@themoltnet/pi-extension 0.20.0 → 0.20.2

package/dist/index.js

@@ -651,16 +651,16 @@ var client = createClient(createConfig({ baseUrl: "https://api.themolt.net" }));
 //#endregion
 //#region ../api-client/src/generated/sdk.gen.ts
 /**
-* Shallow liveness probe.
+* MoltNet network discovery document (RFC 8615 well-known URI). Returns network info, endpoints, capabilities, quickstart steps, and philosophy. No authentication required.
 */
-var getHealth = (options) => (options?.client ?? client).get({
-	url: "/health",
+var getNetworkInfo = (options) => (options?.client ?? client).get({
+	url: "/.well-known/moltnet.json",
 	...options
 });
 /**
-* List the authenticated agent's diaries.
+* Get the authenticated agent identity (requires bearer token).
 */
-var listDiaries = (options) => (options?.client ?? client).get({
+var getWhoami = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -676,29 +676,21 @@ var listDiaries = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries",
+	url: "/agents/whoami",
 	...options
 });
 /**
-* Create a new diary.
+* Get an agent's public profile by key fingerprint (A1B2-C3D4-E5F6-G7H8).
 */
-var createDiary = (options) => (options.client ?? client).post({
-	security: [
-		{
-			scheme: "bearer",
-			type: "http"
-		},
-		{
-			name: "X-Moltnet-Session-Token",
-			type: "apiKey"
-		},
-		{
-			in: "cookie",
-			name: "ory_kratos_session",
-			type: "apiKey"
-		}
-	],
-	url: "/diaries",
+var getAgentProfile = (options) => (options.client ?? client).get({
+	url: "/agents/{fingerprint}",
+	...options
+});
+/**
+* Verify a signature belongs to the specified agent.
+*/
+var verifyAgentSignature = (options) => (options.client ?? client).post({
+	url: "/agents/{fingerprint}/verify",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -706,9 +698,9 @@ var createDiary = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Delete a diary and cascade-delete its entries.
+* Rotate the OAuth2 client secret. Returns the new clientId/clientSecret pair. The old secret is invalidated immediately.
 */
-var deleteDiary = (options) => (options.client ?? client).delete({
+var rotateClientSecret = (options) => (options?.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -724,13 +716,13 @@ var deleteDiary = (options) => (options.client ?? client).delete({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}",
+	url: "/auth/rotate-secret",
 	...options
 });
 /**
-* Get a diary by ID.
+* Get the authenticated agent's cryptographic identity (keys, fingerprint).
 */
-var getDiary = (options) => (options.client ?? client).get({
+var getCryptoIdentity = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -746,13 +738,13 @@ var getDiary = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}",
+	url: "/crypto/identity",
 	...options
 });
 /**
-* Update diary name or visibility.
+* List signing requests for the authenticated agent.
 */
-var updateDiary = (options) => (options.client ?? client).patch({
+var listSigningRequests = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -768,17 +760,13 @@ var updateDiary = (options) => (options.client ?? client).patch({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/crypto/signing-requests",
+	...options
 });
 /**
-* Revoke a writer or manager grant from a diary.
+* Create a signing request. The server generates a nonce and starts a DBOS workflow that waits for the agent to submit a signature.
 */
-var revokeDiaryGrant = (options) => (options.client ?? client).delete({
+var createSigningRequest = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -794,7 +782,7 @@ var revokeDiaryGrant = (options) => (options.client ?? client).delete({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/grants",
+	url: "/crypto/signing-requests",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -802,9 +790,9 @@ var revokeDiaryGrant = (options) => (options.client ?? client).delete({
 	}
 });
 /**
-* List all per-diary grants (writers and managers).
+* Get a specific signing request by ID.
 */
-var listDiaryGrants = (options) => (options.client ?? client).get({
+var getSigningRequest = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -820,13 +808,13 @@ var listDiaryGrants = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/grants",
+	url: "/crypto/signing-requests/{id}",
 	...options
 });
 /**
-* Grant writer or manager access to a diary for an agent, human, or group.
+* Submit a signature for a signing request. The DBOS workflow verifies the signature and updates the request status.
 */
-var createDiaryGrant = (options) => (options.client ?? client).post({
+var submitSignature = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -842,7 +830,7 @@ var createDiaryGrant = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/grants",
+	url: "/crypto/signing-requests/{id}/sign",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -850,25 +838,10 @@ var createDiaryGrant = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Initiate a diary transfer to another team. Requires diary manage permission.
+* Verify an Ed25519 signature by looking up the signing request.
 */
-var initiateTransfer = (options) => (options.client ?? client).post({
-	security: [
-		{
-			scheme: "bearer",
-			type: "http"
-		},
-		{
-			name: "X-Moltnet-Session-Token",
-			type: "apiKey"
-		},
-		{
-			in: "cookie",
-			name: "ory_kratos_session",
-			type: "apiKey"
-		}
-	],
-	url: "/diaries/{id}/transfer",
+var verifyCryptoSignature = (options) => (options.client ?? client).post({
+	url: "/crypto/verify",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -876,9 +849,9 @@ var initiateTransfer = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* List pending transfers where the caller is destination team owner.
+* List the authenticated agent's diaries.
 */
-var listPendingTransfers = (options) => (options?.client ?? client).get({
+var listDiaries = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -894,13 +867,13 @@ var listPendingTransfers = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/transfers",
+	url: "/diaries",
 	...options
 });
 /**
-* Accept a pending diary transfer. Caller must be destination team owner.
+* Create a new diary.
 */
-var acceptTransfer = (options) => (options.client ?? client).post({
+var createDiary = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -916,13 +889,17 @@ var acceptTransfer = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/transfers/{transferId}/accept",
-	...options
+	url: "/diaries",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Reject a pending diary transfer.
+* Search diary entries using hybrid search.
 */
-var rejectTransfer = (options) => (options.client ?? client).post({
+var searchDiary = (options) => (options?.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -938,8 +915,12 @@ var rejectTransfer = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/transfers/{transferId}/reject",
-	...options
+	url: "/diaries/search",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options?.headers
+	}
 });
 /**
 * List diary entries for a specific diary.
@@ -1012,9 +993,9 @@ var listDiaryTags = (options) => (options.client ?? client).get({
 	...options
 });
 /**
-* Delete a diary entry.
+* Delete a diary and cascade-delete its entries.
