@aithos/sdk 0.1.0-alpha.2 → 0.1.0-alpha.20

package/dist/src/session-store.js

@@ -0,0 +1,158 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+/* -------------------------------------------------------------------------- */
+/*  Storage key & expiration                                                   */
+/* -------------------------------------------------------------------------- */
+/**
+ * Storage key used by the bundled stores. Apps that want to coexist with
+ * other Aithos-aware libs (or that want to scope sessions per-tenant) can
+ * pass a custom key via {@link sessionStorageStore} or
+ * {@link localStorageStore}.
+ */
+export const DEFAULT_SESSION_STORAGE_KEY = "aithos.session.v1";
+/** Conservative buffer — drop the session 30 s before its `exp` so we
+ *  don't hand out a token the server is about to reject. */
+const SESSION_EXPIRY_BUFFER_S = 30;
+function isExpired(session, nowSec) {
+    return session.exp <= nowSec + SESSION_EXPIRY_BUFFER_S;
+}
+/**
+ * Validate at runtime that an opaque object looks like an `AithosSession`.
+ * Storage values come from JSON.parse over user-controlled data — we can't
+ * trust them blind. This isn't a security check (the server validates the
+ * JWT ; persistence layers don't authenticate themselves) ; it just
+ * prevents weird crashes when the storage was tampered with.
+ */
+function isSessionShaped(v) {
+    if (typeof v !== "object" || v === null)
+        return false;
+    const o = v;
+    return (typeof o["session"] === "string" &&
+        typeof o["exp"] === "number" &&
+        typeof o["did"] === "string" &&
+        typeof o["handle"] === "string");
+}
+function browserStorageStore(storageRef, opts = {}) {
+    const key = opts.key ?? DEFAULT_SESSION_STORAGE_KEY;
+    return {
+        get() {
+            const s = storageRef();
+            if (!s)
+                return null;
+            let raw;
+            try {
+                raw = s.getItem(key);
+            }
+            catch {
+                return null;
+            }
+            if (!raw)
+                return null;
+            let parsed;
+            try {
+                parsed = JSON.parse(raw);
+            }
+            catch {
+                // Corrupted entry — wipe to recover.
+                try {
+                    s.removeItem(key);
+                }
+                catch {
+                    /* ignore */
+                }
+                return null;
+            }
+            if (!isSessionShaped(parsed))
+                return null;
+            const nowSec = Math.floor(Date.now() / 1000);
+            if (isExpired(parsed, nowSec)) {
+                // Auto-evict — let the caller see "no session" and re-auth.
+                try {
+                    s.removeItem(key);
+                }
+                catch {
+                    /* ignore */
+                }
+                return null;
+            }
+            return parsed;
+        },
+        set(session) {
+            const s = storageRef();
+            if (!s)
+                return;
+            try {
+                s.setItem(key, JSON.stringify(session));
+            }
+            catch (e) {
+                // Quota exceeded, private mode, etc. — log but don't throw : the
+                // sign-in returned successfully, the in-memory session is still
+                // usable for this tab.
+                // eslint-disable-next-line no-console
+                console.warn("[AithosAuth] failed to persist session:", e.message);
+            }
+        },
+        clear() {
+            const s = storageRef();
+            if (!s)
+                return;
+            try {
+                s.removeItem(key);
+            }
+            catch {
+                /* ignore */
+            }
+        },
+    };
+}
+function safeStorage(getter) {
+    return () => {
+        try {
+            const s = getter();
+            return s ?? null;
+        }
+        catch {
+            // Some restricted contexts (sandboxed iframes, file:// URLs) throw
+            // on access. Treat them as "no storage available".
+            return null;
+        }
+    };
+}
+/**
+ * Default web store : `sessionStorage`. The session lives until the tab
+ * is closed. Cleared on `signOut()`. Use this when reauthenticating each
+ * day is acceptable and reduces blast radius after an XSS.
+ */
+export function sessionStorageStore(opts) {
+    return browserStorageStore(safeStorage(() => (typeof sessionStorage !== "undefined" ? sessionStorage : undefined)), opts);
+}
+/**
+ * `localStorage` store. The session persists until the JWT expires or the
+ * user explicitly signs out. Higher convenience, larger XSS blast radius.
+ */
+export function localStorageStore(opts) {
+    return browserStorageStore(safeStorage(() => (typeof localStorage !== "undefined" ? localStorage : undefined)), opts);
+}
+/**
+ * No-op store. `set` and `clear` discard their input ; `get` always
+ * returns null. The default in non-browser contexts (Node, edge runtimes)
+ * — apps running there should pass their own store explicitly.
+ */
+export function noopStore() {
+    return {
+        get: () => null,
+        set: () => { },
+        clear: () => { },
+    };
+}
+/**
+ * Pick a sensible default : `sessionStorage` if the browser environment
+ * is available, {@link noopStore} otherwise.
+ */
+export function defaultSessionStore() {
+    if (typeof sessionStorage !== "undefined") {
+        return sessionStorageStore();
+    }
+    return noopStore();
+}
+//# sourceMappingURL=session-store.js.map

