npm - @tangle-network/sandbox - Versions diffs - 0.9.1-develop.20260624210934.e2730e8 → 0.9.2-develop.20260625093856.35d47c0 - Mend

@tangle-network/sandbox 0.9.1-develop.20260624210934.e2730e8 → 0.9.2-develop.20260625093856.35d47c0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/agent/index.js +1026 -1
package/dist/auth/index.js +273 -1
package/dist/client-BBZ7YLmq.js +2193 -0
package/dist/collaboration/index.js +2 -1
package/dist/collaboration-BxlfZ2Uh.js +201 -1
package/dist/core.js +4 -1
package/dist/errors-DZsfJUuc.js +262 -1
package/dist/index.js +1180 -1
package/dist/intelligence/index.js +225 -1
package/dist/openai/index.js +1760 -1
package/dist/sandbox-joKtQ5y3.js +4457 -0
package/dist/session-gateway/index.js +667 -1
package/dist/tangle/index.js +2 -1
package/dist/tangle-DM0o66lW.js +831 -0
package/package.json +4 -4
package/dist/client-DFXGfX9s.js +0 -1
package/dist/sandbox-CPwJYUuQ.js +0 -1
package/dist/tangle-KvorROxa.js +0 -1

package/dist/client-BBZ7YLmq.js ADDED Viewed

@@ -0,0 +1,2193 @@
+import { f as encodePromptForWire, l as exportTraceBundle, p as parseSSEStream, s as normalizeConnection, t as SandboxInstance } from "./sandbox-joKtQ5y3.js";
+import { d as ValidationError, f as parseErrorResponse, i as NotFoundError, r as NetworkError, t as AuthError, u as TimeoutError } from "./errors-DZsfJUuc.js";
+//#region src/resources.ts
+/**
+* Compute tiers, ordered smallest → largest. Defined HERE (not imported from
+* `@tangle-network/agent-interface`) so the SDK is self-contained: a consumer
+* that type-checks the SDK SOURCE never has to resolve a cross-package export
+* for the size vocabulary. `agent-interface` keeps its own identical copy for
+* `Capability.recommendedSize`; a platform test guards the two against drift.
+*/
+const SANDBOX_SIZE_PRESET_NAMES = [
+	"nano",
+	"small",
+	"medium",
+	"large"
+];
+/**
+* The concrete compute behind each {@link SandboxSizePreset} — the SINGLE source
+* of truth for what a tier means. `@tangle-network/agent-interface` owns the
+* tier NAMES (so the lowest layer can reference a size); this owns the numbers.
+*
+* Values stay within the sandbox-api default plan caps (8 vCPU / 16 GB / 100 GB)
+* and keep memory at or above the driver's firecracker-snapshot floor (1536 MB),
+* so a requested tier is never silently bumped. `diskGB` is in gigabytes;
+* `memoryMB` in megabytes. The server still clamps every request to the owner's
+* actual plan limits — these are the unclamped tier definitions, not guarantees.
+*/
+const SANDBOX_SIZE_PRESETS = {
+	nano: {
+		cpuCores: 1,
+		memoryMB: 2048,
+		diskGB: 5
+	},
+	small: {
+		cpuCores: 2,
+		memoryMB: 4096,
+		diskGB: 10
+	},
+	medium: {
+		cpuCores: 4,
+		memoryMB: 8192,
+		diskGB: 20
+	},
+	large: {
+		cpuCores: 8,
+		memoryMB: 16384,
+		diskGB: 50
+	}
+};
+/**
+* Default tier when a caller provisions without picking a size. The smallest
+* tier that comfortably runs an agent harness (opencode + a repo clone + a
+* build) — deliberately NOT a maxed box, so a thin task is cheap by default and
+* a heavy one opts up explicitly.
+*/
+const DEFAULT_SANDBOX_SIZE = "small";
+/** The resources for a named tier, as a fresh object (never the shared preset).
+*  Fails loud on an unknown key rather than spreading `undefined` into an empty
+*  resources object — a silent zero would send no compute request downstream. */
+function sandboxResourcesForSize(size) {
+	const preset = SANDBOX_SIZE_PRESETS[size];
+	if (!preset) throw new Error(`sandboxResourcesForSize: unknown size preset '${size}' (expected one of ${SANDBOX_SIZE_PRESET_NAMES.join(", ")})`);
+	return { ...preset };
+}
+/**
+* Resolve a caller's size intent to concrete {@link SandboxResources}. Raw
+* `resources` win (an explicit cpu/memory request is authoritative); else a
+* named `size` expands to its preset; else `undefined` (the caller applies its
+* own default). Raw and preset are intentionally exclusive at the schema layer —
+* if both arrive here, the explicit numbers take precedence rather than being
+* silently merged.
+*/
+function resolveSandboxResources(opts) {
+	if (opts.resources) return opts.resources;
+	if (opts.size) return sandboxResourcesForSize(opts.size);
+}
+function normalizeSandboxResources(resources, driver) {
+	const legacyAccelerator = driver?.gpuRequired || driver?.gpuType || driver?.gpuCount ? {
+		kind: driver.gpuType ?? "gpu",
+		count: driver.gpuCount ?? 1
+	} : void 0;
+	if (!legacyAccelerator) return resources;
+	return {
+		...resources,
+		accelerator: resources?.accelerator ?? legacyAccelerator
+	};
+}
+//#endregion
+//#region src/fleet.ts
+const FLEET_ID_META = "tangle.fleet.id";
+const MACHINE_ID_META = "tangle.fleet.machine_id";
+const MACHINE_ROLE_META = "tangle.fleet.machine_role";
+const FLEET_CREATED_BY_META = "tangle.fleet.created_by";
+const WORKSPACE_MODE_META = "tangle.fleet.workspace.mode";
+const WORKSPACE_ID_META = "tangle.fleet.workspace.id";
+const WORKSPACE_QUOTA_META = "tangle.fleet.workspace.quota_mb";
+const WORKSPACE_MOUNT_META = "tangle.fleet.workspace.mount_path";
+const RESERVED_METADATA_PREFIX = "tangle.";
+const DEFAULT_MACHINE_LIFETIME_SECONDS = 3600;
+const DEFAULT_MAX_CONCURRENT_CREATES = 4;
+const MAX_CONCURRENT_ARTIFACT_READS = 8;
+const DEFAULT_ARTIFACT_ROOT = "/workspace";
+const DEFAULT_MAX_ARTIFACT_BYTES = 25 * 1024 * 1024;
+const MAX_MACHINE_ID_LENGTH = 64;
+const machineIdPattern = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;
+function createFleetId() {
+	const crypto = globalThis.crypto;
+	if (crypto?.randomUUID) return `fleet_${crypto.randomUUID().replaceAll("-", "").slice(0, 24)}`;
+	if (crypto?.getRandomValues) {
+		const bytes = crypto.getRandomValues(new Uint8Array(12));
+		return `fleet_${Array.from(bytes, (byte) => byte.toString(16).padStart(2, "0")).join("")}`;
+	}
+	throw new ValidationError("Fleet id generation requires global crypto");
+}
+function assertSafeId(value, label) {
+	if (value.length === 0 || value.length > MAX_MACHINE_ID_LENGTH || !machineIdPattern.test(value)) throw new ValidationError(`${label} must be 1-${MAX_MACHINE_ID_LENGTH} characters and contain only letters, numbers, '.', '_' or '-'`, { [label]: "invalid" });
+}
+function assertUniqueMachineIds(machines) {
+	const seen = /* @__PURE__ */ new Set();
+	for (const machine of machines) {
+		assertSafeId(machine.machineId, "machineId");
+		if (seen.has(machine.machineId)) throw new ValidationError(`Duplicate machineId '${machine.machineId}' in fleet create request`, { machineId: "duplicate" });
+		seen.add(machine.machineId);
+	}
+}
+function assertNoReservedMetadata(metadata, label) {
+	if (!metadata) return;
+	const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX));
+	if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" });
+}
+function mergeCreateOptions(defaults, machine) {
+	const { machineId: _machineId, metadata: _metadata, name: _name, role: _role, ...rest } = machine;
+	const backend = defaults?.backend || machine.backend ? {
+		...defaults?.backend,
+		...machine.backend,
+		type: machine.backend?.type ?? defaults?.backend?.type ?? "opencode",
+		model: {
+			...defaults?.backend?.model,
+			...machine.backend?.model
+		}
+	} : void 0;
+	const driver = machine.driver ?? defaults?.driver;
+	return {
+		...defaults,
+		...rest,
+		resources: normalizeSandboxResources({
+			...defaults?.resources,
+			...machine.resources
+		}, driver),
+		env: {
+			...defaults?.env,
+			...machine.env
+		},
+		backend,
+		driver
+	};
+}
+function assertPolicy(machines, defaults, policy) {
+	const maxMachines = policy?.maxMachines ?? machines.length;
+	if (!Number.isInteger(maxMachines) || maxMachines <= 0) throw new ValidationError("policy.maxMachines must be a positive integer");
+	if (machines.length > maxMachines) throw new ValidationError(`Fleet create requested ${machines.length} machines but policy.maxMachines is ${maxMachines}`, { "policy.maxMachines": "exceeded" });
+	if (policy?.maxConcurrentCreates !== void 0 && (!Number.isInteger(policy.maxConcurrentCreates) || policy.maxConcurrentCreates <= 0)) throw new ValidationError("policy.maxConcurrentCreates must be a positive integer", { "policy.maxConcurrentCreates": "invalid" });
+	if (policy?.maxSpendUsd !== void 0 && (!Number.isFinite(policy.maxSpendUsd) || policy.maxSpendUsd < 0)) throw new ValidationError("policy.maxSpendUsd must be non-negative", { "policy.maxSpendUsd": "invalid" });
+	let totalCpu = 0;
+	let totalMemoryMb = 0;
+	let totalStorageMb = 0;
+	let totalAccelerators = 0;
+	for (const machine of machines) {
+		const resources = mergeCreateOptions(defaults, machine).resources;
+		totalCpu += resources?.cpuCores ?? 0;
+		totalMemoryMb += resources?.memoryMB ?? 0;
+		totalStorageMb += resources?.diskGB ? resources.diskGB * 1024 : 0;
+		totalAccelerators += resources?.accelerator?.count ?? (resources?.accelerator ? 1 : 0);
+	}
+	if (policy?.maxTotalCpu !== void 0 && totalCpu > policy.maxTotalCpu) throw new ValidationError(`Fleet create requested ${totalCpu} CPU cores but policy.maxTotalCpu is ${policy.maxTotalCpu}`, { "policy.maxTotalCpu": "exceeded" });
