wave-agent-sdk 0.16.0 → 0.16.1

package/dist/prompts/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAI/C,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAmBzD,eAAO,MAAM,kBAAkB,oKAAoK,CAAC;AAEpM,eAAO,MAAM,kBAAkB,opIAcqQ,CAAC;AAErS,eAAO,MAAM,wBAAwB,25DASqmB,CAAC;AAE3oB,eAAO,MAAM,WAAW,ihDAWqH,CAAC;AAE9I;;GAEG;AACH,eAAO,MAAM,wBAAwB,+uBAWiH,CAAC;AAEvJ,eAAO,MAAM,qBAAqB,6sBAMuL,CAAC;AAE1N,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,OAAO,EACnB,UAAU,GAAE,OAAe,GAC1B,MAAM,CAmFR;AAED,eAAO,MAAM,qBAAqB,oKAAqB,CAAC;AAExD,eAAO,MAAM,8BAA8B,44DA8CI,CAAC;AAEhD,eAAO,MAAM,yBAAyB,wHAAwH,CAAC;AAC/J,eAAO,MAAM,iBAAiB,qWAG4B,CAAC;AAE3D,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,KAAK,EAAE,UAAU,EAAE,EACnB,OAAO,GAAE;IACP,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,EAAE;QACT,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,UAAU,CAAC,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,cAAc,CAAC,EAAE,cAAc,CAAC;CAC5B,GACL,MAAM,CAuER;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM,GACd,MAAM,CAkCR"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAI/C,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAmBzD,eAAO,MAAM,kBAAkB,oKAAoK,CAAC;AAEpM,eAAO,MAAM,kBAAkB,opIAcqQ,CAAC;AAErS,eAAO,MAAM,wBAAwB,25DASqmB,CAAC;AAE3oB,eAAO,MAAM,WAAW,ihDAWqH,CAAC;AAE9I;;GAEG;AACH,eAAO,MAAM,wBAAwB,+uBAWiH,CAAC;AAEvJ,eAAO,MAAM,qBAAqB,6sBAMuL,CAAC;AAE1N,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,OAAO,EACnB,UAAU,GAAE,OAAe,GAC1B,MAAM,CAmFR;AAED,eAAO,MAAM,qBAAqB,oKAAqB,CAAC;AAExD,eAAO,MAAM,8BAA8B,44DA8CI,CAAC;AAEhD,eAAO,MAAM,yBAAyB,wHAAwH,CAAC;AAC/J,eAAO,MAAM,iBAAiB,qWAG4B,CAAC;AAE3D,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,KAAK,EAAE,UAAU,EAAE,EACnB,OAAO,GAAE;IACP,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,EAAE;QACT,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;IACF,UAAU,CAAC,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,cAAc,CAAC,EAAE,cAAc,CAAC;CAC5B,GACL,MAAM,CA2ER;AAED,wBAAgB,iCAAiC,CAC/C,oBAAoB,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM,GACd,MAAM,CAkCR"}

package/dist/prompts/index.js

@@ -207,11 +207,15 @@ export function buildSystemPrompt(basePrompt, tools, options = {}) {
     if (tools.length > 0) {
         prompt += `\n\n${TOOL_POLICY}`;
     }
-    // List available deferred tool names so the model knows they exist
-    // Matching Claude Code: deferred tools appear by name, not loaded until fetched.
-    const deferredToolNames = tools.filter(isDeferredTool).map((t) => t.name);
-    if (deferredToolNames.length > 0) {
-        prompt += `\n\n<available-deferred-tools>${deferredToolNames.join(" ")}\nThese tools are NOT loaded yet — call ${TOOL_SEARCH_TOOL_NAME} first to discover their schemas before invoking them.</available-deferred-tools>`;
+    // List available deferred tool names with descriptions so the model knows they exist
+    // and can decide which ones to discover via ToolSearch
+    const deferredTools = tools.filter(isDeferredTool);
+    if (deferredTools.length > 0) {
+        const lines = deferredTools.map((t) => {
+            const desc = t.config.function?.description;
+            return desc ? `${t.name} - ${desc}` : t.name;
+        });
+        prompt += `\n\n<available-deferred-tools>\n${lines.join("\n")}\nThese tools are NOT loaded yet — call ${TOOL_SEARCH_TOOL_NAME} first to discover their schemas before invoking them.</available-deferred-tools>`;
     }
     prompt += `\n\n${OUTPUT_EFFICIENCY_PROMPT}`;
     prompt += `\n\n${TONE_AND_STYLE_PROMPT}`;

