@aithos/sdk 0.1.0-alpha.3 → 0.1.0-alpha.5

package/dist/src/wallet.js

@@ -13,8 +13,9 @@
 //     compute proxy at `${compute}/v1/invoke`. Read-only DDB GetItem on
 //     the wallet table, gated by the same signed envelope verification
 //     as compute_invoke. Returns the current balance + daily spent.
-import { buildSignedEnvelope, } from "@aithos/protocol-client";
+import { buildSignedEnvelope } from "@aithos/protocol-client";
 import { computeInvokeUrl, walletTopupCheckoutUrl, } from "./endpoints.js";
+import { ownerKeyPair } from "./internal/protocol-client-bridge.js";
 import { AithosSDKError } from "./types.js";
 /**
  * `sdk.wallet` namespace.
@@ -29,12 +30,16 @@ export class WalletNamespace {
      * hosted URL — the caller is responsible for redirecting the user (e.g.
      * `window.location.href = result.checkoutUrl`).
      *
-     * On success, the Stripe webhook will credit `userDid`'s wallet once the
+     * On success, the Stripe webhook will credit the user's wallet once the
      * payment clears. Wallet balances are shared across all Aithos apps that
      * use the same DID.
      */
     async createTopupSession(args) {
-        const { userDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const { auth, endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("sdk_no_owner", "no owner signed in; sign in first");
+        }
         const url = walletTopupCheckoutUrl(endpoints);
         let res;
         try {
@@ -42,7 +47,7 @@ export class WalletNamespace {
                 method: "POST",
                 headers: { "content-type": "application/json" },
                 body: JSON.stringify({
-                    user_did: userDid,
+                    user_did: owner.did,
                     pack_id: args.packId,
                     success_url: args.successUrl,
                     cancel_url: args.cancelUrl,
@@ -88,16 +93,21 @@ export class WalletNamespace {
      *   envelope-verify failures from the proxy).
      */
     async getBalance(args = {}) {
-        const { identity, appDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const { auth, appDid, endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("sdk_no_owner", "no owner signed in; sign in first");
+        }
+        const publicKp = ownerKeyPair(owner, "public");
         const url = computeInvokeUrl(endpoints);
         const params = { app_did: appDid };
         const envelope = buildSignedEnvelope({
-            iss: identity.did,
+            iss: owner.did,
             aud: url,
             method: "aithos.wallet_get_balance",
-            verificationMethod: `${identity.did}#public`,
+            verificationMethod: `${owner.did}#public`,
             params,
-            signer: identity.public,
+            signer: publicKp,
         });
         let res;
         try {

package/dist/test/auth-j3.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth-j3.test.d.ts.map