+	if (policy?.maxTotalMemoryMb !== void 0 && totalMemoryMb > policy.maxTotalMemoryMb) throw new ValidationError(`Fleet create requested ${totalMemoryMb} MB RAM but policy.maxTotalMemoryMb is ${policy.maxTotalMemoryMb}`, { "policy.maxTotalMemoryMb": "exceeded" });
+	if (policy?.maxTotalStorageMb !== void 0 && totalStorageMb > policy.maxTotalStorageMb) throw new ValidationError(`Fleet create requested ${totalStorageMb} MB storage but policy.maxTotalStorageMb is ${policy.maxTotalStorageMb}`, { "policy.maxTotalStorageMb": "exceeded" });
+	if (policy?.maxTotalAccelerators !== void 0 && totalAccelerators > policy.maxTotalAccelerators) throw new ValidationError(`Fleet create requested ${totalAccelerators} accelerator devices but policy.maxTotalAccelerators is ${policy.maxTotalAccelerators}`, { "policy.maxTotalAccelerators": "exceeded" });
+	const maxLifetimeSeconds = Math.max(...machines.map((machine) => mergeCreateOptions(defaults, machine).maxLifetimeSeconds ?? DEFAULT_MACHINE_LIFETIME_SECONDS));
+	if (policy?.maxLifetimeSeconds !== void 0 && maxLifetimeSeconds > policy.maxLifetimeSeconds) throw new ValidationError(`Fleet create requested ${maxLifetimeSeconds}s max lifetime but policy.maxLifetimeSeconds is ${policy.maxLifetimeSeconds}`, { "policy.maxLifetimeSeconds": "exceeded" });
+	for (const machine of machines) {
+		const options = mergeCreateOptions(defaults, machine);
+		assertMachineDescriptorPolicy(machine.machineId, options, policy);
+	}
+}
+function assertMachineDescriptorPolicy(machineId, options, policy) {
+	if (!policy) return;
+	const driverType = options.driver?.type;
+	if (policy.allowedDrivers && driverType && !policy.allowedDrivers.includes(driverType)) throw new ValidationError(`Fleet machine '${machineId}' requested driver '${driverType}' outside policy.allowedDrivers`, { "policy.allowedDrivers": "exceeded" });
+	const image = options.environment ?? options.image;
+	if (policy.allowedImages && image && !policy.allowedImages.includes(image)) throw new ValidationError(`Fleet machine '${machineId}' requested image '${image}' outside policy.allowedImages`, { "policy.allowedImages": "exceeded" });
+	const templateId = options.templateId ?? options.publicTemplateId;
+	if (policy.allowedTemplateIds && templateId && !policy.allowedTemplateIds.includes(templateId)) throw new ValidationError(`Fleet machine '${machineId}' requested template '${templateId}' outside policy.allowedTemplateIds`, { "policy.allowedTemplateIds": "exceeded" });
+	if (policy.allowAccelerators === false && (options.resources?.accelerator?.count ?? (options.resources?.accelerator ? 1 : 0)) > 0) throw new ValidationError(`Fleet machine '${machineId}' requested accelerators but policy.allowAccelerators is false`, { "policy.allowAccelerators": "exceeded" });
+}
+function calculateResourceTotals(machines, defaults) {
+	let totalCpu = 0;
+	let totalMemoryMb = 0;
+	let totalStorageMb = 0;
+	let totalAccelerators = 0;
+	let maxLifetimeSeconds = 0;
+	for (const machine of machines) {
+		const options = mergeCreateOptions(defaults, machine);
+		const resources = options.resources;
+		totalCpu += resources?.cpuCores ?? 0;
+		totalMemoryMb += resources?.memoryMB ?? 0;
+		totalStorageMb += resources?.diskGB ? resources.diskGB * 1024 : 0;
+		totalAccelerators += resources?.accelerator?.count ?? (resources?.accelerator ? 1 : 0);
+		maxLifetimeSeconds = Math.max(maxLifetimeSeconds, options.maxLifetimeSeconds ?? DEFAULT_MACHINE_LIFETIME_SECONDS);
+	}
+	return {
+		machines: machines.length,
+		totalCpu,
+		totalMemoryMb,
+		totalStorageMb,
+		totalAccelerators,
+		maxLifetimeSeconds
+	};
+}
+function workspaceMetadata(workspace) {
+	return {
+		[WORKSPACE_MODE_META]: workspace?.mode ?? "isolated",
+		...workspace?.id ? { [WORKSPACE_ID_META]: workspace.id } : {},
+		...workspace?.quotaMb ? { [WORKSPACE_QUOTA_META]: workspace.quotaMb } : {},
+		...workspace?.mountPath ? { [WORKSPACE_MOUNT_META]: workspace.mountPath } : {}
+	};
+}
+function resolveMaxConcurrentCreates(value) {
+	const resolved = value ?? DEFAULT_MAX_CONCURRENT_CREATES;
+	if (!Number.isInteger(resolved) || resolved <= 0) throw new ValidationError("maxConcurrentCreates must be a positive integer");
+	return resolved;
+}
+function getMachineId(info) {
+	const value = info.metadata?.[MACHINE_ID_META];
+	return typeof value === "string" && value.length > 0 ? value : null;
+}
+function getFleetId(info) {
+	const value = info.metadata?.[FLEET_ID_META];
+	return typeof value === "string" && value.length > 0 ? value : null;
+}
+function dispatchResultsPath(fleetId, dispatchId, options) {
+	const params = new URLSearchParams();
+	if (options?.cursor) params.set("cursor", options.cursor);
+	if (options?.limit !== void 0) params.set("limit", String(options.limit));
+	for (const machine of options?.machines ?? []) params.append("machine", machine);
+	const query = params.toString();
+	const path = `/v1/fleets/${fleetId}/dispatch/${encodeURIComponent(dispatchId)}/results`;
+	return query ? `${path}?${query}` : path;
+}
+function execDispatchBody(command, options) {
+	return {
+		type: "exec",
+		command,
+		cwd: options?.cwd,
+		env: options?.env,
+		timeoutMs: options?.timeoutMs,
+		machines: options?.machines,
+		maxConcurrent: options?.maxConcurrent,
+		retry: options?.retry,
+		dispatchId: options?.dispatchId,
+		bufferResults: options?.bufferResults
+	};
+}
+function promptDispatchBody(message, options) {
+	return {
+		type: "prompt",
+		parts: encodePromptForWire(message),
+		sessionId: options?.sessionId,
+		model: options?.model,
+		backend: options?.backend,
+		context: options?.context,
+		timeoutMs: options?.timeoutMs,
+		machines: options?.machines,
+		maxConcurrent: options?.maxConcurrent,
+		retry: options?.retry,
+		dispatchId: options?.dispatchId,
+		bufferResults: options?.bufferResults
+	};
+}
+var SandboxFleet = class {
+	constructor(client, fleetId, machines) {
+		this.client = client;
+		this.fleetId = fleetId;
+		this.machines = machines;
+	}
+	get ids() {
+		return [...this.machines.keys()];
+	}
+	get(machineId) {
+		const machine = this.machines.get(machineId);
+		if (!machine) throw new ValidationError(`Unknown fleet machine '${machineId}'`);
+		return machine;
+	}
+	sandbox(machineId) {
+		return this.requireSandbox(machineId);
+	}
+	async collectArtifacts(artifacts) {
+		return mapConcurrent(artifacts, Math.min(MAX_CONCURRENT_ARTIFACT_READS, artifacts.length || 1), async (artifact) => {
+			assertArtifactPath(artifact.path);
+			const machine = this.get(artifact.machineId);
+			const content = await (await this.requireSandbox(artifact.machineId)).read(artifact.path);
+			assertArtifactSize(content, artifact);
+			return {
+				...artifact,
+				sandboxId: machine.id,
+				content
+			};
+		});
+	}
+	async exec(machineId, command, options) {
+		const [result] = await this.dispatchExec(command, {
+			...options,
+			machines: [machineId]
+		});
+		if (result?.ok && result.result) return result.result;
+		if (result?.error) throw new Error(result.error.message);
+		throw new Error(`Fleet exec produced no result for machine '${machineId}'`);
+	}
+	async dispatchExec(command, options) {
+		return (await this.dispatchExecDetailed(command, options)).results;
+	}
+	async dispatchExecDetailed(command, options) {
+		const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, {
+			method: "POST",
+			body: JSON.stringify(execDispatchBody(command, options))
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async prompt(machineId, message, options) {
+		const [result] = await this.dispatchPrompt(message, {
+			...options,
+			machines: [machineId]
+		});
+		if (result?.prompt) return result.prompt;
+		if (result?.error) throw new Error(result.error.message);
+		throw new Error(`Fleet prompt produced no result for machine '${machineId}'`);
+	}
+	async dispatchPrompt(message, options) {
+		return (await this.dispatchPromptDetailed(message, options)).results;
+	}
+	async dispatchPromptDetailed(message, options) {
+		const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, {
+			method: "POST",
+			body: JSON.stringify(promptDispatchBody(message, options))
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	manifest() {
+		return this.client.fleets.manifest(this.fleetId);
+	}
+	attachMachine(machine) {
+		return this.client.fleets.attachMachine(this.fleetId, machine);
+	}
+	detachMachine(machineId) {
+		return this.client.fleets.detachMachine(this.fleetId, machineId);
+	}
+	dispatchResults(dispatchId, options) {
+		return this.client.fleets.dispatchResults(this.fleetId, dispatchId, options);
+	}
+	cancelDispatch(dispatchId, reason) {
+		return this.client.fleets.cancelDispatch(this.fleetId, dispatchId, reason);
+	}
+	createWorkspaceSnapshot() {
+		return this.client.fleets.createWorkspaceSnapshot(this.fleetId);
+	}
+	restoreWorkspaceSnapshot(snapshotId) {
+		return this.client.fleets.restoreWorkspaceSnapshot(this.fleetId, snapshotId);
+	}
+	reconcileWorkspace() {
+		return this.client.fleets.reconcileWorkspace(this.fleetId);
+	}
+	dispatchExecStream(command, options) {
+		return this.client.fleets.dispatchExecStream(this.fleetId, command, options);
+	}
+	dispatchPromptStream(message, options) {
+		return this.client.fleets.dispatchPromptStream(this.fleetId, message, options);
+	}
