@aithos/sdk 0.1.0-alpha.3 → 0.1.0-alpha.30

package/dist/src/auth.d.ts

@@ -1,116 +1,407 @@
+import { type AithosSessionStore } from "./session-store.js";
+import { type AithosKeyStore } from "./key-store.js";
+import { DelegateActor } from "./internal/delegate-state.js";
+import { OwnerSigners } from "./internal/owner-signers.js";
 /** Default URL of the Aithos auth backend. */
 export declare const DEFAULT_AUTH_BASE_URL = "https://auth.aithos.be";
-/**
- * Construction options for {@link AithosAuth}.
- */
+/** Default URL of the Aithos primitives API (publish_identity, publish_ethos_edition, etc.). */
+export declare const DEFAULT_API_BASE_URL = "https://api.aithos.be";
 export interface AithosAuthConfig {
-    /**
-     * Base URL of the Aithos auth backend. Defaults to
-     * {@link DEFAULT_AUTH_BASE_URL}. Override for staging or self-hosted
-     * deployments.
-     */
     readonly authBaseUrl?: string;
     /**
-     * Optional `fetch` implementation. Defaults to `globalThis.fetch`. Used
-     * by tests to inject a mock without monkeypatching globals.
+     * Base URL of the Aithos primitives API (`api.aithos.be`). Used by
+     * {@link AithosAuth.signUp} to bootstrap the user's Ethos via
+     * `aithos.publish_identity` after the auth account is created. Override
+     * for staging or self-hosted deployments. Defaults to
+     * {@link DEFAULT_API_BASE_URL}.
      */
+    readonly apiBaseUrl?: string;
     readonly fetch?: typeof fetch;
-    /**
-     * Optional `window`-like object. Defaults to `globalThis.window` when
-     * available. Provided so node-side tests can assert redirect URLs without
-     * shimming jsdom.
-     */
     readonly window?: Pick<Window, "location" | "history">;
+    /** Pluggable JWT-session storage. Defaults to {@link defaultSessionStore}. */
+    readonly sessionStore?: AithosSessionStore;
+    /** Pluggable key persistence. Defaults to {@link defaultKeyStore}. */
+    readonly keyStore?: AithosKeyStore;
 }
 /**
- * Payload returned by a successful Google sign-in.
- *
- * Wire-compatible with the auth Lambda's `SsoExchangeResponse`. Field names
- * are kept snake_case to match the backend; rationale: avoids an extra
- * mapping layer and keeps the SDK transparent if the user opens the
- * Network panel.
+ * Active Aithos session. Returned by JWT-backed entry points
+ * (`signIn`, `signUp`, `handleCallback`). Recovery-file and mandate
+ * sign-ins do NOT return an `AithosSession` — they yield the lighter
+ * {@link OwnerInfo} / {@link DelegateInfo}.
  */
 export interface AithosSession {
-    /** HS256 JWT — send in `Authorization: Bearer <session>` to auth/* and
-     *  app endpoints that consume it. */
     readonly session: string;
-    /** JWT expiry, Unix seconds. */
     readonly exp: number;
-    /** Aithos DID — `did:aithos:z…`. Stable across all the user's devices. */
     readonly did: string;
-    /** User-visible handle (rendered as `@handle`). */
     readonly handle: string;
-    /** Encrypted vault, base64. Empty string + version 0 on first sign-in. */
     readonly blob_b64: string;
-    /** AES-GCM nonce for the blob, base64 (12 bytes). Empty on first sign-in. */
     readonly blob_nonce_b64: string;
-    /** Monotonic blob version. Bumped on every PUT /auth/blob. */
     readonly blob_version: number;
-    /** 32-byte vault key, base64. Decrypts {@link blob_b64} via AES-GCM-256. */
     readonly enc_key_b64: string;
-    /** True the first time this user signs in. The app should run its
-     *  onboarding flow rather than mounting an empty blob. */
     readonly is_first_login: boolean;
 }
 /**
- * Options for {@link AithosAuth.signInWithGoogle}.
+ * Public information about the loaded owner identity. Available after
+ * any owner-side sign-in (password, Google, recovery), regardless of
+ * whether a JWT is also present.
  */
+export interface OwnerInfo {
+    readonly did: string;
+    readonly handle: string;
+    readonly displayName: string;
+}
+/**
+ * Public information about a delegate session held by the SDK. Returned
+ * by `importMandate` and `getDelegates`.