package/dist/test/auth-j3.test.js

@@ -0,0 +1,360 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for J3 — KeyStore integration, signInWithRecovery,
+// importMandate, resume(), signOut(), state accessors.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { parseDelegateBundle, readDelegateBundleText, } from "../src/internal/delegate-bundle.js";
+import { parseRecoveryFile, serializeRecoveryFile, } from "../src/internal/recovery-file.js";
+/* -------------------------------------------------------------------------- */
+/*  Test helpers                                                              */
+/* -------------------------------------------------------------------------- */
+function makeAuth(opts = {}) {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("network not expected in this test");
+        }),
+        sessionStore: opts.sessionStore ?? noopStore(),
+        keyStore: opts.keyStore ?? memoryKeyStore(),
+    });
+}
+/** Build a recovery-file JSON string from a fresh BrowserIdentity. */
+function recoveryTextFor(handle, displayName) {
+    const id = createBrowserIdentity(handle, displayName);
+    const { text } = serializeRecoveryFile(id);
+    return { text, did: id.did };
+}
+function delegateBundleText(args) {
+    return JSON.stringify({
+        aithos_delegate_version: "0.1.0",
+        mandate: {
+            id: args.mandateId,
+            subject_did: args.subjectDid,
+            grantee: {
+                id: args.granteeId,
+                pubkey: args.granteePubkeyMultibase ?? "z6MkqGenericPubKey",
+            },
+            scopes: args.scopes ?? ["ethos.read.public"],
+        },
+        delegate_seed_hex: "11".repeat(32),
+    });
+}
+/* -------------------------------------------------------------------------- */
+/*  parseRecoveryFile / serializeRecoveryFile                                 */
+/* -------------------------------------------------------------------------- */
+describe("recovery file: parse + serialize", () => {
+    it("round-trips a fresh identity", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const { text } = serializeRecoveryFile(id);
+        const parsed = parseRecoveryFile(text);
+        assert.equal(parsed.did, id.did);
+        assert.equal(parsed.handle, id.handle);
+        assert.equal(parsed.displayName, id.displayName);
+        assert.equal(parsed.seedsHex.root.length, 64);
+    });
+    it("accepts the runOnboarding shape (warning + created_at)", () => {
+        const id = createBrowserIdentity("bob", "Bob");
+        const text = JSON.stringify({
+            aithos_recovery_version: "0.1.0-plaintext",
+            warning: "this is plaintext, store offline",
+            handle: id.handle,
+            display_name: id.displayName,
+            did: id.did,
+            created_at: new Date().toISOString(),
+            seeds_hex: {
+                root: bytesToHex(id.root.seed),
+                public: bytesToHex(id.public.seed),
+                circle: bytesToHex(id.circle.seed),
+                self: bytesToHex(id.self.seed),
+            },
+            public_keys_multibase: {},
+        });
+        const parsed = parseRecoveryFile(text);
+        assert.equal(parsed.did, id.did);
+    });
+    it("rejects unsupported versions", () => {
+        assert.throws(() => parseRecoveryFile(JSON.stringify({ aithos_recovery_version: "9.9.9" })), (e) => e instanceof AithosSDKError && e.code === "auth_invalid_recovery_file");
+    });
+    it("rejects malformed seeds", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const { text } = serializeRecoveryFile(id);
+        const obj = JSON.parse(text);
+        obj.seeds_hex.root = "not hex";
+        assert.throws(() => parseRecoveryFile(JSON.stringify(obj)), AithosSDKError);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  parseDelegateBundle                                                       */
+/* -------------------------------------------------------------------------- */
+describe("delegate bundle: parse", () => {
+    it("parses a well-formed bundle", () => {
+        const text = delegateBundleText({
+            mandateId: "mandate:01H8XYZ",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:bob1",
+            scopes: ["ethos.read.public", "ethos.write.public"],
+        });
+        const parsed = parseDelegateBundle(text);
+        assert.equal(parsed.mandateId, "mandate:01H8XYZ");
+        assert.equal(parsed.subjectDid, "did:aithos:zCarol");
+        assert.equal(parsed.granteeId, "urn:aithos:agent:bob1");
+        assert.equal(parsed.delegateSeedHex.length, 64);
+    });
+    it("readDelegateBundleText accepts string passthrough", async () => {
+        const text = delegateBundleText({
+            mandateId: "m",
+            subjectDid: "did:aithos:z",
+            granteeId: "urn:x",
+        });
+        assert.equal(await readDelegateBundleText(text), text);
+    });
+    it("rejects missing mandate", () => {
+        assert.throws(() => parseDelegateBundle(JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            delegate_seed_hex: "11".repeat(32),
+        })), AithosSDKError);
+    });
+    it("rejects malformed delegate seed", () => {
+        assert.throws(() => parseDelegateBundle(JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            mandate: {
+                id: "m",
+                subject_did: "did:aithos:z",
+                grantee: { id: "u", pubkey: "z6MkXYZ" },
+            },
+            delegate_seed_hex: "not hex",
+        })), AithosSDKError);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — recovery sign-in                                             */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signInWithRecovery", () => {
+    it("hydrates owner signers + persists to keyStore (no JWT)", async () => {
+        const keyStore = memoryKeyStore();
+        const sessionStore = noopStore();
+        const auth = makeAuth({ sessionStore, keyStore });
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.getOwnerInfo(), null);
+        const { text } = recoveryTextFor("alice", "Alice");
+        const info = await auth.signInWithRecovery({ file: text });
+        assert.equal(info.handle, "alice");
+        assert.equal(auth.canSignAsOwner(), true);
+        assert.equal(auth.getOwnerInfo()?.did, info.did);
+        assert.equal(auth.getCurrentSession(), null, "no JWT for recovery flow");
+        const persisted = await keyStore.loadOwner();
+        assert.equal(persisted?.did, info.did);
+    });
+    it("rejects loading a different owner without signOut first", async () => {
+        const auth = makeAuth();
+        const a = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: a.text });
+        const b = recoveryTextFor("bob", "Bob");
+        await assert.rejects(() => auth.signInWithRecovery({ file: b.text }), (e) => e instanceof AithosSDKError && e.code === "auth_owner_already_loaded");
+    });
+    it("clears any stale JWT to keep stores in sync", async () => {
+        const keyStore = memoryKeyStore();
+        let stored = {