package/dist/services/authService.d.ts

@@ -4,7 +4,7 @@
  * Handles SSO authentication via the admin server.
  * Manages auth token storage in ~/.wave/auth.json.
  */
-import type { AuthConfig } from "../types/auth.js";
+import type { AuthConfig, AuthUser } from "../types/auth.js";
 export declare class AuthService {
     private static instance;
     static getInstance(): AuthService;
@@ -17,12 +17,18 @@ export declare class AuthService {
     login(options?: {
         /** Callback to receive the auth URL (for display in CLI). */
         onAuthUrl?: (url: string) => void;
-        /** Read token manually (e.g. from stdin). Resolves with token or rejects on cancel. */
+        /** Read authorization code manually (e.g. from stdin). Resolves with code or rejects on cancel. */
         readToken?: () => Promise<string>;
     }): Promise<string>;
+    /**
+     * Exchange a short-lived authorization code for a JWT token.
+     * Returns both the token and user info.
+     */
+    private exchangeCode;
     private startLocalAuthServer;
     private openBrowser;
     isSSOAuthenticated(): boolean;
+    getAuthUser(): AuthUser | undefined;
 }
 export declare const authService: AuthService;
 //# sourceMappingURL=authService.d.ts.map

package/dist/services/authService.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authService.d.ts","sourceRoot":"","sources":["../../src/services/authService.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAInD,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAc;IAErC,MAAM,CAAC,WAAW,IAAI,WAAW;IAOjC,WAAW,IAAI,MAAM;IAKrB,QAAQ,IAAI,UAAU;IAatB,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI;IAUlC,SAAS,IAAI,IAAI;IAajB,WAAW,IAAI,MAAM,GAAG,SAAS;IAKjC,eAAe,IAAI,MAAM;IAUnB,KAAK,CAAC,OAAO,CAAC,EAAE;QACpB,6DAA6D;QAC7D,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAClC,uFAAuF;QACvF,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;KACnC,GAAG,OAAO,CAAC,MAAM,CAAC;IAgCnB,OAAO,CAAC,oBAAoB;YAiFd,WAAW;IAmBzB,kBAAkB,IAAI,OAAO;CAG9B;AAED,eAAO,MAAM,WAAW,aAA4B,CAAC"}
+{"version":3,"file":"authService.d.ts","sourceRoot":"","sources":["../../src/services/authService.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAI7D,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAc;IAErC,MAAM,CAAC,WAAW,IAAI,WAAW;IAOjC,WAAW,IAAI,MAAM;IAKrB,QAAQ,IAAI,UAAU;IAatB,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI;IAUlC,SAAS,IAAI,IAAI;IAajB,WAAW,IAAI,MAAM,GAAG,SAAS;IAKjC,eAAe,IAAI,MAAM;IAUnB,KAAK,CAAC,OAAO,CAAC,EAAE;QACpB,6DAA6D;QAC7D,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;QAClC,mGAAmG;QACnG,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;KACnC,GAAG,OAAO,CAAC,MAAM,CAAC;IAmBnB;;;OAGG;YACW,YAAY;IA0B1B,OAAO,CAAC,oBAAoB;YAoGd,WAAW;IAmBzB,kBAAkB,IAAI,OAAO;IAI7B,WAAW,IAAI,QAAQ,GAAG,SAAS;CAIpC;AAED,eAAO,MAAM,WAAW,aAA4B,CAAC"}

