@aithos/sdk 0.1.0-alpha.4 → 0.1.0-alpha.41

package/dist/test/signup-bootstrap.test.js

@@ -0,0 +1,311 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for the Ethos bootstrap step inside AithosAuth.signUp().
+//
+// The contract:
+//   1. POST /auth/register → creates the auth user (auth.aithos.be).
+//   2. POST /mcp/primitives/write with method=aithos.publish_identity →
+//      provisions the user's Ethos on api.aithos.be.
+//   3. Hydrate local state ONLY after both steps succeed.
+//
+// Failure modes:
+//   - register fails  → throw, no publish_identity attempted, no hydrate.
+//   - publish_identity rejected (JSON-RPC error) → throw immediately,
+//     no retry, no hydrate.
+//   - publish_identity 5xx / network error → 2 retries with backoff,
+//     then throw `ethos_bootstrap_failed` if all fail.
+//
+// We mock fetch end-to-end so the tests run offline. The protocol-client
+// crypto runs for real — we want to assert that the envelope shape coming
+// out of the SDK matches what api.aithos.be will accept.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { AithosAuth, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+function makeMockFetch(handlers) {
+    const calls = [];
+    const fetchImpl = (async (input, init) => {
+        const url = String(input);
+        const method = init?.method ?? "GET";
+        const bodyText = typeof init?.body === "string"
+            ? init.body
+            : init?.body == null
+                ? null
+                : String(init.body);
+        const body = bodyText ? JSON.parse(bodyText) : null;
+        const call = { url, method, body };
+        calls.push(call);
+        for (const h of handlers) {
+            if (!url.includes(h.url))
+                continue;
+            if (h.method && h.method !== method)
+                continue;
+            if (h.remaining !== undefined && h.remaining <= 0)
+                continue;
+            if (h.remaining !== undefined)
+                h.remaining--;
+            const out = await h.respond(call);
+            const status = out.status ?? 200;
+            return new Response(JSON.stringify(out.json), {
+                status,
+                headers: { "content-type": "application/json" },
+            });
+        }
+        throw new Error(`unhandled fetch: ${method} ${url}`);
+    });
+    return { fetch: fetchImpl, calls };
+}
+function fakeRegisterOk() {
+    return {
+        json: {
+            session: "jwt-token-here",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        },
+    };
+}
+function fakePublishIdentityOk() {
+    return {
+        json: {
+            jsonrpc: "2.0",
+            id: "publish_identity",
+            result: { ok: true, did_document_url: "https://cdn.aithos.be/ethos/zABC/did.json" },
+        },
+    };
+}
+function makeAuth(fetchImpl) {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        apiBaseUrl: "https://api.test",
+        fetch: fetchImpl,
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+}
+const validInput = {
+    email: "alice@test.example",
+    password: "correct horse battery staple",
+    handle: "alice",
+};
+/* -------------------------------------------------------------------------- */
+/*  Happy path                                                                */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signUp — Ethos bootstrap", () => {
+    it("calls /auth/register THEN /mcp/primitives/write with publish_identity", async () => {
+        const { fetch: f, calls } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: fakePublishIdentityOk,
+            },
+        ]);
+        const auth = makeAuth(f);
+        const r = await auth.signUp(validInput);
+        assert.equal(calls.length, 2, "should make exactly 2 calls");
+        assert.match(calls[0].url, /\/auth\/register$/);
+        assert.match(calls[1].url, /\/mcp\/primitives\/write$/);
+        assert.ok(r.session.session === "jwt-token-here");
+        assert.ok(auth.canSignAsOwner(), "must be hydrated as owner");
+    });
+    it("envelope is JSON-RPC publish_identity, signed by #root, with valid params", async () => {
+        let publishBody = null;
+        const { fetch: f } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: (call) => {
+                    publishBody = call.body;
+                    return fakePublishIdentityOk();
+                },
+            },
+        ]);
+        await makeAuth(f).signUp(validInput);
+        // JSON-RPC envelope shape
+        assert.equal(publishBody.jsonrpc, "2.0");
+        assert.equal(publishBody.method, "aithos.publish_identity");