+ */
+export interface DelegateInfo {
+    readonly mandateId: string;
+    readonly subjectDid: string;
+    readonly granteeId: string;
+    readonly scopes: readonly string[];
+    /** ISO-8601, or null when the mandate has no `not_after`. */
+    readonly expiresAt: string | null;
+    readonly label?: string;
+}
 export interface SignInWithGoogleOptions {
     /**
-     * Opaque deep-link state preserved across the OAuth round-trip and
-     * surfaced back to the app via `?app_state=…` on the callback URL. Use
-     * to remember "the user clicked sign-in from /settings/billing" so you
-     * can restore that route after the redirect chain.
-     *
-     * Maximum 1024 characters.
+     * Opaque state the consumer app wants to recover after the OAuth
+     * round-trip (e.g. a deep-link to resume on). Echoed back as
+     * `?app_state=` on the final redirect.
      */
     readonly appState?: string;
+    /**
+     * App id registered in the Aithos `aithos-auth-apps` table. When set
+     * together with {@link returnTo}, the auth backend redirects the
+     * browser to {@link returnTo} (post Google + Aithos sign-in) instead
+     * of the legacy hard-coded `app.aithos.be/auth/callback`.
+     *
+     * The pair is required together: the backend rejects half-presence
+     * with `sso_app_redirect_pair_required`. Use it for any consumer app
+     * other than the canonical `app.aithos.be` (typically your own
+     * domain in prod, `http://localhost:<port>/auth/callback` in dev).
+     */
+    readonly appId?: string;
+    /**
+     * Where the auth backend should 302 the browser back to after a
+     * successful Google sign-in. MUST be on the app's
+     * `allowed_redirect_uris` allowlist (registered with Aithos out of
+     * band; see {@link appId}). Exact-match — wildcards rejected.
+     */
+    readonly returnTo?: string;
+}
+export interface SignInInput {
+    readonly email: string;
+    readonly password: string;
+}
+export interface SignUpInput {
+    readonly email: string;
+    readonly password: string;
+    readonly handle: string;
+    readonly displayName?: string;
+}
+export interface SignUpResult {
+    readonly session: AithosSession;
+    readonly recoveryFile: Blob;
+    readonly recoveryFilename: string;
+}
+/**
+ * Input to {@link AithosAuth.completeSsoFirstLogin}. The handle is
+ * required (the auth backend pre-generated one from the user's email
+ * local-part, available on the session payload — we re-confirm it
+ * here so the user can edit before commit).
+ */
+export interface CompleteSsoFirstLoginInput {
+    readonly handle: string;
+    readonly displayName?: string;
+}
+/**
+ * Result of {@link AithosAuth.completeSsoFirstLogin}. Returns a recovery
+ * file just like signUp — even though the user authenticated via Google,
+ * the freshly-generated Ed25519 seeds are the only material that can
+ * sign Aithos artifacts; without the recovery file, losing access to
+ * the Google account means losing the ethos forever.
+ */
+export interface CompleteSsoFirstLoginResult {
+    readonly session: AithosSession;
+    readonly recoveryFile: Blob;
+    readonly recoveryFilename: string;
+}
+export interface SignInWithRecoveryInput {
+    /** Recovery file as a Blob (browser File input) or already-decoded JSON string. */
+    readonly file: Blob | string;
+}
+export interface ImportMandateInput {
+    /** Delegate bundle as a Blob or already-decoded JSON string. */
+    readonly bundle: Blob | string;
 }
 /**
- * Authenticator for the Aithos identity service. One instance per app
- * is the recommended pattern (the constructor is cheap; it just trims the
- * URL). All methods are pure — no module-global state.
+ * Input to {@link AithosAuth.signUpCustodial}. Server-side only — the
+ * API key MUST stay off the browser (it grants account-creation
+ * authority under your app's name). Typical use site: your app's
+ * backend in response to a sign-up form submission.
  */
+export interface CustodialSignUpInput {
+    /** Bearer API key issued to your app (`aithos_<env>_<32b58>`). */
+    readonly apiKey: string;
+    /** Email address of the new user. Will receive the welcome mail. */
+    readonly email: string;
+    /** Optional display name. Capped at 200 chars by the backend. */
+    readonly displayName?: string;
+    /** Optional handle hint. Backend may sanitise or replace. */
+    readonly handleHint?: string;
+}
+/**
+ * Result of {@link AithosAuth.signUpCustodial}. The raw password is
+ * NEVER returned in this response — it lives only in the welcome email
+ * sent to the user via SES. `mailSent: false` means the account row
+ * was created but the email handoff to SES failed; the operator can
+ * trigger a manual resend.