package/dist/services/authService.js

@@ -71,39 +71,68 @@ export class AuthService {
     }
     async login(options) {
         const adminUrl = this.getAdminBaseUrl();
-        // Step 1: Fetch available SSO providers
-        const providersResponse = await fetch(`${adminUrl}/api/auth/sso-providers`);
-        if (!providersResponse.ok) {
-            throw new Error(`Failed to fetch SSO providers: ${providersResponse.status} ${providersResponse.statusText}`);
-        }
-        const providers = (await providersResponse.json());
-        if (!providers || providers.length === 0) {
-            throw new Error("No SSO providers available");
-        }
-        const provider = providers[0].provider;
-        // Step 2-5: Start local server, open browser, wait for callback or manual input
-        const token = await this.startLocalAuthServer(adminUrl, provider, {
+        // Start local server, open browser, wait for callback or manual input
+        const { code } = await this.startLocalAuthServer(adminUrl, {
             onAuthUrl: options?.onAuthUrl,
             readToken: options?.readToken,
         });
-        // Save the token (preserve existing keys)
+        // Exchange authorization code for JWT (includes user info)
+        const { token, user } = await this.exchangeCode(adminUrl, code);
+        // Save the token and user info (preserve existing keys)
         const existing = this.loadAuth();
-        this.saveAuth({ ...existing, SSO_TOKEN: token });
+        this.saveAuth({ ...existing, SSO_TOKEN: token, user });
         return token;
     }
-    startLocalAuthServer(adminUrl, provider, options) {
+    /**
+     * Exchange a short-lived authorization code for a JWT token.
+     * Returns both the token and user info.
+     */
+    async exchangeCode(adminUrl, code) {
+        const exchangeUrl = `${adminUrl}/api/auth/exchange`;
+        const response = await fetch(exchangeUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ code }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Token exchange failed (${response.status}): ${text}`);
+        }
+        const data = (await response.json());
+        return {
+            token: data.token,
+            user: { id: data.user.id, email: data.user.email },
+        };
+    }
+    startLocalAuthServer(adminUrl, options) {
         return new Promise((resolve, reject) => {
             let settled = false;
             const server = createServer((req, res) => {
                 if (req.url) {
                     const parsedUrl = new URL(req.url, `http://127.0.0.1`);
-                    const token = parsedUrl.searchParams.get("token");
+                    const code = parsedUrl.searchParams.get("code");
+                    const error = parsedUrl.searchParams.get("error");
+                    if (error) {
+                        res.writeHead(200, { "Content-Type": "text/html" });
+                        res.end(`<html><body><h1>Authentication failed</h1><p>${parsedUrl.searchParams.get("error_description") || error}</p></body></html>`);
+                        if (!settled) {
+                            settled = true;
+                            server.close();
+                            reject(new Error(`SSO login failed: ${error}`));
+                        }
+                        return;
+                    }
+                    if (!code) {
+                        res.writeHead(404, { "Content-Type": "text/html" });
+                        res.end("<html><body><h1>Not Found</h1></body></html>");
+                        return;
+                    }
                     res.writeHead(200, { "Content-Type": "text/html" });
                     res.end("<html><body><h1>Authentication successful, you can close this window</h1></body></html>");
-                    if (token && !settled) {
+                    if (!settled) {
                         settled = true;
                         server.close();
-                        resolve(token);
+                        resolve({ code, user: { id: "", email: undefined } });
                     }
                 }
             });
@@ -117,7 +146,7 @@ export class AuthService {
                 }
                 const port = address.port;
                 const callbackUrl = `http://127.0.0.1:${port}`;
-                const authUrl = `${adminUrl}/api/auth/sso/${provider}?callback_url=${encodeURIComponent(callbackUrl)}`;
+                const authUrl = `${adminUrl}/login?callback_url=${encodeURIComponent(callbackUrl)}`;
                 // Notify caller of the auth URL
                 options?.onAuthUrl?.(authUrl);
                 // Try to open browser; if it fails, keep server alive for manual visit
@@ -128,13 +157,13 @@ export class AuthService {
                     // Browser not available — server stays alive
                 }
             });
-            // If manual token reading is provided, race between server callback and user input
+            // If manual code reading is provided, race between server callback and user input
             if (options?.readToken) {
-                options.readToken().then((token) => {
+                options.readToken().then((code) => {
                     if (!settled) {
                         settled = true;
                         server.close();
-                        resolve(token);
+                        resolve({ code, user: { id: "", email: undefined } });
                     }
                 }, () => {
                     // Manual input cancelled or closed, server keeps waiting for callback
@@ -171,5 +200,9 @@ export class AuthService {
     isSSOAuthenticated() {
         return this.getSSOToken() !== undefined;
     }
+    getAuthUser() {
+        const config = this.loadAuth();
+        return config.user;
+    }
 }
 export const authService = AuthService.getInstance();

package/dist/telemetry/events.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/telemetry/events.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAuB3D;;GAEG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,aAAa,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GAC3C,OAAO,CAAC,IAAI,CAAC,CAoBf"}
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/telemetry/events.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AA2B3D;;GAEG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,aAAa,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GAC3C,OAAO,CAAC,IAAI,CAAC,CAwBf"}

