@aithos/sdk 0.1.0-alpha.3 → 0.1.0-alpha.31

package/dist/src/mandates.d.ts

@@ -1,2 +1,164 @@
-export { mintDelegateBundle, signAndPublishMandate, MintError, type MintArgs, type MintResult, type SignAndPublishMandateArgs, DEFAULT_READ_SCOPES, TTL_PRESETS, } from "@aithos/protocol-client";
+import type { AithosAuth } from "./auth.js";
+import type { AithosSdkEndpoints } from "./endpoints.js";
+/** Capability scope the SDK accepts. Server-side ultimately decides.
+ *
+ * Note: `compute.invoke` is intentionally NOT in this union. The token-
+ * spending capability is opt-in via the dedicated {@link CreateMandateInput.compute}
+ * namespace — see {@link MandatesNamespace.create}. Passing `compute.invoke`
+ * directly in `scopes` is rejected at runtime; the compiler can't enforce
+ * it (callers who up-cast to string[] would slip through), so the runtime
+ * check is the real gate. */
+export type Scope = "ethos.read.public" | "ethos.read.circle" | "ethos.read.self" | "ethos.write.public" | "ethos.write.circle" | "ethos.write.self";
+/**
+ * The opt-in scope that authorizes a delegate to spend the subject's
+ * compute credits via the Aithos compute proxy. Mirror of
+ * `COMPUTE_INVOKE_SCOPE` in `@aithos/protocol-core` v0.4.0.
+ *
+ * The SDK's `mandates.create()` injects this scope automatically when
+ * the caller passes a `compute` namespace, and refuses to mint a
+ * mandate where the caller put it directly into `scopes` — this is
+ * what makes "compute is a separate, conscious decision" hold at the
+ * API surface.
+ */
+export declare const COMPUTE_INVOKE_SCOPE: "compute.invoke";
+/**
+ * Which sphere of the owner signs the mandate. Bounds the upper-most
+ * scope set the mandate can carry.
+ */
+export type ActorSphere = "public" | "circle" | "self";
+/**
+ * Compute-spending capability — opt-in only, never implied by ethos
+ * scopes.
+ *
+ * When `compute` is set on {@link CreateMandateInput}, the SDK:
+ *   1. Adds the `compute.invoke` scope to the minted mandate.
+ *   2. Maps the caller's caps onto `constraints.compute` in the
+ *      protocol's snake_case shape (= what the verifier reads).
+ *   3. Forbids the caller from passing `compute.invoke` in `scopes`
+ *      directly — that would let an app slip the scope past a
+ *      consent UI that only reviews `compute`.
+ *
+ * At least one of `dailyCapMicrocredits` or `totalCapMicrocredits` MUST
+ * be set: an unbounded compute mandate is the kind of bearer-token
+ * footgun this whole namespace exists to prevent. Validation happens
+ * at the SDK boundary (here) AND at the protocol layer (the
+ * server-side verifier rejects capless 0.4.0 mandates), so a bug in
+ * either tier still fails closed.
+ *
+ * `maxCreditsPerCall` is a per-invocation safety net for runaway
+ * single requests. `allowedModels`, when set, restricts which Bedrock
+ * model ids the delegate may target (the proxy's own allowlist still
+ * applies on top).
+ */
+export interface CreateMandateComputeInput {
+    /** Hard cap on credits debited per UTC day under this mandate. */
+    readonly dailyCapMicrocredits?: number;
+    /** Hard cap on credits debited over the whole mandate lifetime. */
+    readonly totalCapMicrocredits?: number;
+    /** Hard cap on credits debited by any single invocation. */
+    readonly maxCreditsPerCall?: number;
+    /** Allowlist of Bedrock model ids the delegate may invoke. */
+    readonly allowedModels?: readonly string[];
+}
+export interface CreateMandateInput {
+    /** Grantee URN — usually `urn:aithos:agent:<extension-id>` or similar. */
+    readonly granteeId: string;
+    /** Optional human-readable label for the grantee. */
+    readonly granteeLabel?: string;
+    /**
+     * Sphere of the owner that issues the mandate. Defaults to the
+     * highest-numbered sphere covered by `scopes` (most permissive
+     * common ancestor): `"self"` if any scope ends in `.self`, else
+     * `"circle"` if any ends in `.circle`, else `"public"`.