+ */
+export interface CustodialSignUpResult {
+    readonly userId: string;
+    readonly did: string;
+    readonly handle: string;
+    readonly email: string;
+    readonly mailSent: boolean;
+    readonly mailMessageId?: string;
+}
+export interface CustodialSignInInput {
+    readonly email: string;
+    readonly password: string;
+}
+/**
+ * Active custodial session. Same JWT-backed shape as {@link AithosSession}
+ * but adds a `passwordMustChange` flag the UI can honour to nudge the
+ * user toward a `requestPasswordReset` on first login.
+ */
+export interface CustodialSignInResult {
+    readonly session: AithosSession;
+    readonly passwordMustChange: boolean;
+}
+export interface RequestPasswordResetInput {
+    readonly email: string;
+}
+/**
+ * Input to {@link AithosAuth.applyPasswordReset}. Finalises a password
+ * reset started by {@link AithosAuth.requestPasswordReset}. The `email`
+ * and `token` come straight from the magic-link URL that landed in the
+ * user's inbox (`?email=…&token=…`); the `newPassword` is what the user
+ * just typed in the reset page.
+ */
+export interface ApplyPasswordResetInput {
+    /** Email address whose password is being reset. */
+    readonly email: string;
+    /** Raw reset token extracted from the magic-link URL query string. */
+    readonly token: string;
+    /** New password — must satisfy the backend's policy (≥ 10 chars). */
+    readonly newPassword: string;
+}
+/**
+ * Result of {@link AithosAuth.applyPasswordReset}. Carries a fresh JWT
+ * session so the UI can either redirect to a "you're now signed in"
+ * landing or prompt the user to sign in explicitly with their new
+ * credentials — same {@link CustodialSignInResult} shape as a normal
+ * sign-in.
+ *
+ * Note: unlike {@link signInCustodial}, this DOES NOT hydrate the local
+ * keystore. The reset path on the auth Lambda re-wraps the seed bundle
+ * with KMS but doesn't return it (the user just typed a password — they
+ * still need to sign in once to materialise the seeds locally). The
+ * {@link AithosSession} returned here lets the app store the JWT and
+ * call {@link signInCustodial} to complete hydration.
+ */
+export interface ApplyPasswordResetResult {
+    readonly session: AithosSession;
+}
 export declare class AithosAuth {
-    /** Resolved auth base URL with a trailing slash trimmed. */
+    #private;
     readonly authBaseUrl: string;
-    private readonly fetchImpl;
-    private readonly win;
+    readonly apiBaseUrl: string;
     constructor(config?: AithosAuthConfig);
     /**
-     * Redirect the browser to Google's OAuth consent screen. Must be called
-     * synchronously in response to a user gesture (button click) — most
-     * browsers block top-level navigation triggered from idle code.
+     * Reload signing material and JWT session from the configured stores.
+     * Must be called once at app boot before relying on
+     * {@link getCurrentSession} / {@link getOwnerInfo} / {@link canSignAsOwner}
+     * — until then they reflect only what's been done in-memory in the
+     * current tab.
      *
-     * Does not return: navigation tears the JS context down. The `never`
-     * return type tells callers any code after the call is unreachable.
+     * Strict consistency: if the JWT and the stored owner disagree about
+     * who's signed in, both are wiped and the user re-auths. JWT-less
+     * owner state (loaded from keyStore but no JWT) is a valid resumed
+     * state — the user signed in via recovery or imported a mandate at
+     * some earlier moment and never went through the JWT flow.
      */
-    signInWithGoogle(opts?: SignInWithGoogleOptions): never;
+    resume(): Promise<void>;
+    /** JWT-backed session. Null when signed in via recovery / mandate / not at all. */
+    getCurrentSession(): AithosSession | null;
+    /** Loaded owner identity. Independent of JWT presence. */
+    getOwnerInfo(): OwnerInfo | null;
+    getDelegates(): readonly DelegateInfo[];
+    canSignAsOwner(): boolean;
+    canSignAsDelegateFor(did: string): boolean;
     /**
-     * Inspect the current URL for an `aithos_code` query parameter. If it's
-     * present, exchange it at the backend and return the resulting
-     * {@link AithosSession}. The query params are stripped from the URL via
-     * `history.replaceState` so a page refresh doesn't replay the redeem
-     * (which would 410 anyway).
+     * Internal accessor used by sibling SDK namespaces (compute, wallet,
+     * ethos) when they need to sign on behalf of the owner. Returns null
+     * if no owner is loaded.