package/dist/telemetry/events.js

@@ -4,7 +4,7 @@
  * Provides the `logOTelEvent` API for structured session lifecycle events
  * with PII gates.
  */
-import { isInitialized, getCurrentConfig } from "./instrumentation.js";
+import { isInitialized, getCurrentConfig, getTelemetryAttributes, } from "./instrumentation.js";
 let cachedLogger;
 async function getOTelLogger() {
     if (cachedLogger)
@@ -39,6 +39,10 @@ export async function logOTelEvent(eventName, metadata) {
     }
     log.emit({
         body: eventName,
-        attributes: { "event.name": eventName, ...attributes },
+        attributes: {
+            "event.name": eventName,
+            ...getTelemetryAttributes(),
+            ...attributes,
+        },
     });
 }

package/dist/telemetry/instrumentation.d.ts

@@ -62,4 +62,9 @@ export declare function getCurrentConfig(): TelemetryConfig | undefined;
  */
 export declare function isInitialized(): boolean;
 export { JsonlSpanExporter, JsonlLogExporter };
+/**
+ * Get telemetry attributes based on the authenticated SSO user.
+ * Returns user.id and user.email when SSO authenticated, empty object otherwise.
+ */
+export declare function getTelemetryAttributes(): Record<string, string>;
 //# sourceMappingURL=instrumentation.d.ts.map

package/dist/telemetry/instrumentation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"instrumentation.d.ts","sourceRoot":"","sources":["../../src/telemetry/instrumentation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,eAAe,EAGhB,MAAM,uBAAuB,CAAC;AAI/B,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAChF,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EAClB,MAAM,yBAAyB,CAAC;AA0JjC;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,cAAc,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GACxC,eAAe,CAmBjB;AAwCD;;GAEG;AACH,cAAM,iBAAkB,YAAW,YAAY;IAC7C,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,CAAC,EAAE,MAAM;IAI7B,MAAM,CACJ,KAAK,EAAE,YAAY,EAAE,EACrB,cAAc,EAAE,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,GACjD,IAAI;IAwBP,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAIzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAG5B;AAED;;GAEG;AACH,cAAM,gBAAiB,YAAW,iBAAiB;IACjD,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,CAAC,EAAE,MAAM;IAI7B,MAAM,CACJ,IAAI,EAAE,iBAAiB,EAAE,EACzB,cAAc,EAAE,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,GACjD,IAAI;IAuBP,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAIzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAG5B;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAChC,OAAO,CAAC,IAAI,CAAC,CA8Ef;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAuBvD;AAED;;;GAGG;AACH,wBAAgB,UAAU,IAAI,cAAc,oBAAoB,CAAC,GAAG,SAAS,CAE5E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,eAAe,GAAG,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAGD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,CAAC"}
+{"version":3,"file":"instrumentation.d.ts","sourceRoot":"","sources":["../../src/telemetry/instrumentation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,eAAe,EAGhB,MAAM,uBAAuB,CAAC;AAI/B,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAChF,OAAO,KAAK,EACV,iBAAiB,EACjB,iBAAiB,EAClB,MAAM,yBAAyB,CAAC;AA2JjC;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,cAAc,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GACxC,eAAe,CAmBjB;AAwCD;;GAEG;AACH,cAAM,iBAAkB,YAAW,YAAY;IAC7C,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,CAAC,EAAE,MAAM;IAI7B,MAAM,CACJ,KAAK,EAAE,YAAY,EAAE,EACrB,cAAc,EAAE,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,GACjD,IAAI;IAwBP,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAIzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAG5B;AAED;;GAEG;AACH,cAAM,gBAAiB,YAAW,iBAAiB;IACjD,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,CAAC,EAAE,MAAM;IAI7B,MAAM,CACJ,IAAI,EAAE,iBAAiB,EAAE,EACzB,cAAc,EAAE,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,GACjD,IAAI;IAuBP,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAIzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAG5B;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAChC,OAAO,CAAC,IAAI,CAAC,CA8Ef;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAuBvD;AAED;;;GAGG;AACH,wBAAgB,UAAU,IAAI,cAAc,oBAAoB,CAAC,GAAG,SAAS,CAE5E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,eAAe,GAAG,SAAS,CAE9D;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAGD,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;AAE/C;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAc/D"}