+     */
+    readonly actorSphere?: ActorSphere;
+    /** Capability set granted by the mandate. */
+    readonly scopes: readonly Scope[];
+    /** Lifetime in seconds. */
+    readonly ttlSeconds: number;
+    /**
+     * Opt-in compute (token-spending) capability — adds the
+     * `compute.invoke` scope and a bounded `constraints.compute` budget
+     * to the mandate. See {@link CreateMandateComputeInput}.
+     *
+     * NEVER add `compute.invoke` to `scopes` directly — the SDK rejects
+     * that path so the caller has to pass through this typed namespace,
+     * which is what a consent UI can review.
+     */
+    readonly compute?: CreateMandateComputeInput;
+    /**
+     * When the mandate becomes valid. Optional — when omitted, the
+     * underlying mint helper signs with `not_before = now - 30s` (see
+     * `MANDATE_NOTBEFORE_OFFSET_SECONDS_DEFAULT` in
+     * `@aithos/protocol-client`) so a server whose clock runs slightly
+     * behind the client doesn't reject the freshly-minted mandate as
+     * `not yet valid`.
+     *
+     * Pass an explicit `Date` only for advanced flows (delayed-activation
+     * mandates, deterministic tests).
+     */
+    readonly notBefore?: Date;
+}
+export interface MintedMandate {
+    /** Unique mandate id (matches `mandate.id` inside the bundle). */
+    readonly mandateId: string;
+    /** Subject DID — the owner who issued it. */
+    readonly subjectDid: string;
+    /** Grantee URN. */
+    readonly granteeId: string;
+    readonly scopes: readonly Scope[];
+    /** ISO-8601 (UTC) — `null` if the mandate has no `not_after`. */
+    readonly expiresAt: string | null;
+    /** Shareable `.aithos-delegate.json` Blob. Hand this to the grantee. */
+    readonly bundle: Blob;
+    /** Suggested filename for the bundle. */
+    readonly filename: string;
+}
+export interface OwnedMandate {
+    readonly mandateId: string;
+    readonly issuerDid: string;
+    readonly actorDid: string;
+    readonly scopes: readonly Scope[];
+    readonly notBefore: number | null;
+    readonly notAfter: number | null;
+    readonly createdAt: number;
+}
+export interface MandatesNamespaceDeps {
+    readonly auth: AithosAuth;
+    readonly endpoints: AithosSdkEndpoints;
+    readonly fetch: typeof fetch;
+}
+export declare class MandatesNamespace {
+    #private;
+    constructor(deps: MandatesNamespaceDeps);
+    /**
+     * Mint, sign, publish, and package a fresh delegate bundle. The
+     * grantee's keypair is generated inside this call and never
+     * persisted on the owner's machine — the seed flows out via the
+     * returned Blob and only via that Blob.
+     */
+    create(input: CreateMandateInput): Promise<MintedMandate>;
+    /**
+     * List mandates issued by the signed-in owner. Pages through
+     * `aithos.list_mandates` until exhausted (or until 5 pages have
+     * been crawled — an owner with more than 1000 active mandates is
+     * out of scope today).
+     */
+    list(): Promise<readonly OwnedMandate[]>;
+    /**
+     * Publish a §4.2 revocation for `mandateId`. The mandate stops
+     * authorizing future actions (artifacts dated before `revoked_at`
+     * remain valid — revocation is not retroactive).
+     *
+     * Server-side: handled by `aithos.publish_revocation`. The envelope
+     * is signed by the owner's `#public` sphere — the spec also accepts
+     * `#root`, but `#public` is what the existing app does.
+     *
+     * Throws {@link AithosSDKError} on backend errors. Note that
+     * server-side support is in-flight; this method may surface a
+     * `mandates_-32601` (method not found) until the auth platform
+     * lands the corresponding write handler.
+     */
+    revoke(mandateId: string): Promise<void>;
+}
 //# sourceMappingURL=mandates.d.ts.map

package/dist/src/mandates.js

@@ -1,13 +1,291 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2026 Mathieu Colla
-// Mandates namespace — re-exports of mandate mint/sign primitives.
+// `sdk.mandates` namespace — owner-side mandate lifecycle.
 //
-// A mandate is a signed delegation bundle that grants an app DID the right
-// to act on the user's behalf within a scoped set of operations (read
-// scopes, compute spend cap, TTL). Mandates are required by the compute
-// proxy on every Bedrock call.