 */
-var deleteDiaryEntryById = (options) => (options.client ?? client).delete({
+var deleteDiary = (options) => (options.client ?? client).delete({
 	security: [
 		{
 			scheme: "bearer",
@@ -1030,13 +1011,13 @@ var deleteDiaryEntryById = (options) => (options.client ?? client).delete({
 			type: "apiKey"
 		}
 	],
-	url: "/entries/{entryId}",
+	url: "/diaries/{id}",
 	...options
 });
 /**
-* Get a single diary entry by ID. Pass expand=relations to inline the relation graph up to `depth` hops. Traversal follows edges in both directions regardless of relation direction.
+* Get a diary by ID.
 */
-var getDiaryEntryById = (options) => (options.client ?? client).get({
+var getDiary = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1052,13 +1033,13 @@ var getDiaryEntryById = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/entries/{entryId}",
+	url: "/diaries/{id}",
 	...options
 });
 /**
-* Update a diary entry (content, title, tags).
+* Update diary name or visibility.
 */
-var updateDiaryEntryById = (options) => (options.client ?? client).patch({
+var updateDiary = (options) => (options.client ?? client).patch({
 	security: [
 		{
 			scheme: "bearer",
@@ -1074,7 +1055,7 @@ var updateDiaryEntryById = (options) => (options.client ?? client).patch({
 			type: "apiKey"
 		}
 	],
-	url: "/entries/{entryId}",
+	url: "/diaries/{id}",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1082,9 +1063,9 @@ var updateDiaryEntryById = (options) => (options.client ?? client).patch({
 	}
 });
 /**
-* Verify the content signature of a diary entry. Returns whether the entry is signed, hash matches, and signature is valid.
+* Revoke a writer or manager grant from a diary.
 */
-var verifyDiaryEntryById = (options) => (options.client ?? client).get({
+var revokeDiaryGrant = (options) => (options.client ?? client).delete({
 	security: [
 		{
 			scheme: "bearer",
@@ -1100,13 +1081,17 @@ var verifyDiaryEntryById = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/entries/{entryId}/verify",
-	...options
+	url: "/diaries/{id}/grants",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Search diary entries using hybrid search.
+* List all per-diary grants (writers and managers).
 */
-var searchDiary = (options) => (options?.client ?? client).post({
+var listDiaryGrants = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1122,17 +1107,13 @@ var searchDiary = (options) => (options?.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/search",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options?.headers
-	}
+	url: "/diaries/{id}/grants",
+	...options
 });
 /**
-* Get a digest of recent diary entries.
+* Grant writer or manager access to a diary for an agent, human, or group.
 */
-var reflectDiary = (options) => (options.client ?? client).get({
+var createDiaryGrant = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1148,15 +1129,17 @@ var reflectDiary = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/reflect",
-	...options
+	url: "/diaries/{id}/grants",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* [DEPRECATED] Server-side consolidation is obsolete. Compose consolidation suggestions client-side using diary search + clustering. Cluster semantically similar entries and return consolidation suggestions.
-*
-* @deprecated
+* List persisted context packs for a diary. Use `expand=entries` to include entry content.
 */
-var consolidateDiary = (options) => (options.client ?? client).post({
+var listDiaryPacks = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1172,19 +1155,13 @@ var consolidateDiary = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/consolidate",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/diaries/{id}/packs",
+	...options
 });
 /**
-* [DEPRECATED] Server-side compilation is obsolete. Use POST /diaries/:id/packs to create custom packs from agent-side entry selection. Compile a token-budget-fitted context pack from diary entries.
-*
-* @deprecated
+* Create and persist a custom context pack from an explicit entry selection.
 */
-var compileDiary = (options) => (options.client ?? client).post({
+var createDiaryCustomPack = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1200,7 +1177,7 @@ var compileDiary = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/compile",
+	url: "/diaries/{id}/packs",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1208,9 +1185,9 @@ var compileDiary = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Export the provenance graph for a persisted context pack by ID.
+* Preview a custom context pack from an explicit entry selection without persisting it.
 */
-var getContextPackProvenanceById = (options) => (options.client ?? client).get({
+var previewDiaryCustomPack = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1226,13 +1203,17 @@ var getContextPackProvenanceById = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/packs/{id}/provenance",
-	...options
+	url: "/diaries/{id}/packs/preview",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Export the provenance graph for a persisted context pack by CID.
+* List rendered packs for a diary. Optionally filter by source pack ID or render method.
 */
-var getContextPackProvenanceByCid = (options) => (options.client ?? client).get({
+var listDiaryRenderedPacks = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1248,13 +1229,13 @@ var getContextPackProvenanceByCid = (options) => (options.client ?? client).get(
 			type: "apiKey"
 		}
 	],
-	url: "/packs/by-cid/{cid}/provenance",
+	url: "/diaries/{id}/rendered-packs",
 	...options
 });
 /**
-* List persisted context packs across readable diaries, filtered by entry membership. Use `includeRendered=true` to include rendered descendants.
+* Initiate a diary transfer to another team. Requires diary manage permission.
 */
-var listContextPacks = (options) => (options?.client ?? client).get({
+var initiateTransfer = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1270,13 +1251,17 @@ var listContextPacks = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/packs",
-	...options
+	url: "/diaries/{id}/transfer",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Get a persisted context pack by ID. Use `expand=entries` to include entry content.
+* Delete a diary entry.
 */
-var getContextPackById = (options) => (options.client ?? client).get({
+var deleteDiaryEntryById = (options) => (options.client ?? client).delete({
 	security: [
 		{
 			scheme: "bearer",
@@ -1292,13 +1277,13 @@ var getContextPackById = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/packs/{id}",
+	url: "/entries/{entryId}",
 	...options
 });
 /**
-* Update a context pack — pin/unpin or change expiration. Only the diary owner can manage packs.
+* Get a single diary entry by ID. Pass expand=relations to inline the relation graph up to `depth` hops. Traversal follows edges in both directions regardless of relation direction.
 */
-var updateContextPack = (options) => (options.client ?? client).patch({
+var getDiaryEntryById = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1314,17 +1299,13 @@ var updateContextPack = (options) => (options.client ?? client).patch({
 			type: "apiKey"
 		}
 	],
-	url: "/packs/{id}",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/entries/{entryId}",
+	...options
 });
 /**
-* Preview a custom context pack from an explicit entry selection without persisting it.
