@aithos/sdk 0.1.0-alpha.1 → 0.1.0-alpha.10

package/dist/src/compute.d.ts

@@ -1,4 +1,4 @@
-import { type BrowserIdentity } from "@aithos/protocol-client";
+import type { AithosAuth } from "./auth.js";
 import { type AithosSdkEndpoints } from "./endpoints.js";
 export interface ComputeMessage {
     readonly role: "user" | "assistant";
@@ -45,15 +45,16 @@ export interface InvokeBedrockResult {
     readonly auditId: string;
 }
 export interface ComputeNamespaceDeps {
-    readonly identity: BrowserIdentity;
+    readonly auth: AithosAuth;
     readonly appDid: string;
     readonly endpoints: AithosSdkEndpoints;
     readonly fetch: typeof fetch;
 }
 /**
  * `sdk.compute` namespace. Constructed once by the {@link AithosSDK}
- * constructor; all calls share the SDK's identity, app DID, and endpoint
- * configuration.
+ * constructor; reads the active owner from the supplied
+ * {@link AithosAuth} on every call so signing material follows the
+ * latest sign-in/sign-out state.
  */
 export declare class ComputeNamespace {
     #private;
@@ -62,9 +63,29 @@ export declare class ComputeNamespace {
      * Invoke a Bedrock model through the compute proxy. See
      * {@link InvokeBedrockArgs} and {@link InvokeBedrockResult}.
      *
+     * Two signer paths are supported:
+     *
+     *   - **Owner**: when the caller is signed in as an owner, the
+     *     envelope is signed with the owner's `#public` sphere key and
+     *     no mandate is attached (the proxy resolves the mandate
+     *     server-side from `params.mandate_id`).
+     *   - **Delegate**: when the caller is delegate-only (mandate
+     *     imported via `auth.importMandate`), the envelope is signed
+     *     with the delegate's bound keypair and the full SignedMandate
+     *     is attached so the proxy can verify both signature and
+     *     authorisation in one pass. The mandate must carry the
+     *     `compute.invoke` scope and the proxy enforces its constraints
+     *     (caps, allowed models, …) at server-side.
+     *
+     * Owner takes precedence: if a session has BOTH an owner and a
+     * matching delegate session, we use the owner key (more flexible —
+     * the mandate is dereferenced via `mandate_id` and there's no
+     * lifetime cliff if the delegate seed has been wiped).
+     *
      * @throws {AithosSDKError} on protocol errors. The `code` field is one of
-     *   `network`, `http`, `empty`, or any code returned by the proxy
-     *   (`quota_exceeded`, `mandate_revoked`, `insufficient_credits`, …).
+     *   `sdk_no_signer`, `sdk_no_delegate_for_mandate`, `network`, `http`,
+     *   `empty`, or any code returned by the proxy (`quota_exceeded`,
+     *   `mandate_revoked`, `insufficient_credits`, …).
      */
     invokeBedrock(args: InvokeBedrockArgs): Promise<InvokeBedrockResult>;
 }