package/dist/src/wallet.d.ts

@@ -1,4 +1,4 @@
-import { type BrowserIdentity } from "@aithos/protocol-client";
+import type { AithosAuth } from "./auth.js";
 import { type AithosSdkEndpoints } from "./endpoints.js";
 /**
  * Canonical credit-pack identifiers. Pricing and microcredit amounts are
@@ -44,12 +44,10 @@ export interface GetBalanceResult {
     readonly exists: boolean;
 }
 export interface WalletNamespaceDeps {
-    /** User identity — needed to sign the balance-lookup envelope. */
-    readonly identity: BrowserIdentity;
+    /** Auth instance — the wallet reads the active owner DID + signing key from here. */
+    readonly auth: AithosAuth;
     /** App DID — sent as audit attribution alongside the balance request. */
     readonly appDid: string;
-    /** Pre-resolved DID convenience accessor (mirrors identity.did). */
-    readonly userDid: string;
     readonly endpoints: AithosSdkEndpoints;
     readonly fetch: typeof fetch;
 }
@@ -64,7 +62,7 @@ export declare class WalletNamespace {
      * hosted URL — the caller is responsible for redirecting the user (e.g.
      * `window.location.href = result.checkoutUrl`).
      *
-     * On success, the Stripe webhook will credit `userDid`'s wallet once the
+     * On success, the Stripe webhook will credit the user's wallet once the
      * payment clears. Wallet balances are shared across all Aithos apps that
      * use the same DID.
      */

package/dist/src/wallet.js

@@ -13,8 +13,9 @@
 //     compute proxy at `${compute}/v1/invoke`. Read-only DDB GetItem on
 //     the wallet table, gated by the same signed envelope verification
 //     as compute_invoke. Returns the current balance + daily spent.
-import { buildSignedEnvelope, } from "@aithos/protocol-client";
+import { buildSignedEnvelope } from "@aithos/protocol-client";
 import { computeInvokeUrl, walletTopupCheckoutUrl, } from "./endpoints.js";
+import { ownerKeyPair } from "./internal/protocol-client-bridge.js";
 import { AithosSDKError } from "./types.js";
 /**
  * `sdk.wallet` namespace.
@@ -29,12 +30,16 @@ export class WalletNamespace {
      * hosted URL — the caller is responsible for redirecting the user (e.g.
      * `window.location.href = result.checkoutUrl`).
      *
-     * On success, the Stripe webhook will credit `userDid`'s wallet once the
+     * On success, the Stripe webhook will credit the user's wallet once the
      * payment clears. Wallet balances are shared across all Aithos apps that
      * use the same DID.
      */
     async createTopupSession(args) {
-        const { userDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const { auth, endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("sdk_no_owner", "no owner signed in; sign in first");
+        }
         const url = walletTopupCheckoutUrl(endpoints);
         let res;
         try {
@@ -42,7 +47,7 @@ export class WalletNamespace {
                 method: "POST",
                 headers: { "content-type": "application/json" },
                 body: JSON.stringify({
-                    user_did: userDid,
+                    user_did: owner.did,
                     pack_id: args.packId,
                     success_url: args.successUrl,
                     cancel_url: args.cancelUrl,
@@ -88,16 +93,21 @@ export class WalletNamespace {
      *   envelope-verify failures from the proxy).
      */
     async getBalance(args = {}) {
-        const { identity, appDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const { auth, appDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("sdk_no_owner", "no owner signed in; sign in first");
+        }
+        const publicKp = ownerKeyPair(owner, "public");
         const url = computeInvokeUrl(endpoints);
         const params = { app_did: appDid };
         const envelope = buildSignedEnvelope({
-            iss: identity.did,
+            iss: owner.did,
             aud: url,
             method: "aithos.wallet_get_balance",
-            verificationMethod: `${identity.did}#public`,
+            verificationMethod: `${owner.did}#public`,
             params,
-            signer: identity.public,
+            signer: publicKp,
         });
         let res;
         try {