+// Three verbs:
+//   create(input)           → mints + publishes + returns the
+//                              shareable .aithos-delegate.json bundle
+//   list()                  → mandates the owner has issued
+//   revoke(mandateId)       → publishes a §4.2 revocation
 //
-// See `@aithos/protocol-client/src/mandate-mint.ts` for the canonical
-// implementation; this namespace re-exports the public surface verbatim.
-export { mintDelegateBundle, signAndPublishMandate, MintError, DEFAULT_READ_SCOPES, TTL_PRESETS, } from "@aithos/protocol-client";
+// Capability boundary: every method requires an owner signed in. We
+// reach the OwnerSigners through `auth._getOwnerSigners()` and project
+// to a `StoredIdentity` for protocol-client interop. When
+// protocol-client gains a Signer-shaped API the projection step
+// disappears.
+import { buildSignedEnvelope, mintDelegateBundle, readRpc, } from "@aithos/protocol-client";
+import { ownerKeyPair } from "./internal/protocol-client-bridge.js";
+import { AithosSDKError } from "./types.js";
+/**
+ * The opt-in scope that authorizes a delegate to spend the subject's
+ * compute credits via the Aithos compute proxy. Mirror of
+ * `COMPUTE_INVOKE_SCOPE` in `@aithos/protocol-core` v0.4.0.
+ *
+ * The SDK's `mandates.create()` injects this scope automatically when
+ * the caller passes a `compute` namespace, and refuses to mint a
+ * mandate where the caller put it directly into `scopes` — this is
+ * what makes "compute is a separate, conscious decision" hold at the
+ * API surface.
+ */
+export const COMPUTE_INVOKE_SCOPE = "compute.invoke";
+export class MandatesNamespace {
+    #deps;
+    constructor(deps) {
+        this.#deps = deps;
+    }
+    /**
+     * Mint, sign, publish, and package a fresh delegate bundle. The
+     * grantee's keypair is generated inside this call and never
+     * persisted on the owner's machine — the seed flows out via the
+     * returned Blob and only via that Blob.
+     */
+    async create(input) {
+        const owner = this.#requireOwner();
+        // A mandate must carry at least one capability — either ethos
+        // scopes, the compute namespace, or both. A "compute-only" mandate
+        // (`scopes: []` + `compute: { ... }`) is legitimate: it gives the
+        // grantee no access to the subject's ethos data, only the right
+        // to spend a bounded amount of compute credits in their name.
+        // Useful for creative assistants, brainstorming agents, etc.
+        if (input.scopes.length === 0 && input.compute === undefined) {
+            throw new AithosSDKError("mandates_invalid_scopes", "scopes must be a non-empty list (or pass `compute` for a compute-only mandate)");
+        }
+        if (input.ttlSeconds <= 0) {
+            throw new AithosSDKError("mandates_invalid_ttl", "ttlSeconds must be > 0");
+        }
+        // Forbid `compute.invoke` smuggled in via `scopes[]`. The whole
+        // point of the dedicated `compute` namespace is that adding token-
+        // spending capability requires a typed, named, reviewable input —
+        // not a string lost in a generic list. Type-checking can't catch
+        // this (the union doesn't include the literal, but callers can
+        // up-cast); the runtime check is what holds.
+        if (input.scopes.some((s) => s === COMPUTE_INVOKE_SCOPE)) {
+            throw new AithosSDKError("mandates_invalid_scopes", `Pass token-spending capability via the dedicated 'compute' namespace, ` +
+                `not by adding "${COMPUTE_INVOKE_SCOPE}" to scopes[]. The namespace forces ` +
+                `an explicit budget and is what a consent UI reviews.`);
+        }
+        // Validate + project the compute namespace if present, then derive
+        // the final scopes/constraints to send to the protocol layer.
+        const computeProjection = projectCompute(input.compute);
+        const projectedScopes = [...input.scopes];
+        if (computeProjection) {
+            projectedScopes.push(COMPUTE_INVOKE_SCOPE);
+        }
+        const actorSphere = input.actorSphere ?? defaultSphereFromScopes(input.scopes);
+        const ownerStored = owner._unsafeStoredIdentity();
+        const result = await mintDelegateBundle({
+            owner: ownerStored,
+            granteeId: input.granteeId,
+            ...(input.granteeLabel ? { granteeLabel: input.granteeLabel } : {}),
+            actorSphere,
+            scopes: projectedScopes,
+            ttlSeconds: input.ttlSeconds,
+            // protocol-client v0.1.0-alpha.11 ships MandateConstraints without
+            // the `compute` field; the wire format accepts it though (the
+            // canonicalizer just serializes whatever's in the object). We
+            // up-cast through `unknown` to bypass the structural check until
+            // protocol-client picks up protocol-core 0.4.0 types.
