@aithos/sdk 0.1.0-alpha.40 → 0.1.0-alpha.42

package/dist/src/apps.d.ts

@@ -0,0 +1,224 @@
+import type { AithosAuth } from "./auth.js";
+import type { AithosSdkEndpoints } from "./endpoints.js";
+/**
+ * The audience set scopes which consumers are eligible. `"open"` lets
+ * any DID invoke the app; `"list"` restricts to an explicit allowlist.
+ */
+export type AudienceSet = "open" | "list";
+export interface SponsorshipBudgetInput {
+    /**
+     * Authority-interpreted unit of account. Default `"aithos.mc"` (the
+     * platform microcredit, ≈ €0.001 of AWS pass-through cost). Authorities
+     * MAY accept other units — see draft §13.3.4.
+     */
+    readonly unit?: string;
+    /** Lifetime cap per consumer, in `unit`. */
+    readonly perUserCap: number;
+    /** If set, the per-user cap applies over a sliding window. */
+    readonly perUserWindowSeconds?: number | null;
+    /** UTC-day cap on total sponsored consumption across all consumers. */
+    readonly perDayTotalCap: number;
+    /** Lifetime pool cap across all consumers. `null` ≡ no cap. */
+    readonly poolCapTotal?: number | null;
+}
+export interface SponsorshipAudienceInput {
+    /** App DID the sponsorship covers (typically `sdk.appDid`). */
+    readonly appDid: string;
+    readonly audienceSet: AudienceSet;
+    /** Required iff `audienceSet === "list"`. */
+    readonly consumers?: readonly string[];
+}
+export interface SponsorshipAccountingAuthorityInput {
+    readonly did: string;
+    readonly endpoint: string;
+}
+export interface CreateSponsorshipMandateArgs {
+    readonly audience: SponsorshipAudienceInput;
+    readonly scopes: readonly string[];
+    readonly allowedMethods: readonly string[];
+    readonly allowedModels?: readonly string[];
+    readonly budget: SponsorshipBudgetInput;
+    readonly accountingAuthority: SponsorshipAccountingAuthorityInput;
+    /** Defaults to now. */
+    readonly notBefore?: Date;
+    /** Defaults to 365 days. */
+    readonly ttlSeconds?: number;
+}
+/**
+ * Signed sponsorship mandate, ready to seed into the authority's
+ * `aithos-app-sponsorships` table. Same shape as
+ * `@aithos/protocol-core`'s `SponsorshipMandate`.
+ */
+export interface SignedSponsorshipMandate {
+    readonly "aithos-sponsorship-mandate": "0.1.0";
+    readonly id: string;
+    readonly issuer: string;
+    readonly issued_by_key: string;
+    readonly audience: {
+        readonly app_did: string;
+        readonly audience_set: AudienceSet;
+        readonly consumers?: readonly string[];
+    };
+    readonly scopes: readonly string[];
+    readonly allowed_methods: readonly string[];
+    readonly allowed_models?: readonly string[];
+    readonly budget: {
+        readonly unit: string;
+        readonly per_user_cap: number;
+        readonly per_user_window_seconds: number | null;
+        readonly per_day_total_cap: number;
+        readonly pool_cap_total: number | null;
+    };
+    readonly accounting_authority: {
+        readonly did: string;
+        readonly endpoint: string;
+    };
+    readonly not_before: string;
+    readonly not_after: string;
+    readonly issued_at: string;
+    readonly nonce: string;
+    readonly signature: {
+        readonly alg: "ed25519";
+        readonly key: string;
+        readonly value: string;
+    };
+}
+export interface SignedSponsorshipRevocation {
+    readonly "aithos-revocation": "0.1.0";
+    readonly mandate_id: string;
+    readonly mandate_kind: "sponsorship-mandate";
+    readonly issuer: string;
+    readonly issued_by_key: string;
+    readonly revoked_at: string;
+    readonly reason: string;
+    readonly signature: {