package/dist/telemetry/instrumentation.js

@@ -6,6 +6,7 @@
  */
 import { logger } from "../utils/globalLogger.js";
 import * as fs from "node:fs";
+import { AuthService } from "../services/authService.js";
 // Lazy-loaded OTEL modules — only imported when telemetry is initialized
 let sdkNode;
 let api;
@@ -369,3 +370,23 @@ export function isInitialized() {
 }
 // Export JSONL exporters for testing
 export { JsonlSpanExporter, JsonlLogExporter };
+/**
+ * Get telemetry attributes based on the authenticated SSO user.
+ * Returns user.id and user.email when SSO authenticated, empty object otherwise.
+ */
+export function getTelemetryAttributes() {
+    try {
+        const user = AuthService.getInstance().getAuthUser();
+        if (user) {
+            const attrs = { "user.id": user.id };
+            if (user.email) {
+                attrs["user.email"] = user.email;
+            }
+            return attrs;
+        }
+    }
+    catch {
+        // AuthService not available or not authenticated
+    }
+    return {};
+}

package/dist/tools/toolSearchTool.js

@@ -103,7 +103,7 @@ export const toolSearchTool = {
             name: TOOL_SEARCH_TOOL_NAME,
             description: `Fetches full schema definitions for deferred tools so they can be called.
 
-Deferred tools appear by name in <available-deferred-tools> messages. Until fetched, only the name is known — there is no parameter schema, so the tool cannot be invoked. This tool takes a query, matches it against the deferred tool list, and returns the matched tools' complete JSONSchema definitions inside a <functions> block. Once a tool's schema appears in that result, it is callable exactly like any tool defined at the top of the prompt.
+Deferred tools appear by name and description in <available-deferred-tools> messages. The full parameter schema is NOT loaded yet — use this tool to fetch it before invoking a deferred tool. This tool takes a query, matches it against the deferred tool list, and returns the matched tools' complete JSONSchema definitions inside a <functions> block. Once a tool's schema appears in that result, it is callable exactly like any tool defined at the top of the prompt.
 
 Result format: each matched tool appears as one <function>{"description": "...", "name": "...", "parameters": {...}}`,
             parameters: {

package/dist/types/auth.d.ts

@@ -1,4 +1,9 @@
+export interface AuthUser {
+    id: string;
+    email?: string;
+}
 export interface AuthConfig {
     SSO_TOKEN?: string;
+    user?: AuthUser;
 }
 //# sourceMappingURL=auth.d.ts.map

package/dist/types/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,QAAQ,CAAC;CACjB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wave-agent-sdk",
-  "version": "0.16.0",
+  "version": "0.16.1",
   "description": "SDK for building AI-powered development tools and agents",
   "keywords": [
     "ai",

package/src/prompts/index.ts

@@ -260,11 +260,15 @@ export function buildSystemPrompt(
     prompt += `\n\n${TOOL_POLICY}`;
   }
 
-  // List available deferred tool names so the model knows they exist
-  // Matching Claude Code: deferred tools appear by name, not loaded until fetched.
-  const deferredToolNames = tools.filter(isDeferredTool).map((t) => t.name);
-  if (deferredToolNames.length > 0) {
-    prompt += `\n\n<available-deferred-tools>${deferredToolNames.join(" ")}\nThese tools are NOT loaded yet — call ${TOOL_SEARCH_TOOL_NAME} first to discover their schemas before invoking them.</available-deferred-tools>`;
+  // List available deferred tool names with descriptions so the model knows they exist
+  // and can decide which ones to discover via ToolSearch
+  const deferredTools = tools.filter(isDeferredTool);
+  if (deferredTools.length > 0) {
+    const lines = deferredTools.map((t) => {
+      const desc = t.config.function?.description;
+      return desc ? `${t.name} - ${desc}` : t.name;
+    });
+    prompt += `\n\n<available-deferred-tools>\n${lines.join("\n")}\nThese tools are NOT loaded yet — call ${TOOL_SEARCH_TOOL_NAME} first to discover their schemas before invoking them.</available-deferred-tools>`;
   }
 
   prompt += `\n\n${OUTPUT_EFFICIENCY_PROMPT}`;

package/src/services/authService.ts

@@ -19,7 +19,7 @@ import { createServer, Server } from "http";
 import { URL } from "url";
 import { execFile } from "child_process";
 import { promisify } from "util";
-import type { AuthConfig } from "../types/auth.js";
+import type { AuthConfig, AuthUser } from "../types/auth.js";
 
 const execFileAsync = promisify(execFile);
 