package/dist/test/auth-j3.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth-j3.test.d.ts.map

package/dist/test/auth-j3.test.js

@@ -0,0 +1,391 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for J3 — KeyStore integration, signInWithRecovery,
+// importMandate, resume(), signOut(), state accessors.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { parseDelegateBundle, readDelegateBundleText, } from "../src/internal/delegate-bundle.js";
+import { parseRecoveryFile, serializeRecoveryFile, } from "../src/internal/recovery-file.js";
+/* -------------------------------------------------------------------------- */
+/*  Test helpers                                                              */
+/* -------------------------------------------------------------------------- */
+function makeAuth(opts = {}) {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("network not expected in this test");
+        }),
+        sessionStore: opts.sessionStore ?? noopStore(),
+        keyStore: opts.keyStore ?? memoryKeyStore(),
+    });
+}
+/** Build a recovery-file JSON string from a fresh BrowserIdentity. */
+function recoveryTextFor(handle, displayName) {
+    const id = createBrowserIdentity(handle, displayName);
+    const { text } = serializeRecoveryFile(id);
+    return { text, did: id.did };
+}
+function delegateBundleText(args) {
+    return JSON.stringify({
+        aithos_delegate_version: "0.1.0",
+        mandate: {
+            id: args.mandateId,
+            subject_did: args.subjectDid,
+            grantee: {
+                id: args.granteeId,
+                pubkey: args.granteePubkeyMultibase ?? "z6MkqGenericPubKey",
+            },
+            scopes: args.scopes ?? ["ethos.read.public"],
+        },
+        delegate_seed_hex: "11".repeat(32),
+    });
+}
+/* -------------------------------------------------------------------------- */
+/*  parseRecoveryFile / serializeRecoveryFile                                 */
+/* -------------------------------------------------------------------------- */
+describe("recovery file: parse + serialize", () => {
+    it("round-trips a fresh identity", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const { text } = serializeRecoveryFile(id);
+        const parsed = parseRecoveryFile(text);
+        assert.equal(parsed.did, id.did);
+        assert.equal(parsed.handle, id.handle);
+        assert.equal(parsed.displayName, id.displayName);
+        assert.equal(parsed.seedsHex.root.length, 64);
+    });
+    it("accepts the runOnboarding shape (warning + created_at)", () => {
+        const id = createBrowserIdentity("bob", "Bob");
+        const text = JSON.stringify({
+            aithos_recovery_version: "0.1.0-plaintext",
+            warning: "this is plaintext, store offline",
+            handle: id.handle,
+            display_name: id.displayName,
+            did: id.did,
+            created_at: new Date().toISOString(),
+            seeds_hex: {
+                root: bytesToHex(id.root.seed),
+                public: bytesToHex(id.public.seed),
+                circle: bytesToHex(id.circle.seed),
+                self: bytesToHex(id.self.seed),
+            },
+            public_keys_multibase: {},
+        });
+        const parsed = parseRecoveryFile(text);
+        assert.equal(parsed.did, id.did);
+    });
+    it("rejects unsupported versions", () => {
+        assert.throws(() => parseRecoveryFile(JSON.stringify({ aithos_recovery_version: "9.9.9" })), (e) => e instanceof AithosSDKError && e.code === "auth_invalid_recovery_file");
+    });
+    it("rejects malformed seeds", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const { text } = serializeRecoveryFile(id);
+        const obj = JSON.parse(text);
+        obj.seeds_hex.root = "not hex";
+        assert.throws(() => parseRecoveryFile(JSON.stringify(obj)), AithosSDKError);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  parseDelegateBundle                                                       */
+/* -------------------------------------------------------------------------- */
+describe("delegate bundle: parse", () => {
+    it("parses a well-formed bundle (legacy subject_did field)", () => {
+        const text = delegateBundleText({
+            mandateId: "mandate:01H8XYZ",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:bob1",
+            scopes: ["ethos.read.public", "ethos.write.public"],
+        });
+        const parsed = parseDelegateBundle(text);
+        assert.equal(parsed.mandateId, "mandate:01H8XYZ");
+        assert.equal(parsed.subjectDid, "did:aithos:zCarol");
+        assert.equal(parsed.granteeId, "urn:aithos:agent:bob1");
+        assert.equal(parsed.delegateSeedHex.length, 64);
+    });
+    it("parses a bundle minted by mintDelegateBundle (issuer field)", () => {
+        // Real wire shape emitted by `mintDelegateBundle` in protocol-client:
+        // SignedMandate carries the subject's DID under `issuer`, NOT
+        // `subject_did`. Regression test for the import flow that broke
+        // every freshly-minted mandate before this fix.
+        const text = JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            mandate: {
+                "aithos-mandate": "0.1",
+                id: "mandate:01H8ISSUER",
+                issuer: "did:aithos:zCarol",
