@witnium-tech/witniumchain 0.2.0

package/dist/index.mjs

@@ -0,0 +1,729 @@
+// src/errors.ts
+var WitniumAccountsApiError = class extends Error {
+  status;
+  errorLabel;
+  body;
+  constructor(args) {
+    super(args.message);
+    this.name = "WitniumAccountsApiError";
+    this.status = args.status;
+    this.errorLabel = args.errorLabel;
+    this.body = args.body ?? null;
+  }
+};
+
+// src/client.ts
+var WitniumAccountsClient = class {
+  baseUrl;
+  cfg;
+  timeout;
+  fetchImpl;
+  /** Subscriptions / billing helpers. See {@link Subscriptions}. */
+  subscriptions;
+  /** Delegated-key namespace including the one-call {@link DelegatedKeys.provision} flow. */
+  delegatedKeys;
+  /** Owner signing-key management (list / add / revoke). */
+  keys;
+  /** OAuth session management. Accessed as `client.oauth.sessions.*`. */
+  oauth;
+  constructor(config) {
+    if (!config.baseUrl) {
+      throw new Error("WitniumAccountsClient: baseUrl is required");
+    }
+    this.cfg = config;
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.timeout = config.timeout ?? 3e4;
+    this.fetchImpl = config.fetch ?? globalThis.fetch;
+    if (!this.fetchImpl) {
+      throw new Error(
+        "WitniumAccountsClient: no fetch implementation available. Pass `config.fetch`."
+      );
+    }
+    this.subscriptions = new Subscriptions(this);
+    this.delegatedKeys = new DelegatedKeys(this);
+    this.keys = new SigningKeys(this);
+    this.oauth = new OauthNamespace(this);
+  }
+  /**
+   * Convenience alias for {@link getAccount} — returns the authenticated
+   * user's profile, the org they belong to, and their signing keys.
+   */
+  me() {
+    return this.getAccount();
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Auth (/v1/auth/*)
+  // ────────────────────────────────────────────────────────────────────────
+  signup(body) {
+    return this.req("POST", "/v1/auth/signup", { auth: "Public", body });
+  }
+  verifyEmail(token) {
+    return this.req("GET", "/v1/auth/verify", {
+      auth: "Public",
+      query: { token }
+    });
+  }
+  login(body) {
+    return this.req("POST", "/v1/auth/login", { auth: "Public", body });
+  }
+  logout() {
+    return this.req("POST", "/v1/auth/logout", { auth: "Public" });
+  }
+  forgotPassword(body) {
+    return this.req("POST", "/v1/auth/forgot-password", { auth: "Public", body });
+  }
+  resetPassword(body) {
+    return this.req("POST", "/v1/auth/reset-password", { auth: "Public", body });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Billing (/v1/billing/*)
+  // ────────────────────────────────────────────────────────────────────────
+  createCheckoutSession(body) {
+    return this.req("POST", "/v1/billing/checkout", {
+      auth: "SessionCookie",
+      body
+    });
+  }
+  createPortalSession() {
+    return this.req("GET", "/v1/billing/portal", { auth: "SessionCookie" });
+  }
+  // Webhook endpoint is intentionally NOT exposed: only Stripe should call it.