@@ -92,64 +92,100 @@ export class AuthService {
   async login(options?: {
     /** Callback to receive the auth URL (for display in CLI). */
     onAuthUrl?: (url: string) => void;
-    /** Read token manually (e.g. from stdin). Resolves with token or rejects on cancel. */
+    /** Read authorization code manually (e.g. from stdin). Resolves with code or rejects on cancel. */
     readToken?: () => Promise<string>;
   }): Promise<string> {
     const adminUrl = this.getAdminBaseUrl();
 
-    // Step 1: Fetch available SSO providers
-    const providersResponse = await fetch(`${adminUrl}/api/auth/sso-providers`);
-    if (!providersResponse.ok) {
-      throw new Error(
-        `Failed to fetch SSO providers: ${providersResponse.status} ${providersResponse.statusText}`,
-      );
-    }
-    const providers = (await providersResponse.json()) as {
-      provider: string;
-      displayName: string;
-    }[];
-    if (!providers || providers.length === 0) {
-      throw new Error("No SSO providers available");
-    }
-    const provider = providers[0].provider;
-
-    // Step 2-5: Start local server, open browser, wait for callback or manual input
-    const token = await this.startLocalAuthServer(adminUrl, provider, {
+    // Start local server, open browser, wait for callback or manual input
+    const { code } = await this.startLocalAuthServer(adminUrl, {
       onAuthUrl: options?.onAuthUrl,
       readToken: options?.readToken,
     });
 
-    // Save the token (preserve existing keys)
+    // Exchange authorization code for JWT (includes user info)
+    const { token, user } = await this.exchangeCode(adminUrl, code);
+
+    // Save the token and user info (preserve existing keys)
     const existing = this.loadAuth();
-    this.saveAuth({ ...existing, SSO_TOKEN: token });
+    this.saveAuth({ ...existing, SSO_TOKEN: token, user });
 
     return token;
   }
 
+  /**
+   * Exchange a short-lived authorization code for a JWT token.
+   * Returns both the token and user info.
+   */
+  private async exchangeCode(
+    adminUrl: string,
+    code: string,
+  ): Promise<{ token: string; user: AuthUser }> {
+    const exchangeUrl = `${adminUrl}/api/auth/exchange`;
+    const response = await fetch(exchangeUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ code }),
+    });
+
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Token exchange failed (${response.status}): ${text}`);
+    }
+
+    const data = (await response.json()) as {
+      token: string;
+      user: { id: string; email?: string };
+    };
+    return {
+      token: data.token,
+      user: { id: data.user.id, email: data.user.email },
+    };
+  }
+
   private startLocalAuthServer(
     adminUrl: string,
-    provider: string,
     options?: {
       onAuthUrl?: (url: string) => void;
       readToken?: () => Promise<string>;
     },
-  ): Promise<string> {
+  ): Promise<{ code: string; user: AuthUser }> {
     return new Promise((resolve, reject) => {
       let settled = false;
       const server: Server = createServer((req, res) => {
         if (req.url) {
           const parsedUrl = new URL(req.url, `http://127.0.0.1`);
-          const token = parsedUrl.searchParams.get("token");
+          const code = parsedUrl.searchParams.get("code");
+          const error = parsedUrl.searchParams.get("error");
+
+          if (error) {
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end(
+              `<html><body><h1>Authentication failed</h1><p>${parsedUrl.searchParams.get("error_description") || error}</p></body></html>`,
+            );
+            if (!settled) {
+              settled = true;
+              server.close();
+              reject(new Error(`SSO login failed: ${error}`));
+            }
+            return;
+          }
+
+          if (!code) {
+            res.writeHead(404, { "Content-Type": "text/html" });
+            res.end("<html><body><h1>Not Found</h1></body></html>");
+            return;
+          }
 
           res.writeHead(200, { "Content-Type": "text/html" });
           res.end(
             "<html><body><h1>Authentication successful, you can close this window</h1></body></html>",
           );
 
-          if (token && !settled) {
+          if (!settled) {
             settled = true;
             server.close();
-            resolve(token);
+            resolve({ code, user: { id: "", email: undefined } });
           }
         }
       });
@@ -164,7 +200,7 @@ export class AuthService {
         }
         const port = address.port;
         const callbackUrl = `http://127.0.0.1:${port}`;
-        const authUrl = `${adminUrl}/api/auth/sso/${provider}?callback_url=${encodeURIComponent(callbackUrl)}`;
+        const authUrl = `${adminUrl}/login?callback_url=${encodeURIComponent(callbackUrl)}`;
 