+	async delete(options) {
+		const errors = [];
+		await Promise.all([...this.machines.values()].map(async (machine) => {
+			const box = await this.client.get(machine.id);
+			if (!box) return;
+			try {
+				await box.delete();
+			} catch (err) {
+				errors.push(err instanceof Error ? err : new Error(String(err)));
+			}
+		}));
+		await this.client.fleets.deleteRecord(this.fleetId);
+		if (errors.length > 0) {
+			if (!options?.continueOnError) throw errors[0];
+		}
+	}
+	async usage() {
+		const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/usage`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async trace(options = {}) {
+		return this.client.fleets.trace(this.fleetId, options);
+	}
+	async intelligence() {
+		const intelligence = (await this.trace({ includeIntelligence: true })).intelligence;
+		if (!intelligence) throw new Error("Fleet intelligence was not returned");
+		return intelligence;
+	}
+	async createIntelligenceReport(options = {}) {
+		const { dispatchId, window, compareTo, ...rest } = options;
+		return this.client.intelligence.createReport({
+			subject: {
+				type: "fleet",
+				id: this.fleetId,
+				dispatchId,
+				window,
+				compareTo
+			},
+			...rest
+		});
+	}
+	async createAgenticIntelligenceReport(options) {
+		return this.createIntelligenceReport({
+			mode: "agentic",
+			budget: {
+				billTo: "customer",
+				maxUsd: options.maxUsd
+			},
+			metadata: options.metadata,
+			dispatchId: options.dispatchId,
+			window: options.window,
+			compareTo: options.compareTo
+		});
+	}
+	async exportTrace(sink) {
+		return exportTraceBundle(await this.trace(), sink);
+	}
+	async cost() {
+		return this.client.fleets.cost(this.fleetId);
+	}
+	async createToken(options) {
+		return this.client.fleets.createToken(this.fleetId, options);
+	}
+	async requireSandbox(machineId) {
+		const machine = this.get(machineId);
+		const box = await this.client.get(machine.id);
+		if (!box) throw new ValidationError(`Fleet machine '${machineId}' no longer exists`, { machineId: "not_found" });
+		return box;
+	}
+};
+var SandboxFleetClient = class {
+	constructor(client) {
+		this.client = client;
+	}
+	async capabilities() {
+		const response = await this.client.fetch("/v1/fleets/capabilities");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async operations() {
+		const response = await this.client.fetch("/v1/fleets/operations");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async reconcile(options) {
+		const response = await this.client.fetch("/v1/fleets/reconcile", {
+			method: "POST",
+			body: JSON.stringify(options ?? {})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async estimateCost(options) {
+		if (options.machines.length === 0) throw new ValidationError("Fleet cost estimate requires at least one machine");
+		assertUniqueMachineIds(options.machines);
+		assertPolicy(options.machines, options.defaults, options.policy);
+		const response = await this.client.fetch("/v1/fleets/estimate", {
+			method: "POST",
+			body: JSON.stringify({
+				machineCount: options.machines.length,
+				policy: options.policy,
+				resources: calculateResourceTotals(options.machines, options.defaults),
+				maxConcurrentCreates: options.maxConcurrentCreates
+			})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).estimate;
+	}
+	async create(options) {
+		const fleetId = options.fleetId ?? createFleetId();
+		assertSafeId(fleetId, "fleetId");
+		if (options.machines.length === 0) throw new ValidationError("Fleet create requires at least one machine");
+		assertUniqueMachineIds(options.machines);
+		assertNoReservedMetadata(options.metadata, "Fleet");
+		for (const machine of options.machines) assertNoReservedMetadata(machine.metadata, `Fleet machine '${machine.machineId}'`);
+		assertPolicy(options.machines, options.defaults, options.policy);
+		const maxConcurrentCreates = resolveMaxConcurrentCreates(options.maxConcurrentCreates);
+		if (options.policy?.maxConcurrentCreates !== void 0 && maxConcurrentCreates > options.policy.maxConcurrentCreates) throw new ValidationError(`Fleet create requested ${maxConcurrentCreates} concurrent creates but policy.maxConcurrentCreates is ${options.policy.maxConcurrentCreates}`, { "policy.maxConcurrentCreates": "exceeded" });
+		if (options.policy?.maxSpendUsd !== void 0) {
+			const estimate = await this.estimateCost({
+				defaults: options.defaults,
+				machines: options.machines,
+				policy: options.policy,
+				maxConcurrentCreates
+			});
+			if (estimate.estimatedMaxLifetimeUsd > options.policy.maxSpendUsd) throw new ValidationError(`Fleet estimated max lifetime cost $${estimate.estimatedMaxLifetimeUsd} exceeds policy.maxSpendUsd $${options.policy.maxSpendUsd}`, { "policy.maxSpendUsd": "exceeded" });
+		}
+		const created = [];
+		try {
+			for (let i = 0; i < options.machines.length; i += maxConcurrentCreates) {
+				const batch = options.machines.slice(i, i + maxConcurrentCreates);
+				const results = await Promise.allSettled(batch.map((machine) => this.createMachine(fleetId, machine, options)));
+				const rejected = results.find((result) => result.status === "rejected");
+				for (const result of results) if (result.status === "fulfilled") created.push(result.value);
+				if (rejected) throw rejected.reason;
+			}
+		} catch (err) {
+			if (options.cleanupOnFailure !== false) await Promise.allSettled(created.map(async (machine) => {
+				await (await this.client.get(machine.sandbox.id))?.delete();
+			}));
+			throw err;
+		}
+		try {
+			await this.persistFleet(fleetId, created, options);
+		} catch (err) {
+			if (options.cleanupOnFailure !== false) await Promise.allSettled(created.map(async (machine) => {
+				await (await this.client.get(machine.sandbox.id))?.delete();
+			}));
+			throw err;
+		}
+		return this.fromInfo({
+			fleetId,
+			machines: created
+		});
+	}
+	async createWithCoordinator(options) {
+		const { coordinator: coordinatorOptions, workers, ...createOptions } = options;
+		const coordinator = {
+			...coordinatorOptions,
+			machineId: coordinatorOptions?.machineId ?? "coordinator",
+			role: "coordinator"
+		};
+		return this.create({
+			...createOptions,
+			machines: [coordinator, ...workers.map((worker) => ({
+				...worker,
+				role: worker.role ?? "worker"
+			}))]
+		});
+	}
+	async createMachine(fleetId, machine, options) {
+		const merged = mergeCreateOptions(options.defaults, machine);
+		const sandbox = await this.client.create({
+			...merged,
+			name: machine.name ?? `${fleetId}-${machine.machineId}`,
+			maxLifetimeSeconds: merged.maxLifetimeSeconds ?? DEFAULT_MACHINE_LIFETIME_SECONDS,
+			metadata: {
+				...options.metadata,
+				...machine.metadata,
+				[FLEET_ID_META]: fleetId,
+				[MACHINE_ID_META]: machine.machineId,
+				[MACHINE_ROLE_META]: machine.role ?? "worker",
+				[FLEET_CREATED_BY_META]: "@tangle-network/sandbox",
+				...workspaceMetadata(options.workspace)
+			}
+		});
+		return {
+			machineId: machine.machineId,
+			sandbox: sandbox.toJSON(),
+			role: machine.role
+		};
+	}
+	async list(options) {
+		assertSafeId(options.fleetId, "fleetId");
+		const serverFleet = await this.getServerFleet(options.fleetId);
+		if (serverFleet) return this.fromInfo(await this.hydrateServerFleet(serverFleet, options));
+		return this.listBySandboxMetadata(options);
+	}
+	async delete(fleetId, options) {
+		await (await this.list({
+			...options,
+			fleetId
+		})).delete({ continueOnError: options?.continueOnError });
+	}
+	fromInfo(info) {
+		const machines = /* @__PURE__ */ new Map();
+		for (const machine of info.machines) machines.set(machine.machineId, machine.sandbox);
+		return new SandboxFleet(this.client, info.fleetId, machines);
+	}
+	async persistFleet(fleetId, machines, options) {
+		const response = await this.client.fetch("/v1/fleets", {
+			method: "POST",
+			headers: { "Idempotency-Key": options.idempotencyKey ?? fleetId },
+			body: JSON.stringify({
+				id: fleetId,
+				metadata: {
+					...options.metadata,
+					...workspaceMetadata(options.workspace)
+				},
+				workspace: options.workspace,
+				policy: options.policy,
+				resources: calculateResourceTotals(options.machines, options.defaults),
+				maxConcurrentCreates: options.maxConcurrentCreates,
+				machines: machines.map((machine) => ({
+					machineId: machine.machineId,
+					sandboxId: machine.sandbox.id,
+					status: machine.sandbox.status,
+					role: machine.role,
+					...getMachineDescriptor(options, machine.machineId)
+				}))
+			})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async getServerFleet(fleetId) {
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}`);
+		if (response.status === 404) return null;
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).fleet ?? null;
+	}
+	async deleteRecord(fleetId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}`, { method: "DELETE" });
+		if (response.status === 404) return;
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async usage(fleetId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/usage`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async trace(fleetId, options = {}) {
+		assertSafeId(fleetId, "fleetId");