+  // ────────────────────────────────────────────────────────────────────────
+  // Orgs (/v1/orgs/me/*)
+  // ────────────────────────────────────────────────────────────────────────
+  getMyOrg() {
+    return this.req("GET", "/v1/orgs/me", { auth: "OrgApiKey" });
+  }
+  createOrgUser(body) {
+    return this.req("POST", "/v1/orgs/me/users", { auth: "OrgApiKey", body });
+  }
+  listOrgUsers() {
+    return this.req("GET", "/v1/orgs/me/users", { auth: "OrgApiKey" });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Admin (/v1/admin/organizations/*)
+  // ────────────────────────────────────────────────────────────────────────
+  createOrganization(body) {
+    return this.req("POST", "/v1/admin/organizations", {
+      auth: "AdminToken",
+      body
+    });
+  }
+  setOrgAccountType(id, body) {
+    return this.req(
+      "PATCH",
+      `/v1/admin/organizations/${encodeURIComponent(id)}/account-type`,
+      { auth: "AdminToken", body }
+    );
+  }
+  verifyOrganization(id) {
+    return this.req(
+      "PATCH",
+      `/v1/admin/organizations/${encodeURIComponent(id)}/verify`,
+      { auth: "AdminToken" }
+    );
+  }
+  rotateOrgApiKey(id) {
+    return this.req(
+      "POST",
+      `/v1/admin/organizations/${encodeURIComponent(id)}/rotate-key`,
+      { auth: "AdminToken" }
+    );
+  }
+  adjustOrgCredits(id, body) {
+    return this.req(
+      "POST",
+      `/v1/admin/organizations/${encodeURIComponent(id)}/adjust-credits`,
+      { auth: "AdminToken", body }
+    );
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Delegated keys (/v1/users/me/delegated-keys/*)
+  // ────────────────────────────────────────────────────────────────────────
+  listDelegatedKeys(query) {
+    return this.req("GET", "/v1/users/me/delegated-keys", {
+      auth: "BearerJWT",
+      query: query ?? {}
+    });
+  }
+  prepareDelegatedKey(body) {
+    return this.req("POST", "/v1/users/me/delegated-keys", {
+      auth: "BearerJWT",
+      body
+    });
+  }
+  submitDelegatedKey(id, body) {
+    return this.req(
+      "POST",
+      `/v1/users/me/delegated-keys/${encodeURIComponent(id)}/submit`,
+      { auth: "BearerJWT", body }
+    );
+  }
+  revokeDelegatedKey(id) {
+    return this.req(
+      "DELETE",
+      `/v1/users/me/delegated-keys/${encodeURIComponent(id)}`,
+      { auth: "BearerJWT" }
+    );
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Sign (/v1/sign)
+  // ────────────────────────────────────────────────────────────────────────
+  sign(body, requestId) {
+    const headers = requestId ? { "x-request-id": requestId } : void 0;
+    return this.req("POST", "/v1/sign", {
+      auth: "BearerJWT",
+      body,
+      ...headers ? { headers } : {}
+    });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Contracts (/v1/contracts/* + /v1/keys/*)
+  // ────────────────────────────────────────────────────────────────────────
+  provisionContract(body) {
+    return this.req("POST", "/v1/contracts/provision", {
+      auth: "Public",
+      body
+    });
+  }
+  addSigningKey(body) {
+    return this.req("POST", "/v1/keys", { auth: "SessionCookie", body });
+  }
+  revokeSigningKey(body) {
+    return this.req("POST", "/v1/keys/revoke", {
+      auth: "SessionCookie",
+      body
+    });
+  }
+  pauseContract(body) {
+    return this.req("POST", "/v1/contracts/pause", {
+      auth: "SessionCookie",
+      body
+    });
+  }
+  unpauseContract(body) {
+    return this.req("POST", "/v1/contracts/unpause", {
+      auth: "SessionCookie",
+      body
+    });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Witnesses (/v1/contracts/{addr}/witnesses/*)
+  // ────────────────────────────────────────────────────────────────────────
+  proposeWitness(contractAddress, body, idempotencyKey) {
+    const key = idempotencyKey ?? randomUUID();
+    return this.req(
+      "POST",
+      `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/propose`,
+      { auth: "SignedRequest", body, headers: { "idempotency-key": key } }
+    );
+  }
+  signWitness(contractAddress, witnessId, body) {
+    return this.req(
+      "POST",
+      `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/sign`,
+      { auth: "SignedRequest", body }
+    );
+  }
+  finalizeWitness(contractAddress, witnessId) {
+    return this.req(
+      "POST",
+      `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/finalize`,
+      { auth: "SignedRequest" }
+    );
+  }
+  revokeWitness(contractAddress, witnessId, body, idempotencyKey) {
+    const key = idempotencyKey ?? randomUUID();
+    return this.req(
+      "POST",
+      `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/revoke`,
+      { auth: "SignedRequest", body, headers: { "idempotency-key": key } }
+    );
+  }
+  getWitness(contractAddress, witnessId) {
+    return this.req(
+      "GET",
+      `/v1/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}`,
+      { auth: "Public" }
+    );
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // v5 Witnesses (/v5/contracts/{addr}/witnesses/*)
+  //
+  // The v5 write surface is a metered proxy in accounts: every billable
+  // call (propose, revoke) reserves a credit; sign/finalize forward to
+  // chain-api with the admin token. Auth is OAuth Bearer; the URL
+  // contract must match the user's bound contract.