+            session: "stale-jwt",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zStale",
+            handle: "stale",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => stored,
+            set: (s) => {
+                stored = s;
+            },
+            clear: () => {
+                stored = null;
+            },
+        };
+        const auth = makeAuth({ sessionStore, keyStore });
+        const { text } = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: text });
+        assert.equal(stored, null, "stale JWT must be wiped");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — importMandate                                                */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.importMandate", () => {
+    it("registers a delegate, lists it, removes it", async () => {
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore });
+        const text = delegateBundleText({
+            mandateId: "mandate:A",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:bob1",
+            scopes: ["ethos.read.circle"],
+        });
+        const info = await auth.importMandate({ bundle: text });
+        assert.equal(info.mandateId, "mandate:A");
+        assert.equal(info.subjectDid, "did:aithos:zCarol");
+        assert.deepEqual(info.scopes, ["ethos.read.circle"]);
+        const list = auth.getDelegates();
+        assert.equal(list.length, 1);
+        assert.equal(list[0]?.mandateId, "mandate:A");
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zCarol"), true);
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zNobody"), false);
+        await auth.removeMandate("mandate:A");
+        assert.equal(auth.getDelegates().length, 0);
+        assert.equal((await keyStore.listDelegates()).length, 0);
+    });
+    it("works without an owner loaded (delegate-only session)", async () => {
+        const auth = makeAuth();
+        assert.equal(auth.canSignAsOwner(), false);
+        const text = delegateBundleText({
+            mandateId: "mandate:Solo",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:solo1",
+        });
+        await auth.importMandate({ bundle: text });
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zCarol"), true);
+    });
+    it("re-importing the same mandate replaces the prior actor", async () => {
+        const auth = makeAuth();
+        const text = delegateBundleText({
+            mandateId: "mandate:R",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:r",
+        });
+        await auth.importMandate({ bundle: text });
+        await auth.importMandate({ bundle: text });
+        assert.equal(auth.getDelegates().length, 1);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — resume()                                                     */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.resume", () => {
+    it("rehydrates owner + delegates from keyStore on a fresh instance", async () => {
+        const keyStore = memoryKeyStore();
+        const sessionStore = noopStore();
+        // Seed the stores via a first auth instance.
+        {
+            const auth1 = makeAuth({ keyStore, sessionStore });
+            const { text: rt } = recoveryTextFor("alice", "Alice");
+            await auth1.signInWithRecovery({ file: rt });
+            const dt = delegateBundleText({
+                mandateId: "mandate:M1",
+                subjectDid: "did:aithos:zCarol",
+                granteeId: "urn:x",
+            });
+            await auth1.importMandate({ bundle: dt });
+        }
+        // Fresh instance, same stores → resume() must reload everything.
+        const auth2 = makeAuth({ keyStore, sessionStore });
+        assert.equal(auth2.canSignAsOwner(), false, "before resume, in-memory only");
+        await auth2.resume();
+        assert.equal(auth2.canSignAsOwner(), true);
+        assert.equal(auth2.getOwnerInfo()?.handle, "alice");
+        assert.equal(auth2.getDelegates().length, 1);
+        assert.equal(auth2.canSignAsDelegateFor("did:aithos:zCarol"), true);
+    });
+    it("strict mode: JWT in sessionStore but no owner in keyStore → wipes JWT", async () => {
+        let jwt = {
+            session: "j",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zGhost",
+            handle: "ghost",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => jwt,
+            set: (s) => {
+                jwt = s;
+            },
+            clear: () => {
+                jwt = null;
+            },
+        };
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore, sessionStore });
+        await auth.resume();
+        assert.equal(jwt, null, "out-of-sync JWT must be cleared");
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    it("strict mode: JWT and owner disagree on DID → wipes JWT only", async () => {
+        const keyStore = memoryKeyStore();
+        const { text } = recoveryTextFor("alice", "Alice");
+        // Seed the keystore with alice via one instance.
+        {
+            const auth1 = makeAuth({ keyStore });
+            await auth1.signInWithRecovery({ file: text });
+        }
+        // Now plant a JWT for a DIFFERENT DID in the session store.
+        let jwt = {
+            session: "j",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zSomeoneElse",
+            handle: "someone",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => jwt,
+            set: (s) => {
+                jwt = s;
+            },
+            clear: () => {
+                jwt = null;
+            },
+        };
+        const auth2 = makeAuth({ keyStore, sessionStore });
+        await auth2.resume();
+        assert.equal(jwt, null, "mismatched JWT must be wiped");
+        // Owner is preserved (it's the source of truth in strict mode).
+        assert.equal(auth2.canSignAsOwner(), true);
+        assert.equal(auth2.getOwnerInfo()?.handle, "alice");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — signOut                                                      */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signOut", () => {
+    it("wipes both stores and in-memory state", async () => {
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore });
+        const { text } = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: text });
+        const dt = delegateBundleText({
+            mandateId: "mandate:X",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:x",
+        });
+        await auth.importMandate({ bundle: dt });
+        await auth.signOut();
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.getOwnerInfo(), null);
+        assert.equal(auth.getDelegates().length, 0);
+        assert.equal(await keyStore.loadOwner(), null);
+        assert.equal((await keyStore.listDelegates()).length, 0);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Helpers                                                                   */
+/* -------------------------------------------------------------------------- */
+function bytesToHex(b) {
+    let out = "";
+    for (let i = 0; i < b.length; i++)
+        out += b[i].toString(16).padStart(2, "0");
+    return out;
+}
+//# sourceMappingURL=auth-j3.test.js.map