+        readonly alg: "ed25519";
+        readonly key: string;
+        readonly value: string;
+    };
+}
+export type AppCreditPackId = "app-credits-10k" | "app-credits-50k" | "app-credits-200k";
+export interface CreateAppTopupSessionArgs {
+    /** Which app-credits pack to purchase. */
+    readonly packId: AppCreditPackId;
+    /** Where Stripe redirects after a successful payment. */
+    readonly successUrl: string;
+    /** Where Stripe redirects if the user cancels. */
+    readonly cancelUrl: string;
+    /** Abort signal to cancel the request. */
+    readonly signal?: AbortSignal;
+}
+export interface CreateAppTopupSessionResult {
+    readonly checkoutUrl: string;
+    readonly sessionId: string;
+}
+export interface AppsNamespaceDeps {
+    readonly auth: AithosAuth;
+    readonly appDid: string;
+    readonly endpoints: AithosSdkEndpoints;
+    readonly fetch: typeof fetch;
+}
+export declare class AppsNamespace {
+    #private;
+    constructor(deps: AppsNamespaceDeps);
+    /**
+     * Build and sign a `SponsorshipMandate` as the calling owner. The
+     * returned JSON is signed by the owner's `#public` sphere key, ready
+     * to be seeded into the authority's `aithos-app-sponsorships` table.
+     *
+     * V0.1 has no server endpoint — get the row into DDB via:
+     *   1. `aws dynamodb put-item --table-name aithos-app-sponsorships
+     *      --item file://mandate.json` (raw), or
+     *   2. The ops bootstrap script in
+     *      `innoesate/aithos/platform/scripts/seed-sponsorship.mjs`
+     *      (planned for V0.2).
+     *
+     * Hash with `sponsorshipMandateHash()` from `@aithos/protocol-core`
+     * if you need to embed it in an envelope's `sponsorship.hash` field.
+     */
+    createSponsorshipMandate(args: CreateSponsorshipMandateArgs): Promise<SignedSponsorshipMandate>;
+    /**
+     * Build and sign a §4.6 revocation document targeting a sponsorship
+     * mandate. Same upload caveat as `createSponsorshipMandate`.
+     */
+    revokeSponsorshipMandate(mandate: SignedSponsorshipMandate, reason: string): Promise<SignedSponsorshipRevocation>;
+    /**
+     * Stripe Checkout session for an `app-credits-*` pack. The session is
+     * bound to the calling owner's DID (which is treated as the app's
+     * funding DID — Option A unified wallet, see plan §3.4).
+     *
+     * Same endpoint and auth pattern as `sdk.wallet.createTopupSession`,
+     * just with the app-credits pack id family.
+     */
+    createAppTopupSession(args: CreateAppTopupSessionArgs): Promise<CreateAppTopupSessionResult>;
+    /**
+     * Build, sign, and PUBLISH a SponsorshipMandate to the authority's
+     * `aithos-app-sponsorships` table via `aithos.sponsorship_create`.
+     *
+     * Combines local signing (see {@link createSponsorshipMandate}) with the
+     * server upload step. After this resolves, the sponsorship is active —
+     * the next `sdk.compute.invokeBedrock` call targeting `args.audience.appDid`
+     * may be sponsored (subject to caps).
+     *
+     * Requires that the calling owner is the registered `owner_did` of
+     * `args.audience.appDid` in `aithos-auth-apps`; otherwise the server
+     * rejects with `-32042` "not the owner".
+     */
+    publishSponsorship(args: CreateSponsorshipMandateArgs): Promise<{
+        mandate: SignedSponsorshipMandate;
+        sponsorshipId: string;
+        mandateHash: string;
+        status: "active";
+        createdAt: number;
+    }>;
+    /**
+     * Read the active sponsorship for an app. Open endpoint (no envelope
+     * required): the mandate is publicly signed and resolvable anyway.