+  //
+  // The propose/revoke methods auto-generate an Idempotency-Key when the
+  // caller doesn't supply one — server side that header is part of the
+  // billing identity and is required.
+  // ────────────────────────────────────────────────────────────────────────
+  proposeWitnessV5(contractAddress, body, idempotencyKey) {
+    const key = idempotencyKey ?? randomUUID();
+    return this.req(
+      "POST",
+      `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/propose`,
+      { auth: "BearerJWT", body, headers: { "idempotency-key": key } }
+    );
+  }
+  signWitnessV5(contractAddress, intentId, body) {
+    return this.req(
+      "POST",
+      `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(intentId)}/sign`,
+      { auth: "BearerJWT", body }
+    );
+  }
+  finalizeWitnessV5(contractAddress, intentId) {
+    return this.req(
+      "POST",
+      `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(intentId)}/finalize`,
+      { auth: "BearerJWT" }
+    );
+  }
+  revokeWitnessV5(contractAddress, witnessId, body, idempotencyKey) {
+    const key = idempotencyKey ?? randomUUID();
+    return this.req(
+      "POST",
+      `/v5/contracts/${encodeURIComponent(contractAddress)}/witnesses/${encodeURIComponent(witnessId)}/revoke`,
+      { auth: "BearerJWT", body, headers: { "idempotency-key": key } }
+    );
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Users / account (/v1/account/*)
+  // ────────────────────────────────────────────────────────────────────────
+  getAccount() {
+    return this.req("GET", "/v1/account", { auth: "SessionCookie" });
+  }
+  getLedger() {
+    return this.req("GET", "/v1/account/ledger", { auth: "SessionCookie" });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // OAuth sessions (/v1/oauth/sessions*)
+  // ────────────────────────────────────────────────────────────────────────
+  listOauthSessions() {
+    return this.req("GET", "/v1/oauth/sessions", { auth: "SessionCookie" });
+  }
+  revokeOauthSession(jti) {
+    return this.req("DELETE", `/v1/oauth/sessions/${encodeURIComponent(jti)}`, {
+      auth: "SessionCookie",
+      expectNoContent: true
+    });
+  }
+  revokeAllOauthSessions() {
+    return this.req("DELETE", "/v1/oauth/sessions", {
+      auth: "SessionCookie",
+      expectNoContent: true
+    });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Health (/health/*)
+  // ────────────────────────────────────────────────────────────────────────
+  healthLive() {
+    return this.req("GET", "/health/live", { auth: "Public" });
+  }
+  healthReady() {
+    return this.req("GET", "/health/ready", { auth: "Public" });
+  }
+  // ────────────────────────────────────────────────────────────────────────
+  // Internal: fetch wrapper that maps non-2xx → WitniumAccountsApiError
+  // and applies the configured credential to the request.
+  // ────────────────────────────────────────────────────────────────────────
+  async req(method, path, opts) {
+    const url = this.buildUrl(path, opts.query);
+    const headers = {
+      accept: "application/json",
+      ...opts.headers ?? {}
+    };
+    if (opts.body !== void 0) {
+      headers["content-type"] = "application/json";
+    }
+    const bodyString = opts.body !== void 0 ? JSON.stringify(opts.body) : void 0;
+    await this.applyAuth(headers, opts.auth, method, path, bodyString ?? "");
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeout);
+    let res;
+    try {
+      res = await this.fetchImpl(url, {
+        method,
+        headers,
+        body: bodyString,
+        signal: controller.signal,
+        // Send cookies cross-origin when the consumer is a browser using
+        // SessionCookie auth via document.cookie.