package/dist/src/compute.js

@@ -4,8 +4,8 @@
 //
 // Wraps the JSON-RPC + signed-envelope protocol of `compute.aithos.be`
 // behind an ergonomic method on the SDK. Internally builds a §11 envelope
-// signed with the user's public-sphere key and posts it to
-// `${compute}/v1/invoke`.
+// signed with the user's public-sphere key (read from
+// {@link AithosAuth} at call time) and posts it to `${compute}/v1/invoke`.
 //
 // Server-side guarantees (enforced by the proxy, not by this lib):
 //   - Envelope signature verified against the user's `did.json`.
@@ -18,11 +18,13 @@
 // tool calling on the proxy) will land in a follow-up.
 import { buildSignedEnvelope, } from "@aithos/protocol-client";
 import { computeInvokeUrl, } from "./endpoints.js";
+import { delegateKeyPair, ownerKeyPair, } from "./internal/protocol-client-bridge.js";
 import { AithosSDKError } from "./types.js";
 /**
  * `sdk.compute` namespace. Constructed once by the {@link AithosSDK}
- * constructor; all calls share the SDK's identity, app DID, and endpoint
- * configuration.
+ * constructor; reads the active owner from the supplied
+ * {@link AithosAuth} on every call so signing material follows the
+ * latest sign-in/sign-out state.
  */
 export class ComputeNamespace {
     #deps;
@@ -33,12 +35,66 @@ export class ComputeNamespace {
      * Invoke a Bedrock model through the compute proxy. See
      * {@link InvokeBedrockArgs} and {@link InvokeBedrockResult}.
      *
+     * Two signer paths are supported:
+     *
+     *   - **Owner**: when the caller is signed in as an owner, the
+     *     envelope is signed with the owner's `#public` sphere key and
+     *     no mandate is attached (the proxy resolves the mandate
+     *     server-side from `params.mandate_id`).
+     *   - **Delegate**: when the caller is delegate-only (mandate
+     *     imported via `auth.importMandate`), the envelope is signed
+     *     with the delegate's bound keypair and the full SignedMandate
+     *     is attached so the proxy can verify both signature and
+     *     authorisation in one pass. The mandate must carry the
+     *     `compute.invoke` scope and the proxy enforces its constraints
+     *     (caps, allowed models, …) at server-side.
+     *
+     * Owner takes precedence: if a session has BOTH an owner and a
+     * matching delegate session, we use the owner key (more flexible —
+     * the mandate is dereferenced via `mandate_id` and there's no
+     * lifetime cliff if the delegate seed has been wiped).
+     *
      * @throws {AithosSDKError} on protocol errors. The `code` field is one of
-     *   `network`, `http`, `empty`, or any code returned by the proxy
-     *   (`quota_exceeded`, `mandate_revoked`, `insufficient_credits`, …).
+     *   `sdk_no_signer`, `sdk_no_delegate_for_mandate`, `network`, `http`,
+     *   `empty`, or any code returned by the proxy (`quota_exceeded`,
+     *   `mandate_revoked`, `insufficient_credits`, …).
      */
     async invokeBedrock(args) {
-        const { identity, appDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const { auth, appDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = auth._getOwnerSigners();
+        const ownerLoaded = owner !== null && !owner.destroyed;
+        let choice;
+        if (ownerLoaded) {
+            const publicKp = ownerKeyPair(owner, "public");
+            choice = {
+                kind: "owner",
+                iss: owner.did,
+                verificationMethod: `${owner.did}#public`,
+                signer: publicKp,
+                mandate: undefined,
+            };
+        }
+        else {
+            // Delegate-only path. Find a session whose mandate id matches.
+            const actor = auth._getDelegateActor(args.mandateId);
+            if (!actor || actor.destroyed) {
+                throw new AithosSDKError("sdk_no_delegate_for_mandate", `no owner signed in and no imported delegate mandate matches '${args.mandateId}'. Sign in as an owner, or import a delegate bundle for that mandate via auth.importMandate.`);
+            }
+            const kp = delegateKeyPair(actor);
+            choice = {
+                kind: "delegate",
+                iss: actor.subjectDid,
+                verificationMethod: actor.granteePubkeyMultibase,
+                signer: kp,
+                // The DelegateActor stores the SignedMandate as a structurally
+                // opaque object so the SDK doesn't have to import the
+                // protocol-client type at the storage boundary. Round-trip
+                // through `unknown` for the TS cast — at runtime the bytes are
+                // the canonical SignedMandate the bundle parser already
+                // validated.
+                mandate: actor.mandate,
+            };
+        }
         const url = computeInvokeUrl(endpoints);
         const idempotencyKey = args.idempotencyKey ?? generateIdempotencyKey();
         const params = {
@@ -55,12 +111,13 @@ export class ComputeNamespace {
         if (args.temperature !== undefined)
             params.temperature = args.temperature;
         const envelope = buildSignedEnvelope({
-            iss: identity.did,
+            iss: choice.iss,
             aud: url,
             method: "aithos.compute_invoke",
-            verificationMethod: `${identity.did}#public`,
+            verificationMethod: choice.verificationMethod,
             params,
-            signer: identity.public,
+            signer: choice.signer,
+            ...(choice.kind === "delegate" ? { mandate: choice.mandate } : {}),
         });
         let res;
         try {