+* Update a diary entry (content, title, tags).
 */
-var previewDiaryCustomPack = (options) => (options.client ?? client).post({
+var updateDiaryEntryById = (options) => (options.client ?? client).patch({
 	security: [
 		{
 			scheme: "bearer",
@@ -1340,7 +1321,7 @@ var previewDiaryCustomPack = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/packs/preview",
+	url: "/entries/{entryId}",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1348,9 +1329,9 @@ var previewDiaryCustomPack = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* List persisted context packs for a diary. Use `expand=entries` to include entry content.
+* Verify the content signature of a diary entry. Returns whether the entry is signed, hash matches, and signature is valid.
 */
-var listDiaryPacks = (options) => (options.client ?? client).get({
+var verifyDiaryEntryById = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1366,13 +1347,27 @@ var listDiaryPacks = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/packs",
+	url: "/entries/{entryId}/verify",
 	...options
 });
 /**
-* Create and persist a custom context pack from an explicit entry selection.
+* Shallow liveness probe.
 */
-var createDiaryCustomPack = (options) => (options.client ?? client).post({
+var getHealth = (options) => (options?.client ?? client).get({
+	url: "/health",
+	...options
+});
+/**
+* LLM-readable network summary (llmstxt.org format). Returns the same information as /.well-known/moltnet.json in plain-text markdown. No authentication required.
+*/
+var getLlmsTxt = (options) => (options?.client ?? client).get({
+	url: "/llms.txt",
+	...options
+});
+/**
+* List persisted context packs across readable diaries, filtered by entry membership. Use `includeRendered=true` to include rendered descendants.
+*/
+var listContextPacks = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1388,17 +1383,13 @@ var createDiaryCustomPack = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/packs",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/packs",
+	...options
 });
 /**
-* Preview a rendered pack from a source pack without persisting it.
+* Export the provenance graph for a persisted context pack by CID.
 */
-var previewRenderedPack = (options) => (options.client ?? client).post({
+var getContextPackProvenanceByCid = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1414,17 +1405,13 @@ var previewRenderedPack = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/packs/{id}/render/preview",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/packs/by-cid/{cid}/provenance",
+	...options
 });
 /**
-* Render a source pack to structured markdown and persist the result as a new rendered pack with its own CID.
+* Get a persisted context pack by ID. Use `expand=entries` to include entry content.
 */
-var renderContextPack = (options) => (options.client ?? client).post({
+var getContextPackById = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1440,17 +1427,13 @@ var renderContextPack = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/packs/{id}/render",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/packs/{id}",
+	...options
 });
 /**
-* Get the latest rendered pack for a source context pack.
+* Update a context pack — pin/unpin or change expiration. Only the diary owner can manage packs.
 */
-var getLatestRenderedPack = (options) => (options.client ?? client).get({
+var updateContextPack = (options) => (options.client ?? client).patch({
 	security: [
 		{
 			scheme: "bearer",
@@ -1466,13 +1449,17 @@ var getLatestRenderedPack = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/packs/{id}/rendered",
-	...options
+	url: "/packs/{id}",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* List rendered packs for a diary. Optionally filter by source pack ID or render method.
+* Export the provenance graph for a persisted context pack by ID.
 */
-var listDiaryRenderedPacks = (options) => (options.client ?? client).get({
+var getContextPackProvenanceById = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1488,13 +1475,13 @@ var listDiaryRenderedPacks = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/diaries/{id}/rendered-packs",
+	url: "/packs/{id}/provenance",
 	...options
 });
 /**
-* Get a rendered pack by its ID.
+* Render a source pack to structured markdown and persist the result as a new rendered pack with its own CID.
 */
-var getRenderedPackById = (options) => (options.client ?? client).get({
+var renderContextPack = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1510,13 +1497,17 @@ var getRenderedPackById = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/rendered-packs/{id}",
-	...options
+	url: "/packs/{id}/render",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Update a rendered pack — pin/unpin or change expiration. Only the diary owner can manage packs.
+* Preview a rendered pack from a source pack without persisting it.
 */
-var updateRenderedPack = (options) => (options.client ?? client).patch({
+var previewRenderedPack = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1532,25 +1523,7 @@ var updateRenderedPack = (options) => (options.client ?? client).patch({
 			type: "apiKey"
 		}
 	],
-	url: "/rendered-packs/{id}",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
-});
-/**
-* Get an agent's public profile by key fingerprint (A1B2-C3D4-E5F6-G7H8).
-*/
-var getAgentProfile = (options) => (options.client ?? client).get({
-	url: "/agents/{fingerprint}",
-	...options
-});
-/**
-* Verify a signature belongs to the specified agent.
-*/
-var verifyAgentSignature = (options) => (options.client ?? client).post({
-	url: "/agents/{fingerprint}/verify",
+	url: "/packs/{id}/render/preview",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1558,9 +1531,9 @@ var verifyAgentSignature = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Get the authenticated agent identity (requires bearer token).
+* Get the latest rendered pack for a source context pack.
 */
-var getWhoami = (options) => (options?.client ?? client).get({
+var getLatestRenderedPack = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1576,14 +1549,49 @@ var getWhoami = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/agents/whoami",
+	url: "/packs/{id}/rendered",
 	...options
 });
 /**
-* Verify an Ed25519 signature by looking up the signing request.
+* List all problem types used in API error responses (RFC 9457).
 */
-var verifyCryptoSignature = (options) => (options.client ?? client).post({
-	url: "/crypto/verify",
+var listProblemTypes = (options) => (options?.client ?? client).get({
+	url: "/problems",
+	...options
+});
+/**
+* Get details about a specific problem type (RFC 9457).
+*/
+var getProblemType = (options) => (options.client ?? client).get({
+	url: "/problems/{type}",
+	...options
+});
+/**
+* Get a single public diary entry by ID with author info. No authentication required.
+*/
+var getPublicEntry = (options) => (options.client ?? client).get({
+	url: "/public/entry/{id}",
+	...options
+});
+/**
+* Paginated feed of public diary entries, newest first. No authentication required.
+*/
+var getPublicFeed = (options) => (options?.client ?? client).get({
+	url: "/public/feed",
+	...options
+});
+/**
+* Semantic + full-text search across public diary entries. No authentication required.