+        credentials: "include"
+      });
+    } catch (err) {
+      throw new WitniumAccountsApiError({
+        status: 0,
+        message: err instanceof Error ? `Network error contacting ${this.baseUrl}: ${err.message}` : `Network error contacting ${this.baseUrl}`
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+    if (opts.expectNoContent) {
+      if (!res.ok) {
+        throw await this.toApiError(res);
+      }
+      return void 0;
+    }
+    const text = await res.text();
+    let parsed = null;
+    if (text.length > 0) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!res.ok) {
+      throw this.parseApiError(res.status, parsed, text);
+    }
+    return parsed;
+  }
+  buildUrl(path, query) {
+    if (!query) return `${this.baseUrl}${path}`;
+    const qs = new URLSearchParams();
+    for (const [k, v] of Object.entries(query)) {
+      if (v !== void 0) qs.set(k, String(v));
+    }
+    const suffix = qs.toString();
+    return suffix ? `${this.baseUrl}${path}?${suffix}` : `${this.baseUrl}${path}`;
+  }
+  async applyAuth(headers, auth, method, path, bodyString) {
+    switch (auth) {
+      case "Public":
+        return;
+      case "SessionCookie": {
+        if (this.cfg.sessionCookie) {
+          headers["cookie"] = `wac_session=${this.cfg.sessionCookie}`;
+        }
+        return;
+      }
+      case "BearerJWT": {
+        if (!this.cfg.accessToken) {
+          throw new Error(
+            `WitniumAccountsClient: ${method} ${path} requires an OAuth access token. Pass \`accessToken\` to the constructor.`
+          );
+        }
+        headers["authorization"] = `Bearer ${this.cfg.accessToken}`;
+        return;
+      }
+      case "OrgApiKey": {
+        if (!this.cfg.orgApiKey) {
+          throw new Error(
+            `WitniumAccountsClient: ${method} ${path} requires an organisation API key. Pass \`orgApiKey\` to the constructor.`
+          );
+        }
+        headers["authorization"] = `Bearer ${this.cfg.orgApiKey}`;
+        return;
+      }
+      case "AdminToken": {
+        if (!this.cfg.adminToken) {
+          throw new Error(
+            `WitniumAccountsClient: ${method} ${path} requires an admin token. Pass \`adminToken\` to the constructor.`
+          );
+        }
+        headers["authorization"] = `Bearer ${this.cfg.adminToken}`;
+        return;
+      }
+      case "SignedRequest": {
+        if (!this.cfg.signedRequest) {
+          throw new Error(
+            `WitniumAccountsClient: ${method} ${path} requires a signed-request signer. Pass \`signedRequest\` to the constructor.`
+          );
+        }
+        const timestamp = Math.floor(Date.now() / 1e3).toString();
+        const bodyHash = await sha256Hex(bodyString);
+        const idemKey = headers["idempotency-key"] ?? "";
+        const canonical = `${method.toUpperCase()}
+${path}
+${timestamp}
+${idemKey}
+${bodyHash}`;
+        const signature = await this.cfg.signedRequest.sign(canonical);
+        headers["x-witnium-key"] = this.cfg.signedRequest.publicKeyHex;
+        headers["x-witnium-timestamp"] = timestamp;
+        headers["x-witnium-signature"] = signature;
+        return;
+      }
+    }
+  }
+  parseApiError(status, parsed, rawText) {
+    const body = parsed;
+    const message = Array.isArray(body?.message) ? body.message.join("; ") : typeof body?.message === "string" ? body.message : body?.error ?? `HTTP ${status}`;
+    return new WitniumAccountsApiError({
+      status,
+      message,
+      errorLabel: body?.error,
+      body: parsed ?? rawText
+    });
+  }
+  async toApiError(res) {
+    const text = await res.text();
+    let parsed = null;
+    if (text.length > 0) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+      }
+    }
+    return this.parseApiError(res.status, parsed, text);
+  }
+};
+var Subscriptions = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  /**
+   * Start a Stripe Checkout session for the supplied price. Returns the
+   * hosted Checkout URL; redirect the user to it. Stripe's
+   * `checkout.session.completed` webhook grants credits on success.