+		const query = new URLSearchParams();
+		if (options.includeIntelligence === true) query.set("includeIntelligence", "true");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/trace${query.size ? `?${query}` : ""}`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async intelligence(fleetId) {
+		const intelligence = (await this.trace(fleetId, { includeIntelligence: true })).intelligence;
+		if (!intelligence) throw new Error("Fleet intelligence was not returned");
+		return intelligence;
+	}
+	async createIntelligenceReport(fleetId, options = {}) {
+		return this.client.intelligence.createReport({
+			subject: {
+				type: "fleet",
+				id: fleetId
+			},
+			...options
+		});
+	}
+	async createAgenticIntelligenceReport(fleetId, options) {
+		return this.createIntelligenceReport(fleetId, {
+			mode: "agentic",
+			budget: {
+				billTo: "customer",
+				maxUsd: options.maxUsd
+			},
+			metadata: options.metadata
+		});
+	}
+	async exportTrace(fleetId, sink) {
+		return exportTraceBundle(await this.trace(fleetId), sink);
+	}
+	async cost(fleetId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/cost`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).estimate;
+	}
+	async createToken(fleetId, options) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/token`, {
+			method: "POST",
+			body: JSON.stringify(options ?? {})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async manifest(fleetId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/manifest`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async attachMachine(fleetId, machine) {
+		assertSafeId(fleetId, "fleetId");
+		assertSafeId(machine.machineId, "machineId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/machines`, {
+			method: "POST",
+			body: JSON.stringify(machine)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).machine;
+	}
+	async detachMachine(fleetId, machineId) {
+		assertSafeId(fleetId, "fleetId");
+		assertSafeId(machineId, "machineId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/machines/${encodeURIComponent(machineId)}`, { method: "DELETE" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async dispatchResults(fleetId, dispatchId, options) {
+		assertSafeId(fleetId, "fleetId");
+		assertSafeId(dispatchId, "dispatchId");
+		const response = await this.client.fetch(dispatchResultsPath(fleetId, dispatchId, options));
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async cancelDispatch(fleetId, dispatchId, reason) {
+		assertSafeId(fleetId, "fleetId");
+		assertSafeId(dispatchId, "dispatchId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/dispatch/${encodeURIComponent(dispatchId)}/cancel`, {
+			method: "POST",
+			body: JSON.stringify(reason ? { reason } : {})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async createWorkspaceSnapshot(fleetId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/workspace/snapshots`, { method: "POST" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async restoreWorkspaceSnapshot(fleetId, snapshotId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/workspace/snapshots/${encodeURIComponent(snapshotId)}/restore`, { method: "POST" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async reconcileWorkspace(fleetId) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/workspace/reconcile`, { method: "POST" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async *dispatchExecStream(fleetId, command, options) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/dispatch/stream`, {
+			method: "POST",
+			headers: { Accept: "text/event-stream" },
+			signal: options?.signal,
+			body: JSON.stringify(execDispatchBody(command, options))
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		yield* parseSSEStream(response.body, { signal: options?.signal });
+	}
+	async *dispatchPromptStream(fleetId, message, options) {
+		assertSafeId(fleetId, "fleetId");
+		const response = await this.client.fetch(`/v1/fleets/${fleetId}/dispatch/stream`, {
+			method: "POST",
+			headers: { Accept: "text/event-stream" },
+			signal: options?.signal,
+			body: JSON.stringify(promptDispatchBody(message, options))
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		yield* parseSSEStream(response.body, { signal: options?.signal });
+	}
+	async reapExpired(options) {
+		const response = await this.client.fetch("/v1/fleets/reap-expired", {
+			method: "POST",
+			body: JSON.stringify(options ?? {})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async hydrateServerFleet(fleet, options) {
+		const machines = await Promise.all(fleet.machines.map(async (machine) => {
+			const box = await this.client.get(machine.sandboxId);
+			if (!box) throw new ValidationError(`Fleet machine '${machine.machineId}' points at missing sandbox '${machine.sandboxId}'`, { machineId: "missing_sandbox" });
+			return {
+				machineId: machine.machineId,
+				sandbox: box.toJSON(),
+				role: machine.role
+			};
+		}));
+		const filtered = options.status ? machines.filter((machine) => machine.sandbox.status === options.status) : machines;
+		return {
+			fleetId: fleet.id,
+			machines: filtered
+		};
+	}
+	async listBySandboxMetadata(options) {
+		const machines = (await this.client.list(options)).map((box) => box.toJSON()).filter((info) => getFleetId(info) === options.fleetId).flatMap((info) => {
+			const machineId = getMachineId(info);
+			return machineId ? [{
+				machineId,
+				sandbox: info,
+				role: getMachineRole(info)
+			}] : [];
+		});
+		return this.fromInfo({
+			fleetId: options.fleetId,
+			machines
+		});
+	}
+};
+function getMachineDescriptor(options, machineId) {
+	const spec = options.machines.find((machine) => machine.machineId === machineId);
+	if (!spec) return {};
+	const merged = mergeCreateOptions(options.defaults, spec);
+	return {
+		driverType: merged.driver?.type,
+		image: merged.image,
+		environment: merged.environment,
+		templateId: merged.templateId,
+		publicTemplateId: merged.publicTemplateId,
+		acceleratorCount: merged.resources?.accelerator?.count ?? (merged.resources?.accelerator ? 1 : void 0)
+	};
+}
+async function mapConcurrent(items, concurrency, fn) {
+	const results = new Array(items.length);
+	let index = 0;
+	const workers = Array.from({ length: Math.min(concurrency, items.length) }, async () => {
+		while (index < items.length) {
+			const current = index;
+			index += 1;
+			const item = items[current];
+			if (item === void 0) throw new Error(`Missing fleet item at index ${current}`);
+			results[current] = await fn(item);
+		}
+	});
+	await Promise.all(workers);
+	return results;
+}
+function assertArtifactPath(path) {
+	if (path !== DEFAULT_ARTIFACT_ROOT && !path.startsWith(`${DEFAULT_ARTIFACT_ROOT}/`)) throw new ValidationError(`Fleet artifact path '${path}' must be under ${DEFAULT_ARTIFACT_ROOT}`, { path: "outside_workspace" });
+	if (path.includes("\0") || path.split("/").includes("..")) throw new ValidationError(`Fleet artifact path '${path}' must not contain traversal segments`, { path: "invalid" });
+}
+function assertArtifactSize(content, artifact) {
+	const maxBytes = artifact.maxBytes ?? DEFAULT_MAX_ARTIFACT_BYTES;
+	if (!Number.isFinite(maxBytes) || maxBytes <= 0) throw new ValidationError("artifact.maxBytes must be a positive number", { maxBytes: "invalid" });
+	if (new TextEncoder().encode(content).byteLength > maxBytes) throw new ValidationError(`Fleet artifact '${artifact.path}' exceeded ${maxBytes} bytes`, { path: "too_large" });
+}
+function getMachineRole(info) {
+	const value = info.metadata?.[MACHINE_ROLE_META];
+	return value === "coordinator" || value === "worker" ? value : void 0;
+}
+//#endregion
+//#region src/client.ts
+/**
+* Sandbox Client
+*
+* Main client class for interacting with the Sandbox API.
+*/
+const DEFAULT_TIMEOUT_MS = 3e4;
+/**
+* Default time budget for `create()` — the full create-and-reach-running
+* flow. Cold provisions (image pull + container create + sidecar boot)
+* routinely take ~25–40s, well past the generic 30s request timeout, so
+* the create POST and the poll-to-running ride this higher ceiling
+* instead. A POST that rides the deadline polls the box to `running`
+* rather than re-POSTing (the idempotency key already makes a re-POST
+* safe server-side, but polling is cheaper and avoids duplicate work).
+*/
+const DEFAULT_CREATE_TIMEOUT_MS = 12e4;
+/**
+* Extra grace the SDK's client-side batch deadline gets on top of
+* the server-side `timeoutMs`. The server's clock starts when the
+* HTTP request lands on the server; the SDK's `AbortSignal.timeout`
+* clock starts before the TCP handshake. Without a grace buffer,
+* the two deadlines line up almost exactly — and a batch that legitimately
+* runs to the full `timeoutMs` on the server will race the SDK
+* deadline firing as the final `batch.completed` SSE event is still
+* in transit, making the caller throw `AbortError` and drop the
+* result.
+*
+* The client deadline is purely a safety valve against hung
+* connections, not a batch correctness timer — the server enforces
+* the real `timeoutMs`. 30s is enough to cover TCP/TLS setup, the
+* server-side batch bookkeeping, and SSE teardown, while still
+* shutting down quickly on a truly hung stream.