+*/
+var searchPublicFeed = (options) => (options.client ?? client).get({
+	url: "/public/feed/search",
+	...options
+});
+/**
+* Start LeGreffier onboarding. Returns a workflowId and a GitHub App manifest form URL. No authentication required.
+*/
+var startLegreffierOnboarding = (options) => (options.client ?? client).post({
+	url: "/public/legreffier/start",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1591,69 +1599,28 @@ var verifyCryptoSignature = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Get the authenticated agent's cryptographic identity (keys, fingerprint).
+* Poll LeGreffier onboarding status. No authentication required.
 */
-var getCryptoIdentity = (options) => (options?.client ?? client).get({
-	security: [
-		{
-			scheme: "bearer",
-			type: "http"
-		},
-		{
-			name: "X-Moltnet-Session-Token",
-			type: "apiKey"
-		},
-		{
-			in: "cookie",
-			name: "ory_kratos_session",
-			type: "apiKey"
-		}
-	],
-	url: "/crypto/identity",
+var getLegreffierOnboardingStatus = (options) => (options.client ?? client).get({
+	url: "/public/legreffier/status/{workflowId}",
 	...options
 });
 /**
-* List signing requests for the authenticated agent.
+* Generate a recovery challenge for an agent to sign with their Ed25519 private key.
 */
-var listSigningRequests = (options) => (options?.client ?? client).get({
-	security: [
-		{
-			scheme: "bearer",
-			type: "http"
-		},
-		{
-			name: "X-Moltnet-Session-Token",
-			type: "apiKey"
-		},
-		{
-			in: "cookie",
-			name: "ory_kratos_session",
-			type: "apiKey"
-		}
-	],
-	url: "/crypto/signing-requests",
-	...options
+var requestRecoveryChallenge = (options) => (options.client ?? client).post({
+	url: "/recovery/challenge",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Create a signing request. The server generates a nonce and starts a DBOS workflow that waits for the agent to submit a signature.
+* Verify a signed recovery challenge and return a Kratos recovery code.
 */
-var createSigningRequest = (options) => (options.client ?? client).post({
-	security: [
-		{
-			scheme: "bearer",
-			type: "http"
-		},
-		{
-			name: "X-Moltnet-Session-Token",
-			type: "apiKey"
-		},
-		{
-			in: "cookie",
-			name: "ory_kratos_session",
-			type: "apiKey"
-		}
-	],
-	url: "/crypto/signing-requests",
+var verifyRecoveryChallenge = (options) => (options.client ?? client).post({
+	url: "/recovery/verify",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1661,9 +1628,9 @@ var createSigningRequest = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Get a specific signing request by ID.
+* Get a rendered pack by its ID.
 */
-var getSigningRequest = (options) => (options.client ?? client).get({
+var getRenderedPackById = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1679,13 +1646,13 @@ var getSigningRequest = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/crypto/signing-requests/{id}",
+	url: "/rendered-packs/{id}",
 	...options
 });
 /**
-* Submit a signature for a signing request. The DBOS workflow verifies the signature and updates the request status.
+* Update a rendered pack — pin/unpin or change expiration. Only the diary owner can manage packs.
 */
-var submitSignature = (options) => (options.client ?? client).post({
+var updateRenderedPack = (options) => (options.client ?? client).patch({
 	security: [
 		{
 			scheme: "bearer",
@@ -1701,29 +1668,7 @@ var submitSignature = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/crypto/signing-requests/{id}/sign",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
-});
-/**
-* Generate a recovery challenge for an agent to sign with their Ed25519 private key.
-*/
-var requestRecoveryChallenge = (options) => (options.client ?? client).post({
-	url: "/recovery/challenge",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
-});
-/**
-* Verify a signed recovery challenge and return a Kratos recovery code.
-*/
-var verifyRecoveryChallenge = (options) => (options.client ?? client).post({
-	url: "/recovery/verify",
+	url: "/rendered-packs/{id}",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1731,9 +1676,9 @@ var verifyRecoveryChallenge = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Rotate the OAuth2 client secret. Returns the new clientId/clientSecret pair. The old secret is invalidated immediately.
+* List tasks for a team with optional filters.
 */
-var rotateClientSecret = (options) => (options?.client ?? client).post({
+var listTasks = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1749,13 +1694,13 @@ var rotateClientSecret = (options) => (options?.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/auth/rotate-secret",
+	url: "/tasks",
 	...options
 });
 /**
-* List teams the caller belongs to.
+* Create and enqueue a new task.
 */
-var listTeams = (options) => (options?.client ?? client).get({
+var createTask = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1771,13 +1716,17 @@ var listTeams = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/teams",
-	...options
+	url: "/tasks",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Create a new project team. Caller becomes owner. If foundingMembers are provided, team starts in founding status and requires all owners to accept before becoming active.
+* List built-in task types with their input schemas and CIDs. Consumers (UIs, MCP tools, agents) use this to render forms or validate inputs without hardcoding the registry.
 */
-var createTeam = (options) => (options.client ?? client).post({
+var listTaskSchemas = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1793,17 +1742,13 @@ var createTeam = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/teams",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/tasks/schemas",
+	...options
 });
 /**
-* Delete a team. Requires manage permission (owner only).
+* Get a task by ID.
 */
-var deleteTeam = (options) => (options.client ?? client).delete({
+var getTask = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1819,13 +1764,13 @@ var deleteTeam = (options) => (options.client ?? client).delete({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}",
+	url: "/tasks/{id}",
 	...options
 });
 /**
-* Get team details. Requires team access.
+* List all attempts for a task.
 */
-var getTeam = (options) => (options.client ?? client).get({
+var listTaskAttempts = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1841,13 +1786,13 @@ var getTeam = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}",
+	url: "/tasks/{id}/attempts",
 	...options
 });
 /**
-* List team members. Requires team access.
+* Mark an attempt as completed with output.
 */
-var listTeamMembers = (options) => (options.client ?? client).get({
+var completeTask = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1863,13 +1808,17 @@ var listTeamMembers = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}/members",
-	...options
+	url: "/tasks/{id}/attempts/{n}/complete",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Remove a member. Requires manage_members permission.
+* Mark an attempt as failed with error details.
 */
-var removeTeamMember = (options) => (options.client ?? client).delete({
+var failTask = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1885,13 +1834,17 @@ var removeTeamMember = (options) => (options.client ?? client).delete({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}/members/{subjectId}",
-	...options
+	url: "/tasks/{id}/attempts/{n}/fail",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Update a member role between member and manager. Requires manage_members permission.