package/dist/src/ethos.d.ts

@@ -1,2 +1,118 @@
-export { parsePublicZone, type ParsedZone, loadEditSnapshot, publishZoneEdit, publishPublicZoneAsDelegate, publishPrivateZoneAsDelegate, type EditSnapshot, type AddSectionInput, type ModifySectionInput, type PublishEditArgs, type PublishEditResult, addSectionToList, modifySectionInList, deleteSectionFromList, buildSignedFirstEdition, buildSignedNextEdition, type ZoneDoc, type ZoneManifest, type Section, SPHERES, type Sphere, } from "@aithos/protocol-client";
+import { type Section } from "@aithos/protocol-client";
+import type { AithosAuth } from "./auth.js";
+import type { AithosSdkEndpoints } from "./endpoints.js";
+import type { DelegateActor } from "./internal/delegate-state.js";
+import type { OwnerSigners } from "./internal/owner-signers.js";
+export type ZoneName = "public" | "circle" | "self";
+export declare const ZONE_NAMES: readonly ZoneName[];
+export interface AddSectionInput {
+    readonly title: string;
+    readonly body: string;
+    readonly tags?: readonly string[];
+}
+export interface UpdateSectionPatch {
+    readonly title?: string;
+    readonly body?: string;
+    readonly tags?: readonly string[];
+}
+export type StagedChange = {
+    readonly kind: "add";
+    readonly zone: ZoneName;
+    readonly section: Section;
+} | {
+    readonly kind: "update";
+    readonly zone: ZoneName;
+    readonly sectionId: string;
+    readonly patch: UpdateSectionPatch;
+} | {
+    readonly kind: "delete";
+    readonly zone: ZoneName;
+    readonly sectionId: string;
+};
+export interface PublishResult {
+    /** New manifest height after publish. */
+    readonly editionHeight: number;
+    /** SHA-256 hex of the canonical manifest. */
+    readonly manifestHash: string;
+    /** DID of the subject we published for. */
+    readonly subjectDid: string;
+    /** Zones whose contents changed in this edition. */
+    readonly zonesPublished: readonly ZoneName[];
+}
+type ActorOwner = {
+    readonly kind: "owner";
+    readonly subjectDid: string;
+    readonly signers: OwnerSigners;
+};
+type ActorDelegate = {
+    readonly kind: "delegate";
+    readonly subjectDid: string;
+    readonly actor: DelegateActor;
+};
+type ActorAnonymous = {
+    readonly kind: "anonymous";
+    readonly subjectDid: string;
+};
+type Actor = ActorOwner | ActorDelegate | ActorAnonymous;
+export declare class EthosClient {
+    #private;
+    readonly subjectDid: string;
+    readonly mode: Actor["kind"];
+    constructor(actor: Actor);
+    /** Return the per-zone proxy. */
+    zone(name: ZoneName): EthosZone;
+    hasPendingChanges(): boolean;
+    pendingChanges(): readonly StagedChange[];
+    discard(): void;
+    /**
+     * Build and publish a new edition with all staged mutations applied.
+     * Throws if there's nothing staged. After a successful publish, the
+     * mutation buffer is cleared and any cached snapshot is invalidated
+     * so the next read picks up the fresh edition.
+     */
+    publish(): Promise<PublishResult>;
+    _readZone(zone: ZoneName): Promise<readonly Section[]>;
+    _stageAdd(zone: ZoneName, input: AddSectionInput): void;
+    _stageUpdate(zone: ZoneName, sectionId: string, patch: UpdateSectionPatch): void;
+    _stageDelete(zone: ZoneName, sectionId: string): void;
+}
+export declare class EthosZone {
+    #private;
+    constructor(parent: EthosClient, name: ZoneName);
+    get name(): ZoneName;
+    /** Effective sections (persisted + staged mutations applied). */
+    sections(): Promise<readonly Section[]>;
+    addSection(input: AddSectionInput): void;
+    updateSection(sectionId: string, patch: UpdateSectionPatch): void;
+    deleteSection(sectionId: string): void;
+}
+export interface EthosNamespaceDeps {
+    readonly auth: AithosAuth;
+    readonly endpoints: AithosSdkEndpoints;
+    readonly fetch: typeof fetch;
+}
+export declare class EthosNamespace {
+    #private;
+    constructor(deps: EthosNamespaceDeps);
+    /**
+     * EthosClient for the currently signed-in owner. Throws if there is
+     * no owner — callers should check `auth.canSignAsOwner()` first or
+     * surface the error to the user as "please sign in".
+     */
+    me(): EthosClient;
+    /**
+     * EthosClient for an arbitrary subject DID. The mode is resolved at
+     * construction time:
+     *   - if `did` matches the currently signed-in owner → owner mode
+     *   - else if a mandate held by `auth` covers this subject → delegate mode
+     *   - else → anonymous read-only mode
+     *
+     * Async signature so future implementations may do an eager manifest
+     * fetch (e.g. to fail fast on unknown DIDs); today resolution is sync
+     * and the actual fetch happens on the first `sections()` / `publish()`
+     * call.
+     */
+    of(did: string): Promise<EthosClient>;
+}
+export {};
 //# sourceMappingURL=ethos.d.ts.map