+            ...(computeProjection
+                ? {
+                    constraints: {
+                        compute: computeProjection,
+                    },
+                }
+                : {}),
+            ...(input.notBefore ? { notBefore: input.notBefore } : {}),
+        });
+        const mandate = result.mandate;
+        return {
+            mandateId: mandate.id,
+            subjectDid: mandate.subject_did,
+            granteeId: input.granteeId,
+            scopes: projectedScopes,
+            expiresAt: mandate.not_after ?? null,
+            bundle: result.bundleBlob,
+            filename: `aithos-delegate-${mandate.id}.json`,
+        };
+    }
+    /**
+     * List mandates issued by the signed-in owner. Pages through
+     * `aithos.list_mandates` until exhausted (or until 5 pages have
+     * been crawled — an owner with more than 1000 active mandates is
+     * out of scope today).
+     */
+    async list() {
+        const owner = this.#requireOwner();
+        const out = [];
+        let cursor;
+        for (let i = 0; i < 5; i++) {
+            const page = await readRpc("aithos.list_mandates", {
+                issuer_did: owner.did,
+                limit: 200,
+                ...(cursor ? { cursor } : {}),
+            });
+            for (const it of page.items) {
+                out.push(toOwnedMandate(it));
+            }
+            if (!page.next_cursor)
+                break;
+            cursor = page.next_cursor;
+        }
+        return out;
+    }
+    /**
+     * Publish a §4.2 revocation for `mandateId`. The mandate stops
+     * authorizing future actions (artifacts dated before `revoked_at`
+     * remain valid — revocation is not retroactive).
+     *
+     * Server-side: handled by `aithos.publish_revocation`. The envelope
+     * is signed by the owner's `#public` sphere — the spec also accepts
+     * `#root`, but `#public` is what the existing app does.
+     *
+     * Throws {@link AithosSDKError} on backend errors. Note that
+     * server-side support is in-flight; this method may surface a
+     * `mandates_-32601` (method not found) until the auth platform
+     * lands the corresponding write handler.
+     */
+    async revoke(mandateId) {
+        const owner = this.#requireOwner();
+        const ownerStored = owner._unsafeStoredIdentity();
+        // TODO(post-alpha): once @aithos/protocol-client exposes a public
+        // configuration API for the `api` endpoint, route this through the
+        // same channel as `readRpc` / `publishZoneEdit` so self-hosters
+        // can override. For now, target the production write surface.
+        const url = "https://api.aithos.be/mcp/primitives/write";
+        const params = {
+            mandate_id: mandateId,
+            revoked_at: new Date().toISOString(),
+        };
+        // Reach into the owner's #public signer for envelope signing via
+        // the centralized migration bridge (will go away when
+        // protocol-client accepts Signer-shaped objects).
+        const publicKp = ownerKeyPair(owner, "public");
+        const envelope = buildSignedEnvelope({
+            iss: ownerStored.did,
+            aud: url,
+            method: "aithos.publish_revocation",
+            verificationMethod: `${ownerStored.did}#public`,
+            params,
+            signer: publicKp,
+        });
+        let res;
+        try {
+            res = await this.#deps.fetch(url, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({
+                    jsonrpc: "2.0",
+                    id: "aithos.publish_revocation",
+                    method: "aithos.publish_revocation",
+                    params: { ...params, _envelope: envelope },
+                }),
+            });
+        }
+        catch (e) {
+            throw new AithosSDKError("network", e.message);
+        }
+        const body = (await res.json().catch(() => null));
+        if (!body) {
+            throw new AithosSDKError("http", `HTTP ${res.status} ${res.statusText} — non-JSON response`, { status: res.status });
+        }
+        if (body.error) {
+            throw new AithosSDKError(`mandates_${body.error.code}`, body.error.message, body.error.data ? { data: body.error.data } : undefined);
+        }
+    }
+    /* ------------------------------------------------------------------------ */
+    /*  Internals                                                               */
+    /* ------------------------------------------------------------------------ */
+    #requireOwner() {
+        const owner = this.#deps.auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("mandates_no_owner", "no owner signed in; sign in first");
+        }
+        return owner;
+    }
+}
+/* -------------------------------------------------------------------------- */
+/*  Helpers                                                                   */
+/* -------------------------------------------------------------------------- */
+function defaultSphereFromScopes(scopes) {
+    if (scopes.some((s) => s.endsWith(".self")))
+        return "self";
+    if (scopes.some((s) => s.endsWith(".circle")))
+        return "circle";
+    return "public";
+}
+/**
+ * Validate the SDK-side `compute` namespace and project it onto the
+ * snake_case shape the protocol layer canonicalizes into the mandate.