+        // params include the inline _envelope and the publish_identity payload
+        const params = publishBody.params;
+        assert.equal(typeof params.handle, "string");
+        assert.equal(params.handle, "alice");
+        assert.equal(typeof params.display_name, "string");
+        assert.ok(params.did_document, "did_document must be present");
+        assert.ok(params._envelope, "_envelope must be present");
+        // envelope is signed by #root
+        const env = params._envelope;
+        assert.equal(env["aithos-envelope"], "0.1.0");
+        assert.match(env.iss, /^did:aithos:/);
+        assert.equal(env.method, "aithos.publish_identity");
+        assert.equal(env.aud, "https://api.test/mcp/primitives/write");
+        assert.equal(env.proof.type, "Ed25519Signature2020");
+        assert.match(env.proof.verificationMethod, /#root$/);
+        assert.equal(typeof env.proof.proofValue, "string");
+        assert.ok(env.proof.proofValue.length > 0);
+    });
+    it("does NOT hydrate state when /auth/register fails", async () => {
+        const { fetch: f, calls } = makeMockFetch([
+            {
+                url: "/auth/register",
+                method: "POST",
+                respond: () => ({
+                    status: 409,
+                    json: { error: "email_taken" },
+                }),
+            },
+        ]);
+        const auth = makeAuth(f);
+        await assert.rejects(() => auth.signUp(validInput), AithosSDKError);
+        assert.equal(calls.length, 1, "publish_identity must NOT be called");
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    it("does NOT hydrate state when publish_identity returns a JSON-RPC error", async () => {
+        const { fetch: f, calls } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: () => ({
+                    json: {
+                        jsonrpc: "2.0",
+                        id: "publish_identity",
+                        error: { code: -32600, message: "invalid envelope signature" },
+                    },
+                }),
+            },
+        ]);
+        const auth = makeAuth(f);
+        await assert.rejects(() => auth.signUp(validInput), (e) => e instanceof AithosSDKError && e.code === "ethos_bootstrap_failed");
+        // No retry on JSON-RPC error: 1 register + 1 publish.
+        assert.equal(calls.length, 2);
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    it("retries publish_identity on 5xx, then succeeds", async () => {
+        let publishCalls = 0;
+        const { fetch: f } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: () => {
+                    publishCalls++;
+                    if (publishCalls < 2) {
+                        return { status: 503, json: { error: "transient" } };
+                    }
+                    return fakePublishIdentityOk();
+                },
+            },
+        ]);
+        const auth = makeAuth(f);
+        await auth.signUp(validInput);
+        assert.equal(publishCalls, 2);
+        assert.ok(auth.canSignAsOwner());
+    });
+    it("throws ethos_bootstrap_failed after all retries fail with 5xx", async () => {
+        let publishCalls = 0;
+        const { fetch: f } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: () => {
+                    publishCalls++;
+                    return { status: 503, json: { error: "transient" } };
+                },
+            },
+        ]);
+        const auth = makeAuth(f);
+        await assert.rejects(() => auth.signUp(validInput), (e) => e instanceof AithosSDKError && e.code === "ethos_bootstrap_failed");
+        // 3 attempts total (initial + 2 retries).
+        assert.equal(publishCalls, 3);
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    /* ------------------------------------------------------------------------ */
+    /*  alpha.36 — defense-in-depth for legacy backends without semantic-equal  */
+    /* ------------------------------------------------------------------------ */
+    it("treats -32022 'different did.json already published' as a no-op success", async () => {
+        // This is the regression introduced in alpha.33: republishing the same
+        // identity returns -32022 because `signedDidDocument()` regenerates
+        // `aithos.created_at` on every call. For an honest signer, this is
+        // semantically a no-op — the Ethos is published, crypto material matches.
+        // The SDK swallows this specific case so chatty publish_identity callers
+        // (signInCustodial, verifyEmail) don't break on every subsequent sign-in.