+                issued_by_key: "did:aithos:zCarol#root",
+                grantee: {
+                    id: "urn:aithos:agent:bob1",
+                    pubkey: "z6MkqGenericPubKey",
+                },
+                actor_sphere: "self",
+                scopes: ["ethos.read.public", "ethos.write.public"],
+                not_before: "2026-05-10T00:00:00Z",
+                not_after: "2026-05-11T00:00:00Z",
+                issued_at: "2026-05-10T00:00:00Z",
+                nonce: "abc",
+                signature: { alg: "ed25519", key: "...", value: "..." },
+            },
+            delegate_seed_hex: "11".repeat(32),
+        });
+        const parsed = parseDelegateBundle(text);
+        assert.equal(parsed.subjectDid, "did:aithos:zCarol");
+        assert.equal(parsed.mandateId, "mandate:01H8ISSUER");
+        assert.equal(parsed.granteeId, "urn:aithos:agent:bob1");
+    });
+    it("readDelegateBundleText accepts string passthrough", async () => {
+        const text = delegateBundleText({
+            mandateId: "m",
+            subjectDid: "did:aithos:z",
+            granteeId: "urn:x",
+        });
+        assert.equal(await readDelegateBundleText(text), text);
+    });
+    it("rejects missing mandate", () => {
+        assert.throws(() => parseDelegateBundle(JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            delegate_seed_hex: "11".repeat(32),
+        })), AithosSDKError);
+    });
+    it("rejects malformed delegate seed", () => {
+        assert.throws(() => parseDelegateBundle(JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            mandate: {
+                id: "m",
+                subject_did: "did:aithos:z",
+                grantee: { id: "u", pubkey: "z6MkXYZ" },
+            },
+            delegate_seed_hex: "not hex",
+        })), AithosSDKError);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — recovery sign-in                                             */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signInWithRecovery", () => {
+    it("hydrates owner signers + persists to keyStore (no JWT)", async () => {
+        const keyStore = memoryKeyStore();
+        const sessionStore = noopStore();
+        const auth = makeAuth({ sessionStore, keyStore });
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.getOwnerInfo(), null);
+        const { text } = recoveryTextFor("alice", "Alice");
+        const info = await auth.signInWithRecovery({ file: text });
+        assert.equal(info.handle, "alice");
+        assert.equal(auth.canSignAsOwner(), true);
+        assert.equal(auth.getOwnerInfo()?.did, info.did);
+        assert.equal(auth.getCurrentSession(), null, "no JWT for recovery flow");
+        const persisted = await keyStore.loadOwner();
+        assert.equal(persisted?.did, info.did);
+    });
+    it("rejects loading a different owner without signOut first", async () => {
+        const auth = makeAuth();
+        const a = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: a.text });
+        const b = recoveryTextFor("bob", "Bob");
+        await assert.rejects(() => auth.signInWithRecovery({ file: b.text }), (e) => e instanceof AithosSDKError && e.code === "auth_owner_already_loaded");
+    });
+    it("clears any stale JWT to keep stores in sync", async () => {
+        const keyStore = memoryKeyStore();
+        let stored = {
+            session: "stale-jwt",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zStale",
+            handle: "stale",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => stored,
+            set: (s) => {
+                stored = s;
+            },
+            clear: () => {
+                stored = null;
+            },
+        };
+        const auth = makeAuth({ sessionStore, keyStore });
+        const { text } = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: text });
+        assert.equal(stored, null, "stale JWT must be wiped");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — importMandate                                                */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.importMandate", () => {
+    it("registers a delegate, lists it, removes it", async () => {
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore });
+        const text = delegateBundleText({
+            mandateId: "mandate:A",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:bob1",
+            scopes: ["ethos.read.circle"],
+        });
+        const info = await auth.importMandate({ bundle: text });
+        assert.equal(info.mandateId, "mandate:A");
+        assert.equal(info.subjectDid, "did:aithos:zCarol");
+        assert.deepEqual(info.scopes, ["ethos.read.circle"]);
+        const list = auth.getDelegates();
+        assert.equal(list.length, 1);
+        assert.equal(list[0]?.mandateId, "mandate:A");
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zCarol"), true);
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zNobody"), false);
+        await auth.removeMandate("mandate:A");
+        assert.equal(auth.getDelegates().length, 0);
+        assert.equal((await keyStore.listDelegates()).length, 0);
+    });
+    it("works without an owner loaded (delegate-only session)", async () => {
+        const auth = makeAuth();
+        assert.equal(auth.canSignAsOwner(), false);