+ *
+ * Returns `null` if the caller passed nothing — that's the "no compute
+ * authorization" path. Throws {@link AithosSDKError} on any structural
+ * problem (camelCase mirror of the rules `validateComputeAuthorization`
+ * enforces server-side; we duplicate them here so a misuse fails at the
+ * SDK boundary with a precise error rather than only blowing up at mint).
+ */
+function projectCompute(c) {
+    if (c === undefined)
+        return null;
+    const hasDaily = typeof c.dailyCapMicrocredits === "number";
+    const hasTotal = typeof c.totalCapMicrocredits === "number";
+    if (!hasDaily && !hasTotal) {
+        throw new AithosSDKError("mandates_invalid_compute", "compute namespace requires at least one of dailyCapMicrocredits " +
+            "or totalCapMicrocredits — an unbounded compute mandate is a bearer " +
+            "token to drain the subject's wallet.");
+    }
+    for (const [field, value] of [
+        ["dailyCapMicrocredits", c.dailyCapMicrocredits],
+        ["totalCapMicrocredits", c.totalCapMicrocredits],
+        ["maxCreditsPerCall", c.maxCreditsPerCall],
+    ]) {
+        if (value === undefined)
+            continue;
+        if (!Number.isInteger(value) || value <= 0) {
+            throw new AithosSDKError("mandates_invalid_compute", `compute.${field} must be a positive integer (got ${value}).`);
+        }
+    }
+    if (c.allowedModels !== undefined) {
+        if (!Array.isArray(c.allowedModels)) {
+            throw new AithosSDKError("mandates_invalid_compute", "compute.allowedModels must be an array of strings.");
+        }
+        for (const m of c.allowedModels) {
+            if (typeof m !== "string" || m.length === 0) {
+                throw new AithosSDKError("mandates_invalid_compute", `compute.allowedModels entries must be non-empty strings (got ${JSON.stringify(m)}).`);
+            }
+        }
+    }
+    const wire = {};
+    if (hasDaily)
+        wire.daily_cap_microcredits = c.dailyCapMicrocredits;
+    if (hasTotal)
+        wire.total_cap_microcredits = c.totalCapMicrocredits;
+    if (c.maxCreditsPerCall !== undefined)
+        wire.max_credits_per_call = c.maxCreditsPerCall;
+    if (c.allowedModels !== undefined)
+        wire.allowed_models = [...c.allowedModels];
+    return wire;
+}
+function toOwnedMandate(it) {
+    return {
+        mandateId: requireString(it, "mandate_id"),
+        issuerDid: requireString(it, "issuer_did"),
+        actorDid: requireString(it, "actor_did"),
+        scopes: filterScopeArray(it["scopes"]),
+        notBefore: typeof it["not_before"] === "number" ? it["not_before"] : null,
+        notAfter: typeof it["not_after"] === "number" ? it["not_after"] : null,
+        createdAt: typeof it["created_at"] === "number" ? it["created_at"] : 0,
+    };
+}
+function requireString(o, key) {
+    const v = o[key];
+    if (typeof v !== "string") {
+        throw new AithosSDKError("mandates_response_malformed", `list_mandates row missing string field ${key}`);
+    }
+    return v;
+}
+function filterScopeArray(v) {
+    if (!Array.isArray(v))
+        return [];
+    return v.filter((s) => typeof s === "string");
+}
 //# sourceMappingURL=mandates.js.map

package/dist/src/sdk.d.ts

@@ -1,18 +1,54 @@
+import type { AithosAuth } from "./auth.js";
 import { ComputeNamespace } from "./compute.js";
 import { type AithosSdkEndpoints } from "./endpoints.js";
+import { EthosNamespace } from "./ethos.js";
+import { MandatesNamespace } from "./mandates.js";
 import { WalletNamespace } from "./wallet.js";
-import type { AithosSDKConfig } from "./types.js";
+import { WebNamespace } from "./web.js";
+export interface AithosSDKConfig {
+    /**
+     * The {@link AithosAuth} instance the SDK reads sign-in state from.
