spaps-sdk 1.6.8 → 1.8.0

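--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -6,7 +6,15 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and
 
  ## [Unreleased]
 
- - No changes yet.
+ ## [1.7.0] - 2026-05-09
+
+ - Added `dayrate.getCheckoutStatus(sessionId)` and checkout-status response types for Bookme/dayrate confirmation polling.
+ - Added browser-safe runtime helpers: guarded environment reads, `TokenManager.decodePayload()`, and SPAPS envelope unwrapping/type guards.
+ - Added `headerProvider` SDK config for per-request custom context headers without overriding SDK-managed auth headers.
+
+ ## [1.6.8] - 2026-04-25
+
+ - Maintenance: align the published SDK package version after release automation.
 
  ## [1.6.7] - 2026-04-25
 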
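--- a/package/README.md
+++ b/package/README.md
@@ -23,7 +23,7 @@ This package targets `Node.js >=14`.
 
  | Need | Package gives you |
  | --- | --- |
- | One client for many SPAPS surfaces | `auth`, `payments`, `sessions`, `secureMessages`, `issueReporting`, `email`, `entitlements`, `dayrate`, `admin`, and `cfo` namespaces |
+ | One client for many SPAPS surfaces | `auth`, `payments`, `sessions`, `secureMessages`, `issueReporting`, `appLinks`, `email`, `entitlements`, `skillEvals`, `dayrate`, `admin`, and `cfo` namespaces |
  | Local development without extra config | Localhost URLs automatically enable local mode |
  | Browser and server usage | `publishableKey`, `secretKey`, or legacy `apiKey` support |
  | Shared contracts | Re-exports a large slice of `spaps-types` |
@@ -67,6 +67,7 @@ Constructor values take precedence over environment variables.
  | `secretKey` | Server-side key for privileged access |
  | `apiKey` | Legacy key field kept for compatibility |
  | `timeout` | Request timeout override |
+ | `headerProvider` | Optional function returning custom headers to add to every SDK request without overriding `Authorization` or `X-API-Key` |
 
  Relevant environment variables:
 
@@ -84,9 +85,11 @@ Relevant environment variables:
  | `sessions` | Session lookup, validation, and lifecycle helpers |
  | `secureMessages` | Secure-message create/list helpers |
  | `issueReporting` | Status, history, create, update, reply, and voice-token flows |
+ | `appLinks` | Authenticated create and public resolve helpers for application-scoped short links |
  | `email` | Template lookup, preview, and send helpers |
  | `entitlements` | User and resource entitlement queries |
- | `dayrate` | Availability and booking helpers |
+ | `skillEvals` | Paid blind skill-eval cases, review rooms, reviewer marks, insight inboxes, and controlled reveal |
+ | `dayrate` | Availability, Stripe booking, x402 booking-hold, and checkout-status helpers |
  | `admin` | Product and pricing admin helpers |
  | `cfo` | CFO-facing reporting endpoints |
 
@@ -120,6 +123,132 @@ const voiceToken = await spaps.issueReporting.createVoiceToken();
  console.log(voiceToken.provider, voiceToken.model_id);
  ```
 
+ ### Application Short Links
+
+ Use `appLinks` when a browser app needs a stable public URL for large local state, such as compressed diagram state.
+
+ ```ts
+ const spaps = new SPAPSClient({
+ apiUrl: "https://api.example.test",
+ publishableKey: "spaps_pub_example",
+ });
+ spaps.setAccessToken(accessToken);
+
+ const link = await spaps.appLinks.create({
+ app_slug: "mmdx",
+ resource_kind: "mermaid-diagram",
+ target_path: "/diagrams",
+ metadata: { diagram_state: "pako:..." },
+ });
+
+ console.log(`/${link.app_slug}/${link.username}/${link.slug}`);
+ ```
+
+ ### Skill Evals
+
+ Use `skillEvals` for SPAPS-owned blind review of agent-skill logs. Paid creation uses the same `PAYMENT-SIGNATURE` header shape as the x402 namespace. Reviewers submit `valuable` and `not_valuable` marks, and submitters read those marks through an insight inbox before applying skill changes.
+
+ ```ts
+ const signedPayment = "base64-x402-payment";
+
+ const created = await spaps.skillEvals.createCase(
+ {
+ title: "Docs skill comparison",
+ task_claim: "Compare both implementations.",
+ success_criteria: ["Finds repo boundaries"],
+ candidates: [
+ {
+ candidate_id: "A",
+ output_ref: "spaps-artifact://case/a",
+ evidence_summary: "Validation passed",
+ artifact_hash: "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ artifact_mime: "text/markdown",
+ jsonl_log_ref: "spaps-artifact://logs/a.jsonl",
+ jsonl_log_hash: "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ skill_ref: "skill://docs-review",
+ skill_version_ref: "skill://docs-review/v2.0",
+ skill_version_digest: "sha256:1111111111111111111111111111111111111111111111111111111111111111",
+ model_id: "openai/gpt-5.4",
+ effort_level: "medium",
+ provenance_ref: "skill://private/a",
+ },
+ {
+ candidate_id: "B",
+ output_ref: "spaps-artifact://case/b",
+ evidence_summary: "Validation passed",
+ artifact_hash: "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+ artifact_mime: "text/markdown",
+ jsonl_log_ref: "spaps-artifact://logs/b.jsonl",
+ jsonl_log_hash: "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+ skill_ref: "skill://docs-review",
+ skill_version_ref: "skill://docs-review/v2.1",
+ skill_version_digest: "sha256:2222222222222222222222222222222222222222222222222222222222222222",
+ model_id: "openai/gpt-5.4",
+ effort_level: "medium",
+ provenance_ref: "skill://private/b",
+ },
+ ],
+ case_policy: {
+ access_mode: "team_private",
+ allowed_model_efforts: [{ model_id: "openai/gpt-5.4", effort_level: "medium" }],
+ participant_allowlist: ["reviewer-actor-id"],
+ },
+ idempotency_key: "eval-create-001",
+ },
+ { paymentSignature: signedPayment }
+ );
+
+ const room = await spaps.skillEvals.getReviewRoom(created.case_id);
+ console.log(room.reviewer_state);
+
+ const review = await spaps.skillEvals.submitReview(created.case_id, {
+ review_marks: [
+ {
+ candidate_id: "B",
+ kind: "valuable",
+ note: "B checks the configured docs path before recommending an edit.",
+ reason_code: "prevents_wrong_repo_patch",
+ confidence: "high",
+ criterion: "Finds repo boundaries",
+ },
+ ],
+ });
+
+ const inbox = await spaps.skillEvals.getInsights(created.case_id);
+ console.log(inbox.valuable[0]?.jsonl_log_ref, review.review_mark_counts);
+
+ await spaps.skillEvals.respondToReview(created.case_id, inbox.valuable[0].source_review_id, {
+ response: "applied",
+ reason: "Updated the skill from the concrete log-backed insight.",
+ applied_insight_ref: inbox.valuable[0].insight_ref,
+ skill_change_ref: "skill://docs-review/v2.1",
+ skill_version_before: "skill://docs-review/v2.0",
+ skill_version_after: "skill://docs-review/v2.1",
+ jsonl_log_ref: "spaps-artifact://logs/apply.jsonl",
+ jsonl_log_hash: "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ model_id: "openai/gpt-5.4",
+ effort_level: "medium",
+ });
+ ```
+
+ ### Custom Context Headers
+
+ Use `headerProvider` when an app needs to attach tenant, app, or principal context to SDK requests:
+
+ ```ts
+ const spaps = new SPAPSClient({
+ apiUrl: "https://api.example.test",
+ publishableKey: "spaps_pub_example",
+ headerProvider: () => ({
+ "X-Tenant-Role": resolveTenantRole(),
+ "X-App-Slug": "unclawg",
+ "X-Principal-Id": resolvePrincipalId(),
+ }),
+ });
+ ```
+
+ The provider runs on each request. Headers named `Authorization` or `X-API-Key` are ignored because the SDK manages those from `setAccessToken()`, `publishableKey`, `secretKey`, or `apiKey`.
+
  ### Permission Helpers With Explicit Admin Config
 
  ```ts
@@ -142,6 +271,27 @@ const isAdmin = isAdminAccount("admin@example.com", customAdmins);
  console.log(role, adminCheck.allowed, isAdmin);
  ```
 
+ ### Runtime Helpers
+
+ ```ts
+ import {
+ TokenManager,
+ isErrorEnvelope,
+ unwrapEnvelope,
+ unwrapNestedData,
+ } from "spaps-sdk";
+
+ const payload = TokenManager.decodePayload(accessToken);
+ const response = unwrapEnvelope(await spaps.health());
+ const items = unwrapNestedData(listResponse);
+
+ if (isErrorEnvelope(errorBody)) {
+ console.error(errorBody.error.code, errorBody.error.message);
+ }
+ ```
+
+ `decodePayload()` returns `null` for invalid JWTs or non-object payloads. The envelope helpers accept unknown API payloads so apps can handle SPAPS success/error envelopes without copying ad hoc response guards.
+
  ### Convenience Helpers
 
  ```ts
@@ -215,7 +365,7 @@ npm run test:readme
  ## Metadata
 
  - `package_name`: `spaps-sdk`
- - `latest_version`: `1.6.7`
+ - `latest_version`: `1.7.0`
  - `minimum_runtime`: `Node.js >=14.0.0`
  - `api_base_url`: `https://api.sweetpotato.dev`
 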
package/dist/index.d.mts CHANGED
@@ -1,6 +1,6 @@
1
1
  import * as spaps_types from 'spaps-types';
2
- import { ResourceType, Entitlement, CreateProductRequest, Product, UpdateProductRequest, CreatePriceRequest, Price, ProductSyncResult, CryptoReconcileRequest, CreateSecureMessageRequest, SecureMessage, IssueReportScope, IssueReportStatusResult, IssueReportStatus, IssueReportListResult, IssueReport, CreateIssueReportRequest, IssueReportingVoiceTokenResult, UpdateIssueReportRequest, ReplyIssueReportRequest, AuthResponse, User as User$1, CreateCryptoInvoiceRequest, CryptoInvoiceStatusSnapshot, CheckoutSession, DayrateAvailabilityResponse, DayrateBookingRequest, DayrateBookingResponse, DayrateMultiBookingRequest, DayrateMultiBookingResponse, Subscription, UsageBalance, VerifyCryptoWebhookSignatureOptions } from 'spaps-types';
3
- export { AdminPermission, AdminRole, AdminUser, ApiResponse, AuthResponse, CheckoutSession, CreateCryptoInvoiceRequest, CreateIssueReportRequest, CreatePriceRequest, CreateProductRequest, CreateSecureMessageInput, CreateSecureMessageRequest, CryptoInvoice, CryptoInvoiceResponse, CryptoInvoiceStatusSnapshot, CryptoReconcileRequest, DayrateAvailabilityResponse, DayrateAvailableSlot, DayrateBookingRequest, DayrateBookingResponse, DayrateDayOfWeek, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayratePriceBreakdown, DayrateSlotType, Entitlement, IssueReport, IssueReportListResult, IssueReportStatus, IssueReportStatusResult, IssueReportTarget, IssueReportingInputMode, IssueReportingVoiceProvider, IssueReportingVoiceTokenResult, LinkedIssueReportCase, Price, Product, ProductSyncResult, ReplyIssueReportRequest, ResourceType, SecureMessage, SecureMessageOutput, Subscription, TokenPair, UpdateIssueReportRequest, UpdateProductRequest, UsageBalance, User, UserProfile, UserRole, UserWallet, VerifyCryptoWebhookSignatureOptions, createSecureMessageRequestSchema, secureMessageMetadataSchema, secureMessageSchema } from 'spaps-types';
2
+ import { ResourceType, Entitlement, CreateProductRequest, Product, UpdateProductRequest, CreatePriceRequest, Price, ProductSyncResult, CryptoReconcileRequest, CreateSecureMessageRequest, SecureMessage, IssueReportScope, IssueReportStatusResult, IssueReportStatus, IssueReportListResult, IssueReport, CreateIssueReportRequest, IssueReportingVoiceTokenResult, UpdateIssueReportRequest, ReplyIssueReportRequest, CreateAppLinkRequest, AppLink, AuthResponse, User as User$1, CreateCryptoInvoiceRequest, CryptoInvoiceStatusSnapshot, CheckoutSession, X402ResourceStatusResponse, X402ActionResponse, X402ReceiptResponse, X402ReceiptListResponse, X402HandoffVerification, DayrateAvailabilityResponse, DayrateBookingRequest, DayrateBookingResponse, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayrateX402BookingRequest, DayrateX402BookingResponse, DayrateCheckoutStatusResponse, Subscription, UsageBalance, VerifyCryptoWebhookSignatureOptions } from 'spaps-types';
3
+ export { AdminPermission, AdminRole, AdminUser, ApiResponse, AppLink, AuthResponse, CheckoutSession, CreateAppLinkRequest, CreateCryptoInvoiceRequest, CreateIssueReportRequest, CreatePriceRequest, CreateProductRequest, CreateSecureMessageInput, CreateSecureMessageRequest, CryptoInvoice, CryptoInvoiceResponse, CryptoInvoiceStatusSnapshot, CryptoReconcileRequest, DayrateAvailabilityResponse, DayrateAvailableSlot, DayrateBookingRequest, DayrateBookingResponse, DayrateCheckoutStatus, DayrateCheckoutStatusBooking, DayrateCheckoutStatusResponse, DayrateDayOfWeek, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayratePriceBreakdown, DayrateSlotType, DayrateX402BookingRequest, DayrateX402BookingResponse, Entitlement, IssueReport, IssueReportListResult, IssueReportStatus, IssueReportStatusResult, IssueReportTarget, IssueReportingInputMode, IssueReportingVoiceProvider, IssueReportingVoiceTokenResult, LinkedIssueReportCase, Price, Product, ProductSyncResult, ReplyIssueReportRequest, ResourceType, SecureMessage, SecureMessageOutput, Subscription, TokenPair, UpdateIssueReportRequest, UpdateProductRequest, UsageBalance, User, UserProfile, UserRole, UserWallet, VerifyCryptoWebhookSignatureOptions, X402ActionFreeResponse, X402ActionOutcome, X402ActionPendingResponse, X402ActionReplayedResponse, X402ActionResponse, X402ActionSettledResponse, X402ExecuteActionRequest, X402HandoffAuthorization, X402HandoffVerification, X402HandoffVerifyRequest, X402PaymentAccept, X402PaymentRequirement, X402ProjectionStatus, X402Receipt, X402ReceiptListResponse, X402ReceiptResponse, X402ReceiptStatus, X402Resource, X402ResourceStatus, X402ResourceStatusResponse, createSecureMessageRequestSchema, isX402PaymentRequired, isX402ResourceStatus, secureMessageMetadataSchema, secureMessageSchema } from 'spaps-types';
4
4
 
5
5
  /**
6
6
  * Permission checking utilities for SPAPS SDK
@@ -244,6 +244,8 @@ declare class WebSocketAuthHelper {
244
244
  }
245
245
 
246
246
  type ApiKeyType = 'publishable' | 'secret';
247
+ /** Returns custom headers to merge into every SDK request. Called per request. */
248
+ type HeaderProvider = () => Record<string, string>;
247
249
  interface SPAPSConfig {
248
250
  apiUrl?: string;
249
251
  /** @deprecated Use publishableKey or secretKey instead */
@@ -254,6 +256,10 @@ interface SPAPSConfig {
254
256
  secretKey?: string;
255
257
  autoDetect?: boolean;
256
258
  timeout?: number;
259
+ /** Additive custom header provider. Called on each request.
260
+ * Returned headers are merged but cannot override SDK-managed
261
+ * `Authorization` or `X-API-Key` headers. */
262
+ headerProvider?: HeaderProvider;
257
263
  }
258
264
  interface CheckoutLineItemPriceData {
259
265
  currency: string;
@@ -354,6 +360,264 @@ interface IssueReportListParams {
354
360
  interface IssueReportStatusParams {
355
361
  scope?: SupportedIssueReportScope;
356
362
  }
363
+ declare class X402PaymentRequiredSDKError extends Error {
364
+ readonly paymentRequiredHeader: string;
365
+ readonly response: unknown;
366
+ constructor(paymentRequiredHeader: string, response: unknown);
367
+ }
368
+ interface X402ExecuteActionOptions {
369
+ paymentSignature?: string;
370
+ target: string;
371
+ bridgeToken?: string;
372
+ bridge_token?: string;
373
+ }
374
+ interface X402ReceiptListParams {
375
+ resourceKey?: string;
376
+ limit?: number;
377
+ offset?: number;
378
+ }
379
+ interface X402VerifyHandoffOptions {
380
+ resourceKey: string;
381
+ actionKey: string;
382
+ }
383
+ type SkillEvalDisclosurePolicy = 'blind_then_controlled_reveal';
384
+ type SkillEvalEligibilitySource = 'admin_assigned' | 'entitlement' | 'policy_import' | 'manual_override';
385
+ type SkillEvalConfidence = 'low' | 'medium' | 'high';
386
+ type SkillEvalReviewMarkKind = 'valuable' | 'not_valuable';
387
+ type SkillEvalPosterResponse = 'accepted' | 'rejected' | 'needs_clarification' | 'applied';
388
+ type SkillEvalRevealField = 'skill_version_digest' | 'provenance_ref';
389
+ type SkillEvalAccessMode = 'public' | 'team_private';
390
+ type SkillEvalGovernancePurpose = 'adopt_skill' | 'retire_skill' | 'merge_skill' | 'split_skill' | 'reviewer_policy' | 'fund_bounty';
391
+ interface SkillEvalCandidateInput {
392
+ candidate_id: string;
393
+ output_ref: string;
394
+ evidence_summary: string;
395
+ artifact_hash: string;
396
+ artifact_mime: string;
397
+ jsonl_log_ref: string;
398
+ jsonl_log_hash: string;
399
+ skill_ref: string;
400
+ skill_version_ref: string;
401
+ skill_version_digest: string;
402
+ model_id: string;
403
+ effort_level: string;
404
+ provenance_ref: string;
405
+ }
406
+ interface SkillEvalModelEffort {
407
+ model_id: string;
408
+ effort_level: string;
409
+ }
410
+ interface SkillEvalCasePolicy {
411
+ access_mode?: SkillEvalAccessMode;
412
+ allowed_model_efforts: SkillEvalModelEffort[];
413
+ min_contribution_score?: number | null;
414
+ contribution_score_source_ref?: string | null;
415
+ viewer_allowlist?: string[];
416
+ skill_user_allowlist?: string[];
417
+ participant_allowlist?: string[];
418
+ }
419
+ interface SkillEvalReviewerEligibilityInput {
420
+ reviewer_actor_id: string;
421
+ eligibility_source?: SkillEvalEligibilitySource;
422
+ contribution_score?: number | null;
423
+ contribution_score_source_ref?: string | null;
424
+ }
425
+ interface CreateSkillEvalCaseRequest {
426
+ title: string;
427
+ task_claim: string;
428
+ success_criteria: string[];
429
+ candidates: SkillEvalCandidateInput[];
430
+ disclosure_policy?: SkillEvalDisclosurePolicy;
431
+ case_policy: SkillEvalCasePolicy;
432
+ idempotency_key: string;
433
+ reviewer_eligibility?: SkillEvalReviewerEligibilityInput[];
434
+ }
435
+ interface SkillEvalCreateOptions {
436
+ paymentSignature?: string;
437
+ }
438
+ interface SkillEvalMutationOptions {
439
+ ifMatch?: string | number;
440
+ caseVersion?: number;
441
+ }
442
+ interface SkillEvalCaseResponse {
443
+ case_id: string;
444
+ status: string;
445
+ review_room_url?: string;
446
+ x402_action_key?: string;
447
+ x402_receipt_id?: string | null;
448
+ payload_fingerprint?: string;
449
+ case_version: number;
450
+ access_mode?: SkillEvalAccessMode;
451
+ case_policy?: SkillEvalCasePolicy;
452
+ actor_access?: SkillEvalActorAccess;
453
+ created_at?: string | null;
454
+ updated_at?: string | null;
455
+ idempotent_replay?: boolean;
456
+ title?: string;
457
+ task_claim?: string;
458
+ success_criteria?: string[];
459
+ candidates?: SkillEvalCandidateResponse[];
460
+ }
461
+ interface SkillEvalActorAccess {
462
+ can_view: boolean;
463
+ can_use_skill: boolean;
464
+ can_participate: boolean;
465
+ }
466
+ interface SkillEvalCandidateResponse {
467
+ candidate_id: string;
468
+ output_ref: string;
469
+ evidence_summary: string;
470
+ artifact_hash: string;
471
+ artifact_mime: string;
472
+ skill_version_digest?: string;
473
+ provenance_ref?: string;
474
+ jsonl_log_ref?: string;
475
+ jsonl_log_hash?: string;
476
+ model_id?: string;
477
+ effort_level?: string;
478
+ }
479
+ interface SkillEvalReviewRoom {
480
+ case_id: string;
481
+ status: string;
482
+ task_claim: string;
483
+ success_criteria: string[];
484
+ candidates: SkillEvalCandidateResponse[];
485
+ reviewer_state: string;
486
+ actor_access?: SkillEvalActorAccess;
487
+ case_version: number;
488
+ }
489
+ interface SkillEvalReviewMarkInput {
490
+ candidate_id: string;
491
+ kind: SkillEvalReviewMarkKind;
492
+ note: string;
493
+ reason_code: string;
494
+ confidence: SkillEvalConfidence;
495
+ criterion?: string | null;
496
+ }
497
+ interface SubmitSkillEvalReviewRequest {
498
+ winner_candidate_id?: string | null;
499
+ rationale?: string | null;
500
+ missing_from_winner?: string | null;
501
+ criteria_challenge?: string | null;
502
+ confidence?: SkillEvalConfidence | null;
503
+ review_marks?: SkillEvalReviewMarkInput[];
504
+ }
505
+ interface SkillEvalRewardEvent {
506
+ reward_event_id?: string;
507
+ event_kind: 'participation' | 'accepted_insight' | 'applied_insight' | 'delayed_bonus_candidate';
508
+ }
509
+ interface SkillEvalReviewResponse {
510
+ review_id: string;
511
+ status: string;
512
+ review_mark_counts?: {
513
+ valuable: number;
514
+ not_valuable: number;
515
+ };
516
+ reward_event?: SkillEvalRewardEvent | null;
517
+ }
518
+ interface SkillEvalInsight {
519
+ insight_ref: string;
520
+ mark_id?: string | null;
521
+ source_review_id: string;
522
+ reviewer_actor_id?: string | null;
523
+ source_review_created_at?: string | null;
524
+ candidate_id: string;
525
+ kind: SkillEvalReviewMarkKind;
526
+ note: string;
527
+ reason_code: string;
528
+ confidence: SkillEvalConfidence;
529
+ criterion?: string | null;
530
+ jsonl_log_ref: string;
531
+ jsonl_log_hash: string;
532
+ source_candidate?: {
533
+ output_ref?: string | null;
534
+ evidence_summary?: string | null;
535
+ artifact_hash?: string | null;
536
+ artifact_mime?: string | null;
537
+ model_id?: string | null;
538
+ effort_level?: string | null;
539
+ };
540
+ }
541
+ interface SkillEvalInsightsResponse {
542
+ case_id: string;
543
+ status?: string;
544
+ task_claim?: string;
545
+ success_criteria?: string[];
546
+ case_version?: number;
547
+ valuable: SkillEvalInsight[];
548
+ not_valuable: SkillEvalInsight[];
549
+ counts?: {
550
+ valuable: number;
551
+ not_valuable: number;
552
+ };
553
+ visibility_policy?: {
554
+ access_mode?: SkillEvalAccessMode;
555
+ actor_access?: SkillEvalActorAccess;
556
+ reviewer_identity_visible?: boolean;
557
+ case_policy?: SkillEvalCasePolicy;
558
+ };
559
+ }
560
+ interface RespondToSkillEvalReviewRequest {
561
+ response: SkillEvalPosterResponse;
562
+ reason: string;
563
+ applied_insight_ref?: string | null;
564
+ skill_change_ref?: string | null;
565
+ skill_version_before?: string | null;
566
+ skill_version_after?: string | null;
567
+ jsonl_log_ref?: string | null;
568
+ jsonl_log_hash?: string | null;
569
+ model_id?: string | null;
570
+ effort_level?: string | null;
571
+ }
572
+ interface SkillEvalPosterResponseResult {
573
+ response_id: string;
574
+ response: SkillEvalPosterResponse;
575
+ applied_insight_ref?: string | null;
576
+ skill_change_ref?: string | null;
577
+ skill_version_before?: string | null;
578
+ skill_version_after?: string | null;
579
+ jsonl_log_ref?: string | null;
580
+ jsonl_log_hash?: string | null;
581
+ model_id?: string | null;
582
+ effort_level?: string | null;
583
+ reward_event?: SkillEvalRewardEvent | null;
584
+ }
585
+ interface RevealSkillEvalEvidenceRequest {
586
+ fields: SkillEvalRevealField[];
587
+ reason: string;
588
+ }
589
+ interface SkillEvalRevealResult {
590
+ reveal_id: string;
591
+ case_id: string;
592
+ status: string;
593
+ revealed_fields: SkillEvalRevealField[];
594
+ }
595
+ interface CreateSkillEvalGovernanceSnapshotRequest {
596
+ proposal_purpose: SkillEvalGovernancePurpose;
597
+ summary?: Record<string, unknown>;
598
+ realms_proposal_ref?: string | null;
599
+ }
600
+ interface SkillEvalGovernanceSnapshotResult {
601
+ snapshot_id: string;
602
+ case_id: string;
603
+ summary: Record<string, unknown>;
604
+ content_hash: string;
605
+ proposal_purpose: SkillEvalGovernancePurpose;
606
+ realms_proposal_ref?: string | null;
607
+ status: string;
608
+ }
609
+ interface ImportSkillEvalGovernanceOutcomeRequest {
610
+ outcome_status: string;
611
+ realms_proposal_ref?: string | null;
612
+ outcome_ref?: string | null;
613
+ notes?: Record<string, unknown>;
614
+ }
615
+ interface SkillEvalGovernanceOutcomeResult {
616
+ snapshot_id: string;
617
+ case_id: string;
618
+ status: string;
619
+ realms_proposal_ref?: string | null;
620
+ }
357
621
 
358
622
  declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Record<string, any>> {
359
623
  private client;
@@ -361,10 +625,17 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
361
625
  private accessToken?;
362
626
  private refreshToken?;
363
627
  private _isLocalMode;
628
+ private headerProvider?;
364
629
  private unwrapApiResponse;
630
+ private skillEvalMutationConfig;
365
631
  private isAxiosResponse;
366
632
  private isResponseLikeWithData;
367
633
  private isApiResponse;
634
+ private static isSdkManagedHeader;
635
+ private static hasHeader;
636
+ private static setHeader;
637
+ private static assertSafeHeaderValue;
638
+ private applyCustomHeaders;
368
639
  admin: {
369
640
  createProduct: (productData: CreateProductRequest) => Promise<{
370
641
  data: Product;
@@ -472,6 +743,22 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
472
743
  */
473
744
  reply: (issueReportId: string, payload: ReplyIssueReportRequest) => Promise<IssueReport>;
474
745
  };
746
+ /**
747
+ * Application-scoped short links for browser apps that need stable public URLs.
748
+ */
749
+ appLinks: {
750
+ /**
751
+ * Create a short link owned by the authenticated user.
752
+ */
753
+ create: (payload: CreateAppLinkRequest) => Promise<AppLink>;
754
+ /**
755
+ * Resolve a public short link for the active application.
756
+ */
757
+ get: (username: string, slug: string, options?: {
758
+ track?: boolean;
759
+ }) => Promise<AppLink>;
760
+ };
761
+ private static envVar;
475
762
  constructor(config?: SPAPSConfig);
476
763
  /** Raw API request helper that returns an ApiResponse-like shape */
477
764
  request<T = any>(method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH', url: string, data?: any, requiresAuth?: boolean): Promise<{
@@ -749,6 +1036,32 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
749
1036
  message: string;
750
1037
  }>;
751
1038
  };
1039
+ /**
1040
+ * x402 paid-resource namespace.
1041
+ * Handles resource status checks, payment-gated actions, receipts, and handoff authorization.
1042
+ */
1043
+ x402: {
1044
+ getResourceStatus: (resourceKey: string) => Promise<X402ResourceStatusResponse>;
1045
+ executeAction: (resourceKey: string, actionKey: string, options: X402ExecuteActionOptions) => Promise<X402ActionResponse>;
1046
+ getReceipt: (receiptId: string) => Promise<X402ReceiptResponse>;
1047
+ listReceipts: (params?: X402ReceiptListParams) => Promise<X402ReceiptListResponse>;
1048
+ verifyHandoff: (token: string, target: string, bridgeToken: string, options: X402VerifyHandoffOptions) => Promise<X402HandoffVerification>;
1049
+ };
1050
+ /**
1051
+ * Blind comparative skill-eval namespace.
1052
+ */
1053
+ skillEvals: {
1054
+ createCase: (payload: CreateSkillEvalCaseRequest, options?: SkillEvalCreateOptions) => Promise<SkillEvalCaseResponse>;
1055
+ getCase: (caseId: string) => Promise<SkillEvalCaseResponse>;
1056
+ getReviewRoom: (caseId: string) => Promise<SkillEvalReviewRoom>;
1057
+ getInsights: (caseId: string) => Promise<SkillEvalInsightsResponse>;
1058
+ submitReview: (caseId: string, payload: SubmitSkillEvalReviewRequest, options?: SkillEvalMutationOptions) => Promise<SkillEvalReviewResponse>;
1059
+ respondToReview: (caseId: string, reviewId: string, payload: RespondToSkillEvalReviewRequest, options?: SkillEvalMutationOptions) => Promise<SkillEvalPosterResponseResult>;
1060
+ lockReviews: (caseId: string, options?: SkillEvalMutationOptions) => Promise<SkillEvalCaseResponse>;
1061
+ revealEvidence: (caseId: string, payload: RevealSkillEvalEvidenceRequest, options?: SkillEvalMutationOptions) => Promise<SkillEvalRevealResult>;
1062
+ createGovernanceSnapshot: (caseId: string, payload: CreateSkillEvalGovernanceSnapshotRequest, options?: SkillEvalMutationOptions) => Promise<SkillEvalGovernanceSnapshotResult>;
1063
+ importGovernanceOutcome: (snapshotId: string, payload: ImportSkillEvalGovernanceOutcomeRequest) => Promise<SkillEvalGovernanceOutcomeResult>;
1064
+ };
752
1065
  /**
753
1066
  * DayRate (Dynamic Scheduling) namespace
754
1067
  * For booking half-day sessions with dynamic pricing
@@ -769,6 +1082,14 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
769
1082
  * Reserves multiple slots with a single checkout session
770
1083
  */
771
1084
  createMultiBooking: (payload: DayrateMultiBookingRequest) => Promise<DayrateMultiBookingResponse>;
1085
+ /**
1086
+ * Create a single-slot booking hold backed by an x402 paid-resource action.
1087
+ */
1088
+ createX402Booking: (payload: DayrateX402BookingRequest) => Promise<DayrateX402BookingResponse>;
1089
+ /**
1090
+ * Get guest-safe checkout confirmation state for a Stripe session.
1091
+ */
1092
+ getCheckoutStatus: (sessionId: string) => Promise<DayrateCheckoutStatusResponse>;
772
1093
  };
773
1094
  createCheckoutSession(priceId: string, successUrl: string, cancelUrl?: string): Promise<{
774
1095
  data: CheckoutSession;
@@ -878,6 +1199,7 @@ declare class TokenManager {
878
1199
  static getRefreshToken(): string | null;
879
1200
  static getStoredUser(): User$1 | null;
880
1201
  static clearTokens(): void;
1202
+ static decodePayload(token: string): Record<string, unknown> | null;
881
1203
  static isTokenExpired(token: string): boolean;
882
1204
  static autoRefreshToken(sdk: SPAPSClient): Promise<boolean>;
883
1205
  /**
@@ -903,6 +1225,29 @@ declare class WalletUtils {
903
1225
  static detectChainType(address: string): 'solana' | 'ethereum' | 'bitcoin' | null;
904
1226
  static isValidAddress(address: string, chainType?: 'solana' | 'ethereum' | 'bitcoin' | 'base'): boolean;
905
1227
  }
1228
+ interface SPAPSEnvelope<T = unknown> {
1229
+ success: boolean;
1230
+ data?: T;
1231
+ error?: {
1232
+ code: string;
1233
+ message: string;
1234
+ details?: unknown;
1235
+ };
1236
+ }
1237
+ declare function isEnvelope(value: unknown): value is SPAPSEnvelope;
1238
+ declare function isSuccessEnvelope<T = unknown>(value: unknown): value is SPAPSEnvelope<T> & {
1239
+ success: true;
1240
+ };
1241
+ declare function isErrorEnvelope(value: unknown): value is SPAPSEnvelope & {
1242
+ success: false;
1243
+ error: {
1244
+ code: string;
1245
+ message: string;
1246
+ details?: unknown;
1247
+ };
1248
+ };
1249
+ declare function unwrapEnvelope<T = unknown>(value: unknown, fallbackMessage?: string): T;
1250
+ declare function unwrapNestedData<T = unknown>(value: unknown): T;
906
1251
  /**
907
1252
  * Create a SPAPS client for browser/client-side usage
908
1253
  * Uses publishable key which is safe to expose in client bundles
@@ -938,4 +1283,4 @@ declare function createServerClient(secretKey: string, options?: Omit<SPAPSConfi
938
1283
  */
939
1284
  declare function detectKeyType(key: string): ApiKeyType | null;
940
1285
 
941
- export { type AdminConfig, type ApiKeyType, type CheckoutLineItem, type CheckoutLineItemPriceData, type CreateCheckoutSessionPayload, DEFAULT_ADMIN_ACCOUNTS, type EmailSendOptions, type EmailSendResult, type EmailTemplate, type EmailTemplatePreview, type EntitlementCheckResult, type EntitlementListParams, type FeatureContext, type FeatureDefinition, FeatureEvaluator, type IssueReportListParams, type IssueReportStatusParams, type PermissionCheckResult, PermissionChecker, RoleHierarchy, SPAPSClient as SPAPS, SPAPSClient, type SPAPSConfig, type TemplateVariable, TokenManager, WalletUtils, WebSocketAuthHelper, type WebSocketAuthHelperConfig, canAccessAdmin, createBrowserClient, createPermissionChecker, createServerClient, SPAPSClient as default, defaultPermissionChecker, detectKeyType, getRoleAwareErrorMessage, getUserDisplay, getUserRole, hasPermission, isAdminAccount, verifyCryptoWebhookSignature };
1286
+ export { type AdminConfig, type ApiKeyType, type CheckoutLineItem, type CheckoutLineItemPriceData, type CreateCheckoutSessionPayload, type CreateSkillEvalCaseRequest, type CreateSkillEvalGovernanceSnapshotRequest, DEFAULT_ADMIN_ACCOUNTS, type EmailSendOptions, type EmailSendResult, type EmailTemplate, type EmailTemplatePreview, type EntitlementCheckResult, type EntitlementListParams, type FeatureContext, type FeatureDefinition, FeatureEvaluator, type HeaderProvider, type ImportSkillEvalGovernanceOutcomeRequest, type IssueReportListParams, type IssueReportStatusParams, type PermissionCheckResult, PermissionChecker, type RespondToSkillEvalReviewRequest, type RevealSkillEvalEvidenceRequest, RoleHierarchy, SPAPSClient as SPAPS, SPAPSClient, type SPAPSConfig, type SPAPSEnvelope, type SkillEvalAccessMode, type SkillEvalActorAccess, type SkillEvalCandidateInput, type SkillEvalCandidateResponse, type SkillEvalCasePolicy, type SkillEvalCaseResponse, type SkillEvalConfidence, type SkillEvalCreateOptions, type SkillEvalDisclosurePolicy, type SkillEvalEligibilitySource, type SkillEvalGovernanceOutcomeResult, type SkillEvalGovernancePurpose, type SkillEvalGovernanceSnapshotResult, type SkillEvalInsight, type SkillEvalInsightsResponse, type SkillEvalModelEffort, type SkillEvalMutationOptions, type SkillEvalPosterResponse, type SkillEvalPosterResponseResult, type SkillEvalRevealField, type SkillEvalRevealResult, type SkillEvalReviewMarkInput, type SkillEvalReviewMarkKind, type SkillEvalReviewResponse, type SkillEvalReviewRoom, type SkillEvalReviewerEligibilityInput, type SkillEvalRewardEvent, type SubmitSkillEvalReviewRequest, type TemplateVariable, TokenManager, WalletUtils, WebSocketAuthHelper, type WebSocketAuthHelperConfig, type X402ExecuteActionOptions, X402PaymentRequiredSDKError, type X402ReceiptListParams, type X402VerifyHandoffOptions, canAccessAdmin, createBrowserClient, createPermissionChecker, createServerClient, SPAPSClient as default, defaultPermissionChecker, 
detectKeyType, getRoleAwareErrorMessage, getUserDisplay, getUserRole, hasPermission, isAdminAccount, isEnvelope, isErrorEnvelope, isSuccessEnvelope, unwrapEnvelope, unwrapNestedData, verifyCryptoWebhookSignature };
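Review bot: `TokenManager.decodePayload(token)` (new line 1202) is declared without any TSDoc, so nothing tells a caller whether the JWT signature or expiry is checked before the claims are returned. Since the changelog lists it among the browser-safe helpers, it presumably only decodes the payload segment; if the implementation (not visible in this declaration file) confirms that, add `/** Decodes the JWT payload without verifying its signature or expiry. Returns null for malformed tokens. Do not use the result for authorization decisions. */` above it. The `headerProvider` comment at new lines 259-261 names only `Authorization` and `X-API-Key` as protected, while the README describes a `PAYMENT-SIGNATURE` header for paid x402 and skill-eval calls; the comment should state whether a provider-returned header of that name is ignored as well and whether header names are matched case-insensitively.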