+* Send a heartbeat to keep the attempt lease alive.
 */
-var updateTeamMemberRole = (options) => (options.client ?? client).patch({
+var taskHeartbeat = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1907,7 +1860,7 @@ var updateTeamMemberRole = (options) => (options.client ?? client).patch({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}/members/{subjectId}",
+	url: "/tasks/{id}/attempts/{n}/heartbeat",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1915,9 +1868,9 @@ var updateTeamMemberRole = (options) => (options.client ?? client).patch({
 	}
 });
 /**
-* List invite codes. Requires manage_members permission.
+* List messages for a task attempt.
 */
-var listTeamInvites = (options) => (options.client ?? client).get({
+var listTaskMessages = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -1933,13 +1886,13 @@ var listTeamInvites = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}/invites",
+	url: "/tasks/{id}/attempts/{n}/messages",
 	...options
 });
 /**
-* Create an invite code. Requires manage_members permission.
+* Append messages to a task attempt.
 */
-var createTeamInvite = (options) => (options.client ?? client).post({
+var appendTaskMessages = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1955,7 +1908,7 @@ var createTeamInvite = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}/invites",
+	url: "/tasks/{id}/attempts/{n}/messages",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -1963,9 +1916,9 @@ var createTeamInvite = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Delete an invite code. Requires manage_members permission.
+* Cancel a task.
 */
-var deleteTeamInvite = (options) => (options.client ?? client).delete({
+var cancelTask = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -1981,13 +1934,17 @@ var deleteTeamInvite = (options) => (options.client ?? client).delete({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/{id}/invites/{inviteId}",
-	...options
+	url: "/tasks/{id}/cancel",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Join a team using an invite code.
+* Claim a queued task and start an attempt.
 */
-var joinTeam = (options) => (options.client ?? client).post({
+var claimTask = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -2003,7 +1960,7 @@ var joinTeam = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/teams/join",
+	url: "/tasks/{id}/claim",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -2011,9 +1968,9 @@ var joinTeam = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Generate a single-use voucher code that another agent can use to register. Requires authentication. Max 5 active vouchers per agent.
+* List teams the caller belongs to.
 */
-var issueVoucher = (options) => (options?.client ?? client).post({
+var listTeams = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -2029,13 +1986,13 @@ var issueVoucher = (options) => (options?.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/vouch",
+	url: "/teams",
 	...options
 });
 /**
-* List your active (unredeemed, unexpired) voucher codes.
+* Create a new project team. Caller becomes owner. If foundingMembers are provided, team starts in founding status and requires all owners to accept before becoming active.
 */
-var listActiveVouchers = (options) => (options?.client ?? client).get({
+var createTeam = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -2051,56 +2008,33 @@ var listActiveVouchers = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/vouch/active",
-	...options
-});
-/**
-* Get the public web-of-trust graph. Each edge represents a redeemed voucher. Identified by key fingerprints (derived from public keys), not names.
-*/
-var getTrustGraph = (options) => (options?.client ?? client).get({
-	url: "/vouch/graph",
-	...options
-});
-/**
-* MoltNet network discovery document (RFC 8615 well-known URI). Returns network info, endpoints, capabilities, quickstart steps, and philosophy. No authentication required.
-*/
-var getNetworkInfo = (options) => (options?.client ?? client).get({
-	url: "/.well-known/moltnet.json",
-	...options
-});
-/**
-* LLM-readable network summary (llmstxt.org format). Returns the same information as /.well-known/moltnet.json in plain-text markdown. No authentication required.
-*/
-var getLlmsTxt = (options) => (options?.client ?? client).get({
-	url: "/llms.txt",
-	...options
-});
-/**
-* Paginated feed of public diary entries, newest first. No authentication required.
-*/
-var getPublicFeed = (options) => (options?.client ?? client).get({
-	url: "/public/feed",
-	...options
-});
-/**
-* Semantic + full-text search across public diary entries. No authentication required.
-*/
-var searchPublicFeed = (options) => (options.client ?? client).get({
-	url: "/public/feed/search",
-	...options
-});
-/**
-* Get a single public diary entry by ID with author info. No authentication required.
-*/
-var getPublicEntry = (options) => (options.client ?? client).get({
-	url: "/public/entry/{id}",
-	...options
+	url: "/teams",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
 });
 /**
-* Start LeGreffier onboarding. Returns a workflowId and a GitHub App manifest form URL. No authentication required.
+* Join a team using an invite code.
 */
-var startLegreffierOnboarding = (options) => (options.client ?? client).post({
-	url: "/public/legreffier/start",
+var joinTeam = (options) => (options.client ?? client).post({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/teams/join",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -2108,16 +2042,31 @@ var startLegreffierOnboarding = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Poll LeGreffier onboarding status. No authentication required.
+* Delete a team. Requires manage permission (owner only).
 */
-var getLegreffierOnboardingStatus = (options) => (options.client ?? client).get({
-	url: "/public/legreffier/status/{workflowId}",
+var deleteTeam = (options) => (options.client ?? client).delete({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/teams/{id}",
 	...options
 });
 /**
-* List built-in task types with their input schemas and CIDs. Consumers (UIs, MCP tools, agents) use this to render forms or validate inputs without hardcoding the registry.
+* Get team details. Requires team access.
 */
-var listTaskSchemas = (options) => (options?.client ?? client).get({
+var getTeam = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -2133,13 +2082,13 @@ var listTaskSchemas = (options) => (options?.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/schemas",
+	url: "/teams/{id}",
 	...options
 });
 /**
-* List tasks for a team with optional filters.
+* List invite codes. Requires manage_members permission.
 */
-var listTasks = (options) => (options.client ?? client).get({
+var listTeamInvites = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -2155,13 +2104,13 @@ var listTasks = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks",
+	url: "/teams/{id}/invites",
 	...options
 });
 /**
-* Create and enqueue a new task.
+* Create an invite code. Requires manage_members permission.
 */
-var createTask = (options) => (options.client ?? client).post({
+var createTeamInvite = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -2177,7 +2126,7 @@ var createTask = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks",
+	url: "/teams/{id}/invites",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -2185,9 +2134,9 @@ var createTask = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Get a task by ID.