+*/
+const CLIENT_DEADLINE_GRACE_MS = 3e4;
+function isLocalSandboxEndpoint(baseUrl) {
+	try {
+		const { hostname } = new URL(baseUrl);
+		return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+	} catch {
+		return false;
+	}
+}
+function generateIdempotencyKey() {
+	const c = globalThis.crypto;
+	if (c?.randomUUID) return c.randomUUID();
+	if (c?.getRandomValues) {
+		const bytes = c.getRandomValues(new Uint8Array(16));
+		return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+	}
+	throw new Error("idempotency key generation requires global crypto");
+}
+function withRequestContextHeaders(response, path, method) {
+	const headers = new Headers(response.headers);
+	headers.set("x-tangle-request-path", path);
+	if (method) headers.set("x-tangle-request-method", method);
+	return new Response(response.body, {
+		status: response.status,
+		statusText: response.statusText,
+		headers
+	});
+}
+async function resolveLocalCliAuthFiles(backendType) {
+	try {
+		const { discoverLocalCliAuthFiles } = await importLocalCliRegistry();
+		return discoverLocalCliAuthFiles(backendType);
+	} catch {
+		return discoverLocalCliAuthFilesFallback(backendType);
+	}
+}
+async function discoverLocalCliAuthFilesFallback(backendType) {
+	try {
+		const [{ existsSync, readFileSync }, { homedir }, { join }] = await Promise.all([
+			import("node:fs"),
+			import("node:os"),
+			import("node:path")
+		]);
+		const homeDir = homedir();
+		const authFiles = (backendType === "codex" ? [".codex/auth.json"] : [".claude/.credentials.json", ".claude/settings.json"]).flatMap((path) => {
+			const absolutePath = join(homeDir, path);
+			if (!existsSync(absolutePath)) return [];
+			return [{
+				path,
+				content: readFileSync(absolutePath, "utf8"),
+				mode: 384
+			}];
+		});
+		return authFiles.length ? authFiles : void 0;
+	} catch {
+		return;
+	}
+}
+async function describeLocalCliAuthExpectation(backendType) {
+	try {
+		return (await importLocalCliRegistry()).describeLocalCliAuthExpectation(backendType);
+	} catch {
+		return backendType === "codex" ? "~/.codex/auth.json" : "~/.claude/.credentials.json or ~/.claude/settings.json";
+	}
+}
+async function importLocalCliRegistry() {
+	return await import(
+		/* @vite-ignore */
+		["@tangle-network", "cli-agent-registry"].join("/")
+);
+}
+async function hydrateLocalCliBackendAuth(backend, baseUrl, trustLocalCliAuth) {
+	if (!backend) return void 0;
+	if (!isLocalSandboxEndpoint(baseUrl)) return backend;
+	if (backend.type !== "codex" && backend.type !== "claude-code") return backend;
+	if (backend.model?.authFiles?.length) return backend;
+	if (backend.model?.apiKey) return backend;
+	if (backend.model?.authMode === "api-key") return backend;
+	if (!trustLocalCliAuth) {
+		const cliName = backend.type === "codex" ? "codex" : "claude";
+		throw new AuthError(`Local ${backend.type} backend requested for ${baseUrl}, but the SDK will not read CLI credentials from the host home directory unless you opt in by constructing the client with \`new Sandbox({ ..., trustLocalCliAuth: true })\`. Only opt in when the localhost endpoint is one you control. Otherwise, pass \`backend.model.apiKey\` / \`backend.model.authFiles\` explicitly, or run \`${cliName} login\` inside the sandbox.`);
+	}
+	const authFiles = await resolveLocalCliAuthFiles(backend.type);
+	if (!authFiles?.length) {
+		const cliName = backend.type === "codex" ? "codex" : "claude";
+		const expectation = await describeLocalCliAuthExpectation(backend.type);
+		throw new AuthError(`Local ${backend.type} backend requested for ${baseUrl}, but no local CLI auth was found. Run \`${cliName} login\` on the host or provide backend.model.apiKey/authFiles explicitly. Expected auth under ${expectation}.`);
+	}
+	return {
+		...backend,
+		model: {
+			...backend.model,
+			authMode: backend.model?.authMode ?? "oauth",
+			authFiles
+		}
+	};
+}
+/**
+* Client for the Tangle Sandbox platform.
+*
+* @example
+* ```typescript
+* import { Sandbox } from "@tangle-network/sandbox";
+*
+* const client = new Sandbox({
+*   apiKey: "sk_sandbox_...",
+*   baseUrl: "https://your-sandbox-api.example.com",
+* });
+*
+* // Create a sandbox
+* const box = await client.create({
+*   name: "my-project",
+*   sshEnabled: true,
+* });
+*
+* // Execute commands
+* const result = await box.exec("npm install");
+*
+* // Clean up
+* await box.delete();
+* ```
+*/
+var SandboxClient = class {
+	baseUrl;
+	apiKey;
+	timeoutMs;
+	trustLocalCliAuth;
+	_secrets = null;
+	_sshKeys = null;
+	_fleets = null;
+	_intelligence = null;
+	constructor(config) {
+		if (!config.apiKey) throw new AuthError("API key is required");
+		if (!config.baseUrl) throw new ValidationError("Base URL is required");
+		this.baseUrl = config.baseUrl.replace(/\/$/, "");
+		this.apiKey = config.apiKey;
+		this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+		this.trustLocalCliAuth = config.trustLocalCliAuth === true;
+	}
+	/**
+	* Fleet operations for agent-managed groups of sandboxes.
+	*
+	* Fleets are an SDK-level convenience over the existing sandbox lifecycle
+	* API. Each worker is a normal sandbox tagged with stable fleet metadata,
+	* so older clients and dashboards can still inspect and delete them.
+	*/
+	get fleets() {
+		if (!this._fleets) this._fleets = new SandboxFleetClient(this);
+		return this._fleets;
+	}
+	get intelligence() {
+		if (!this._intelligence) this._intelligence = new IntelligenceClient(this);
+		return this._intelligence;
+	}
+	getApiKey() {
+		return this.apiKey;
+	}
+	/**
+	* Access the secrets manager for storing and retrieving encrypted secrets.
+	*
+	* @example
+	* ```typescript
+	* // Create a secret
+	* await client.secrets.create("HF_TOKEN", "hf_xxx");
+	*
+	* // List secrets (names only)
+	* const secrets = await client.secrets.list();
+	*
+	* // Get secret value
+	* const value = await client.secrets.get("HF_TOKEN");
+	*
+	* // Update secret
+	* await client.secrets.update("HF_TOKEN", "hf_new_value");
+	*
+	* // Delete secret
+	* await client.secrets.delete("HF_TOKEN");
+	* ```
+	*/
+	get secrets() {
+		if (!this._secrets) this._secrets = new SecretsManagerImpl(this);
+		return this._secrets;
+	}
+	get sshKeys() {
+		if (!this._sshKeys) this._sshKeys = new SshKeysManagerImpl(this);
+		return this._sshKeys;
+	}
+	_environments = null;
+	/**
+	* Access available development environments.
+	*
+	* @example
+	* ```typescript
+	* const envs = await client.environments.list();
+	* // → [{ id: "universal", description: "Universal environment with all toolchains via Nix", ... }]
+	*
+	* const sandbox = await client.create({ environment: "universal" });
+	* ```
+	*/
+	get environments() {
+		if (!this._environments) this._environments = new EnvironmentsClient(this);
+		return this._environments;
+	}
+	_teams = null;
+	_publicTemplates = null;
+	/**
+	* Access team management (collaboration groups, invitations,
+	* member roles). Teams scope shared sandboxes — pass `teamId` to
+	* `client.create()` to create a sandbox accessible to a team's
+	* members.
+	*
+	* @example
+	* ```typescript
+	* const teams = await client.teams.list();
+	* const invite = await client.teams.invite(teams[0].id, {
+	*   email: "alice@example.com",
+	*   role: "member",
+	* });
+	* ```
+	*/
+	get teams() {
+		if (!this._teams) this._teams = new TeamsClient(this);
+		return this._teams;
+	}
+	get publicTemplates() {
+		if (!this._publicTemplates) this._publicTemplates = new PublicTemplatesClient(this);
+		return this._publicTemplates;
+	}
+	/**
+	* Create a new sandbox.