+     *
+     * Returns `{ exists: false }` when no row exists for the app.
+     */
+    getSponsorship(args: {
+        appDid: string;
+        signal?: AbortSignal;
+    }): Promise<{
+        exists: false;
+    } | {
+        exists: true;
+        sponsorshipId: string;
+        mandate: SignedSponsorshipMandate;
+        mandateHash: string;
+        status: "active" | "paused" | "depleted" | "expired" | "revoked";
+        poolConsumedLifetime: number;
+        createdAt: number;
+        lastUpdatedAt: number;
+    }>;
+    /**
+     * Revoke a published sponsorship by `app_did` + `sponsorship_id`. The
+     * row is marked `status: "revoked"` server-side; the routing cache is
+     * invalidated so the next compute call falls back to the user wallet.
+     */
+    revokeSponsorship(args: {
+        appDid: string;
+        sponsorshipId: string;
+        reason: string;
+        signal?: AbortSignal;
+    }): Promise<{
+        status: "revoked";
+    }>;
+    /**
+     * Read the app's wallet balance (= the sponsor pool). Requires owner
+     * signature.
+     */
+    getAppWalletBalance(args: {
+        appDid: string;
+        signal?: AbortSignal;
+    }): Promise<{
+        appDid: string;
+        exists: boolean;
+        balance: number;
+        balancePurchase: number;
+        balanceGrant: number;
+        dailySpent: number;
+    }>;
+}
+//# sourceMappingURL=apps.d.ts.map

package/dist/src/apps.js

@@ -0,0 +1,443 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// `sdk.apps` namespace — sponsorship lifecycle for app developers.
+//
+// V0.1 surface (2026-05-27) — minimal but sufficient to bootstrap a free
+// trial flow on Linkedone and similar apps:
+//
+//   createSponsorshipMandate(args)
+//       Build + sign a SponsorshipMandate as the calling owner. Returns
+//       the signed JSON. The caller is responsible for getting the row
+//       into the authority's `aithos-app-sponsorships` table — V0.1 has
+//       no server endpoint for it (manual `aws dynamodb put-item` or a
+//       Terraform-managed seed). V0.2 will add a server endpoint.
+//
+//   revokeSponsorshipMandate(mandate, reason)
+//       Build + sign a §4.6 revocation document targeting the mandate.
+//       Same upload caveat as create — V0.1 has no server endpoint.
+//
+//   createAppTopupSession(args)
+//       Stripe Checkout session for an `app-credits-*` pack. Reuses the
+//       existing wallet-topup endpoint; the difference is the pack id
+//       and the DID being credited (the app's, not the user's).
+//
+// Why no `getSponsorshipStatus*` in V0.1: the read side requires either
+// a CloudFront-fronted read endpoint or direct DDB access. We'll add it
+// in V0.2 once the sponsorship-api Lambda exists; for now, devs check
+// their sponsorship via the AWS Console.
+import { base64url, buildSignedEnvelope, sign } from "@aithos/protocol-client";
+import { computeInvokeUrl, walletTopupCheckoutUrl } from "./endpoints.js";
+import { ownerKeyPair } from "./internal/protocol-client-bridge.js";
+import { AithosSDKError } from "./types.js";
+/* -------------------------------------------------------------------------- */
+/*  Class                                                                     */
+/* -------------------------------------------------------------------------- */
+export class AppsNamespace {
+    #deps;
+    constructor(deps) {
+        this.#deps = deps;
+    }
+    /**
+     * Build and sign a `SponsorshipMandate` as the calling owner. The
+     * returned JSON is signed by the owner's `#public` sphere key, ready
+     * to be seeded into the authority's `aithos-app-sponsorships` table.
+     *
+     * V0.1 has no server endpoint — get the row into DDB via:
+     *   1. `aws dynamodb put-item --table-name aithos-app-sponsorships
+     *      --item file://mandate.json` (raw), or
+     *   2. The ops bootstrap script in
+     *      `innoesate/aithos/platform/scripts/seed-sponsorship.mjs`
+     *      (planned for V0.2).