      *
-     * Returns `null` when there's no code in the URL — safe to call on every
-     * page load. Throws {@link AithosSDKError} on backend errors or when
-     * the URL carries `aithos_error=…` (Google denial, token-exchange
-     * failure, etc.).
+     * @internal
      */
-    handleCallback(): Promise<AithosSession | null>;
+    _getOwnerSigners(): OwnerSigners | null;
     /**
-     * Programmatically redeem an `aithos_code` for a session. `handleCallback`
-     * calls this for you; expose it directly for callers that already pulled
-     * the code out of the URL via their own router.
+     * Internal accessor — looks up an active delegate by mandate id.
+     * @internal
      */
+    _getDelegateActor(mandateId: string): DelegateActor | undefined;
+    /**
+     * Internal accessor — finds the first active delegate whose subject
+     * matches `did`. Used by `sdk.ethos.of(did)` when the user holds a
+     * mandate for that subject.
+     * @internal
+     */
+    _findDelegateForSubject(did: string): DelegateActor | undefined;
+    signIn(input: SignInInput): Promise<AithosSession>;
+    signUp(input: SignUpInput): Promise<SignUpResult>;
+    /**
+     * Sign in by uploading a recovery file. Hydrates the owner signers
+     * locally — no JWT is obtained on this path because the recovery
+     * file alone doesn't authenticate against the auth backend (no
+     * password, no Google session). Apps that need compute/wallet
+     * access should follow up with an email+password sign-in or with
+     * Google SSO.
+     *
+     * The recovery file is ALWAYS the file produced by `signUp` (or the
+     * equivalent one emitted by `protocol-client`'s `runOnboarding`).
+     * Both shapes are accepted.
+     */
+    signInWithRecovery(input: SignInWithRecoveryInput): Promise<OwnerInfo>;
+    /**
+     * Import a delegate bundle (`.aithos-delegate.json`). Works in any
+     * state: with no owner loaded (delegate-only session), or alongside
+     * an existing owner (the user holds mandates for other people's
+     * ethoses while also being an owner themselves).
+     */
+    importMandate(input: ImportMandateInput): Promise<DelegateInfo>;
+    removeMandate(mandateId: string): Promise<void>;
+    signInWithGoogle(opts?: SignInWithGoogleOptions): never;
+    /**
+     * Public entrypoint — dedupes concurrent calls (React StrictMode).
+     * The first call kicks off the actual exchange; subsequent calls
+     * before that promise resolves return the SAME promise so they all
+     * receive the same `AithosSession | null`. Otherwise StrictMode's
+     * second invocation would race against the URL clean done by the
+     * first call and resolve to `null`, robbing the AuthCallback page
+     * of the session it actually obtained.
+     */
+    handleCallback(): Promise<AithosSession | null>;
     exchange(aithosCode: string): Promise<AithosSession>;
     /**
-     * Stateless sign-out. The Aithos backend doesn't track sessions, so
-     * there's nothing to revoke server-side; this method exists so the app
-     * has a symmetric API surface and to remind callers to clear their
-     * own storage. The Promise always resolves.
+     * Finish the first-time Google SSO bootstrap. After
+     * `signInWithGoogle()` + `handleCallback()`, a brand-new SSO user has
+     * a session JWT and an `enc_key` released by the auth backend, but
+     * NO Aithos identity yet (no Ed25519 seeds, no published did.json,
+     * no blob in the auth vault). This method closes that gap:
+     *
+     *   1. Generates a fresh {@link BrowserIdentity} client-side (4
+     *      Ed25519 keypairs, derived DID).
+     *   2. Calls `aithos.publish_identity` on api.aithos.be so reads
+     *      and writes against the Aithos primitives have an ethos to
+     *      anchor to.
+     *   3. AES-GCM-encrypts the seeds with the session's `enc_key`,
+     *      PUTs the result to `/auth/blob`. From now on, every Google
+     *      sign-in for this user will receive the encrypted blob and
+     *      hydrate locally.
+     *   4. Hydrates `ownerSigners` + `keyStore` so `canSignAsOwner()`
+     *      flips to true.
+     *   5. Returns a recovery-file Blob — the only material that can
+     *      restore this ethos if Google access is lost.
+     *
+     * Preconditions:
+     *   - `getCurrentSession()` returns a non-null session (caller went
+     *     through `handleCallback()` already).
+     *   - The session's `blob_version` is 0 (i.e. no blob yet).
+     *   - The session's `enc_key_b64` is non-empty.