package/dist/test/compute.test.js

@@ -9,12 +9,23 @@
 import { strict as assert } from "node:assert";
 import { describe, it } from "node:test";
 import { createBrowserIdentity } from "@aithos/protocol-client";
-import { AithosSDK, AithosSDKError } from "../src/index.js";
+import { AithosAuth, AithosSDK, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
 const APP_DID = "did:aithos:app:test";
-function makeSdk(fetchImpl) {
-    const identity = createBrowserIdentity("test-handle", "Test User");
+async function makeSdk(fetchImpl) {
+    const id = createBrowserIdentity("test-handle", "Test User");
+    const auth = new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("auth not used in compute tests");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+    const { text } = serializeRecoveryFile(id);
+    await auth.signInWithRecovery({ file: text });
     return new AithosSDK({
-        identity,
+        auth,
         appDid: APP_DID,
         endpoints: { compute: "https://compute.example.test" },
         fetch: fetchImpl,
@@ -40,7 +51,7 @@ describe("compute.invokeBedrock — happy path", () => {
                 headers: { "content-type": "application/json" },
             });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         const out = await sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -71,7 +82,7 @@ describe("compute.invokeBedrock — happy path", () => {
                 headers: { "content-type": "application/json" },
             });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -92,7 +103,7 @@ describe("compute.invokeBedrock — errors", () => {
         const fakeFetch = async () => {
             throw new Error("fetch failed: ECONNREFUSED");
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -106,7 +117,7 @@ describe("compute.invokeBedrock — errors", () => {
     });
     it("wraps an HTTP non-2xx as AithosSDKError(code='http')", async () => {
         const fakeFetch = async () => new Response("nope", { status: 503, statusText: "Service Unavailable" });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -126,7 +137,7 @@ describe("compute.invokeBedrock — errors", () => {
                 data: { balance: 0, required: 1 },
             },
         }), { status: 200, headers: { "content-type": "application/json" } });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -143,7 +154,7 @@ describe("compute.invokeBedrock — errors", () => {
             status: 200,
             headers: { "content-type": "application/json" },
         });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -165,7 +176,7 @@ describe("compute.invokeBedrock — abort", () => {
                 headers: { "content-type": "application/json" },
             });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         const ac = new AbortController();
         await sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",

package/dist/test/ethos.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ethos.test.d.ts.map