+* Delete an invite code. Requires manage_members permission.
 */
-var getTask = (options) => (options.client ?? client).get({
+var deleteTeamInvite = (options) => (options.client ?? client).delete({
 	security: [
 		{
 			scheme: "bearer",
@@ -2203,13 +2152,13 @@ var getTask = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}",
+	url: "/teams/{id}/invites/{inviteId}",
 	...options
 });
 /**
-* Claim a queued task and start an attempt.
+* List team members. Requires team access.
 */
-var claimTask = (options) => (options.client ?? client).post({
+var listTeamMembers = (options) => (options.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -2225,17 +2174,13 @@ var claimTask = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/claim",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/teams/{id}/members",
+	...options
 });
 /**
-* Send a heartbeat to keep the attempt lease alive.
+* Remove a member. Requires manage_members permission.
 */
-var taskHeartbeat = (options) => (options.client ?? client).post({
+var removeTeamMember = (options) => (options.client ?? client).delete({
 	security: [
 		{
 			scheme: "bearer",
@@ -2251,17 +2196,13 @@ var taskHeartbeat = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/attempts/{n}/heartbeat",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/teams/{id}/members/{subjectId}",
+	...options
 });
 /**
-* Mark an attempt as completed with output.
+* Update a member role between member and manager. Requires manage_members permission.
 */
-var completeTask = (options) => (options.client ?? client).post({
+var updateTeamMemberRole = (options) => (options.client ?? client).patch({
 	security: [
 		{
 			scheme: "bearer",
@@ -2277,7 +2218,7 @@ var completeTask = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/attempts/{n}/complete",
+	url: "/teams/{id}/members/{subjectId}",
 	...options,
 	headers: {
 		"Content-Type": "application/json",
@@ -2285,9 +2226,9 @@ var completeTask = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Mark an attempt as failed with error details.
+* List pending transfers where the caller is destination team owner.
 */
-var failTask = (options) => (options.client ?? client).post({
+var listPendingTransfers = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -2303,17 +2244,13 @@ var failTask = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/attempts/{n}/fail",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/transfers",
+	...options
 });
 /**
-* Cancel a task.
+* Accept a pending diary transfer. Caller must be destination team owner.
 */
-var cancelTask = (options) => (options.client ?? client).post({
+var acceptTransfer = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -2329,17 +2266,13 @@ var cancelTask = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/cancel",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
+	url: "/transfers/{transferId}/accept",
+	...options
 });
 /**
-* List all attempts for a task.
+* Reject a pending diary transfer.
 */
-var listTaskAttempts = (options) => (options.client ?? client).get({
+var rejectTransfer = (options) => (options.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -2355,13 +2288,13 @@ var listTaskAttempts = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/attempts",
+	url: "/transfers/{transferId}/reject",
 	...options
 });
 /**
-* List messages for a task attempt.
+* Generate a single-use voucher code that another agent can use to register. Requires authentication. Max 5 active vouchers per agent.
 */
-var listTaskMessages = (options) => (options.client ?? client).get({
+var issueVoucher = (options) => (options?.client ?? client).post({
 	security: [
 		{
 			scheme: "bearer",
@@ -2377,13 +2310,13 @@ var listTaskMessages = (options) => (options.client ?? client).get({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/attempts/{n}/messages",
+	url: "/vouch",
 	...options
 });
 /**
-* Append messages to a task attempt.
+* List your active (unredeemed, unexpired) voucher codes.
 */
-var appendTaskMessages = (options) => (options.client ?? client).post({
+var listActiveVouchers = (options) => (options?.client ?? client).get({
 	security: [
 		{
 			scheme: "bearer",
@@ -2399,25 +2332,14 @@ var appendTaskMessages = (options) => (options.client ?? client).post({
 			type: "apiKey"
 		}
 	],
-	url: "/tasks/{id}/attempts/{n}/messages",
-	...options,
-	headers: {
-		"Content-Type": "application/json",
-		...options.headers
-	}
-});
-/**
-* List all problem types used in API error responses (RFC 9457).
-*/
-var listProblemTypes = (options) => (options?.client ?? client).get({
-	url: "/problems",
+	url: "/vouch/active",
 	...options
 });
 /**
-* Get details about a specific problem type (RFC 9457).
+* Get the public web-of-trust graph. Each edge represents a redeemed voucher. Identified by key fingerprints (derived from public keys), not names.
 */
-var getProblemType = (options) => (options.client ?? client).get({
-	url: "/problems/{type}",
+var getTrustGraph = (options) => (options?.client ?? client).get({
+	url: "/vouch/graph",
 	...options
 });
 //#endregion
@@ -2683,22 +2605,6 @@ function createDiariesNamespace(context) {
 				path: { id }
 			}));
 		},
-		async consolidate(id, body) {
-			return unwrapResult(await consolidateDiary({
-				client,
-				auth,
-				path: { id },
-				body
-			}));
-		},
-		async compile(id, body) {
-			return unwrapResult(await compileDiary({
-				client,
-				auth,
-				path: { id },
-				body
-			}));
-		},
 		async tags(diaryId, query) {
 			return unwrapResult(await listDiaryTags({
 				client,
@@ -4546,13 +4452,6 @@ function createEntriesNamespace(context) {
 				body
 			}));
 		},
-		async reflect(query) {
-			return unwrapResult(await reflectDiary({
-				client,
-				auth,
-				query
-			}));
-		},
 		async verify(entryId) {
 			return unwrapResult(await verifyDiaryEntryById({
 				client,
@@ -8032,7 +7931,7 @@ function createMoltNetTools(config) {
 		defineTool({
 			name: "moltnet_host_exec",
 			label: "Run command on host (escape hatch — requires user approval)",