+        const { fetch: f, calls } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: () => ({
+                    json: {
+                        jsonrpc: "2.0",
+                        id: "publish_identity",
+                        error: {
+                            code: -32022,
+                            message: "different did.json already published for this DID",
+                            data: { existing_doc_url: "https://cdn.aithos.be/did.json" },
+                        },
+                    },
+                }),
+            },
+        ]);
+        const auth = makeAuth(f);
+        // Must succeed, not throw — the republish-conflict is masked.
+        await auth.signUp(validInput);
+        // Hydrate worked: owner is loaded.
+        assert.equal(auth.canSignAsOwner(), true);
+        // No retry on -32022 (deterministic) — exactly 1 publish call.
+        assert.equal(calls.filter((c) => c.url.includes("/mcp/primitives/write")).length, 1, "publish_identity must not retry on -32022");
+    });
+    it("still throws ethos_bootstrap_failed on -32022 with a DIFFERENT message", async () => {
+        // The shim is narrow: it ONLY swallows the specific
+        // "different did.json already published" message. Other -32022 cases
+        // (server might use the same code for different semantics) must still
+        // bubble up as ethos_bootstrap_failed.
+        const { fetch: f } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: () => ({
+                    json: {
+                        jsonrpc: "2.0",
+                        id: "publish_identity",
+                        error: {
+                            code: -32022,
+                            message: "subject identity is tombstoned",
+                        },
+                    },
+                }),
+            },
+        ]);
+        const auth = makeAuth(f);
+        await assert.rejects(() => auth.signUp(validInput), (e) => e instanceof AithosSDKError &&
+            e.code === "ethos_bootstrap_failed" &&
+            /tombstoned/i.test(e.message));
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    it("still throws ethos_bootstrap_failed on the conflict message under a different code", async () => {
+        // Conversely, an error matching the message but with a code OTHER than
+        // -32022 is not swallowed — we anchor on both (code, message) to keep
+        // the shim narrow.
+        const { fetch: f } = makeMockFetch([
+            { url: "/auth/register", method: "POST", respond: fakeRegisterOk },
+            {
+                url: "/mcp/primitives/write",
+                method: "POST",
+                respond: () => ({
+                    json: {
+                        jsonrpc: "2.0",
+                        id: "publish_identity",
+                        error: {
+                            code: -32000,
+                            message: "different did.json already published for this DID",
+                        },
+                    },
+                }),
+            },
+        ]);
+        const auth = makeAuth(f);
+        await assert.rejects(() => auth.signUp(validInput), (e) => e instanceof AithosSDKError && e.code === "ethos_bootstrap_failed");
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+});
+//# sourceMappingURL=signup-bootstrap.test.js.map

package/dist/test/wallet.test.js

@@ -4,12 +4,23 @@
 import { strict as assert } from "node:assert";
 import { describe, it } from "node:test";
 import { createBrowserIdentity } from "@aithos/protocol-client";
-import { AithosSDK, AithosSDKError } from "../src/index.js";
+import { AithosAuth, AithosSDK, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
 const APP_DID = "did:aithos:app:test";
-function makeSdk(fetchImpl) {
-    const identity = createBrowserIdentity("test-handle", "Test User");
+async function makeSdk(fetchImpl) {
+    const id = createBrowserIdentity("test-handle", "Test User");
+    const auth = new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("auth not used in wallet tests");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+    const { text } = serializeRecoveryFile(id);
+    await auth.signInWithRecovery({ file: text });
     return new AithosSDK({
-        identity,
+        auth,
         appDid: APP_DID,
         endpoints: { wallet: "https://wallet.example.test" },
         fetch: fetchImpl,