+	*
+	* @param options - Configuration for the new sandbox
+	* @returns A SandboxInstance representing the created sandbox
+	*
+	* @example
+	* ```typescript
+	* const box = await client.create({
+	*   name: "my-project",
+	*   environment: "universal",
+	*   sshEnabled: true,
+	*   env: { NODE_ENV: "development" },
+	* });
+	* ```
+	*/
+	async create(options, requestOptions) {
+		const timeoutMs = requestOptions?.timeoutMs ?? DEFAULT_CREATE_TIMEOUT_MS;
+		const idempotencyKey = options?.idempotencyKey ?? generateIdempotencyKey();
+		const deadline = Date.now() + timeoutMs;
+		const git = options?.git ? {
+			url: options.git.url,
+			ref: options.git.ref,
+			depth: options.git.depth,
+			sparse: options.git.sparse,
+			auth: options.git.auth
+		} : void 0;
+		const resolvedEnvironment = options?.environment ?? options?.image;
+		const backend = await hydrateLocalCliBackendAuth(options?.backend, this.baseUrl, this.trustLocalCliAuth);
+		const resolvedBackend = backend ? {
+			...backend,
+			type: backend.type ?? "opencode"
+		} : void 0;
+		const resources = normalizeSandboxResources(options?.resources, options?.driver);
+		const postDeadline = AbortSignal.timeout(timeoutMs);
+		const postSignal = requestOptions?.signal ? AbortSignal.any([requestOptions.signal, postDeadline]) : postDeadline;
+		let response;
+		try {
+			response = await this.fetch("/v1/sandboxes", {
+				method: "POST",
+				headers: { "Idempotency-Key": idempotencyKey },
+				signal: postSignal,
+				body: JSON.stringify({
+					name: options?.name,
+					...resolvedEnvironment !== void 0 ? {
+						environment: resolvedEnvironment,
+						image: resolvedEnvironment
+					} : {},
+					git,
+					tools: options?.tools,
+					bare: options?.bare,
+					driver: options?.driver,
+					backend: resolvedBackend,
+					permissions: options?.permissions,
+					env: options?.env,
+					resources,
+					sshEnabled: options?.sshEnabled,
+					sshPublicKeys: options?.sshPublicKeys ?? (options?.sshPublicKey ? [options.sshPublicKey] : void 0),
+					sshKeyIds: options?.sshKeyIds,
+					webTerminalEnabled: options?.webTerminalEnabled,
+					maxLifetimeSeconds: options?.maxLifetimeSeconds,
+					idleTimeoutSeconds: options?.idleTimeoutSeconds,
+					storage: options?.storage,
+					fromSnapshot: options?.fromSnapshot,
+					fromSandboxId: options?.fromSandboxId,
+					templateId: options?.templateId,
+					publicTemplateId: options?.publicTemplateId,
+					publicTemplateVersionId: options?.publicTemplateVersionId,
+					secrets: options?.secrets,
+					confidential: options?.confidential,
+					metadata: options?.metadata,
+					teamId: options?.teamId,
+					capabilities: options?.capabilities,
+					privacy: options?.privacy,
+					egressPolicy: options?.egressPolicy,
+					idempotencyKey
+				})
+			});
+		} catch (err) {
+			if (requestOptions?.signal?.aborted) throw err;
+			if (err instanceof TimeoutError || err instanceof Error && (err.name === "AbortError" || err.name === "TimeoutError")) throw new TimeoutError(timeoutMs, `Sandbox create did not complete within ${timeoutMs}ms. The provision may still be running server-side; retry create() with idempotencyKey="${idempotencyKey}" to join it.`);
+			throw err;
+		}
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		const instance = new SandboxInstance(this, this.parseInfo(data), resolvedBackend);
+		if (instance.status === "provisioning" || instance.status === "pending") {
+			const remainingMs = Math.max(0, deadline - Date.now());
+			await instance.waitFor("running", {
+				timeoutMs: remainingMs,
+				signal: requestOptions?.signal
+			});
+		}
+		return instance;
+	}
+	/**
+	* Poll a sandbox to `running` by id. Surfaces a real provision failure
+	* as a {@link StateError} (carrying the sandbox's error message) rather
+	* than an opaque timeout, and throws {@link NotFoundError} if the id is
+	* unknown. Use after a {@link create} that timed out client-side but may
+	* have continued provisioning server-side under its idempotency key.
+	*/
+	async waitForRunning(id, options) {
+		const instance = await this.get(id);
+		if (!instance) throw new NotFoundError("Sandbox", id, {
+			endpoint: `/v1/sandboxes/${id}`,
+			origin: "sandbox-api"
+		});
+		await instance.waitFor("running", {
+			timeoutMs: options?.timeoutMs ?? DEFAULT_CREATE_TIMEOUT_MS,
+			signal: options?.signal
+		});
+		return instance;
+	}
+	/**
+	* List all sandboxes.
+	*
+	* @param options - Filtering and pagination options
+	* @returns Array of SandboxInstance objects
+	*
+	* @example
+	* ```typescript
+	* // List all running sandboxes
+	* const running = await client.list({ status: "running" });
+	*
+	* // List with pagination
+	* const page = await client.list({ limit: 10, offset: 0 });
+	* ```
+	*/
+	async list(options) {
+		const params = new URLSearchParams();
+		if (options?.status) {
+			const statuses = Array.isArray(options.status) ? options.status : [options.status];
+			for (const s of statuses) params.append("status", s);
+		}
+		if (options?.limit !== void 0) params.set("limit", String(options.limit));
+		if (options?.offset !== void 0) params.set("offset", String(options.offset));
+		if (options?.scope !== void 0) params.set("scope", options.scope);
+		const query = params.toString();
+		const path = query ? `/v1/sandboxes?${query}` : "/v1/sandboxes";
+		const response = await this.fetch(path);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		return (Array.isArray(data) ? data : data.sandboxes ?? []).map((item) => new SandboxInstance(this, this.parseInfo(item)));
+	}
+	/**
+	* Get a sandbox by ID.
+	*
+	* @param id - The sandbox ID
+	* @returns A SandboxInstance or null if not found
+	*
+	* @example
+	* ```typescript
+	* const box = await client.get("sandbox_abc123");
+	* if (box) {
+	*   console.log(box.status);
+	* }
+	* ```
+	*/
+	async get(id) {
+		const response = await this.fetch(`/v1/sandboxes/${encodeURIComponent(id)}`);
+		if (response.status === 404) return null;
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		return new SandboxInstance(this, this.parseInfo(data));
+	}
+	/**
+	* Get usage information for the account.
+	*
+	* @returns Usage statistics for the current billing period
+	*
+	* @example
+	* ```typescript
+	* const usage = await client.usage();
+	* console.log(`Active sandboxes: ${usage.activeSandboxes}`);
+	* console.log(`Compute minutes: ${usage.computeMinutes}`);
+	* ```
+	*/
+	async usage() {
+		const response = await this.fetch("/usage");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		return {
+			computeMinutes: data.computeMinutes ?? 0,
+			activeSandboxes: data.activeSandboxes ?? 0,
+			totalSandboxes: data.totalSandboxes ?? 0,
+			periodStart: new Date(data.periodStart),
+			periodEnd: new Date(data.periodEnd)
+		};
+	}
+	/**
+	* Get subscription and billing information for the account.
+	*
+	* @returns Subscription details including plan, credits, and limits
+	*
+	* @example
+	* ```typescript
+	* const sub = await client.subscription();
+	* console.log(`Plan: ${sub.plan}`);
+	* console.log(`Credits: $${sub.creditsAvailableUsd.toFixed(2)}`);
+	* ```
+	*/
+	async subscription() {
+		const response = await this.fetch("/subscription");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		return {
+			plan: data.plan ?? "free",
+			status: data.status ?? "active",
+			creditsAvailableUsd: data.creditsAvailableUsd ?? 0,
+			creditsUsedUsd: data.creditsUsedUsd ?? 0,
+			monthlyBalanceUsd: data.monthlyBalanceUsd ?? 0,
+			maxConcurrentSandboxes: data.maxConcurrentSandboxes ?? 0,
+			overageAllowed: data.overageAllowed ?? false,
+			limits: data.limits ?? {
+				maxCpuCores: 1,
+				maxRamGB: 2,
+				maxStorageGB: 50
+			},
+			currentPeriodEnd: data.currentPeriodEnd ?? 0
+		};
+	}
+	/**
+	* Check if the Sandbox API is available.
+	*
+	* @returns true if the API is healthy, false otherwise
+	*/
+	async health() {
+		try {
+			return (await this.fetch("/health")).ok;
+		} catch {
+			return false;
+		}
+	}
+	/**
+	* Check if CRIU checkpointing is available on the platform.
+	*
+	* CRIU enables memory preservation for true pause/resume and fork operations.
+	* It requires specific host configuration.
+	*
+	* @returns CRIU availability status
+	*
+	* @example
+	* ```typescript
+	* const status = await client.criuStatus();
+	* if (status.available) {
+	*   console.log(`CRIU ${status.criuVersion} available`);
+	* } else {
+	*   console.log(`CRIU not available: ${status.reason}`);
+	* }
+	* ```
+	*/
+	async criuStatus() {
+		const response = await this.fetch("/v1/system/criu-status");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	/**
+	* Run multiple tasks in parallel across sandboxes.
+	* Returns the aggregated results after all tasks complete.
+	*
+	* @param tasks - Array of tasks to execute
+	* @param options - Batch execution options
+	* @returns Aggregated batch results
+	*
+	* @throws {@link TimeoutError} if the server hasn't begun responding
+	*   before the deadline (pre-stream timeout).
+	* @throws {@link ValidationError} / {@link QuotaError} / other typed
+	*   SDK errors if the server rejects the request before streaming.
+	* @throws `DOMException` with `name === "AbortError"` if
+	*   `options.signal` fires OR the safety-valve deadline fires
+	*   AFTER streaming has begun — parseSSEStream can't distinguish
+	*   the source mid-stream. Callers that need to tell cancel from
+	*   timeout should check `options.signal?.aborted` in their catch.
+	* @throws `Error` with the server message if the stream emits a
+	*   `batch.failed` event.
+	*
+	* @example
+	* ```typescript
+	* const result = await client.runBatch([
+	*   { id: "task-1", message: "Analyze this file" },
+	*   { id: "task-2", message: "Generate a summary" },
+	* ]);
+	* console.log(`Success rate: ${result.successRate}%`);
+	* ```
+	*/
+	async runBatch(tasks, options) {
+		const results = [];
+		let totalRetries = 0;
+		for await (const event of this.streamBatch(tasks, options)) {
+			if (event.type === "task.completed") {
+				const data = event.data;
+				const usageTotal = (data.usage?.inputTokens ?? 0) + (data.usage?.outputTokens ?? 0);
+				results.push({
+					taskId: data.taskId,
+					success: true,
+					response: data.resultSummary ?? data.response,
+					durationMs: data.durationMs ?? 0,
+					retries: data.retries ?? 0,
+					tokensUsed: data.tokensUsed ?? (usageTotal > 0 ? usageTotal : void 0)
+				});
+				totalRetries += data.retries ?? 0;
+			}
+			if (event.type === "task.failed") {
+				const data = event.data;
+				results.push({
+					taskId: data.taskId,
+					success: false,
+					error: data.error,
+					durationMs: data.durationMs ?? 0,
+					retries: data.retries ?? 0
+				});
+				totalRetries += data.retries ?? 0;
+			}
+			if (event.type === "batch.failed") {
+				const data = event.data;
+				throw new Error(data.error ?? "Batch failed");
+			}
+		}
+		const succeeded = results.filter((r) => r.success).length;
+		const failed = results.filter((r) => !r.success).length;
+		return {
+			totalTasks: tasks.length,
+			succeeded,
+			failed,
+			totalRetries,
+			successRate: tasks.length > 0 ? succeeded / tasks.length * 100 : 0,
+			results
+		};
+	}
+	/**
+	* Stream events from a batch execution.