+        const text = delegateBundleText({
+            mandateId: "mandate:Solo",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:solo1",
+        });
+        await auth.importMandate({ bundle: text });
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zCarol"), true);
+    });
+    it("re-importing the same mandate replaces the prior actor", async () => {
+        const auth = makeAuth();
+        const text = delegateBundleText({
+            mandateId: "mandate:R",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:r",
+        });
+        await auth.importMandate({ bundle: text });
+        await auth.importMandate({ bundle: text });
+        assert.equal(auth.getDelegates().length, 1);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — resume()                                                     */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.resume", () => {
+    it("rehydrates owner + delegates from keyStore on a fresh instance", async () => {
+        const keyStore = memoryKeyStore();
+        const sessionStore = noopStore();
+        // Seed the stores via a first auth instance.
+        {
+            const auth1 = makeAuth({ keyStore, sessionStore });
+            const { text: rt } = recoveryTextFor("alice", "Alice");
+            await auth1.signInWithRecovery({ file: rt });
+            const dt = delegateBundleText({
+                mandateId: "mandate:M1",
+                subjectDid: "did:aithos:zCarol",
+                granteeId: "urn:x",
+            });
+            await auth1.importMandate({ bundle: dt });
+        }
+        // Fresh instance, same stores → resume() must reload everything.
+        const auth2 = makeAuth({ keyStore, sessionStore });
+        assert.equal(auth2.canSignAsOwner(), false, "before resume, in-memory only");
+        await auth2.resume();
+        assert.equal(auth2.canSignAsOwner(), true);
+        assert.equal(auth2.getOwnerInfo()?.handle, "alice");
+        assert.equal(auth2.getDelegates().length, 1);
+        assert.equal(auth2.canSignAsDelegateFor("did:aithos:zCarol"), true);
+    });
+    it("strict mode: JWT in sessionStore but no owner in keyStore → wipes JWT", async () => {
+        let jwt = {
+            session: "j",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zGhost",
+            handle: "ghost",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => jwt,
+            set: (s) => {
+                jwt = s;
+            },
+            clear: () => {
+                jwt = null;
+            },
+        };
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore, sessionStore });
+        await auth.resume();
+        assert.equal(jwt, null, "out-of-sync JWT must be cleared");
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    it("strict mode: JWT and owner disagree on DID → wipes JWT only", async () => {
+        const keyStore = memoryKeyStore();
+        const { text } = recoveryTextFor("alice", "Alice");
+        // Seed the keystore with alice via one instance.
+        {
+            const auth1 = makeAuth({ keyStore });
+            await auth1.signInWithRecovery({ file: text });
+        }
+        // Now plant a JWT for a DIFFERENT DID in the session store.
+        let jwt = {
+            session: "j",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zSomeoneElse",
+            handle: "someone",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => jwt,
+            set: (s) => {
+                jwt = s;
+            },
+            clear: () => {
+                jwt = null;
+            },
+        };
+        const auth2 = makeAuth({ keyStore, sessionStore });
+        await auth2.resume();
+        assert.equal(jwt, null, "mismatched JWT must be wiped");
+        // Owner is preserved (it's the source of truth in strict mode).
+        assert.equal(auth2.canSignAsOwner(), true);
+        assert.equal(auth2.getOwnerInfo()?.handle, "alice");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — signOut                                                      */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signOut", () => {
+    it("wipes both stores and in-memory state", async () => {
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore });
+        const { text } = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: text });
+        const dt = delegateBundleText({
+            mandateId: "mandate:X",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:x",
+        });
+        await auth.importMandate({ bundle: dt });
+        await auth.signOut();
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.getOwnerInfo(), null);
+        assert.equal(auth.getDelegates().length, 0);
+        assert.equal(await keyStore.loadOwner(), null);
+        assert.equal((await keyStore.listDelegates()).length, 0);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Helpers                                                                   */
+/* -------------------------------------------------------------------------- */
+function bytesToHex(b) {
+    let out = "";
+    for (let i = 0; i < b.length; i++)
+        out += b[i].toString(16).padStart(2, "0");
+    return out;
+}
+//# sourceMappingURL=auth-j3.test.js.map

package/dist/test/auth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth.test.d.ts.map