@@ -27,7 +38,7 @@ describe("wallet.createTopupSession — happy path", () => {
                 session_id: "cs_test_xyz",
             }), { status: 200, headers: { "content-type": "application/json" } });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         const out = await sdk.wallet.createTopupSession({
             packId: "credits-1m",
             successUrl: "https://app.example.com/?topup=success",
@@ -47,7 +58,7 @@ describe("wallet.createTopupSession — errors", () => {
         const fakeFetch = async () => {
             throw new TypeError("Failed to fetch");
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.wallet.createTopupSession({
             packId: "credits-100k",
             successUrl: "https://app.example.com/?ok",
@@ -60,7 +71,7 @@ describe("wallet.createTopupSession — errors", () => {
     });
     it("surfaces the proxy's structured error (error/detail) on a 4xx", async () => {
         const fakeFetch = async () => new Response(JSON.stringify({ error: "unknown_pack", pack_id: "credits-9999" }), { status: 400, headers: { "content-type": "application/json" } });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.wallet.createTopupSession({
             // @ts-expect-error: deliberately invalid pack id
             packId: "credits-9999",
@@ -78,7 +89,7 @@ describe("wallet.createTopupSession — errors", () => {
             status: 500,
             headers: { "content-type": "text/html" },
         });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.wallet.createTopupSession({
             packId: "credits-100k",
             successUrl: "https://app.example.com/?ok",
@@ -95,7 +106,7 @@ describe("wallet.createTopupSession — errors", () => {
             status: 200,
             headers: { "content-type": "application/json" },
         });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.wallet.createTopupSession({
             packId: "credits-100k",
             successUrl: "https://app.example.com/?ok",

package/dist/test/web.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=web.test.d.ts.map

package/dist/test/web.test.js

@@ -0,0 +1,270 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Unit tests for sdk.web.extract with a mock fetch.
+//
+// Mirrors test/compute.test.ts: real BrowserIdentity (synchronous Ed25519)
+// so the envelope-signing path runs for real and any
+// signature/canonicalization regression surfaces here.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDK, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
+const APP_DID = "did:aithos:app:test";
+async function makeSdk(fetchImpl) {
+    const id = createBrowserIdentity("test-handle", "Test User");
+    const auth = new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("auth not used in web tests");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+    const { text } = serializeRecoveryFile(id);
+    await auth.signInWithRecovery({ file: text });
+    return new AithosSDK({
+        auth,
+        appDid: APP_DID,
+        endpoints: { web: "https://extract.example.test" },
+        fetch: fetchImpl,
+    });
+}
+const HAPPY_RESULT = {
+    data: {
+        url: "https://example.com",
+        final_url: "https://example.com/",
+        fetched_at: "2026-05-13T05:30:00.000Z",
+        render_ms: 1234,
+        meta: {
+            title: "Example",
+            description: null,
+            lang: "en",
+            charset: "UTF-8",
+            viewport: null,
+            canonical: null,
+            og: {},
+        },
+        structure: { headings: [], sections: [], nav_links: [], forms: [] },
+        content: {
+            main_html: "<main>hi</main>",
+            main_text: "hi",
+            images: [],
+            links: { internal: [], external: [] },
+        },
+        styles: { css: "", inline_styles_count: 0 },
+        visual_signature: {
+            colors: {
+                palette: [],
+                background: "#ffffff",
+                text: "#000000",
+                primary: null,
+                link: null,
+            },
+            typography: {
+                heading_font: null,
+                body_font: "sans-serif",
+                size_scale: [],
+                base_size_px: 16,
+                base_line_height: 1.5,
+            },
+            radii: { button: null, input: null, card: null },
+            spacing: { base_unit_px: null, common_gaps_px: [] },
+            layout: { max_content_width_px: null, mode: "block" },