+     *
+     * Hash with `sponsorshipMandateHash()` from `@aithos/protocol-core`
+     * if you need to embed it in an envelope's `sponsorship.hash` field.
+     */
+    async createSponsorshipMandate(args) {
+        const owner = this.#requireOwner();
+        validateBudget(args.budget);
+        validateAudience(args.audience);
+        if (args.scopes.length === 0) {
+            throw new AithosSDKError("invalid_input", "scopes must be non-empty");
+        }
+        if (args.allowedMethods.length === 0) {
+            throw new AithosSDKError("invalid_input", "allowedMethods must be non-empty");
+        }
+        const nb = args.notBefore ?? new Date();
+        const ttl = args.ttlSeconds ?? 365 * 24 * 3600;
+        const na = new Date(nb.getTime() + ttl * 1000);
+        if (na <= nb) {
+            throw new AithosSDKError("invalid_input", "ttlSeconds must produce not_after > not_before");
+        }
+        const nonce = base64url(randomBytes(9));
+        const unsigned = {
+            "aithos-sponsorship-mandate": "0.1.0",
+            id: `spons_${ulid()}`,
+            issuer: owner.did,
+            issued_by_key: `${owner.did}#public`,
+            audience: {
+                app_did: args.audience.appDid,
+                audience_set: args.audience.audienceSet,
+                ...(args.audience.consumers !== undefined
+                    ? { consumers: [...args.audience.consumers] }
+                    : {}),
+            },
+            scopes: [...args.scopes],
+            allowed_methods: [...args.allowedMethods],
+            ...(args.allowedModels ? { allowed_models: [...args.allowedModels] } : {}),
+            budget: {
+                unit: args.budget.unit ?? "aithos.mc",
+                per_user_cap: args.budget.perUserCap,
+                per_user_window_seconds: args.budget.perUserWindowSeconds === undefined
+                    ? null
+                    : args.budget.perUserWindowSeconds,
+                per_day_total_cap: args.budget.perDayTotalCap,
+                pool_cap_total: args.budget.poolCapTotal === undefined
+                    ? null
+                    : args.budget.poolCapTotal,
+            },
+            accounting_authority: { ...args.accountingAuthority },
+            not_before: nb.toISOString(),
+            not_after: na.toISOString(),
+            issued_at: new Date().toISOString(),
+            nonce,
+            signature: { alg: "ed25519", key: `${owner.did}#public`, value: "" },
+        };
+        const bytes = new TextEncoder().encode(jcsCanonicalize(unsigned));
+        const ownerPub = ownerKeyPair(owner, "public");
+        const sigBytes = sign(bytes, ownerPub.seed);
+        return {
+            ...unsigned,
+            signature: { ...unsigned.signature, value: base64url(sigBytes) },
+        };
+    }
+    /**
+     * Build and sign a §4.6 revocation document targeting a sponsorship
+     * mandate. Same upload caveat as `createSponsorshipMandate`.
+     */
+    async revokeSponsorshipMandate(mandate, reason) {
+        const owner = this.#requireOwner();
+        if (mandate.issuer !== owner.did) {
+            throw new AithosSDKError("invalid_input", `mandate.issuer (${mandate.issuer}) does not match signed-in owner (${owner.did}) — only the sponsor can revoke`);
+        }
+        const unsigned = {
+            "aithos-revocation": "0.1.0",
+            mandate_id: mandate.id,
+            mandate_kind: "sponsorship-mandate",
+            issuer: owner.did,
+            issued_by_key: `${owner.did}#public`,
+            revoked_at: new Date().toISOString(),
+            reason,
+            signature: { alg: "ed25519", key: `${owner.did}#public`, value: "" },
+        };
+        const bytes = new TextEncoder().encode(jcsCanonicalize(unsigned));
+        const ownerPub = ownerKeyPair(owner, "public");
+        const sigBytes = sign(bytes, ownerPub.seed);
+        return {
+            ...unsigned,
+            signature: { ...unsigned.signature, value: base64url(sigBytes) },
+        };
+    }
+    /**
+     * Stripe Checkout session for an `app-credits-*` pack. The session is
+     * bound to the calling owner's DID (which is treated as the app's
+     * funding DID — Option A unified wallet, see plan §3.4).