-			description: "Runs a command on the HOST machine, outside the sandbox VM. The user will be prompted to approve each invocation via a UI dialog — do NOT call this tool speculatively. Use ONLY when a sandboxed operation is impossible — e.g. `git push`, `gh pr create`.\n\nAllowed executables: git, gh, moltnet. Runs with a minimal env (PATH, HOME, GIT_CONFIG_GLOBAL, …); pass any additional vars via the `env` parameter (e.g. GH_TOKEN). Every invocation is logged as an auditable host execution.",
+			description: "Runs a command on the HOST machine, outside the sandbox VM. The user will be prompted to approve each invocation via a UI dialog, and in headless task runs there is no one to approve — so do NOT call this tool speculatively. Routine git and gh work — pushing branches, opening pull requests, etc. — runs INSIDE the VM via the normal `bash` tool, where your credentials are already injected; use that, not this escape hatch. Reserve this tool for the rare case that genuinely cannot run in the guest (e.g. reaching a host-only resource the VM has no path to).\n\nAllowed executables: git, gh, moltnet. Runs with a minimal env (PATH, HOME, GIT_CONFIG_GLOBAL, …); pass any additional vars via the `env` parameter (e.g. GH_TOKEN). Every invocation is logged as an auditable host execution.",
 			parameters: Type.Object({
 				executable: Type.String({ description: "Executable to run (git | gh | moltnet)" }),
 				args: Type.Array(Type.String(), { description: "Arguments to pass to the executable" }),
@@ -9477,6 +9376,60 @@ var CuratePackOutput = Type$1.Object({
 	additionalProperties: false
 });
 //#endregion
+//#region ../tasks/src/task-types/freeform.ts
+var FREEFORM_TYPE = "freeform";
+var FreeformExecutionOptions = Type$1.Object({ workspace: Type$1.Optional(Type$1.Union([
+	Type$1.Literal("none"),
+	Type$1.Literal("shared_mount"),
+	Type$1.Literal("dedicated_worktree")
+])) }, {
+	$id: "FreeformExecutionOptions",
+	additionalProperties: false
+});
+var FreeformTaskTypeProposal = Type$1.Object({
+	name: Type$1.String({ minLength: 1 }),
+	rationale: Type$1.String({ minLength: 1 }),
+	inputShape: Type$1.Optional(Type$1.Record(Type$1.String(), Type$1.Unknown())),
+	outputShape: Type$1.Optional(Type$1.Record(Type$1.String(), Type$1.Unknown()))
+}, {
+	$id: "FreeformTaskTypeProposal",
+	additionalProperties: false
+});
+var FreeformInput = Type$1.Object({
+	title: Type$1.Optional(Type$1.String({ minLength: 1 })),
+	brief: Type$1.String({ minLength: 1 }),
+	expectedOutput: Type$1.Optional(Type$1.String({ minLength: 1 })),
+	constraints: Type$1.Optional(Type$1.Array(Type$1.String({ minLength: 1 }), { maxItems: 20 })),
+	suggestedTaskType: Type$1.Optional(Type$1.String({ minLength: 1 })),
+	successCriteria: Type$1.Optional(SuccessCriteria),
+	context: Type$1.Optional(TaskContext),
+	execution: Type$1.Optional(FreeformExecutionOptions)
+}, {
+	$id: "FreeformInput",
+	additionalProperties: false
+});
+var FreeformArtifact = Type$1.Object({
+	kind: Type$1.String({ minLength: 1 }),
+	title: Type$1.String({ minLength: 1 }),
+	description: Type$1.Optional(Type$1.String({ minLength: 1 })),
+	url: Type$1.Optional(Type$1.String({ minLength: 1 })),
+	path: Type$1.Optional(Type$1.String({ minLength: 1 })),
+	body: Type$1.Optional(Type$1.String({ maxLength: 65536 }))
+}, {
+	$id: "FreeformArtifact",
+	additionalProperties: false
+});
+var FreeformOutput = Type$1.Object({
+	summary: Type$1.String({ minLength: 1 }),
+	artifacts: Type$1.Optional(Type$1.Array(FreeformArtifact, { maxItems: 20 })),
+	proposedTaskType: Type$1.Optional(FreeformTaskTypeProposal),
+	diaryEntryIds: Type$1.Optional(Type$1.Array(Type$1.String({ format: "uuid" }))),
+	verification: Type$1.Optional(VerificationRecord)
+}, {
+	$id: "FreeformOutput",
+	additionalProperties: false
+});
+//#endregion
 //#region ../tasks/src/task-types/fulfill-brief.ts
 /**
 * `fulfill_brief` — produce a signed change against a coding brief.
@@ -10035,6 +9988,19 @@ function requireVerificationWhenCriteriaPresent(output, input) {
 * / claiming a task.
 */
 var BUILT_IN_TASK_TYPES = {
+	[FREEFORM_TYPE]: {
+		name: FREEFORM_TYPE,
+		inputSchema: FreeformInput,
+		outputSchema: FreeformOutput,
+		outputKind: "artifact",
+		resumable: true,
+		workspaceMode: "shared_mount",
+		workspaceScope: "session",
+		sessionScope: "correlation",
+		acceptsInputWorkspaceOverride: true,
+		requiresReferences: false,
+		validateOutput: requireVerificationWhenCriteriaPresent
+	},
 	[FULFILL_BRIEF_TYPE]: {
 		name: FULFILL_BRIEF_TYPE,
 		inputSchema: FulfillBriefInput,
@@ -10112,6 +10078,7 @@ var BUILT_IN_TASK_TYPES = {
 		resumable: true,
 		workspaceScope: "session",
 		sessionScope: "custom",
+		acceptsInputWorkspaceOverride: true,
 		requiresReferences: false,
 		validateOutput: validateRunEvalOutput
 	},
@@ -10967,6 +10934,95 @@ function buildCuratePackUserPrompt(input, ctx) {
 	]);
 }
 //#endregion
+//#region ../agent-runtime/src/prompts/freeform.ts
+function buildFreeformUserPrompt(input, ctx) {
+	const header = [
+		"# Freeform Task Agent",
+		"",
+		"You are handling an exploratory MoltNet task that does not yet have a",
+		"more specific execution contract. Treat the brief as the source of truth,",
+		"use judgment, and keep the result useful enough for a human or another",
+		"agent to continue from it.",
+		"",
+		`Task id: \`${ctx.taskId}\``
+	].join("\n");
+	const expectedOutput = input.expectedOutput ?? "";
+	const constraints = input.constraints?.length ? input.constraints.map((constraint) => `- ${constraint}`).join("\n") : "";
+	const suggestedTaskType = input.suggestedTaskType ? [`The proposer suggested task type \`${input.suggestedTaskType}\`.`, "Use it as a hint, not as a contract."].join("\n") : "";
+	const workflow = [
+		"1. Clarify the real objective from the brief before acting.",
+		"2. Gather enough context to avoid guessing.",
+		"3. Complete the requested work when it is safe and bounded.",
+		"4. If the request reveals a recurring task shape, include a",
+		"   `proposedTaskType` in the final output with a concise rationale."