         // Notify caller of the auth URL
         options?.onAuthUrl?.(authUrl);
@@ -177,14 +213,14 @@ export class AuthService {
         }
       });
 
-      // If manual token reading is provided, race between server callback and user input
+      // If manual code reading is provided, race between server callback and user input
       if (options?.readToken) {
         options.readToken().then(
-          (token) => {
+          (code) => {
             if (!settled) {
               settled = true;
               server.close();
-              resolve(token);
+              resolve({ code, user: { id: "", email: undefined } });
             }
           },
           () => {
@@ -229,6 +265,11 @@ export class AuthService {
   isSSOAuthenticated(): boolean {
     return this.getSSOToken() !== undefined;
   }
+
+  getAuthUser(): AuthUser | undefined {
+    const config = this.loadAuth();
+    return config.user;
+  }
 }
 
 export const authService = AuthService.getInstance();

package/src/telemetry/events.ts

@@ -6,7 +6,11 @@
  */
 
 import type { OTelEventName } from "../types/telemetry.js";
-import { isInitialized, getCurrentConfig } from "./instrumentation.js";
+import {
+  isInitialized,
+  getCurrentConfig,
+  getTelemetryAttributes,
+} from "./instrumentation.js";
 
 interface OTelLogger {
   emit: (logRecord: {
@@ -52,6 +56,10 @@ export async function logOTelEvent(
 
   log.emit({
     body: eventName,
-    attributes: { "event.name": eventName, ...attributes },
+    attributes: {
+      "event.name": eventName,
+      ...getTelemetryAttributes(),
+      ...attributes,
+    },
   });
 }

package/src/telemetry/instrumentation.ts

@@ -18,6 +18,7 @@ import type {
   LogRecordExporter,
   ReadableLogRecord,
 } from "@opentelemetry/sdk-logs";
+import { AuthService } from "../services/authService.js";
 
 // Lazy-loaded OTEL modules — only imported when telemetry is initialized
 let sdkNode: typeof import("@opentelemetry/sdk-node") | undefined;
@@ -468,3 +469,23 @@ export function isInitialized(): boolean {
 
 // Export JSONL exporters for testing
 export { JsonlSpanExporter, JsonlLogExporter };
+
+/**
+ * Get telemetry attributes based on the authenticated SSO user.
+ * Returns user.id and user.email when SSO authenticated, empty object otherwise.
+ */
+export function getTelemetryAttributes(): Record<string, string> {
+  try {
+    const user = AuthService.getInstance().getAuthUser();
+    if (user) {
+      const attrs: Record<string, string> = { "user.id": user.id };
+      if (user.email) {
+        attrs["user.email"] = user.email;
+      }
+      return attrs;
+    }
+  } catch {
+    // AuthService not available or not authenticated
+  }
+  return {};
+}

package/src/tools/toolSearchTool.ts

@@ -127,7 +127,7 @@ export const toolSearchTool: ToolPlugin = {
       name: TOOL_SEARCH_TOOL_NAME,
       description: `Fetches full schema definitions for deferred tools so they can be called.
 
-Deferred tools appear by name in <available-deferred-tools> messages. Until fetched, only the name is known — there is no parameter schema, so the tool cannot be invoked. This tool takes a query, matches it against the deferred tool list, and returns the matched tools' complete JSONSchema definitions inside a <functions> block. Once a tool's schema appears in that result, it is callable exactly like any tool defined at the top of the prompt.
+Deferred tools appear by name and description in <available-deferred-tools> messages. The full parameter schema is NOT loaded yet — use this tool to fetch it before invoking a deferred tool. This tool takes a query, matches it against the deferred tool list, and returns the matched tools' complete JSONSchema definitions inside a <functions> block. Once a tool's schema appears in that result, it is callable exactly like any tool defined at the top of the prompt.
 
 Result format: each matched tool appears as one <function>{"description": "...", "name": "...", "parameters": {...}}`,
       parameters: {

package/src/types/auth.ts

@@ -1,3 +1,9 @@
+export interface AuthUser {
+  id: string;
+  email?: string;
+}
+
 export interface AuthConfig {
   SSO_TOKEN?: string;
+  user?: AuthUser;
 }