+     *
+     * Same endpoint and auth pattern as `sdk.wallet.createTopupSession`,
+     * just with the app-credits pack id family.
+     */
+    async createAppTopupSession(args) {
+        const { auth, endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("sdk_no_owner", "no owner signed in; sign in first");
+        }
+        const url = walletTopupCheckoutUrl(endpoints);
+        let res;
+        try {
+            res = await fetchImpl(url, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({
+                    // Same endpoint as user-pack top-ups. The Lambda's pack-table
+                    // distinguishes `app-credits-*` from `credits-*` and routes
+                    // the credit to the same `aithos-wallet-user` row keyed on
+                    // `user_did`, which for an app is its DID (= sdk.appDid).
+                    user_did: this.#deps.appDid,
+                    pack_id: args.packId,
+                    success_url: args.successUrl,
+                    cancel_url: args.cancelUrl,
+                }),
+                ...(args.signal ? { signal: args.signal } : {}),
+            });
+        }
+        catch (e) {
+            throw new AithosSDKError("network", e.message);
+        }
+        let body;
+        try {
+            body = await res.json();
+        }
+        catch {
+            throw new AithosSDKError("http", `HTTP ${res.status} ${res.statusText} — non-JSON response`, { status: res.status });
+        }
+        if (!res.ok) {
+            const err = body;
+            throw new AithosSDKError(err.error ?? "http", err.detail ?? `HTTP ${res.status} ${res.statusText}`, { status: res.status });
+        }
+        const ok = body;
+        if (typeof ok.checkout_url !== "string" ||
+            typeof ok.session_id !== "string") {
+            throw new AithosSDKError("empty", "wallet response missing checkout_url or session_id");
+        }
+        return { checkoutUrl: ok.checkout_url, sessionId: ok.session_id };
+    }
+    /**
+     * Build, sign, and PUBLISH a SponsorshipMandate to the authority's
+     * `aithos-app-sponsorships` table via `aithos.sponsorship_create`.
+     *
+     * Combines local signing (see {@link createSponsorshipMandate}) with the
+     * server upload step. After this resolves, the sponsorship is active —
+     * the next `sdk.compute.invokeBedrock` call targeting `args.audience.appDid`
+     * may be sponsored (subject to caps).
+     *
+     * Requires that the calling owner is the registered `owner_did` of
+     * `args.audience.appDid` in `aithos-auth-apps`; otherwise the server
+     * rejects with `-32042` "not the owner".
+     */
+    async publishSponsorship(args) {
+        const mandate = await this.createSponsorshipMandate(args);
+        const result = await this.#signedRpc({
+            method: "aithos.sponsorship_create",
+            params: { mandate },
+        });
+        return {
+            mandate,
+            sponsorshipId: result.sponsorship_id,
+            mandateHash: result.mandate_hash,
+            status: result.status,
+            createdAt: result.created_at,
+        };
+    }
+    /**
+     * Read the active sponsorship for an app. Open endpoint (no envelope
+     * required): the mandate is publicly signed and resolvable anyway.
+     *
+     * Returns `{ exists: false }` when no row exists for the app.