+   */
+  subscribe(body) {
+    return this.client.createCheckoutSession(body);
+  }
+  /**
+   * Open the Stripe Billing Portal for the calling user's org. Returns the
+   * hosted portal URL — redirect the user there for subscription /
+   * payment-method management.
+   */
+  manage() {
+    return this.client.createPortalSession();
+  }
+  /** Recent credit-ledger entries (most recent 200). */
+  getLedger() {
+    return this.client.getLedger();
+  }
+};
+var DelegatedKeys = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  /** List the caller's delegated keys, optionally filtered by contract or active flag. */
+  list(query) {
+    return this.client.listDelegatedKeys(query);
+  }
+  /**
+   * One-call delegated-key provisioning: prepare → owner-sign → submit →
+   * poll until the on-chain `addSigningKey` tx confirms (or the polling
+   * budget elapses). The server mints the delegated key in Vault; the caller
+   * never sees its private key.
+   *
+   * Failure modes that surface as thrown {@link WitniumAccountsApiError}:
+   *   - 409 from prepare → an active key already exists for this contract;
+   *     caller must revoke the existing one first.
+   *   - 400 from submit → ownerSignature didn't verify against the prepared
+   *     message (wrong owner key, or the on-chain nonce shifted between
+   *     prepare and submit and the caller must re-provision).
+   *
+   * Returns `confirmed: false` (without throwing) when the on-chain tx is
+   * still pending after `pollTimeoutMs` — caller can keep polling via
+   * {@link list} or chain-api's receipt endpoint.
+   */
+  async provision(args) {
+    const prep = await this.client.prepareDelegatedKey({
+      contractAddress: args.contractAddress
+    });
+    const ownerSignature = await args.ownerSigner.sign(prep.messageToSign);
+    let res = await this.client.submitDelegatedKey(prep.id, { ownerSignature });
+    if (!res.confirmed) {
+      const interval = args.pollIntervalMs ?? 2e3;
+      const timeout = args.pollTimeoutMs ?? 6e4;
+      const deadline = Date.now() + timeout;
+      while (!res.confirmed && Date.now() < deadline) {
+        await sleep(interval);
+        res = await this.client.submitDelegatedKey(prep.id, {});
+      }
+    }
+    return {
+      id: prep.id,
+      publicKey: prep.publicKey,
+      transactionHash: res.transactionHash,
+      confirmed: res.confirmed,
+      blockNumber: res.blockNumber
+    };
+  }
+  /**
+   * Locally revoke a delegated key. Wipes the Vault Transit key and sets
+   * `revoked_at` on the row. The on-chain trust record persists — the caller
+   * must invoke `WitnessRegistryV3.revokeSigningKey` with their owner key to
+   * fully un-trust the key on the contract.
+   */
+  revoke(id) {
+    return this.client.revokeDelegatedKey(id);
+  }
+};
+var SigningKeys = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  /**
+   * The signing keys attached to the calling user's contract. There is no
+   * dedicated list endpoint; this method calls {@link
+   * WitniumAccountsClient.getAccount} and returns the `signingKeys` slice.
+   */
+  async list() {
+    const account = await this.client.getAccount();
+    return account.signingKeys;
+  }
+  add(body) {
+    return this.client.addSigningKey(body);
+  }
+  revoke(body) {
+    return this.client.revokeSigningKey(body);
+  }
+};
+var OauthNamespace = class {
+  sessions;
+  constructor(client) {
+    this.sessions = new OauthSessions(client);
+  }
+};
+var OauthSessions = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  list() {
+    return this.client.listOauthSessions();
+  }
+  revoke(jti) {
+    return this.client.revokeOauthSession(jti);
+  }
+  revokeAll() {
+    return this.client.revokeAllOauthSessions();
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function randomUUID() {
+  const c = globalThis.crypto;
+  if (!c?.randomUUID) {
+    throw new Error(
+      "WitniumAccountsClient: globalThis.crypto.randomUUID is required (Node 19+ or modern browser). Polyfill for older runtimes."
+    );
+  }
+  return c.randomUUID();
+}
+async function sha256Hex(input) {
+  const subtle = globalThis.crypto?.subtle;
+  if (!subtle) {
+    throw new Error(
+      "WitniumAccountsClient: SubtleCrypto is not available. Polyfill `globalThis.crypto.subtle` for SignedRequest auth."