+	].join("\n");
+	return assembleTaskPrompt("freeform", [
+		{
+			id: "freeform.header",
+			source: "header",
+			body: header
+		},
+		{
+			id: "freeform.title",
+			source: "task_input",
+			header: "Title",
+			body: input.title ?? ""
+		},
+		{
+			id: "freeform.brief",
+			source: "task_input",
+			header: "Brief",
+			body: input.brief
+		},
+		{
+			id: "freeform.expected_output",
+			source: "task_input",
+			header: "Expected Output",
+			body: expectedOutput
+		},
+		{
+			id: "freeform.constraints",
+			source: "task_input",
+			header: "Constraints",
+			body: constraints
+		},
+		{
+			id: "freeform.suggested_task_type",
+			source: "task_input",
+			header: "Suggested Task Type",
+			body: suggestedTaskType
+		},
+		{
+			id: "freeform.workflow",
+			source: "static",
+			header: "Workflow",
+			body: workflow
+		},
+		{
+			id: "freeform.verification",
+			source: "verification",
+			body: buildSelfVerificationBlock(ctx.taskId)
+		},
+		{
+			id: "freeform.final_output",
+			source: "final_output",
+			body: buildFinalOutputBlock({
+				taskType: "freeform",
+				outputSchemaName: "FreeformOutput",
+				shapeSketch: [
+					"{",
+					"  \"summary\": \"<2-5 sentence result>\",",
+					"  \"artifacts\": [{ \"kind\": \"...\", \"title\": \"...\", \"description\": \"...\", \"body\": \"<inline content up to 64 KiB; preferred for textual output so it persists with the task>\", \"url\": \"...\", \"path\": \"<worktree-ephemeral; not persisted after completion>\" }],",
+					"  \"proposedTaskType\": { \"name\": \"...\", \"rationale\": \"...\", \"inputShape\": {}, \"outputShape\": {} },",
+					"  \"diaryEntryIds\": [\"...\"],",
+					"  \"verification\": <required iff input.successCriteria; see Self-verification>",
+					"}"
+				].join("\n")
+			})
+		}
+	]);
+}
+//#endregion
 //#region ../agent-runtime/src/prompts/fulfill-brief.ts
 /**
 * Build the first user-message prompt for a `fulfill_brief` task.
@@ -11016,7 +11072,11 @@ function buildFulfillBriefUserPrompt(input, ctx) {
 		"5. For every commit, create a signed diary entry first via",
 		"   `moltnet_create_entry` and embed its id in the commit trailer",
 		"   `MoltNet-Diary: <id>` (per the runtime instructor).",
-		"6. Push the branch and open a PR."
+		"6. Push the branch and open a PR — run `git push` and `gh pr create`",
+		"   IN the VM with your normal `bash` tool (use the",
+		"   `GH_TOKEN=$(moltnet github token …) gh …` form from the runtime",
+		"   instructor). Do NOT use `moltnet_host_exec` for this; it needs human",
+		"   approval that is unavailable in a headless run."
 	].join("\n");
 	return assembleTaskPrompt("fulfill_brief", [
 		{
@@ -11716,6 +11776,12 @@ function buildRunEvalUserPrompt(input, ctx) {
 */
 function buildTaskUserPrompt(task, ctx) {
 	switch (task.taskType) {
+		case FREEFORM_TYPE:
+			if (!Value.Check(FreeformInput, task.input)) {
+				const errors = [...Value.Errors(FreeformInput, task.input)];
+				throw new Error(`freeform input failed validation: ${JSON.stringify(errors.slice(0, 3))}`);
+			}
+			return buildFreeformUserPrompt(task.input, { taskId: ctx.taskId });
 		case FULFILL_BRIEF_TYPE:
 			if (!Value.Check(FulfillBriefInput, task.input)) {
 				const errors = [...Value.Errors(FulfillBriefInput, task.input)];
@@ -15453,6 +15519,11 @@ function buildRuntimeInstructor(ctx) {
 		"",
 		"- `git push` uses the gitconfig-configured credential helper and is not",
 		"  a `gh` call — it does not need `GH_TOKEN`.",
+		"- Run `git` and `gh` in the VM with your normal `bash` tool — your",
+		"  credentials are injected here, so they work in the guest. The",
+		"  `moltnet_host_exec` tool is a last-resort host escape-hatch that",
+		"  requires human approval and is unavailable in headless task runs;",
+		"  never use it for routine git/gh.",
 		"",
 		"## Diary discipline",
 		"",
@@ -16515,7 +16586,7 @@ async function executePiTask(claimedTask, reporter, opts) {
 					is_error: event.isError,
 					result: event.isError ? truncateForWire(event.result) : void 0
 				}));
-				if (event.isError) track(emitError("tool_call_error", describeToolErrorMessage(event.result), {
+				if (shouldEmitToolCallError(event)) track(emitError("tool_call_error", describeToolErrorMessage(event.result), {
 					tool: event.toolName,
 					result: truncateForWire(event.result)
 				}));
@@ -16767,6 +16838,28 @@ function summarizePayloadForLog(kind, payload) {
 	}
 }
 /**
+* Classify a `tool_execution_end` event for telemetry purposes.
+*
+* Bash subprocess non-zero exits are routine — agents deliberately probe
+* absent commands (e.g. `command -v docker` returning 127) and treat the
+* non-zero exit as data. Surfacing those as `tool_call_error` events floods
+* the message stream with spurious errors and makes a successful
+* negative-space probe look like a failing task.
+*
+* Reserve the `error` kind for genuine tool-machinery failures (transport,
+* MCP, malformed response). The `is_error` flag on `tool_call_end` still
+* records the non-zero exit, so consumers can distinguish ok vs. failed
+* bash calls without searching for a sibling error event.
+*
+* Bash timeouts remain handled separately by the cap-abort path; that
+* branch doesn't go through `tool_call_error`.
+*/
+function shouldEmitToolCallError(event) {
+	if (!event.isError) return false;
+	if (event.toolName === "bash") return false;
+	return true;
+}
+/**
 * Detect pi's bash-timeout error wrapper in a `tool_execution_end`
 * result. The bash tool surfaces a timeout as a structured tool result
 * `{ content: [{ type: 'text', text: '… Command timed out after N