+	* Use this for real-time progress updates during batch processing.
+	*
+	* @param tasks - Array of tasks to execute
+	* @param options - Batch execution options
+	*
+	* @throws {@link TimeoutError} if the server hasn't begun responding
+	*   before the deadline (pre-stream timeout).
+	* @throws {@link ValidationError} / {@link QuotaError} / other typed
+	*   SDK errors if the server rejects the request before streaming.
+	* @throws `DOMException` with `name === "AbortError"` if
+	*   `options.signal` fires OR the safety-valve deadline fires
+	*   AFTER streaming has begun. Distinguish via
+	*   `options.signal?.aborted` in the consumer's catch.
+	*
+	* @example
+	* ```typescript
+	* for await (const event of client.streamBatch(tasks)) {
+	*   if (event.type === "task.completed") {
+	*     console.log(`Task ${event.data.taskId} completed`);
+	*   }
+	* }
+	* ```
+	*/
+	async *streamBatch(tasks, options) {
+		const url = `${this.baseUrl}/batch/run`;
+		const resolvedTimeoutMs = options?.timeoutMs ?? 3e5;
+		const requestBody = JSON.stringify({
+			tasks,
+			backend: options?.backend ? {
+				...options.backend,
+				type: options.backend.type ?? "opencode"
+			} : { type: "opencode" },
+			timeoutMs: resolvedTimeoutMs,
+			scalingMode: options?.scalingMode ?? "balanced",
+			persistent: options?.persistent ?? false,
+			graceMs: options?.graceMs ?? 0
+		});
+		const deadline = AbortSignal.timeout(resolvedTimeoutMs + CLIENT_DEADLINE_GRACE_MS);
+		const combinedSignal = options?.signal ? AbortSignal.any([options.signal, deadline]) : deadline;
+		let response;
+		try {
+			response = await globalThis.fetch(url, {
+				method: "POST",
+				headers: {
+					Authorization: `Bearer ${this.apiKey}`,
+					"Content-Type": "application/json",
+					Accept: "text/event-stream"
+				},
+				body: requestBody,
+				signal: combinedSignal
+			});
+		} catch (err) {
+			if (options?.signal?.aborted) throw err instanceof Error && err.name === "AbortError" ? err : new DOMException("Batch aborted", "AbortError");
+			if (err instanceof Error && (err.name === "AbortError" || err.name === "TimeoutError")) throw new TimeoutError(resolvedTimeoutMs, "Batch request timed out before the first SSE event");
+			throw new NetworkError(`Failed to connect to Sandbox API: ${err instanceof Error ? err.message : String(err)}`, err instanceof Error ? err : void 0, {
+				endpoint: "/batch/run",
+				origin: "sandbox-api"
+			});
+		}
+		if (!response.ok) {
+			const errBody = await response.text();
+			throw parseErrorResponse(response.status, errBody, void 0, response.headers);
+		}
+		yield* parseSSEStream(response.body, { signal: combinedSignal });
+	}
+	/**
+	* Make an authenticated HTTP request to the API.
+	* This is exposed for use by SandboxInstance.
+	*
+	* `fetchOptions.timeoutMs` overrides the client-wide `this.timeoutMs`
+	* for a single request. Slow data-plane operations (snapshot create
+	* blocks the server up to 600s while the host-agent compresses and
+	* uploads the rootfs) must pass a higher ceiling, otherwise the
+	* default client timeout aborts mid-operation with a `TimeoutError`
+	* even though the server is still working.
+	*/
+	async fetch(path, options, fetchOptions) {
+		const url = `${this.baseUrl}${path}`;
+		const requestTimeoutMs = typeof fetchOptions?.timeoutMs === "number" && fetchOptions.timeoutMs > 0 ? fetchOptions.timeoutMs : this.timeoutMs;
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+		try {
+			const headers = new Headers(options?.headers);
+			headers.set("Authorization", `Bearer ${this.apiKey}`);
+			const isFormDataBody = typeof FormData !== "undefined" && options?.body instanceof FormData;
+			if (!headers.has("Content-Type") && !isFormDataBody) headers.set("Content-Type", "application/json");
+			return withRequestContextHeaders(await globalThis.fetch(url, {
+				...options,
+				headers,
+				signal: options?.signal ?? controller.signal
+			}), path, options?.method);
+		} catch (err) {
+			if (err instanceof Error && err.name === "AbortError") throw new TimeoutError(requestTimeoutMs);
+			throw new NetworkError(`Failed to connect to Sandbox API: ${err instanceof Error ? err.message : String(err)}`, err instanceof Error ? err : void 0, {
+				endpoint: path,
+				origin: "sandbox-api"
+			});
+		} finally {
+			clearTimeout(timeoutId);
+		}
+	}
+	parseInfo(data) {
+		return {
+			id: data.id ?? "",
+			name: data.name,
+			status: data.status ?? "pending",
+			connection: normalizeConnection(data.connection),
+			metadata: data.metadata,
+			createdAt: data.createdAt ? new Date(data.createdAt) : /* @__PURE__ */ new Date(),
+			startedAt: data.startedAt ? new Date(data.startedAt) : void 0,
+			lastActivityAt: data.lastActivityAt ? new Date(data.lastActivityAt) : void 0,
+			expiresAt: data.expiresAt ? new Date(data.expiresAt) : void 0,
+			error: data.error
+		};
+	}
+	_tokenRefreshHandlers = /* @__PURE__ */ new Set();
+	/**
+	* Register a handler invoked when the SDK transparently refreshes a
+	* sandbox bearer after a 401 retry. Returns a function that
+	* unregisters the handler when called.
+	*/
+	onTokenRefresh(handler) {
+		this._tokenRefreshHandlers.add(handler);
+		return () => {
+			this._tokenRefreshHandlers.delete(handler);
+		};
+	}
+	/** @internal — fired by the runtime-fetch retry path after a successful
+	* refresh. Errors thrown by handlers are caught and surfaced as
+	* console warnings so one bad subscriber does not poison the rest. */
+	_emitTokenRefresh(sandboxId, newToken) {
+		for (const h of this._tokenRefreshHandlers) try {
+			h(sandboxId, newToken);
+		} catch (err) {
+			console.warn(`[sandbox-sdk] tokenRefresh handler threw: ${err instanceof Error ? err.message : String(err)}`);
+		}
+	}
+};
+var SecretsManagerImpl = class {
+	constructor(client) {
+		this.client = client;
+	}
+	async create(name, value) {
+		const response = await this.client.fetch("/v1/secrets", {
+			method: "POST",
+			body: JSON.stringify({
+				name,
+				value
+			})
+		});
+		if (response.status === 409) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		if (response.status === 400) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		return {
+			name: data.name,
+			createdAt: new Date(data.createdAt),
+			updatedAt: new Date(data.updatedAt)
+		};
+	}
+	async list() {
+		const response = await this.client.fetch("/v1/secrets");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return ((await response.json()).secrets ?? []).map((s) => ({
+			name: s.name,
+			createdAt: new Date(s.createdAt),
+			updatedAt: new Date(s.updatedAt)
+		}));
+	}
+	async get(name) {
+		const response = await this.client.fetch(`/v1/secrets/${encodeURIComponent(name)}`);
+		if (response.status === 404) throw new NotFoundError("Secret", name);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).value;
+	}
+	async update(name, value) {
+		const response = await this.client.fetch(`/v1/secrets/${encodeURIComponent(name)}`, {
+			method: "PATCH",
+			body: JSON.stringify({ value })
+		});
+		if (response.status === 404) throw new NotFoundError("Secret", name);
+		if (response.status === 400) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		const data = await response.json();
+		return {
+			name: data.name,
+			createdAt: new Date(data.createdAt),
+			updatedAt: new Date(data.updatedAt)
+		};
+	}
+	async delete(name) {
+		const response = await this.client.fetch(`/v1/secrets/${encodeURIComponent(name)}`, { method: "DELETE" });
+		if (response.status === 404) throw new NotFoundError("Secret", name);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+};
+var SshKeysManagerImpl = class {
+	constructor(client) {
+		this.client = client;
+	}
+	async create(name, publicKey) {
+		const response = await this.client.fetch("/v1/ssh-keys", {
+			method: "POST",
+			body: JSON.stringify({
+				name,
+				publicKey
+			})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return toSshKeyInfo((await response.json()).sshKey);
+	}
+	async list() {
+		const response = await this.client.fetch("/v1/ssh-keys");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return ((await response.json()).sshKeys ?? []).map(toSshKeyInfo);
+	}
+	async delete(id) {
+		const response = await this.client.fetch(`/v1/ssh-keys/${encodeURIComponent(id)}`, { method: "DELETE" });
+		if (response.status === 404) throw new NotFoundError("SSH key", id);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+};
+function toSshKeyInfo(key) {
+	return {
+		...key,
+		createdAt: new Date(key.createdAt),
+		updatedAt: new Date(key.updatedAt)
+	};
+}
+/**
+* Client for the Intelligence Reports API.