+     */
+    async getSponsorship(args) {
+        const { endpoints, fetch: fetchImpl } = this.#deps;
+        const url = computeInvokeUrl(endpoints);
+        let res;
+        try {
+            res = await fetchImpl(url, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({
+                    jsonrpc: "2.0",
+                    id: "aithos.sponsorship_get",
+                    method: "aithos.sponsorship_get",
+                    params: { app_did: args.appDid },
+                }),
+                ...(args.signal ? { signal: args.signal } : {}),
+            });
+        }
+        catch (e) {
+            throw new AithosSDKError("network", e.message);
+        }
+        const body = (await res.json());
+        if (body.error) {
+            throw new AithosSDKError(String(body.error.code), body.error.message);
+        }
+        const r = body.result ?? {};
+        if (r.exists === false || !r.exists) {
+            return { exists: false };
+        }
+        return {
+            exists: true,
+            sponsorshipId: r.sponsorship_id,
+            mandate: r.mandate,
+            mandateHash: r.mandate_hash,
+            status: r.status,
+            poolConsumedLifetime: r.pool_consumed_lifetime ?? 0,
+            createdAt: r.created_at ?? 0,
+            lastUpdatedAt: r.last_updated_at ?? 0,
+        };
+    }
+    /**
+     * Revoke a published sponsorship by `app_did` + `sponsorship_id`. The
+     * row is marked `status: "revoked"` server-side; the routing cache is
+     * invalidated so the next compute call falls back to the user wallet.
+     */
+    async revokeSponsorship(args) {
+        const result = await this.#signedRpc({
+            method: "aithos.sponsorship_revoke",
+            params: {
+                app_did: args.appDid,
+                sponsorship_id: args.sponsorshipId,
+                reason: args.reason,
+            },
+            ...(args.signal ? { signal: args.signal } : {}),
+        });
+        return result;
+    }
+    /**
+     * Read the app's wallet balance (= the sponsor pool). Requires owner
+     * signature.
+     */
+    async getAppWalletBalance(args) {
+        const result = await this.#signedRpc({
+            method: "aithos.app_wallet_get_balance",
+            params: { app_did: args.appDid },
+            ...(args.signal ? { signal: args.signal } : {}),
+        });
+        return {
+            appDid: result.app_did,
+            exists: result.exists,
+            balance: result.balance,
+            balancePurchase: result.balance_purchase,
+            balanceGrant: result.balance_grant,
+            dailySpent: result.daily_spent,
+        };
+    }
+    /**
+     * Internal: sign an envelope with the calling owner's `#public` sphere
+     * and POST a JSON-RPC request to the compute proxy. Used by the
+     * sponsorship CRUD methods above. Mirrors `ComputeNamespace.#signAndPost`.
+     */
+    async #signedRpc(opts) {
+        const { endpoints, fetch: fetchImpl } = this.#deps;
+        const owner = this.#requireOwner();
+        const publicKp = ownerKeyPair(owner, "public");
+        const url = computeInvokeUrl(endpoints);
+        const envelope = buildSignedEnvelope({
+            iss: owner.did,
+            aud: url,
+            method: opts.method,
+            verificationMethod: `${owner.did}#public`,
+            params: opts.params,
+            signer: publicKp,
+        });
+        let res;
+        try {
+            res = await fetchImpl(url, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({
+                    jsonrpc: "2.0",
+                    id: opts.method,
+                    method: opts.method,
+                    params: { ...opts.params, _envelope: envelope },
+                }),
+                ...(opts.signal ? { signal: opts.signal } : {}),
+            });
+        }
+        catch (e) {
+            throw new AithosSDKError("network", e.message);
+        }
+        if (!res.ok) {
+            throw new AithosSDKError("http", `HTTP ${res.status} ${res.statusText}`, { status: res.status });
+        }
+        const body = (await res.json());
+        if (body.error) {