+     * Constructed and managed by the app — typically a singleton at the
+     * top of the application tree.
+     */
+    readonly auth: AithosAuth;
+    /**
+     * Application DID — identifies the calling app in mandates, audit
+     * logs, billing splits. Issued at developer onboarding (will be
+     * self-service before 0.1.0 stable).
+     */
+    readonly appDid: string;
+    /**
+     * Optional endpoint overrides. Production defaults point at the
+     * Aithos infrastructure; pass overrides for staging, self-hosting,
+     * tests.
+     */
+    readonly endpoints?: Partial<AithosSdkEndpoints>;
+    /**
+     * Optional `fetch` implementation. Defaults to the global `fetch`.
+     * Used by tests to inject a mock without monkeypatching globals.
+     */
+    readonly fetch?: typeof fetch;
+}
 export declare class AithosSDK {
     /** Resolved endpoint configuration (defaults + caller overrides). */
     readonly endpoints: AithosSdkEndpoints;
     /** Application DID (as declared in mandates). */
     readonly appDid: string;
-    /** User DID (derived from `config.identity`). */
-    readonly userDid: string;
+    /** The same auth instance the app constructed and passed in. */
+    readonly auth: AithosAuth;
     /** Compute proxy namespace — Bedrock invocation. */
     readonly compute: ComputeNamespace;
     /** Wallet namespace — Stripe top-up. */
     readonly wallet: WalletNamespace;
+    /** Ethos editing namespace — load, mutate (staged), publish. */
+    readonly ethos: EthosNamespace;
+    /** Mandate lifecycle namespace — create / list / revoke. */
+    readonly mandates: MandatesNamespace;
+    /** Web extraction namespace — aithos.web_extract through the web extractor proxy. */
+    readonly web: WebNamespace;
     constructor(config: AithosSDKConfig);
+    /** DID of the currently signed-in owner, or null if no owner is loaded. */
+    get userDid(): string | null;
 }
 //# sourceMappingURL=sdk.d.ts.map

package/dist/src/sdk.js

@@ -1,58 +1,71 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2026 Mathieu Colla
-// AithosSDK — top-level developer surface.
-//
-// One construction, namespaced methods. The SDK takes the user's identity
-// (a `BrowserIdentity` from `@aithos/protocol-client`) and the calling
-// app's DID, then exposes:
-//
-//   sdk.compute  — Bedrock invocation through the compute proxy.
-//   sdk.wallet   — Stripe Checkout for credit-pack top-ups.
-//   sdk.ethos    — re-exports from protocol-client (zone editor, signers).
-//   sdk.onboarding / sdk.mandates — likewise.
-//
-// The class is intentionally thin: the heavy lifting lives in dedicated
-// namespace classes (`ComputeNamespace`, `WalletNamespace`) so each can be
-// tested in isolation with a mock fetch and so an advanced caller could
-// instantiate just one of them if needed.