+*
+* Two analysis modes:
+*
+* - `deterministic` (default): free, rule-based platform analysis over
+*   the subject's trace evidence. Returns immediately.
+* - `agentic`: routes to the **Tangle Trace Analyst**, an LLM-driven
+*   reasoning loop that reads OTLP-shaped trace evidence and emits
+*   findings, evidence references, recommended actions, and a
+*   validation plan. Billed against `budget.maxUsd`; the platform
+*   never spends past the budget the caller sets.
+*
+* Subjects: `sandbox` or `fleet`. A fleet subject can be narrowed to
+* a single coordinated command via `subject.dispatchId`.
+*/
+var IntelligenceClient = class {
+	constructor(client) {
+		this.client = client;
+	}
+	/**
+	* Create an intelligence report over the given subject.
+	*
+	* Use `mode: "agentic"` to engage the **Tangle Trace Analyst** with a
+	* spending budget. The budget is enforced server-side before billing
+	* fires — a request whose computed cost exceeds `budget.maxUsd`
+	* returns 402 without charging the customer.
+	*/
+	async createReport(options) {
+		const response = await this.client.fetch("/v1/intelligence/reports", {
+			method: "POST",
+			body: JSON.stringify(options)
+		});
+		const body = await response.text();
+		if (!response.ok) throw parseErrorResponse(response.status, body, void 0, response.headers);
+		return JSON.parse(body).report;
+	}
+	async createAgenticReport(options) {
+		return this.createReport({
+			subject: options.subject,
+			mode: "agentic",
+			budget: {
+				billTo: "customer",
+				maxUsd: options.maxUsd
+			},
+			metadata: options.metadata
+		});
+	}
+	/**
+	* Estimate the cost of a prospective report without creating one.
+	* Verifies subject ownership the same way `createReport` does, so it
+	* never becomes an existence oracle for foreign subjects.
+	*/
+	async estimateReport(options) {
+		const response = await this.client.fetch("/v1/intelligence/reports/estimate", {
+			method: "POST",
+			body: JSON.stringify(options)
+		});
+		const body = await response.text();
+		if (!response.ok) throw parseErrorResponse(response.status, body, void 0, response.headers);
+		return JSON.parse(body).estimate;
+	}
+	async getReport(jobId) {
+		const response = await this.client.fetch(`/v1/intelligence/reports/${encodeURIComponent(jobId)}`);
+		const body = await response.text();
+		if (!response.ok) throw parseErrorResponse(response.status, body, void 0, response.headers);
+		return JSON.parse(body).report;
+	}
+	async listReports(options = {}) {
+		const query = new URLSearchParams();
+		if (options.subjectType) query.set("subjectType", options.subjectType);
+		if (options.subjectId) query.set("subjectId", options.subjectId);
+		if (options.limit !== void 0) query.set("limit", String(options.limit));
+		const suffix = query.size > 0 ? `?${query}` : "";
+		const response = await this.client.fetch(`/v1/intelligence/reports${suffix}`);
+		const body = await response.text();
+		if (!response.ok) throw parseErrorResponse(response.status, body, void 0, response.headers);
+		return JSON.parse(body).reports;
+	}
+	async waitForReport(jobId, options = {}) {
+		const deadline = Date.now() + (options.timeoutMs ?? 6e4);
+		const pollMs = options.pollMs ?? 1e3;
+		while (true) {
+			const report = await this.getReport(jobId);
+			if (report.status === "completed" || report.status === "failed") return report;
+			if (Date.now() >= deadline) throw new TimeoutError(options.timeoutMs ?? 6e4);
+			await new Promise((resolve) => setTimeout(resolve, Math.min(pollMs, Math.max(0, deadline - Date.now()))));
+		}
+	}
+};
+/**
+* Client for browsing available development environments.
+*/
+var EnvironmentsClient = class {
+	constructor(client) {
+		this.client = client;
+	}
+	/**
+	* List available development environments.
+	*
+	* @returns Array of available environments with metadata
+	*
+	* @example
+	* ```typescript
+	* const envs = await client.environments.list();
+	* for (const env of envs) {
+	*   console.log(`${env.id}: ${env.description}`);
+	* }
+	* ```
+	*/
+	async list() {
+		const response = await this.client.fetch("/v1/environments");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).environments ?? [];
+	}
+	/**
+	* Get details for a specific environment.
+	*
+	* @param id - Environment identifier (e.g., "universal")
+	*/
+	async get(id) {
+		return (await this.list()).find((e) => e.id === id) ?? null;
+	}
+};
+var PublicTemplatesClient = class {
+	constructor(client) {
+		this.client = client;
+	}
+	async list(options) {
+		const params = new URLSearchParams();
+		if (options?.query) params.set("q", options.query);
+		if (options?.tag) params.set("tag", options.tag);
+		if (options?.featuredOnly) params.set("featured", "true");
+		if (options?.limit !== void 0) params.set("limit", String(options.limit));
+		if (options?.offset !== void 0) params.set("offset", String(options.offset));
+		const suffix = params.toString();
+		const response = await this.client.fetch(`/v1/public-templates${suffix ? `?${suffix}` : ""}`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).templates ?? [];
+	}
+	async featured() {
+		const response = await this.client.fetch("/v1/public-templates/featured");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).templates ?? [];
+	}
+	async get(idOrSlug) {
+		const response = await this.client.fetch(`/v1/public-templates/${encodeURIComponent(idOrSlug)}`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).template;
+	}
+	async versions(idOrSlug) {
+		const response = await this.client.fetch(`/v1/public-templates/${encodeURIComponent(idOrSlug)}/versions`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).versions ?? [];
+	}
+	async publish(options) {
+		const response = await this.client.fetch("/v1/public-templates", {
+			method: "POST",
+			body: JSON.stringify(options)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).template;
+	}
+	async publishVersion(idOrSlug, options) {
+		const response = await this.client.fetch(`/v1/public-templates/${encodeURIComponent(idOrSlug)}/versions`, {
+			method: "POST",
+			body: JSON.stringify(options)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).version;
+	}
+};
+/**
+* Client for managing teams and team-scoped sharing.
+*
+* Team resources are scoped to the authenticated user's membership —
+* the client never needs to pass an org id explicitly.
+*/
+var TeamsClient = class {
+	constructor(client) {
+		this.client = client;
+	}
+	async list() {
+		const response = await this.client.fetch("/v1/teams");
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).teams ?? [];
+	}
+	async create(options) {
+		const response = await this.client.fetch("/v1/teams", {
+			method: "POST",
+			body: JSON.stringify(options)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).team;
+	}
+	async get(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).team;
+	}
+	async update(teamId, updates) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}`, {
+			method: "PATCH",
+			body: JSON.stringify(updates)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).team;
+	}
+	async delete(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}`, { method: "DELETE" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async leave(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/leave`, { method: "POST" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async transferOwnership(teamId, newOwnerCustomerId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/transfer`, {
+			method: "POST",
+			body: JSON.stringify({ newOwnerCustomerId })
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async listMembers(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/members`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).members ?? [];
+	}
+	async updateMember(teamId, memberId, updates) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/members/${encodeURIComponent(memberId)}`, {
+			method: "PATCH",
+			body: JSON.stringify(updates)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).member;
+	}
+	async removeMember(teamId, memberId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/members/${encodeURIComponent(memberId)}`, { method: "DELETE" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async listInvitations(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/invitations`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).invitations ?? [];
+	}
+	async invite(teamId, options) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/invitations`, {
+			method: "POST",
+			body: JSON.stringify(options)
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).invitation;
+	}
+	async revokeInvitation(invitationId) {
+		const response = await this.client.fetch(`/v1/teams/invitations/${encodeURIComponent(invitationId)}`, { method: "DELETE" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async acceptInvitation(token) {
+		const response = await this.client.fetch(`/v1/teams/invitations/${encodeURIComponent(token)}/accept`, { method: "POST" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).member;
+	}
+	async getInvitation(token) {
+		const response = await this.client.fetch(`/v1/teams/invitations/${encodeURIComponent(token)}`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).invitation;
+	}
+	async listSecrets(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/secrets`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).secrets ?? [];
+	}
+	async upsertSecret(teamId, name, value) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/secrets/${encodeURIComponent(name)}`, {
+			method: "PUT",
+			body: JSON.stringify({ value })
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).secret;
+	}
+	async deleteSecret(teamId, name) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/secrets/${encodeURIComponent(name)}`, { method: "DELETE" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+	async revealSecret(teamId, name) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/secrets/${encodeURIComponent(name)}/reveal`, { method: "POST" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return await response.json();
+	}
+	async listTemplates(teamId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/templates`);
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).templates ?? [];
+	}
+	async createTemplate(teamId, options) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/templates`, {
+			method: "POST",
+			body: JSON.stringify({
+				name: options.name,
+				snapshotId: options.snapshotId,
+				description: options.description,
+				environment: options.environment,
+				config: options.config
+			})
+		});
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+		return (await response.json()).template;
+	}
+	async deleteTemplate(teamId, templateId) {
+		const response = await this.client.fetch(`/v1/teams/${encodeURIComponent(teamId)}/templates/${encodeURIComponent(templateId)}`, { method: "DELETE" });
+		if (!response.ok) {
+			const body = await response.text();
+			throw parseErrorResponse(response.status, body, void 0, response.headers);
+		}
+	}
+};
+//#endregion
+export { DEFAULT_SANDBOX_SIZE as a, resolveSandboxResources as c, SandboxFleetClient as i, sandboxResourcesForSize as l, SandboxClient as n, SANDBOX_SIZE_PRESETS as o, SandboxFleet as r, SANDBOX_SIZE_PRESET_NAMES as s, IntelligenceClient as t };