+            components: { buttons: [], inputs: [], cards: [] },
+        },
+        logo: null,
+    },
+    creditsCharged: 1,
+    walletBalance: 99_999,
+    auditId: "audit-web-1",
+};
+describe("web.extract — happy path", () => {
+    it("posts to ${web}/v1/invoke with a JSON-RPC envelope and parses the result", async () => {
+        let capturedUrl;
+        let capturedInit;
+        const fakeFetch = async (input, init) => {
+            capturedUrl = typeof input === "string" ? input : input.toString();
+            capturedInit = init;
+            return new Response(JSON.stringify({ result: HAPPY_RESULT }), {
+                status: 200,
+                headers: { "content-type": "application/json" },
+            });
+        };
+        const sdk = await makeSdk(fakeFetch);
+        const out = await sdk.web.extract({ url: "https://example.com" });
+        assert.deepEqual(out, HAPPY_RESULT);
+        assert.equal(capturedUrl, "https://extract.example.test/v1/invoke");
+        assert.equal(capturedInit?.method, "POST");
+        const headers = capturedInit?.headers;
+        assert.equal(headers["content-type"], "application/json");
+        const body = JSON.parse(capturedInit?.body);
+        assert.equal(body.jsonrpc, "2.0");
+        assert.equal(body.method, "aithos.web_extract");
+        assert.equal(body.params.url, "https://example.com");
+        assert.equal(body.params.app_did, APP_DID);
+        assert.ok(typeof body.params.mandate_id === "string");
+        assert.ok(body.params.mandate_id.length > 0);
+        assert.ok(body.params._envelope, "request must carry a signed envelope");
+    });
+    it("forwards waitUntil and timeoutMs as snake_case-free params", async () => {
+        let capturedBody;
+        const fakeFetch = async (_input, init) => {
+            capturedBody = JSON.parse(init.body);
+            return new Response(JSON.stringify({ result: HAPPY_RESULT }), {
+                status: 200,
+                headers: { "content-type": "application/json" },
+            });
+        };
+        const sdk = await makeSdk(fakeFetch);
+        await sdk.web.extract({
+            url: "https://example.com",
+            waitUntil: "domcontentloaded",
+            timeoutMs: 5000,
+        });
+        assert.equal(capturedBody?.params.waitUntil, "domcontentloaded");
+        assert.equal(capturedBody?.params.timeoutMs, 5000);
+    });
+});
+describe("web.extract — error mapping", () => {
+    it("propagates -32071 insufficient_balance as AithosSDKError with data", async () => {
+        const fakeFetch = async () => new Response(JSON.stringify({
+            error: {
+                code: -32071,
+                message: "Insufficient balance",
+                data: { required: 1, available: 0 },
+            },
+        }), { status: 200, headers: { "content-type": "application/json" } });
+        const sdk = await makeSdk(fakeFetch);
+        await assert.rejects(() => sdk.web.extract({ url: "https://example.com" }), (err) => {
+            assert.ok(err instanceof AithosSDKError);
+            assert.equal(err.code, "-32071");
+            const data = err.data;
+            assert.equal(data?.required, 1);
+            assert.equal(data?.available, 0);
+            return true;
+        });
+    });
+    it("propagates -32042 scope mismatch as AithosSDKError", async () => {
+        const fakeFetch = async () => new Response(JSON.stringify({
+            error: {
+                code: -32042,
+                message: "mandate does not carry the web.extract scope",
+                data: {
+                    mandate_id: "mandate:abc",
+                    required_scope: "web.extract",
+                },
+            },
+        }), { status: 200, headers: { "content-type": "application/json" } });
+        const sdk = await makeSdk(fakeFetch);
+        await assert.rejects(() => sdk.web.extract({ url: "https://example.com" }), (err) => {
+            assert.ok(err instanceof AithosSDKError);
+            assert.equal(err.code, "-32042");
+            return true;
+        });
+    });
+    it("rejects HTTP transport errors as AithosSDKError code=http", async () => {
+        const fakeFetch = async () => new Response("upstream is down", { status: 502 });
+        const sdk = await makeSdk(fakeFetch);
+        await assert.rejects(() => sdk.web.extract({ url: "https://example.com" }), (err) => {
