportProgress = () => {
+    if (!onProgress) return;
+    let loaded = 0;
+    for (const v of partLoaded.values()) loaded += v;
+    onProgress({ loaded, total, partsCompleted: completedParts.length, partsTotal });
+  };
+  for (const part of session.parts) {
+    if (signal?.aborted) throw toAbortError();
+    const offset = (part.partNumber - 1) * partSize;
+    const end = Math.min(offset + partSize, total);
+    const slice = blob.slice(offset, end);
+    const trackProgress = onProgress ? (loaded) => {
+      partLoaded.set(part.partNumber, loaded);
+      reportProgress();
+    } : void 0;
+    const result = await putWithRetry(part.url, slice, {}, signal, trackProgress);
+    completedParts.push({ partNumber: part.partNumber, etag: result.etag });
+    partLoaded.set(part.partNumber, slice.size);
+    reportProgress();
+    persistResume({
+      uploadId: String(session.uploadId),
+      completedParts: [...completedParts],
+      updatedAt: Date.now()
     });
   }
-  return res.blob();
+  const completion = await callApi(
+    config,
+    PATHS.uploadComplete(session.uploadId),
+    {
+      method: "POST",
+      body: { parts: completedParts },
+      idempotencyKey: `${idempotencyKey}:complete`,
+      signal
+    }
+  );
+  clearResume(String(session.uploadId));
+  return await fetchFile(config, completion.fileId);
 }
-async function getSignedUrl(config, fileId, options) {
-  return callApi(config, "/storage/signed-url", {
-    method: "POST",
-    body: {
-      fileId,
-      ...options
+async function fetchFile(config, fileId) {
+  return callApi(config, PATHS.file(fileId), { method: "GET" });
+}
+async function uploadsAbort(config, uploadId) {
+  await withRetry(() => callApi(config, PATHS.upload(uploadId), { method: "DELETE" }), {
+    maxRetries: 3
+  });
+  clearResume(String(uploadId));
+}
+function filesListPage(config, options, cursor) {
+  const query = {
+    folder: options.folder,
+    cursor: cursor ?? options.cursor,
+    limit: options.limit,
+    includeDeleted: options.includeDeleted
+  };
+  return callApi(config, PATHS.files, {
+    method: "GET",
+    query: {
+      folder: query.folder,
+      cursor: query.cursor,
+      limit: query.limit,
+      includeDeleted: query.includeDeleted
     }
   });
 }
+function filesList(config, options = {}) {
+  const fetchPage = (cursor) => filesListPage(config, options, cursor);
+  const iter = {
+    [Symbol.asyncIterator]: async function* () {
+      let cursor = options.cursor;
+      do {
+        const page2 = await fetchPage(cursor ?? void 0);
+        for (const f of page2.files) yield f;
+        cursor = page2.nextCursor;
+      } while (cursor);
+    }
+  };
+  return Object.assign(iter, { fetchPage });
+}
+async function filesGet(config, fileId) {
+  return callApi(config, PATHS.file(fileId), { method: "GET" });
+}
+async function filesDelete(config, fileId) {
+  return callApi(config, PATHS.file(fileId), { method: "DELETE" });
+}
+async function filesRestore(config, fileId) {
+  return callApi(config, PATHS.fileRestore(fileId), { method: "POST" });
+}
+async function filesSignedUrl(config, fileId, options = {}) {
+  const body = {
+    expiresIn: options.expiresIn,
+    disposition: options.disposition,
+    userId: options.userId
+  };
+  return callApi(config, PATHS.fileSignedUrl(fileId), {
+    method: "POST",
+    body
+  });
+}
+async function filesCopy(config, fileId, options) {
+  const body = {
+    folder: options.folder,
+    filename: options.filename,
+    visibility: options.visibility,
+    metadata: options.metadata
+  };
+  return callApi(config, PATHS.fileCopy(fileId), {
+    method: "POST",
+    body
+  });
+}
+async function filesVersionsList(config, fileId) {
+  const data = await callApi(config, PATHS.versions(fileId), {
+    method: "GET"
+  });
+  return data.versions;
+}
+async function filesVersionsRestore(config, fileId, versionId) {
+  return callApi(config, PATHS.versionRestore(fileId, versionId), { method: "POST" });
+}
+var storage = {
+  uploads: {
+    create: uploadsCreate,
+    abort: uploadsAbort
+  },
+  files: {
+    list: filesList,
+    get: filesGet,
+    delete: filesDelete,
+    restore: filesRestore,
+    signedUrl: filesSignedUrl,
+    copy: filesCopy,
+    versions: {
+      list: filesVersionsList,
+      restore: filesVersionsRestore
+    }
+  }
+};
 
 // src/lib/notifications/service-worker.ts
 function initPushServiceWorker(config = {}) {
@@ -8648,7 +8903,7 @@ function createTasksHandler(taskDefs, options = {}) {
         { status: 400 }
       );
     }
-    const signingSecret = options.signingSecret ?? process.env.SYLPHX_SIGNING_SECRET ?? process.env.SYLPHX_SECRET_KEY ?? "";
+    const signingSecret = options.signingSecret ?? process.env.SYLPHX_SIGNING_SECRET ?? "";
     if (signingSecret) {
       const signature = req.headers.get("x-sylphx-signature") ?? "";
       if (!signature) {
@@ -10706,7 +10961,6 @@ export {
   deleteCron,
   deleteDocument,
   deleteEnvVar,
-  deleteFile,
   deleteOrganization,
   deletePasskey,
   deletePermission,
@@ -10718,7 +10972,6 @@ export {
   disableDebug,
   disableTwoFactor,
   disconnectOAuthProvider,
-  downloadFileVersion,
   dpop,
   embed,
   enableDebug,
@@ -10751,14 +11004,13 @@ export {
   getErrorCode,
   getErrorMessage,
   getFacets,
-  getFileInfo,
-  getFileUrl,
   getFlagPayload,
   getFlags,
   getLeaderboard,
   getMemberPermissions,
   getMyReferralCode,
   getOidcDiscoveryDocument,
+  getOrgScopedToken,
   getOrganization,
   getOrganizationInvitations,
   getOrganizationMembers,
@@ -10779,7 +11031,6 @@ export {
   getSecrets,
   getSecurityScore,
   getSession,
-  getSignedUrl,
   getStreak,
   getSubscription,
   getTask,
@@ -10837,7 +11088,6 @@ export {
   leaveOrganization,
   linkAnonymousConsents,
   listEnvVars,
-  listFileVersions,
   listOAuthProviders,
   listPasskeys,
   listPermissions,
@@ -10885,8 +11135,6 @@ export {
   resetPassword,
   resetPlatformCookieCache,
   resetPlatformJwksCache,
-  restoreFile,
-  restoreFileVersion,
   resumeCron,
   revokeAllTokens,
   revokeOrganizationInvitation,
@@ -10908,8 +11156,8 @@ export {
   signIn,
   signOut,
   signUp,
-  softDeleteFile,
   startPasskeyRegistration,
+  storage,
   streamToString,
   submitScore,
   suspendUser,
@@ -10930,8 +11178,6 @@ export {
   updateUserMetadata,
   updateUserProfile,
   updateWebhookConfig,
-  uploadAvatar,
-  uploadFile,
   upsertDocument,
   user,
   userInfo,