+    );
+  }
+  const data = new TextEncoder().encode(input);
+  const digest = await subtle.digest("SHA-256", data);
+  const bytes = new Uint8Array(digest);
+  let out = "";
+  for (const b of bytes) out += b.toString(16).padStart(2, "0");
+  return out;
+}
+
+// src/admin-client.ts
+var WitniumAccountsAdminClient = class {
+  inner;
+  constructor(config) {
+    if (!config.adminToken) {
+      throw new Error("WitniumAccountsAdminClient: adminToken is required");
+    }
+    this.inner = new WitniumAccountsClient({
+      baseUrl: config.baseUrl,
+      adminToken: config.adminToken,
+      timeout: config.timeout,
+      fetch: config.fetch
+    });
+  }
+  /**
+   * Mint a new organisation. The returned `apiKey` is shown ONCE — the server
+   * only retains its SHA-256 hash. Persist it before the response leaves
+   * scope; there is no recovery path.
+   *
+   * @param body  Organisation seed: name, email, optional accountType and
+   *              signup credit grant, optional skip-email-verification flag.
+   */
+  createOrganization(body) {
+    return this.inner.createOrganization(body);
+  }
+  /** Flip an org between `metered` (Stripe checkout + credit ledger) and `unlimited` (flat-fee). */
+  setAccountType(orgId, accountType) {
+    return this.inner.setOrgAccountType(orgId, { accountType });
+  }
+  /** Mark an org's email as verified. Prerequisite for the org to create users. */
+  verifyEmail(orgId) {
+    return this.inner.verifyOrganization(orgId);
+  }
+  /**
+   * Rotate the org's API key. The previous `wcorg_live_…` is invalidated and
+   * the new key is returned ONCE — same one-time-secret semantics as
+   * {@link createOrganization}.
+   */
+  rotateApiKey(orgId) {
+    return this.inner.rotateOrgApiKey(orgId);
+  }
+  /**
+   * Apply a signed credit delta to an org's ledger. Positive `delta` grants
+   * credits (goodwill, migration backfill); negative claws them back.
+   * Recorded as `reason: adjustment` with the supplied `note`.
+   *
+   * Use sparingly — this bypasses Stripe and should be auditable from the
+   * `note` alone.
+   */
+  adjustCredits(orgId, delta, note) {
+    return this.inner.adjustOrgCredits(orgId, { delta, note });
+  }
+};
+
+// src/org-client.ts
+var WitniumAccountsOrgClient = class {
+  inner;
+  /** User-management namespace — `client.users.create/list`. */
+  users;
+  constructor(config) {
+    if (!config.orgApiKey) {
+      throw new Error("WitniumAccountsOrgClient: orgApiKey is required");
+    }
+    this.inner = new WitniumAccountsClient({
+      baseUrl: config.baseUrl,
+      orgApiKey: config.orgApiKey,
+      timeout: config.timeout,
+      fetch: config.fetch
+    });
+    this.users = new OrgUsers(this.inner);
+  }
+  /**
+   * The org's own profile — name, email, account type, cached credit
+   * balance (null for `unlimited` accounts), and the `isPersonal` flag.
+   *
+   * Note: a 401 here usually means the API key was rotated; rotate-key
+   * invalidates the previous one.
+   */
+  me() {
+    return this.inner.getMyOrg();
+  }
+};
+var OrgUsers = class {
+  constructor(inner) {
+    this.inner = inner;
+  }
+  inner;
+  /**
+   * Provision a new user inside the org. Requires the org's email to have
+   * been verified (sysadmin gate) — otherwise the server returns 403.
+   */
+  create(body) {
+    return this.inner.createOrgUser(body);
+  }
+  /** List the org's users. */
+  list() {
+    return this.inner.listOrgUsers();
+  }
+};
+
+export { DelegatedKeys, OauthNamespace, OauthSessions, OrgUsers, SigningKeys, Subscriptions, WitniumAccountsAdminClient, WitniumAccountsApiError, WitniumAccountsClient, WitniumAccountsOrgClient };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map