+            assert.ok(err instanceof AithosSDKError);
+            assert.equal(err.code, "http");
+            return true;
+        });
+    });
+});
+describe("web.extract — endpoint default", () => {
+    it("defaults to https://extract.aithos.be when no override is given", async () => {
+        let capturedUrl;
+        const fakeFetch = async (input) => {
+            capturedUrl = typeof input === "string" ? input : input.toString();
+            return new Response(JSON.stringify({ result: HAPPY_RESULT }), {
+                status: 200,
+                headers: { "content-type": "application/json" },
+            });
+        };
+        const id = createBrowserIdentity("test-handle", "Test User");
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.test",
+            fetch: (() => {
+                throw new Error("auth not used");
+            }),
+            sessionStore: noopStore(),
+            keyStore: memoryKeyStore(),
+        });
+        const { text } = serializeRecoveryFile(id);
+        await auth.signInWithRecovery({ file: text });
+        const sdk = new AithosSDK({
+            auth,
+            appDid: APP_DID,
+            fetch: fakeFetch,
+        });
+        await sdk.web.extract({ url: "https://example.com" });
+        assert.equal(capturedUrl, "https://extract.aithos.be/v1/invoke");
+    });
+});
+describe("web.fetchAsset — happy path", () => {
+    it("posts to ${web}/v1/invoke with method aithos.web_fetch_asset", async () => {
+        let capturedUrl;
+        let capturedInit;
+        const fakeResult = {
+            data: {
+                url: "https://example.com/logo.png",
+                final_url: "https://example.com/logo.png",
+                content_type: "image/png",
+                size_bytes: 4096,
+                base64: "aGVsbG8K",
+            },
+            creditsCharged: 1,
+            walletBalance: 99_998,
+            auditId: "audit-asset-1",
+        };
+        const fakeFetch = async (input, init) => {
+            capturedUrl = typeof input === "string" ? input : input.toString();
+            capturedInit = init;
+            return new Response(JSON.stringify({ result: fakeResult }), {
+                status: 200,
+                headers: { "content-type": "application/json" },
+            });
+        };
+        const sdk = await makeSdk(fakeFetch);
+        const out = await sdk.web.fetchAsset({ url: "https://example.com/logo.png" });
+        assert.deepEqual(out, fakeResult);
+        assert.equal(capturedUrl, "https://extract.example.test/v1/invoke");
+        const body = JSON.parse(capturedInit?.body);
+        assert.equal(body.method, "aithos.web_fetch_asset");
+        assert.equal(body.params.url, "https://example.com/logo.png");
+        assert.equal(body.params.app_did, APP_DID);
+        assert.ok(typeof body.params.mandate_id === "string");
+        assert.ok(body.params._envelope, "request must carry a signed envelope");
+    });
+});
+describe("web.fetchAsset — error propagation", () => {
+    it("propagates -32071 insufficient_balance as AithosSDKError", async () => {
+        const fakeFetch = async () => new Response(JSON.stringify({
+            error: {
+                code: -32071,
+                message: "Insufficient balance",
+                data: { required: 1, available: 0 },
+            },
+        }), { status: 200, headers: { "content-type": "application/json" } });
+        const sdk = await makeSdk(fakeFetch);
+        await assert.rejects(() => sdk.web.fetchAsset({ url: "https://example.com/logo.png" }), (err) => {
+            assert.ok(err instanceof AithosSDKError);
+            assert.equal(err.code, "-32071");
+            return true;
+        });
+    });
+    it("propagates -32000 upstream fetch failure as AithosSDKError", async () => {
+        const fakeFetch = async () => new Response(JSON.stringify({
+            error: { code: -32000, message: "Asset fetch failed", data: { reason: "upstream HTTP 404" } },
+        }), { status: 200, headers: { "content-type": "application/json" } });
+        const sdk = await makeSdk(fakeFetch);
+        await assert.rejects(() => sdk.web.fetchAsset({ url: "https://example.com/missing.png" }), (err) => {
+            assert.ok(err instanceof AithosSDKError);
+            assert.equal(err.code, "-32000");
+            return true;
+        });
+    });
+});
+//# sourceMappingURL=web.test.js.map