 import { ComputeNamespace } from "./compute.js";
 import { resolveEndpoints } from "./endpoints.js";
+import { EthosNamespace } from "./ethos.js";
+import { MandatesNamespace } from "./mandates.js";
 import { WalletNamespace } from "./wallet.js";
+import { WebNamespace } from "./web.js";
 export class AithosSDK {
     /** Resolved endpoint configuration (defaults + caller overrides). */
     endpoints;
     /** Application DID (as declared in mandates). */
     appDid;
-    /** User DID (derived from `config.identity`). */
-    userDid;
+    /** The same auth instance the app constructed and passed in. */
+    auth;
     /** Compute proxy namespace — Bedrock invocation. */
     compute;
     /** Wallet namespace — Stripe top-up. */
     wallet;
+    /** Ethos editing namespace — load, mutate (staged), publish. */
+    ethos;
+    /** Mandate lifecycle namespace — create / list / revoke. */
+    mandates;
+    /** Web extraction namespace — aithos.web_extract through the web extractor proxy. */
+    web;
     constructor(config) {
-        if (!config.identity) {
-            throw new TypeError("AithosSDK: config.identity is required");
+        if (!config.auth) {
+            throw new TypeError("AithosSDK: config.auth is required");
         }
         if (!config.appDid || typeof config.appDid !== "string") {
             throw new TypeError("AithosSDK: config.appDid is required (string)");
         }
         this.endpoints = resolveEndpoints(config.endpoints);
         this.appDid = config.appDid;
-        this.userDid = config.identity.did;
+        this.auth = config.auth;
         const fetchImpl = config.fetch ?? globalThis.fetch.bind(globalThis);
         this.compute = new ComputeNamespace({
-            identity: config.identity,
+            auth: config.auth,
             appDid: config.appDid,
             endpoints: this.endpoints,
             fetch: fetchImpl,
         });
         this.wallet = new WalletNamespace({
-            identity: config.identity,
+            auth: config.auth,
             appDid: config.appDid,
-            userDid: config.identity.did,
             endpoints: this.endpoints,
             fetch: fetchImpl,
         });
+        this.ethos = new EthosNamespace({
+            auth: config.auth,
+            endpoints: this.endpoints,
+            fetch: fetchImpl,
+        });
+        this.mandates = new MandatesNamespace({
+            auth: config.auth,
+            endpoints: this.endpoints,
+            fetch: fetchImpl,
+        });
+        this.web = new WebNamespace({
+            auth: config.auth,
+            appDid: config.appDid,
+            endpoints: this.endpoints,
+            fetch: fetchImpl,
+        });
+    }
+    /** DID of the currently signed-in owner, or null if no owner is loaded. */
+    get userDid() {
+        return this.auth.getOwnerInfo()?.did ?? null;
     }
 }
 //# sourceMappingURL=sdk.js.map

package/dist/src/session-store.d.ts

@@ -0,0 +1,58 @@
+import type { AithosSession } from "./auth.js";
+/**
+ * Pluggable storage backend for the active session.
+ *
+ * Implementations should be **synchronous** : the SDK reads the store on
+ * boot to surface `getCurrentSession()` and async storage would force a
+ * Promise everywhere it's not warranted. Async backends should pre-warm
+ * the cache during the app's bootstrap and then implement the methods
+ * over that cache.
+ *
+ * `set` is called after every successful sign-in / sign-up / Google
+ * callback exchange. `clear` is called on `signOut`. `get` is called by
+ * `getCurrentSession()` and may also be called by the app on boot.
+ */
+export interface AithosSessionStore {
+    /** Read the persisted session. Return null if none, or if it's expired. */
+    get(): AithosSession | null;
+    /** Persist the session. Implementations should not throw — at worst
+     *  they should warn and silently no-op (e.g. quota exceeded). */
+    set(session: AithosSession): void;
+    /** Wipe the persisted session. */
+    clear(): void;
+}
+/**
+ * Storage key used by the bundled stores. Apps that want to coexist with
+ * other Aithos-aware libs (or that want to scope sessions per-tenant) can
+ * pass a custom key via {@link sessionStorageStore} or
+ * {@link localStorageStore}.
+ */
+export declare const DEFAULT_SESSION_STORAGE_KEY = "aithos.session.v1";
+interface WebStorageStoreOptions {
+    /** Storage key. Defaults to {@link DEFAULT_SESSION_STORAGE_KEY}. */
+    readonly key?: string;
+}
+/**
+ * Default web store : `sessionStorage`. The session lives until the tab
+ * is closed. Cleared on `signOut()`. Use this when reauthenticating each
+ * day is acceptable and reduces blast radius after an XSS.
+ */
+export declare function sessionStorageStore(opts?: WebStorageStoreOptions): AithosSessionStore;
+/**
+ * `localStorage` store. The session persists until the JWT expires or the
+ * user explicitly signs out. Higher convenience, larger XSS blast radius.
+ */
+export declare function localStorageStore(opts?: WebStorageStoreOptions): AithosSessionStore;
+/**
+ * No-op store. `set` and `clear` discard their input ; `get` always
+ * returns null. The default in non-browser contexts (Node, edge runtimes)
+ * — apps running there should pass their own store explicitly.
+ */
+export declare function noopStore(): AithosSessionStore;
+/**
+ * Pick a sensible default : `sessionStorage` if the browser environment
+ * is available, {@link noopStore} otherwise.
+ */
+export declare function defaultSessionStore(): AithosSessionStore;
+export {};
+//# sourceMappingURL=session-store.d.ts.map