+     *
+     * Throws `AithosSDKError("auth_sso_no_pending_first_login", …)` if
+     * preconditions don't hold (e.g. blob_version > 0 means the user has
+     * already completed setup; nothing to do).
+     */
+    completeSsoFirstLogin(input: CompleteSsoFirstLoginInput): Promise<CompleteSsoFirstLoginResult>;
+    /**
+     * Provision a custodial-mode account on behalf of a registered app.
+     *
+     * SERVER-ONLY — the API key MUST stay off the browser. The raw user
+     * password is generated server-side and sent to the user via the
+     * Aithos welcome email; it is NEVER returned in this response.
+     *
+     * Typical use site: your app's backend in response to a sign-up form
+     * submission. The frontend never sees the API key, only the resulting
+     * `{ userId, did, handle, email, mailSent }` it can show to the user
+     * ("we just sent you a mail with your credentials").
+     *
+     * Errors map to `AithosSDKError` codes:
+     *   - `auth_missing_api_key`         (your code passed empty apiKey)
+     *   - `auth_invalid_api_key`         (Bearer rejected by backend)
+     *   - `auth_api_key_revoked`         (backend marked the key revoked)
+     *   - `auth_email_exists`            (409 — email already registered)
+     *   - `auth_email_invalid`           (400 — bad email format)
+     *   - `auth_mail_send_failed`        (502 — DDB row exists but SES failed)
+     *   - `auth_custodial_signup_failed` (catch-all)
+     */
+    signUpCustodial(input: CustodialSignUpInput): Promise<CustodialSignUpResult>;
+    /**
+     * Authenticate a custodial-mode user with email + password. Single
+     * round-trip: returns a fresh JWT session AND hydrates the local
+     * KeyStore with the user's 4 Ed25519 seeds (KMS-unwrapped server-side
+     * after Argon2id verify).
+     *
+     * After this returns, the SDK is ready to publish ethos editions,
+     * invoke compute, mint mandates, etc. — exactly as if the user had
+     * signed in via {@link signIn} (zk) or {@link handleCallback} (SSO).
+     *
+     * Errors map to `AithosSDKError` codes:
+     *   - `auth_invalid_input`        (your code passed empty fields)
+     *   - `auth_invalid_credentials`  (401 — wrong email / wrong password)
+     *   - `auth_wrong_auth_mode`      (403 — user exists in another flow)
+     */
+    signInCustodial(input: CustodialSignInInput): Promise<CustodialSignInResult>;
+    /**
+     * Trigger a password-reset email to the given address. Backend ALWAYS
+     * resolves silently (no enumeration) — caller cannot tell whether the
+     * email is registered or not. The mail itself, if sent, contains a
+     * magic-link URL of shape `<resetBaseUrl>?token=<raw>&email=<email>`.
+     *
+     * Per-email rate limits apply server-side (5 mails/day, 5 min cooldown
+     * between consecutive requests). Calls during cooldown silently no-op
+     * the mail send while still returning success here.
+     */
+    requestPasswordReset(input: RequestPasswordResetInput): Promise<void>;
+    /**
+     * Finalise a password reset using the magic-link token sent to the
+     * user's inbox by {@link requestPasswordReset}.
+     *
+     * Typical use site: the page mounted on the reset URL declared in
+     * `aithos-auth-apps.reset_base_url`. The page reads `email` and
+     * `token` from `window.location.search`, prompts the user for a new
+     * password, then calls this method.
+     *
+     * On success, the returned {@link AithosSession} is persisted to the
+     * session store but the local keystore is NOT hydrated — the backend
+     * does not return the seed bundle on this endpoint. To get a fully
+     * usable session (one that can sign envelopes), follow up with
+     * {@link signInCustodial} using the email + new password. The two
+     * round-trips can be hidden inside a single UI action: reset → auto
+     * sign-in → redirect to dashboard.
+     *
+     * Errors map to `AithosSDKError` codes:
+     *   - `auth_invalid_input`              (your code passed empty fields)
+     *   - `auth_reset_token_invalid`        (400 — token forged / wrong email)
+     *   - `auth_reset_token_expired`        (410 — token TTL elapsed)
+     *   - `auth_reset_token_consumed`       (409 — already used)
+     *   - `auth_password_too_short`         (400 — < 10 chars)
+     *   - `auth_custodial_reset_failed`     (catch-all)
      */
+    applyPasswordReset(input: ApplyPasswordResetInput): Promise<ApplyPasswordResetResult>;
     signOut(): Promise<void>;
 }
 //# sourceMappingURL=auth.d.ts.map