+            throw new AithosSDKError(String(body.error.code), body.error.message, body.error.data ? { data: body.error.data } : undefined);
+        }
+        if (body.result === undefined) {
+            throw new AithosSDKError("empty", `empty result for ${opts.method}`);
+        }
+        return body.result;
+    }
+    #requireOwner() {
+        const owner = this.#deps.auth._getOwnerSigners();
+        if (!owner || owner.destroyed) {
+            throw new AithosSDKError("sdk_no_owner", "no owner signed in; sign in first");
+        }
+        return owner;
+    }
+}
+/* -------------------------------------------------------------------------- */
+/*  Validation                                                                */
+/* -------------------------------------------------------------------------- */
+function validateBudget(b) {
+    if (!Number.isInteger(b.perUserCap) || b.perUserCap < 0) {
+        throw new AithosSDKError("invalid_input", "budget.perUserCap must be a non-negative integer");
+    }
+    if (!Number.isInteger(b.perDayTotalCap) || b.perDayTotalCap < 0) {
+        throw new AithosSDKError("invalid_input", "budget.perDayTotalCap must be a non-negative integer");
+    }
+    if (b.perUserWindowSeconds !== undefined &&
+        b.perUserWindowSeconds !== null) {
+        if (!Number.isInteger(b.perUserWindowSeconds) ||
+            b.perUserWindowSeconds <= 0) {
+            throw new AithosSDKError("invalid_input", "budget.perUserWindowSeconds must be null or a positive integer");
+        }
+    }
+    if (b.poolCapTotal !== undefined && b.poolCapTotal !== null) {
+        if (!Number.isInteger(b.poolCapTotal) || b.poolCapTotal < 0) {
+            throw new AithosSDKError("invalid_input", "budget.poolCapTotal must be null or a non-negative integer");
+        }
+    }
+}
+function validateAudience(a) {
+    if (!a.appDid || typeof a.appDid !== "string") {
+        throw new AithosSDKError("invalid_input", "audience.appDid must be a DID string");
+    }
+    if (a.audienceSet === "open") {
+        if (a.consumers !== undefined) {
+            throw new AithosSDKError("invalid_input", "audience.consumers MUST be absent when audienceSet is 'open'");
+        }
+    }
+    else if (a.audienceSet === "list") {
+        if (!Array.isArray(a.consumers) || a.consumers.length === 0) {
+            throw new AithosSDKError("invalid_input", "audience.consumers MUST be a non-empty array when audienceSet is 'list'");
+        }
+    }
+    else {
+        throw new AithosSDKError("invalid_input", `audience.audienceSet must be 'open' or 'list' (got: ${String(a.audienceSet)})`);
+    }
+}
+/* -------------------------------------------------------------------------- */
+/*  ULID + JCS — local copies to avoid a runtime dep                          */
+/* -------------------------------------------------------------------------- */
+const ULID_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+function ulid(now = Date.now()) {
+    // 10 chars timestamp + 16 chars random = 26 chars
+    let timePart = "";
+    let t = now;
+    for (let i = 0; i < 10; i++) {
+        const mod = t % 32;
+        timePart = ULID_ALPHABET[mod] + timePart;
+        t = (t - mod) / 32;
+    }
+    let randPart = "";
+    for (let i = 0; i < 16; i++) {
+        randPart += ULID_ALPHABET[Math.floor(Math.random() * 32)];
+    }
+    return timePart + randPart;
+}
+function randomBytes(n) {
+    const out = new Uint8Array(n);
+    crypto.getRandomValues(out);
+    return out;
+}
+/**
+ * Minimal RFC-8785 (JCS) canonicalization. Sorts object keys
+ * lexicographically by code point, no whitespace, JSON.stringify for
+ * primitives. Matches the protocol-core canonicalize used to compute
+ * the hash the signature commits to.
+ */
+function jcsCanonicalize(value) {
+    if (value === null || typeof value !== "object") {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return "[" + value.map(jcsCanonicalize).join(",") + "]";
+    }
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    return ("{" +
+        keys
+            .map((k) => JSON.stringify(k) + ":" + jcsCanonicalize(obj[k]))
+            .join(",") +
+        "}");
+}
+//# sourceMappingURL=apps.js.map